Posts belonging to Category Security News



How to protect against Firesheep attacks

Experts suggest defensive measures to ward off Firefox add-on’s hijacking of Facebook, Twitter sessions via Wi-Fi
By Gregg Keizer – October 26, 2010 07:29 PM ET

Computerworld – Security experts today suggested ways users can protect themselves against Firesheep, the new Firefox browser add-on that lets amateurs hijack users’ access to Facebook, Twitter and other popular services.

Firesheep adds a sidebar to Mozilla’s Firefox browser that shows when anyone on an open network — such as a coffee shop’s Wi-Fi network — visits an insecure site.

A simple double-click gives a hacker instant access to logged-on sites ranging from Twitter and Facebook to bit.ly and Flickr.

Since researcher Eric Butler released Firesheep on Sunday, the add-on has been downloaded nearly 220,000 times.

“I was in a Peet’s Coffee today, and someone was using Firesheep,” said Andrew Storms, director of security operations at San Francisco-based nCircle Security. “There were only 10 people in there, and one was using it!”

But users aren’t defenseless, Storms and several other experts maintained.

One way they can protect themselves against rogue Firesheep users, experts said on Tuesday, is to avoid public Wi-Fi networks that aren’t encrypted and available only with a password.

However, Ian Gallagher, a senior security engineer with Security Innovation, argued that tosses out the baby with the bathwater. Gallagher is one of the two researchers who debuted Firesheep last weekend at a San Diego conference.

“While open Wi-Fi is the prime proving ground for Firesheep, it’s not the problem,” Gallagher said in a blog post earlier on Tuesday. “This isn’t a vulnerability in Wi-Fi, it’s the lack of security from the sites you’re using.”

Free, open Wi-Fi is not only taken for granted by many, but it’s not the problem. There are plenty of low-risk activities one can do on the Internet at a public hotspot, including reading news or looking up the address of a nearby eatery.

So if Wi-Fi stays, what’s a user to do?

The best defense, said Chet Wisniewski, a senior security adviser at antivirus vendor Sophos, is to use a VPN (virtual private network) when connecting to public Wi-Fi networks at an airport or coffee shop, for example.

While many business workers use a VPN to connect to their office network while they’re on the road, consumers typically lack that secure “tunnel” to the Internet.

“But there are some VPN services that you can subscribe to for $5 to $10 month that will prevent someone running Firesheep from ‘sidejacking’ your sessions,” Wisniewski said.

For more, visit Computerworld.com

Half of critical private networks hit by political cyber attacks

By Gautham Nagesh – 10/06/10 09:47 AM ET

Half of the companies that provide critical infrastructure such as utilities or communication services have experienced politically motivated cyber attacks, according to a new report from Symantec.

survey of critical infrastructure providers found 53 percent suspected they had experienced an attack with a specific political goal in mind. The companies affected reported being attacked an average of 10 times over the past five years. Half said they expect another attack in the next year and 80 percent believe the attacks are becoming more frequent. The respondents said the majority of the attacks were somewhat to extremely effective and cost firms an average of $850,000 each.

“Critical infrastructure protection is not just a government issue. In countries where the majority of a nation’s critical infrastructure is owned by private corporations, in addition to large enterprises, there is also the presence of small and medium-sized businesses,” said Symantec chief information security officer Justin Somaini.

Somaini cited the Stuxnet virus, which has disabled physical security features at factories around the globe in recent months, as evidence that the threat to private networks is evolving. The survey also showed the energy industry is most ready for an attack, while the communications industry was least prepared.

“Security alone is not enough for critical infrastructure providers of all sizes to withstand today’s cyber attacks,” Somaini said. “The Stuxnet worm that is targeting energy companies around the world represents the advanced kind of threats that require security, storage and backup solutions, along with authentication and access-control processes to be in place for true network resiliency.”

