<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-32586490</id><updated>2012-01-16T10:41:04.187-08:00</updated><title type='text'>Information Security Gurus</title><subtitle type='html'>News and Events in the Information Security world.  Check in frequently for news, comments, opinions and guidance for InfoSec issues.

Created by Karn Griffen, Chief Technologist for Compushare, Inc.  The nation's leading Security, Risk, and Compliance consulting firm specializing in Financial Institutions.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.security-gurus.net/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>44</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-32586490.post-1764500003800394933</id><published>2011-05-12T11:09:00.000-07:00</published><updated>2011-05-13T13:46:43.162-07:00</updated><title type='text'>Details of the Government Cyber Security Plan</title><content type='html'>&lt;p&gt;The plan, as provided by the White House:&lt;/p&gt;&lt;p&gt;&lt;em&gt;Protecting the American People&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;1) National Data Breach Reporting&lt;/strong&gt;.  State laws have helped consumers protect themselves against identity  theft while also incentivizing businesses to have better cybersecurity,  thus helping to stem the tide of identity theft. These laws require  businesses that have suffered an intrusion to notify consumers if the  intruder had access to the consumers' personal information. 
The  Administration proposal helps businesses by simplifying and  standardizing the existing patchwork of 47 state laws that contain these  requirements.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;2) Penalties for Computer Criminals&lt;/strong&gt;.  The laws regarding penalties for computer crime are not fully  synchronized with those for other types of crime. For example, a key  tool for fighting organized crime is the Racketeering Influenced and  Corrupt Organizations Act (RICO). Yet RICO does not apply to cyber  crimes, despite the fact that cyber crime has become a big business for  organized crime. The Administration proposal thus clarifies the  penalties for computer crimes, synchronizes them with other crimes, and  sets mandatory minimums for cyber intrusions into critical  infrastructure.&lt;/p&gt;&lt;p&gt;&lt;em&gt;Protecting our Nation's Critical Infrastructure&lt;/em&gt;&lt;/p&gt;&lt;p&gt;Our  safety and way of life depend upon our critical infrastructure as well  as the strength of our economy. The Administration is already working to  protect critical infrastructure from cyber threats, but we believe that  the following legislative changes are necessary to fully protect this  infrastructure:&lt;/p&gt;&lt;p&gt;&lt;strong&gt;1) Voluntary Government Assistance to Industry, States, and Local Government&lt;/strong&gt;.  Organizations that suffer a cyber intrusion often ask the Federal  Government for assistance with fixing the damage and for advice on  building better defenses. For example, organizations sometimes ask DHS  to help review their computer logs to see when a hacker broke in.  However the lack of a clear statutory framework describing DHS's  authorities has sometimes slowed the ability of DHS to help the  requesting organization. The Administration proposal will enable DHS to  quickly help a private-sector company, state, or local government when  that organization asks for its help. 
It also clarifies the type of  assistance that DHS can provide to the requesting organization.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;2) Voluntary Information Sharing with Industry, States, and Local Government&lt;/strong&gt;.  Businesses, states, and local governments sometimes identify new types  of computer viruses or other cyber threats or incidents, but they are  uncertain about whether they can share this information with the Federal  Government. The Administration proposal makes clear that these entities  can share information about cyber threats or incidents with DHS. To  fully address these entities' concerns, it provides them with immunity  when sharing cybersecurity information with DHS. At the same time, the  proposal mandates robust privacy oversight to ensure that the  voluntarily shared information does not impinge on individual privacy  and civil liberties.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;3) Critical Infrastructure Cybersecurity Plans.&lt;/strong&gt;  The Nation's critical infrastructure, such as the electricity grid and  financial sector, is vital to supporting the basics of life in America.  Market forces are pushing infrastructure operators to put their  infrastructure online, which enables them to remotely manage the  infrastructure and increases their efficiency. However, when our  infrastructure is online, it is also vulnerable to cyber attacks that  could cripple essential services. Our proposal emphasizes transparency  to help market forces ensure that critical-infrastructure operators are  accountable for their cybersecurity.&lt;/p&gt;&lt;p&gt;&lt;em&gt;Protecting Federal Government Computers and Networks.&lt;/em&gt;&lt;/p&gt;&lt;p&gt;Over  the past five years, the Federal Government has greatly increased the  effort and resources we devote to securing our computer systems. 
While  we have made major improvements,[1] updated legislation is necessary to  reach the Administration goals for Federal cybersecurity, so the  Administration's legislative proposal includes:&lt;/p&gt;&lt;p&gt;&lt;strong&gt;1) Management&lt;/strong&gt;.  The Administration proposal would update the Federal Information  Security Management Act (FISMA) and formalize DHS' current role in  managing cybersecurity for the Federal Government's civilian computers  and networks, in order to provide departments and agencies with a shared  source of expertise.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;2) Personnel.&lt;/strong&gt; The  recruitment and retention of highly-qualified cybersecurity  professionals is extremely competitive, so we need to be sure that the  government can recruit and retain these talented individuals. Our  legislative proposal will give DHS more flexibility in hiring these  individuals. It will also permit the government and private industry to  temporarily exchange experts, so that both can learn from each others'  expertise.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;3) Intrusion Prevention Systems.&lt;/strong&gt;  Intrusion detection systems are automated sensors that identify cyber  intrusions and attacks. Intrusion prevention systems can actually block  cyber intrusions and attacks. DHS' Einstein system is one example of an  intrusion prevention system, and the proposal makes permanent DHS's  authority to oversee intrusion prevention systems for all Federal  Executive Branch civilian computers. Internet Service Providers (ISPs)  implement these systems on behalf of DHS, blocking attacks against  government computers. The Attorney General currently reviews and  provides immunity for those ISPs, as necessary, to provide that service,  and the proposal streamlines that process. 
This only applies to  intrusion prevention systems that protect government computers, and the  proposal also codifies or adds: strong privacy and civil liberties  protections, congressional reporting requirements, and an annual  certification process.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;4) Data Centers&lt;/strong&gt;. The  Federal Government has embraced cloud computing, where computer services  and applications are run remotely over the Internet. Cloud computing  can reduce costs, increase security, and help the government take  advantage of the latest private-sector innovations. This new industry  should not be crippled by protectionist measures, so the proposal  prevents states from requiring companies to build their data centers in  that state, except where expressly authorized by federal law.&lt;/p&gt;&lt;p&gt;&lt;em&gt;New Framework to Protect Individuals' Privacy and Civil Liberties.&lt;/em&gt;&lt;/p&gt;&lt;p&gt;The  Administration's proposal ensures the protection of individuals'  privacy and civil liberties through a framework designed expressly to  address the challenges of cybersecurity.&lt;/p&gt;&lt;p&gt;-- It requires DHS to  implement its cybersecurity program in accordance with privacy and civil  liberties procedures. These must be developed in consultation with  privacy and civil liberties experts and approved by the Attorney  General.&lt;/p&gt;&lt;p&gt;-- All federal agencies who would obtain information  under this proposal will follow privacy and civil liberties procedures,  again developed in consultation with privacy and civil liberties experts  and with the approval of the Attorney General.&lt;/p&gt;&lt;p&gt;-- All monitoring,  collection, use, retention, and sharing of information are limited to  protecting against cybersecurity threats. 
Information may be used or  disclosed for criminal law enforcement, but the Attorney General must  first review and approve each such usage.&lt;/p&gt;&lt;p&gt;-- When a private-sector  business, state, or local government wants to share information with  DHS, it must first make reasonable efforts to remove identifying  information unrelated to cybersecurity threats.&lt;/p&gt;&lt;p&gt;-- The proposal also mandates the development of layered oversight programs and congressional reporting.&lt;/p&gt;&lt;p&gt;--  Immunity for the private-sector business, state, or local government is  conditioned on its compliance with the requirements of the proposal.&lt;/p&gt;&lt;p&gt;Taken  together, these requirements create a new framework of privacy and  civil liberties protection designed expressly to address the challenges  of cybersecurity.&lt;/p&gt;&lt;div&gt;&lt;div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Gill Sans'; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "&gt;&lt;div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "&gt;&lt;div&gt;&lt;div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica; "&gt;&lt;div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; 
"&gt;&lt;font class="Apple-style-span" color="#2C4A7A" face="Times" size="3"&gt;&lt;span class="Apple-style-span" style="font-size: 13px; "&gt;&lt;div&gt;&lt;font class="Apple-style-span" color="#7A7A7A" face="Verdana" size="3"&gt;&lt;span class="Apple-style-span" style="font-size: 12px; "&gt;&lt;br class="webkit-block-placeholder"&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/span&gt;&lt;br class="Apple-interchange-newline"&gt;&lt;/div&gt;&lt;br class="Apple-interchange-newline"&gt;&lt;br class="Apple-interchange-newline"&gt; &lt;/div&gt; &lt;br&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-1764500003800394933?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/1764500003800394933/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=1764500003800394933' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/1764500003800394933'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/1764500003800394933'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2011/05/details-of-government-cyber-security.html' title='Details of the Government Cyber Security Plan'/><author><name>Karn</name><uri>http://www.blogger.com/profile/09520154945858567413</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-8511387855060933594</id><published>2011-05-12T11:00:00.000-07:00</published><updated>2011-05-13T13:46:43.212-07:00</updated><title type='text'>Obama Set to Release "Cyber Security Plan"</title><content type='html'>&lt;div&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Gill Sans'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Gill Sans'; font-size: medium; font-style: normal; font-variant: normal; 
font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;div style="-webkit-line-break: after-white-space; -webkit-nbsp-mode: space; word-wrap: break-word;"&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Gill Sans'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Gill Sans'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Gill Sans'; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;div style="-webkit-line-break: after-white-space; -webkit-nbsp-mode: space; word-wrap: break-word;"&gt;&lt;div&gt;&lt;div style="-webkit-line-break: after-white-space; -webkit-nbsp-mode: space; word-wrap: break-word;"&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Gill Sans'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;&lt;span class="Apple-style-span" 
style="border-collapse: separate; color: black; font-family: 'Gill Sans'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Gill Sans'; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;The White House is about to announce its Cyber Security plan.   Which, in essence, allows the Government to regulate private businesses.  Not only will this be an enormous cost to the private sector, but it will be completely useless.  Although, I can see a bunch of consulting firms really lucking out on this one. (Remember SOX anyone? GLBA? HIPAA?).  The only people benefiting from this are owners of consulting firms.  
Let's review the Government's track record on security from the last few years:&lt;br /&gt;&lt;br /&gt;Cyberspies Steal Fighter Jet Info From Pentagon&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.crn.com/blogs-op-ed/the-channel-wire/216900362/cyberspies-steal-fighter-jet-info-from-pentagon.htm"&gt;http://www.crn.com/blogs-op-ed/the-channel-wire/216900362/cyberspies-steal-fighter-jet-info-from-pentagon.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Infected pen drive led to US cyber breach&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.asianage.com/international/infected-pen-drive-led-us-cyber-breach-991"&gt;http://www.asianage.com/international/infected-pen-drive-led-us-cyber-breach-991&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Hackers Break Into Top Government Research Lab&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.foxnews.com/story/0,2933,315941,00.html"&gt;http://www.foxnews.com/story/0,2933,315941,00.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;WikiLeaks:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/United_States_diplomatic_cables_leak"&gt;http://en.wikipedia.org/wiki/United_States_diplomatic_cables_leak&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It's clear our government has its own problems to deal with.  Leave the private sector alone please.&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-8511387855060933594?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/8511387855060933594/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=8511387855060933594' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/8511387855060933594'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/8511387855060933594'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2011/05/obama-set-to-releas-cyber-security-plan.html' title='Obama Set to Release &quot;Cyber Security Plan&quot;'/><author><name>Karn</name><uri>http://www.blogger.com/profile/09520154945858567413</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-6320104187463529115</id><published>2011-05-10T11:57:00.001-07:00</published><updated>2011-05-10T11:57:19.251-07:00</updated><title type='text'>Microsoft May 2011 Update</title><content type='html'>&lt;meta charset="utf-8"&gt;&lt;span class="Apple-style-span" style="font-family: 'Lucida Grande', Arial, sans-serif; font-size: 12px; line-height: 16px; "&gt;&lt;p style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-family: inherit; font-size: 12px; font-style: inherit; font-weight: inherit; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; outline-width: 0px; outline-style: initial; outline-color: 
initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; vertical-align: baseline; line-height: 16px; color: rgb(52, 52, 52); "&gt;Microsoft just released its May 2011 security update: Two bulletins covering three vulnerabilities. Here's the early analysis from security companies Qualys, Symantec and McAfee:&lt;/p&gt;&lt;p style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-family: inherit; font-size: 12px; font-style: inherit; font-weight: inherit; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; vertical-align: baseline; line-height: 16px; color: rgb(52, 52, 52); "&gt;&lt;b style="font-weight: 700; "&gt;Qualys&lt;/b&gt;&lt;br&gt;"MS11-035 is rated as critical and affects the WINS component of Windows 2003 and 2008 server operating systems. WINS (like DNS) is a name resolution service. WINS resolves names in the NetBIOS namespace (like DNS which resolves names in the DNS domain). WINS is not enabled by default in Windows 2003 and 2008, but server administrators who have it enabled should apply the patch immediately as attackers could remotely cause a denial of service. 
The exploitability index is 2, which implies that remote code execution is not likely, but denial of service is possible.&lt;/p&gt;&lt;p style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-family: inherit; font-size: 12px; font-style: inherit; font-weight: inherit; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; vertical-align: baseline; line-height: 16px; color: rgb(52, 52, 52); "&gt;"MS11-036 affects Microsoft Office PowerPoint and is rated important. As has happened before on several occasions, users of the new Office 2010 for both Windows and Mac OS X are not affected by the vulnerability. Older versions like Office XP, 2003, 2007 and 2004 for Mac are affected. Using this vulnerability, an attacker could take full control of the target machine if a victim opens a malicious PowerPoint document.&lt;/p&gt;&lt;p style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-family: inherit; font-size: 12px; font-style: inherit; font-weight: inherit; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; vertical-align: baseline; line-height: 16px; color: rgb(52, 52, 52); "&gt;"The two patches released today came with a new and improved exploitability index rating that was announced by Microsoft. The original rating is split into a rating for the most recent version of the software, and an aggregate rating for all older versions. For example in MS11-036 the latest version, which is Office 2010, was not affected. 
Therefore the exploitability rating for the latest version was 'Not Affected' and for older platforms was 2. The new rating more accurately reflects risk to customers that keep their environments updated with latest product releases.&lt;/p&gt;&lt;p style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-family: inherit; font-size: 12px; font-style: inherit; font-weight: inherit; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; vertical-align: baseline; line-height: 16px; color: rgb(52, 52, 52); "&gt;"Today's release provided a breather for administrators so they can brace themselves for a larger update next month."&lt;/p&gt;&lt;p style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-family: inherit; font-size: 12px; font-style: inherit; font-weight: inherit; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; vertical-align: baseline; line-height: 16px; color: rgb(52, 52, 52); "&gt;&lt;b style="font-weight: 700; "&gt;Symantec&lt;/b&gt;&lt;br&gt;"What might make the WINS vulnerability appealing to attackers is that it is a server-side issue," said Joshua Talbot, security intelligence manager, Symantec Security Response. "That means an attacker wouldn't have to trick a user into doing anything. 
All they would have to do to exploit this is find a server running the vulnerable service and send that machine a malicious string of data.&lt;/p&gt;&lt;p style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-family: inherit; font-size: 12px; font-style: inherit; font-weight: inherit; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; vertical-align: baseline; line-height: 16px; color: rgb(52, 52, 52); "&gt;"This is a more serious issue on Windows Server 2003 than Server 2008," Talbot added. "At its heart, this is a memory corruption issue. In-built protections such as DEP and ASLR in Server 2008 will probably keep most attackers from achieving a complete takeover. However, a complete system compromise appears to be more likely on Server 2003, which lacks the ASLR protection.&lt;/p&gt;&lt;p style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-family: inherit; font-size: 12px; font-style: inherit; font-weight: inherit; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; vertical-align: baseline; line-height: 16px; color: rgb(52, 52, 52); "&gt;"Microsoft also patched a couple WINS-related issues in August of 2009," Talbot concluded. "At least one of those vulnerabilities was exploited by attackers after the patches were released. 
That should serve as motivation for IT managers to take this month's patches seriously, even though there is a lighter load."&lt;/p&gt;&lt;p style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-family: inherit; font-size: 12px; font-style: inherit; font-weight: inherit; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; vertical-align: baseline; line-height: 16px; color: rgb(52, 52, 52); "&gt;&lt;b style="font-weight: 700; "&gt;McAfee&lt;/b&gt;&lt;br&gt;"These patches address a vulnerability that could potentially allow attackers to remotely execute arbitrary code on systems," said Dave Marcus, director of security research and communications at McAfee Labs. "Even though it's a light Patch Tuesday this month, administrators should still attend to these patches quickly.&lt;/p&gt;&lt;p style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-family: inherit; font-size: 12px; font-style: inherit; font-weight: inherit; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; vertical-align: baseline; line-height: 16px; color: rgb(52, 52, 52); "&gt;"Microsoft also announced that it will be modifying its Exploitability Index, a patch rating system that aids in prioritization, by assigning a number based on the likelihood of an attack as a result of vulnerabilities in the first 30 days. 
