Tuesday, January 31, 2012

Password Security is MUST - Remember To Change Them Frequently!

Your Not-So-Secret Password

Every day, millions of people create accounts on millions of websites. The sites range from online banking to social media, from photo sharing to online pharmacies.

Some developers of these sites have found a way to make the sign-up process easier by allowing new users to sign up using their Facebook, Twitter and other accounts. Because opting in to this type of sign up is so simple, many people do it.

What they may not realize is that they have now shared their social media and/or email passwords with several entities. While those organizations may not proactively use those passwords for their own nefarious activities, they may not be taking all the necessarily security steps to protect them from hackers or other inappropriate use.

My best tip for passwords is this: If you don't want to maintain a large number of different passwords for each site, establish a set of passwords based upon the types of sites you're using. For example, use one password for the set of social network sites you use.

Use a different password for your email accounts, and a different password for your sites where you do financials transactions (such as banks, credit card companies, etc.).

Make sure your passwords are GOOD passwords! They should be a combination of numbers, letters and, if possible, special characters. And it's worth repeating: Never use the same passwords on your financial sites as you do with your email or social media accounts.

One final reminder about passwords: Remember to change them frequently. I know a friend whose Facebook password was possibly compromised after a friend posted a video to my wall that looked legitimate. Because he knew the friend well, he clicked it. He later quickly realized it was not a legitimate link and changed his password right away. Thankfully, he caught it before any real damage was done.

Monday, January 30, 2012

Gartner: 2012 Information Technology Predictions and Trends

Gartner has issued a full report titled "Gartner's Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away"

Gartner, Inc. issued a press release announcing it’s 2012 list of top predictions and trends for IT organizations and users. Highlighted are key trends like Cloud Computing, Social Business, Big Data, Security, and Mobile. The predictions and trends made by Gartner align closely with the research I am conducting for my HorizonWatching 2012 Trends report due out in early January.

The eleven predictions from Gartner are as follows

Cloud Services: By 2015, low-cost cloud services will cannibalize up to 15 percent of top outsourcing players' revenue.

Social & Collaboration Platforms: In 2013, the investment bubble will burst for consumer social networks, and for enterprise social software companies in 2014.

Enterprise Email: By 2016, at least 50 percent of enterprise email users will rely primarily on a browser, tablet or mobile client instead of a desktop client.

Mobile Apps: By 2015, mobile application development projects targeting smartphones and tablets will outnumber native PC projects by a ratio of 4-to-1.

Cloud Security: By 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service.

Public Clouds: At year-end 2016, more than 50 percent of Global 1000 companies will have stored customer-sensitive data in the public cloud.

IT Budget Management: By 2015, 35 percent of enterprise IT expenditures for most organizations will be managed outside the IT department's budget.

Asia Sourcing: By 2014, 20 percent of Asia-sourced finished goods and assemblies consumed in the U.S. will shift to the Americas.

Cybercrime: Through 2016, the financial impact of cybercrime will grow 10 percent per year, due to the continuing discovery of new vulnerabilities.

Cloud & Sustainability: By 2015, the prices for 80 percent of cloud services will include a global energy surcharge.

Big Data: Through 2015, more than 85 percent of Fortune 500 organizations will fail to effectively exploit big data for competitive advantage.

Gartner has issued a full report titled "Gartner's Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away," which is available on Gartner's website at www.gartner.com/predicts. The report apparently has links to more than 70 Gartner ‘predicts’ reports broken out by topics, industries and markets.

Friday, January 27, 2012

Top Skimming Trends to watch in 2012

2012: Year of the Skimmer

Fraud losses linked to card skimming are quickly hitting epidemic proportions. So what are the top card-skimming trends financial institutions and financial-services providers should be on the lookout for in 2012? Industry experts weigh in to offer their domestic and global perspectives.

The top six trends to watch:
  • ATM attacks;
  • Network hacks;
  • Crime rings aiming for retail;
  • Skimming at self-service points of sale;
  • International fraud migration; and
  • EMV in the U.S.
ATMs: The No. 1 Target

In 2011, debit fraud losses for the first time outpaced losses associated with credit fraud. The reason for tipping of the fraud-loss scales: skimming.

ATM Skimming

ADT Security Solutions in early 2010 estimated financial losses per ATM-skimming incident averaged $30,000. Now, as the average loss to ATM skimming has jumped $20,000, it's clear card fraud and skimming are increasing. And the industry can expect more fraud losses in 2012 as global crime rings enhance their networks and improve their techniques to exploit lingering magnetic-stripe technology.