Protecting the nation’s critical infrastructure from cyber attacks is an increasing priority for the Obama administration, which asserts it already has the right to act to protect private-sector networks in the event of a catastrophic cyber attack that could cost significant loss of life or financial damage under a little-used clause in the Communications Act passed in the wake of the Japanese bombing of Pearl Harbor in December 1941.

For more, visit TheHill.com

Nigerian advance-fee scammer gets 12 years

By Robert McMillan – September 3, 2010 02:12 PM ET

IDG News Service – A Nigerian man has been sentenced to 12 years in prison for sending out fraudulent e-mails offering victims big bucks in exchange for moving cash to the United States.

Okpako Mike Diamreyan, 31, was sentenced to 151 months of prison Wednesday by United States District Judge Janet Hall in Bridgeport, Connecticut.

Diamreyan made more than US$1.3 million in a scam that suckered 67 victims between 2004 to 2009, prosecutors said. This type of fraud, called an advance-fee scam, was the number-one type of Internet fraud in 2009, according to the U.S. Federal Bureau of Investigation. Last year, advance-fee fraud accounted for nearly 17 percent of the Internet fraud logged by the FBI.

Diamreyan pretended to be different people — Prince Nana Kamokai of Sierra Leone or an airport director from Ghana, for example. He said he needed to move between $11.5 million and $23.4 million out of the country and offered victims 20 percent of the funds, if they would help him out.

After using fake documentation to convince his victims that he was legitimate, Diamreyan would get them to wire him different types of fees such as “PIN code fees” or courier services charges with the understanding that they would then get the money. These fees would pile up, but the promised money never arrived.

For this and more, visit Computerworld.com

Securely disposing data on hard drives and other storage media

Date: August 31st, 2010
Author: Chad Perrin

Debates sometimes arise, both within academic circles and outside of them, over the necessity of high-intensity secure deletion techniques. Find out the true state of affairs for secure data disposal.

—————————————————————————————————————————————-
The state of the art of secure data disposal is, like that in most technical spheres of knowledge, always subject to change as researchers do their work. One might imagine that this involves new techniques for more effective data recovery that employs magnetic force microscopes and similarly high-cost solutions, countered by new advice for how to defeat such efforts when disposing of hard drives and other storage media.

One example of an impressive data recovery effort is that of the remains of hard drives from the Columbia space shuttle disaster, which ultimately led to the recovery of experimental data. Six months after the shuttle came apart on atmospheric reentry, a damaged hard drive was found in a dry lakebed and delivered to data recovery specialists at Kroll Ontrack Inc. Some time in the next four years or so, 99% of the data stored on the drive was recovered. The drive was eight years old before the shuttle disaster; it was delivered to the people who recovered the data from it looking like a melted down piece of slag and then damaged further during the recovery process — but recovery was a success.

On the other hand, two other drives involved in the shuttle disaster were complete losses.

There is a persistent myth to the effect that to securely delete everything from a hard drive one must overwrite it thirty-five times with random data. This myth arises from a superficial read and misunderstanding of Peter Gutmann’s 1996 paper, Secure Deletion of Data from Magnetic and Solid-State Memory. The truth of the matter, as presented in his paper, is that 35 random overwrites serves only to apply the necessary means of securely deleting data for any of several different drive technologies. A specific data storage technology only requires some lesser technique applied to ensure secure deletion.

Perhaps more interesting is the fact that, for the most modern hard drive technologies, a single complete overwrite of a drive with zeros should be sufficient. Part of the reason for this is the fact that data density on a drive is much greater than it used to be. In layman’s terms, “the bits are smaller”, which means that when rewriting, there is less room for old data to be left behind in a recoverable manner. A fair amount of redundancy of stored data occurred on older, lower density drives because the reading and writing devices were not as precise, and small deviations would leave random small areas unaffected on a single overwrite.

