Shoaib Yousuf

Intrusion Detection for Embedded Control Systems

2012-02-24T20:59:00.002+11:00

Digital Bond's SCADA Security Scientific Symposium (S4)

S4 did include one paper from academia, IDS for Embedded Control Systems presented by Jason Reeves of Dartmouth College and the TCIPG effort. Jason and a TCIPG team had previously developed a research product called Autoscopy and have recently enhanced it in Autoscopy Jr.

The primary purpose of Autoscopy Jr. is to detect rootkits on embedded control systems while limiting the overhead to less than 5%. The primary method is to monitor the sequence of executed instructions in a learning phase and then detect behavior that is indicative of rootkits. Jason refers to it as something akin to function level whitelisting.

It’s a detailed technical talk worth watching if you are interested in the future of IDS in PLC’s, RTU’s and other field devices. The performance testing showed it was under the 5% threshold and there were ways to improve the performance further by identifying the most resource intensive Kprobes.

The effectiveness is an open question. The team did test this against 15 rootkits that attempted control flow hijacking, but there was not a set of real world embedded system rootkits to test against.

Refer here to watch the presentation video.

Half of the Fortune 500 companies are still infected with DNSChanges Virus!

2012-02-22T18:03:00.000+11:00

FBI could take down Internet for millions on March 8

On March 8, the FBI may be forced to shut down DNS servers, originally installed to stop the spread of the DNSChanger virus, which would cut off Internet access to millions of Web users worldwide.

The Federal Bureau of Investigation may soon be forced to shut down a number of key Domain Name System (DNS) servers, which would cut Internet access for millions of Web users around the world, reports BetaBeat.

The DNS servers were installed by the FBI last year, in an effort to stop the spread of a piece of malware known as DNSChanger Trojan. But the court order that allowed the set up of the replacement servers expires on March 8.

In November of last year, authorities arrested six men in Estonia for the creation and spread of DNSChanger, which reconfigures infected computers’ Internet settings, and re-routes users to websites that contain malware, or other illegal sites. DNSChanger also blocks access to websites that might offer solutions for how to rid the computer of its worm, and often comes bundled with other types of malicious software.

By the time the FBI stepped in, DNSChanger had taken over computers in more than 100 countries, including half-a-million computers in the US alone. To help eradicate the widespread malware, the FBI replaced infected servers with new, clean servers, which gave companies and individuals with infected computers time to clean DNSChanger off their machines.

Unfortunately, DNSChanger is still running on computers “at half of the Fortune 500 companies,” and at “27 out of 55 major government entities,” reports cybersecurity journalist Brian Krebs. These computers rely on the FBI-installed DNS servers to access the Web. But if the court order is not extended, the FBI will be legally required to remove the clean servers, which would cut off the Internet for users still infected with DNSChanger.

Companies or other agencies that are unsure whether their systems are infected with DNSChanger can get free assistance here. And private users can find out if they are infected using instructions provided here.

Learn the process of documentation writing to implement ISO 27001

2012-02-20T21:37:00.000+11:00

ISO 27001 Video Tutorials

One of the biggest obstacles for companies starting to implement ISO 27001 is writing various documents required by this information security standard.

Information Security & Business Continuity Academy has launched ISO 27001 Video Tutorials, a new product that facilitates the process of documentation writing.

According to ISO Survey of Certifications published by the International Organization for Standardization (ISO), ISO 27001 is within the 5 most popular management standards, and is also one of the standards with the highest growth in the number of certified companies – about 20% annually.

However, the fact that a large percentage of companies that have started to implement this standard never finish the job is less known. The reason for failure is very often insufficient time or lack of knowledge for writing the documentation – ISO 27001 has very specific requirements about how the documentation should look like.

At the moment 13 video tutorials are available, and each month 2 new tutorials will be published. A total of 50 video tutorials are planned, which will cover all the steps in ISO 27001 implementation – from setting up the project all through successful certification.

Dejan Kosutic, the author of the video tutorials said:

"I've worked with quite many companies as a consultant, and most of those companies struggle with the same thing – how to fill in the documentation. I believe these video tutorials will increase the success rate of ISO 27001 projects by at least 25%, and increase the speed of implementation by 50%".

Typical duties of an Incident Handler / Incident Response Teams

2012-02-18T21:31:00.000+11:00

Seven Typical Tasks of Incident Handling

The typical areas of performance by an incident handler are found in most incident response (IR) teams. The following are the primary responsibilities of the handler personnel and describe a typical day (if that actually exists) for an IR team member:

Analyzing reports—All incidents are usually reported to the IR team after or, hopefully, during the incident. These reports are analyzed to identify the type of activity, its potential impact, its scope, how many systems are involved, whether it’s local or larger, and whether it’s a known type of attack. These areas are all analyzed first during the initial response efforts.

Analyzing logs—Evaluating any logs, suspect files or artifacts is a prime responsibility of incident handlers. The network logs, system logs, router logs, firewall logs, sniffer logs, application logs, any supporting information and possibly even the incident artifacts are analyzed to help identify the systems, possibly other sites involved in the incident, and the methods of ingress and attack.

Researching background information—What were the first steps taken by the attackers? When was the affected system last patched? When and where did the attackers enter the network? Identifying the hosts, systems and IP addresses from the attack location or attack vector provides important support information to help prevent future attacks and to isolate potential vulnerabilities in the security posture of the compromised system or network.

