Wednesday, February 29, 2012

How to minimize the risk and impact of Identity Fraud?

Tips to minimize the risk of identity fraud

Javelin Strategy & Research recommends that consumers follow a three-step approach to minimize their risk and impact of identity fraud.

Step 1

  1. Keep personal data private - At home, at work and on your mobile devices, secure your personal and financial records in a locked storage device or behind a password. Of those consumers who knew how the crimes were committed, nine percent of all identity fraud crimes were committed by someone previously known to the victim in 2011.

    Avoid mailing checks to pay bills or to deposit funds in your bank account. Use online bill payment over a secure Internet connection (not a public Wi-Fi hotspot) instead, and use direct deposit for payroll checks.

  2. Be social, be responsible - While social networks are popular, be careful about publicly exposing personal information that is typically used for authentication (full birthdate, high school name). This applies to all social networks.

  3. Use mobile devices responsibly - Mobile devices are a treasure trove of information for fraudsters. The "always on" functionality of mobile devices provides fraudsters with new avenues for securing information. Be sure of the applications you download, the data you share over public Wi-Fi and where you leave your devices.

  4. Ask questions - Before providing any information on mobile phones, social media sites and transaction sites, ask who is requesting the information, why they need it and how it will be used. If volunteering information, ask yourself whether you have more to gain or more to lose by sharing personal and unnecessary details.

Step 2

  1. Take control - In 2011, 43 percent of fraud was first detected by the victims. By monitoring accounts online at bank and credit card websites, and setting up alerts that can be sent via e-mail and to a mobile device, consumers can more quickly detect if they are a victim of identity fraud and stop it early.

  2. Learn about methods to protect your identity - There is a wide array of services available to consumers who want extra protection and peace of mind. These include credit monitoring, fraud alerts, credit freezes and database scanning.

    Some services can be obtained for a fee and others at no cost. These services can detect potentially fraudulent information from credit reports, public records and online activity that is difficult to track on your own.

Step 3

  1. Report problems immediately - Work with your bank, credit union or protection services provider to take advantage of resolution services, loss protections and methods to secure your accounts.

    A fast response increases the likelihood that losses are reduced and that law enforcement can pursue fraudsters so they face consequences for their actions.

  2. Take any data breach notification seriously - If you receive a data breach notification, take it very seriously, as you are at much higher risk according to the 2012 Identity Fraud Report: Social Media and Mobile Forming the New Fraud Frontier.

    If you receive an offer from your financial institution or retailer for a free monitoring service after a breach, take advantage of the offer or closely monitor your accounts directly.

Monday, February 27, 2012

Top 10 Reports for Managing Vulnerabilities

Free Security eBook

I would like to recommend a free security eBook, "Top 10 Reports for Managing Vulnerabilities". I think it is worth sharing with all of you.

This free guide covers the key aspects of the vulnerability management lifecycle and shows you what reports today's best-in-class organizations are using to reduce risks on their network infrastructure.

New network vulnerabilities appear constantly, and the ability of IT security professionals to handle new flaws, fix misconfigurations and protect against threats requires constant attention. However, with shrinking budgets and growing responsibilities, time and resources are constrained.

Therefore, sifting through pages of raw vulnerability information yields few results and makes it impossible to accurately measure your security posture.

This guide cuts through the data overload generated by some vulnerability detection solutions and introduces The Top 10 Reports for Managing Vulnerabilities.

It's a limited-time offer (PDF version):

Sunday, February 26, 2012

Google Chrome to offer easy-way to construct stronger passwords

Google Password Generator in the Works

Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard.

The tool that Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them.

"Detecting when we are on a page that is meant for account sign up will be most of the technical challenge. This will likely be accomplished via heuristics (i.e. there is an account name field and two password fields). If we determine that this is a signup page, then we will add a small UI element to the password field. If the user clicks on this element, we will pop up a small dialogue box next to the field asking the user if they would like Chrome to manage this password for them," the project page on Chromium Projects says.

"If they accept the prompt then we pop up a small box which is prepopulated with what we think is an acceptable random password. The reason we don't just choose a password for them is that many sites have requirements (e.g. must have one digit, must be alphanumeric, must be between 6 and 20 characters) some of which may be contradictory between sites.

