Tuesday, May 31, 2011

Cybercriminals have one motivation in mind: To make money!

Beware: Fraudster Airline Agencies

Consider a customer of a fraudster-operated travel agency who has just got the travel deal of a lifetime: he was able to purchase a $1,000 airline ticket for just $200. Advised by the dealer to purchase the ticket under a different identity, the cybercriminal is then referred to another underground service provider that can supply him with a stolen passport, so he can be anyone he wants to be on his trip. He has decided to take a European vacation, so he will need a passport.

"Welcome to Scanlab... the largest collection of documents on the Web"

(Website setup by Cybercriminals for fraudulent activity)

Legitimate online travel agencies are getting competition from the darkest corners of the Internet – the black market. Fraudster travel agencies are springing up all over the cybercriminal underground and offering unbeatable prices for worldwide airline tickets to other fraudsters. How are they able to do it? There are two main ways they accomplish this:

The most common way is to use stolen credit cards to purchase airline tickets. A recently released report showed that airlines lost nearly $1.4 billion in 2010 due to online payment fraud. As you can see in Figure 1, a criminal offering a fraudster-operated ticketing service offers to sell tickets for any kind of travel with a “99.99% assured success” rate and at only 20-30% of the face value of the ticket. (Of course, the criminal buyer pays the fraudulent ticket agency using a stolen card as well.)

The second way, while not nearly as common but growing in popularity, is to secure access to consumers’ loyalty and rewards program accounts and cash out available points in exchange for travel vouchers. RSA has witnessed multiple phishing attacks recently targeting airline customers with the goal of obtaining their login credentials in order to monetize their reward points.

Friday, May 27, 2011

Fake (Rogue) AV installs on Mac without "PASSWORD"

Securing Your Mac from the new MacGuard malware variant

A new version of rogue antivirus malware that targets the Macintosh operating system does not need victims to type in their administrator passwords to install and infect the machine, a security company said today.

The latest version of the malware has been overhauled to look like a native Mac OS X application and is using the application name MacGuard, according to an Intego blog post. But particularly concerning is the fact that unlike previous versions, which were dubbed Mac Defender, MacProtector, and MacSecurity, MacGuard installs itself without prompting for the admin password.

If Safari's 'Open safe files after downloading' option is checked, the package will open Apple's Installer, and the user will see a standard installation screen. If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.

Since any user with an administrator's account--the default if there is just one user on a Mac--can install software in the Applications folder, a password is not needed. This package installs an application--the downloader--named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original Installer are left behind.

The MacGuard program is downloaded by the avRunner application from an IP address that is hidden using steganography in an image file in the Resources folder of avRunner.

Web pages that look like a Finder window and appear to be scanning the computer are bogus, Intego said. Users should leave the page, quit the browser, and quit the Installer application immediately if anything has downloaded, as well as delete any associated file from the Downloads folder. Also, users should uncheck the "Open safe files after downloading" option in Safari's General Preferences, Intego advises.

In an Apple support article, the company said "in the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware."

The malware keeps changing names and appearances. It is designed to trick people into paying for supposed antimalware software that they don't need.

More information about how it operates is in this FAQ, information about how to remove it is here, and a comprehensive article about how to secure your computer against MacGuard is here.
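The two conditions Intego describes, Safari auto-opening "safe" downloads and a rogue-AV bundle sitting in the Applications folder, can be audited from a script. The following Python is an added example, not code from Intego, Apple or this blog; the preference key name, the file locations and the sample plist and folder it builds are assumptions so that it runs anywhere.

```python
import os
import plistlib
import tempfile

# Application names the post lists for this rogue-AV family, plus the
# avRunner downloader that the MacGuard installer drops.
ROGUE_AV_NAMES = {"Mac Defender", "MacProtector", "MacSecurity", "MacGuard", "avRunner"}

# Assumption: Safari keeps the "Open safe files after downloading" checkbox
# under this key in com.apple.Safari.plist; the checkbox is on by default.
SAFARI_AUTO_OPEN_KEY = "AutoOpenSafeDownloads"


def safari_auto_open_enabled(plist_path):
    """True if Safari will auto-open 'safe' downloads. A missing file or a
    missing key means the default (enabled) is in effect."""
    if not os.path.exists(plist_path):
        return True
    with open(plist_path, "rb") as fh:
        prefs = plistlib.load(fh)
    return bool(prefs.get(SAFARI_AUTO_OPEN_KEY, True))


def find_rogue_apps(applications_dir):
    """Return .app bundle names in applications_dir whose base name matches
    one of the rogue-AV names, ignoring case and spaces."""
    wanted = {n.replace(" ", "").lower() for n in ROGUE_AV_NAMES}
    hits = []
    for entry in sorted(os.listdir(applications_dir)):
        base, ext = os.path.splitext(entry)
        if ext == ".app" and base.replace(" ", "").lower() in wanted:
            hits.append(entry)
    return hits


def audit(plist_path, applications_dir):
    """Run both checks and return a list of findings (empty means clean)."""
    findings = []
    if safari_auto_open_enabled(plist_path):
        findings.append("Safari 'Open safe files after downloading' is enabled")
    for app in find_rogue_apps(applications_dir):
        findings.append("rogue AV artifact present: " + app)
    return findings


def demo(auto_open=True, install_avrunner=True):
    """Constructed sample environment: a Safari plist and an Applications
    folder written to a temp dir, then audited. Returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        plist_path = os.path.join(root, "com.apple.Safari.plist")
        with open(plist_path, "wb") as fh:
            plistlib.dump({SAFARI_AUTO_OPEN_KEY: auto_open}, fh)
        apps = os.path.join(root, "Applications")
        os.makedirs(os.path.join(apps, "Safari.app"))
        if install_avrunner:
            os.makedirs(os.path.join(apps, "avRunner.app"))
        return audit(plist_path, apps)


if __name__ == "__main__":
    # On a real Mac the inputs would be ~/Library/Preferences/com.apple.Safari.plist
    # and /Applications; here the constructed sample environment is audited.
    for line in demo() or ["no findings"]:
        print(line)
```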

Tuesday, May 24, 2011

2011 Information Security Virtual Conference

Free conference worth attending

The conference sessions cover a wide variety of topics, including:

Building Trust in the Cloud – This session will look at how to turn the concept of a trusted cloud into reality.

Smart phones, apps, and crowd sourcing – This session will look at crowd sourcing, application security, and just what employees are – and should – be using their work smart phones for.

Malware: The Bad, the Ugly, and the Uglier – It has been predicted by industry experts for some time now that malware – botnet-type malware, in particular – will continue to become more sophisticated and more threatening. The word 'stuxnet' proves this to be true. In this session you will discover the anatomy of the virus and its attacks, and learn how to put defenses in place to stop a breach. This session will also take a look at what malware has in store for us in 2011.

How to educate your workforce – It is time to update awareness campaigns and make educational programs interesting, and dare we say it, enjoyable. This session will tell you how!

Getting Ready for Cyberwar: Protecting the CNI – This session hopes to answer these big, and very important, questions.

Forensic Analysis in the Cloud – This session will examine the questions you need to ask, and the agreements that should be in place, before you hand your infrastructure, platforms, and/or data over to a cloud provider.

Preventing Insider Data Leak - This session will offer advice on how to plug those holes which could lead to the loss of company data.

The death of endpoint security? – This session will examine exactly what a data-centric approach to security entails, and what the future holds for end point device security.

Full conference programme available here.

Sunday, May 22, 2011

How to Develop & Maintain Information Security Policies & Procedures

A one-hour presentation designed for professionals who are responsible for writing, approving or reviewing security policies or procedures

Information security policies and procedures are the cornerstone of any information security program - and they are among the items that typically receive the greatest scrutiny from examiners and regulators.

But beyond satisfying examiners, clear and practical policies and procedures define an organization's expectations for security and how to meet those expectations. With a good set of policies and procedures, employees, customers, partners and vendors all know where you stand and where they fit in regarding information security.

The key to creating effective policies and procedures is to start with a solid risk assessment, and then follow a measured program that includes:
  • Implementation
  • Monitoring
  • Testing
  • Reporting
The webinar from Banking Information Security is designed for IT professionals, risk managers, auditors or compliance officers who are responsible for writing, approving or reviewing security policies or procedures.

It's a daunting task to create effective policies and procedures, and it's ongoing work to monitor and maintain them. But in this age of endless information security threats, please remember: Policies and procedures aren't just a "nice to have" - they're a must.

Information security policies and procedures are the cornerstone of any information security program - and they are among the items that typically receive the greatest scrutiny from examiners and regulators. Cursory, disconnected or poorly communicated security policies will fail and likely drag down the overall information security program with them.

Register for this webinar to learn:
  • How to ensure your policies map to your own institution's risk profile;
  • How to structure your policies and presentations to senior management and board members;
  • The basics of information security policies and what they must cover.

Saturday, May 21, 2011

International Cyber Security Strategy from White House

Protecting Nation’s Critical Infrastructure

The Obama administration, in a White House event Monday that featured four cabinet secretaries, issued its international cybersecurity strategy with the goal to work with other nations to promote an open, interoperable, secure and reliable information and communications infrastructure that supports global trade and commerce, strengthens international security and fosters free expression and innovation.

To achieve that goal, the strategy says, cooperation among nations is needed to build and sustain an environment in which norms of responsible behavior guide states' actions, sustain partnerships and support the rule of law in cyberspace.

Clinton outlined the seven principles in the international cybersecurity framework:

Economic engagement: Promoting international standards, innovation and open markets to ensure that cyberspace serves the needs of the global economies and innovators.

Protecting networks: Enhancing security, reliability and resiliency because strong cybersecurity is critical to national and economic security in the broadest sense.

Law enforcement: Extending collaboration and the rule of law to strengthen confidence in cyberspace and pursue those who would exploit online systems.

Military cooperation: Preparing for 21st century security challenges because the nation's commitment to defend its citizens, allies and interests extends to wherever they might be threatened.

Multi-stakeholder Internet governance: Fostering governance structures that effectively serve the needs of all Internet users.

International development: Building capacity, security and prosperity to promote the benefits of networked technology globally, enhance the reliability of shared networks and build a community of responsible stakeholders in cyberspace.

Internet freedom: Supporting fundamental freedoms and privacy to help secure fundamental freedoms as well as privacy in cyberspace.

The release of the international cybersecurity policy is the second major Obama administration IT security initiative in as many weeks. On Thursday, the White House introduced a cybersecurity legislative package that would codify the Department of Homeland Security as the lead agency in protecting federal civilian agencies and the national critical IT infrastructure as well as nationalize data breach notification and the toughening of penalties for cybercrimes (see White House Unveils Cybersecurity Legislative Agenda).

Friday, May 20, 2011

Facebook caught exposing millions of user credentials

App bug overrides user privacy settings

Facebook has leaked access to millions of users' photographs, profiles and other personal information because of a years-old bug that overrides individual privacy settings, researchers from Symantec said.

The flaw, which the researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys that Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits.

The Symantec researchers said Facebook has fixed the underlying bug, but they warned that tokens already exposed may still be widely accessible. “There is no good way to estimate how many access tokens have already been leaked since the release [of] Facebook applications back in 2007,” Symantec's Nishant Doshi wrote in a blog post published on Tuesday. “We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers.”

Refer here to read more details.

Wednesday, May 18, 2011

Protecting against the Malware and other Security Risks

Latest Information Security Whitepapers

Here are some new security white papers I'd like to share - I hope you find them interesting (registration required).

Embracing Employee-Acquired Smartphones without Compromising Security

Protecting Against the New Wave of Malware

Social Networking and Security Risks

PCI Compliance for Dummies Guide

Security Considerations for Small and Medium-Sized Enterprises

Monday, May 16, 2011

Encryption: Neither improves security postures nor decreases risk?

Outsourcers blamed for most data breaches in Australia

Australian IT managers have shunned platform-based encryption technology, claiming that it neither improves security postures nor decreases risk, according to a Ponemon Institute survey.

The survey on encryption trends was funded by Symantec. It polled 477 Australian IT professionals with an average of nine years IT security experience who worked in roles that “directly implemented encryption technologies”.

Eighty-eight percent had “declining impressions” of the ability of platform-based encryption to improve the “effectiveness and efficiency” of IT security.

But most of the 21 percent who used platform-based encryption said it improved security.

Of those using the technology, most said it reduced operational costs and redundant administrative tasks, and provided consistent policy enforcement across applications.

About a quarter of respondents to the survey said their business had more than five data breach incidents in 2010, slightly more than those who reported none.

Ninety percent reported that loss or theft of sensitive information was likely, ahead of probable unauthorised access to virtualised systems, and network malware infections.

A separate study run and funded by the same organisations blamed outsourcers for most data breaches in Australia.

It found the average cost of data breaches totalled an average of $2 million, a figure unchanged over the last 12 months.

The study polled 19 Australian companies that lost between 3,200 to 65,000 records last year.

Each lost record cost an average of $128, and total repatriation costs tipped $4.2 million - up 5 percent since 2009.

The Ponemon Institute’s first data breach study ran in the US in 2005.

Saturday, May 14, 2011

Tips for Mobile Risk Management

Simple tips can be taken to mitigate risks from Mobile Devices

Mobile devices are changing the business landscape. Deployment of mobile devices can present a significant amount of risk to the overall enterprise security posture. Ironically, many of the risks associated with mobile devices exist because of their biggest benefit: portability.

Deploying mobile devices cannot be addressed solely as a technical activity, as they affect the organizational information flow and the business processes of the enterprise from many perspectives. Some special considerations that organizations should bear in mind when considering deployment of mobile devices include:

Policy: Does a security policy exist for mobile devices? Does it include rules for appropriate physical and logical handling? The enterprise should have a policy addressing mobile device use and specifying the type of information and kind of devices and information services that may be accessible through the devices. The policy should also cover devices that are owned by the organization as well as devices that are owned by staff, contractors or other external entities.

Network access control: How do you know if the mobile device meets the appropriate software standards before allowing access to the network? If the device is an organization-owned device, there should be regular updates to the antivirus software, or other protection, before allowing a connection to the organizational network to prevent perpetuation of malware. Verify that data synchronization of mobile devices is not set to receive access to shared files or network drives that contain data that are prohibited for mobile use by the policy.

Encryption: Verify that any sensitive information is properly secured while in transit or at rest.

Secure transmission: Determine whether mobile device users are connecting to the enterprise network via a secure connection. Virtual private network (VPN), Internet Protocol Security (IPsec) or Secure Sockets Layer (SSL) can offer some protection.

Device and information management: Is there is an asset management process in place for tracking mobile devices? This asset management program should detail procedures for lost and stolen devices as well as procedures for employees who have been terminated or have resigned from the enterprise. If the device is owned by a staff member, contractor or other external entity, the organization should provide procedures for protecting the information to which it is allowed access.

Awareness training: As a part of a regular awareness program, make clear the importance of securing mobile devices physically and logically. The awareness and training should also make clear the types of information that can and cannot be stored on such devices.

Risk: Mobile devices have the capability to store large amounts of data and present a high risk of data leakage and loss.

As such, mobile device policies should be created and enforced to ensure that information assets are not exposed. At the time of the writing of this article, there were no publicly available standards specific to mobile device management; however, frameworks such as COBIT® and Risk IT: Based on COBIT® can provide a strong foundation for mobile device management.

To find additional resources related to mobile devices, visit the Securing Mobile Devices page of the ISACA web site.

Wednesday, May 11, 2011

Application Security Intelligence

Free Online Event

Forward-thinking organizations have begun to adopt a holistic approach to securing applications rather than investing in perimeter defenses like firewalls and intrusion prevention systems.

Join on May 19th for a full day of interactive webcasts to hear leading IT security experts discuss the role of application security intelligence in enabling software security assurance programs to proactively reduce business risk across the enterprise.

About the event:

"Traditionally, organizations have responded to security threats by investing in perimeter defenses like firewalls and intrusion prevention systems. While effective in the short-term, this approach is simply a bandage that offers reactive protection only, falling short of proactively and programmatically securing the applications and assets that are the lifeblood of any modern business. Recently, some organizations have begun to adopt a holistic and strategic approach to securing their applications. Join us to hear leading software security experts discuss the role of application security intelligence in enabling software security assurance programs to proactively reduce the business risk of insecure software across the enterprise."

Presentations include:

"Application Security Intelligence: Managing Application Risk"
Roger Thornton, CTO & Founder, Fortify Software, an HP company

"Optimizing Security in Software Development: Secure at the Source"
Derek Brink, VP & Research Fellow, Aberdeen Group

"Application Security Strategy in a Mobile World"
John South, CISO, Heartland Payment Systems

"Cloud Security and Its Impact on Application Security"
Dennis Hurst, Founding Member, Cloud Security Alliance

"Addressing the Top 5 Web Application Security Threats"
Dave Wichers, OWASP Board Member & COO, Aspect Security

Sign up to attend any or all of the May 19 webcasts at: http://bit.ly/mPYS1V

Tuesday, May 10, 2011

Metasploit 3.7 Released

Takes Aim at Apple IOS

The open source Metasploit vulnerability testing framework got a major overhaul this week with the release of Metasploit 3.7.

The Metasploit 3.7 release provides an enhanced session tracking backend that is intended to improve performance. Metasploit 3.7 also provides over 35 new exploit modules for security researchers to test, including new ones designed to test Apple's iOS mobile operating system security. The Apple iOS Backup File Extraction module however is not an attack vector for directly exploiting iOS. Rather it is what is known as a post-exploitation module.

The post-exploitation modules (post for short) are designed to run on systems that were compromised through another vector, whether it's social engineering, a guessed password, or an unpatched vulnerability. This module requires iTunes to be installed and for a backup to be accessible that has not been encrypted.

Refer here to read more details.

Saturday, May 7, 2011

Free On-Line CEH Course

Logical Security is providing 25 hours of free CEH on-line training

The video modules are outlined below and can be found here.

Hope you find them useful!

1. Ethical Hacking and Penetration Testing
2. Footprinting and Reconnaissance
3. TCP/IP Basics and Scanning
4. Enumeration and Verification
5. Hacking and Defending Wireless/Modems
6. Hacking and Defending Web Servers
7. Hacking and Defending Web Applications
8. Sniffers and Session Hijacking
9. Hacking and Defending Windows Systems
10. Hacking and Defending Unix Systems
11. Rootkits, Backdoors, Trojans and Tunnels
12. Denial of Service and Botnets
13. Automated Penetration Testing Tools
14. Intrusion Detection Systems
15. Firewalls
16. Honeypots and Honeynets
17. Ethics and Legal Issues

All videos can be viewed at

Thursday, May 5, 2011

Complex Cyber Threats Creating New Managed Security Services Opportunities

Keeping the lights ON!

As breaches and cyber threats continue to mount, so do the government and industry regulations designed to increase enterprise security, fight consumer data theft, and protect the critical infrastructure. And, as the complexities of security and regulatory compliance increase, so does the need for organizations to turn to the expertise of the channel to manage risk more effectively.

According to a recent report by Global Industry Analysts, the market for managed security services will reach $8.4 billion by 2015. A separate report, from the same group, pegs the market for all IT security products and services at $125 billion that same year.

Consider the recent Epsilon breach, where many dozens of companies had their customer contact information stolen. Following that breach, there's been talk in Washington D.C. of even more stringent privacy laws for companies that handle customer data. And this comes at a time when the industry already faces stern data security laws.

Compliance and security-related spending also is increasing in critical infrastructure and utilities.

A recent survey produced by the Center for Strategic and International Studies (CSIS), and funded by IT security firm McAfee, found a startling gap between where critical infrastructure security actually is today and where it should be. The survey consisted of 200 IT security executives from critical power infrastructure providers in 14 countries. It found that 40 percent of those surveyed believe that their industry has become more vulnerable than the prior year; about 30 percent also believe their company is not prepared for a cyber attack.

To improve resiliency against such attacks, the bulk power generation industry is working now to comply better with NERC's Critical Infrastructure Protection (CIP) regulations. CIP regulations are designed to help the bulk power generation and delivery infrastructure by establishing a minimum acceptable level of risk. It does so by requiring thorough log collection and analysis, access control, reporting, deployment of intrusion detection/prevention systems, and other controls. Solution providers who have worked extensively with utilities say that, while many utilities have improved from where they were a few years ago, there still is much more to be done.

To harden those vulnerabilities, utilities are deploying more traditional IT technologies such as firewalls, intrusion detection systems, and security information and event managers around crucial systems. They're also increasing their use of security-related services. We see them requesting more penetration tests, so that utilities obtain a better view of the viability of their entire security architecture.

Please refer here to read this interesting article.

Wednesday, May 4, 2011

"Sony" exposes another 24.6 million accounts

Affected Sony user accounts to be more than 100 million

Just when you thought things couldn’t get any worse for Sony: Hours after shutting down access to its Sony Online Entertainment service, the company announced another security intrusion that exposed information on an additional 24.6 million accounts.

Sony says hackers infiltrated the Sony Online Entertainment (SOE) systems around the same time as the recent break-in to Sony’s PlayStation Network (PSN). Data thieves made away with personal information from approximately 24.6 million SOE accounts, according to Sony.

An “outdated database from 2007” was also copied which included 12,700 credit card and debit card numbers and expiration dates from customers in Austria, Germany, Netherlands and Spain. Sony noted that credit card security codes were not included in that database.

SOE systems power Sony’s multiplayer online games including EverQuest II, Free Realms and DC Universe Online. The service went down Monday morning in the United States with a maintenance message. Sony has since followed up with more details.

Over the weekend Sony executives held a press conference to discuss security problems with its PlayStation Network (PSN) and Qriocity media streaming service. Around April 18, data thieves broke into PSN and Qriocity’s databases and made away with personal information on 77 million account holders, including, possibly, credit card information on about 10 million subscribers.

Please refer here to read further details.

Tuesday, May 3, 2011

'Tricked' RSA Worker Opened Backdoor to APT Attack

Threat Landscape is CHANGING!

A well-crafted e-mail with the subject line "2011 Recruitment Plan" tricked an RSA employee to retrieve from a junk-mail folder and open a message containing a virus that led to a sophisticated attack on the company's information systems.

An Excel spreadsheet attached to the e-mail contained a zero-day exploit that led to the installation of a backdoor virus, exploiting an Adobe Flash vulnerability, which Adobe has since patched, writes Uri Rivner, head of new technologies, identity protection and verification at RSA, in a blog posted Friday.

RSA unveiled on March 17 that an attacker targeted its SecurID two-factor authentication product in what it termed an advanced persistent threat breach. An APT refers to sophisticated and clandestine means to gain continual, persistent intelligence on a group such as a nation or corporation. Rivner's blog is the first substantial public comment on the breach since Coviello's statement.

The exploit injected malicious code into the employee's PC, allowing full access into the machine. The attacker installed a customized variant of a remote administration tool known as Poison Ivy, which has been used in APT attacks against other companies. Such tools set up a reverse-connect model, in which the infected machine pulls commands from the central command and control servers and then executes them, rather than receiving commands pushed from outside, making them harder to detect.

The attacker gained access to staging servers at key aggregation points to prepare for extraction. Next, the attacker accessed servers of interest, moving data to internal staging servers to be aggregated, compressed and encrypted for extraction. Then, the attacker used file transfer protocol to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.

Rivner characterized APT as a new attack doctrine built to evade existing perimeter and endpoint defenses, and analogized an APT attack to stealth jet fighters that circumvent radar.
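The staging-then-FTP sequence described above (archives gathered onto an internal aggregation host, then bulk RAR uploads over cleartext FTP to an outside host) is the kind of pattern a defender can look for in transfer logs. The following Python is an added example, not code from the article or from RSA; the key=value log format, the sample records, the internal address ranges and the alert thresholds are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records (not real RSA logs) in an assumed key=value
# format: two internal shares are pulled onto 10.20.9.4, which then uploads
# three large RAR files by FTP to an outside host.
SAMPLE_LOG = """\
2011-03-05T01:50:03Z src=10.20.5.11 dst=10.20.9.4 proto=smb file=eng_share.rar bytes=314572800
2011-03-05T01:58:44Z src=10.20.7.22 dst=10.20.9.4 proto=smb file=hr_share.rar bytes=157286400
2011-03-05T02:14:07Z src=10.20.7.22 dst=10.20.9.4 proto=smb file=plans.docx bytes=204800
2011-03-05T02:31:52Z src=10.20.9.4 dst=203.0.113.45 proto=ftp file=a1.rar bytes=734003200
2011-03-05T02:40:10Z src=10.20.9.4 dst=203.0.113.45 proto=ftp file=a2.rar bytes=698351616
2011-03-05T02:49:33Z src=10.20.9.4 dst=203.0.113.45 proto=ftp file=a3.rar bytes=712345678
2011-03-05T03:02:41Z src=10.20.7.22 dst=198.51.100.8 proto=https file=index.html bytes=5120
2011-03-05T03:05:12Z src=10.20.3.9 dst=198.51.100.20 proto=ftp file=photos.zip bytes=20971520
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)

ARCHIVE_EXTS = (".rar", ".7z", ".zip")   # compressed containers worth watching
CLEARTEXT_PROTOS = {"ftp"}               # unencrypted bulk-transfer channels
# Assumption: the organisation's internal space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_external(ip_text):
    """True when the address lies outside every internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def is_archive(name):
    return name.lower().endswith(ARCHIVE_EXTS)


def find_exfil_candidates(log_text, min_archives=2, min_bytes=500 * 1024 * 1024):
    """Group cleartext archive uploads by (src, dst) where dst is external and
    report pairs exceeding either threshold as (src, dst, count, total_bytes)."""
    groups = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] not in CLEARTEXT_PROTOS:
            continue
        if not is_archive(rec["file"]) or not is_external(rec["dst"]):
            continue
        g = groups[(rec["src"], rec["dst"])]
        g[0] += 1
        g[1] += rec["bytes"]
    return [(src, dst, n, total) for (src, dst), (n, total) in sorted(groups.items())
            if n >= min_archives or total >= min_bytes]


def find_staging_hosts(log_text, min_sources=2):
    """Internal hosts that receive archives from several distinct internal
    sources look like the aggregation points the article describes.
    Returns (dst, sorted list of sources) pairs."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_archive(rec["file"]):
            continue
        if is_external(rec["src"]) or is_external(rec["dst"]):
            continue
        sources[rec["dst"]].add(rec["src"])
    return [(dst, sorted(s)) for dst, s in sorted(sources.items()) if len(s) >= min_sources]


if __name__ == "__main__":
    for dst, srcs in find_staging_hosts(SAMPLE_LOG):
        print("possible staging host", dst, "fed by", ", ".join(srcs))
    for src, dst, n, total in find_exfil_candidates(SAMPLE_LOG):
        print("possible exfiltration", src, "->", dst, n, "archives,", total, "bytes")
```

The single small photos.zip upload stays below both thresholds, which is the point of combining a count and a volume condition rather than alerting on every archive upload.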

Sunday, May 1, 2011

Majority of BANKS perceive malware to be their biggest threat

Malware is the enemy

In February this year, a Gartner survey of 76 U.S. banks found that a majority of institutions perceive malware to be their biggest threat. But banks, overall, are not making investments and commitments to constantly improve layered security approaches.

By comparison, when surveyed by Gartner in 2008, only 34 percent of these banks said they deemed malware on a bank customer's PC to be a top security threat. In 2010, that response jumped to 79 percent, more than doubling.

In the China-based scheme launched against U.S. commercial customers, the FBI says Zeus, Backdoor.bot and SpyEye were used. One business hit by the malicious software reported its computer's hard drive was infected and erased remotely before the IT department could investigate. Facts about the most common malware:
  • Zeus is capable of stealing multifactor authentication tokens, allowing cyberthieves to log in to bank accounts with user names, passwords and token IDs.
  • Backdoor.bot has worm, downloader, keylogger and spy ability. It allows fraudsters to remotely access an infected computer, deepening the infection by downloading additional malware from a remote server.
  • And SpyEye, a backdoor Trojan, runs as a service process in the background, allowing unauthorized remote access to the compromised computer.
Fraudsters have perfected the multipronged attack technique, first described to the industry by Uri Rivner at RSA over two years ago, involving acquisition of Zeus or a similar Trojan via phishing or drive-by downloads, man-in-the-browser interception of the victim's online banking credentials, subsequent unauthorized access to the victim's account, and use of money mules to move the funds back to the fraudsters' home country.

On the fraud prevention side, small businesses don't understand online fraud risks. In the community bank or credit union space, many institutions outsource to third parties. Those institutions should leverage their relationships to get more sophisticated technology.