Also included will be the "Denial of Service" risk score, which will take into account the risk posed by denial-of-service (DoS) attacks.&lt;/p&gt;&lt;p style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-family: inherit; font-size: 12px; font-style: inherit; font-weight: inherit; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; vertical-align: baseline; line-height: 16px; color: rgb(52, 52, 52); "&gt;"This updated rating system will make it easier for IT administrators to determine their risk level, so customers should be sure to look at the new Exploitability Index in the bulletin summary to get a feel for the 'exploit potential' of each vulnerability," said Marcus.&lt;/p&gt;&lt;p style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-family: inherit; font-size: 12px; font-style: inherit; font-weight: inherit; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 0px; outline-width: 0px; outline-style: initial; outline-color: initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; vertical-align: baseline; line-height: 16px; color: rgb(52, 52, 52); "&gt;"With massive updates such as we had in April it's easy to get overwhelmed. 
Microsoft's new index simplifies the process, which will help IT administrators to prioritize which patches they tackle first."&lt;/p&gt;&lt;/span&gt;&lt;div&gt; &lt;span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Gill Sans'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Gill Sans'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "&gt;&lt;div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Gill Sans'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "&gt;&lt;div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; 
"&gt;&lt;div&gt;&lt;div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Gill Sans'; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "&gt;&lt;div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "&gt;&lt;div&gt;&lt;div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica; "&gt;&lt;div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "&gt;&lt;font class="Apple-style-span" color="#2C4A7A" face="Times" size="3"&gt;&lt;span class="Apple-style-span" style="font-size: 13px; "&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 16px; margin-left: 0px; "&gt;&lt;font face="Verdana" size="3" style="font: normal normal normal 12px/normal Verdana; "&gt;--&amp;nbsp;&lt;br&gt;&lt;/font&gt;&lt;font face="Verdana" size="3" color="#000f76" style="font: normal normal normal 12px/normal Verdana; color: rgb(0, 15, 118); "&gt;&lt;b&gt;-Karn&lt;/b&gt;&lt;/font&gt;&lt;/p&gt;&lt;div&gt;&lt;font class="Apple-style-span" color="#7A7A7A" face="Verdana" size="3"&gt;&lt;span class="Apple-style-span" style="font-size: 12px; "&gt;&lt;br 
class="webkit-block-placeholder"&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;/span&gt;&lt;/font&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/span&gt;&lt;br class="Apple-interchange-newline"&gt;&lt;/div&gt;&lt;br class="Apple-interchange-newline"&gt;&lt;/div&gt;&lt;/div&gt;&lt;/span&gt;&lt;br class="Apple-interchange-newline"&gt;&lt;/div&gt;&lt;/span&gt;&lt;br class="Apple-interchange-newline"&gt;&lt;/span&gt;&lt;br class="Apple-interchange-newline"&gt; &lt;/div&gt; &lt;br&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-6320104187463529115?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/6320104187463529115/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=6320104187463529115' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/6320104187463529115'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/6320104187463529115'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2011/05/microsoft-may-2011-update.html' title='Microsoft May 2011 Update'/><author><name>Karn</name><uri>http://www.blogger.com/profile/09520154945858567413</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-6962097571160110689</id><published>2010-01-25T17:01:00.000-08:00</published><updated>2010-01-25T17:03:58.168-08:00</updated><title type='text'>Are You Ready to Red Flag?</title><content type='html'>THE RED FLAGS RULE&lt;br /&gt;&lt;br /&gt;The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. Your Program must include four basic elements, which together create a framework to address the threat&lt;br /&gt;of identity theft.&lt;br /&gt;&lt;br /&gt;First, your Program must include reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation of your business. 
Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft.  For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a “red flag” for your business.&lt;br /&gt;&lt;br /&gt;Second, your Program must be designed to detect the red flags you’ve identified. For example, if you’ve identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.&lt;br /&gt;&lt;br /&gt;Third, your Program must spell out appropriate actions you’ll take when you detect red flags.&lt;br /&gt;&lt;br /&gt;Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime.&lt;br /&gt;&lt;br /&gt;Just getting something down on paper won’t reduce the risk of identity theft. That’s why the Red Flags Rule sets out requirements on how to incorporate your Program into the daily operations of your business. Your board of directors (or a committee of the board) has to approve your first written Program.&lt;br /&gt;&lt;br /&gt;If you don’t have a board, approval is up to an appropriate senior-level employee. Your Program must state who’s responsible for implementing and administering it effectively. Because your employees have a role to play in preventing and detecting identity theft, your Program also must include appropriate staff training. If you outsource or subcontract parts of your operations that would be covered by the Rule, your Program also must address how you’ll monitor your contractors’ compliance.&lt;br /&gt;&lt;br /&gt;The Red Flags Rule gives you the flexibility to design a Program appropriate for your company – its size and potential risks of identity theft. 
While some businesses and organizations may need a comprehensive Program that addresses a high risk of identity theft in a complex organization, others with a low risk of identity theft could have a more streamlined Program.&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;br /&gt;Technorati Tags: &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Information Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Network Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacker&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Bank&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Banking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FFIEC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FFIEC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/GLBA" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;GLBA&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FDIC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FDIC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Cisco&lt;/span&gt;&lt;/a&gt;&lt;span 
style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Computers&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Technology&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-6962097571160110689?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/6962097571160110689/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=6962097571160110689' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/6962097571160110689'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/6962097571160110689'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2010/01/are-you-ready-to-red-flag.html' title='Are You Ready to Red Flag?'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-6665868258918827135</id><published>2010-01-20T11:39:00.000-08:00</published><updated>2010-01-20T11:53:34.344-08:00</updated><title type='text'>Breaking the "Fraud Triangle" to Enhance Security</title><content type='html'>Coined by Fraud expert Donald Cressey in 1950, the "Fraud Triangle" highlights the three elements that need to be in place for Fraud to occur.  
The Fraud Triangle describes three factors that are present in every situation of fraud:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;   Motive (or pressure) – the need for committing fraud (need for money, etc.);&lt;/li&gt;&lt;li&gt;   Rationalization – the mindset by which the fraudster justifies committing fraud; and&lt;/li&gt;&lt;li&gt;   Opportunity – the situation that enables fraud to occur (often when internal controls are weak or nonexistent).&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;Breaking the Fraud Triangle is the key to fraud deterrence. Breaking the Fraud Triangle implies that an organization must remove one of the elements in the fraud triangle in order to reduce the likelihood of fraudulent activities. “Of the three elements, removal of Opportunity is most directly affected by the system of internal controls and generally provides the most actionable route to deterrence of fraud” (Cendrowski, Martin, Petro, The Handbook of Fraud Deterrence).&lt;br /&gt;&lt;br /&gt;In order for fraud to occur, all three elements have to be present. Individuals or institutions can take steps to influence all three legs:&lt;br /&gt;&lt;br /&gt;Pressure&lt;br /&gt;&lt;br /&gt;Pressure is what causes a person to commit fraud. Pressure can include almost anything, including medical bills, expensive tastes, addiction problems, etc. Most of the time, pressure comes from a significant financial need/problem. Often this need/problem is non-sharable in the eyes of the fraudster. That is, the person believes, for whatever reason, that their problem must be solved in secret. However, some frauds are committed out of greed alone.&lt;br /&gt;&lt;br /&gt;Opportunity&lt;br /&gt;&lt;br /&gt;Opportunity is the ability to commit fraud. Because fraudsters don’t wish to be caught, they must also believe that their activities will not be detected. Opportunity is created by weak internal controls, poor management oversight, and/or through use of one's position and authority. 
Failure to establish adequate procedures to detect fraudulent activity also increases the opportunities for fraud to occur. Of the three elements, opportunity is the leg that organizations have the most control over. It is essential that organizations build processes, procedures and controls that don’t needlessly put employees in a position to commit fraud and that effectively detect fraudulent activity if it occurs.&lt;br /&gt;&lt;br /&gt;Rationalization&lt;br /&gt;&lt;br /&gt;Rationalization is a crucial component in most frauds. Rationalization involves a person reconciling his/her behavior (stealing) with the commonly accepted notions of decency and trust. Some common rationalizations for committing fraud are:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The person believes committing fraud is justified to save a family member or loved one.&lt;/li&gt;&lt;li&gt;The person believes they will lose everything – family, home, car, etc. if they don’t take the money.&lt;/li&gt;&lt;li&gt;The person believes that no help is available from outside.&lt;/li&gt;&lt;li&gt;The person labels the theft as “borrowing”, and fully intends to pay the stolen money back at some point.&lt;/li&gt;&lt;li&gt;The person, because of job dissatisfaction (salaries, job environment, treatment by managers, etc.), believes that something is owed to him/her.&lt;/li&gt;&lt;li&gt;The person is unable to understand or does not care about the consequence of their actions or about accepted notions of decency and trust.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Managers and employees responsible for stewardship of resources should be aware of red flags of fraud. These are only warning signs that may indicate the fraud risk is higher; they are not evidence that fraud is actually occurring. Also, the existence of one or two flags is not something to be overly concerned about. 
Many employees demonstrate one or more of the flags on the list.&lt;br /&gt;&lt;br /&gt;Common Personality Traits Of Fraudsters&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Wheeler and Dealer &lt;/li&gt;&lt;li&gt;Domineering/Controlling &lt;/li&gt;&lt;li&gt;Don’t like people reviewing their work&lt;/li&gt;&lt;li&gt;Strong Desire for Personal Gain &lt;/li&gt;&lt;li&gt;Have a “Beat the System” Attitude&lt;/li&gt;&lt;li&gt;Live Beyond Their Means&lt;/li&gt;&lt;li&gt;Close relationship with customers or vendors&lt;/li&gt;&lt;li&gt;Unable to Relax  &lt;/li&gt;&lt;li&gt;Often have a “too good to be true” work performance&lt;/li&gt;&lt;li&gt;Don’t take vacation or sick time or only take leave in small amounts&lt;/li&gt;&lt;li&gt;Often work excessive overtime &lt;/li&gt;&lt;li&gt;Outwardly, appear to be very trustworthy&lt;/li&gt;&lt;li&gt;Often display some sort of drastic change in personality or behavior&lt;/li&gt;&lt;/ul&gt;Common Sources of Pressure&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Medical Problems – Especially for a loved one &lt;/li&gt;&lt;li&gt;Unreasonable performance goals &lt;/li&gt;&lt;li&gt;Spouse loses a job &lt;/li&gt;&lt;li&gt;Divorce&lt;/li&gt;&lt;li&gt;Starting a New Business or Current Business is Struggling &lt;/li&gt;&lt;li&gt;Criminal Conviction&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Civil Lawsuit&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Purchase of a new home, a second home, or a home remodel &lt;/li&gt;&lt;li&gt;Need to Maintain a Certain Lifestyle&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Excessive Gambling &lt;/li&gt;&lt;li&gt;Drug or Alcohol Addiction&lt;/li&gt;&lt;/ul&gt;Changes in Behavior&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Suddenly appears to be buying more material items – houses, cars, boats, clothes, jewelry, electronics, etc.&lt;/li&gt;&lt;li&gt;Brags about new purchases &lt;/li&gt;&lt;li&gt;Starts to carry unusual amounts of cash&lt;/li&gt;&lt;li&gt;Creditors/Bill Collectors show up at work or call frequently &lt;/li&gt;&lt;li&gt;Borrows money from 
coworkers&lt;/li&gt;&lt;li&gt;Becomes more irritable or moody&lt;/li&gt;&lt;li&gt;Becomes unreasonably upset when questioned&lt;/li&gt;&lt;li&gt;Becomes territorial over their area of responsibility &lt;/li&gt;&lt;li&gt;Won’t take vacation or sick time or only takes it in small increments &lt;/li&gt;&lt;li&gt;Works unneeded overtime &lt;/li&gt;&lt;li&gt;Turns down promotions&lt;/li&gt;&lt;li&gt;Starts coming in early or staying late &lt;/li&gt;&lt;li&gt;Redoes or rewrites work to “make it neat” &lt;/li&gt;&lt;li&gt;May start to mention family or financial problems &lt;/li&gt;&lt;li&gt;Exhibits signs of a drug or gambling addiction&lt;/li&gt;&lt;li&gt;Exhibits signs of dissatisfaction&lt;/li&gt;&lt;/ul&gt;While corporations have traditionally relied on operational controls to detect fraud, most fraudulent behavior is caught through whistleblowers who call out suspicious behavior.&lt;br /&gt;&lt;br /&gt;Several studies are now being conducted using regression analysis to see if fraudulent activity can be detected through the use of email keywords before the crime becomes significant.&lt;br /&gt;&lt;br /&gt;Technorati Tags: &lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Information Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Network Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacker&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Bank&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; 
&lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Banking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FFIEC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FFIEC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/GLBA" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;GLBA&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FDIC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FDIC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Cisco&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Computers&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Technology&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-6665868258918827135?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/6665868258918827135/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=6665868258918827135' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/6665868258918827135'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/6665868258918827135'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2010/01/breaking-fraud-triangle-to-enhance.html' title='Breaking the &quot;Fraud Triangle&quot; to Enhance Security'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-1284063563629280384</id><published>2010-01-14T14:49:00.001-08:00</published><updated>2010-01-14T14:49:31.489-08:00</updated><title type='text'>Facebook and McAfee Team Up</title><content type='html'>Facebook has announced today that they have signed a deal with McAfee that will give all 350 million members a free six-month license for Internet security software.&lt;br /&gt;&lt;br /&gt;"Now, if your computer is infected, you will be asked to run a scan ... and clean it before accessing Facebook," added Facebook project manager Jake Brill. 
"We're not aware of another free Internet service that takes this much responsibility for helping people keep their accounts secure."&lt;br /&gt;&lt;br /&gt;After the six months, you will have to pay to continue using the license, but McAfee says the fee will be cheaper than the annual subscription price for the software in stores.&lt;br /&gt;&lt;br /&gt;The software will run on Windows PCs only, with no expected Mac OS X or Linux deal coming anytime soon.     &lt;br /&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;Technorati Tags: &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Information Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Network Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacker&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Bank&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Banking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FFIEC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FFIEC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/GLBA" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;GLBA&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FDIC" rel="tag"&gt;&lt;span 
style="font-size:78%;"&gt;FDIC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Cisco&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Computers&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Technology&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-1284063563629280384?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/1284063563629280384/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=1284063563629280384' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/1284063563629280384'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/1284063563629280384'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2010/01/facebook-and-mcafee-team-up.html' title='Facebook and McAfee Team Up'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-245152075787121592</id><published>2009-08-22T14:02:00.000-07:00</published><updated>2009-08-22T14:03:13.917-07:00</updated><title type='text'>Marines: Facebook is not for the few good men</title><content type='html'>By &lt;a href="http://fcw.com/forms/emailtoauthor.aspx?AuthorItem=%7B89BCFB27-0F13-42E2-BB16-F76FEAEA2702%7D&amp;amp;ArticleItem=%7B07E33C06-DCBF-4B5E-B001-0BC1E3D8ACE2%7D"&gt;Doug Beizer &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Marine Corps officials have banned using social-networking Web sites on the service’s networks due to the security risks associated with the Web 2.0 tools, according to an &lt;a href="http://www.marines.mil/news/messages/Pages/MARADMIN0458-09.aspx"&gt;order published on the Marine Corps Web site&lt;/a&gt; . 
&lt;br /&gt;&lt;br /&gt;The order issued August 3 bans accessing social networking tools that include Facebook and Twitter on the Marine Corps Enterprise Network and on the Non-secure Internet Protocol Router Network.&lt;br /&gt;&lt;br /&gt;“These Internet sites in general are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries,” the order states, adding that social networking sites create an easy conduit for information leakage.&lt;br /&gt;&lt;br /&gt;The service also banned accessing the sites through virtual private network connections. However, Marine Corps personnel may still access social networking sites sponsored by the Defense Department and hosted on internal networks, the order states.&lt;br /&gt;&lt;br /&gt;DOD-wide policies on the use of social media tools are being re-evaluated, according to a U.S. Strategic Command blog entry and widespread media reports.&lt;br /&gt;&lt;br /&gt;The Strategic Command, which oversees the use of the dot-mil network, has launched a review of the safety of the sites, according to several reports.&lt;br /&gt;&lt;span style="font-size:78%;"&gt;Technorati Tags: &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Information Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Network Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacker&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" 
rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Bank&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Banking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FFIEC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FFIEC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/GLBA" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;GLBA&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FDIC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FDIC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Cisco&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Computers&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Technology&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
google_ad_client = "pub-3281638449357870";
google_ad_width = 468;
google_ad_height = 60;
google_ad_format = "468x60_as";
google_ad_type = "text_image";
google_ad_channel ="";
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-245152075787121592?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/245152075787121592/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=245152075787121592' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/245152075787121592'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/245152075787121592'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2009/08/marines-facebook-is-not-for-few-good.html' title='Marines: Facebook is not for the few good men'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-5374918645921753579</id><published>2009-08-20T15:37:00.001-07:00</published><updated>2009-08-20T15:38:36.095-07:00</updated><title type='text'>Microsoft Security Essentials Release</title><content type='html'>&lt;p&gt; Microsoft Security Essentials (MSE) beta build 1.0.1500.0 has quietly appeared out of nowhere today. 