ATMs are typically the last to be upgraded from a hardware perspective.

More Network Hacks

Institutions and retailers need to focus more attention on locking down their networks. Now that more networks and systems are connected, as institutions and businesses work to achieve enterprise-level data management, they increase their risk of exposure. If a system is compromised, fraudsters can easily access every server, POS device, ATM, PC and network that's connected to that system.

The widespread deployment and use of common and well-known operating systems, such as Windows, compounds the problem. Fraudsters know how to get in, and with evolving malware, it's getting easier for them to wage successful attacks.

Advances in wireless communications also will reap greater skimming crime rewards in 2012. Network security holes aside, skimming schemes themselves will become easier, as wireless communications and Bluetooth technology have made it increasingly easier for fraudsters to remotely transmit card data once it's been skimmed.

Crime Rings Aim for Retail

Pointing to 2011's skimming breaches at Michaels and Save Mart/Lucky Supermarkets, open communication between retailers and card issuers kept fraud losses and card compromises in check. Once the fraud starts to occur, it just makes everyone's job easier when the retailers take a transparent and proactive approach.

Those attacks have illustrated how critical the need for retailers to invest in real-time fraud monitoring is. The incidents also prove retailers have an incentive to move toward the Europay, MasterCard, Visa standard. At least 50 percent of the card-present fraud is charged back to the merchants. They are now motivated to make a move to EMV because they won't see those chargeback charges. And there is more authentication with the chip, so that will help fraud as well.

A Security Soft Spot

As the Lucky's breach and countless others that target self-service payments devices, including pay-the-pump gas terminals, prove, any terminal that accepts credit and debit cards will be targeted by fraudsters. Even ATM vestibule doors, which read debit swipes for entry, are compromised with ease.

But despite the fact that EMV and anti-skimming measures have displaced ATM attacks in those markets, ATM fraud continues. During the last six months of 2011, Europe saw upticks in low-tech ATM-fraud schemes, such as cash-trapping. Cash trapping, like it sounds, prevents bills from being dispensed. European ATM deployers are addressing the trend with physical ATM inspections and investments in enhanced tampering-detection technology.

Geo-Blocking and International Backlash

Despite innovative moves to curb card fraud in Europe, skimming remains a global problem. Even as fraud migrates and different global regions progress in their adoption of EMV, losses associated with skimming continue to escalate.

This year, more fraud migration and increasing losses, especially in the United States. Part of that migration will be spurred by steps European countries are taking to shut off mag-stripe acceptance as a way to reduce financial losses associated with skimming.

Migrating Fraud

The United States can expect skimming to increase. Why? Fraud will migrate from other parts of the world, where card security is more sophisticated.

Compliance with EMV in western Europe and parts of central and eastern Europe over the last five to 10 years initiated the migration of fraud. Now that EMV is the standard in neighboring Mexico and Canada, hits to U.S. card issuers and acquirers will be substantially higher. Card fraud linked to skimming will be the catalyst.

EMV in the U.S

Movement toward EMV compliance, to address growing card fraud, is not far off for the United States. Visa and MasterCard have both issued soft dates for a U.S. movement toward EMV. MasterCard set an April 2013 deadline for all U.S. ATMs to be EMV compliant; and Visa announced compliance dates of 2013 and 2015 for U.S. merchants.

Last week, Visa provided EMV guidance and suggested EMV adoption best practices for U.S. merchants and card issuers.

In 2013, the responsibility for fraud losses will shift from the EMV card issuer to the acquirer. Given that stipulation, 2012 will see an increase in EMV activity.

Tuesday, January 24, 2012

20 critical controls for effective cyber defence

Baseline of high-priority information security measures and controls

The Centre for the Protection of National Infrastructure is participating in an international government-industry effort to promote the top twenty critical controls for computer and network security. The development of these controls is being coordinated by the SANS Institute.

The Top Twenty Critical Security Controls are a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence. The controls (and sub-controls) focus on various technical measures and activities, with the primary goal of helping organisations prioritise their efforts to defend against the current most common and damaging computer and network attacks.

The controls (and sub-controls) focus on various technical measures and activities, with the primary goal of helping organisations prioritise their efforts to defend against the current most common and damaging computer and network attacks.