So we will choose a default generator that will work on most sites, but users may need to change our password if it doesn't work. We can skip this for sites that have 'pattern' set on the password field. Long term we can hopefully also gather some aggregate information from UMA users about the form of passwords they generated so that this whole process can be skipped for the vast majority of sites."

Password management has become a major pitfall for many users in recent years as the number of sites that require authentication has exploded. As users have been required to register with more and more sites and services, including mobile apps and games, many of them have naturally tended to re-use passwords and use weak or easily guessable ones.

This has been a boon for data thieves who, after stealing a database of usernames and passwords from one retailer or Web site, find that they often can compromise any number of other accounts belonging to those victims simply by re-using the passwords.

A variety of services and products have emerged to help address the problem of password generation and management, including applications that will generate random passwords or store existing passwords in an encrypted form. But the problem has persisted.

Google's password generator, which is in the development stage, won't be able to protect users in every scenario. It's meant for use in situations where users are signing up for a new service or need to set a new password. In situations where a user is simply signing in to an existing account, it won't be of use. It also may not protect against a majority of phishing sites.

"Any website that has autocomplete turned off will not be able to be protected. Going by current phishing attacks, this means that 40-70% of phishing pages can't be protected against. Once this feature is rolled out we probably want to see if we can get around this problem. Maybe we can get users to re-authenticate to the browser before logging into such sites," the Google documentation says.

Friday, February 24, 2012

Intrusion Detection for Embedded Control Systems

Digital Bond's SCADA Security Scientific Symposium (S4)

S4 did include one paper from academia, IDS for Embedded Control Systems presented by Jason Reeves of Dartmouth College and the TCIPG effort. Jason and a TCIPG team had previously developed a research product called Autoscopy and have recently enhanced it in Autoscopy Jr.

The primary purpose of Autoscopy Jr. is to detect rootkits on embedded control systems while limiting the overhead to less than 5%. The primary method is to monitor the sequence of executed instructions in a learning phase and then detect behavior that is indicative of rootkits. Jason refers to it as something akin to function level whitelisting.

It’s a detailed technical talk worth watching if you are interested in the future of IDS in PLCs, RTUs and other field devices. The performance testing showed it was under the 5% threshold, and there were ways to improve the performance further by identifying the most resource-intensive Kprobes.

The effectiveness is an open question. The team did test this against 15 rootkits that attempted control flow hijacking, but there was not a set of real world embedded system rootkits to test against.

Refer here to watch the presentation video.

Wednesday, February 22, 2012

Half of the Fortune 500 companies are still infected with the DNSChanger virus!

FBI could take down Internet for millions on March 8

On March 8, the FBI may be forced to shut down DNS servers, originally installed to stop the spread of the DNSChanger virus, which would cut off Internet access to millions of Web users worldwide.

The Federal Bureau of Investigation may soon be forced to shut down a number of key Domain Name System (DNS) servers, which would cut Internet access for millions of Web users around the world, reports BetaBeat.

The DNS servers were installed by the FBI last year, in an effort to stop the spread of a piece of malware known as DNSChanger Trojan. But the court order that allowed the set up of the replacement servers expires on March 8.

In November of last year, authorities arrested six men in Estonia for the creation and spread of DNSChanger, which reconfigures infected computers’ Internet settings, and re-routes users to websites that contain malware, or other illegal sites. DNSChanger also blocks access to websites that might offer solutions for how to rid the computer of its worm, and often comes bundled with other types of malicious software.

By the time the FBI stepped in, DNSChanger had taken over computers in more than 100 countries, including half-a-million computers in the US alone. To help eradicate the widespread malware, the FBI replaced infected servers with new, clean servers, which gave companies and individuals with infected computers time to clean DNSChanger off their machines.

Unfortunately, DNSChanger is still running on computers “at half of the Fortune 500 companies,” and at “27 out of 55 major government entities,” reports cybersecurity journalist Brian Krebs. These computers rely on the FBI-installed DNS servers to access the Web. But if the court order is not extended, the FBI will be legally required to remove the clean servers, which would cut off the Internet for users still infected with DNSChanger.