In a recent epilogue to his paper, Gutmann quoted himself responding to a researcher who considered doing some data testing:

Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don’t see how MFM would even get a usable image, and then the use of EPRML will mean that even if you could magically transfer some sort of image into a file, the ability to decode that to recover the original data would be quite challenging. OTOH if you’re going to use the mid-90s technology that I talked about, low-density MFM or (1,7) RLL, you could do it with the right equipment, but why bother? Others have already done it, and even if you reproduced it, you’d just have done something with technology that hasn’t been used for ten years. This is why I’ve never updated my paper (I’ve had a number of requests), there doesn’t seem to be much more to be said about the topic.

Recent papers by other researchers may seem to contradict Gutmann’s results. He does address some of this in his epilogues. Judging by both his epilogues and an independent look at reporting on such papers, it seems that such papers are in some cases misguided, and in others not contradictory of Gutmann’s results so much as relating to a specific technology that falls within the range of Gutmann’s more general overview.

While no single storage technology requires Gutmann’s described technique for dealing with all technologies, few of us have the time or inclination to double-check the specific technologies and the approaches required for each of them before tackling the task of secure data disposal. If you want to run a secure data disposal service where you expect to need to deal with many, many different storage devices regularly, it pays to know the specific techniques for specific technologies, and to apply them, if only because the time and resource costs for secure deletion will add up quickly. If you are a more typical user who just needs to get rid of a hard drive every couple years or so, the time spent keeping track of drive technologies and data disposal techniques is probably worth more to you than the time it takes a computer to perform Gutmann’s thirty-five overwrite “scorched earth” technique.

For more, visit TechRepublic.com

Sticks and stones: Picking on users AND security pros

Nobody likes to get picked on. But is it sometimes necessary to snap people out of their apathetic approach to security?

By Bill Brenner, Senior Editor

August 25, 2010 — CSO

I took my share of name-calling as a kid. I did my share of name-calling, too. We’re taught that nothing good comes of such behavior. I’ve been thinking a lot about that since writing an article two weeks ago called “Security blunders ‘dumber than dog snot’” during the 2010 USENIX Security Symposium.

The story is based on a talk of the same title given by Roger G. Johnston, a member of the Vulnerability Assessment Team at Argonne National Laboratory. In the presentation, he gave examples of surprising (or not) examples of what he has seen as a vulnerability assessor: security devices, systems and programs with little or no security — or security thought — built in. There are the well-designed security products foolishly configured by those who buy them, thus causing more vulnerability than before the devices were installed.

Then there are the badly-thought-out security rules and security programs laden in security theater, lacking muscle and teeth. In fact, some policies only make some employees disgruntled because they are treated like fools. In turn, the company risks turning them into malicious insiders.

Also see “Ouch! Security pros’ worst mistakes

Johnston described three common problems: People forgetting to lock the door, people too stupid to be helped and — worst of all — intelligent people who don’t exploit their abilities for the betterment of security. Enter what he calls the dog snot model of security– where intelligence and common sense exist but are not used.

He came up with the term by watching his dogs, who often crash themselves against the picture window facing the yard when they want to go chase a squirrel. Hence, the windows are covered in dog snot. Executives and lower-level users are often like the dogs in that they bang their heads against the firewall (or their fingers against the keyboard) in an effort to get at a shiny object online. The security pros themselves can get caught up in this too, usually banging up against the glass by trying to prevent bad things from happening by repeating the same failed practices.

Moments after the story went live and appeared on Twitter, I got a message from Adam Shotack, co-author of “The New School of Information Security” and a security specialist at Microsoft.

“Is that attitude helpful? Does anyone respond better when you call them ‘dumber than dog snot?'” he asked.

For the rest, visit CSO Online.