There's no official announcement, testers haven't received any e-mail notification, and it's unclear if this is the second public build, either a Beta Refresh or a Release Candidate, which the software giant promised to release this summer.&lt;br /&gt;&lt;/p&gt;&lt;p&gt; There are a few more odd things with this release, such as the fact that the update points to &lt;a href="http://support.microsoft.com/default.aspx/kb/972958"&gt;KB article 972958&lt;/a&gt;, which doesn't appear to exist, at least not at the time of publishing. Furthermore, some users are reporting that they are actually getting build 1.0.1501.0 instead of 1.0.1500.0 when they update. The new version is available for current MSE testers on the Downloads section of the Microsoft Security Essentials beta program on &lt;a href="https://connect.microsoft.com/securityessentials/Downloads"&gt;Microsoft Connect&lt;/a&gt;, although the release date mistakenly says the build was posted on June 21, 2009. On Connect, the version is also mistakenly referred to as 1.0.1500.0 but the actual installers are for 1.0.1501.0. The new build was also released as an optional update on Windows Update, with today's date stamp, and that update really gets you build 1.0.1500.0: &lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/5374918645921753579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=5374918645921753579' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/5374918645921753579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/5374918645921753579'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2009/08/microsoft-security-essentials-release.html' title='Microsoft Security Essentials Release'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-2692910858321792612</id><published>2009-07-04T13:30:00.000-07:00</published><updated>2009-07-04T13:33:46.560-07:00</updated><title type='text'>Simple Ways to Protect Your PC - Back It Up!</title><content type='html'>&lt;span style="font-size:78%;"&gt;OK, this is a very simple one: back up your PC. I have a small (300GB) drive attached to my laptop at home and at work and I simply run Acronis to back up the laptop every time it is on. 
For Information Security Gurus readers, we have a special 30% off:&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://www.dpbolvw.net/click-3543047-10446864" target="_blank" onmouseover="window.status='http://www.acronis.com';return true;" onmouseout="window.status=' ';return true;"&gt;Acropack 2009: Save 30% on Acronis Disk Director Suite 10 and True Image 2009!&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/2692910858321792612/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=2692910858321792612' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/2692910858321792612'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/2692910858321792612'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2009/07/simple-ways-to-protect-your-pc-back-it.html' title='Simple Ways to Protect Your PC - Back It Up!'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-7684883106664455143</id><published>2009-04-12T12:53:00.001-07:00</published><updated>2009-04-12T12:53:38.138-07:00</updated><title type='text'>Your Biggest Security Threat May Already Be On Your Network</title><content type='html'>by Jeff Porn&lt;br /&gt;Information Security Consultant&lt;br /&gt;Compushare, Inc.&lt;br /&gt;&lt;br /&gt;With technology now reaching into nearly every aspect of your business, keeping your bank or credit union secure has become one of, if not the, biggest challenges IT administrators face every day. The last thing a financial institution wants to worry about is what their trusted employees are doing on the network. 
Yet this concern now prevails as the biggest threat to the security of any company’s infrastructure today.&lt;br /&gt;&lt;br /&gt;By now, every player within the financial services industry has learned of the data breach that took place within New Jersey-based credit card payment processor, Heartland Payment Systems, in 2008. The event affected more than 625 banking institutions and has been noted as the largest data breach in U.S. history. Although the means by which computer hackers gained access to the accounts has not been disclosed, it is known that the external security measures used to protect Heartland’s network were PCI certified. This means that proper firewall practices were being followed. Furthermore, due to the multiple layers of anti-virus and malware protections in place, the company stated that it does not believe the breach was caused by an employee opening an email attachment. So, a potential scenario that I’m sure is being investigated is the possible involvement of an employee with access to the network, either acting with malicious intent or compromised through social engineering. Even with the proper security practices in place, PCI standard certifications and strong encryption, a single compromised employee with access to sensitive data can bypass all of these security measures. In the case of Heartland Payment Systems, key loggers were used on the workstations, capturing sensitive data before any encryption was used and targeting the weakest point in any security model: the human element.&lt;br /&gt;&lt;br /&gt;The main focus of most financial institutions when it comes to security is to protect against attacks from the outside by ensuring that firewalls are in place, configurations are correct, and testing is conducted on a regular basis per Federal requirements. 
In addition, Intrusion Detection solutions are available that will monitor network traffic for attacks and automatically shut them down, or alert key personnel that a potential attack is underway. Internally, most follow the standard security best practices recommended by Microsoft or Novell, or other recommendations and requirements for the financial industry. However, those practices are ineffective in instances of employees performing unauthorized activities or accessing unauthorized data on the network.&lt;br /&gt;&lt;br /&gt;The Identity Theft Resource Center (ITRC) reported that data breaches rose 50% in 2008. Of the many methods used, including insider theft, malware attacks and hacking, insider theft saw the largest increase, more than double the number from 2007. Data on the move and accidental exposure, both human error categories, account for 35.2% of those breaches that indicate cause. Of the various industries reviewed, the financial industry showed the largest increase in breaches, almost doubling the number of incidents from 2007. In looking at the protections that were in place when breaches occurred, it was discovered that only 11% had either encryption or password protection in place. The bulk of the data that was breached had no protection at all. Here at Compushare, we also saw an alarming 50% increase in the number of clients that were successfully “breached” through Social Engineering testing. The methods used were a combination of email phishing, phone calls and physical site assessments. When at least two of these methods were combined, we saw nearly a 100% success rate in breaching the client or gaining sensitive information.&lt;br /&gt;&lt;br /&gt;As technology evolves and becomes more intelligent, hackers have to continually find new security gaps and better ways to circumvent these new levels of security. However, the one thing they can continue to rely on is the fact that there is no patch for human error. 
This has been, and will always be, the weakest link and the most frustrating security concern that IT administrators face. So what can be done to help mitigate the threat of employees being targeted or exploited to gain access to sensitive data?&lt;br /&gt;&lt;br /&gt;There are two main areas of focus: Technology, and Risk and Compliance. From a technology standpoint, the institution should ensure that the recommended security best practices, controlling who has access to what data and when, are implemented and enforced at both a technological and a policy level. All activity on the network should be logged, with alert points implemented to notify personnel of any unauthorized activity.&lt;br /&gt;&lt;br /&gt;When it comes to Risk and Compliance, there are several areas of vital importance that must be addressed by every financial institution. A Risk Assessment should be performed to determine what your risks are, how to control these risks, and the right measures to take to protect sensitive data across all areas of the network and on the move. Ongoing training must be conducted for all employees on what is considered sensitive data, who should have access to this data, and what to do in a situation where someone asks for, or tries to gain access to, data either through email, phone calls or physical site visits. Testing should be conducted on at least an annual basis to ensure that all the technology, policies and training you have implemented are being enforced and followed throughout your institution. Quarterly testing is required for certain security parameters, such as firewalls.&lt;br /&gt;&lt;br /&gt;Technology has evolved to become a required element in business and in performing our job functions. Technology is deeply entrenched in everything we do, and the protection of sensitive information has become more complex and difficult than ever. However, this does not mean that we throw our hands up and give in to the hackers and attackers. 
With proper implementation of security best practices, upkeep of policies and procedures, and ongoing training and testing, we stay a step ahead and ensure that our data is protected, access is limited, safeguards are implemented, and employees are informed, aware and ready to act when malicious activity is suspected.</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/7684883106664455143/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=7684883106664455143' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/7684883106664455143'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/7684883106664455143'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2009/04/your-biggest-security-threat-may.html' title='Your Biggest Security Threat May Already Be On Your Network'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-6362434708105288800</id><published>2009-04-08T12:29:00.000-07:00</published><updated>2009-04-08T12:31:03.982-07:00</updated><title type='text'>Computer Hackers Eye U.S. Power Grid</title><content type='html'>By Matt Williams&lt;br /&gt;&lt;br /&gt;Computer spies from China, Russia and other countries are tunneling into the U.S. electricity grid with increasing frequency in order to study America's infrastructure, The Wall Street Journal reported Wednesday. 
An unnamed intelligence official told the newspaper that hackers have left behind software tools that could be turned on during a war in order to damage critical infrastructure systems.&lt;br /&gt;&lt;br /&gt;The revelation comes amid growing public sentiment for transforming the U.S. electrical grid into a "smart grid." It would rely upon IT to help utility companies manage peak loads and allow consumers to sell back excess power to the grid during off-peak hours.&lt;br /&gt;&lt;br /&gt;An estimated $11 billion from the economic stimulus bill President Barack Obama signed in February is dedicated to enacting standards for the smart grid and funding test cases. Millions of sophisticated "smart meters" have already been installed in homes in cities such as Los Angeles; Austin, Texas; and Boulder, Colo.&lt;br /&gt;&lt;br /&gt;Industry insiders expect the federal government to release guidance for the stimulus money as soon as next week. Analysts say a nationwide build-out of the smart grid ultimately could cost trillions of dollars.&lt;br /&gt;&lt;br /&gt;Watchdogs caution that the smart grid could be a hacker's paradise because its network of sensors, wireless technology and home-based energy meters would allow multiple entry points into the system. CNN.com reported last month that security services firm IOActive determined a malicious hacker "with $500 of equipment and materials and a background in electronics and software engineering" could simultaneously take command of smart-grid metering infrastructure of thousands or millions of homes and businesses.&lt;br /&gt;&lt;br /&gt;Power Industry Aware of Security Deficiencies&lt;br /&gt;&lt;br /&gt;A December 2008 report from the U.S. Department of Energy's Electricity Advisory Committee said utilities are increasingly using digital devices in substations to improve protection and increase reliability and control. 
"However, these remotely accessible and programmable devices can introduce cyber-security concerns," according to the report. While smart-grid technology offers more layers of control, it will require built-in security during the implementation, according to the report.&lt;br /&gt;The North American Electric Reliability Corp. (NERC) has developed Critical Infrastructure Protection standards to address cyber-security issues. But in a letter to its members Tuesday, NERC Chief Security Officer Michael Assante expressed concern that only a third of them had identified "critical assets" and "cyber-critical assets."&lt;br /&gt;&lt;br /&gt;"One of the more significant elements of a cyber-threat, contributing to the uniqueness of cyber-risk, is the crosscutting and horizontal nature of networked technology that provides the means for an intelligent cyber-attacker to impact multiple assets at once, and from a distance," Assante wrote.&lt;br /&gt;&lt;br /&gt;In February, Obama ordered a 60-day cyber-security review of how well the federal government thwarts cyber-attacks. 
The findings are due next week.</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/6362434708105288800/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=6362434708105288800' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/6362434708105288800'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/6362434708105288800'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2009/04/computer-hackers-eye-us-power-grid.html' title='Computer Hackers Eye U.S. Power Grid'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-4135680971729788434</id><published>2009-04-05T23:01:00.001-07:00</published><updated>2009-04-05T23:01:44.387-07:00</updated><title type='text'>Canadian Researchers Uncover Vast Spy Network</title><content type='html'>WASHINGTON (Reuters) - Canadian researchers have uncovered a vast electronic spying operation that infiltrated computers and stole documents from government and private offices around the world, including those of the Dalai Lama, The New York Times reported on Saturday.&lt;br /&gt;&lt;br /&gt;In a report provided to the newspaper, a team from the Munk Center for International Studies in Toronto said at least 1,295 computers in 103 countries had been breached in less than two years by the spy system, which it 
dubbed GhostNet.&lt;br /&gt;&lt;br /&gt;Embassies, foreign ministries, government offices and the Dalai Lama's Tibetan exile centers in India, Brussels, London and New York were among those infiltrated, said the researchers, who have detected computer espionage in the past.&lt;br /&gt;&lt;br /&gt;They found no evidence U.S. government offices were breached.&lt;br /&gt;&lt;br /&gt;The researchers concluded that computers based almost exclusively in China were responsible for the intrusions, although they stopped short of saying the Chinese government was involved in the system, which they described as still active.&lt;br /&gt;&lt;br /&gt;"We're a bit more careful about it, knowing the nuance of what happens in the subterranean realms," said Ronald Deibert, a member of the Munk research group, based at the University of Toronto.&lt;br /&gt;&lt;br /&gt;"This could well be the CIA or the Russians. It's a murky realm that we're lifting the lid on."&lt;br /&gt;&lt;br /&gt;A spokesman for the Chinese Consulate in New York dismissed the idea China was involved. "These are old stories and they are nonsense," the spokesman, Wenqi Gao, told the Times. 
"The Chinese government is opposed to and strictly forbids any cybercrime."&lt;br /&gt;&lt;br /&gt;The Toronto researchers began their sleuthing after a request from the office of the Dalai Lama, the exiled Tibetan spiritual leader, to examine its computers for signs of malicious software, or malware.&lt;br /&gt;&lt;br /&gt;The network they found possessed remarkable "Big Brother-style" capabilities, allowing it, among other things, to turn on the camera and audio-recording functions of infected computers for potential in-room monitoring, the report said.&lt;br /&gt;&lt;br /&gt;The system was focused on the governments of South Asian and Southeast Asian nations as well as on the Dalai Lama, the researchers said, adding that computers at the Indian Embassy in Washington were infiltrated and a NATO computer monitored.&lt;br /&gt;&lt;br /&gt;The report will be published in Information Warfare Monitor, an online publication linked to the Munk Center.&lt;br /&gt;&lt;br /&gt;At the same time, two computer researchers at Cambridge University in Britain who worked on the part of the investigation related to the Tibetans are releasing an independent report, the Times said.&lt;br /&gt;&lt;br /&gt;They do fault China and warned that other hackers could adopt similar tactics, the Times added.&lt;br /&gt;&lt;br /&gt;(Writing by Paul Simao; Editing by Peter Cooney)&lt;br /&gt;&lt;span style="font-size:78%;"&gt;Technorati Tags: &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Information Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Network Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a 
href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacker&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Bank&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Banking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FFIEC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FFIEC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/GLBA" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;GLBA&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FDIC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FDIC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Cisco&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Computers&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Technology&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-4135680971729788434?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/4135680971729788434/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=4135680971729788434' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/4135680971729788434'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/4135680971729788434'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2009/04/canadian-researchers-uncover-vast-spy.html' title='Canadian Researchers Uncover Vast Spy Network'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-4564042649192300585</id><published>2009-04-03T17:03:00.000-07:00</published><updated>2009-04-03T17:05:41.154-07:00</updated><title type='text'>Another Conficker, Kido, Downadup Checker</title><content type='html'>Here is a neat little tool, a Conficker Eye Chart.  If any of the images are missing, you could be infected.  
Nice Idea!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.confickerworkinggroup.org/infection_test/cfeyechart.html"&gt;http://www.confickerworkinggroup.org/infection_test/cfeyechart.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-4564042649192300585?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/4564042649192300585/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=4564042649192300585' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/4564042649192300585'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/4564042649192300585'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2009/04/another-conficker-kido-downadup-checker.html' title='Another Conficker, Kido, Downadup Checker'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-891634995629714998</id><published>2009-04-03T11:16:00.000-07:00</published><updated>2009-04-03T16:14:32.042-07:00</updated><title type='text'>New Nmap Version Detects Conficker</title><content type='html'>The Conficker worm is receiving a lot of attention because of its vast scale (millions of machines infected) and advanced update mechanisms. 
Thanks to research by Tillmann Werner and Felix Leder of The Honeynet Project and implementation work by Ron Bowes, David Fifield, Brandon Enright, and Fyodor, a new Nmap release is here which can remotely scan for and detect infected machines.&lt;br /&gt;&lt;br /&gt;To scan for Conficker, use a command such as:&lt;br /&gt;&lt;code&gt;nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]&lt;/code&gt;&lt;br /&gt;&lt;br /&gt;A clean machine should report at the bottom: “Conficker: Likely CLEAN”, while likely infected machines say: “Conficker: Likely INFECTED”. For more advice, see this nmap-dev post by Brandon Enright. Dan Kaminsky broke the story on Doxpara.com.&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-891634995629714998?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/891634995629714998/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=891634995629714998' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/891634995629714998'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/891634995629714998'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2009/04/new-nmap-version-detects-conficker.html' title='New Nmap Version Detects Conficker'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-5331402592580830762</id><published>2009-04-02T13:47:00.000-07:00</published><updated>2009-04-02T13:52:04.692-07:00</updated><title type='text'>Conficker: Much To do About Nothing?</title><content type='html'>Here we go again.  Another virus, another media hype.  Thanks to "60 Minutes", I had to spend about 6 hours researching Conficker on Monday and writing a letter to my clients to make sure they were calm.  What the media is not telling you is that the vast majority of Conficker infections are in Russia, Brazil, China and the Philippines.  Why?  Because those countries have an overwhelming number of pirated copies of Windows which cannot be patched.&lt;br /&gt;&lt;br /&gt;What is the lesson?&lt;br /&gt;&lt;br /&gt;1. Apply OS patches as soon as they are released.  The MS08-067 patch was available two weeks before Conficker was created.&lt;br /&gt;2. When Microsoft releases a patch on a day other than Black Tuesday, pay attention.&lt;br /&gt;3. Install WinPatrol&lt;br /&gt;4. Install Spybot Search and Destroy&lt;br /&gt;5. Install Free AVG&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-5331402592580830762?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/5331402592580830762/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=5331402592580830762' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/5331402592580830762'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/5331402592580830762'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2009/04/conficker-much-to-do-about-nothing.html' title='Conficker: Much To do About Nothing?'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-6238231645606354151</id><published>2009-04-01T13:53:00.000-07:00</published><updated>2009-04-02T13:54:42.266-07:00</updated><title type='text'>The Servers Have Left the Building</title><content type='html'>Your servers are leaving the building, and with good reason.  The cost of maintaining internal servers is becoming too much to bear for many SMBs.  