Companies or other agencies that are unsure whether their systems are infected with DNSChanger can get free assistance here. And private users can find out if they are infected using instructions provided here.

Monday, February 20, 2012

Learn the process of documentation writing to implement ISO 27001

ISO 27001 Video Tutorials

One of the biggest obstacles for companies starting to implement ISO 27001 is writing various documents required by this information security standard.

Information Security & Business Continuity Academy has launched ISO 27001 Video Tutorials, a new product that facilitates the process of documentation writing.

According to ISO Survey of Certifications published by the International Organization for Standardization (ISO), ISO 27001 is within the 5 most popular management standards, and is also one of the standards with the highest growth in the number of certified companies – about 20% annually.

However, it is less well known that a large percentage of companies that start to implement this standard never finish the job. The reason for failure is very often insufficient time or lack of knowledge for writing the documentation – ISO 27001 has very specific requirements about what the documentation should look like.

At the moment 13 video tutorials are available, and each month 2 new tutorials will be published. A total of 50 video tutorials are planned, which will cover all the steps in ISO 27001 implementation – from setting up the project all through successful certification.

Dejan Kosutic, the author of the video tutorials said:
"I've worked with quite many companies as a consultant, and most of those companies struggle with the same thing – how to fill in the documentation. I believe these video tutorials will increase the success rate of ISO 27001 projects by at least 25%, and increase the speed of implementation by 50%".

Saturday, February 18, 2012

Typical duties of an Incident Handler / Incident Response Teams

Seven Typical Tasks of Incident Handling

The typical areas of performance by an incident handler are found in most incident response (IR) teams. The following are the primary responsibilities of the handler personnel and describe a typical day (if that actually exists) for an IR team member:

Analyzing reports—All incidents are usually reported to the IR team after or, hopefully, during the incident. These reports are analyzed to identify the type of activity, its potential impact, its scope, how many systems are involved, whether it’s local or larger, and whether it’s a known type of attack. These areas are all analyzed first during the initial response efforts.

Analyzing logs—Evaluating any logs, suspect files or artifacts is a prime responsibility of incident handlers. The network logs, system logs, router logs, firewall logs, sniffer logs, application logs, any supporting information and possibly even the incident artifacts are analyzed to help identify the systems, possibly other sites involved in the incident, and the methods of ingress and attack.

Researching background information—What were the first steps taken by the attackers? When was the affected system last patched? When and where did the attackers enter the network? Identifying the hosts, systems and IP addresses from the attack location or attack vector provides important support information to help prevent future attacks and to isolate potential vulnerabilities in the security posture of the compromised system or network.

Monitoring system and network logs—Watching the system or network once the attack or compromise is discovered can add to the data and information needed to further secure the system in the future. A handler could determine if the compromise is still active by evaluating the logs currently being recorded and may possibly catch the perpetrator in the act.

Technical assistance—Providing technical assistance, whether it is over the phone or by sending an e-mail with a source document and suggestions or steps for recovery, is part of the handler’s duties.

The team may have a web site with all the necessary documentation or there may be a repository of defined information for the organization; in either case, the handler would update this as part of his/her technical assistance responsibilities.

Coordinating and sharing information—The handler will coordinate information with the various affected units within the organization and, possibly, with outside organizations.

Collaboration improves response efforts, and information sharing helps the responders react and contain at a much faster rate than what was seen in the past, so this part of the handler’s job has become much larger in recent years. Tracking of tasks, contacting software and hardware vendors for data research, and preparing briefings and reports are all part of this task.

Other duties—Typically, if the incident warrants it, the handler will assist law enforcement with incidents that involve the criminal element. The handler can be, and is often, called upon to provide detailed expert testimony on previous cases and incidents. He/she also could be tasked with supporting the notification activities of victims of unauthorized release of data.

Thursday, February 16, 2012

Current State of SCADA Security 'Laughable'

Many of the systems that are now exposed to the Internet were not designed with that connectivity in mind

Researchers have been speaking publicly about some of them for a couple of years now, and a group recently discussed a huge set of vulnerabilities it found during an extended project looking at PLCs (programmable logic controllers). That talk at the S4 conference showed just how vulnerable such systems are to a wide variety of attacks.
"It's a blood bath mostly," Reid Wightman, a consultant at Digital Bond, said during that conference last month. "Many of these devices lack basic security features."