Outside of the technical realm, a comprehensive security program should also take into account many other areas of security, including overall policy, organisational structure, personnel issues and physical security. To help maintain focus, the twenty controls do not deal with these important but non-technical aspects of information security.

The twenty controls and supporting advice are dynamic in order that they recognise changing technology and methods of attack. All twenty controls, together with a brief description, are given below. For further information, visit the SANS website.

CONTROL 1 - INVENTORY OF AUTHORISED AND UNAUTHORISED DEVICES

Reduce the ability of attackers to find and exploit unauthorised and unprotected systems. Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops, mobile, and remote devices.

CONTROL 2 - INVENTORY OF AUTHORISED AND UNAUTHORISED SOFTWARE

Identify vulnerable or malicious software to mitigate or root out attacks. Devise a list of authorised software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorised or unnecessary software.

CONTROL 3 - SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE ON LAPTOPS, WORKSTATIONS, AND SERVERS

Prevent attackers from exploiting services and settings that allow easy access through networks and browsers. Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.

CONTROL 4 - CONTINUOUS VULNERABILITY ASSESSMENT AND REMEDIATION

Proactively identify and repair software vulnerabilities reported by security researchers or vendors. Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities - with critical problems fixed within 48 hours.

CONTROL 5 - MALWARE DEFENCES

Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading. Use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent systems from using auto-run programs to access removable media.

CONTROL 6 - APPLICATION SOFTWARE SECURITY

Scan for, discover, and remediate vulnerabilities in web-based and other application software. Carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect all traffic, and explicitly check for errors in all user input (including by size and data type).

CONTROL 7 - WIRELESS DEVICE CONTROL

Protect the security perimeter against unauthorised wireless access. Allow wireless devices to connect to the network only if they match an authorised configuration and security profile and have a documented owner and defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.

CONTROL 8 - DATA RECOVERY CAPABILITY

Minimise the damage from an attack: Implement a trustworthy plan for removing all traces of an attack. Automatically back up all information required to fully restore each system, including the operating system, application software, and data. Back up all systems at least weekly; back up sensitive systems more often. Regularly test the restoration process.

CONTROL 9 - SECURITY SKILLS ASSESSMENT AND APPROPRIATE TRAINING TO FILL GAPS
Find knowledge gaps, and fill them with exercises and training. Develop a Security Skills Assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.

CONTROL 10 - SECURE CONFIGURATIONS FOR NETWORK DEVICES SUCH AS FIREWALLS, ROUTERS, AND SWITCHES

Preclude electronic holes from forming at connection points with the Internet, other organisations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configurations are documented and approved and that any temporary deviations are undone when the business need abates.

CONTROL 11 - LIMITATION AND CONTROL OF NETWORK PORTS, PROTOCOLS, AND SERVICES

Allow remote access only to legitimate users and services. Apply host-based firewalls and port-filtering and scanning tools to block traffic that is not explicitly allowed. Properly configure web servers, mail servers, file and print services, and domain name system (DNS) servers to limit remote access. Disable automatic installation of unnecessary software components. Move servers inside the firewall unless remote access is required for business purposes.

CONTROL 12 - CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES

Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open a malicious e-mail, attachment, or file, or to visit a malicious website; and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords that follow known standards.

CONTROL 13 - BOUNDARY DEFENCE

Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines. Establish multilayered boundary defences by relying on firewalls, proxies, demilitarised zone (DMZ) perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including through business partner networks (“extranets”).

CONTROL 14 - MAINTENANCE, MONITORING, AND ANALYSIS OF SECURITY AUDIT LOGS

Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines. Generate standardised logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers, and run biweekly reports to identify and document anomalies.

CONTROL 15 - CONTROLLED ACCESS BASED ON THE NEED TO KNOW

Prevent attackers from gaining access to highly sensitive data. Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to non-public data and files.

CONTROL 16 - ACCOUNT MONITORING AND CONTROL

Prevent attackers from impersonating legitimate users. Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that follow known standards.

CONTROL 17 - DATA LOSS PREVENTION

Stop unauthorised transfer of sensitive data through network attacks and physical theft. Scrutinise the movement of data across network boundaries, both electronically and physically, to minimise the exposure to attackers. Monitor people, processes, and systems, using a centralised management framework.