With increased regulatory pressures on maintaining proper Business Continuity safeguards, rising hardware and software requirements, and increasing user demand for mobile business solutions, the cost of maintaining an internal email and message collaboration system is skyrocketing.&lt;br /&gt;&lt;br /&gt;The purpose of this month’s Compass editorial is to demonstrate how a hosted messaging solution can reduce cost, increase operational efficiency and provide rock-solid disaster recovery options.  We will look at 6 primary cost areas in which a hosted email solution can help you reduce cost or increase efficiency.&lt;br /&gt;&lt;br /&gt;Keeping in line with the Compass article I authored in December of 2008, Picking Your Investments – Building a Business Case for Your Strategic Technology Investments, it is important to understand true costs before we can calculate the Return on Investment (ROI) required to justify any investment.  In the case of email, this has traditionally been hard to do.  Email as we used to know it – a simple messaging solution – has morphed into a complete communications platform, often incorporating mobile access, live conferencing, group calendaring, and task management.  In addition, the cost of properly securing email and reducing employee error, or malfeasance, has increased.  Lastly, in most organizations, reliance on the email platform has muscled its way into the “mission critical” category without us even knowing it.  This is especially true in organizations that employ call centers, customer service departments, or generally communicate with their customers or staff by email.  
In this day and age of shaky consumer confidence, it would be a hit to your service reputation to have your email bounce back to one of your clients or prospects.&lt;br /&gt;&lt;br /&gt;In short, the primary costs of owning and maintaining an email system can be broken down into these 6 areas:&lt;br /&gt;&lt;br /&gt;- Hardware Costs&lt;br /&gt;- Software and Licensing Costs&lt;br /&gt;- Management and Monitoring&lt;br /&gt;- Service and Support&lt;br /&gt;- Backup and Recovery&lt;br /&gt;- Additional Features and Functionality&lt;br /&gt;&lt;br /&gt;Hardware Costs&lt;br /&gt;Microsoft Exchange 2007 gives rise to extraordinary new costs, primarily from the requirement of using a 64-bit operating system and a 64-bit hardware platform with significantly expanded resource requirements.  Secondarily, Exchange 2007 introduces a new concept and set of requirements to Exchange organizations – the concept of server roles.&lt;br /&gt;&lt;br /&gt;With current Exchange servers, you can either make a Front-End server or a Back-End server and that is about the extent of it.  Exchange 2007 introduces five server roles to the Exchange organization.&lt;br /&gt;&lt;br /&gt;- Edge Transport&lt;br /&gt;- Hub Transport&lt;br /&gt;- Client Access&lt;br /&gt;- Mailbox&lt;br /&gt;- Unified Messaging&lt;br /&gt;&lt;br /&gt;Technically, although all five could run on one server, it is of course not recommended.  So at a very minimum, you will need two Exchange servers, even in a small environment.  And don't forget, you'll need two duplicates at your Disaster Recovery site.&lt;br /&gt;&lt;br /&gt;Software Costs&lt;br /&gt;You will need to calculate costs for new Windows Server Licenses, Exchange Server Licenses, Exchange Client Licenses, Windows Access Licenses, and Outlook 2007 Licenses.  Don't forget that your DR site needs licensing as well.  
Also, if you are running BlackBerry Enterprise Server or Goodlink, you will have additional costs to factor in.&lt;br /&gt;&lt;br /&gt;Management and Monitoring&lt;br /&gt;For management and monitoring, it is important to remember this is a mission critical application. You will have costs associated with 24/7 monitoring, patch management, virus protection, spyware protection, and outbound content filtering.&lt;br /&gt;&lt;br /&gt;Service and Support&lt;br /&gt;For service and support, you will have to calculate the cost of ongoing support to cover network administration, server administration, user administration, technical support, security administration, backup administration, and training.  This number can be difficult to calculate and very hard to get a hold of.  It is generally estimated that the cost for just supporting an Exchange 2007 system runs from $250 to $500 per user, per year.  So, for a financial institution of 50 full-time employees, you would be looking at budgeting around $12,500 to $25,000 for internal staff costs or outsourcing services.  In essence, two to four hours of service and support per user should be allocated each year.&lt;br /&gt;&lt;br /&gt;If on-site staff is employed, you will need to calculate the cost of training.  Exchange 2007 is an entirely new beast compared to 2003.  On average, you will spend approximately $5,000 in new training for the first year of ownership, and an estimated $1,500 a year after that.&lt;br /&gt;&lt;br /&gt;Lastly, costs must be factored in for initial setup, administration and end-user training of a new Exchange system.&lt;br /&gt;&lt;br /&gt;Backup and Recovery&lt;br /&gt;As email has become mission critical and the Recovery Time Objective (RTO) has become shorter and shorter, the cost of providing an actual recoverable messaging system has increased.  To estimate costs, you can take all of the aforementioned and double it.  
Add to that disaster recovery testing, the cost of the DR site itself, and data replication, vaulting, backup and recovery costs.&lt;br /&gt;&lt;br /&gt;Additional Features and Functionality&lt;br /&gt;Depending on the needs of your institution, you may have costs here for mobile messaging, email archiving, eDiscovery, and other collaborative services such as SharePoint.&lt;br /&gt;&lt;br /&gt;How Hosted Email Can Help&lt;br /&gt;Having a hosted email solution can eliminate or greatly reduce almost all of these costs.  Many of our clients have found that the reduction in cost for disaster recovery and data vaulting alone is enough to pay for the entire hosted solution.&lt;br /&gt;&lt;br /&gt;Hosted solutions are already treated like mission critical applications.  The enterprise can be hosted in a SAS70 compliant, Tier IV, fully-redundant data center, with 99.9% uptime guaranteed.  Redundant power, networking, servers and data provide a rock-solid disaster recovery scenario with minimal effort.&lt;br /&gt;&lt;br /&gt;Hardware, software and licensing costs are completely eliminated.  And when end-of-life is reached on your Microsoft product, you can obtain an upgrade to the next version seamlessly, and for free.&lt;br /&gt;&lt;br /&gt;Management and monitoring are also included.  Your email enterprise is monitored 24 hours a day, 7 days a week, 365 days a year.  Patch management and general maintenance are performed behind the scenes with no effort required on your part.  For new user set up, all that is required from the institution is a simple email sent to the Command Center or a quick call placed to the toll-free support number.&lt;br /&gt;&lt;br /&gt;Service and support costs are reduced to the initial installation costs.  Here is another line item that usually can cover the entire cost of a hosted solution.&lt;br /&gt;&lt;br /&gt;Backup and recovery is an area where a hosted solution really shines.  
With your servers and data already treated like a mission critical application and hosted off-site, your DR picture gets crystal clear. Where to house your staff in the case of disaster remains your biggest issue, but your mission critical email application is available anywhere you can obtain an internet connection, including wirelessly.&lt;br /&gt;&lt;br /&gt;Need to add features and functionality?  Did the President or Chairman purchase a BlackBerry this weekend?  Is the examiner demanding a fully archived solution?  Does your Marketing VP want to install an Intranet?  No sweat.  With a quick email notification to your support team, you can have that new feature turned on in minutes, with no hardware, software or licensing to install.&lt;br /&gt;&lt;br /&gt;Most of all, a hosted email solution can give you clear visibility on your actual messaging costs over the next three years and beyond.  Budgeting is easy with a flat per-user, per-month price based on the features and functionality you actually use.&lt;br /&gt;&lt;br /&gt;For our clients, I have created a simple ROI calculator that can help to determine the true Total Cost of Ownership for your messaging and collaboration solution outlining the exact costs mentioned above.  I would be happy to share this with you and teach you how to use it.  
For more information or to discuss a hosted Exchange solution that fits your messaging needs and cost requirements, please contact me at kgriffen@compushare.com.&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-6238231645606354151?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/6238231645606354151/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=6238231645606354151' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/6238231645606354151'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/6238231645606354151'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2009/04/servers-have-left-building.html' title='The Servers Have Left the Building'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-2163347298080920584</id><published>2009-01-20T16:07:00.000-08:00</published><updated>2010-01-20T16:08:49.537-08:00</updated><title type='text'>Related Feature</title><content type='html'>The above article features related content.&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-2163347298080920584?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/2163347298080920584'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/2163347298080920584'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2009/01/related-feature.html' title='Related Feature'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-822091145889693344</id><published>2008-03-30T00:34:00.000-07:00</published><updated>2008-03-30T00:35:18.884-07:00</updated><title type='text'>Flash flaw leads to Vista laptop's fall</title><content type='html'>&lt;div section="txt"&gt;&lt;div class="byline"&gt;                       &lt;/div&gt;&lt;span class="author"&gt;Posted by &lt;a href="http://www.news.com/8300-13579_3-37.html?authorId=140"&gt;Tom Krazit&lt;/a&gt;&lt;/span&gt;&lt;span class="commentTease"&gt;        &lt;/span&gt;            &lt;div class="postBody"&gt;         &lt;p&gt;It held out as long as possible, but a Windows Vista laptop fell to a determined bunch of hackers Friday evening at the Pwn to Own contest at CanSecWest.&lt;/p&gt;&lt;p&gt;  Since it was the third day of the contest, which saw a &lt;a title="MacBook Air hacked in security contest -- Thursday, Mar 27, 2008" href="http://www.news.com/8301-13579_3-9905095-37.html"&gt;MacBook Air get hacked on Thursday&lt;/a&gt;, the TippingPoint Zero Day Initiative relaxed &lt;a class="external-link" 
href="http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008"&gt;the rules&lt;/a&gt; even further. On the first day of the contest, only the operating system could be targeted, but on the second day that was expanded to include standard applications. An undisclosed Safari flaw led to the MacBook Air's downfall.&lt;/p&gt;&lt;div class="cnet-image-div float-right" style="width: 270px;"&gt;&lt;img class="cnet-image" src="http://i.i.com.com/cnwk.1d/i/bto/20080329/team_vista_270x229.jpg" alt="" height="229" width="270" /&gt;&lt;p class="image-caption"&gt;TippingPoint's Aaron Portnoy, with Shane Macauley and Alexander Sotirov (left to right) take control of a Windows Vista laptop.&lt;/p&gt;&lt;span class="image-credit"&gt;(Credit: TippingPoint)&lt;/span&gt;&lt;/div&gt;&lt;p&gt; But on Friday, hackers could target any "popular" piece of application software that you might find on a system. The Fujitsu laptop, running Vista Ultimate, was compromised by a &lt;a class="external-link" href="http://dvlabs.tippingpoint.com/blog/2008/03/28/pwn-to-own-final-day-and-wrap-up"&gt;previously undiscovered flaw in Adobe's Flash software&lt;/a&gt;.&lt;/p&gt;&lt;p&gt; Shane Macaulay, Derek Callaway and Alexander Sotirov, were able to gain control of the laptop, which also means they get to keep it. However, since the rules had been relaxed, they only get $5,000; the MacBook Air winners collected $10,000.&lt;/p&gt;&lt;p&gt; The contest rules stipulated that any winner sign a nondisclosure agreement immediately after a successful hack, so that the nature of the flaw could be disclosed to the vendor. 
Once Adobe and Apple patch their flaws, the nature of the flaw will be disclosed.&lt;/p&gt;&lt;p&gt;  A Sony Vaio laptop running Ubuntu remained unscathed at the end of the conference.&lt;/p&gt;     &lt;/div&gt;                                            &lt;/div&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;Technorati Tags: &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Information Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Network Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacker&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Bank&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Banking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FFIEC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FFIEC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/GLBA" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;GLBA&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FDIC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FDIC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span 
style="font-size:78%;"&gt;Cisco&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Computers&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Technology&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-822091145889693344?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/822091145889693344/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=822091145889693344' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/822091145889693344'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/822091145889693344'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2008/03/flash-flaw-leads-to-vista-laptops-fall.html' title='Flash flaw leads to Vista laptop&apos;s fall'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-116477885746926860</id><published>2006-11-28T21:40:00.000-08:00</published><updated>2006-11-28T21:44:56.653-08:00</updated><title type='text'>Cracking Syskey and the SAM on Windows Using Samdump2 and John</title><content type='html'>The following is a good tutorial on cracking XP.  
Just goes to show you, use strong passwords and don't let people have physical access to your machine.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://irongeek.com/i.php?page=videos/samdump2auditor"&gt;Cracking Syskey and the SAM on Windows Using Samdump2 and John (Hacking Illustrated Series)&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Technorati Tags: &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Information Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Network Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacker&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Bank&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Banking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FFIEC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FFIEC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/GLBA" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;GLBA&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FDIC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FDIC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span 
style="font-size:78%;"&gt;Cisco&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Computers&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Technology&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-116477885746926860?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://irongeek.com/i.php?page=videos/samdump2auditor' title='Cracking Syskey and the SAM on Windows Using Samdump2 and John'/><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/116477885746926860/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=116477885746926860' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/116477885746926860'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/116477885746926860'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/11/cracking-syskey-and-sam-on-windows.html' title='Cracking Syskey and the SAM on Windows Using Samdump2 and John'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-116478034405101171</id><published>2006-10-28T22:05:00.000-07:00</published><updated>2006-11-28T22:10:47.046-08:00</updated><title type='text'>How To Become A Hacker</title><content type='html'>An extensive definitive guide to learning to be a hacker written by the editor of the Jargon File and author of a few other well-known documents of similar nature. Very comprehensive document that makes for an interesting read whether you want to be a hacker or just want to know more about the lifestyle. 
Very nice resource.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.catb.org/~esr/faqs/hacker-howto.html"&gt;How To Become A Hacker&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Technorati Tags: &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Information Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Network Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacker&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Bank&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Banking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FFIEC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FFIEC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/GLBA" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;GLBA&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FDIC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FDIC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Cisco&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span 
style="font-size:78%;"&gt;Computers&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Technology&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-116478034405101171?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.catb.org/~esr/faqs/hacker-howto.html' title='How To Become A Hacker'/><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/116478034405101171/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=116478034405101171' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/116478034405101171'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/116478034405101171'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/10/how-to-become-hacker.html' title='How To Become A Hacker'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115922308579036404</id><published>2006-09-25T15:22:00.000-07:00</published><updated>2006-09-25T15:24:46.036-07:00</updated><title type='text'>ATM Passwords Found Online</title><content type='html'>Saw this today.  
I can tell you for a fact that the manufacturer's password is rarely changed.&lt;br /&gt;&lt;br /&gt;-KG&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Up to 70,000 US cash machines vulnerable.&lt;h6&gt;  &lt;/h6&gt;  &lt;div class="articlebyline"&gt;Andrew Charlesworth, &lt;a href="http://www.vnunet.com/"&gt;vnunet.com&lt;/a&gt; &lt;span class="datecolour"&gt;22 Sep 2006&lt;/span&gt;&lt;/div&gt;&lt;p&gt;The manufacturers' passwords for cash machines used widely across the US are available online in an installation manual.&lt;/p&gt;  &lt;p&gt;New York-based security researcher Dave Goldsmith, founder and president of penetration testing outfit &lt;a href="http://www.matasano.com/" target="_blank" title="Matasano Security"&gt;Matasano Security&lt;/a&gt;, pieced together clues from a CNN broadcast and the website of &lt;a href="http://www.tranax.com/" target="_blank" title="Tranax Technologies"&gt;Tranax Technologies&lt;/a&gt;, the ATM's manufacturer.&lt;/p&gt;  &lt;p&gt;Then he searched for the ATM's installation and maintenance manual online which he said gave him enough information to hijack a Tranax Mini-bank 1500 series ATM if the manufacturer's default passwords had been left unchanged. &lt;/p&gt;  &lt;p&gt;"My guess is that most of these mini-bank terminals are sitting around with default passwords untouched," Goldsmith told &lt;a href="http://www.eweek.com/" target="_blank" title="eWeek"&gt;eWeek&lt;/a&gt;. 
&lt;/p&gt;  &lt;p&gt;According to the Tranax website, around 70,000 1500 series ATMs are installed in the US.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;/p&gt; &lt;br /&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;Technorati Tags: &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Information Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Network Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacker&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Bank&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Banking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FFIEC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FFIEC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/GLBA" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;GLBA&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FDIC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FDIC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Cisco&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a 
href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Computers&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Technology&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115922308579036404?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115922308579036404/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115922308579036404' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115922308579036404'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115922308579036404'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/09/atm-passwords-found-online.html' title='ATM Passwords Found Online'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115920933588960556</id><published>2006-09-25T11:35:00.000-07:00</published><updated>2006-09-25T11:35:36.396-07:00</updated><title type='text'>Wells Fargo Discloses Another Data Breach</title><content type='html'>Here we go again.&lt;br /&gt;&lt;br /&gt;One thing I will never understand is why a bank would let an auditor take information out of the institution without having a fully encrypted disk.&lt;br /&gt;&lt;br /&gt;This stuff is so simple to fix . . . 