During talks on SCADA security problems at the Kaspersky-Threatpost Security Analyst Summit here Friday, several other researchers talked about the serious issues inherent in these ICS installations, and the picture they painted is one of systemic problems and a culture of naivete about security in general.

Terry McCorkle, an industry researcher, discussed a research project he did with Billy Rios in which they went looking for bugs in ICS systems, hoping to find 100 bugs in 100 days. That turned out to be a serious underestimation of the problem.

"It turns out they're stuck in the Nineties. The SDL doesn't exist in ICS," McCorkle said. "There are a lot of ActiveX and file format bugs and we didn't even bother looking at problems with services. Ultimately what we found is the state of ICS security is kind of laughable."

McCorkle and Rios, who reported all of their findings to the affected vendors and through the ICS-CERT, found that the basic security model underlying the ICS systems that run critical services such as power, water and others, is completely inadequate.

Many of the systems that are now exposed to the Internet were not designed with that connectivity in mind, and some of them now have mobile interfaces that can be run on smartphones, leading to an entirely new set of issues.

"People are gonna get owned, it's going to hurt," McCorkle said. "These HMIs are listening, they're out there and they give access to these systems that are supposed to be segregated."

Tiffany Rad, a computer science professor at the University of Southern Maine and an intellectual property attorney, said during her talk here on vulnerabilities in the ICS systems at correctional facilities that there is a serious, overarching set of problems that needs to be addressed.

"Security through obscurity no longer works with SCADA," she said. "The belief that PLCs are not vulnerable because they're not connected to the Internet is not true.

"It would cost hundreds of billions of dollars to fix these problems physically. The only solution is [user] training."

Tuesday, February 14, 2012

Microsoft's India store hacked

Microsoft website saying "unsafe system will be baptized"

Hackers, allegedly belonging to a Chinese group called Evil Shadow Team, struck at the Microsoft India Store on Sunday night, stealing login IDs and passwords of people who had used the website to shop for Microsoft products.

While it is troublesome that hackers were able to breach security at a website owned by one of the biggest IT companies in the world, it is more alarming that user details - login IDs and passwords - were reportedly stored in a plain text file, without any encryption.

Following the hack, the members of Evil Shadow Team, posted a message on the Microsoft website saying "unsafe system will be baptized". The story was first reported by

Later, the website seemed to have been taken offline by Microsoft. We advise users of the Microsoft India Store to change their password as soon as the website comes back online. Also, if they have used the same password or login ID on any other web service, they should change it immediately.

Last year, hacker groups like Lulzsec carried out several high-profile break-ins, putting the focus on the security measures companies put in place. Sony allegedly suffered several security breaches, and hackers stole user IDs and passwords of customers from its network.

In a message posted on a website called Pastebin, Lulzsec claimed the group was bringing attention to web security. "Do you think every hacker announces everything they've hacked? We certainly haven't, and we're damn sure others are playing the silent game. Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn't silently sitting inside all of these right now," the group wrote.

But the incident at the Microsoft Store on Sunday hints that lessons have not been learnt. Just like Sony, which later revealed that user IDs and passwords were not encrypted at the time of the security breach, Microsoft too seems to have been casual about handling user details by storing them in a plain text file.

Monday, February 13, 2012

Free Security eBook [Compliance and Beyond]

Toward a Consensus on Identity Management Best Practices

I would like to recommend a Web Security eBook [Compliance and Beyond: Toward a Consensus on Identity Management Best Practices] to learn best practices for identity management and IT security for the Energy industry.

For more than a decade, government and industry bodies around the world have issued a growing number of regulations for the energy industry designed -- in whole or in part -- to ensure the security, integrity and confidentiality of personal and corporate data. Combined, these individual regulatory guidelines outline what constitutes best practices in identity management and IT security.

It's a limited-time offer, PDF version.

Free Download:

Thursday, February 9, 2012

Trojan rounds up and steals Word and Excel docs

Malware Uses Sendspace to Store Stolen Documents

Beware of bogus FedEx emails asking you to review a shipment notification - the attached Fedex_Invoice.exe is actually a downloader Trojan that opens your computer to other pieces of malware.

