Thursday, December 27, 2007

Security Trends to Watch Out in 2008

Symantec Security Trends in upcoming year...

With the year end approaching, security companies are looking ahead to the coming year, telling us which virus threats to watch out for and what the security landscape will look like. Security major Symantec has come up with a list of such security trends to look out for in 2008.

First on the list is "election campaigns". With political candidates increasingly turning to the World Wide Web, it is important to understand the associated security risks, which include diversion of online campaign donations, dissemination of misinformation, fraud, phishing, and invasion of privacy.

Symantec claims to have analyzed 17 well-known candidate domain names in the course of the US 2008 elections, revealing that a large number of typo and cousin (correctly spelt but with additional wording) domain names have been registered by parties other than the candidates' own campaigns. Many of these Web sites are registered to drive traffic to advertising Web sites.

The second trend to keep an eye on is "bot evolution". Symantec expects bots to diversify and evolve, for instance into phishing sites hosted on bot zombies. Bots tend to be 'early adopters' of new functionality, so they can serve as test environments for trying out new malicious functionality on a variety of targets before it is deployed for real. Bots may be used in client-side phishing attacks against the legitimate owner or user of an infected computer, which lets phishers bypass traditional phishing protection mechanisms, or they may be used to artificially inflate the apparent traffic to certain Web sites by hijacking browsers.

Bots may also give attackers specific access to infected PCs, which they can use to their advantage. If bot owners advertise their control over PCs within an organization, parties interested in that organization may pay them for access to that control.

The third suspect, according to Symantec, is "advanced Web threats". With an increase in the number of available Web services, and with browsers continuing to converge on uniform interpretation standards for scripting languages like JavaScript, Symantec expects the number of new Web-based threats to continue to rise. Symantec also warns against "user-generated content", which the company says can be used to host browser exploits, distribute malware/spyware, or host links to malicious Web sites. Completing Symantec's list of security trends for 2008 are "mobile platform", "spam evolution", and "virtual worlds".

Symantec says 'mobile' security has never been a high priority. With phones becoming more complex, interesting and connected, hackers will increasingly target the mobile transactions offered by banks and other money transfer agents.

Similarly, Symantec expects 'spam' to evolve, trying to evade newer blocking systems and finding new ways to trick users into reading messages. Newer attachment types such as mp3 and Flash files, or messages disguised as coming from social networking sites, might come into play.

Last but not least, Symantec expects that with the growing use of persistent virtual worlds (PVWs) and massively multiplayer online games (MMOGs), new threats will emerge as criminals, phishers, spammers and other anti-social elements turn their attention to these avenues.

Friday, December 21, 2007

Social Networking Websites

Using Facebook, MySpace and other social networking websites during work hours?

I was quite surprised to see the stats of a recent survey carried out by Microsoft showing that 4.17% of people stay connected throughout the working day to their favourite social networking website. 42.50% of people are joining a network without knowing all the members of that network. For example, people are joining London when they don't know all the members in London. Mind you, all members in London can get access to your profile if you haven't set any special privacy settings.

I was reading a post by Steve Lamb regarding this survey and would like to share it with my viewers.


What are the UK trends in the corporate use of Social Networking sites like Facebook, LinkedIn and MySpace?


Microsoft recently surveyed nearly four hundred IT Professionals to find out their approaches to Social Networking. You can view the full results here.


I think the findings are interesting as the results suggest that social networking sites are more popular with IT Pros than end users by a factor of nearly two to one. 40% of IT Pros do not see any security concerns in using social networking sites and 46% of companies are not monitoring their use.


I AM concerned that 35% of respondents publish their address and date of birth on these sites. 16% of respondents stated they have downloaded an application without checking it's safe - I would love to know what steps they took to verify the "safety" of a suspect application...


The whole idea of "downloading" an application in Facebook is quite different to the "traditional approach" as code is not actually downloaded to the client machine - it's simply enabled on the Facebook website/backend. Rogue applications DO pose a threat to the privacy of both those who install them AND their friends. They DO NOT pose a threat of compromising the security of the client machine as code is not installed there.

I would like to see all organisations providing guidance to their employees regarding the threat to privacy that thoughtless use of social networking sites can lead to. Only 17% of respondents state they have provided guidance to employees and fewer than 5% of the workforce actually say they have received advice.

Tuesday, December 18, 2007

MUST-HAVE Free Security Utilities

Ten free security utilities you should already be using:

  1. Secunia Personal Software Inspector, quite possibly the most useful and important free application you can have running on your Windows machine. It can be used to scan all the installed applications on the PC to determine which programs are missing security patches/updates.

  2. OpenDNS is a must-have free service (there's no software to install) that speeds up Web surfing, corrects domain typos on the fly and protects you from phishing scams. All you do is change your DNS settings (instructions here) to the OpenDNS servers: 208.67.222.222 and 208.67.220.220

  3. America Online's Active Virus Shield, powered by Kaspersky Lab, is one of the better free anti-virus packages available for Windows users. The program installs smoothly, pulls down hourly virus definition signatures from Kaspersky Lab and features real-time protection (including e-mail scanning).

  4. Haute Secure is a browser plug-in currently available for Microsoft's Internet Explorer that does real-time blocking of drive-by malware downloads. The tool, the brainchild of ex-Microsoft staffers, fits behaviour-based profiling algorithms into the browser (Firefox support is coming soon) to identify and intercept malicious files in real time.

  5. GMER, a free rootkit scanning tool built by a Polish Windows internals guru, is widely hailed as the best at ferreting out stealth rootkits from PCs. GMER does an excellent job of finding hidden processes, hidden services, hidden files, hidden registry keys, hidden drivers and all kinds of driver hooking.

  6. Netcraft Toolbar is effectively a giant neighbourhood watch that helps you spot phishing and other identity theft schemes. It provides a direct glimpse at the hosting location and Risk Rating of every site you visit.

  7. File Shredder is a must-have privacy tool that wipes/destroys documents beyond recovery. With File Shredder, you can choose between 5 different shredding algorithms, each one gradually stronger than the previous one to get rid of files forever.

  8. CCleaner can remove unused files, temporary files, URL history, cookies from the three main Web browsers (IE, Firefox and Opera). It can also be used to delete temp files and recent file lists for all those third-party applications sitting on your PC.

  9. PC Decrapifier does exactly that -- removes crapware that comes pre-installed on Windows computers. This program will not remove crapware from older computers but is perfect for new machines that ship with trialware.

  10. NoScript is a must-have Firefox extension that pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust.

Sunday, December 16, 2007

Cryptograf

Send Message Keep Secret

Cryptograf is mobile software that helps you encrypt your SMS and MMS. It allows users to send encrypted and digitally signed SMS and MMS on widely available Symbian smartphones. The user experience of mobile messaging with CryptoGraf is simple, whether encrypting messages to send or decrypting received messages. Users generate their own private encryption key and save the corresponding public key (for distribution) as a standard secure digital certificate.

Crypto
The Art and Science of Ensuring the Security and Integrity of Messages

Graf
In Greek "grafo" means write.

Cryptography-related technologies for privacy protection have been available on computers for a long time. People have been sending encrypted email messages for more than 10 years. It's about time for technical innovation to make cryptography usable on the mobile phone. Currently, the use of crypto for business and trade has overtaken the volume of crypto used by governments and military combined. Crypto is now used to encode satellite television signals, protect banking and ATM networks, and secure almost every purchase made over the internet.

More Information: CryptoGraf and Software Download: CryptoGraf Download

Friday, December 14, 2007

First Crucial Hour

When Your Security Is Compromised, Panic May Be Your Biggest Enemy.

We always hear from people that whenever there is danger or a problem, the first thing to do is calm down and not panic. In a security breach, a calm response is even more important. Your initial, frantic reaction may be to fix the breach, but that is counterproductive. Instead, do three things:

  • Assess what's really taking place. Look at the situation holistically. Is it a system error? A hardware issue? A software issue? Which system is affected? Which network is affected? Can you segment the affected networks so that unaffected networks can continue to function?
  • Diagnose the problem. Just as emergency responders do, conduct triage, a method of screening and classification. Sometimes security or network devices send out false positives that can be misdiagnosed. Did someone make a configuration change the night before that wasn't properly documented and is affecting the network? Is there a new patch to an application that no one knew about?
  • Preserve logs that indicate what happened. Sometimes, in the haste to bring a system back online, staff will use backup data to restore the system. Unfortunately, that can erase important data that helps trace and analyze the problem, so be sure someone is responsible for finding and preserving system logs that will offer vital insight into the event. In certain situations relating to compliance, companies are required to maintain records of what happened and how they resolved the problem.
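As an added example, not code from the original post, here is a Python routine for the "preserve logs" step: it snapshots a log directory into a read-only archive and records the SHA-256 of each file and of the archive, so the evidence survives a restore from backup and can later be shown to be unchanged. The case id, collector name and sample log lines are constructed for the example.

```python
import hashlib
import json
import os
import tarfile
import tempfile
import time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(log_dir, evidence_dir, case_id, collector):
    """Archive log_dir into evidence_dir and write a manifest of hashes; returns the manifest."""
    os.makedirs(evidence_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = os.path.join(evidence_dir, f"{case_id}-logs-{stamp}.tar.gz")
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _dirs, names in os.walk(log_dir):
            for name in sorted(names):
                path = os.path.join(root, name)
                rel = os.path.relpath(path, log_dir).replace(os.sep, "/")
                files[rel] = sha256_file(path)   # hash the source before anyone restores over it
                tar.add(path, arcname=rel)
    manifest = {"case_id": case_id, "collected_by": collector, "collected_utc": stamp,
                "source": os.path.abspath(log_dir), "archive": archive,
                "archive_sha256": sha256_file(archive), "files": files}
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    os.chmod(archive, 0o440)   # read-only: nobody "tidies up" the evidence by accident
    return manifest

def verify_archive(manifest):
    """Re-hash the archive later (e.g. before handing it to auditors) against the recorded hash."""
    return sha256_file(manifest["archive"]) == manifest["archive_sha256"]

# Constructed sample log lines for the stand-alone run; not real events.
SAMPLE_LOGS = {
    "auth.log": "Dec 14 01:02:03 web1 sshd[4242]: Failed password for root from 203.0.113.7\n",
    "httpd/access.log": '203.0.113.7 - - [14/Dec/2007:01:02:05] "GET /admin HTTP/1.1" 403 221\n',
}

def demo():
    """Preserve the sample logs from a temp dir; returns (manifest, expected hashes, intact)."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = os.path.join(tmp, "var_log")
        for rel, text in SAMPLE_LOGS.items():
            os.makedirs(os.path.dirname(os.path.join(log_dir, rel)), exist_ok=True)
            with open(os.path.join(log_dir, rel), "w", newline="") as f:
                f.write(text)
        manifest = preserve_logs(log_dir, os.path.join(tmp, "evidence"), "INC-0001", "on-call")
        expected = {rel: hashlib.sha256(t.encode()).hexdigest() for rel, t in SAMPLE_LOGS.items()}
        return manifest, expected, verify_archive(manifest)

if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```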

Wednesday, December 12, 2007

10 Security Trends and Predictions

A Snapshot of the X-Force team's annual report

  1. The VOLUME OF SPAM DOUBLED from 2005 to 2006. The U.S., Spain and France are the three largest originators of spam.
  2. Local-Language spam will grow as cyberprowlers increasingly target specific countries. Currently, 93 PERCENT OF SPAM MESSAGES are written in English.
  3. FOUR OF THE TOP FIVE COUNTRIES targeted by phishing scams are also part of the top 10 countries hosting shopping and banking websites. These include the U.S., U.K., Germany and Canada.
  4. The quantity of "unwanted" Web content such as VIOLENCE, CRIME, PORNOGRAPHY AND SEX NEARLY DOUBLED IN 2006. The U.S. is the top hosting site for this content, followed by South Korea.
  5. Image-based spam techniques will grow increasingly sophisticated. In 2007, NEW FORMS OF IMAGE-BASED SPAM likely will evade existing protection solutions.
  6. Much like a biological virus, MALWARE WILL CONTINUE TO EVOLVE and change characteristics. The classic malware groups (virus, rootkit and spyware) will blend, making stand-alone security products less relevant in 2007.
  7. Web exploit obfuscation and encryption technologies are increasingly popular, making it difficult for signature-based INTRUSION DETECTION and prevention products to detect attacks.
  8. HACKERS ARE INCREASINGLY TARGETING WEB BROWSERS. Managed exploit providers are purchasing exploit code from the underground, encrypting it so that it cannot be pirated, and selling it for top dollar to spam distributors. As a result, signature-based protection systems will become less effective in 2007.
  9. NEW OPERATING SYSTEM RELEASES - coupled with new applications for those operating systems - will likely push the number of vulnerabilities higher in 2007.
  10. Vulnerabilities are not a Windows- or Microsoft-specific problem. In fact NEARLY 97 PERCENT OF VULNERABILITIES don't involve Microsoft's software.

Tuesday, December 11, 2007

Cross-Site Request Forgery

CSRF Hacking Database & Tutorial
What is CSRF? How does it work?

CSRF, also known as cross-site request forgery, works by exploiting the trust that a site has in the user. Site tasks are usually linked to specific URLs, so a specific action is executed when that URL is requested. If a user is logged into the site and an attacker is able to trick their browser into making a request to one of these task URLs, then the task is performed and logged as the logged-in user. The CSRF vulnerability exists in almost every website, but it has remained mostly under the radar for nearly a decade; it's not even included in the Web Security Threat Classification, the OWASP Top 10 or Mitre Corp.'s list. An Indonesian security expert, zoiz, even says that CSRF is able to cause a DoS attack against a web server by manipulating the number of GET requests. Well, it's really horrible...

The only way to prevent yourself from becoming a victim of CSRF is to keep clearing cookies or to ensure you're properly logged off from all sites before you visit another. (I hope that's not all.)
A step-by-step tutorial on CSRF can be read here; it's a very nice walkthrough on CSRF, I think. If you're familiar enough with the Google Hacking Database, which is made by Johnny, I'll now introduce you to the CSRF Hacking Database, which is made by hackerswebzine. It's essentially the same idea as the Google Hacking Database, but specialized on CSRF dorks.
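To show the mechanism described above in code, here is an added example (not from the original post or the linked tutorial): a toy "transfer" endpoint that trusts the session cookie alone, beside a hardened version that requires POST, checks the Origin header when the browser sends one, and validates a per-session synchronizer token. The site name, session id and balances are constructed for the example.

```python
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"        # assumed site name for the example
SERVER_SECRET = secrets.token_bytes(32)     # per-deployment secret used to derive tokens

def new_session_store():
    # Constructed session table: one logged-in user whose browser holds cookie "sess-abc".
    return {"sess-abc": {"user": "alice", "balance": 100}}

def vulnerable_transfer(req, sessions):
    """Before: any request with a valid session cookie is trusted, even a GET an attacker's page triggers."""
    sess = sessions.get(req.get("cookies", {}).get("session"))
    if sess is None:
        return 401
    sess["balance"] -= int(req["params"]["amount"])
    return 200

def csrf_token(session_id):
    # Synchronizer token bound to the session: the server recomputes it, a third-party page cannot read it.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def hardened_transfer(req, sessions):
    """After: state changes need POST, a same-site Origin when present, and a token matching the session."""
    session_id = req.get("cookies", {}).get("session")
    sess = sessions.get(session_id)
    if sess is None:
        return 401
    if req["method"] != "POST":
        return 405
    origin = req.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    if not hmac.compare_digest(req["params"].get("csrf_token", ""), csrf_token(session_id)):
        return 403
    sess["balance"] -= int(req["params"]["amount"])
    return 200

def run_scenarios():
    """Run forged and legitimate requests against both handlers; returns {case: (status, balance)}."""
    cookie = {"session": "sess-abc"}          # the browser attaches this automatically
    forged_get = {"method": "GET", "cookies": cookie, "origin": "https://evil.example",
                  "params": {"amount": "50"}}
    forged_post = dict(forged_get, method="POST")
    legit = {"method": "POST", "cookies": cookie, "origin": SITE_ORIGIN,
             "params": {"amount": "50", "csrf_token": csrf_token("sess-abc")}}
    results = {}
    for name, handler, req in [("vulnerable_forged_get", vulnerable_transfer, forged_get),
                               ("hardened_forged_get", hardened_transfer, forged_get),
                               ("hardened_forged_post", hardened_transfer, forged_post),
                               ("hardened_legit_post", hardened_transfer, legit)]:
        sessions = new_session_store()
        results[name] = (handler(req, sessions), sessions["sess-abc"]["balance"])
    return results

if __name__ == "__main__":
    for name, (status, balance) in run_scenarios().items():
        print(f"{name:22s} status={status} balance={balance}")
```

In the output, only the vulnerable handler moves money for the forged request; the hardened one rejects the forged GET and POST and still serves the legitimate token-bearing request.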

Monday, December 10, 2007

SWF Intruder

Testing Security in Flash Movies

Today I have been reading a lot about Web application malware / Web application worms that spread through social networking sites like Friendster and MySpace. Embedding a malicious Flash SWF movie is one of the most used techniques to hack a Friendster or MySpace account. In the dumbest way, you could embed a malicious Flash swf movie script into your friend's testimonial box, have it redirect to a fake login page, and let them enter their login data; it's only one of many dumb ways to hijack a Friendster or MySpace account.
Given this situation, a useful tool called SWFintruder has been developed, and it is known as the first tool for testing security in Flash movies. The major features of this tool are:


1. Basic predefined attack pattern
2. Highly customizable attacks
3. Highly customizable undefined variables
4. Semi-automated XSS check


· Download the SWFintruder source code from GoogleCode.
· Extract the source code into the root of your web server.
· Browse to http://yourhost/swfintruderdir
· Download some flawed swf files and put them on your web server too.
· Fill in the "Flash Movie" field with your desired flawed swf movie, and then click "Load".
· If any XSS is found, it will be listed in the XSS area; click on it to get the result in a new browser window.


The other video tutorial on SWFintruder can be downloaded here. Other previews about this application can be read on: Ngoprekweb.com , ProfessionalSecurityTesters.org , and Ajaxian.com .

Thursday, December 6, 2007

Can Consumers’ Infected Systems Harm you?

Buyer at your website can infect your system…

Who knows what evil lurks in the heart of computers? If you have an e-commerce server, your system could be infected by malware from a consumer's machine. Hackers can plant what's called a bot on a machine that activates when the computer begins an SSL connection. Once the bot is running, it is able to hijack the session or conduct a "man in the middle" attack, which would mean the hacker could execute remote code on the server.

The results can vary, from instigating denial-of-service attacks to stealing passwords. The solution is simple, however: when you want to protect sensitive data such as employee records or bank account information, build a tiered architecture. That way, even if a hacker has access to a Web server, safeguards prevent it from communicating with the next machine in the hierarchy. You can solve most of those problems with perimeter controls.

Wednesday, December 5, 2007

Information Security - Basic Understanding

Immutable Laws of Security

I just came across a beautiful article while reading Steve Lamb's blog. As mentioned by Steve, the article is fairly old but it is still worth reading. It covers the basics of information security and tells us which important facts we need to take into consideration when talking about information security. See: 10 Immutable Laws of Security

Tuesday, December 4, 2007

Google is asking for help finding malicious Web sites

Google is asking everyday Web surfers to help with its efforts to stamp out malicious Web sites.

The company has created an online form designed to make it easy for people to report sites they suspect of hosting malicious code. It's the latest step by Google to expand its database of the bad Web sites it knows about, as those sites continue to proliferate.

The simple form has an entry box for the Web site's URL and a space to provide additional information. Users also fill out a "captcha" to prevent software robots from reporting sites automatically.

Security vendor Sunbelt Software said hackers appeared to be using various tricks to ensure their malicious sites appear high in Google's search results. Sunbelt said it turned up 27 different domains hosting malware, each with up to 1,499 malicious pages, or some 40,000 pages in total.

Why Can't We Get The BAD Guys?

What can be done...?

In the face of growing organized malfeasance online, what can and should individual organizations, local and national law enforcement, and the greater global cyber-community do? Stay vigilant on the micro level and get organized on the macro level.


That means enacting state-of-the-art security practices: harden your network, defend your perimeter to the death, adopt a layered approach to security internally, continue with filtering best practices, consider data-level encryption where appropriate (both in transit and at rest) and get a better picture of your networks' true reach.

Bigger picture, companies need to begin working within their respective industries and with local, state and national law enforcement to share information that can help detect organized activities.

"Right now the problem is that the bad guys talk with one another better than the good guys do. We need to share resources and information a lot better than we do."

Monday, December 3, 2007

Adding Applications in your FACEBOOK account!

Always be careful of adding applications and what information you are giving....

FACEBOOK is no doubt a fast-growing social networking website, which lets users add applications to their account to have a bit more fun while using it. Unfortunately, most users don't even read the message and just install the application, which could reveal their personal information and affect their privacy.

Detailed information was recently published by Dshield handler John Bambenek in his post.
See: Facebook, pr0n and privacy