Wednesday, August 31, 2011

Free tool for penetration security testing

Automated Pen-Testing Tool

INSECT Pro is a new free tool for penetration testing and the ultimate resource to demonstrate the security or vulnerability of your network. It goes beyond simply detecting vulnerabilities to safely exploiting them. It is the first free integrated vulnerability and penetration testing tool.

This penetration security auditing and testing software solution is designed to allow organizations of all sizes to mitigate, monitor and manage the latest security threats and vulnerabilities, and to implement active security policies by performing penetration tests across their infrastructure and applications.



Insecurity Research offers this tool to evaluate the vulnerabilities on your network. Some features include:
  • Run Faster: because good security testing on its own is not enough
  • Load Better: major graphical interface and optimisation features were implemented
  • Module Search: this version includes a new built-in search feature
  • Improvements and Changes: many more optimisations and updates were added
  • Quality Assurance: reported bugs were patched
Download your copy now from http://www.insecurityresearch.com and put your network security to the test.

Tuesday, August 30, 2011

Singapore Airport enhances airfield security with fibre-optic sensors

No system is fool-proof and perfect

Changi Airport will be the world's first airport to reinforce its perimeter fences with fibre-optic sensors to detect intruders.

More cameras will also be installed at airport boundaries, which will be integrated with the new multi-million-dollar defence system called AgilFence, made by Singapore Technologies (ST) Electronics.

Said Changi Airport Group's executive vice-president (airport management) Foo Sek Min: "No system is fool-proof and perfect."

"And as we review our existing perimeter protection, the introduction of this perimeter intrusion detection system will help us to have a better and faster response if there are any signs of intrusion."

The pressure-sensitive sensors are protected by an armoured casing to prevent tampering and for easy maintenance.

ST Electronics said the system is expected to last a decade, adding that it is immune to electromagnetic and radio frequency interferences, making it effective for deployment in an airfield.

The system is expected to be fully operational by end-2012.

Sunday, August 28, 2011

Must-Read: A New Guide to Facebook Security

16 ways to Stay Safe on Facebook

A new, free guide on Facebook security, though geared for users, details the practices that chief information security officers and other organizational security practitioners should share with their staff to ensure safe Internet hygiene, not only when workers access Facebook from work but also when they use other social media sites.

A Guide to Facebook Security is, in the words of one of its authors, "fun to read and easy to understand."

In 20 pages, the guide explains how users can protect their accounts, avoid scammers and configure advanced security settings. It shows how to use one-time passwords, secure browsing and track account activity as well as explains why account thieves and malware pushers seek account access.

There's a whole section on avoidance: avoiding clickjacking, avoiding malicious script scams, avoiding account thieves and avoiding Facebook gaming scams.

Here are 16 tips the authors present to stay safe on Facebook:
  1. Only friend people you know.
  2. Create a good password and use it only for Facebook.
  3. Don't share your password.
  4. Change your password on a regular basis.
  5. Share your personal information only with people and companies that need it.
  6. Log into Facebook only once each session. If it looks like Facebook is asking you to log in a second time, skip the links and directly type www.facebook.com into your browser address bar.
  7. Use a one-time password when using someone else's computer.
  8. Log out of Facebook after using someone else's computer.
  9. Use secure browsing whenever possible.
  10. Only download apps from sites you trust.
  11. Keep your anti-virus software updated.
  12. Keep your browser and other applications up to date.
  13. Don't paste script (computer code) in your browser address bar.
  14. Use browser add-ons like Web of Trust and Firefox's NoScript to keep your account from being hijacked.
  15. Beware of "goofy" posts from anyone, even friends. If it looks like something your friend wouldn't post, don't click on it.
  16. Scammers might hack your friends' accounts and send links from their accounts. Beware of enticing links coming from your friends.

Friday, August 26, 2011

Mobile users are three times more vulnerable to phishing attacks

As smartphone usage grows exponentially, so does the potential for fraud

A study by Trusteer in early 2011 showed that mobile users are three times more vulnerable to phishing attacks, and a Juniper Networks study published this May shows that instances of malware on Android phones grew 400 percent between summer 2010 and spring 2011. Both banks and consumers need to understand how to detect and prevent fraud so that malware attacks don't grow at the same rate, or exceed the rate, of mobile banking adoption.

Major banks have begun to offer new mobile services in response to this trend. For today's retail banks, mobile banking is seen as table stakes, and new functionality like remote deposit capture is continuously being integrated. There are several touchpoints where mobile banking users are potentially exposed to fraud. Malware and phishing are on the rise.

Transactions can be viewed and intercepted. Fraudulent operating systems and applications can be written for download and used by unsuspecting consumers. And good operating systems and applications can be corrupted.

In addition, wireless networks themselves can pose risks. One particular emerging fraud threat, dubbed a "sidejack" attack, occurs when fraudsters and/or thieves insert themselves into an unsecured Wi-Fi network connection and intercept messages and data that are exchanged.

Consumers also too often conduct mobile banking over insecure networks in places like airports, hotels and libraries. Successful fraud mitigation approaches need to be able to cover consumers at all of these touchpoints.

The key to identifying mobile banking fraud is understanding consumer usage patterns. In normal activity, for example, banking actions like mobile payments and fund transfers take place on demand, with patterns that appear random.

Fraudulent usage patterns for payments, on the other hand, tend to take place several times in a row; and funds transfers could take place several times after that. Fraud analytics, which can build unique, adaptive profiles based on a consumer's real-time mobile banking activity, are emerging because of their ability to monitor transaction patterns and integrate those profiles into data for wireless access points, banking applications, as well as the time of the day and week when the network was used.

Then banks can compare one user's profile to the entire user base, to evaluate and assess whether the patterns fall outside the norm. If the patterns do fall outside the norm, that could be an indicator of suspicious activity. The behavior of mobile bank customers does change over time, as new apps and features are introduced. New pattern-detection technologies are built in to identify out-of-the-ordinary activity for a particular user.

In order to prevent mobile bank fraud, those fraud analytics identify patterns in milliseconds, which is critical. Speed enables a bank to deny a transaction or ask a user for additional user verification, ensuring intentions are proper. Not only does this help a bank ensure a successful customer experience, it also helps avoid aggravating consumers by incorrectly denying a legitimate transaction.
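The adaptive-profile idea described above, as an added example that is not part of the original article: each user's known-good history yields a profile (usual access points, usual hours, largest payment burst), the population supplies a baseline, and a new session is flagged when it deviates from both. The transaction log, the 10-minute burst window and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(minutes=10)  # assumed burst window; a real system tunes this

# Constructed sample activity log: (user, action, local time, access point).
# The final block is a deliberately suspicious session for "alice".
EVENTS = [
    ("alice", "payment",  "2011-08-22 09:15", "home-wifi"),
    ("alice", "transfer", "2011-08-23 18:40", "home-wifi"),
    ("alice", "payment",  "2011-08-24 12:05", "carrier-3g"),
    ("alice", "payment",  "2011-08-25 08:50", "home-wifi"),
    ("bob",   "payment",  "2011-08-22 13:00", "carrier-3g"),
    ("bob",   "payment",  "2011-08-24 19:30", "carrier-3g"),
    ("bob",   "transfer", "2011-08-25 10:10", "office-wifi"),
    ("bob",   "payment",  "2011-08-26 13:20", "carrier-3g"),
    ("alice", "payment",  "2011-08-26 03:01", "airport-free-wifi"),
    ("alice", "payment",  "2011-08-26 03:02", "airport-free-wifi"),
    ("alice", "payment",  "2011-08-26 03:04", "airport-free-wifi"),
    ("alice", "payment",  "2011-08-26 03:07", "airport-free-wifi"),
    ("alice", "transfer", "2011-08-26 03:09", "airport-free-wifi"),
    ("alice", "transfer", "2011-08-26 03:11", "airport-free-wifi"),
]


def parse(rows):
    return [(u, a, datetime.strptime(t, "%Y-%m-%d %H:%M"), ap) for u, a, t, ap in rows]


def max_burst(events, action, window=WINDOW):
    """Largest number of `action` events that fall inside any sliding window."""
    times = sorted(t for _, a, t, _ in events if a == action)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def build_profile(events):
    """Per-user profile learned from known-good history."""
    return {
        "access_points": {ap for _, _, _, ap in events},
        "hours": {t.hour for _, _, t, _ in events},
        "payment_burst": max_burst(events, "payment"),
    }


def population_baseline(profiles):
    """Mean and spread of payment bursts across the whole user base."""
    bursts = [p["payment_burst"] for p in profiles.values()]
    return mean(bursts), pstdev(bursts)


def score_session(session, profile, baseline):
    """Reasons a session deviates from the user's own profile and from the population."""
    pop_mean, pop_sd = baseline
    reasons = []
    pay_burst = max_burst(session, "payment")
    if pay_burst > profile["payment_burst"] and pay_burst > pop_mean + 2 * pop_sd:
        reasons.append(f"payment burst of {pay_burst} within {WINDOW.seconds // 60} min")
    if pay_burst >= 2 and max_burst(session, "transfer") >= 2:
        reasons.append("repeated transfers right after a payment burst")
    unseen = {ap for _, _, _, ap in session} - profile["access_points"]
    if unseen:
        reasons.append(f"unseen access point(s): {sorted(unseen)}")
    odd_hours = {t.hour for _, _, t, _ in session} - profile["hours"]
    if odd_hours:
        reasons.append(f"activity at unusual hour(s): {sorted(odd_hours)}")
    return reasons


def review(rows, cutoff):
    """Profile every user on activity before `cutoff`, then score what came after."""
    history, recent = defaultdict(list), defaultdict(list)
    for ev in parse(rows):
        (history if ev[2] < cutoff else recent)[ev[0]].append(ev)
    profiles = {u: build_profile(h) for u, h in history.items()}
    baseline = population_baseline(profiles)
    return {u: score_session(s, profiles[u], baseline)
            for u, s in recent.items() if u in profiles}


def demo(cutoff="2011-08-26 00:00"):
    """Run the review over the constructed log with the given profiling cutoff."""
    return review(EVENTS, datetime.strptime(cutoff, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    for user, reasons in demo().items():
        print(user, "->", reasons or "normal")
```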

Most mobile banking applications today don't include these kinds of sophisticated security capabilities, as the focus is more on functionality. As mobile banking continues to grow, security needs to become an integral component of mobile infrastructure planning.

Today's security systems reside in a bank's data center; tomorrow they need to be on mobile devices, wireless hotspots and the like. Security also should be built into mobile apps, so that the apps can monitor usage patterns and self-police a user's own mobile-banking activity.

As the use of mobile banking grows, banks and credit unions also should take steps to educate their customers and members about safe e-banking practices.

Here are some tips banks could share:
  • Always use a secured Wi-Fi connection, where you have a unique user name and password, before sending any sensitive information over your mobile phone.
  • Download your bank's mobile application from a legitimate app store associated with your phone and use it every time, so you can be sure you are visiting the real bank every time and not a copycat site.
  • Install anti-malware technology, and back up data regularly.
  • Configure your device to auto-lock after a period of time with a password of six-to-eight alphanumeric characters.
  • Keep your apps and device software up-to-date.
Mobile banking technologies will revolutionize the way we handle our money, and they give banks a wonderful way to serve their customers. But just as banks are rolling out mobile banking interfaces, they also need to develop and integrate fraud prevention. It will be much easier to do so now, when the mobile banking trend is still in its relative infancy.

Wednesday, August 24, 2011

Test Drive Career Academy CISA Training Video Free

Free Certified Information Security Auditor training

CareerAcademy.com is offering a free CISA training video course to try out their training delivery platform.

The course offered is on Certified Information Systems Auditor (CISA): The Importance of Information Security, and is intended for IT security professionals. The course outline is below, along with a link to try it out.

Please feel free to forward to others in your organization or your friends who may be interested in this type of training.

Link to sign up for the free training course:
http://www.careeracademy.com/download/freeinfoseccisa.html

Course Description:

CISA Certification Training will give the student in-depth knowledge on such topics as: Key Elements of Information Security Management, Mandatory and Discretionary Access Controls, Identification of Risks Related to External Parties, Security Incident Handling and Response, and many more critical concepts. We have invited the best security trainers in the industry to help us develop the ultimate training and certification program which includes everything you will need to fully prepare for the CISA certification exam.

Sign up for the free training course:
http://www.careeracademy.com/download/freeinfoseccisa.html

Tuesday, August 23, 2011

Smart grid cybersecurity strategy – industry proposals

Smart grid security challenge highlighted in report

Government plans to create a smart grid for energy networks will require a coordinated focus on cybersecurity as communication networks play a key role, according to a report from The Energy Networks Association (ENA).

The ENA published the report for the Department of Energy and Climate Change (DECC), which is responsible for the energy smart grid. The findings of the research, which was carried out by consultancy KEMA, revealed that the government and network providers need a more "coherent and joined-up approach" to secure the smart grid.

Security a top priority in smart grid development

The report outlines how the smart grid will affect networks and describes how cybersecurity should be an important consideration when developing the smart grid's architecture, technology and management systems.

For example, the report says: "ICT security, along with computing system reliability, safety and maintainability, are critical attributes for smart grid implementation and operation, and need to be considered as part of overall risk management for this critical national infrastructure."

Coordinating the smart grid project

Last week, the IT sector, under the wing of Intellect, got involved in the smart grid debate with the launch of cross-industry organisation SmartGrid GB. This group brings together IT companies, environmental organisations, government, regulators and consumer groups. It will coordinate the multiple stakeholders and advise the government.

Robert McNamara, energy and environment programme manager at Intellect, is SmartGrid GB's manager. He welcomed the report: "A lot of data will be transported on the smart grid and through smart metering. It is absolutely imperative that security is the number one priority."

IT suppliers invited to bid for smart grid contracts

The DECC has already put a notice out to IT suppliers informing them to be ready to bid for work. A new company will be set up to manage the data that smart meters send and receive. The central data and communications company (DCC), as it is known, will require services from IT and communication service providers.

The smart grid project involves using smart meters in the home to help consumers control their energy usage. But a survey, which was commissioned by smart meter technology provider T-Systems and carried out by the Economist Intelligence unit, revealed antipathy towards the government's plans to roll out smart meters to 30 million homes by 2020. Consumers are more concerned about the financial costs of using smart meters than the environmental costs of inefficient energy use.

Sunday, August 21, 2011

BackTrack 5 - Penetration Testing Distribution

BackTrack 5 R1 Released!

BackTrack is intended for all audiences, from the most savvy security professionals to early newcomers to the information security field. BackTrack promotes a quick and easy way to find and update the largest collection of security tools to date. Our community of users ranges from skilled penetration testers in the information security field, government entities and information technology staff to security enthusiasts and individuals new to the security community.


[Video: BackTrack 5 - Penetration Testing Distribution, from Offensive Security on Vimeo]

Feedback from all industries and skill levels allows us to truly develop a solution that is tailored towards everyone and far exceeds anything ever developed both commercially and freely available. The project is funded by Offensive Security.

Whether you’re hacking wireless, exploiting servers, performing a web application assessment, learning, or social-engineering a client, BackTrack is the one-stop-shop for all of your security needs.

Thursday, August 18, 2011

US-CERT: Security Recommendations to Prevent Cyber Intrusion

Good practice guidelines to prevent cyber intrusion attacks

US-CERT is providing this Technical Security Alert in response to recent, well-publicized intrusions into several government and private sector computer networks. Network administrators and technical managers should not only follow the recommended security controls for information systems outlined in NIST SP 800-53 but also consider the following measures. These measures include both tactical and strategic mitigations and are intended to enhance existing security programs.

Recommendations

  • Deploy a Host Intrusion Detection System (HIDS) to help block and identify common attacks.
  • Use an application proxy in front of web servers to filter out malicious requests.
  • Ensure that allow_url_fopen is disabled on the web server to help limit PHP vulnerabilities from remote file inclusion attacks.
  • Limit the use of dynamic SQL code by using prepared statements, parameterized queries, or stored procedures whenever possible. Information on SQL injection is available at http://www.us-cert.gov/reading_room/sql200901.pdf.
  • Follow best practices for secure coding and input validation; use the secure coding guidelines available at https://www.owasp.org/index.php/Top_10_2010 and https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/coding/305-BSI.html.
  • Review US-CERT documentation regarding distributed denial-of-service attacks: http://www.us-cert.gov/cas/tips/ST04-015.html and http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf.
  • Disable active scripting support in email attachments unless required to perform daily duties.
  • Consider adding the following measures to your password and account protection plan:
      • Use a two-factor authentication method for accessing privileged root-level accounts.
      • Use a minimum password length of 15 characters for administrator accounts.
      • Require the use of alphanumeric passwords and symbols.
      • Enable password history limits to prevent the reuse of previous passwords.
      • Prevent the use of personal information, such as phone numbers and dates of birth, as passwords.
      • Deploy NTLMv2 as the minimum authentication method and disable the use of LAN Manager passwords.
      • Use a minimum password length of 8 characters for standard users.
      • Disable local machine credential caching if not required, through the use of Group Policy Objects (GPO).
      • Deploy a secure password storage policy that provides password encryption.
      • If an administrator account is compromised, change the password immediately to prevent continued exploitation. Changes to administrator account passwords should only be made from systems that are verified to be clean and free from malware.
  • Implement guidance and policy to restrict the use of personal equipment for processing or accessing official data or systems (e.g., working from home or using a personal device while at the office).
  • Develop policies to carefully limit the use of all removable media devices, except where there is a documented valid business case for their use. These business cases should be approved by the organization with guidelines for their use.
  • Implement guidance and policies to limit the use of social networking services at work, such as personal email, instant messaging, Facebook, Twitter, etc., except where there is a valid approved business case for their use.
  • Adhere to network security best practices. See http://www.cert.org/governance/ for more information.
  • Implement recurrent training to educate users about the dangers involved in opening unsolicited emails and clicking on links or attachments from unknown sources. Refer to NIST SP 800-50 for additional guidance.
  • Require users to complete the agency's "acceptable use policy" training course (to include social engineering sites and non-work related uses) on a recurring basis.
  • Ensure that all systems have up-to-date patches from reliable sources. Remember to scan for viruses or validate hashes to detect modifications as part of the update process.
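The password and account measures in the list above, turned into a policy check as an added example (not US-CERT's code): 15-character minimum for administrators and 8 for standard users, letters plus digits plus a symbol, no personal information such as phone numbers or dates of birth, and a history that rejects reuse while storing only salted PBKDF2 hashes. The history depth of five and the sample accounts are assumptions.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

ADMIN_MIN_LEN, USER_MIN_LEN = 15, 8   # minimum lengths recommended in the alert
HISTORY_DEPTH = 5                     # assumption: how many old passwords are remembered


def derive(password, salt):
    """Slow salted hash so history entries never hold the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    name: str
    privileged: bool = False
    personal_info: tuple = ()          # e.g. phone numbers, dates of birth (constructed)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # derived hashes of prior passwords

    def reused(self, candidate):
        digest = derive(candidate, self.salt)
        return any(hmac.compare_digest(digest, old) for old in self.history)


def check_password(account, candidate):
    """Return the policy violations for `candidate`; an empty list means accepted."""
    problems = []
    minimum = ADMIN_MIN_LEN if account.privileged else USER_MIN_LEN
    if len(candidate) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("must mix letters and digits")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("must contain a symbol")
    # Compare on letters/digits only so "1985-03-14" is caught inside "x-1985-03-14-y".
    squashed = re.sub(r"[^a-z0-9]", "", candidate.lower())
    for item in account.personal_info:
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(token) >= 4 and token in squashed:
            problems.append(f"contains personal information ({item})")
    if account.reused(candidate):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def set_password(account, candidate):
    """Apply the policy; on success record the new hash and trim the history."""
    problems = check_password(account, candidate)
    if not problems:
        account.history.append(derive(candidate, account.salt))
        del account.history[:-HISTORY_DEPTH]
    return problems


if __name__ == "__main__":
    admin = Account("svc-admin", privileged=True, personal_info=("555-0100", "1985-03-14"))
    for pw in ("Summer2011!", "Correct-Horse-Battery-9", "Correct-Horse-Battery-9"):
        print(pw, "->", set_password(admin, pw) or "accepted")
```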

Wednesday, August 17, 2011

PCI Council issues PCI tokenization compliance guidance

PCI tokenization document mirrors the Visa Best Practices for Tokenization

Using tokenization technology to eliminate credit card data can reduce the scope of a Payment Card Industry Data Security Standard assessment, but merchants must be careful to avoid many pitfalls associated with the technology, according to a new report issued today by the PCI Security Standards Council.

The long-awaited PCI DSS Tokenization Guidelines outline how tokens can be used in merchant systems and ways to properly deploy the technology, which substitutes tokens in place of primary account numbers (PANs) to limit the movement of cardholder data in the environment. A properly deployed system in certain merchant environments can “potentially” reduce the merchant’s effort to implement PCI DSS requirements, according to the report.

The tokenization document mirrors the Visa Best Practices for Tokenization report, which was issued last summer. Tokens used within merchant analytical systems and payment applications may not need the same level of security protection.
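An added illustration (not from the PCI Council or Visa documents) of the substitution the guidelines describe: a vault maps each PAN to a random token, downstream merchant systems work only with tokens, and a Luhn check lets an auditor confirm that an export contains no real card numbers. Preserving the last four digits and building tokens that fail the Luhn check are design assumptions, as is the in-memory vault.

```python
import secrets
import string


def luhn_valid(digits):
    """Luhn checksum used by card numbers; tokens are generated to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_pan(value):
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)


class TokenVault:
    """Constructed in-memory vault. In a real deployment this component alone holds
    PANs (encrypted, access-controlled) and stays fully in PCI DSS scope."""

    def __init__(self):
        self._token_by_pan = {}
        self._pan_by_token = {}

    def tokenize(self, pan):
        if not plausible_pan(pan):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:            # same PAN -> same token, so analytics still work
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]               # keep last four for receipts/reporting (assumed)
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        """Only the payment path that must reach the acquirer should be allowed to call this."""
        return self._pan_by_token[token]


def merchant_totals(transactions):
    """Downstream system that only ever sees tokens and never touches the vault."""
    totals = {}
    for token, amount in transactions:
        totals[token] = totals.get(token, 0) + amount
    return totals


def contains_pan(values):
    """Scope check: any Luhn-valid 13-19 digit string in an export is a leaked PAN."""
    return [v for v in values if plausible_pan(v)]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")     # well-known test card number
    print(tok, merchant_totals([(tok, 20), (tok, 5)]), contains_pan([tok]))
```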

Monday, August 15, 2011

Tackling the Big 3: Personal Devices, Cloud Security & Human Factor

SC's first ever virtual Information Security Event

So how secure are the personal devices in your workplace and just how often do your staff open the door to cybercriminals?

On 3rd November, SC Magazine is launching a virtual summit which will offer avatar networking with your peers, exhibition stands and hard-hitting sessions on “tackling the big 3”: personal devices at work, cloud security and the insider threat.

You can create your own avatar and view the programme at the link below:

http://www.scvirtualsummit.com

VIRTUAL SUMMIT: TACKLING THE BIG 3 – YOUR 2012 SURVIVAL GUIDE

Step into our virtual world on Thursday 3rd November 2011

http://www.scvirtualsummit.com

Hear from the likes of:
  • Bryan Littlefair, Chief Information Security Officer, Vodafone
  • Adrian Asher, Chief Information Security Officer, Skype
  • Bob Rodger, Group ISR Head of Infrastructure Security, HSBC
  • Spencer Mott, Vice President and Chief Information Security Officer, Electronic Arts
  • Plus more...
Network virtually, visit stands and listen in on sessions on the following areas:
  • From iPads to personal PCs: learn how to mitigate the enormous risk of personal devices in your workplace
  • With users entering the cloud from here, there and everywhere: understand how to stay secure
  • You can have the most watertight security in place but your staff can always let you down: hear how to stop this, now
I hope that you can attend this landmark information security event.

Saturday, August 13, 2011

Cloud computing guide to help enterprise increase value and manage risk

ISACA issued a new guide for implementing controls and governance

For all the talk of Cloud computing, the governance issue remains, for many enterprises, the great unknown. Cloud computing inevitably impacts business processes, making governance vital to managing risk and adapting to take advantage of new opportunities.

According to a survey of ISACA’s Australian members, less than half — 42 per cent — currently include Cloud computing strategies within their enterprise. And 80 per cent of these organisations limit Cloud computing to low-risk, non-mission-critical IT services.

Due diligence around the proposed service provider and appropriate controls must also be in place, she said, to ensure corporate information is protected from loss, theft, tampering and loss of jurisdictional control.

Key questions for Cloud governance

ISACA’s guidance recommends enterprises ask the following key questions:
  • What is the enterprise’s expected availability?
  • How are identity and access managed in the Cloud?
  • Where will the enterprise’s data be located?
  • What are the Cloud service provider’s disaster recovery capabilities?
  • How is the security of the enterprise’s data managed?
  • How is the whole system protected from internet threats?
  • How are activities monitored and audited?
  • What type of certification or assurances can the enterprise expect from the provider?
ISACA will hold its Oceania CACS2011 conference in Brisbane from 18-23 September; it will explore issues such as control, risk management, data loss prevention and assurance for Cloud strategies.

Thursday, August 11, 2011

Survey: Median Cost of Cybercrime Up 56% in a Year

Cybercrime is expensive, Cost of Cybercrime Soaring!

EMC CFO David Goulden the other day said last month's breach of the system that stores secret codes for RSA's SecurID multifactor authentication tokens cost EMC $66.3 million in the second quarter.

That's well above average, according to a just-released survey by technology provider Hewlett-Packard, conducted by the Ponemon Institute. HP's second annual Cost of Cybercrime Study pegged the median annualized cost of cybercrime incurred by a benchmark sample of organizations at $5.9 million. The survey revealed a range of $1.5 million to $36.5 million, a 56 percent increase from the median cybercrime cost reported in HP's inaugural study published in July 2010.
But, as the study shows, taking the proper preventative measures is a money-saver. Organizations that had deployed security information and event management solutions realized a cost savings of nearly 25 percent over those who didn't.

Still, the survey suggests the battle against cybercrime has gotten much harder in the past year. It takes organizations longer, and costs them more, to resolve cyberattacks. In 2011, the survey shows, the average time to resolve a cyberattack was 18 days, with an average cost to participating organizations of nearly $416,000. That's a nearly 70 percent increase from the estimated $250,000 cost and 14-day resolution period surmised from last year's study.

And it's tougher to solve an insider crime than one perpetrated from the outside. A malicious insider attack can take more than 45 days to contain.

Of course, averages can't be applied to all situations. The RSA breach occurred nearly five months ago, and no one knows - or at least no one is saying - who perpetrated that costly cybercrime, which diminished not only EMC's coffers but RSA's reputation as well.

Wednesday, August 10, 2011

Vulnerabilities Could Let Hackers Spring Prisoners From Cells

Most people don’t know how a prison or jail is designed; that’s why no one has ever paid attention to it. “How many people know they’re built with the same kind of PLC used in centrifuges?”

Vulnerabilities in electronic systems that control prison doors could allow hackers or others to spring prisoners from their jail cells, according to researchers. PLCs are small computers that can be programmed to control any number of things, such as the spinning of rotors, the dispensing of food into packaging on an assembly line or the opening of doors. Two models of PLCs made by the German conglomerate Siemens were the target of Stuxnet, a sophisticated piece of malware discovered last year that was designed to intercept legitimate commands going to PLCs and replace them with malicious ones.

Stuxnet’s malicious commands are believed to have caused centrifuges in Iran to spin faster and slower than normal to sabotage the country’s uranium enrichment capabilities. Though Siemens PLCs are used in some prisons, they’re a relatively small player in that market. The more significant suppliers of PLCs to prisons are Allen-Bradley, Square D, GE and Mitsubishi. Across the U.S. there are about 117 federal correctional facilities, 1,700 prisons, and more than 3,000 jails. All but the smallest facilities, according to Strauchs, use PLCs to control doors and manage their security systems.

Researchers say the vulnerabilities exist in the basic architecture of the prison PLCs, many of which use ladder logic programming and a communications protocol that had no security protections built into it when it was designed years ago. There are also vulnerabilities in the control computers, many of which are Windows-based machines, that monitor and program PLCs.

The vulnerabilities are inherent in the way the PLC is used: one point controlling many. Upon gaining access to the computer that monitors, controls or programs the PLC, an attacker then takes control of that PLC. A hacker would need to get his malware onto the control computer, either by getting a corrupt insider to install it via an infected USB stick or by sending it via a phishing attack aimed at a prison staffer, since some control systems are also connected to the internet.

Prison systems have a cascading release function so that in an emergency, such as a fire, when hundreds of prisoners need to be released quickly, the system will cycle through groups of doors at a time to avoid overloading the system by releasing them all at once. Researchers confirm that a hacker could design an attack to override the cascade release to open all of the doors simultaneously and overload the system.

An attacker could also pick and choose specific doors to lock and unlock and suppress alarms in the system that would alert staff when a cell is opened. This would require some knowledge of the alarm system and the instructions required to target specific doors, but researchers explain that the PLC provides feedback to the control system each time it receives a command, such as “kitchen door east opened.” A patient hacker could sit on a control system for a while collecting intelligence like this to map each door and identify which ones to target.

While PLCs themselves need to be better secured to eliminate vulnerabilities inherent in them, prison facilities also need to update and enforce acceptable-use policies on their computers so that workers don’t connect critical systems to the internet or allow removable media, such as USB sticks, to be installed on them.

Refer here to read more about this research.

Monday, August 8, 2011

Researcher discovered ABB-branded transformer running an electricity substation

SCADA equipment Google-able

Most SCADA protocols do not use encryption or authentication, and they don't have access control built into them or into the device itself. This means that when a PLC has a web server, and is connected to the internet, anyone who can discover the internet protocol (IP) address can send commands to the device, and the commands will be performed.

If that RTU or PLC has large motors connected to it, pumping out water or chemicals, the equipment could be turned off. If it was a substation and the power re-closer switches were closed, we could break it open and create an [electricity] outage for an entire area or city. The bottom line is you could cause physical damage to whatever is connected to that PLC.

SCADA security has been an issue for decades, as legacy systems have been connected to the internet and remote technologies have emerged, but it drew wide attention with the emergence of Stuxnet, a worm that spreads via holes in Windows but specifically targets Siemens SCADA systems and uses other sophisticated methods. Experts theorise that Stuxnet was designed to sabotage Iran's nuclear development program.

However, Stuxnet has raised awareness in the general public and within companies running critical infrastructure systems, and scared some of them enough to beef up their security. Stuxnet created an interest in the community to learn more about vulnerabilities and SCADA systems. We've seen direct impact in our customers being able to get funding to secure their SCADA systems.

While Stuxnet appears to have run its course and had minimal impact, SCADA systems are at risk from vulnerabilities and exploits in general, according to the US ICS-CERT (Industrial Control System Computer Emergency Response Team).

Not only are Supervisory Control and Data Acquisition (SCADA) systems used to run power plants and other critical infrastructure lacking many security precautions to keep hackers out, operators also sometimes practically advertise their wares on Google search, according to a demo held yesterday during a Black Hat conference workshop.

Saturday, August 6, 2011

Hospital Networks are the next big target for hackers?

Medical Device Security in a Hospital Network

Medical devices are everywhere today: in your doctor's office measuring your blood pressure, at your cosmetician (for hip reduction) and in the hospital for everything from patient monitoring to robot-assisted surgery.

The people that develop embedded medical devices based on Intel platforms know that Windows is vulnerable.

Lacking embedded Linux know-how, medical device developers often end up adopting Windows and Visual Studio as a default. Using Windows is a security-blanked for developers who grew up the Microsoft monoculture and are scared of the Linux command line.

But make no mistake: using Windows in networked embedded medical devices is a mistake. This is big mistake #1.

The top two threats to a medical device are software defects and software updates. Consider the implications of updating patient monitoring devices in a hospital with an infected USB stick or an infected Windows notebook.
In product development (and medical devices are no exception), the support and version update process is often left for the end of the project. At that point, when the product manager asks how the software will be updated in the field, the hands go up in favour of USB memory stick updates as an "interim" solution.

It is crucial to apply threat analysis to systems of networked medical devices in order to arrive at the right, cost-effective countermeasures (apropos the management challenge of a large number of VLANs). Threat analysis must be an integral part of the SDLC (software development life cycle): done early in the process and revalidated whenever there are significant design, configuration or environmental changes.

Threat analysis enables a medical device vendor and the hospital security team to have an objective discussion about balancing the need to protect the hospital network assets with protecting the availability of the medical device itself and, concomitantly, the safety of the patients who depend on it; patient monitoring is the first example that comes to mind.
Unfortunately, many device vendors and their hospital customers use a system management model based on Microsoft Windows and business IT management practices. This is big mistake #2.
Medical device vendors need to assess their software security and not assume that an embedded medical device running Windows XP is no different from any other Windows PC on the network running Office 2007.

To use an analogy from the world of real-time embedded systems, consider avionics as key to the safety of the pilot and the success of the mission. Avionics are not managed like a network of Windows PCs, and neither should medical devices on the hospital network be.

A medical device in a hospital network, whether it monitors patients, assists in surgery or analyses EEGs, is an embedded device in an extremely heterogeneous and hostile environment, and it should simply not be vulnerable to Microsoft Windows malware.

Embedded medical devices should be based on embedded Linux: not a stock version of Red Hat, but a system built from the ground up from the latest Linux kernel, with the minimum set of services and software (Qtk etc.) needed to run the application. The software update process should be part of the design, not something bolted on after the implementation.

Developing for embedded Linux is not copy and paste from Windows. It requires expertise to set up the basic infrastructure. But once that infrastructure is up, the medical device developer and its hospital customer can be confident that they are standing on a secure platform and not in a house of glass built on a foundation of sand.
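The post argues that the field update path (USB sticks and notebooks included) is one of the two top threats, and that the update process must be designed in rather than bolted on. The following is an added example of what "designed in" looks like on the device side; it is not code from the original post or from any device vendor. It assumes, for illustration, that an update arrives as an image plus a manifest carrying the target model, a strictly increasing version number and the SHA-256 of the image, and it authenticates the manifest with HMAC-SHA256 under a key provisioned at manufacture. A production device would verify an asymmetric signature instead, so that a stolen unit holds only a public key and cannot sign updates for its siblings; the checks and their order are the same either way.

```python
"""Verify an update package before it is applied on an embedded medical device.

Added example, not code from the original post or from any vendor. Device
state, key, image bytes and manifest fields below are constructed.
"""
import hashlib
import hmac
import json

# Constructed device state (hypothetical values).
DEVICE_MODEL = "patient-monitor-x1"
INSTALLED_VERSION = 7
MANIFEST_KEY = b"demo-key-provisioned-at-manufacture"


class UpdateRejected(Exception):
    """Raised for any update that must not be applied; the message is the reason."""


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Vendor side: canonical JSON body, a newline, then the hex HMAC tag."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def verify_update(package: bytes, image: bytes, *, key: bytes = MANIFEST_KEY,
                  installed_version: int = INSTALLED_VERSION,
                  model: str = DEVICE_MODEL) -> dict:
    """Device side: return the manifest if the update is acceptable, else raise.

    Order matters: nothing in the package is parsed or trusted until its
    authentication tag has been checked, so a forged manifest cannot steer the
    later checks. Then: correct model, version strictly newer than what is
    installed (no rollback to a vulnerable build), and the image on the stick
    is byte-for-byte the one the manifest describes.
    """
    body, sep, tag = package.rpartition(b"\n")
    if not sep:
        raise UpdateRejected("malformed package")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):        # constant-time compare
        raise UpdateRejected("manifest authentication failed")
    manifest = json.loads(body)
    if manifest.get("model") != model:
        raise UpdateRejected("update is for a different device model")
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        raise UpdateRejected("version is not newer than installed (rollback refused)")
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        raise UpdateRejected("image hash does not match manifest")
    return manifest


# Constructed sample update (version 8) and its signed manifest.
GOOD_IMAGE = b"\x7fELF constructed firmware image, version 8"
GOOD_PACKAGE = sign_manifest(
    {"model": DEVICE_MODEL, "version": 8,
     "sha256": hashlib.sha256(GOOD_IMAGE).hexdigest()},
    MANIFEST_KEY)


def outcome(package: bytes, image: bytes) -> str:
    """Return 'applied vN' or the rejection reason."""
    try:
        return "applied v%d" % verify_update(package, image)["version"]
    except UpdateRejected as exc:
        return str(exc)


def demo() -> dict:
    """Exercise the verifier against the genuine update and three attacks."""
    # An infected stick swaps or patches the image but leaves the manifest alone.
    patched_image = GOOD_IMAGE + b"\x90\x90"
    # A genuinely signed but older (vulnerable) release is replayed.
    old_image = b"\x7fELF constructed firmware image, version 5"
    old_package = sign_manifest(
        {"model": DEVICE_MODEL, "version": 5,
         "sha256": hashlib.sha256(old_image).hexdigest()}, MANIFEST_KEY)
    # The manifest is edited by hand to claim a higher version, without the key.
    forged_package = GOOD_PACKAGE.replace(b'"version":8', b'"version":9')
    return {
        "genuine": outcome(GOOD_PACKAGE, GOOD_IMAGE),
        "patched_image": outcome(GOOD_PACKAGE, patched_image),
        "rollback": outcome(old_package, old_image),
        "forged_manifest": outcome(forged_package, GOOD_IMAGE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-16s %s" % (case, result))
```

The anti-rollback check is the part most often forgotten: a signed manifest proves the vendor produced the update at some point, not that it is the current one, so without a monotonic version (or a counter in tamper-resistant storage) an attacker with a stick can legitimately "update" a monitor back to a build with a known hole.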

Friday, August 5, 2011

Cyber Storm III participants found shortcomings in its cybersecurity “escalation procedures”

Australian report identifies cybersecurity gaps during Cyber Storm III exercise

An Australian report issued Monday found gaps in cybersecurity procedures and processes for both government and industry, based on a review of the US-sponsored Cyber Storm III exercise held last September.

The report, commissioned by the Australian government and carried out by former Australian Army intelligence officer Miles Jakeman, said that Cyber Storm III identified "gaps" in cybersecurity procedures, processes and plans in both government and industry.

The Australian government identified gaps in its interim cybersecurity crisis management plan, and industry found shortcomings in its cybersecurity “escalation procedures”, according to the report.

The Cyber Storm III exercise included participants from seven US federal agencies, 11 US states, 60 private companies and 12 international partners. The Australian government sent representatives from the Defence Signals Directorate, Computer Emergency Response Team (CERT) Australia and the Australian Federal Police; industry was represented by Telstra, ASX, Woolworths, ANZ and domain name registrar auDA.

Australian Attorney General Robert McClelland said that more than 50 Australian organizations participated in Cyber Storm III. He said in releasing the report: “The Cyber Storm III exercise provided a good test of new government processes including the interim cybersecurity crisis management plan, which allowed agencies to identify gaps and revise processes.”

McClelland added: “The exercise revealed many areas where internal and cross-sector partnerships worked effectively to communicate and resolve issues, but also highlighted areas where communications and planning could be further developed….While it did highlight gaps within existing government and business cyber incident processes, particularly in regards to escalation procedures, this feedback allows both government and businesses to take steps to improve our cybersecurity.”

Thursday, August 4, 2011

Conficker found on external HD devices on sale

Aldi recalls Conficker-infected hard drives

Australian supermarket chain ALDI might seem like the last place one would pick up a Conficker infection, but according to an emergency security alert by the Australian Computer Emergency Response Team (AusCERT), the worm has been discovered on a Fission External 4-in-1 Hard Drive/DVD/USB/Card Reader product the stores offer for sale.

ALDI has effected an immediate recall of the product from its shelves and has urged customers who have bought the product to return it. The chain says that the worm was found on a small number of the devices, and that it can be removed by fully formatting them.

SC Magazine Australia reports that AusCERT has also advised a full format of the device for those who won't be returning it to the store, and a scan of their computer with an up-to-date AV solution. Since Conficker is an old threat, most commercial AV solutions contain a signature for spotting it.

The worm's presence on the drives was initially detected by a Kaspersky AV product, and "the manufacturer recommends that this same software or similar be used to scan all customers' computers and USB storage devices which have been in contact with the four-in-one hard drive, to detect and remove if present," an ALDI spokesperson stated.
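The advice above (format the drive, scan every computer it touched) is the right response, but a practitioner handling a batch of suspect devices usually wants a quick first look before a full format. The following is an added example, not part of the AusCERT advisory or ALDI's statement, and not a Conficker signature: it applies generic heuristics to the way USB-spreading worms abuse autorun.inf. Windows reads only the lines it understands, so a worm can pad the file with binary junk to defeat naive pattern matching, point the launch action at a system tool such as rundll32 so that a file with any extension gets loaded as code, stash that file in a folder that looks like the recycle bin, and set the menu text to imitate Explorer's own default entry. The sample files, including the folder and file names, are constructed.

```python
"""Triage autorun.inf files from removable media for signs of worm abuse.

Added example; generic heuristics, not a signature for Conficker or any other
specific family. The sample files below are constructed.
"""
import re

LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command")
SYSTEM_TOOLS = re.compile(
    r"\b(rundll32|regsvr32|cmd|wscript|cscript|mshta)(\.exe)?\b", re.I)
BIN_FOLDERS = re.compile(
    r"(^|[\\/])(recycler|recycled|\$recycle\.bin|system volume information)([\\/]|$)", re.I)
EXPLORER_DEFAULT = "open folder to view files"


def parse_autorun(data: bytes) -> dict:
    """Return key=value pairs of the [autorun] section (keys lower-cased).

    Decoding as latin-1 never fails, so junk bytes become junk characters that
    fall through the same line filter Windows effectively applies.
    """
    keys, in_section = {}, False
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def triage(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if data:
        printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
        pct = 100 * printable // len(data)
        if pct < 90:
            findings.append("binary junk: only %d%% of the file is printable text" % pct)
    keys = parse_autorun(data)
    for key in LAUNCH_KEYS:
        value = keys.get(key)
        if value is None:
            continue
        if SYSTEM_TOOLS.search(value):
            findings.append("%s invokes a system tool to load code: %s" % (key, value))
        if BIN_FOLDERS.search(value):
            findings.append("%s points into a recycle-bin style folder: %s" % (key, value))
    if EXPLORER_DEFAULT in keys.get("action", "").lower():
        findings.append("action text imitates Explorer's default 'Open folder to view files' entry")
    return findings


# Constructed samples: a typical driver CD, and a worm-style file with junk
# padding and a launcher hidden in a fake recycle-bin folder (names invented).
BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Driver CD\r\n"
JUNK = bytes(range(128, 256)) * 2
SUSPICIOUS = (
    b"[autorun]\r\n" + JUNK + b"\r\n"
    + b"action=Open folder to view files\r\n" + JUNK + b"\r\n"
    + b"icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    + b"shellexecute=rundll32.exe .\\RECYCLER\\S-1-5-21-demo\\payload.vmx,start\r\n"
    + JUNK + b"\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage(sample) or "clean")
```

Run it against the autorun.inf at the root of a drive (`triage(open(path, "rb").read())`) before anything on the drive is opened; a hit is a reason to image the device and format it, not a reason to trust the absence of a hit, since a worm that has already run on the host does not need the stick any more.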

Tuesday, August 2, 2011

Cyber criminals have been shaking the security world

What does the second half of the year have in store for the data security industry?

2011 is only halfway through, and there is already a growing number of cyber threat stories to recount, including data security breaches, encryption breaches and email and credit card theft incidents. Cyber criminals have been shaking the security world with attacks like never before. We have seen the rise and fall of groups like Anonymous and LulzSec, who have carried out some very high-profile cyber-attacks on companies like Sony, large banks, the IMF and government agencies like the FBI.

Even the highly regarded security firm RSA suffered a sophisticated cyber-attack that breached its own organisation. The attack originated from a spear-phishing email carrying a malicious Excel file that exploited a vulnerability in Adobe Flash. The phishing emails tricked users into opening the file, which installed a backdoor through the Flash vulnerability. Due to the sensitive nature of RSA's work, most details about what data was stolen have been withheld.
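A spreadsheet that exploits Flash has to carry a Flash object, and that object has a recognisable header, which gives a mail gateway or an incident responder a cheap check that does not depend on knowing the particular exploit. The following is an added example, not from the article and not RSA's own analysis: it scans a file for SWF headers at any offset and applies plausibility checks so that the three-letter signatures do not fire on ordinary text. It assumes the object is stored as-is inside the container, which holds for the legacy OLE .xls format; a zip-based .xlsx would have to be unzipped first. The carriers are constructed.

```python
"""Look for Flash (SWF) objects embedded in a document carrier, such as an .xls
sheet used to deliver a Flash exploit, by scanning for SWF headers at any offset.

Added example, not from the article. The carriers below are constructed.
"""
import struct

# Header layout: 3-byte signature, 1-byte version, uint32 little-endian length.
# "FWS" is uncompressed, "CWS" zlib-compressed, "ZWS" LZMA-compressed. For FWS
# the length is the exact SWF size; for CWS/ZWS it is the size after decompression.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
MAX_VERSION = 50           # sanity bound, well above any Flash Player release
MAX_LENGTH = 64 << 20      # declared sizes beyond this are junk, not SWF


def find_swf(data: bytes) -> list:
    """Return (offset, signature, version, declared_length) for each plausible header.

    The signatures occur by chance in ordinary text, so the version byte and the
    declared length are used to weed out false hits; for an uncompressed FWS the
    declared length must also fit in the bytes that remain after the header.
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            i = data.find(magic, start)
            if i < 0 or i + 8 > len(data):
                break
            version = data[i + 3]
            length = struct.unpack_from("<I", data, i + 4)[0]
            plausible = 1 <= version <= MAX_VERSION and 8 <= length <= MAX_LENGTH
            if magic == b"FWS" and length > len(data) - i:
                plausible = False
            if plausible:
                hits.append((i, magic.decode(), version, length))
            start = i + 1
    return sorted(hits)


def verdict(data: bytes) -> str:
    """One-line summary suitable for a gateway log."""
    hits = find_swf(data)
    if not hits:
        return "no embedded SWF"
    return "; ".join("SWF %s v%d at offset %d (%d bytes declared)" % (sig, ver, off, ln)
                     for off, sig, ver, ln in hits)


OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound document signature

# Constructed carriers. The clean one contains the letters "CWS" in ordinary
# text to show why the plausibility checks are needed.
CLEAN = (OLE_MAGIC + b"\x00" * 24 + b"Workbook\x00Sheet1\x00"
         + b"Budget prepared by the CWS team, Q2 2011\x00" + b"\x00" * 32)
CARRIER = (OLE_MAGIC + b"\x00" * 24 + b"Workbook\x00Sheet1\x00"
           + b"FWS\xff" + b"\xff\xff\xff\xff"            # decoy: impossible version and length
           + b"\x00" * 8
           + b"CWS\x0a" + struct.pack("<I", 4096)         # zlib-compressed SWF header, v10
           + b"\x78\x9c" + b"\x00" * 24)                  # zlib stream start plus padding

if __name__ == "__main__":
    for name, blob in (("clean.xls", CLEAN), ("carrier.xls", CARRIER)):
        print(name, "->", verdict(blob))
```

A hit is a reason to detonate or quarantine the attachment, not proof of an exploit; legitimate spreadsheets with embedded Flash are rare in most mail flows, which is exactly what makes the check useful.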

Perhaps the most publicised breach of all was the Sony PlayStation Network hack in April, which ended up compromising over 100 million customer accounts and kept Sony's services offline for weeks. Initially Sony said that 77 million accounts had been compromised, but later the company admitted that another 25 million accounts had been breached.

The stolen information included customers' user names and passwords, email addresses, home addresses, birthdays, billing information and security questions. This kind of information is ideal ammunition for identity theft and for follow-on phishing.

These are just some of the serious data breaches that have taken place in 2011 so far.
To mitigate data breaches, access to all stored personal details and confidential information must be restricted to the relevant, authorised personnel, with every access authenticated, so that unauthorised entry is prevented.

Monday, August 1, 2011

US fears that Stuxnet variants could threaten its critical infrastructures

US government warns of potential Stuxnet variants

Security experts at the US Department of Homeland Security (DHS) fear that variants of the Stuxnet worm could threaten important US infrastructure. In a US House of Representatives committee hearing, Roberta Stempfley and Sean P. McGurk from the DHS's Office of Cybersecurity and Communications said that copies of the Stuxnet code have been publicly available for some time, and that the increasing amount of available information about it potentially enables attackers to develop variants that could target a larger number of systems.

According to the two experts, Stuxnet was first discovered in July 2010. It was believed to be targeting an Iranian uranium enrichment facility at Natanz and would only become active once it had identified its target. When asked by anti-virus vendor McAfee in April 2011, 59 per cent of German power, gas and water suppliers replied that they had been able to identify the Stuxnet worm in their systems. However, according to the state of knowledge at the time, the worm didn't cause any damage there.

Shortly after the discovery of Stuxnet, the DHS started to analyse the code, which experts describe as highly complex, and to inform other governments of its findings. The worm is reportedly intended for industrial control systems that feature a specific hardware and software combination. Stempfley and McGurk said that this type of malware could automatically infect a system, steal sensitive information, manipulate the system and cover up its actions.