In this particular case spotted by Trend Micro researchers, it downloads and executes a Trojan that searches for and snatches MS Word and Excel documents from the infected machine.

"The collected documents are then archived and password-protected using a randomly generated password in the user’s temporary folder," they share. After creating the archive, it uploads it to Sendspace, a file hosting service that allows its users to send, receive, track and share files.

Once the archive is uploaded, the malware retrieves the Sendspace download link, and then sends it to the C&C server operated by the crooks along with the password needed to open it.

This is not the first time that Sendspace has been used by cyber thieves to store stolen data, and the same can be said for other free online hosting services.

Unfortunately, the criminals have realized that these legitimate services allow them to forgo the need of operating their own drop zones.

Tuesday, February 7, 2012

Ten little things to secure your online presence

Life online can be a bit of a minefield, especially when it comes to avoiding malicious hacker attacks.

Here’s some basic advice on the tools and tricks you can implement immediately to secure your identity and online presence.

You’ve all heard the basic advice — use a fully updated anti-malware product, apply all patches for operating system and desktop software, avoid surfing to darker parts of the Web, etc. etc.

Those are all important but there are a few additional things you can do to secure your online presence and keep hackers at bay. Here are 10 little things that can provide big value:

1. Use a Password Manager

Password managers have emerged as an important utility to manage the mess of creating strong, unique passwords for multiple online accounts. This helps you get around password-reuse (a basic weakness in the identity theft ecosystem) and because they integrate directly with Web browsers, password managers will automatically save and fill website login forms and securely organize your life online.

Some of the better ones include LastPass, KeePass, 1Password, Steganos and Kaspersky Password Manager. Trust me, once you invest in a password manager, your life online will be a complete breeze and the security benefits will be immeasurable.

2. Turn on GMail two-step verification

Google’s two-step verification for GMail accounts is an invaluable tool to make sure no one is logging into your e-mail account without your knowledge. It works much like the two-factor authentication you see at banking sites and uses text messages sent to your phone to verify that you are indeed the one trying to log into your GMail. It takes about 10 minutes to set up and can be found at the top of your Google Account Settings page. Turn it on and set it up now.

While you’re there, you might want to check the forwarding and delegation settings in your account to make sure your email is being directed properly. It’s also important to periodically check for unusual access or activity in your account. You can see the last account activity recorded at the bottom of GMail page, including the most recent IP addresses accessing the account.

3. Switch to Google Chrome and install KB SSL Enforcer

With sandboxing, safe browsing and the silent patching (auto-updates), Google Chrome’s security features make it the best option when compared to the other main browsers. I’d also like to emphasize Google’s security team’s speed at fixing known issues, a scenario that puts it way ahead of rivals.

Once you’ve switched to Chrome, your next move is to install the KB SSL Enforcer extension, which forces encrypted browsing wherever possible. The extension automatically detects if a site supports SSL (TLS) and redirects the browser session to that encrypted session. Very, very valuable.

4. Use a VPN everywhere

If you’re in the habit of checking e-mail or Facebook status updates in coffee shops or on public WiFi networks, it’s important that you use a virtual private network (VPN) to encrypt your activity and keep private data out of the hands of malicious hackers.

The video above explains all you need to know about the value of VPNs and how to set it up to authenticate and encrypt your web sessions. If you use public computers, consider using a portable VPN application that can run off a USB drive.

5. Full Disk Encryption

The Electronic Frontier Foundation (EFF) has made this a resolution for 2012 and I’d like to echo this call for computer users to adopt full disk encryption to protect your private data. Full disk encryption uses mathematical techniques to scramble data so it is unintelligible without the right key.

This works independently of the policies configured in the operating system software. A different operating system or computer cannot just decide to allow access, because no computer or software can make any sense of the data without access to the right key. Without encryption, forensic software can easily be used to bypass an account password and read all the files on your computer.

Here’s a useful primer on disk encryption and why it might be the most important investment you can make in your data. Windows users have access to Microsoft BitLocker while TrueCrypt provides the most cross-platform compatibility.