.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9002944&amp;source=NLT_FIN&amp;amp;nlid=56"&gt;Wells Fargo discloses another data breach&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115920933588960556?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9002944&amp;source=NLT_FIN&amp;nlid=56' title='Wells Fargo Discloses Another Data Breach'/><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115920933588960556/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115920933588960556' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115920933588960556'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115920933588960556'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/09/wells-fargo-discloses-another-data.html' title='Wells Fargo Discloses Another Data Breach'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115837055847568035</id><published>2006-09-15T18:27:00.000-07:00</published><updated>2006-09-15T18:59:04.370-07:00</updated><title type='text'>Who Should Bear the Cost of Phishing Attacks?</title><content type='html'>I came across a recent article from the Netcraft site that poses some interesting questions.  
Should banks be responsible for monetary losses due to phishing schemes, or should customers be to blame for not protecting their information and using technology poorly?&lt;br /&gt;&lt;br /&gt;Here is the article by Netcraft.  Warning!  There is a sales pitch here; I have not personally evaluated this product.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-weight: bold;"&gt;Bank, Customers Spar Over Phishing Losses&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;"Who should bear the cost of phishing losses: the bank or the customer? That question is at the heart of a recent dispute between the Bank of Ireland and a group of customers that fell victim to a phishing scam that drained 160,000 Euros ($202,000) from their accounts. The bank initially refused to cover the losses, but has since changed its mind and credited the accounts of nine victims, who had threatened to sue to recover their funds.&lt;br /&gt;&lt;br /&gt;"The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases.&lt;br /&gt;&lt;br /&gt;"The issue of responsibility has been most prominent in the UK. In late 2004, the UK trade association for banks, known as APACS, began warning that financial institutions may stop covering losses from customers who have ignored safety warnings. 
That stance is reflected in the group's statement on customer protection.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;'Banks are committed to keeping their customers' money safe and will protect customers from Internet fraud as long as they have acted with reasonable care," APACS says on its Bank Safe Online web site. "Customers must also take sensible precautions however so that they are not vulnerable to the criminal. Each case of Internet fraud is different and you can be sure that the bank will make a full investigation in the unlikely event that money is withdrawn from your account.'&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;"The American Banking Association, the industry group for the U.S. banking industry, is more definitive in its reassurance to customers on phishing losses. "Consumers are protected against losses," the ABA says on its web site. "When a customer reports an unauthorized transaction, the bank will cover the loss and take measures to protect your account."&lt;br /&gt;&lt;br /&gt;"But there have been exceptions. Last year Miami business owner Joe Lopez sued Bank of America after it refused to cover $90,000 in phishing losses. Lopez' computer was infected by a keylogging trojan, which captured his login details. His funds were soon transferred to a bank in Latvia. When Bank of America refused to cover the loss, Lopez sued for negligence, saying the bank failed to warn him about the trojan.&lt;br /&gt;&lt;br /&gt;"Where will the line be drawn between the bank's responsibility and the customer's? 
The handful of existing cases leave the issue unsettled, but suggest that the quality of the banks' phishing defenses will be a key point in the debate, and that in practice banks will not be able to pass on the financial risk of phishing to its customers simply through careful writing of the customer agreement, as the customer has no direct influence over the anti-phishing measures the bank takes."&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Here is the link to the original story:&lt;br /&gt;&lt;a href="http://news.zdnet.co.uk/internet/security/0,39020375,39283133,00.htm"&gt;Bank of Ireland to refund phishing victims&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;Technorati Tags: &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Information Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Network Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Hacker&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Bank&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Banking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FFIEC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FFIEC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a 
href="http://technorati.com/tag/GLBA" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;GLBA&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://technorati.com/tag/FDIC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FDIC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Cisco&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Computers&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt; &lt;/span&gt;&lt;a href="http://www.dot73.net/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Technology&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;&lt;/script&gt;
&lt;script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115837055847568035?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://news.netcraft.com/archives/2006/09/13/bank_customers_spar_over_phishing_losses.html' title='Who Should Bear the Cost of Phishing Attacks?'/><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115837055847568035/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115837055847568035' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115837055847568035'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115837055847568035'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/09/who-should-bear-cost-of-phishing.html' title='Who Should Bear the Cost of Phishing Attacks?'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115825639867068129</id><published>2006-09-14T10:53:00.000-07:00</published><updated>2009-07-04T12:15:20.722-07:00</updated><title type='text'>Biometrics: Use Capacitance Dummy</title><content type='html'>I get a lot of questions about biometrics and fingerprint scanners.  
Especially from the Bankers I normally work with as they are under a deadline this year.&lt;br /&gt;&lt;p&gt;The Federal Financial Institutions Examination Council (FFIEC) issued new guidance on the risk management controls necessary to authenticate the identity of customers accessing online financial services, and has stated that US banks will be expected to comply with the rules - which includes the introduction of multi-factor authentication - by the end of 2006!&lt;/p&gt;&lt;p&gt;The council is an inter-agency body representing the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). &lt;/p&gt;&lt;p&gt;The guidance, which applies to all member banks, states that firms are expected to use enhanced authentication methods when verifying online customers and states that single-factor authentication, when used as the only control mechanism, is inadequate for high-risk transactions involving access to customer information or the movement of funds.&lt;/p&gt;&lt;p&gt;Even where risk assessments indicate that the use of single-factor authentication is inadequate, FFIEC says financial institutions should implement multifactor authentication.&lt;/p&gt;&lt;p&gt;The regulator also says that banks should ensure there are reliable methods of originating new customer accounts online - as required by the US Patriot Act - and implement fraud detection systems. Banks are also expected to educate customers about the dangers of ID theft.&lt;/p&gt;&lt;p&gt;FFIEC says financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.&lt;/p&gt;So I get a lot of questions . . . 
.</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115825639867068129/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115825639867068129' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115825639867068129'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115825639867068129'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/09/biometrics-use-capacitance-dummy.html' title='Biometrics: Use Capacitance Dummy'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115825431713065469</id><published>2006-09-14T10:14:00.000-07:00</published><updated>2006-09-14T10:27:30.070-07:00</updated><title type='text'>Say Goodbye Mr. Network Geek</title><content type='html'>I was intrigued by a recent blog post by Michael Farnum of &lt;a href="http://infosecplace.com/blog/"&gt;An Information Security Place&lt;/a&gt; that laments yet another Microsoft vulnerability.  Michael has decided to get out of his Information Security Manager role, and in my comment on his blog, I suggest we all do.&lt;br /&gt;&lt;br /&gt;This led me to thinking a lot about security, and the "Three Legged Dog" of Confidentiality, Integrity and Availability.  
While these three "pillars" of information security must be understood and followed, the tasks within each of these practices have drastically changed in the last couple of years, and continue to do so at an alarming pace.  While CIA defines the end goal, what we have really been doing lately is trying to stick our finger in a large dam that has already released its flood.  We spend more time in defense of the corollary to CIA  . . . DAD.  We spend the majority of our time trying to prevent Disclosure, Alteration and Destruction, with almost 90% spent on Destruction.&lt;br /&gt;&lt;br /&gt;Information Security workers have found themselves caught up in this wave of change.  Originally, it was an important and vital job to track down the current virus threats, manage the Service Packs in [Pick your Windows flavor here], install the few hotfixes needed and call it a day. The rest of our time was spent on the important matters - defining the information we want to protect, striking the correct balance between 100% usable and 100% secure, gaining an in-depth knowledge of our environment and our user communities, training our communities on what was important and what was critical.&lt;br /&gt;&lt;br /&gt;Remember the backlash that ensued when Microsoft reported that it would pool vulnerability information and release security announcements and fixes on the second Tuesday of every month?  The big worry at that time was that there would be many more zero-day vulnerabilities to worry about, and that vulnerabilities could arise without the installed base being aware - leading to another Code Red or Sasser worm outbreak.&lt;br /&gt;&lt;br /&gt;While that was a valid concern and continues to be true, what we really missed was how this single event changed the landscape of the typical information security worker's job.  It also was one of the most brilliant marketing ploys ever foisted upon the public.  
While 1 or 2 vulnerabilities used to generate a firestorm of complaints and meaningful news, 8 new vulnerabilities released on Black Tuesday barely register a blip on true news sources.  If you eliminate all of the pseudo news, like vendor security blogs and patch management companies hawking their wares, the news is fairly light.  Unless, of course, someone finds the vulnerability before Tuesday, or the patch itself causes further problems.&lt;br /&gt;&lt;br /&gt;What does this mean for us?  It means that X number of vulnerabilities are announced every 20 working days.  Adding to the problem, applying these patches to production systems has sometimes been problematic; multiply that by trying to figure out which vulnerability affects which system, and the job becomes full-time + a lot of hours * X.   And this is only ONE software vendor.&lt;br /&gt;&lt;br /&gt;Which leads me to the point of this article:  We spend far too much time running down vulnerabilities from hardware and software vendors, and not enough time creating secure environments, understanding business needs, and finding the true security holes.  Furthermore, it's very difficult to convince the executive teams that this is where the money should be spent.&lt;br /&gt;&lt;br /&gt;Let's face it: software these days contains millions of lines of code; it's impossible to create without bugs, easy to break, and completely unpredictable.  We have to face the future . . . these millions of lines of code do not belong on individual instances of millions of servers and PCs.  What is the future?  Largely, your servers will be moved to the cloud, core data will be aggregated to service providers, and network guys will be relegated to the black boxes they originally came from.  
Think about it, bandwidth will become large and cheaply available, and most of these services can be outsourced (Virus, Spam, Patch Management, etc.).&lt;br /&gt;&lt;br /&gt;If there is a way to give the end user a better computing experience, reduce the cost of maintenance, and maintain or improve security, what is to keep companies from adopting this en masse?</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115825431713065469/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115825431713065469' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115825431713065469'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115825431713065469'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/09/say-goodbye-mr-network-geek.html' title='Say Goodbye Mr. Network Geek'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115743726968546489</id><published>2006-09-04T23:16:00.000-07:00</published><updated>2006-09-04T23:24:30.533-07:00</updated><title type='text'>Authentication - Who Are You? Can You Prove It?</title><content type='html'>The following article was written by one of Compushare's top Security Gurus for our monthly newsletter.  It is a great introduction to the concepts of authentication.&lt;br /&gt;&lt;br /&gt;BY ANDREW VESAY, CISSP&lt;br /&gt;&lt;br /&gt;When we use the term authentication, we are referring to the process of identifying a person, confirming their identity, and securing access to that person’s accounts.&lt;br /&gt;&lt;br /&gt;Up until recently, this has been done by employing the standard username and password. 
As the power of today’s PC has increased, breaking even well-selected passwords becomes easier each day. This weakness is further reinforced by the FDIC guidance issued in October of this year.&lt;br /&gt;&lt;br /&gt;The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.&lt;br /&gt;&lt;br /&gt;The basic premise of this guidance is that simple usernames and passwords are not effective authentication. Our discussion of authentication focuses on three areas:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Identification – Who are you?&lt;/li&gt;&lt;li&gt;Multifactor Authentication – Can we verify your identity in more than one way?&lt;/li&gt;&lt;li&gt;Non-Repudiation – Can we prove a valid transaction has occurred?&lt;/li&gt;&lt;/ul&gt;First, we will look at the problems with simply using usernames and passwords. In the traditional method, our user ID is the key that the system will use to look up our password information and enable the services that we are permitted to use. The weakness in this is a very simple one: if I know that my user ID is my first initial and last name, I can make a pretty good guess that your user ID follows the same convention. I’ve guessed your user ID, now I just have to get your password.&lt;br /&gt;&lt;br /&gt;Traditional systems rely on your password to verify that you are who you say you are. These days, however, even well-picked passwords are susceptible to breaking. Precompiled tables of every letter and number combination, called “rainbow” tables, let an attacker run through every password combination in a matter of minutes.&lt;br /&gt;&lt;br /&gt;If I have guessed your user ID and password, I have assumed your online identity and can perform transactions as you. 
This presents the problem of non-repudiation: can we prove that a valid transaction was performed between valid parties? We have to verify that the transaction and parties involved in it cannot be contested. If I have guessed your username and password, how can you prove that it wasn’t you that transferred all of your funds to a numbered Swiss bank account?&lt;br /&gt;&lt;br /&gt;Now let’s look at some of the components of strong authentication. To prove someone’s identity we can use the following simple formula. We need to have two of the three following components.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Something you have – a physical device of some sort, such as a card or security token &lt;/li&gt;&lt;li&gt;Something you are – a biometric identifier, such as fingerprint scan, or retinal scan of your eye&lt;/li&gt;&lt;li&gt;Something you know – a passcode that only you would know such as password or phrase, or answers to personal security questions&lt;/li&gt;&lt;/ul&gt;These three components are found in most of the emerging methods for identification or authentication and together provide the foundation for non-repudiation. Authentication utilizing two or more of these components is called “multifactor” authentication.&lt;br /&gt;A good example of multifactor authentication is your ATM card. You have your card, something you have, and your PIN, something you know.&lt;br /&gt;&lt;br /&gt;Completing a successful, secure online transaction requires several steps. First, we must validate that the site we are communicating with is the actual merchant’s site. Next, we must identify ourselves and successfully authenticate our identity. Finally, we must be able to prove that the transaction was successfully completed by both parties.&lt;br /&gt;&lt;br /&gt;When we start our online session, we need to verify that we have an authentic connection to the web server of the institution with whom we want to do business. 
This is commonly accomplished using a digital certificate. A website would register with a trusted third party that validates its identity. When you connect to the website, you can view the digital certificate and verify that it is valid. In most web browsers, you can click on the lock icon in the lower right of the browser window to view the digital certificate for the site with whom you are communicating.&lt;br /&gt;&lt;br /&gt;An additional technique that some institutions are using to further validate that a user has reached their site is requiring that the user answer some personal security questions and identify a picture with a caption they have selected.&lt;br /&gt;&lt;br /&gt;Next, we must identify ourselves to the web server and validate our identity. This is one of the problems in the current online banking environment. We have something we know in our username and password. However, we do not have either of the other components of multifactor authentication, something we have or something we are.&lt;br /&gt;&lt;br /&gt;A technique that is becoming more prevalent is the use of digital signatures, which uses a technology called public/private key pairs. A key pair has two interrelated parts. The key pair is generated as a single key and then split into a public and private key. The public key is made available to anyone who wants it, while the private key is kept secret on your PC. Your private key becomes “something you have.”&lt;br /&gt;&lt;br /&gt;The only way to complete a secure transaction would be to use your password, something you know, and use your private key, something you have, to authorize the session. The basis for non-repudiation of this transaction is that we have used multifactor authentication to ensure that you are who you say you are.&lt;br /&gt;&lt;br /&gt;Another frequently used technique also incorporates “something we have.” A “token” is a physical device that constantly updates a complex algorithm. 
Your complete password is calculated using your PIN and the constantly changing key generated by your security token. This technique is called one-time passwords.&lt;br /&gt;&lt;br /&gt;Using a security token allows us to incorporate something I have, my token, and something I know, my PIN, which then increases the security by making my password a constantly changing value. Again, non-repudiation of a transaction has its basis in the use of multifactor authentication to verify our identity.&lt;br /&gt;&lt;br /&gt;In response to the FDIC guidance, Internet banking and authentication vendors are quickly developing potential solutions to this authentication challenge. No clear-cut methodology has yet emerged. The two methods we have discussed are widely used in other areas of enterprise security and we can expect some form of these techniques to start showing up in our online banking systems very soon.</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115743726968546489/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115743726968546489' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115743726968546489'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115743726968546489'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/09/authentication-who-are-you-can-you.html' title='Authentication - Who Are You? Can You Prove It?'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115706724502290651</id><published>2006-08-31T16:31:00.000-07:00</published><updated>2006-08-31T16:35:42.473-07:00</updated><title type='text'>Visa Issues Data Security Alert</title><content type='html'>&lt;p&gt;BROOKFIELD, Wis. — Visa USA issued a data security alert Aug. 31 to warn merchants about the risks associated with storing magnetic-stripe and other sensitive data on point-of-sale systems. The alert recommends specific actions that merchants can take to mitigate these risks.&lt;/p&gt; &lt;p&gt;To support compliance with the Visa USA Cardholder Information Security Program, Visa issues security alerts when vulnerabilities are detected in the marketplace, or as a reminder about best practices.  