Symantec: A mid-year status check on security predictions

Fast-flux botnets, social networking attacks, mobile malware and more — Symantec looks back at 2010 security predictions and how reality is matching up

By Vincent Weafer, Symantec – August 23, 2010

CSO

As predictive analytics emerge as a sought-after business tool, Symantec continues to gather data that it uses to both analyze and predict trends in Internet security. Just like predictive analytics provides valuable information allowing businesses to make smart decisions, Symantec’s predictions are based on analysis and give businesses and individuals important information on the changing threat landscape that helps them make smart decisions. In order to offer the best information possible, Symantec reevaluates its yearly predictions halfway through the year. Here’s a look at each prediction for 2010 and an evaluation of where it stands at the midyear mark.

What We Said: Antivirus Won’t Cut It
The multiplication of both malicious code and of polymorphic threats was so great in 2009 that the amount of malicious software actually surpassed the amount of good software. While users should still maintain antivirus protection, they are going to need something more to be secure. Other approaches, such as Reputation-Based Security, will emerge as key alternatives to the footrace of writing signature codes for malware.

Where it Stands
The increase of malicious code has not let up since making that prediction. While Symantec created 2,895,802 new malicious code signatures in 2009 (71 percent more than 2008), it has already created 1.8 million new malicious code signatures in the first half of 2010. It has also identified 124 million distinct new malicious programs.

The number of sources for new malicious code is huge and keeps growing. The security industry is simply not going to be able to keep up with the speedy spawning of malware. That doesn’t, however, mean cybercriminals have won. Reputation-Based security is catching on as a smart, innovative solution that promises security to those who are interested. Heuristic, behavioral and intrusion prevention technologies are also means of future protection as malware continues to spread.

What We Said: Rogue Security Software Vendors Step it Up
Sellers of rogue security software have not yet reached their peak. They will become more active and more innovative. They have already begun to sell rebranded copies of free third-party AV software and will likely begin to use tactics such as rendering computers useless and holding them for ransom until they are paid.

Where it Stands
While cases of vendors holding computers for ransom have not yet been observed, Symantec has certainly seen more activity and more innovation from rogue security software sellers. One example of this is the practice of cold calling where sellers insist a person’s computer is infected and offer “solutions” either by having them download something or by convincing the user to let them access the computer remotely. In such cases sellers may be from actual companies who make a business out of such scams, as was one company Symantec investigated called Online PC Doctors.

What We Said: Social Networking Third-Party Applications Will Be Fraud Targets
Social networking sites have been awakened (rudely, in some instances) to the reality that their popularity makes them a target for fraud and other cybercrimes. Symantec predicted that many of them would react well and continue to take steps to secure their sites. Sadly, cybercriminals are not so easily deterred. They will turn to vulnerabilities in third-party applications to weasel their way in and wreak havoc.

Where it Stands
This trend is still developing, but it is developing in the predicted direction. Fortunately, social networking sites have reacted well and decreased the amount of malware breaking through their sites. Unfortunately, malicious efforts are increasing in the world of third-party applications. One app, for example, turned out to be part of an IQ testing scam that covertly signed up users for premium mobile service that cost $10 per month.

Also see ‘The 7 deadly sins of social networking security’ on CSOonline.com

Social networking sites may already have begun working against this trend. Facebook recently updated their application authorization system in an effort to reduce the number of scams and misleading applications making their way into the site. Users are now informed when an application seeks to access their information or post on their wall.

For more, visit CSO Online

Bulletin: Intel to buy McAfee for $7.68 billion

Chip maker says deal intended to beef up its mobile strategy

By Marc Ferranti – August 19, 2010 09:45 AM ET

IDG News Service – Intel said Thursday it plans to acquire security vendor McAfee in a cash deal valued at about $7.68 billion and aimed at enhancing the chip maker’s mobile strategy.

Both boards of directors have approved the deal, and McAfee is expected to become a subsidiary within Intel’s Software and Services Group.

“Hardware-enhanced security will lead to breakthroughs in effectively countering the increasingly sophisticated threats of today and tomorrow,” said Renée James, Intel senior vice president, and general manager of the group.

For more, visit Computerworld.com

Critical Adobe Reader hole to be patched Thursday

Elinor Mills CNET News | August 19, 2010 4:52 AM PDT

Adobe will release a patch on Thursday for a critical hole in Reader that was disclosed at the Black Hat conference late last month, the company said on Wednesday.