6. Routine Backups

If you ever went through the sudden death of a computer or the loss of a laptop while travelling, then you know the pain of losing all your data. Get into the habit of automatically saving the contents of your machine to an external hard drive or to a secure online service.

Services like Mozy, Carbonite or iDrive can be used to back up everything — from files to music to photos — or you can simply invest in an external hard drive and routinely back up all the stuff you can’t afford to lose. For Windows users, here’s an awesome cheat sheet from Microsoft.

7. Kill Java

Oracle Sun’s Java has bypassed Adobe software as the most targeted by hackers using exploit kits. There’s a very simple workaround for this: Immediately uninstall Java from your machine. Chances are you don’t need it and you probably won’t miss it unless you’re using a very specific application. Removing Java will significantly reduce the attack surface and save you from all these annoying checked-by-default bundles that Sun tries to sneak onto your computer.

8. Upgrade to Adobe Reader X

Adobe’s PDF Reader is still a high-value target for skilled, organized hacking groups so it’s important to make sure you are running the latest and greatest version of the software. Adobe Reader and Acrobat X contains Protected Mode, a sandbox technology that serves as a major deterrent to malicious exploits.

According to Adobe security chief Brad Arkin, the company has not yet seen a single piece of malware that is effective against a version X install. This is significant. Update immediately. If you still distrust Adobe’s software, you may consider switching to an alternative product.

9. Common sense on social networks

Facebook and Twitter have become online utilities and, as expected, the popular social networks are a happy hunting ground for cyber-criminals. I strongly recommend against using Facebook because the company has no respect or regard for user privacy but, if you can’t afford to opt out of the social narrative, it’s important to always use common sense on social networks.

Do not post anything sensitive or overly revealing because your privacy is never guaranteed. Pay special attention to the rudimentary security features and try to avoid clicking on strange video or links to news items that can lead to social engineering attacks. Again, common sense please.

10. Don’t forget the basics

None of the tips above would be meaningful if you forget the basics. For starters, enable Windows Automatic Updates to ensure operating system patches are applied in a timely manner. Use a reputable anti-malware product and make sure it’s always fully updated.

Don’t forget about security patches for third-party software products (Secunia CSI can help with this). When installing software, go slowly and look carefully at pre-checked boxes that may add unwanted crap to your machine. One last thing: Go through your control panel and uninstall software that you don’t or won’t use.

Saturday, February 4, 2012

Criminals hit the jackpot in Victoria with $55K lottery scam

Crime syndicates are setting up fake lotteries to swindle Australians with promises of windfall jackpots.

A Victorian (Australia) man has become the latest victim, losing $55,000 in bogus administration fees when he tried to claim a supposed $4.5 million fortune. The theft is one of the biggest lottery fraud losses reported to Consumer Affairs Victoria.

The man told the watchdog and police that he transferred the cash after responding to an email sent to his wife advising of the massive win. Sources said there was little hope of retrieving the money because lottery fraudsters were normally based overseas and avoided detection through reinventing themselves.

The man, who declined to be named and has not told all of his family about the theft, was ordered to keep details of the lottery win secret. The scammers later claimed they had transferred the $4.5 million but the International Monetary Fund had stopped the payment and a 3 per cent fee was required to access it.

Con artists siphon at least $3 million a year from Australians through phony lotteries and sweepstake offers that steal cash or bank details, the Australian Competition and Consumer Commission says.

CAV director Dr Claire Noone said people should be suspicious of any texts, emails or mail claiming that they've won or could win a fortune.

"The scammer will inform consumers they've won a large amount of money or a holiday and they need to send money to claim it," Dr Noone said.

"Scammers often say this money is needed to cover the costs of taxes or administration fees. Once you send the payment overseas though, the scammer pockets the fee and the prize never arrives."

CAV received 6770 reports about various scams last financial year, up 44 per cent on the previous year.
  • Never send money, credit card or bank details, or personal information to someone you don’t know.
  • Beware of claims to provide you with instant income or winnings.
  • Do not give out information over the phone unless you made the call or know the number.
  • If you fall victim to a scam email, change your email address as soon as possible to avoid further contact.
Source: Consumer Affairs Victoria