&lt;/p&gt;&lt;b&gt; &lt;/b&gt;&lt;p&gt;&lt;b&gt;Security vulnerability &lt;/b&gt;&lt;/p&gt; &lt;p&gt;Visa announced in a news release that it is aware of credit and debit compromises that resulted from the improper storage of mag-stripe data after transaction authorization was completed. The mag-stripe holds data in two tracks.&lt;/p&gt; &lt;p&gt;Track information is received by a merchant’s POS system when a card is swiped. Some merchant POS systems improperly store that data after authorization, violating Visa’s operating regulations. Hackers are aware of the vulnerability and are targeting certain POS systems to steal this information. &lt;/p&gt; &lt;p&gt;Visa also has observed compromises involving other data elements, namely card verification value 2 (CVV2), PINs and PIN blocks. CVV2 is the 3-digit number typically found on the signature panel of the card. PIN blocks are encrypted versions of PINs. &lt;/p&gt; &lt;p&gt;According to Visa, merchants may only store specific data elements, including the cardholder’s name, primary account number, expiration date and service code, from the mag-stripe to support card acceptance. But that information must be protected in accordance with the Payment Card Industry Data Security Standard. &lt;/p&gt; &lt;p&gt;Merchants may mistakenly believe they need to store prohibited elements to process merchandise returns and transaction reversals, Visa says. Acquirers should ensure their merchants have proper processes for each type of transaction. &lt;/p&gt; &lt;p&gt;&lt;strong&gt;Recommended mitigation strategy&lt;/strong&gt; &lt;/p&gt; &lt;p&gt;To safeguard their systems and reduce risk from a compromise, merchants should make sure that they are not storing prohibited data. &lt;/p&gt; &lt;p&gt;Visa offers the following suggestions: &lt;/p&gt; &lt;p&gt;• Ask the software vendor to verify that your software version does not store mag-stripe data, CVV2, PINs or encrypted PIN blocks. 
If it does, those data elements must be removed immediately. &lt;/p&gt; &lt;p&gt;• Ask the software vendor to share a list of files written by the application, and a summary of the content to verify prohibited data is not stored. &lt;/p&gt; &lt;p&gt;• Review custom POS applications for any evidence of prohibited data storage. Eliminate any functionality that enables storage of this data. &lt;/p&gt; &lt;p&gt;• Search for and expunge all historical prohibited data elements that may be residing within your payment-system infrastructure. &lt;/p&gt; &lt;p&gt;• Confirm that it’s necessary to store the data you’re keeping. If not, don’t store it.&lt;/p&gt; &lt;p&gt;• Verify that your POS software meets Visa Payment Application Best Practices. A list of PABP compliant applications is available on Visa’s &lt;a href="http://www.visa.com/cisp" target="_blank"&gt;Web site&lt;/a&gt;.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115706724502290651/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115706724502290651' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115706724502290651'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115706724502290651'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/visa-issues-data-security-alert.html' title='Visa Issues Data Security Alert'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115698466771683636</id><published>2006-08-30T17:36:00.000-07:00</published><updated>2006-08-30T17:37:48.096-07:00</updated><title type='text'>Yet Another Loss of Customer Data</title><content type='html'>&lt;p&gt; SAN FRANCISCO, Aug 29 (Reuters) - AT&amp;T Inc. 
(T.N) said on Tuesday that computer hackers illegally accessed credit card data and other personal information from several thousand customers who bought DSL equipment from AT&amp;amp;T's online store.&lt;/p&gt;&lt;p&gt; The phone company said it is notifying "fewer than 19,000" customers whose data was accessed over the past weekend.&lt;/p&gt;&lt;p&gt; The company said it noticed the hacking "within hours," immediately shut down the online store, notified credit card companies and is working with law enforcement agencies to investigate the incident and find the hackers.   &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115698466771683636?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115698466771683636/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115698466771683636' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115698466771683636'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115698466771683636'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/yet-another-loss-of-customer-data.html' title='Yet Another Loss of Customer Data'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115682721570428516</id><published>2006-08-28T21:51:00.000-07:00</published><updated>2006-08-28T21:53:35.933-07:00</updated><title type='text'>Dear Bankers: Your Vault is Not Safe</title><content type='html'>Several high-profile examples of data tape loss during transit have put customers on alert over the risk that their confidential information may be subject to loss due to movement of backup tapes. For example, Bank of America last year was dealt a severe blow when the company admitted to losing data tapes en route to a data center. 
The tapes reportedly featured employee and personal information on 1.2 million federal workers.&lt;br /&gt;&lt;br /&gt;This year’s news has been full of tape losses from Wells Fargo, Bank of America, Iron Mountain, etc.  This, on top of the federal regulators' heightened focus on Disaster Recovery and Business Continuity due to Katrina and other disasters, has put many financial institutions in a quandary on how to handle backups safely while still providing quick access for disaster recovery needs.&lt;br /&gt;&lt;br /&gt;The age-old problem of 100% usable vs. 100% secure rears its ugly head again.&lt;br /&gt;&lt;br /&gt;For years I have been telling my financial institution clients that storing your tapes in your vault, or in your sock drawer, is not an adequate recovery solution.  Not to mention, it is inherently not secure.  Now I am telling you that your vault isn’t secure either.&lt;br /&gt;&lt;br /&gt;What?  My vault is not secure?  That’s right, it’s not.  I’m going to share a true story with you now, that is so shocking, so scary, that I cannot even reveal what location this took place in.  In order to protect my client’s identity, I will even have to fudge the numbers a little, but rest assured, I am rounding down!&lt;br /&gt;&lt;br /&gt;The story starts with a bank robbery.  A bank robber walked into a very remote bank branch and demanded all of the money in the teller drawers.  When finished, he asked for the security videotapes.  The branch manager attempted to explain, at gunpoint, that there were no security tapes and that the cameras were 100% digital. &lt;br /&gt;&lt;br /&gt;Not being the brightest bank robber, he did not understand or believe the manager and took him to the vault.  
The bank robber then proceeded to steal the bank's DATA tapes, thinking that they were videotapes.&lt;br /&gt;&lt;br /&gt;Unfortunately, these tapes contained the names, addresses, social security numbers, birthdates, account numbers, and bank balances of 15,000 active bank customers, and another 8,000 inactive customers.&lt;br /&gt;&lt;br /&gt;So your vault is not safe either.  So what is the solution?  You must encrypt your data at rest.  Period.  There are many solutions that allow for encrypted online data backup, support block-level daily changes, and keep the data fully encrypted in transit and at rest.  At a minimum, data tapes must not be readable in plaintext.  We are just not in that world anymore.&lt;br /&gt;&lt;br /&gt;In fact, if you are storing any of your non-public private information in a plaintext format, it is only a matter of time and effort before you are going to be exposed.&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115682721570428516?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115682721570428516/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115682721570428516' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115682721570428516'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115682721570428516'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/dear-bankers-your-vault-is-not-safe.html' title='Dear Bankers: Your Vault is Not Safe'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115652772929999459</id><published>2006-08-25T10:38:00.000-07:00</published><updated>2006-08-25T10:42:10.020-07:00</updated><title type='text'>Why You Should Perform Regular Security Audits</title><content type='html'>This was a real nice article I found today out of Australia.  Great points on why Security Audits are important:&lt;br /&gt;&lt;br /&gt;Jonathan Yarden, TechRepublic - August 25, 2006&lt;br /&gt;&lt;br /&gt;In less than a decade, Internet security has evolved from an almost esoteric topic to become one of the more important facets of modern computing. 
And yet it's a rarity to find companies that actually consider information security to be an important job function for all workers—and not just the IT department's problem. &lt;br /&gt;&lt;br /&gt;Unfortunately, it's the general opinion of most companies, particularly at the management level, that their computer systems are secure. However, one of the only ways to determine whether this is actually true is by performing a thorough audit of computer systems. But most companies don't make it a habit of performing regular security audits, if they perform them at all. &lt;br /&gt;&lt;br /&gt;In my experience, many companies base their Internet and information security strategy entirely on assumptions. And we're all familiar with that old saying about making assumptions. &lt;br /&gt;&lt;br /&gt;But I don't entirely blame companies for failing to conduct periodic computer security audits. Frankly, the complexity and variability of administering and interpreting a comprehensive computer systems audit is equal to the complexity and variability of the systems used in corporations. &lt;br /&gt;&lt;br /&gt;Several dozen popular commercial network and computer security auditing programs are currently available. While I've used several myself, I've honestly found no favorites. These tools produce mountains of useful information, but understanding what to do with the data is no simple job. &lt;br /&gt;&lt;br /&gt;Most computer network and system security audits begin the same way. An automated program gathers information about hosts on the corporate network, identifying the type of network device. If applicable, it also scans the TCP and UDP services that are present and "listening" on the host, and it might even determine the versions of the software supplying an Internet service. 
&lt;br /&gt;&lt;br /&gt;In most cases, the process involves at least two automated scans—one of internal networks, which are generally behind a firewall, and one of the Internet subnet used by the corporation. If a security audit doesn't include both an interior and exterior scan, then you're not getting a complete picture of what hosts are on your organisation's network. &lt;br /&gt;&lt;br /&gt;In addition, I also recommend that companies perform their own auditing whenever possible. If not, it's vital that you select an Internet security vendor you don't currently do business with. &lt;br /&gt;&lt;br /&gt;Security audits produce a huge amount of data, and you need to be prepared to review this information in order to truly benefit from the audit. It's also important to understand that a computer security audit may report potential problems where no real issue exists. &lt;br /&gt;&lt;br /&gt;For example, an isolated switch from 1998 in an internal network could quite possibly be running firmware that's vulnerable to a denial-of-service flood. Should you replace it? Probably not. Nor should you be too concerned about the ancient Windows NT 4 system running outdated voice mail software that's subject to an obscure TCP sequence number exploit. It's not running anything other than a specialised application for voice mail services, and it's behind the firewall. &lt;br /&gt;&lt;br /&gt;But some issues should concern you. For example, it's a good idea to disable guest accounts on dedicated Windows servers. Don't run IIS on Windows domain controllers, and DNS servers should not be running services other than DNS either. &lt;br /&gt;&lt;br /&gt;However, a security audit may not always identify these issues, and one could debate whether it's actually a security problem. When there's doubt, disable unused services, or determine a secure solution. 
&lt;br /&gt;&lt;br /&gt;The major problems with security audits are that they typically produce either too much data or not enough. A dearth or an excess of data can lead to misinterpretation and even exploitation of the information. Fear remains a very effective way to sell unnecessary equipment and services to companies that don't truly understand security. &lt;br /&gt;&lt;br /&gt;For example, one company's recent Internet security audit completely ignored the security issue of direct VPN connections to the internal network and a dial pool, both of which completely bypassed the firewall. Coincidentally, while the same vendor that performed the audit was busy replacing functioning internal network equipment due to "vulnerable" firmware, one of the many recent Sober flavors was busy spreading internally, sourced from a remote office connected via a VPN. &lt;br /&gt;&lt;br /&gt;Knowing what is and what isn't a significant issue goes to the very core of understanding Internet and information security. While assumptions can be correct, in many cases, they're dead wrong. Perform regular security audits on your organisation's network to be sure. And if you're not using a particular TCP or UDP service, shut it off. 
&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115652772929999459?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.builderau.com.au/program/development/soa/Why_you_should_perform_regular_security_audits/0,39024626,39269600,00.htm' title='Why You Should Perform Regular Security Audits'/><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115652772929999459/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115652772929999459' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115652772929999459'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115652772929999459'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/why-you-should-perform-regular.html' title='Why You Should Perform Regular Security Audits'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115648564506923953</id><published>2006-08-24T22:56:00.000-07:00</published><updated>2006-08-24T23:00:45.523-07:00</updated><title type='text'>Update for MS06-042 released late.</title><content type='html'>Microsoft released the patch for MS06-042 one day late due to technical problems.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx"&gt;http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I'm not sure I would put this patch 
into production as there were issues with the patch.&lt;br /&gt;&lt;br /&gt;Meanwhile, my recommendation is to implement Microsoft’s “workaround”.&lt;br /&gt;1. Start Internet Explorer 6.&lt;br /&gt;2. On the Tools menu, click Internet Options, and then click the Advanced tab.&lt;br /&gt;3. In the Settings box, click to clear the Use HTTP 1.1 check box under HTTP 1.1 settings, and then click OK.&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115648564506923953?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115648564506923953/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115648564506923953' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115648564506923953'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115648564506923953'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/update-for-ms06-042-released-late.html' title='Update for MS06-042 released late.'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115645286644690009</id><published>2006-08-24T13:45:00.000-07:00</published><updated>2006-08-24T13:56:56.903-07:00</updated><title type='text'>Internal Network Security Trends</title><content type='html'>This was an interesting article I came across today. I feel like I have been yelling about "aggressive patch management" and stricter access control for mobile employees for 5 years now. 
Enjoy:&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;p align="left"&gt;&lt;strong&gt;&lt;em&gt;Don’t Forget About Network Security Inside Your Perimeter&lt;br /&gt;&lt;/em&gt;&lt;br /&gt;High-profile network security breaches have been headline news these last few months, and the face of network crime is becoming more ominous with the mass theft of sensitive personnel information. The boundaries of the network are also changing. According to Forrester Research, “Remote Access and Business Partner connectivity means the [network] perimeter is disappearing.”&lt;br /&gt;&lt;br /&gt;Michael Rothschild, director of marketing for CounterStorm (&lt;/strong&gt;&lt;a href="http://www.counterstorm.com/" target="blank"&gt;&lt;strong&gt;www.counterstorm.com&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;), developer of the CounterStorm-1 internal network security solution, sees hacking shifting in the past 48 months from the simple defacing of Web sites to the theft of corporate data. He also sees the perpetrators of such cyber attacks shifting from career hackers to organized crime.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Turning Your Security Focus Inside Your Network Perimeter&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;So many organizations focus their network security on perimeter defenses such as firewalls and intrusion detection, but they also need to focus inside their network perimeter.&lt;br /&gt;&lt;br /&gt;CounterStorm’s Rothschild says that beyond the basic security measures of deploying firewalls and antivirus software is the need to establish aggressive patching strategies for both server and client PCs.&lt;br /&gt;&lt;br /&gt;Rothschild also emphasizes being diligent about establishing and enforcing internal IT policies for network access. 
He says, “Mobile workers, road warriors, and home office workers need policies to govern how they access your corporate network.”&lt;br /&gt;&lt;br /&gt;Steve O’Brian, vice president of product management and marketing for Granite Edge Networks (&lt;/strong&gt;&lt;a href="http://www.graniteedgenetworks.com/" target="blank"&gt;&lt;strong&gt;www.graniteedgenetworks.com&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;), developers of the Granite Edge ESP appliance-based internal network security solution, says, “Small to midsized enterprises have to support and manage many of the same business processes and IT needs as large enterprises but struggle with efficiencies due to limited staff and budget. In order for IT to overcome these efficiency battles and&lt;br /&gt;become enablers for enhancing business performance and overall competitive advantage, data center/IT managers need to focus on deploying low-support solutions that improve core business operations.” &lt;/strong&gt;&lt;/p&gt;&lt;p align="left"&gt;Get the full article here:&lt;/p&gt;&lt;p align="left"&gt;&lt;a href="http://www.processor.com/email.asp?emid=6947"&gt;http://www.processor.com/email.asp?emid=6947&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115645286644690009?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.processor.com/email.asp?emid=6947' title='Internal Network Security Trends'/><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115645286644690009/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115645286644690009' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115645286644690009'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115645286644690009'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/internal-network-security-trends.html' title='Internal Network Security Trends'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115618813120542028</id><published>2006-08-21T12:19:00.000-07:00</published><updated>2006-08-21T12:25:15.913-07:00</updated><title type='text'>FFIEC Releases FAQ on Authentication in an Internet Banking Environment</title><content type='html'>The Federal Financial Institutions Examination Council (FFIEC) member agencies released a frequently asked questions document (FAQs) to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005.&lt;br /&gt;&lt;br /&gt;The authentication guidance, which applies to both retail and commercial customers, specifically 
addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the guidance by providing information on the scope of the guidance, the timeframe for compliance, risk assessments, and other issues.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ffiec.gov/pdf/authentication_faq.pdf"&gt;Get the FAQ here.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115618813120542028?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115618813120542028/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115618813120542028' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115618813120542028'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115618813120542028'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/ffiec-releases-faq-on-authenticaion-in.html' title='FFIEC Releases FAQ on Authentication in an Internet Banking Environment'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115611847337802722</id><published>2006-08-20T16:57:00.000-07:00</published><updated>2006-08-20T21:11:04.916-07:00</updated><title type='text'>Biometrics History -- Looking at Biometric Technologies from Past to Present</title><content type='html'>&lt;p&gt;Biometrics History -- Looking at Biometric Technologies from Past to Present&lt;br /&gt;By &lt;a href="http://ezinearticles.com/?expert=Alice_Osborn"&gt;Alice Osborn&lt;/a&gt;&lt;/p&gt;The ancient Egyptians and the Chinese played a large role in biometrics' history.  Although biometric technology seems to belong in the twenty-first century, the history of biometrics goes back thousands of years.  
Today, the focus is on using biometric face recognition and identifying characteristics to stop terrorism and improve security measures.  Once an individual is matched against a template, or sample, in the database, a security alert goes out to the authorities.  The spacing between a person's eyes, ears and nose provides most of the identifying data.&lt;br /&gt;&lt;p&gt;The ACLU and other civil liberties groups are against the widespread use of these biometric technologies, although they acknowledge the necessity of their presence in airports and after the London bombings. Biometric technologies also need to achieve greater standardization and technological innovations to be recognized as a trustworthy identity authentication solution.&lt;/p&gt;&lt;b&gt;A timeline of biometric technology&lt;/b&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;• European explorer Joao de Barros recorded the first known example of fingerprinting, which is a form of biometrics, in China during the 14th century.  Chinese merchants used ink to take children's fingerprints for identification purposes.&lt;p&gt;&lt;/p&gt;• In 1890, Alphonse Bertillon, a Parisian police desk studied body mechanics and measurements to help identify criminals.  The police used his method, the Bertillonage method, until it falsely identified some subjects.  The Bertillonage method was quickly abandoned in favor of fingerprinting, brought back into use by Richard Edward Henry of Scotland Yard.&lt;br /&gt;&lt;br /&gt;• Karl Pearson, an applied mathematician, studied biometric research early in the 20th century at University College of London.  He made important discoveries in the field of biometrics through studying statistical history and correlation, which he applied to animal evolution. 