Adobe had announced on August 5 that the emergency fix was coming this week, in advance of the next quarterly security release, scheduled for October 12.

The security update will resolve an undisclosed number of critical issues in Reader 9.3.3 for Windows, Mac, and Unix; Acrobat 9.3.3 for Windows and Mac; and Reader 8.2.3 and Acrobat 8.2.3 for Windows and Mac, according to Adobe’s advisory.

The flaw, which could be exploited to take control of a computer, is related to the way Adobe’s PDF (portable document format) reader software handles fonts, said Charlie Miller, principal analyst at Independent Security Evaluators who disclosed the hole at the security conference.

Visit cnet.news for the rest of this story.

Deep theater defense

We all know perimeter firewalls are necessary but not sufficient. But what’s the right strategy for building additional layers of security? Greg Machler dives in.

By Greg Machler

August 17, 2010 — CSO

As an executive, do you ever get worried wondering if your corporate brand is properly protected from a lack of technological integrity? Corporations today have sensitive HR data, financial data, and often consumer data. If this data is compromised, often the outside world finds out about it, lawsuits are initiated and the corporate brand is tarnished. This could lead to consumers thinking twice about purchasing your products or services.

In the case of retail organizations, how does one effectively protect customer credit card data? Consider deploying an IT architecture that information security professionals call a deep-theater defense. Let’s investigate the design of this protective architecture:

First, put sensitive data in a second-tier of firewall segments behind the main corporate firewalls. This second-tier firewall and corresponding network shields sensitive applications and their data from being easily accessed if the Web-facing firewalls are breached.

For example, many national retailers sell groceries and have a pharmacy. It would be wise to deploy at least five firewall/network segments: one for HR data, one for financial data, one for credit card PCI (Payment Card Industry) data, one for pharmacy (HIPAA) data, and one for services that the other segments shared.

The segment containing services that are shared could contain common support services such as network and systems management, encryption and PKI functions, access control services, and security event management functions. Another architectural implementation that protects corporations from internal data theft is the creation of a tunneling access protocol. Often, critical systems are accessed by administrators and outside vendors.

It is important that all access to these applications be logged so that if an internal data breach occurs, the source can be discovered. It is important that the second-tier firewall close its administrative port access so that administration can only be initiated from the segment for common services. One wants to prevent access from administrative tools that exist in front of the second-tier firewalls.

Applications need to be ported behind the deep theater second-tier firewalls. Where does one start?

For the rest, visit CSO Online.

Hackers steal customer data by accessing supermarket database

Sunday 15th August, 03:50 AM JST

OSAKA – Hackers stole customer data from eight online supermarkets in Japan, including Uny Co. and Neo Beat Co, in July using a hacking technique called SQL injection to access their databases, sources familiar with the matter said Saturday.

A source close to Neo Beat, which also operates the websites of these online supermarkets, said it believes that the approximately 30,000 unauthorized accesses to its database server were likely ‘‘perpetrated by a group of professional hackers.’‘

The accesses, which were conducted from Japan and China on July 24-26, resulted in the theft of data on a total of 12,191 customers of the Osaka-based company as well as its seven business partners including supermarket chains Izumiya Co, Maruetsu Inc and Ryukyu Jusco Co.

Neo Beat has since filed a damage report with the Osaka prefectural police, and the companies have closed their online markets since late last month. Police investigators are now looking into the case and gathering relevant information.

Some major credit card companies have confirmed cases in which the credit card data stolen by the hackers in the July incident were used by third parties to buy goods.

An official at a credit card company said there have been more than 100 cases in which such parties either used or attempted to use the stolen card data.

Although credit card companies do not charge customers whose card data were illicitly used, some card companies have recommended that affected customers get new cards and invalidate their old ones.

For more, visit Japantoday.com