CONTROL 18 - INCIDENT RESPONSE CAPABILITY

Protect the organisation’s reputation, as well as its information. Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

CONTROL 19 - SECURE NETWORK ENGINEERING

Keep poor network design from enabling attackers. Use a robust, secure network engineering process to prevent security controls from being circumvented. Deploy network architecture with at least three tiers: DMZ, middleware, private network. Allow rapid deployment of new access controls to quickly deflect attacks.

CONTROL 20 - PENETRATION TESTS AND RED TEAM EXERCISES

Use simulated attacks to improve organisational readiness. Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises—all out attempts to gain access to critical data and systems— to test existing defences and response capabilities.

Prioritisation of the critical controls:

The twenty controls are a baseline of high-priority ‘technical’ information security measures and controls that can be applied across an organisation to improve its cyber defence. In order for a control to be a high priority, it must provide a direct defence against attacks.

Controls that mitigate known attacks, or a wide variety of attacks, or attacks early in the compromise cycle, all have priority over other controls. Controls that mitigate the impact of a successful attack also have a high priority. Special consideration is given to controls that help mitigate attacks that have not yet been discovered.

Monday, January 23, 2012

Insider Scams and Fraud a Growing Trend

Teenager Sentenced for Card Skimming

A 17-year-old was slapped with a 60-day jail sentence after he was busted for skimming credit and debit details while working the drive-thru window at a McDonald's restaurant in Olympia, Wash. This insider scam highlights a card fraud trend the industry needs to watch.

This case highlights just how easy it is for insiders to perpetrate card fraud, especially in a retail environment. Even if we protect the ATMs and POS devices, insider fraud like this will take place due to the ease with which criminals can get their hands on the appropriate devices. This is an industry that clearly needs an elegant and innovative solution (not EMV) that can at least make it an order of magnitude harder for skimmers to succeed.

Transactions Monitored

In the McDonald's incident, the teen's card-fraud scheme was foiled before exceeding $13,000 in losses after transaction monitoring traced the fraud. Detectives connected the dots and linked fraud to the Olympia McDonald's when contacted by the Washington State Employees Credit Union about fraudulent transactions hitting member accounts.

The credit union found one commonality: All of the compromised cards had been used at the same McDonald's. McDonald's management later confirmed the juvenile suspect had worked the drive-thru every time one of the compromised cards had been used.

The teenager used the stolen card numbers, which he collected with a handheld skimming device, to buy gift cards at retail stores such as Walmart and Toys R Us, according to a news report. With the fraudulently purchased gift cards, he allegedly bought about $13,000 worth of merchandise that he later sold on Craigslist and eBay for profit.

The purchases the teenager made included iPads, computers, video game systems and digital cameras, according to the Thurston County Prosecuting Attorney's Office.

The teen has been in custody since Nov. 16, after his parents refused to post bail. On Monday, he pleaded guilty to two juvenile counts of forgery and two juvenile counts of identity theft. As part of his sentence, the court has asked that he pay restitution to the victims whose cards were compromised.

The investigation is ongoing because other suspects may be involved.

Friday, January 20, 2012

Stuxnet Analysis Report by Cyber Security Forum Initiative (CSFI)

A must-read report which will answer many of yours questions regarding STUXNET!!

The Cyber Security Forum Initiative (CSFI) is a non-profit organization headquartered in Omaha, NE and in Washington DC with a mission "to provide Cyber Warfare awareness, guidance, and security solutions through collaboration, education, volunteer work, and training to assist the US Government, US Military, Commercial Interests, and International Partners."

CSFI was born out of the collaboration of dozens of experts, and today CSFI is comprised of a large community of nearly 5000 Cyber Security and Cyber Warfare professionals from the government, military, private sector, and academia. Our amazing members are the core of all of our activities, and it is for them that we are pushing forward our mission.

So, after quite some time of working behind the scenes, and making an effort to focus on essence rather than buzz, the CSFI have published their official report on Stuxnet.

Scope of Research
  1. Find the source code of the attack

  2. Reverse engineer the code

  3. Create a countermeasure and recommendation from these type of attacks

  4. Understand the political motivations behind this attack

  5. Explain how such a piece of malware can be used in cyber warfare scenario

  6. Can Iran retaliate using the same form of cyber attack?

Feel free to download the report form here: CSFI_Stuxnet_Report_V1

As well as watch the demonstration video on the CSFI website: http://csfi.us/?page=stuxnet

Wednesday, January 18, 2012

Ramnit Worm Threatens Online Accounts

Facebook Targeted by Fraudsters Seeking Log-in Credentials

Ramnit is a worm, which means, unlike malware, it can spread to other computers without being sent through e-mail or a malicious website. Ramnit, which surfaced in April 2010, continues to evolve.