His historical work included the method of moments, the Pearson system of curves, correlation and the chi-squared test.&lt;br /&gt;&lt;br /&gt;• In the 1960s and '70s, signature biometric authentication procedures were developed, but the biometric field remained fixed until the military and security agencies researched and developed biometric technology beyond fingerprinting.&lt;br /&gt;&lt;br /&gt;• 2001 Super Bowl in Tampa, Florida -- each facial image of the 100,000 fans passing through the stadium was recorded via video security cameras and checked electronically against mug shots from the Tampa police.  No felons were identified and the video surveillance led many civil liberties advocates to denounce biometric identifying technologies.&lt;br /&gt;&lt;br /&gt;• Post 9/11 -- after the attacks, authorities installed biometric technologies in airports to ID suspected terrorists, but some airports, like Palm Beach International, never reached full installation status due to the costs of the surveillance system.&lt;br /&gt;&lt;br /&gt;• July 7th, 2005 London, England -- British law enforcement is using biometric face recognition technologies and 360-degree "fish-eye" video cameras to ID terrorists after four bombings on subways and on a double-decker bus.  In fact, London has over 200,000 security cameras and surveillance cameras that have been in use since the 1960s.&lt;br /&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;/p&gt;&lt;b&gt;Today and looking forward&lt;/b&gt;&lt;br /&gt;&lt;p&gt;Biometrics is a growing and controversial field in which civil liberties groups express concern over privacy and identity issues.  Today, biometric laws and regulations are in process and biometric industry standards are being tested.  
Face recognition biometrics has not reached the prevalent level of fingerprinting, but with constant technological pushes and with the threat of terrorism, researchers and biometric developers will hone this security technology for the twenty-first century.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Copyright © 2005 Evaluseek Publishing.&lt;/p&gt;&lt;b&gt;About the Author&lt;/b&gt;&lt;br /&gt;&lt;p&gt;Alice Osborn is a successful freelance writer providing practical information and advice about everything related to &lt;a target="_new" href="http://www.video-surveillance-guide.com/"&gt;CCTV surveillance systems&lt;/a&gt; and related topics. Her numerous articles include tips for saving both time and money when shopping for video security products; equipment reviews and reports; and other valuable insights.  Increase your knowledge about &lt;a target="_new" href="http://www.video-surveillance-guide.com/video-surveillance-equipment.htm"&gt;CCTV equipment&lt;/a&gt; and &lt;a target="_new" href="http://www.video-surveillance-guide.com/surveillance-cameras.htm"&gt;security cameras&lt;/a&gt; when you visit Video-Surveillance-Guide.com today!&lt;/p&gt;Article Source: &lt;a href="http://ezinearticles.com/?expert=Alice_Osborn" target="_new"&gt;http://EzineArticles.com/?expert=Alice_Osborn&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115611847337802722?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115611847337802722/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115611847337802722' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115611847337802722'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115611847337802722'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/biometrics-history-looking-at.html' title='Biometrics History -- Looking at Biometric Technologies from Past to Present'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115586222766108901</id><published>2006-08-17T17:49:00.000-07:00</published><updated>2006-08-17T22:58:59.773-07:00</updated><title type='text'>Highlights of the 2006 CSI/FBI Computer Crime and Security Survey</title><content type='html'>I felt like Steve Martin in "The Jerk" this morning, as I was jumping up and down in glee when the new 2006 CSI/FBI Computer Crime Survey arrived on my desk. It's not as easy to yell as "The Phonebook is here! The Phonebook is here!", but you get the point. Each year the Computer Security Institute and the San Francisco FBI Computer Intrusion Squad conduct this exciting survey. 
Going on 11 years, it provides interesting insights into the present state of security and also the current trends we are seeing in our industry. In this post, I'll be covering the highlights and key findings of the survey.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Budgeting&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Overall expenditures in IT are hard to understand from the survey, as company size is broken out by revenue. While smaller companies under $100 million in revenue experienced a 200 to 300 percent increase in security expenditures per employee, larger companies experienced a decline in overall spending.&lt;br /&gt;&lt;br /&gt;Companies under 10 million in annual sales are spending a whopping $1664 per employee annually on security and security training, while companies over 1 billion are averaging only $218 per employee. It seems like the evil dream of hurting Big Corporate America through cyber-crime is actually crippling the little guy.&lt;br /&gt;&lt;br /&gt;Most respondents felt that not enough money was being budgeted for end-user security training. Companies with revenue over 1 billion spend less than $20 on end-user security awareness training. Economies of scale notwithstanding, this strikes me as exceptionally low. Isn’t the end user the greatest threat?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Frequency, Nature and Cost of Breaches&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;The leading causes of financial loss cited in the survey were:&lt;br /&gt;&lt;br /&gt;1. Virus&lt;br /&gt;2. Unauthorized Access&lt;br /&gt;3. Laptop / PDA Theft&lt;br /&gt;4. Theft of Proprietary Information&lt;br /&gt;&lt;br /&gt;68% of those losses were from insider threats. This number is down slightly, but it is clear that the problem is not solved by building a more robust perimeter. One interesting statistic in the report is that unauthorized use is down this year, to 52%. Down to 52%! 
52% of the companies surveyed reported unauthorized use of their computer systems! Doesn't this bother anyone? I guess it is an improvement over the 70% finding in 2000.&lt;br /&gt;&lt;br /&gt;While most attack types have been declining over the past 7 years of the survey, there were several attack types that were on the rise:&lt;br /&gt;&lt;br /&gt;1. Financial Fraud&lt;br /&gt;2. System Penetration&lt;br /&gt;3. Sabotage&lt;br /&gt;4. Misuse of Public Web Site&lt;br /&gt;5. Web Site Defacement&lt;br /&gt;&lt;br /&gt;All of these attack types were reported by less than 20% of the respondents, but the rise in these categories is something to watch carefully.&lt;br /&gt;&lt;br /&gt;64% of all respondents had some sort of website incident, with 59% reporting more than 10 incidents per year. There is obviously something going on here. As organizations have become better at protecting the perimeter with Firewalls, IDS and IPS systems, the remaining Achilles heel is the organization’s public web site, which must remain somewhat open for business.&lt;br /&gt;&lt;br /&gt;We began our Deep Web Application Scanning offering in early 2005, and have seen this portion of our business grow rapidly as people of malicious intent are down to the final frontier. Attacking the web server is easy, fairly unsophisticated, and simple to perform with off-the-shelf tools.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Risk Management&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Only 29% of respondents deferred any risk by using external “cyber insurance”. You would expect with all that has happened in the last 5 years that organizations would be more willing to pay for insurance. I guess we need a few more tapes with 5 million credit card numbers to disappear.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Outsourcing&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Overall there was a slight decrease in IT security outsourcing. 
While not statistically significant (63% to 61%), it is interesting given the current outsourcing trend. It appears that IT security is being considered in a different light than regular IT projects and is not riding the outsourcing wave.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;While overall financial losses are down this year, it is apparent that organizations are still not willing to spend on security technology that could really help them. I suspect that part of this is that many companies do not know exactly how much risk they are carrying because they have not performed a quantitative risk assessment. It is not enough to label your risk as High, Medium, or Low. You need to put hard dollars on these items to understand the true impact. This also helps IT organizations in getting the funding they need. If I can reduce 2M in risk with a $50,000 patch management program, why wouldn’t I?&lt;br /&gt;&lt;br /&gt;There is also still a definite lack of end user awareness training when it is assumed that the "user is the weakest link." Also, it is clear that the largest cause of financial loss is not the largest concern of most IT departments. Viruses only ranked 5th on the respondents' list of concerns, behind:&lt;br /&gt;&lt;br /&gt;1. Data Protection (Classification, Identification, Encryption)&lt;br /&gt;2. Web Application Security&lt;br /&gt;3. Regulatory Compliance&lt;br /&gt;4. Identity Theft&lt;br /&gt;&lt;br /&gt;One thing I would like to see covered in the study in future years is more data on how these attacks are carried out. How many were due to poor access lists, poor administrative control, or social engineering? For instance, viruses are the leading cause of financial loss, we know that, but how are these viruses introduced into the network? Is it people clicking on e-mail links, surfing the web, or is it just poor patch management? 
Until you can answer those questions, it is hard to determine where an organization can realize the best reduction of risk at the least possible cost.&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115586222766108901?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115586222766108901/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115586222766108901' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115586222766108901'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115586222766108901'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/highlights-of-2006-csifbi-computer.html' title='Highlights of the 2006 CSI/FBI Computer Crime and Security Survey'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115562000761297991</id><published>2006-08-16T22:32:00.000-07:00</published><updated>2006-08-16T21:10:51.686-07:00</updated><title type='text'>CNET: RFID Passports Arrive for Americans</title><content type='html'>The U.S. State Department is about to begin handing out RFID-equipped passports, despite lingering security and privacy concerns.&lt;br /&gt;By Anne Broache&lt;br /&gt;Staff Writer, CNET News.com&lt;br /&gt;Published: August 16, 2006, 4:43 PM PDT&lt;br /&gt;&lt;br /&gt;"A first wave of U.S. 
passports implanted with radio tags will soon begin making their way into the hands of American travelers despite lingering privacy and security concerns, federal officials said Monday.&lt;br /&gt;&lt;br /&gt;Not long after researchers at a pair of security conferences in Las Vegas demonstrated potential risks associated with the new documents, the U.S. State Department insisted the documents are tamperproof and said it had begun producing them at the Colorado Passport Agency, which serves applicants from that state and the Rocky Mountain region.&lt;br /&gt;&lt;br /&gt;The agency said it plans to issue the documents through the nation's other passport facilities within the next few months, as part of its original plan to make all future passports electronic by October. It was unclear how many e-passports would be mailed out this year, although a State Department representative said Monday that the agency expects to distribute a total of 13 million passports by year's end.&lt;br /&gt;&lt;br /&gt;The new passports, which have been undergoing testing for several months and have already been issued to some U.S. diplomats, will be equipped with radio frequency identification (RFID) chips that can transmit personal information including the name, nationality, sex, date of birth, place of birth and digitized photograph of the passport holder. They employ a "multilayered approach" to protect privacy and reduce the possibility that passersby can skim data from the books, the agency said.&lt;br /&gt;&lt;br /&gt;"The Department of State is confident that the new e-passport, including biometrics and other improvements, will take security and travel facilitation to a new level," the agency said in a statement.&lt;br /&gt;&lt;br /&gt;State Department officials claim that a layer of metallic antiskimming material in the front cover and spine of the book can prevent information from being read from a distance, provided that the book is fully closed. 
The document will also employ a cryptographic technique called Basic Access Control, which means the RFID chip unveils its contents only after a reader successfully authenticates itself as being authorized to receive that information.&lt;br /&gt;&lt;br /&gt;State Department spokesman Kurtis Cooper dismissed recent concerns raised by security researchers that the passports could nevertheless be "cloned"--that is, copied and used in a forged passport. The agency is confident that other security features built into the book would foil would-be imposters, he said.&lt;br /&gt;&lt;br /&gt;The cloning technique demonstrated at the Las Vegas events is simple: It requires only a laptop equipped with a $200 RFID reader and a smart card programmer. The laptop's software scanned information from the RFID chip and wrote it to the smart card, which can then be embedded in a fake passport.&lt;br /&gt;&lt;br /&gt;Security researchers have not, however, figured out how to alter the personal information, which is protected with a digital signature designed to enable unauthorized changes to be detected. Creating a fake passport therefore would be most useful to anyone who can forge the physical document and resembles the actual passport holder.&lt;br /&gt;&lt;br /&gt;"The digital photograph of the passport holder embedded in the data page and the digital signature on the data, combined with our human U.S. 
border inspection process, would prevent someone from using a forged passport to gain entry into the United States," Cooper said in a telephone interview."&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115562000761297991?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115562000761297991/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115562000761297991' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115562000761297991'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115562000761297991'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/cnet-rfid-passports-arrive-for.html' title='CNET: RFID Passports Arrive for Americans'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115578770689084140</id><published>2006-08-16T21:02:00.000-07:00</published><updated>2009-07-04T12:14:08.049-07:00</updated><title type='text'>Managing Employee Access</title><content type='html'>OK, so we have performed our Risk Assessment and classified our assets and data, so we know what we are trying to protect and where it resides.  Next, we need to consider who needs access to which data, and how we are going to facilitate this.&lt;br /&gt;&lt;br /&gt;You can see how important that Risk Assessment is now.  If you don't know what you are trying to protect and where it resides, you don't stand a chance.&lt;br /&gt;&lt;br /&gt;There are two parts to Managing Employee Access.  
The first is authentication; the second is access.&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115578770689084140?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115578770689084140/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115578770689084140' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115578770689084140'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115578770689084140'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/managing-employee-access.html' title='Managing Employee Access'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115568601051610657</id><published>2006-08-15T18:34:00.000-07:00</published><updated>2006-08-15T21:00:28.283-07:00</updated><title type='text'>How to Hack a Bank</title><content type='html'>&lt;p&gt;To illustrate the points we have covered so far, I’d like to share a real-life story with you that happened to me a few months ago. We were hired by the CIO of a large bank in Texas to perform an internal and external penetration test and site assessment. What happened within the first 45 minutes will hopefully shock you. We have been talking about the first steps in building an Information Security Program that really works, and most importantly we are beginning to lay down the foundation of a “layered” security approach. 
This story will clearly illustrate why that is a good idea.&lt;br /&gt;&lt;br /&gt;When I begin to perform a site assessment, I will usually arrive at the bank’s main administrative office 30 minutes before opening. While in the parking lot, I can easily check for wireless devices, and drive around the building looking for possible entrances. I especially look for employee entrances, designated smoking areas, and external telco closet doors. As the traffic begins to pick up in the morning, and the branch is fully open, I will attempt to “piggy-back” an employee into the institution.&lt;br /&gt;&lt;br /&gt;So this is how I began at my client's site. After following an employee into the back door I found myself in the hallway of the building, but all the doors in the hallway were locked! Foiled. I tried the stairway; as this was a two-story building, I thought I might get lucky. No luck, stairway was locked. I found the elevator and tried to go to the 2nd floor . . . no luck . . . keycarded. Next I pressed “B” for Basement. Voilà! I was now heading downstairs, which, by the way, is where the data center was.&lt;br /&gt;&lt;br /&gt;Once downstairs, I again started checking doorways. The doorway to the data center was locked and keycarded, I wasn’t going to be that lucky today! But, lo and behold, the stairway was not locked. I went into the stairway, and made my way to the second floor. On the second floor, I found the onsite hacker’s dream, the TRAINING ROOM! Yes! A room full of exploitable computers, just waiting for keyloggers and pstoreview (a program that gives me all of the usernames and passwords that someone has entered into Internet Explorer). Better yet, the machines were turned on, and logged in! I closed the door slightly, to gain a “moment of obscurity” as they call it in the CIA, cracked my knuckles, plugged in my USB with pstoreview and began . . .&lt;br /&gt;&lt;br /&gt;I started with poking around the Network Neighborhood. 
I immediately found a server with an interesting name, “mail-old”. Hmm, that looks promising. I browsed over to “mail-old”, looked for some shares, and found one called “users”. Went into the users folder, found the President of the Bank’s user folder, opened that (yes, I was surprised I could get this far), and found the CIO’s annual performance review, complete with Salary and performance history. Total time: 30 minutes in the parking lot, 15 minutes onsite. It turns out that “mail-old” was a server that was used for a large file transfer, and then abandoned. The entire bank file system had been copied here a month earlier. Customer data, loan files, account numbers . . . all were mine for the taking. Luckily they were paying me for this.&lt;br /&gt;&lt;br /&gt;This little story clearly identifies how a layered security model is supposed to work, and how each layer could have stopped me, or slowed me down enough to make my attempts unsuccessful. This is what security is all about – you’ll never make a system 100% secure. 100% secure = 0% usable. 100% usable = 0% secure. Somewhere in between is the right spot, but it is a continuum. Any system can be broken, as long as you have the time and resources to work on it. Our job as security experts is to increase the work factor for the attack to such high levels that attack is near impossible or not worth the effort.&lt;br /&gt;&lt;br /&gt;In this example these are only some of the “layers” that could have thwarted my attempt:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Having a keycard that prevented access to the basement. (The stairway door had to remain open as it is the only exit from the basement.) &lt;/li&gt;&lt;li&gt;Training all employees to challenge un-badged or unknown people. &lt;/li&gt;&lt;li&gt;Calling the police when a suspicious person is sitting in the parking lot of your bank for 30 minutes with a laptop. &lt;/li&gt;&lt;li&gt;Segregating the Training and Production networks. 
