Tuesday, August 31, 2010

The Human Side of Security

Most corporate security breaches are a result of low-tech oversights and employee negligence - not the work of systems hackers.

With all the focus on high-tech security, organizations are overlooking some basic gaps that leave them vulnerable to data loss and network intrusion. Despite a handful of high-profile hacking incidents, the preponderance of corporate security breaches are tied to low-tech oversights or employee negligence.

Insider negligence was a significant factor in more than 88 percent of all cases in a January 2009 study of the cost of data breaches by the Ponemon Institute. About 35 percent of the breaches identified in the study involved lost or stolen laptop computers or other mobile data-bearing.

Other common gaps: improperly disposed-of PCs or backup tapes, unattended shredders and countless other seemingly mundane and benign events that occur regularly in the course of daily office life.

People may not realize that the vast majority of high-impact security breaches - particularly the ones that involve loss of important business or personally identifiable data - are not the result of a pierced and tattooed hacker in the basement, but often the result of either mistakes or mischief by insiders who have access to that data in the course of their normal work.

Sunday, August 29, 2010

Trust, but Verify

"The most prevalent control is trust, and that is the most easily defeated"

Although the blinders we wear when we trust are probably inherent in human nature, there are remedies for ensuring that those to whom we've given privileged access don't misbehave. Security professionals advise the following precautions:

  • Do more extensive background checks.

  • Segregate duties and privileges

    Suppose an operator has privileged access so he can back up information on a server. He may need those privileges to do the job, but he doesn't need to see the data he is backing up. Encrypt confidential data such as customer information or medical records.

  • Carefully control the privileges you grant.

    Give only the privileges that the system administrator needs to do her / his job and nothing more.

  • Use encryption more widely.

    Put encryption as close to the source of the data as possible to minimize the number of those who can see it in plaintext.

  • Tighten controls on the use of privileged accounts.

    Explicitly describe the reason the user has been given privileged access. Then monitor his activity. When privileged access ends, make sure you reset the password.

  • Restrict privileged access of employees whose behavior causes concern.

    Monitor more diligently the behavior and job performance of such individuals.

  • Manage passwords more strictly.

    Give out passwords for certain purposes only. When they have been used and the job is done, change the password.

  • Make sure that usernames of those with privileged access tie the use of an account to a named person.

    Don't allow a username such as "SysAdmin" that doesn't identify the person using the account.

  • Do more extensive security and threat awareness training.

  • Prevent "privilege creep" by rescinding access when it is no longer necessary.

  • Finally, allocate resources based on risk.

    The more risk a transaction carries or the more crucial the functioning of a system, the more closely you should monitor it.

It's vigilance that is the most important safeguard. It's a question of what controls are most prevalent, and the most prevalent control is trust, which is the most easily defeated.
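As an added illustration of the privileged-access checks listed above (it is not part of the original post), here is a small Python review over constructed grant records. The record fields, the generic-account list and the 90-day staleness threshold are assumptions; a real review would read the same fields from an IAM or directory export.

```python
from datetime import date

REVIEW_DATE = date(2010, 8, 31)          # the day of this review (constructed)
STALE_DAYS = 90                           # assumption: unused this long -> candidate for removal
GENERIC_NAMES = {"sysadmin", "admin", "administrator", "root", "operator"}

# Constructed sample grants. In practice these fields would come from an IAM
# or directory export (an assumption about the source, not a real system).
GRANTS = [
    {"account": "jdoe-admin", "owner": "Jane Doe", "role": "backup-operator",
     "reason": "nightly backups of db-01", "expires": date(2010, 12, 31),
     "last_used": date(2010, 8, 30)},
    {"account": "SysAdmin", "owner": None, "role": "domain-admin",
     "reason": "", "expires": None, "last_used": date(2010, 8, 29)},
    {"account": "rroe", "owner": "Richard Roe", "role": "dba",
     "reason": "schema migrations for project X", "expires": date(2010, 6, 30),
     "last_used": date(2010, 8, 28)},
    {"account": "tmo", "owner": "Tom Mo", "role": "firewall-admin",
     "reason": "perimeter changes", "expires": date(2010, 12, 31),
     "last_used": date(2010, 3, 1)},
]


def review_grants(grants, today=REVIEW_DATE, stale_days=STALE_DAYS):
    """Return (account, finding) pairs for every grant that needs attention."""
    findings = []
    for g in grants:
        acct = g["account"]
        # A privileged username must tie the account to a named person.
        if g["owner"] is None or acct.lower() in GENERIC_NAMES:
            findings.append((acct, "not tied to a named person"))
        # The reason for privileged access must be written down.
        if not g["reason"].strip():
            findings.append((acct, "no documented reason for privilege"))
        # Open-ended grants are never re-examined unless someone asks.
        if g["expires"] is None:
            findings.append((acct, "no expiry date"))
        # Privilege creep: the grant has expired but was never rescinded.
        elif g["expires"] < today:
            findings.append((acct, "grant expired but not rescinded"))
        # Privileges nobody uses are the cheapest ones to remove.
        if (today - g["last_used"]).days > stale_days:
            findings.append((acct, f"unused for more than {stale_days} days"))
    return findings


if __name__ == "__main__":
    for acct, why in review_grants(GRANTS):
        print(f"{acct}: {why}")
```

Run as a script it prints one line per finding; the account with no findings (jdoe-admin in the sample) needs no action in this pass, while the shared "SysAdmin" account collects three findings on its own.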

Friday, August 27, 2010

We Have Met the Enemy

Insider Threat Study - "The enemy is us"

There are no reliable statistics on misuses of privileged access. After all, companies won't report such embarrassing incidents unless they are required to do so by law. Intentional and malicious breaches by privileged users make up only a small minority of all breaches. But they keep recurring and their incidence doesn't seem to be diminishing. And when they do happen, the damage can be significant.

After all, the more lucrative the assets, the more likely it is that exploiting them will take privileged access or technical expertise. It's a problem that festers in secret wherever assets are not guarded well enough. The only way to prevent such breaches is to be more careful about those you hire, more vigilant with those you trust, and more painstaking about monitoring how access is handled.

In most cases, perpetrators have technical expertise. According to the Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector, published in January 2008 by the CERT program of Carnegie Mellon University, 63 percent of the insiders were employed in technical positions, including engineers (25 percent); system administrators (22 percent); programmers (22 percent); information technology specialists (14 percent); and other technical positions (14 percent).

Eighteen percent were employed in a professional position such as sales specialist, account manager, editor or analyst. Of the remaining insiders, 7 percent were employed in executive management or supervisory management positions; 7 percent worked in customer service positions; and 5 percent held administrative / clerical support positions.

These figures indicate that many, if not most, breaches come from those with IT privileges, which proves "The enemy is us".

Wednesday, August 25, 2010

The Privileged Abuser

How to protect yourself when your most trusted insiders go bad

Breaches of security by a privileged user are usually hushed up, but sometimes the damage is way too big to sweep under the rug. In January 2008, Societe Generale, the second-largest bank in France, reported that a 31-year-old trader named Jerome Kerviel had made unauthorized trades of European equities futures that caused the bank to lose $7.6 billion and exposed it to risks amounting to billions more.

How could such liability have gotten so enormous without supervisors becoming aware of it?

The bank characterized Kerviel as a "computer genius" who was able to evade internal monitoring because of the knowledge he had acquired while working for five years on the bank's security systems.

A Compliance Mentality

Companies make themselves more vulnerable than they realize. They usually don't vigilantly monitor those they trust with privileged access. Often, privileged access is not rescinded when it is no longer necessary.

Moreover, a disgruntled employee who knows he may be terminated may create a back door into the organization's system, which he can use later to create mischief. Even though disgruntled employees almost always give warning of their hostility by overt cantankerous behavior, according to security professionals, in many cases this evidence is ignored.

In addition, companies tend to think of security in terms of protecting organizations from attacks by outsiders rather than insiders. Another source of vulnerability is "privilege creep". That's when an administrator is granted certain privileges and retains them even after his or her role changes and the privileges are no longer necessary.

Typically, access is rescinded less frequently and far less vigilantly than it is granted. Such vulnerabilities are easily overlooked if a company has a compliance mentality rather than a risk-based approach to security.

The compliance mentality slaps technical fixes onto the network in order to meet regulations. The company may be compliant, but not necessarily secure.

Sunday, August 22, 2010

ATM Skimming: How effective are the security solutions, such as Jitter?

Fraudsters Already Know How to Bypass the Security Solution

ATM skimming is the fastest-growing electronic-fraud risk, according to the U.S. Secret Service, accounting for more than $1 billion in annual losses. And some industry experts estimate skimming-related losses to be as much as three times higher.

While the average skimming attack spans a timeframe of between one and two hours, losses per incident average $30,000, according to ADT Security Solutions, which provides anti-skimming solutions for the financial industry. ADT also estimates ATM skimming attacks cost financial institutions and their customers 10 times more than losses suffered during robberies.

Among the initiatives deployed to combat ATM skimming is jitter technology, which uses a stop-start, or jitter motion, when a card is inserted in the ATM. In theory, the irregular motion distorts the magnetic stripe details on the card, so if a skimming device has been placed on an ATM, the jitter feature makes the copied information unusable.

But some industry experts say that jitter technology is outdated and only partially effective - and that banking institutions need to be exploring new security solutions.

Jitter works on ATMs with motorized card readers -- ones in which the user inserts the card and then allows the reader to pull the card in, read the mag-stripe data and then push the card out. The technology is not effective on machines with dip readers, in which the user manually inserts and withdraws the card. "[Jitter] is easily defeated and has been," Schriber says.

As Gartner's Litan points out, even if jitter were unbreakable, it's a siloed solution - one that only addresses the ATM link in the payments chain. That kind of siloed approach to fraud prevention is no longer effective.

"Right now, a lot of financial institutions are only relying on jitter," Litan says. "Some of the bigger banks -- the big five, I'd say -- are just now working toward incorporating fraud detection at the ATM. It's kind of shocking that they did not have better fraud detection before now, but then again, up until recently, ATM fraud was manageable."

Multilayered Approach Needed

ANZ, as an extra measure of protection, has installed PIN shields on its ATMs to protect the PIN from capture. "Putting measures in place to protect both the card data and the PIN gives the best chance of stopping the fraud," Prestwood says.

Other techniques institutions might deploy in addition to jitter include:
  • Radio-frequency jamming, which uses an electromagnetic field to detect foreign objects placed or mounted on an ATM's fascia;
  • Camera surveillance, which can recognize when a foreign object is placed on an ATM;
  • Devices that sense vibration, such as when an ATM is drilled to attach a skimmer.

There is no single 'silver bullet' to overcome the increasingly serious skimming threat, in which criminals continually work to defeat vendors' evolving anti-skimming technologies. Therefore, a multilayered approach to ATM security is what is needed.

Friday, August 20, 2010

Privacy and Data Breaches

Why are data breaches a concern?

Any breach of the secure storage of customers’ personal information can result in the release of personal, identifying information of an individual. That personal information may be sufficient to allow an unauthorised person to assume the identity of the victim and use that illicit identity to open, for example, new accounts in the victim’s name.

Why don't organizations take data security seriously?

Last year’s Heartland Payment Systems’ spectacular data breach stemmed from errors that allowed hackers to break into the payment processor’s networks and steal data on approximately 130 million credit and debit cards over several months.

But most data breaches do not involve sophisticated hackers. They usually result from not following simple procedures.

In 2009, the UK Financial Services Authority (FSA) fined three HSBC firms over £3 million for not having adequate systems and controls in place to protect their customers’ confidential details from being lost or stolen. These failings contributed to customer data being lost in the post on two occasions.

During its investigation into the firms’ data security systems and controls, the FSA found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft.

In April 2007, HSBC Actuaries lost an unencrypted floppy disk in the post, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers.

In February 2008 HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders in the post. The confidential information on both disks could have helped criminals to steal customers’ identities and commit financial crime.

The firms have taken a number of remedial actions to address the concerns raised, including contacting the customers concerned, improving their staff training and requiring that all electronic data in transit is encrypted.

In the last four years, the FSA has also fined Capita Financial Administrators £300,000; Nationwide £980,000; BNP Paribas Private Bank £350,000; Norwich Union £1,260,000; and Merchant Securities £77,000 for failings relating to data security lapses and fraud.

Avoiding breaches

We can learn from an analysis of breaches notified in the US. Verizon’s 2009 Data Breach Investigations Report concluded:
  • 74 per cent were caused externally, 20 per cent internally;
  • 67 per cent were aided by errors, 22 per cent involved privilege misuse;
  • 69 per cent were discovered by a third-party, 87 per cent were considered avoidable through simple controls.
The five recommendations were:
  • Ensure essential controls are met
  • Have data retention policies: find, track, and assess data
  • Collect and monitor event logs
  • Audit user accounts and credentials
  • Test and review web applications.
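To show what "collect and monitor event logs" and "audit user accounts and credentials" look like in practice, here is an added Python example (not from the Verizon report or this post) that runs a few monitoring rules over constructed syslog-style authentication lines. The log format, host and account names, addresses, business-hours window and failure threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines; the hostname, accounts and addresses are made up.
LOG_LINES = """\
Aug 30 02:14:07 fileserver sshd[2201]: Accepted password for SysAdmin from 10.0.5.77 port 51234 ssh2
Aug 30 09:02:11 fileserver sshd[2310]: Accepted publickey for jdoe from 10.0.1.12 port 50011 ssh2
Aug 30 09:05:40 fileserver sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/tar czf /backup/db.tgz /var/lib/db
Aug 30 22:41:03 fileserver sshd[2550]: Failed password for rroe from 203.0.113.9 port 40022 ssh2
Aug 30 22:41:05 fileserver sshd[2550]: Failed password for rroe from 203.0.113.9 port 40022 ssh2
Aug 30 22:41:08 fileserver sshd[2550]: Failed password for rroe from 203.0.113.9 port 40022 ssh2
Aug 30 22:41:12 fileserver sshd[2550]: Failed password for rroe from 203.0.113.9 port 40022 ssh2
Aug 30 22:41:15 fileserver sshd[2550]: Failed password for rroe from 203.0.113.9 port 40022 ssh2
Aug 30 22:41:20 fileserver sshd[2551]: Accepted password for rroe from 203.0.113.9 port 40023 ssh2
"""

SSH_RE = re.compile(
    r"^(\w{3} +\d+ (\d{2}):\d{2}:\d{2}) \S+ sshd\[\d+\]: (Accepted|Failed) \w+ for (\S+) from (\S+)")
SUDO_RE = re.compile(
    r"^(\w{3} +\d+ (\d{2}):\d{2}:\d{2}) \S+ sudo: +(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

SHARED_ACCOUNTS = {"sysadmin", "admin", "root", "operator"}   # accounts not tied to a person
BUSINESS_HOURS = range(8, 19)                                  # assumption: 08:00-18:59
FAILURE_THRESHOLD = 5                                          # assumption


def monitor(lines):
    """Apply the monitoring rules and return (timestamp, alert) pairs."""
    alerts = []
    failures = defaultdict(int)          # (user, source address) -> failed-login count
    for line in lines.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts, hour, result, user, src = m.groups()
            hour = int(hour)
            if result == "Failed":
                failures[(user, src)] += 1
                if failures[(user, src)] == FAILURE_THRESHOLD:
                    alerts.append((ts, f"{FAILURE_THRESHOLD} failed logins for {user} from {src}"))
                continue
            # Successful login: who, when, and what came before it.
            if user.lower() in SHARED_ACCOUNTS:
                alerts.append((ts, f"login with shared account {user} from {src}"))
            if hour not in BUSINESS_HOURS:
                alerts.append((ts, f"out-of-hours login by {user} from {src}"))
            if failures[(user, src)] >= FAILURE_THRESHOLD:
                alerts.append((ts, f"successful login by {user} from {src} "
                                   f"after {failures[(user, src)]} failures"))
            continue
        m = SUDO_RE.match(line)
        if m:
            ts, _hour, user, target, cmd = m.groups()
            # Every use of privilege is recorded by name, as the post above asks for.
            alerts.append((ts, f"privileged command by {user} as {target}: {cmd}"))
    return alerts


if __name__ == "__main__":
    for ts, msg in monitor(LOG_LINES):
        print(ts, msg)
```

A real deployment would read from a central log collector and tune the window and threshold to the environment; the point is that the shared-account login and the late-night success after repeated failures are invisible unless the logs are both collected and looked at.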

Wednesday, August 18, 2010

'Free' iPad scam fooling Facebook friends

It's also happening on Twitter

Apple's popularity with the iPod and iPhone attracted a slew of scammers, and now the latest con involves a free iPad offer from a Facebook friend.

The scammers claim it's a special promotion, but once you sign up for the 'free' offer, you are usually asked to take an online quiz and provide your cell phone number so the results can be sent to your phone.

Instead, the scammers use your cell number to sign you up for a premium cell phone service, which can cost as much as $10 a week until you unsubscribe. Facebook is taking steps to block the hackers, but new iPad scams keep popping up. It's also happening on Twitter. Experts say you should never provide a cell phone number, because scammers can sign you up for services you don't want.

Monday, August 16, 2010

SEO Poisoning Attack

A Look Inside How It Works

One of the biggest risks that users run across during their everyday Internet browsing at the moment is from what security researchers call search engine optimization poisoning, or SEO poisoning. Criminal hackers are taking advantage of our blind trust in popular search engines such as Google and Bing to trick us into clicking on malicious links.

The bad guys use blackhat SEO techniques to boost the page rankings of their bogus sites. As these higher-ranked sites start breaking into the top 10 and top 20 results for a popular search term, users are lured into trusting the links.

Capitalizing on anything from the Haiti earthquake to Mel Gibson’s rants to the World Cup, these hackers use the links to bait users and then reel them in with malicious downloads. Users unwittingly click on a malicious link because of their trust in the search engine. Channel Insider examines just how SEO poisoning is carried out by these bad guys and how common it is to see malicious links within legitimate search results.

Step 1: Compromise legitimate web sites
These will be used to form the foundation of the attack.

Step 2: Create SEO-friendly fake pages related to popular search topics on compromised sites
In the past year hackers have taken advantage of user curiosity about the Olympics, the Haiti earthquake, Corey Haim's death, the World Cup and Mel Gibson's recent craziness to formulate their SEO poisoning attacks.

Step 3: Use Google Hot Trends to search for popular terms
Hackers leverage the hottest search terms and then stuff their fake pages with additional relevant key phrases that track well with the most common way users phrase their searches.

Step 4: Crosslink with other SEO poisoned pages to boost page rankings
Hackers work on scale, with a web of hundreds of crosslink pages to ensure that their malicious sites make it to the top of the page rankings for any given search term.

Step 5: Cloak malicious content from spiders and security researchers
The reason SEO poisoning attacks have been difficult to stymie is that the hackers shield their attacks from search engine detection and from security do-gooders. When a crawler views a poisoned page, it is served an alternative non-malicious page stuffed with relevant keywords and links to other poisoned pages; traffic that does not come from a search engine is likewise directed to non-malicious content.

Step 6: Deliver payload
If the traffic does come from a search engine, hackers will serve up the bad content. Right now, researchers report that the bulk of SEO poisoning attacks are used to send users to a fake AV scan page to convince them to install bogus AV 'scareware.'
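An added Python example, not from the Channel Insider piece, of how a defender can check a suspect URL for the cloaking described in steps 5 and 6: the same page is requested under several personas and the responses are compared. The HTTP client here is a constructed stand-in (fake_fetch) that behaves the way the article describes a poisoned page behaving; the persona header values are illustrative strings, and in real use fetch would be a function that performs the HTTP request.

```python
import hashlib

# Request personas to compare. The header values are illustrative (an
# assumption), not a claim about what any real crawler or browser sends.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
PERSONAS = {
    "direct": {"User-Agent": BROWSER_UA, "Referer": ""},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; ExampleBot/1.0)", "Referer": ""},
    "from_search": {"User-Agent": BROWSER_UA,
                    "Referer": "http://www.google.com/search?q=popular+topic"},
}


def fake_fetch(url, headers):
    """Constructed stand-in for an HTTP client, returning (status, body).
    It mimics the behaviour the article describes: keyword filler for
    crawlers, a harmless page for direct visitors, and a redirect only for
    visitors arriving from a search engine."""
    if "Bot" in headers["User-Agent"]:
        return 200, "<html>popular topic popular topic <a href='/p2'>more</a></html>"
    if "/search?" in headers["Referer"]:
        return 302, "Location: http://scareware.invalid/scan"
    return 200, "<html><p>Nothing to see here.</p></html>"


def fingerprint(status, body):
    """Compare responses by status plus a short digest rather than full text."""
    return status, hashlib.sha256(body.encode()).hexdigest()[:12]


def check_cloaking(url, fetch=fake_fetch):
    """Fetch url under each persona and report whether the responses differ."""
    seen = {}
    for name, hdrs in PERSONAS.items():
        first = fingerprint(*fetch(url, hdrs))
        second = fingerprint(*fetch(url, hdrs))
        if first != second:
            # Content that changes between identical requests (rotating ads,
            # timestamps) cannot be compared across personas reliably.
            return {"cloaked": None, "reason": f"unstable content for persona {name}",
                    "responses": {}}
        seen[name] = first
    differing = sorted(n for n, fp in seen.items() if fp != seen["direct"])
    return {"cloaked": bool(differing), "differs_from_direct": differing, "responses": seen}


if __name__ == "__main__":
    print(check_cloaking("http://example.invalid/popular-topic"))
```

Each persona is fetched twice so that a page which simply varies per request is reported as unstable rather than as cloaked; only a stable page that answers the crawler or the search-referred visitor differently from a direct visitor is flagged.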

SEO Poisoning By The Numbers
  • Symantec found that on average 115 of the 300 most popular search terms contained at least 10% malicious links.
  • Users have a 1 in 3 chance of coming across a malicious link via searches, according to Symantec.
  • Typically, 15 links out of the first 70 results were malicious for search terms that were found to be poisoned, according to Symantec researchers.

Thursday, August 12, 2010

Internet Explorer 9 to launch to public on 15 September

IE9 will not run on Windows XP

Microsoft yesterday updated its bare-bones preview of Microsoft Internet Explorer 9 (IE9) for the last time, saying that the next release would be a beta build.

Although Microsoft hasn't named a release date for IE9's beta, the six-to-eight week stretch between each Platform Preview may provide a clue: if the company sticks to the same gap between the fourth preview and the beta, the latter should show up on or after September 15, confirming previous messages from Microsoft.

In IE9 Platform Preview 4, Microsoft has integrated its new JavaScript engine into the browser, finished its work on hardware acceleration and boosted performance in several areas, including the Acid3 test, said the IE team's leader.

"The IE9 platform is nearly complete," said Dean Hachamovitch, general manager of IE, in a detailed post on the browser's blog Wednesday.

Unlike production versions, the IE9 preview can run alongside other editions, such as IE7 on Vista or IE8 on Windows 7. However, neither the Platform Preview nor the final version of IE9 will run on Windows XP, a sticking point with some users of that nine-year-old operating system.

Refer here for details.

Tuesday, August 10, 2010

Inside Mozilla's Firefox 4 Security

Content Security Policy (CSP) system will help to mitigate clickjacking

Open source browser vendor Mozilla is readying an ambitious new release of its Firefox Web browser. The third beta of Firefox 4, set to debut sometime this month, is expected to include more stability, features and performance improvements over earlier versions.

Among the areas that Mozilla is focusing on with Firefox 4 are a number of new security features that it says will make the browser even more secure than earlier versions. The new Firefox 4 browser development comes as rival Microsoft pushes its Internet Explorer 9 platform forward and Google continues to accelerate its Chrome browser development.

One of the new security features in Firefox 4 is the Content Security Policy (CSP) effort.

"Content security policy is focused on Cross Site Scripting (XSS) mitigation so it prevents injected scripts from actually running," Brandon Sterne, security program manager at Mozilla, told InternetNews.com. "The site gets to declare a policy that the Firefox browser will then apply to the page and then any content that hasn't been blessed by the site won't be loaded or executed."

Refer here to read more details.
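An added Python example (not Mozilla's code) of the decision Sterne describes: given the policy a site declares, which scripts may run on the page. It implements script-src matching for 'self', 'unsafe-inline', '*' and host sources with a wildcard subdomain, and falls back to default-src when script-src is absent; nonces, hashes, ports and paths, which the full specification also handles, are left out. SAMPLE_POLICY and SAMPLE_PAGE are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample policy and page (assumptions, not from any real site).
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com *.trusted.example"
SAMPLE_PAGE = "https://www.example.com/account"


def parse_policy(policy):
    """Split "a b c; d e" into {'a': ['b', 'c'], 'd': ['e']}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_matches(pattern, host):
    """Host-source matching: exact host, '*' for any, or '*.example' for subdomains."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # '*.trusted.example' -> '.trusted.example'
    return host == pattern


def _source_matches(src, script_url, page_url):
    """Does one source expression permit loading script_url into page_url?"""
    s, page = urlsplit(script_url), urlsplit(page_url)
    if src.startswith("'"):
        # Keyword sources: only 'self' can match an external URL here;
        # 'none', 'unsafe-inline', nonces and hashes never do.
        return src == "'self'" and (s.scheme, s.netloc) == (page.scheme, page.netloc)
    if "://" in src:
        scheme, host = src.split("://", 1)
        if scheme.lower() != s.scheme:
            return False                        # https://cdn... does not cover http://cdn...
    else:
        host = src                              # scheme-less host source
    host = host.split("/")[0].split(":")[0]     # ports and paths are not modelled
    return _host_matches(host.lower(), (s.hostname or "").lower())


def script_allowed(policy, page_url, script_url=None):
    """script_url=None stands for an inline <script> block."""
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True                             # no directive governs scripts
    if script_url is None:
        return "'unsafe-inline'" in sources     # inline code needs an explicit opt-in
    return any(_source_matches(src, script_url, page_url) for src in sources)


if __name__ == "__main__":
    for url in (None, "https://www.example.com/app.js", "https://evil.example/x.js"):
        print(url, script_allowed(SAMPLE_POLICY, SAMPLE_PAGE, url))
```

Firefox 4 read the policy from the X-Content-Security-Policy response header; the standardized header name is Content-Security-Policy. The case that matters for XSS is the inline one: a script injected into the page body is refused unless the site has explicitly opted in with 'unsafe-inline', which is why a policy that omits it stops injected scripts from running.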

Monday, August 9, 2010

Watch out for the latest scam trend using "StarCraft 2"

'StarCraft 2' Phishing Scams Deploying Via Email

At least one version of this scheme will open up with the line, "Hello, thank you for shopping at the Blizzard Store!" according to a post on Siliconera. The first prescribed step in the email asks the user to create a Battle.net account at a URL that doesn't belong to Blizzard.

Senders' email addresses can be faked, so just because your message claims to come from Blizzard doesn't always mean that it's the real deal. Free keys or keys that come bearing receipts for purchases you didn't make are also good indicators that your email is probably a phony.

Ultimately, it's never a bad idea to check out Blizzard's Battle.net security page to make sure you're taking the proper precautions, and if you think you may have already made a terrible mistake and left yourself vulnerable to hackers, Battle.net has a response team set up to aid you in dealing with that as well.

Malware in "StarCraft 2" may only be a problem with illegally pirated copies, but emails phishing for passwords have been circulating, and Battle.net users should be on the lookout for fraudulent messages that come bearing fake product keys. The scam inserts a malicious URL in place of the legitimate Battle.net login and proceeds to request personal information, so be sure to vet any unsolicited email claiming to be from Blizzard before clicking through to any unsavory links.
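An added Python example (not from the post, and not Blizzard's tooling) of the vetting the post recommends: pull the links out of an email and decide whether each one really belongs to the legitimate domains. The trusted-domain list, the constructed sample email and the lookalike heuristic are assumptions; the registrable-domain logic takes the last two labels, which is enough for .net and .com, while a production tool would use the Public Suffix List, and homoglyph (IDN) tricks are not covered.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only registrable domains the real store and login use.
TRUSTED_DOMAINS = {"battle.net", "blizzard.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message modelled on the opening line the post quotes.
SAMPLE_EMAIL = """Hello, thank you for shopping at the Blizzard Store!
Step 1: create your Battle.net account at http://battle.net.account-verify.example/signup
Step 2: review your order at https://us.battle.net/account/
"""


def registrable_domain(hostname):
    """Last two labels of the host. Enough for .net/.com; a production tool
    would use the Public Suffix List to handle names like example.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url):
    parts = urlsplit(url)
    # .hostname drops userinfo and port, so http://battle.net@evil.example/
    # is seen as evil.example, not as battle.net.
    host = parts.hostname
    if not host:
        return "unparseable"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted" if parts.scheme == "https" else "trusted-domain-but-not-https"
    # Heuristic: a trusted brand name buried inside an unrelated host
    # (battle.net.evil.example, battle-net.example) is a classic lookalike.
    flat_host = host.lower().replace(".", "").replace("-", "")
    if any(t.split(".")[0] in flat_host for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "untrusted"


def classify_email(body):
    """Map every URL found in the message to its classification."""
    return {url: classify_link(url) for url in URL_RE.findall(body)}


if __name__ == "__main__":
    for url, verdict in classify_email(SAMPLE_EMAIL).items():
        print(f"{verdict:30} {url}")
```

The two tricks worth noticing are the ones the heuristic is built around: a real brand name placed in front of an unrelated domain, and a brand name placed in the userinfo part of the URL before an "@", which a casual reader takes for the hostname.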

Sunday, August 8, 2010

Unpatched kernel-level vuln affects all Windows versions

No reports of the vulnerability being exploited in the wild

Researchers have identified a kernel-level vulnerability in Windows that allows attackers to gain escalated privileges and may also allow them to remotely execute malicious code. All versions of the Microsoft OS are affected, including the heavily fortified Windows 7.

The buffer overflow, which was originally reported here, can be exploited to escalate privileges or crash vulnerable machines, IT research company Vupen said. The flaw may also allow attackers to execute arbitrary code with kernel privileges.

The bug resides in the “CreateDIBPalette()” function of a device driver known as “Win32k.sys.” It is exploited by pasting a large number of color values into an improperly allocated buffer, potentially allowing attackers to sneak in malicious payloads, vulnerability tracking service Secunia warned.

Refer here to read more details.

Wednesday, August 4, 2010

iPads open to attack

Drive-by attack could enslave iPad, iPhone

A newly discovered vulnerability in the software that runs Apple's iPad and iPhone could allow hackers to remotely enslave the popular mobile devices.

The flaw, which affects Apple's iOS (the software that also runs the iPod Touch), could allow hackers to take complete control. Attackers could trick a user into visiting a website with a tainted PDF to infect the devices. Apple is now investigating the report.

Monday, August 2, 2010

ATMs accessed with $10 key - Can also attack remotely

A hacker has stolen the show at a security conference by forcing ATMs to spit out cash.

Barnaby Jack spent two years tinkering in his Silicon Valley apartment with ATMs he bought online. They were standalone machines, the type seen in convenience stores, rather than the ones in bank branches. His goal was to find ways to take control of ATMs by exploiting weaknesses in the computers that run the machines.

At the Black Hat conference - an annual gathering devoted to exposing the latest computer-security vulnerabilities - he made three ATMs disgorge thousands of dollars onto the floor.

Upping the cool stakes, Mr Jack also forced the machines to display the word "Jackpot" while they were haemorrhaging cash. His talk was one of the conference's most widely anticipated, as it had been pulled a year ago over concerns that fixes for the ATMs wouldn't be in place in time.

Refer here to read more details.

Sunday, August 1, 2010

Hackers dupe world's biggest companies

The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.

Hackers at an infamous DefCon gathering are proving that old-fashioned smooth talk rivals slick software skills when it comes to pulling off attacks on computer networks.

A first-ever "social engineering" contest challenges hackers to call workers at 10 companies, including technology titans Google, Apple, Cisco and Microsoft, and get them to reveal too much information to strangers.

"Out of all the companies called, not one company shut us down," said Offensive Security operations manager Christopher Hadnagy, part of the social-engineer.org team behind the competition.

The team kept hackers within the boundaries of the law, but had them coax out enough information to show that workers would have unintentionally made it easier to attack networks. Workers who unknowingly ended up on calls with hackers ranged from a chief technical officer to IT support personnel and sales people.

Refer here to read more; it's worth reading.