In August 2011, security vendor Trusteer was the first to discover Ramnit's merger with the Zeus variant designed to target online banking accounts. The Ramnit-Zeus hybrid was superior because of its advanced man-in-the-browser capabilities, which enabled it to steal online banking and corporate log-in credentials.

The Ramnit hybrid bypassed two-factor authentication, and between September 2011 and December 2011, Trusteer estimated that some 800,000 machines had been infected.

Once launched on a corporate PC, Ramnit's browser penetration module steals internal and software-as-a-service credentials. Incoming web pages can then be modified using an HTML injection to request and steal more sensitive information.

Ramnit's man-in-the-middle looks like an actual social-media or bank-account sign-in page that captures a user's ID and password, and sometimes other personal information en route to the actual log-in page.

The difference, however, is that the page in the middle captures authentication data and allows the attacker to gain access to the victim's accounts at will.

Ramnit compromised 45000 Facebook accounts and now targeting financial accounts...

Researchers advises that the Ramnit worm, which last year defeated two-factor authentication measures used to protect online banking accounts and corporate networks, is now targeting Facebook - a development that should especially concern financial service businesses.
Lab researchers working for the Israel-based provider of cyberthreat management services say Ramnit has been linked to the compromise of more than 45,000 Facebook log-in credentials, primarily hitting users in the United Kingdom and France.
"We suspect that the attackers behind Ramnit are using the stolen credentials to log in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further," says a blog posted on Seculert's website Jan. 5.

"In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks."
Because users often use the same log-in and password credentials for multiple accounts, the threat of Ramnit attacks should be concerning to every industry, not just financial services, though financial institutions often have the most to lose when consumers online banking accounts are breached.
"As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands," Securlet says.
A Call for Multifactor Authentication

Bill Wansley an analyst at Booz Allen Hamilton, says every organization should take Ramnit's rapid evolution as a sign that outdated authentication measures are no longer effective.
"Passwords are not very useful for anything anymore," Wansley says. "They are just too easy to forget, copy or break. Everyone needs to go to multifactor authentication - like Google has recently - for social-media sign-in, and certainly for anything that is for financial or medical-related accounts."
Passphrases are better than passwords, but multifactor authentication is the new standard. "Nobody should be using their social-media passwords or phrases for their financial accounts," Wansley says.

In the financial space, cybercriminals increasingly use older malware to capture individual passwords and personal information that is later exploited to gain access to financial accounts.

"The Ramnit example is typical of these type attacks," Wansley says. "Ramnit is actually an older malicious code that has been updated with new features to achieve other purposes."

Sunday, January 15, 2012

Signcryption: New Technology & Standard to improve Cyber Security

Signcryption is a technology that protects confidentiality and authenticity, seamlessly and simultaneously

For example, when you log in to your online bank account, signcryption prevents your username and password from being seen by unauthorized individuals. At the same time, it confirms your identity for the bank.

UNC Charlotte professor Yuliang Zheng invented the revolutionary new technology and he continues his research in the College of Computing and Informatics. After nearly a three-year process, his research efforts have been formally recognized as an international standard by the International Organization of Standardization (ISO).

News of the ISO adoption comes amidst daily reports of cyber attack and cyber crime around the world. Zheng says the application will also enhance the security and privacy of cloud computing.

“The adoption of signryption as an international standard is significant in several ways,” he said. “It will now be the standard worldwide for protecting confidentiality and authenticity during transmissions of digital information.”

“This will also allow smaller devices, such as smartphones and PDAs, 3G and 4G mobile communications, as well as emerging technologies, such as radio frequency identifiers (RFID) and wireless sensor networks, to perform high-level security functions,” Zheng said.

“And, by performing these two functions simultaneously, we can save resources, be it an individual’s time or be it energy, as it will take less time to perform the task.”

Friday, January 13, 2012

Indian Hackers has hacked Symantec Norton AntiVirus software!

Symantec's Norton AntiVirus source code exposed by hackers

Symantec, the makers of Norton AntiVirus, has confirmed that a hacking group has gained access to some of the security product's source code.