&lt;/li&gt;&lt;li&gt;Removing old files from the network. &lt;/li&gt;&lt;li&gt;Keeping all file shares restricted to an “as needed” basis. &lt;/li&gt;&lt;li&gt;Not allowing training PCs to log in automatically. &lt;/li&gt;&lt;li&gt;Not leaving PCs logged in un-attended, or using auto-logoff features. &lt;/li&gt;&lt;li&gt;Restricting training PCs from browsing the Network Neighborhood.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The next few blogs will cover the building of the layers needed to create an Information Security Program that really works . . . .&lt;br /&gt;&lt;/p&gt;&lt;p&gt;I welcome all comments!&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:78%;"&gt;Technorati Tags:&lt;br /&gt;&lt;a href="http://technorati.com/tag/Hacking" rel="tag"&gt;Hacking&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:78%;"&gt;&lt;a href="http://technorati.com/tag/Information+Security" rel="tag"&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Intrustion+Prevention" rel="tag"&gt;Intrusion Prevention&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Technology" rel="tag"&gt;Technology&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Bank" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Bank&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Banking" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Banking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Business+Continuity" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Business Continuity&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Consulting" 
rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Consulting&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Compliance" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Compliance&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Computers" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Computers&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Computer+Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Computer Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Data+Security" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Data Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Disaster+Recovery" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Disaster Recovery&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/FFIEC" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;FFIEC&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Forensics" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;Forensics&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/GLBA" rel="tag"&gt;&lt;span style="font-size:78%;"&gt;GLBA&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:78%;"&gt;&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115568601051610657?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115568601051610657/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115568601051610657' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115568601051610657'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115568601051610657'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/how-to-hack-bank.html' title='How to Hack a Bank'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115561127136966582</id><published>2006-08-14T20:04:00.000-07:00</published><updated>2006-08-14T20:09:43.356-07:00</updated><title type='text'>Creating Good Physical Security</title><content type='html'>Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. 
It can be as simple as a locked door or as elaborate as multiple layers of armed guard posts.&lt;br /&gt;&lt;br /&gt;The field of security engineering has identified three elements to physical security: &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;obstacles&lt;/strong&gt;, to frustrate trivial attackers and delay serious ones; &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;alarms, security lighting, security guard patrols or closed-circuit television cameras&lt;/strong&gt;, to make it likely that attacks will be noticed; &lt;br /&gt;&lt;br /&gt;and &lt;strong&gt;security response&lt;/strong&gt;, to repel, catch or frustrate attackers when an attack is detected.&lt;br /&gt;&lt;br /&gt;In a well-designed system, these features must complement each other. For example, the response force must be able to arrive on site in less time than the attacker is expected to require to breach the barriers. The system should also persuade attackers that the likely costs of attack exceed the value of making the attack.&lt;br /&gt;&lt;br /&gt;For example, ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling the money inside when they are attacked. Attackers quickly learned that it was futile to steal or break into an ATM if all they got was worthless money covered in dye.&lt;br /&gt;&lt;br /&gt;Conversely, safes are rated in terms of the time in minutes which a skilled, well-equipped safe-breaker is expected to require to open the safe. (These ratings are developed by highly skilled safe breakers employed by insurance agencies, such as Underwriters Laboratories.) 
In a properly designed system, either the time between inspections by a patrolling guard should be less than that time, or an alarm response force should be able to reach it in less than that time.&lt;br /&gt;&lt;br /&gt;Hiding the resources, or hiding the fact that resources are valuable, is also often a good idea as it will reduce the exposure to opponents and will cause further delays during an attack, but should not be relied upon as a principal means of ensuring security.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Bank" rel="tag"&gt;Bank&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Banking" rel="tag"&gt;Banking&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Business+Continuity" rel="tag"&gt;Business Continuity&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Consulting" rel="tag"&gt;Consulting&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Compliance" rel="tag"&gt;Compliance&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Computers" rel="tag"&gt;Computers&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Computer+Security" rel="tag"&gt;Computer Security&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Data+Security" rel="tag"&gt;Data Security&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Disaster+Recovery" rel="tag"&gt;Disaster Recovery&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/FFIEC" rel="tag"&gt;FFIEC&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Forensics" rel="tag"&gt;Forensics&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/GLBA" rel="tag"&gt;GLBA&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Hacker" rel="tag"&gt;Hacker&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Hacking" rel="tag"&gt;Hacking&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Information+Security" rel="tag"&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;a 
href="http://technorati.com/tag/Intrustion+Prevention" rel="tag"&gt;Intrusion Prevention&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Technology" rel="tag"&gt;Technology&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115561127136966582?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115561127136966582/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115561127136966582' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115561127136966582'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115561127136966582'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/creating-good-physical-security.html' title='Creating Good Physical Security'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115553046525781034</id><published>2006-08-13T21:38:00.000-07:00</published><updated>2006-08-14T07:52:14.660-07:00</updated><title type='text'>Creating an Atmosphere of Risk Management : Part II</title><content type='html'>Continuing from yesterday's post, here are the beginning steps every company must perform to begin the process of Creating an Atmosphere of Risk Management:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Perform an IT Risk Assessment.&lt;/strong&gt; If you haven't assessed the risks within your environment, you cannot begin to build the controls needed to adequately control them. Any policies instituted without this foundation are, at best, without support. 
The interviewing process of a proper Risk Assessment will also help to begin the awareness that this is indeed a serious process that the corporation is 100% invested in.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Classify Your Data.&lt;/strong&gt; The military does this well. How can you possibly control access to your data if you don't know what type of data it is? Do you have regulated data within your company that must follow certain standards? How about Human Resources (HR) data? How about Board Minutes? Financial Data? Marketing Plans? All of these must be put into classifications. Oh, and by the way, I am not talking just about computer data, I mean ALL data. That loan file you left on your desk during lunch? Not acceptable.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Set up an IT Steering Committee.&lt;/strong&gt; If you don't have this, you need to start one now. Besides ensuring that the mandate of Information Technology follows the strategic mission of the corporation, this Committee is also where the standards for security should be ratified.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Set up Board Reporting.&lt;/strong&gt; Each and every meeting of the Board of Directors should contain a time period in which the overall IT Security Risk is reported and evaluated. This furthers the top-down approach needed to bring about total awareness.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Perform Regular Testing and Training.&lt;/strong&gt; Regular testing of security controls, especially regular Social Engineering testing, is paramount to building awareness.&lt;br /&gt;&lt;br /&gt;In my next post, we'll start the next step, which is Creating the Physical Security Perimeter . . . 
.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;Technorati Tags:&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Bank" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Bank&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Banking" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Banking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Business+Continuity" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Business Continuity&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Consulting" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Consulting&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Compliance" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Compliance&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Computers" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Computers&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Computer+Security" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Computer Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Data+Security" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Data Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Disaster+Recovery" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Disaster Recovery&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Forensics" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Forensics&lt;/span&gt;&lt;/a&gt;&lt;span 
style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/GLBA" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;GLBA&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Hacker" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Hacker&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Hacking" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Hacking&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Information+Security" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Information Security&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Intrustion+Prevention" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Intrusion Prevention&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://technorati.com/tag/Technology" rel="tag"&gt;&lt;span style="font-size:85%;"&gt;Technology&lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115553046525781034?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115553046525781034/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115553046525781034' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115553046525781034'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115553046525781034'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/creating-atmosphere-of-risk-management_13.html' title='Creating an Atmosphere of Risk Management : Part II'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115553025611727868</id><published>2006-08-13T21:37:00.000-07:00</published><updated>2006-08-14T07:47:02.273-07:00</updated><title type='text'>Creating an Atmosphere of Risk Management : Part I</title><content type='html'>Greetings,&lt;br /&gt;&lt;br /&gt;Any security professional will tell you that the weakest link in security is always people. Even in the movies, how do the antagonists gain access to secure computer systems? By taking advantage of a person with trusted access. 
So any Information Security Program, in order to be successful, needs to start by building an “Atmosphere of Risk Management” within the organization.&lt;br /&gt;&lt;br /&gt;This atmosphere of security is created through raising the awareness level of all employees and through the direction and example of senior management. We cannot emphasize enough the importance of senior management’s buy-in and involvement in establishing an atmosphere or corporate culture where security is second nature to all employees.&lt;br /&gt;&lt;br /&gt;In many of the organizations for which I perform security assessments, lack of buy-in by senior management is evident through the setup of their user accounts. More often than not, the President, CEO, and other senior managers are found to have special access privileges that include never having to change their passwords. On top of that, their passwords are among the worst in complexity, making them easily cracked by simple dictionary methods.&lt;br /&gt;&lt;br /&gt;How can employees be expected to follow security policies and practices when it is well known that the top managers do not follow those same policies and practices? Corporate culture is created through the actions and attitudes of the organization’s managers. Therefore, the first step in creating an atmosphere of security is for senior management to adhere to, and enforce, the same policies as everyone else.&lt;br /&gt;&lt;br /&gt;Many organizations make the mistake of combining awareness and training, simply calling it security awareness training. Awareness is not training. Awareness is an ongoing process designed to focus employees’ attention on security. Awareness presentations are intended to make individuals recognize information security concerns and respond accordingly.&lt;br /&gt;&lt;br /&gt;Effective IT security awareness presentations must be designed with the understanding that people develop a tuning-out process known as acclimation. 
If the same method of providing information is continually used, no matter how stimulating it is, the recipient will selectively ignore the stimulus. Therefore, awareness presentations must be ongoing, creative, and motivational. Awareness presentations should focus employees’ attention so that the information provided will be incorporated into conscious decision-making. This process, where an individual incorporates new experiences into existing behavior patterns, is called assimilation.&lt;br /&gt;&lt;br /&gt;Learning attained through a single awareness activity will tend to be short-term, immediate, and specific. Repeated awareness activities spread over time improve assimilation. In other words, security awareness training performed once a year will not be assimilated into the existing behavior patterns of individuals. Information Security Officers must develop a program of ongoing security awareness in order to build an atmosphere of security.&lt;br /&gt;&lt;br /&gt;In my next post, I will cover some steps that every organization must take to begin this process . . 
.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Information+Security" rel="tag"&gt;Information Security&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Data+Security" rel="tag"&gt;Data Security&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Hacking" rel="tag"&gt;Hacking&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Hacker" rel="tag"&gt;Hacker&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Data+Security" rel="tag"&gt;Data Security&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Computer+Security" rel="tag"&gt;Computer Security&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Forensics" rel="tag"&gt;Forensics&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/bank" rel="tag"&gt;Bank&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/banking" rel="tag"&gt;Banking&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Disaster+Recovery" rel="tag"&gt;Disaster Recovery&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Business+Continuity" rel="tag"&gt;Business Continuity&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Computers" rel="tag"&gt;Computers&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Intrustion+Prevention" rel="tag"&gt;Intrusion Prevention&lt;/a&gt;&lt;br /&gt;&lt;a href="http://technorati.com/tag/Technology" rel="tag"&gt;Technology&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script type="text/javascript"&gt;&lt;!--
//--&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/32586490-115553025611727868?l=www.security-gurus.net' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115553025611727868/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115553025611727868' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115553025611727868'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115553025611727868'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/creating-atmosphere-of-risk-management.html' title='Creating an Atmosphere of Risk Management : Part I'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115542977735960491</id><published>2006-08-12T17:28:00.000-07:00</published><updated>2006-08-12T18:11:31.960-07:00</updated><title type='text'>3 Year Old Girl At John Wayne Airport Might Be Hezbollah</title><content type='html'>Our airline security is so worthless.  I was coming back from a trip to Dallas this week and saw a little three year old girl exiting the extended security search area of the TSA.  She could barely walk, but she was putting her shoes back on.  This is just getting silly.  Is she a terrorist?&lt;br /&gt;&lt;br /&gt;Isn't it time to institute the national ID card?  Isn't there any better way to control who is on the airplane?  
At least let us frequent business travelers have an easy-pass lane or something.&lt;br /&gt;&lt;br /&gt;And let's think a little beyond airports . . . isn't any area where a lot of people congregate a target?  How are you going to control that?  Any Football game, or better yet, Baseball, the American Tradition.  You could sneak the bomb past security in an apple pie for insult.&lt;br /&gt;&lt;br /&gt;With so much technology in the security arena available to us, can't we find a better way?  C'mon President Bush!  Israel has airplanes, and they don't seem to have any airport trouble.  But now I can't have toothpaste?  Sweet, I can't wait until the next guy who has been flying for 5 hours, and hasn't brushed his teeth in days, falls asleep on my shoulder.</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115542977735960491/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115542977735960491' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115542977735960491'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115542977735960491'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/3-year-old-girl-at-john-wayne-airport.html' title='3 Year Old Girl At John Wayne Airport Might Be Hezbollah'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115535994263071557</id><published>2006-08-11T22:12:00.000-07:00</published><updated>2006-08-11T22:24:16.820-07:00</updated><title type='text'>Building A Information Security Management Program That Works!</title><content type='html'>&lt;p&gt;Greetings! Over the next couple of days I will outline the basic steps for creating an Information Security Program that really works. There are seven major areas, listed below, that I'll be covering over the coming days and weeks. Stay tuned . . . . &lt;/p&gt;&lt;p&gt;If you have any questions you would like answered, feel free to email me at &lt;a href="mailto:securityguru@dot73.net"&gt;securityguru@dot73.net&lt;/a&gt;, or just post a comment!&lt;/p&gt;&lt;p&gt;1. 
Create an Atmosphere of Risk Management&lt;/p&gt;&lt;p&gt;2. Create Physical Security Perimeter&lt;/p&gt;&lt;p&gt;3. Manage Employee Access&lt;/p&gt;&lt;p&gt;4. Have Good Internal Controls&lt;/p&gt;&lt;p&gt;5. Protect Against Malicious Code&lt;/p&gt;&lt;p&gt;6. Implement Training and Testing Programs&lt;/p&gt;&lt;p&gt;7. Prepare for Disaster&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115535994263071557/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115535994263071557' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115535994263071557'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115535994263071557'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/building-information-security.html' title='Building A Information Security Management Program That Works!'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-32586490.post-115533345590252049</id><published>2006-08-11T14:57:00.000-07:00</published><updated>2006-08-11T14:57:35.903-07:00</updated><title type='text'>Theft of laptop puts thousands of identities at risk | CNET News.com</title><content type='html'>This is from CNET News yesterday. Why in the world is this type of data allowed on laptops? And why are these laptops allowed outside a controlled environment? 
And why aren't these laptops full-disk encrypted, or using something like &lt;a href="http://www.beachheadsolutions.com"&gt;www.beachheadsolutions.com&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://news.com.com/Theft+of+laptop+puts+thousands+of+identities+at+risk/2100-1029_3-6104753.html?tag=cd.top"&gt;Theft of laptop puts thousands of identities at risk | CNET News.com&lt;/a&gt;: "Theft of laptop puts thousands of identities at risk&lt;br /&gt;Thieves take a U.S. Department of Transportation notebook with personal information on 133,000 Florida residents.&lt;br /&gt;By Joris Evers&lt;br /&gt;Staff Writer, CNET News.com&lt;br /&gt;&lt;br /&gt;Published: August 11, 2006, 12:46 PM PDT&lt;br /&gt;A U.S. Department of Transportation laptop with personal information on 133,000 Florida residents has been stolen, exposing the data to identity fraud.&lt;br /&gt;The computer was taken from a government-owned vehicle on July 27 in the Miami area, the agency said in a statement Wednesday. The password-protected laptop was assigned to a special agent in the Miami arm of the department's Office of Inspector General, it said.&lt;br /&gt;While the laptop did not contain financial or medical information, four databases with identifiable information were stored on it. The details included names, Social Security numbers, dates of birth and addresses in databases covering holders of Florida pilot's and driver's licenses, both commercial and personal.&lt;br /&gt;The databases were being used in an investigation into the use of fraudulent information to obtain commercial driver's or pilot's licenses, the Department of Transportation said.&lt;br /&gt;There is no indication that the thief or thieves took the computer because of its contents. 
Still, steps are being taken to protect and inform Florida residents and to recover the laptop, the agency said.&lt;br /&gt;The incident is the latest in a long string of data security breaches. The U.S. Department of Veterans Affairs is still recovering from the theft of a laptop and external hard disk drive that exposed the identities of 26.5 million veterans. Others that have lost"</content><link rel='related' href='http://news.com.com/Theft+of+laptop+puts+thousands+of+identities+at+risk/2100-1029_3-6104753.html?tag=cd.top' title='Theft of laptop puts thousands of identities at risk | CNET News.com'/><link rel='replies' type='application/atom+xml' href='http://www.security-gurus.net/feeds/115533345590252049/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=32586490&amp;postID=115533345590252049' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115533345590252049'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/32586490/posts/default/115533345590252049'/><link rel='alternate' type='text/html' href='http://www.security-gurus.net/2006/08/theft-of-laptop-puts-thousands-of.html' title='Theft of laptop puts thousands of identities at risk | CNET News.com'/><author><name>KDG</name><uri>http://www.blogger.com/profile/13497319484974935631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://photos1.blogger.com/blogger/6259/322/1600/KarnIMPhoto.jpg'/></author><thr:total>0</thr:total></entry></feed>
