Saturday, August 22, 2009

Marines: Facebook is not for the few good men

By Doug Beizer

Marine Corps officials have banned using social-networking Web sites on the service’s networks due to the security risks associated with the Web 2.0 tools, according to an order published on the Marine Corps Web site.

The order issued August 3 bans accessing social networking tools that include Facebook and Twitter on the Marine Corps Enterprise Network and on the Non-secure Internet Protocol Router Network.

“These Internet sites in general are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries,” the order states, adding that social networking sites create an easy conduit for information leakage.

The service also banned accessing the sites through virtual private network connections. However, Marine Corps personnel may still access social networking sites sponsored by the Defense Department and hosted on internal networks, the order states.

DOD-wide policies on the use of social media tools are being re-evaluated, according to a U.S. Strategic Command blog entry and widespread media reports.

The Strategic Command, which oversees the use of the dot-mil network, has launched a review of the safety of the sites, according to several reports.

Thursday, August 20, 2009

Microsoft Security Essentials Release

Microsoft Security Essentials (MSE) beta build 1.0.1500.0 has quietly appeared out of nowhere today. There's no official announcement, testers haven't received any e-mail notification, and it's unclear whether this is the second public build, either a Beta Refresh or a Release Candidate, which the software giant promised to release this summer.

There are a few more odd things with this release, such as the fact that the update points to KB article 972958, which doesn't appear to exist, at least not at the time of publishing. Furthermore, some users are reporting that they are actually getting build 1.0.1501.0 instead of 1.0.1500.0 when they update. The new version is available for current MSE testers on the Downloads section of the Microsoft Security Essentials beta program on Microsoft Connect, although the release date mistakenly says the build was posted on June 21, 2009. On Connect, the version is also mistakenly referred to as 1.0.1500.0, but the actual installers are for 1.0.1501.0. The new build was also released as an optional update on Windows Update, with today's date stamp, and that update really gets you build 1.0.1500.0.

Saturday, July 04, 2009

Simple Ways to Protect Your PC - Back It Up!

OK, this is a very simple one: back up your PC. I have a small (300GB) drive attached to my laptop at home and at work, and I simply run Acronis to back up the laptop every time it is on. For Information Security Gurus readers, we have a special 30% off:

Acropack 2009: Save 30% on Acronis Disk Director Suite 10 and True Image 2009!


Sunday, April 12, 2009

Your Biggest Security Threat May Already Be On Your Network

by Jeff Porn
Information Security Consultant
Compushare, Inc.

With technology now reaching into nearly every aspect of your business, keeping your bank or credit union secure has become one of, if not the, biggest challenges IT administrators face every day. The last thing a financial institution wants to worry about is what its trusted employees are doing on the network. Yet this concern is emerging as the biggest threat to the security of any company’s infrastructure today.

By now, every player within the financial services industry has learned of the data breach that took place in 2008 at New Jersey-based credit card payment processor Heartland Payment Systems. The event affected more than 625 banking institutions and has been noted as the largest data breach in U.S. history. Although the means by which computer hackers gained access to the accounts has not been disclosed, it is known that the external security measures used to protect Heartland’s network were PCI certified. This means that proper firewall practices were being followed. Furthermore, due to the multiple layers of anti-virus and malware protections in place, the company stated that it does not believe the breach occurred through an employee opening an email attachment. So a potential scenario that I’m sure is being investigated is the involvement of an employee with access to the network, either through malicious intent or through compromise by social engineering. Even with proper security practices in place, PCI standard certifications and strong encryption, a single compromised employee with access to sensitive data can bypass all of these security measures. In the case of Heartland Payment Systems, key loggers were used on workstations to capture sensitive data before any encryption was applied, targeting the weakest point in any security model - the human element.

The main focus of most financial institutions when it comes to security is to protect against attacks from the outside by ensuring that firewalls are in place, configurations are correct, and testing is conducted on a regular basis per Federal requirements. In addition, Intrusion Detection solutions are available that will monitor network traffic for attacks and automatically shut them down, or alert key personnel that a potential attack is underway. Internally, most follow the standard security best practices recommended by Microsoft, Novell or other vendors, along with the recommendations and requirements specific to the financial industry. However, those practices are ineffective when employees perform unauthorized activities or access unauthorized data on the network.

The Identity Theft Resource Center (ITRC) reported that data breaches rose 50% in 2008. Of the many methods used, including insider theft, malware attacks and hacking, insider theft saw the largest increase, more than doubling its 2007 count. Data on the move and accidental exposure, both human error categories, account for 35.2% of the breaches for which a cause was indicated. Of the various industries reviewed, the financial industry showed the largest increase in breaches, almost doubling its number of incidents from 2007. Looking at the protections that were in place when breaches occurred, it was found that only 11% had either encryption or password protection in place. The bulk of the breached data had no protection at all. Here at Compushare, we also saw an alarming 50% increase in the number of clients that were successfully “breached” through Social Engineering testing. The methods used were a combination of email phishing, phone calls and physical site assessments. When at least two of these methods were combined, we saw nearly a 100% success rate in breaching the client or gaining sensitive information.

As technology evolves and becomes more intelligent, hackers have to continually find new security gaps and better ways to circumvent these new levels of security. However, the one thing they can continue to rely on is the fact that there is no patch for human error. This has been, and will always be, the weakest link and the most frustrating security concern that IT administrators face. So what can be done to help mitigate the threat of employees being targeted or exploited to gain access to sensitive data?

There are two main areas of focus - Technology, and Risk and Compliance. From a technology standpoint, the institution should ensure that the recommended security best practices, controlling who has access to what data and when, are implemented and enforced at both a technological and a policy level. All activity on the network should be logged, with alert points implemented to notify personnel of any unauthorized activity.
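As an added illustration of the logging and alert points described above (example code written for this page, not Compushare's own tooling), the following Python reviews constructed access-log lines against a hypothetical who/what/when policy and flags what an alert point would raise. The roles, data classes, bulk-read threshold and log lines are all assumptions.

```python
"""Access-log review against a who/what/when policy (added example).

Constructed sample data: the roles, data classes, threshold and log lines
below are hypothetical and not taken from any real institution.
"""
from datetime import datetime

# Hypothetical policy: which roles may read which data classes, and during
# which local hours (start inclusive, end exclusive). Anything outside this
# table is treated as unauthorized activity.
POLICY = {
    "teller":       {"customer_accounts": (8, 18)},
    "loan_officer": {"customer_accounts": (8, 18), "loan_files": (8, 18)},
    "dba":          {"customer_accounts": (0, 24), "loan_files": (0, 24)},
}

# Hypothetical user-to-role directory.
ROLES = {"alice": "teller", "bob": "loan_officer", "carol": "dba"}

# Alert point for an unusually large read, the pattern a key logger or an
# insider harvesting data for exfiltration would produce.
BULK_THRESHOLD = 100

# Constructed log lines: timestamp|user|action|data_class|record_count
SAMPLE_LOG = """\
2009-03-02T09:15:00|alice|read|customer_accounts|3
2009-03-02T09:40:00|alice|read|loan_files|1
2009-03-02T22:05:00|bob|read|customer_accounts|2
2009-03-02T10:00:00|carol|read|customer_accounts|1
2009-03-02T10:30:00|alice|read|customer_accounts|450
2009-03-02T11:00:00|dave|read|loan_files|2
"""


def parse_line(line):
    """Split one pipe-delimited log line into a dict of typed fields."""
    ts, user, action, data_class, count = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "data_class": data_class, "count": int(count)}


def check_event(ev):
    """Return the list of alert reasons for one event (empty if authorized)."""
    reasons = []
    role = ROLES.get(ev["user"])
    if role is None:
        return ["unknown user"]          # not in the directory at all
    allowed = POLICY[role].get(ev["data_class"])
    if allowed is None:
        reasons.append("data class not permitted for role %s" % role)
    else:
        start, end = allowed
        if not start <= ev["ts"].hour < end:
            reasons.append("outside permitted hours %02d:00-%02d:00"
                           % (start, end))
    if ev["count"] >= BULK_THRESHOLD:
        reasons.append("bulk read of %d records" % ev["count"])
    return reasons


def review_log(text):
    """Return (user, iso_timestamp, reasons) for every event that trips an alert."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = check_event(ev)
        if reasons:
            alerts.append((ev["user"], ev["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in review_log(SAMPLE_LOG):
        print("ALERT %s %s: %s" % (ts, user, "; ".join(reasons)))
```

On the constructed sample this raises four alerts: a teller reading loan files, an after-hours read, a bulk read of 450 records, and a user missing from the directory.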

When it comes to Risk and Compliance, there are several areas of vital importance that must be addressed by every financial institution. A Risk Assessment should be performed to determine what your risks are, how to control them, and the right measures to take to protect sensitive data across all areas of the network and on the move. Ongoing training must be conducted for all employees on what is considered sensitive data, who should have access to this data, and what to do when someone asks for, or tries to gain access to, data through email, phone calls or physical site visits. Testing should be conducted at least annually to ensure that all the technology, policies and training you have implemented are being enforced and followed throughout your institution. Quarterly testing is required for certain security parameters, such as firewalls.

Technology has evolved to become a required element in business and in performing our job functions. Technology is deeply entrenched in everything we do, and the protection of sensitive information has become more complex and more difficult than ever. However, this does not mean that we throw our hands up and give in to the hackers and attackers. With proper implementation of security best practices, upkeep of policies and procedures, and ongoing training and testing, we can stay a step ahead and ensure that our data is protected, access is limited, safeguards are implemented, and employees are informed, aware and ready to act when malicious activity is suspected.


Wednesday, April 08, 2009

Computer Hackers Eye U.S. Power Grid

By Matt Williams

Computer spies from China, Russia and other countries are tunneling into the U.S. electricity grid with increasing frequency in order to study America's infrastructure, The Wall Street Journal reported Wednesday. An unnamed intelligence official told the newspaper that hackers have left behind software tools that could be turned on during a war in order to damage critical infrastructure systems.

The revelation comes amid growing public sentiment for transforming the U.S. electrical grid into a "smart grid." It would rely upon IT to help utility companies manage peak loads and allow consumers to sell back excess power to the grid during off-peak hours.

An estimated $11 billion from the economic stimulus bill President Barack Obama signed in February is dedicated to enacting standards for the smart grid and funding test cases. Millions of sophisticated "smart meters" have already been installed in homes in cities such as Los Angeles; Austin, Texas; and Boulder, Colo.

Industry insiders expect the federal government to release guidance for the stimulus money as soon as next week. Analysts say a nationwide build-out of the smart grid ultimately could cost trillions of dollars.

Watchdogs caution that the smart grid could be a hacker's paradise because its network of sensors, wireless technology and home-based energy meters would allow multiple entry points into the system. reported last month that security services firm IOActive determined a malicious hacker "with $500 of equipment and materials and a background in electronics and software engineering" could simultaneously take command of smart-grid metering infrastructure of thousands or millions of homes and businesses.

Power Industry Aware of Security Deficiencies

A December 2008 report from the U.S. Department of Energy's Electricity Advisory Committee said utilities are increasingly using digital devices in substations to improve protection and increase reliability and control. "However, these remotely accessible and programmable devices can introduce cyber-security concerns," according to the report. While smart-grid technology offers more layers of control, it will require built-in security during the implementation, according to the report.

The North American Electric Reliability Corp. (NERC) has developed Critical Infrastructure Protection standards to address cyber-security issues. But in a letter to its members Tuesday, NERC Chief Security Officer Michael Assante expressed concern that only a third of them had identified "critical assets" and "cyber-critical assets."

"One of the more significant elements of a cyber-threat, contributing to the uniqueness of cyber-risk, is the crosscutting and horizontal nature of networked technology that provides the means for an intelligent cyber-attacker to impact multiple assets at once, and from a distance," Assante wrote.

In February, Obama ordered a 60-day cyber-security review of how well the federal government thwarts cyber-attacks. The findings are due next week.


Sunday, April 05, 2009

Canadian Researchers Uncover Vast Spy Network

WASHINGTON (Reuters) - Canadian researchers have uncovered a vast electronic spying operation that infiltrated computers and stole documents from government and private offices around the world, including those of the Dalai Lama, The New York Times reported on Saturday.

In a report provided to the newspaper, a team from the Munk Center for International Studies in Toronto said at least 1,295 computers in 103 countries had been breached in less than two years by the spy system, which it dubbed GhostNet.

Embassies, foreign ministries, government offices and the Dalai Lama's Tibetan exile centers in India, Brussels, London and New York were among those infiltrated, said the researchers, who have detected computer espionage in the past.

They found no evidence U.S. government offices were breached.

The researchers concluded that computers based almost exclusively in China were responsible for the intrusions, although they stopped short of saying the Chinese government was involved in the system, which they described as still active.

"We're a bit more careful about it, knowing the nuance of what happens in the subterranean realms," said Ronald Deibert, a member of the Munk research group, based at the University of Toronto.

"This could well be the CIA or the Russians. It's a murky realm that we're lifting the lid on."

A spokesman for the Chinese Consulate in New York dismissed the idea China was involved. "These are old stories and they are nonsense," the spokesman, Wenqi Gao, told the Times. "The Chinese government is opposed to and strictly forbids any cybercrime."

The Toronto researchers began their sleuthing after a request from the office of the Dalai Lama, the exiled Tibetan spiritual leader, to examine its computers for signs of malicious software, or malware.

The network they found possessed remarkable "Big Brother-style" capabilities, allowing it, among other things, to turn on the camera and audio-recording functions of infected computers for potential in-room monitoring, the report said.

The system was focused on the governments of South Asian and Southeast Asian nations as well as on the Dalai Lama, the researchers said, adding that computers at the Indian Embassy in Washington were infiltrated and a NATO computer monitored.

The report will be published in Information Warfare Monitor, an online publication linked to the Munk Center.

At the same time, two computer researchers at Cambridge University in Britain who worked on the part of the investigation related to the Tibetans are releasing an independent report, the Times said.

They do fault China and warn that other hackers could adopt similar tactics, the Times added.

(Writing by Paul Simao; Editing by Peter Cooney)

Friday, April 03, 2009

Another Conficker, Kido, Downadup Checker

Here is a neat little tool, a Conficker Eye Chart. If any of the images are missing, you could be infected. Nice Idea!


New Nmap Version Detects Conficker

The Conficker worm is receiving a lot of attention because of its vast scale (millions of machines infected) and advanced update mechanisms. Thanks to research by Tillmann Werner and Felix Leder of The Honeynet Project and implementation work by Ron Bowes, David Fifield, Brandon Enright, and Fyodor, a new Nmap release is here which can remotely scan for and detect infected machines.

To scan for Conficker, use a command such as:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

A clean machine should report at the bottom: “Conficker: Likely CLEAN”, while likely infected machines say: “Conficker: Likely INFECTED”. For more advice, see this nmap-dev post by Brandon Enright. Dan Kaminsky broke the story on


Thursday, April 02, 2009

Conficker: Much Ado About Nothing?

Here we go again. Another virus, another media hype. Thanks to "60 Minutes", I had to spend about 6 hours researching Conficker on Monday and writing a letter to my clients to make sure they were calm. What the media is not telling you is that the vast majority of Conficker infections are in Russia, Brazil, China and the Philippines. Why? Because those countries have an overwhelming amount of pirated copies of Windows which cannot be patched.

What is the Lesson:

1. Apply OS patches as soon as they are released. The MS08-067 patch was available two weeks before Conficker was created.
2. When Microsoft releases a patch on a day other than Black Tuesday, pay attention.
3. Install Winpatrol
4. Install Spybot Search and Destroy
5. Install Free AVG


Wednesday, April 01, 2009

The Servers Have Left the Building

Your servers are leaving the building, and with good reason. The cost of maintaining internal servers is becoming too much to bear for many SMBs. With increased regulatory pressure to maintain proper Business Continuity safeguards, rising hardware and software requirements, and increasing user demand for mobile business solutions, the cost of maintaining an internal email and message collaboration system is skyrocketing.

The purpose of this month’s Compass editorial is to demonstrate how a hosted messaging solution can reduce cost, increase operational efficiency and provide rock solid disaster recovery options. We will look at six primary cost areas in which a hosted email solution can help you reduce cost or increase efficiency.

Keeping in line with the Compass article I authored in December of 2008, Picking Your Investments – Building a Business Case for Your Strategic Technology Investments, it is important to understand true costs before we can calculate the Return on Investment (ROI) required to justify any investment. In the case of email, this has been traditionally hard to do. Email as we used to know it – a simple messaging solution – has morphed into a complete communications platform, often incorporating mobile access, live conferencing, group calendaring, and task management. In addition, the cost of properly securing email and reducing employee error, or malfeasance, has increased. Lastly, in most organizations, reliance on the email platform has muscled its way into the “mission critical” category without us even knowing it. This is especially true in organizations that employ call centers, customer service departments, or generally communicate with their customers or staff by email. In this day and age of shaky consumer confidence, it would be a hit to your service reputation to have your email bounce back to one of your clients or prospects.

In short, the primary costs of owning and maintaining an email system can be broken down into these six areas:

- Hardware Costs
- Software and Licensing Costs
- Management and Monitoring
- Service and Support
- Backup and Recovery
- Additional Features and Functionality

Hardware Costs
Microsoft Exchange 2007 gives rise to extraordinary new costs, primarily from the requirement of using a 64-bit operating system and a 64-bit hardware platform with significantly expanded resource requirements. Secondarily, Exchange 2007 introduces a new concept and set of requirements to Exchange organizations – the concept of server roles.

With current Exchange servers, a server is either a Front-End server or a Back-End server, and that is about the extent of it. Exchange 2007 introduces five server roles to the Exchange organization.

- Edge Transport
- Hub Transport
- Client Access
- Mailbox
- Unified Messaging

Technically, all five could run on one server, although this is of course not recommended. So at a very minimum, you will need two Exchange servers, even in a small environment. And don't forget, you'll need two duplicates at your Disaster Recovery site.

Software Costs
You will need to calculate costs for new Windows Server Licenses, Exchange Server Licenses, Exchange Client Licenses, Windows Access Licenses, and Outlook 2007 Licenses. Don't forget that your DR site needs licensing as well. Also, if you are running Blackberry Enterprise Server or Goodlink, you will have additional costs to factor in.

Management and Monitoring
For management and monitoring, it is important to remember this is a mission critical application. You will have costs associated with 24/7 monitoring, patch management, virus protection, spyware protection, and outbound content filtering.

Service and Support
For service and support, you will have to calculate the cost of ongoing support to cover network administration, server administration, user administration, technical support, security administration, backup administration, and training. This number can be difficult to calculate and very hard to pin down. It is generally estimated that the cost of just supporting an Exchange 2007 system runs from $250 to $500 per user, per year. So, for a financial institution of 50 full time employees, you would be looking at budgeting around $12,500 to $25,000 for internal staff costs or outsourced services. In essence, two to four hours of service and support per user should be allocated each year.

If on-site staff is employed, you will need to calculate the cost of training. Exchange 2007 is an entirely new beast compared to 2003. On average, you will spend approximately $5,000 in new training for the first year of ownership, and an estimated $1,500 a year after that.

Lastly, costs must be factored in for initial setup, administration and end-user training of a new Exchange system.

Backup and Recovery
As email has become mission critical and the Recovery Time Objective (RTO) has become shorter and shorter, the cost of providing an actual recoverable messaging system has increased. To estimate costs, you can take all the aforementioned, and double it. Add to that disaster recovery testing, the cost of the DR site itself, and data replication, vaulting, backup and recovery costs.

Additional Features and Functionality
Depending on the needs of your institution, you may have costs here for mobile messaging, email archiving, eDiscovery, and other collaborative services such as SharePoint.

How Hosted Email Can Help
A hosted email solution can eliminate or greatly reduce almost all of these costs. Many of our clients have found that the reduction in cost for disaster recovery and data vaulting alone is enough to pay for the entire hosted solution.

Hosted solutions are already treated like mission critical applications. The enterprise can be hosted in a SAS70 compliant, Tier IV, fully-redundant data center, with 99.9% uptime guaranteed. Redundant power, networking, servers and data provide a rock-solid disaster recovery scenario with minimal effort.

Hardware, software and licensing costs are completely eliminated. And when end-of-life is reached on your Microsoft product, you can obtain an upgrade to the next version seamlessly, and for free.

Management and monitoring are also included. Your email enterprise is monitored 24 hours a day, 7 days a week, 365 days a year. Patch management and general maintenance are performed behind the scenes with no effort required on your part. For new user setup, all that is required from the institution is a simple email sent to the Command Center or a quick call placed to the toll-free support number.

Service and support costs are reduced to the initial installation costs. Here is another line item that usually can cover the entire cost of a hosted solution.

Backup and recovery is an area where a hosted solution really shines. With your servers and data already treated as a mission critical application and hosted off-site, your DR picture becomes crystal clear. Where to house your staff in the case of a disaster remains your biggest issue, but your mission critical email application is available anywhere you can obtain an internet connection, including wirelessly.

Need to add features and functionality? Did the President or Chairman purchase a Blackberry this weekend? Is the examiner demanding a fully archived solution? Does your Marketing VP want to install an Intranet? No sweat. With a quick email notification to your support team, you can have that new feature turned on in minutes, with no hardware, software or licensing to install.

Most of all, a hosted email solution can give you clear visibility on your actual messaging costs over the next three years and on. Budgeting is easy with a flat per user, per month price based on the features and functionality you actually use.

For our clients, I have created a simple ROI calculator that can help to determine the true Total Cost of Ownership for your messaging and collaboration solution outlining the exact costs mentioned above. I would be happy to share this with you and teach you how to use it. For more information or to discuss a hosted Exchange solution that fits your messaging needs and cost requirements, please contact me at