An Indian hacking group, calling itself the Lords of Dharmaraja, has threatened to publicly disclose the source code on the internet.

So far, there have been two claims related to Symantec's source code.

First, a document claiming to be confidential information related to Norton AntiVirus's source code was posted on Pastebin. Symantec says it has investigated the claim, and that - rather than source code - it was documentation dated from April 1999 related to an API (application programming interface) used by the product.

And secondly, the hacking group shared source code related to what appears to have been the 2006 version of Symantec's Norton AntiVirus product with journalists from Infosec Island.

Chris Paden, a Symantec spokesperson, confirmed to InfoSec Island that some of the firm's source code had been accessed:
"Symantec can confirm that a segment of its source code has been accessed. Symantec’s own network was not breached, but rather that of a third party entity."

"We are still gathering information on the details and are not in a position to provide specifics on the third party involved."

"Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time."

"Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is four and five years old. This does not affect Symantec's Norton products for our consumer customers. Symantec's own network was not breached, but rather that of a third party entity."

"We are still gathering information on the details and are not in a position to provide specifics on the third party involved. Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time."

"However, Symantec is working to develop remediation process to ensure long-term protection for our customers' information. We will communicate that process once the steps have been finalized.
Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts."
It's hard not to feel sympathy for Symantec - who appear to have been caught in the crossfire between a hacking gang and the Indian authorities.

Although Symantec customers may not be at risk, it's easy to see how the software company will feel bruised by the publicity that the Lords of Dharmaraja have generated through their hack.

Wednesday, January 11, 2012

WPS-enabled Wi-Fi routers are vulnerable to brute force attack

Security flaw found in Wi-Fi Protected Setup

The US Computer Emergency Readiness Team (US-CERT) warned of a security flaw in a popular tool intended to make it easier to add additional devices to a secure Wi-Fi network.

The organisation cited findings from security researcher Stefan Viehbock, who uncovered the security hole in the so-called Wi-Fi Protected Setup, or WPS, protocol, which is often bundled into Wi-Fi routers.

The WPS protocol is designed to allow unskilled home users to set up secure networks using WPA encryption without much hassle. Users are then able to type in a shortened PIN instead of a long passphrase when adding a new device to the secure network.

That method, however, also makes it much easier for hackers to break into a secure Wi-Fi network, US-CERT says. The security threat could affect millions of consumers, since the WPS protocol is enabled on most Wi-Fi routers sold today.

The basic problem is that the security of the eight-digit PIN falls dramatically with more attempts to key in the password. When an attempt fails, the hacker can figure out whether the first four digits of the code are correct. From there, it can then narrow down the possibilities on the remaining digits until the code is cracked. Viehbock said that a hacker can get into a secure Wi-Fi hotspot in about two hours using this method to exploit a vulnerability.

Here's how US-CERT describes the flaw:

When the PIN authentication fails, the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known, because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 108 to 104 + 103, which is 11,000 attempts in total.

It has been reported that some wireless routers do not implement any kind of lock-out policy for brute-force attempts. This greatly reduces the time required to perform a successful brute-force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition, because of the brute-force attempt, and required a reboot.

US-CERT said in its warning that there is no known fix to the security problem. Instead, the group recommends that users disable the WPS function on their routers. The warning lists several wireless router vendors as selling devices that are affected by the security hole: Buffalo, D-Link, Cisco Linksys, Netgear, Technicolor, TP-Link and ZyXEL.

US-CERT indicated in its warning that it notified router vendors that are affected by the security issue in early December, but so far the vendors have not offered a response, nor have any of them issued statements.

Monday, January 9, 2012

Android Network Toolkit for Penetration Testing and Hacking

Zimperium have unveiled the Android Network Toolkit for easy hacking on the go!

ANTi is a smartphone, android based, penetration testing toolkit that can scan a network, find vulnerabilities, run exploits, produce reports and more.

There is a free version with limited functions and several paid versions that scale up in functionality. The videos linked at the bottom of this article are interesting.

ANTi – Android Network Toolkit – [zimperium.com]

What is Anti?


ZImperium LTD is proud to annonce Android Network Toolkit – Anti.
Anti consists of 2 parts: The Anti version itself and extendable plugins. Upcoming updates will add functionality, plugins or vulnerabilities/exploits to Anti

Using Anti is very intuitive – on each run, Anti will map your network, scan for active devices and vulnerabilities, and will display the information accordingly: Green led signals an ‘Active device’, Yellow led signals “Available ports”, and Red led signals “Vulnerability found”.

