Wednesday, July 28, 2010

Hackers say Browsers are a Source of Private Data

Good hackers are always worth listening to. They generally have a very high skill level and love to talk about their conquests, which means they are a good source for identifying vulnerabilities in systems. At the Black Hat conference this week in Las Vegas, which is a conference of highly skilled hackers, a speaker pointed out that browsers can be used to obtain private information such as bank account login information if the "Auto Complete" function is turned on. It takes a special tool to extract the information, but nevertheless, one assumes that the tools are not hard for the hackers to obtain. It's well known that the history files in browsers present a similar risk, but the Auto Complete function is not as well known.

Useful people, those hackers! See a writeup on this presentation at this site.

Monday, July 26, 2010

Information Leakage

Increased use of a variety of new and powerful electronic devices, like mobile smart phones and printers with hard drives, points to a growth in the problem of information leakage. An organization can have reasonably good systems controls and procedures and yet be subject to information leakage, because the new advanced devices bring in exposures that were never considered when the policies were put into place, either because the devices didn't exist or because they weren't present in the system at that time. This short article in ISACA Now points to a few of the exposures and stresses the importance of awareness.

What information leakage means is that increased vigilance is necessary when adding a device to a system: vigilance to watch for features of the new device that can drain off information and then inadvertently expose it to unauthorized persons. It also means reviews with the objective of identifying information leakage risks and exposures.

Friday, July 23, 2010

ISSA International Conference Coming Up

The ISSA International Conference is scheduled for Sept 15th to 17th in Atlanta, Ga. The theme is Connect and Collaborate.

In the words of the organizers:

The CONNECT & COLLABORATE theme of the 2010 International Conference can be meaningful to information security professionals in a variety of ways: The world is becoming more CONNECTed and we must embrace this free exchange of information, yet maintain the safeguards to protect confidential data and personal privacy. We COLLABORATE in internal work groups to construct effective security while fostering productivity in the new world of mobile devices. As Information Security professionals we are asked to CONNECT many different disciplines ranging from technical to legal compliance. And we COLLABORATE as a professional community sharing our hard-won knowledge and valuable lessons learned through programs like the ISSA International Conference to deter breaches and cybercriminals.

For registration and more information, check out the site.

Wednesday, July 21, 2010

Deloitte Survey Focuses on Cyber-Warfare

Deloitte has released its 2010 Financial Services Survey, which heralds a new era in information security. The survey focuses on the fact that the major security threats are now coming not from kids in the basement but from organized crime and other countries with subversive intentions. These groups are pouring immense resources into their efforts. Of course, that raises the stakes for security professionals, and the survey is beginning to reflect some of this reality. For example, more companies have their chief security officer reporting directly to the CIO.

The survey is comprehensive, and part of it reports on the top security issues for 2010. These include governance and budgets (no surprise there). Some of the companies are raising their budgets despite the recession, although some of this reflects an emergence from the recession, as with companies in Canada, where the recovery has been stronger and earlier than in many other countries.

The survey is a must read for security professionals. It can be downloaded from the Deloitte site, and on the same page there is also a 20-minute discussion of the results.

Tuesday, July 20, 2010

Using the Cloud to Address Cloud Security

The cloud has raised security concerns to higher levels, and has become the focus of a new generation of hackers. But the cloud, through the use of virtual computers, has tremendous computing capacity as well - capacity that can be used to fight the hackers. A new service does just that.

"The service, known as WPA Cracker, is one of the first hacking services to rely on cloud computing. WPA Cracker went live on Monday--it uses pay-as-you-go cloud computing resources to search for an encrypted WiFi Protected Access (WPA) password from 135 million different possibilities, says creator and hacker Moxie Marlinspike. Normally the task would take a single computer about five days, but WPA Cracker uses a cluster of 400 virtual computers and high-performance computing techniques. It takes only 20 minutes, he says."

The cloud is a logical venue for a security dogfight. But new services like this one will benefit all users, whether in the cloud or not. For an interesting article on WPA Cracker, see this site.

Thursday, July 15, 2010

Dangers of Outsourcing

Although there are constant reminders out there, many companies still don't seem to realize that while you can outsource IT functionality, you can't outsource security, much less responsibility for it. A recent Gartner Report shows that this is one of the vague areas in many outsourcing contracts.

Lawleaf, a web-based financial services company, outsourced its IT functions - obviously very critical to its operations - and suffered a massive SQL injection attack that compromised its systems and almost put it out of business. It makes an interesting case study, which is outlined at this site.

Wednesday, July 14, 2010

Training Staff in Mobile Computing

Mobility is the new standard business practice. There is no getting away from it. It's convenient and makes staff more productive. But there are risks, and no matter how many controls have been put into place, such as required VPNs and skeleton laptops, the staff themselves need to take precautions against having the data or the hardware hijacked.

These precautions range from simply taking care of the actual hardware to prevent it from being stolen, to not doing business over public networks, to turning off wireless and Bluetooth functions when they are not in use.

It's important that staff be trained in this usage and, to the extent possible, that compliance procedures be put in place. For an excellent article on the precautions that should be considered, follow this link.

Friday, July 9, 2010

SSL Configuration is Critical

Almost every website out there uses SSL in some way for security. In fact, it's used so much and has such a good reputation that people tend to ignore it and don't pay attention to its shortfalls - or at least shortfalls in the way in which it is installed.

There is scope for a periodic review of any SSL installation: to see which version of SSL is used (whether it's up to date), to look for configuration weaknesses in the type of Web server being used, and to check configuration issues such as cipher suites and protocol support.

Not only can such a review improve security, it can avoid scaring customers away with false security messages, such as invalid certificates.

For an article on this idea, check out this link.
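The kind of configuration review described above, as an added example that is not from the article or the linked site: a small Python checker that reads nginx-style `ssl_protocols` / `ssl_ciphers` directives (the directive format is an assumption of the example) from a constructed weak server block and a hardened one, and reports obsolete protocol versions, weak cipher suites, missing forward secrecy and client-chosen suite ordering.

```python
import re

# Constructed nginx-style server blocks (the directive names are an assumption
# of this example, not something the article discusses).
WEAK_CONF = """
server {
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers RC4-MD5:DES-CBC3-SHA:EXP-RC4-MD5:AES128-SHA;
}
"""
STRONG_CONF = """
server {
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
}
"""
# Protocol versions a periodic review should flag as obsolete.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Tokens in an OpenSSL cipher name that indicate a weak or broken algorithm.
WEAK_CIPHER_TOKENS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def _directive(conf, name):
    """Return the whitespace-split value of the first `name ...;` directive."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", conf, re.MULTILINE)
    return m.group(1).split() if m else []


def review_tls_config(conf):
    """Return a list of human-readable findings for one server block."""
    findings = []
    protocols = _directive(conf, "ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set: server defaults apply")
    findings += [f"obsolete protocol enabled: {p}" for p in protocols if p in WEAK_PROTOCOLS]

    cipher_value = _directive(conf, "ssl_ciphers")
    for suite in (cipher_value[0].split(":") if cipher_value else []):
        if suite.startswith("!"):  # "!RC4"-style exclusions are not findings
            continue
        hits = [t for t in WEAK_CIPHER_TOKENS if t in suite.upper()]
        if hits:
            findings.append(f"weak cipher suite: {suite} ({', '.join(hits)})")
        elif not suite.startswith(("ECDHE", "DHE")):
            findings.append(f"no forward secrecy: {suite}")

    if _directive(conf, "ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on: client picks the suite")
    return findings
```

Running `review_tls_config` on the weak block yields eight findings; the hardened block yields none.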

Wednesday, July 7, 2010

2010 Survey of 250 Professionals

A survey done in 2010 by nCircle of 250 security professionals finds that the leading security concern for 2010 is meeting security compliance requirements, and more than 94 percent of respondents said they expect security breaches to increase in 2010. On the positive side, more than 66 percent of respondents feel their executives are more aware of security issues than they were a year ago.

The survey covers a wide range of security concerns, from cloud computing to mobile computing to social networks. It's a very contemporary view of the current IT security scene. You can download the report from this site.

Friday, July 2, 2010

Point of Sale Systems Pose a Threat

Hackers have been exploiting point of sale systems that store credit card data and are also connected to the Internet. This is done by guessing the password that is used for remote administration of the system, or else by exploiting known bugs in the particular system.

A recent casualty is Destination Hotels & Resorts, a high-end chain best known for its resort hotels in destinations such as Vail, Colorado; Lake Tahoe, California; and Maui, Hawaii. Hackers may have stolen the credit card numbers of guests who have stayed there. How many is anybody's guess, apparently. Similar episodes have occurred at Wyndham, another big hotel chain. For a report on the latest, see this link.

It points to the need for good security over such systems, including strong access control over admin accounts and staying on top of system bugs and the related vulnerabilities.