Also, each device will have an icon representing the type of the device. When finished scanning, Anti will produce an automatic report specifying which vulnerabilities you have or bad practices used, and how to fix each one of them.

Anti – Android Network Toolkit Capabilities Video/Demo by ZImperium LTD – [youtube.com]

Hacking a Mac using Android Network Toolkit CSE in ANTI3 by ZImperium LTD – [youtube.com]

Thursday, January 5, 2012

How Developers Can Secure their Code?

5 Application Security Tips

Over the last 30 years, many organizations have done an amazing job of automating their business, resulting in productivity gains, efficiencies and innovations.

Unfortunately, the threat landscape has changed dramatically during this time. A lot of that application code, written without security in mind decades ago, is still the heart-and-soul of many enterprises. That code was designed for a world where computers could not be accessed remotely.

Since then, it has been wrapped, integrated, connected, ported, and most importantly, exposed. That application code is not strong enough to withstand today's threat.

OWASP has a number of free and open-source resources that developers can use right now to help secure their code.

5 Tips for Developers

Start with the OWASP Top Ten
- This awareness document will help you understand, identify, and fix the most critical application security risks quickly.

Get hands-on with WebGoat - WebGoat is a deliberately flawed application that is riddled with holes to give people the opportunity for hands-on learning. It is open-sourced to help developers and security testers get experience with real vulnerabilities.

Leverage the OWASP Cheat Sheets - This is a fantastic series from leading experts globally. Let me know what you think of the Cross-Site Scripting Prevention Cheat Sheet, one of OWASP's most popular pages.

Verify Your Applications - There is no substitute for getting real facts about the security of your application portfolio. OWASP Application Security Verification Standard helps developers get started scanning, testing and code reviewing with tools like OWASP Zap and CSRFTester.

Get Training - Perhaps the hardest thing about application security is that there are so many different ways that software can fail, particularly when it's targeted by a motivated attacker. The key is training to get started with securing applications quickly.

If instructor-led training isn't possible, eLearning solutions are available to allow developers to learn on-demand and get hands-on, practical experience with vulnerabilities, security controls and real code. Training is a remarkably effective way to reduce vulnerabilities.

Before you trust your business to application software, make certain that the people who are writing your code know how to defend your business and its assets. It's time to learn.

Monday, January 2, 2012

How-to encrypt and password protect your personal folders & files in Windows and Mac

TrueCrypt - Free Open-Source Disk Encryption Software

You can’t easily password protect folders or files in Windows / MAC yet, but you can remove the permissions for users or use TrueCrypt to create mountable encrypted containers that can only be accessed with the correct password.

TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention.

No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. Entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, meta data, etc).

Encryption does not mean it has to be slow or difficult. In fact, TrueCrypt makes it really fast and you can access all files as if they were unencrypted. Here is how you can do it:

  1. Download TrueCrypt from http://www.truecrypt.org/downloads (latest stable 7.1 09/26/11)

  2. When you install TrueCrypt select Extract files, this will extract the program without actually installing it.

  3. Now start the TrueCrypt.exe

  4. Click on Create New Volume and this screen will pop up:

    Encrypt and protect files

  5. Select Standard for now

  6. Find a place for your encrypted container. Think of it as a real file that is password-protected. Store it for example here: C:\Users\yourusername\Desktop

    Create volume location for encrypted files

    Make sure you have enough disk space.

  7. Select an algorithm. Don’t know what to choose? Use the default!

  8. Enter a size for the encrypted container.

  9. Set a password for your encrypted container. Don’t make your password too short or it will be easy to crack

  10. Move your mouse for some time to get a good encryption and click on Format

    Volume format encryption
  11. Back on the TrueCrypt main screen, enter the path to your encrypted container (or click on Select file and browse to it)

  12. Finally click on Mount, you can now access your encrypted password-protected container like any other hard drive via the explorer! Awesome? It is!

Mount password protected encrypted folder

There are various other methods to password protect and encrypt folders. However, TrueCrypt is the best free solution and using the to effectively protect your private folders.

If you need more protection, simply create an encrypted container and store your files on a flash drive. Flash drives with 8GB or more are cheap and can be used to store all your private files. You could also use an external USB hard drive for storing the password-protected encrypted folders.