Monitoring system and network logs—Watching the system or network once the attack or compromise is discovered can add to the data and information needed to further secure the system in the future. A handler could determine if the compromise is still active by evaluating the logs currently being recorded and may possibly catch the perpetrator in the act.

Technical assistance—Providing technical assistance, whether it is over the phone or by sending an e-mail with a source document and suggestions or steps for recovery, is part of the handler’s duties.

The team may have a web site with all the necessary documentation or there may be a repository of defined information for the organization; in either case, the handler would update this as part of his/her technical assistance responsibilities.

Coordinating and sharing information—The handler will coordinate information with the various affected units within the organization and, possibly, with outside organizations.

Collaboration improves response efforts, and information sharing helps the responders react and contain at a much faster rate than what was seen in the past, so this part of the handler’s job has become much larger in recent years. Tracking of tasks, contacting software and hardware vendors for data research, and preparing briefings and reports are all part of this task.

Other duties—Typically, if the incident warrants it, the handler will assist law enforcement with incidents that involve the criminal element. The handler can be, and is often, called upon to provide detailed expert testimony on previous cases and incidents. He/she also could be tasked with supporting the notification activities of victims of unauthorized release of data.

Current State of SCADA Security 'Laughable'

2012-02-16T20:17:00.000+11:00

Many of the systems that are now exposed to the Internet were not designed with that connectivity in mind

Researchers have been speaking publicly about some of them for a couple of years now, and a group recently discussed a huge set of vulnerabilities it found during an extended project looking at PLCs (programmable logic controllers). That talk at the S4 conference showed just how vulnerable such systems are to a wide variety of attacks.

"It's a blood bath mostly," said Reid Wightman, a consultant at Digital Bond, said during that conference last month. "Many of these devices lack basic security features."

During talks on SCADA security problems at the Kaspersky-Threatpost Security Analyst Summit here Friday, several other researchers talked about the serious issues inherent in these ICS installations, and the picture they painted is one of systemic problems and a culture of naivete about security in general.

Terry McCorkle, an industry researcher, discussed a research project he did with Billy Rios in which they went looking for bugs in ICS systems, hoping to find 100 bugs in 100 days. That turned out to be a serious underestimation of the problem.

"It turns out they're stuck in the Nineties. The SDL doesn't exist in ICS," McCorkle said. "There are a lot of ActiveX and file format bugs and we didn't even bother looking at problems with services. Ultimately what we found is the state of ICS security is kind of laughable."

McCorkle and Rios, who reported all of their findings to the affected vendors and through the ICS-CERT, found that the basic security model underlying the ICS systems that run critical services such as power, water and others, is completely inadequate.

Many of the systems that are now exposed to the Internet were not designed with that connectivity in mind, and some of them now have mobile interfaces that can be run on smartphones, leading to an entirely new set of issues.

"People are gonna get owned, it's going to hurt," McCorkle said. "These HMIs are listening, they're out there and they give access to these systems that are supposed to be segregated."

Tiffany Rad, a computer science professor at the Universiry of Southern Maine and an intellectual property attorney, said during her talk here on vulnerabilities in the ICS systems at correctional facilities that there is a serious, overarching set of problems that needs to be addressed.

"Security through obscurity no longer works with SCADA," she said. "The belief that PLCs are not vulnerable because they're not connected to the Internet is not true."

It would cost hundreds of billions of dollars to fix these problems physically. The only solution is [user] training."

Microsoft's India store hacked

2012-02-14T18:53:00.004+11:00

Microsoft website saying "unsafe system will be baptized"

Hackers, allegedly belonging to a Chinese group called Evil Shadow Team, struck at www.microsoftstore.co.in on Sunday night, stealing login ids and passwords of people who had used the website for shopping Microsoft products.

While it is troublesome that hackers were able to breach security at a website owned by one of the biggest IT companies in the world, it is more alarming that user details - login ids and passwords - were reportedly stored in plain text file, without any encryption.

Following the hack, the members of Evil Shadow Team, posted a message on the Microsoft website saying "unsafe system will be baptized". The story was first reported by www.wpsauce.com.

Later, the website seemed to have been taken offline by Microsoft. We advise the users at Microsoft India Store to change the password as soon the website comes online. Also, if they have used the same password or login id on any other web service, they should change it immediately.

Last year, hacker groups like Lulzsec had carried out several-profile high profile break-ins, putting focus on the security measures companies put in place. Sony allegedly suffered several security breaches and hackers stole user ids and passwords of customers from its network.

In a message posted on a website called Pastebin, Lulzsec claimed the group was bringing attention to the web security. "Do you think every hacker announces everything they've hacked? We certainly haven't, and we're damn sure others are playing the silent game. Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn't silently sitting inside all of these right now," the group wrote.

But the incident at Microsoft Store on Sunday hints that lessons have not been learnt. Just like Sony, which later revealed that user ids and passwords were not encrypted at the time of security breach, Microsoft too seemed to have been casual about handling the user details by storing them in a plain text file.

Free Security eBook [Compliance and Beyond]

2012-02-13T19:17:00.003+11:00

Toward a Consensus on Identity Management Best Practices

I would like to recommend a Web Security eBook [Compliance and Beyond: Toward a Consensus on Identity Management Best Practices] to learn best practices for identity management and IT security for the Energy industry.

For more than a decade, government and industry bodies around the world have issued a growing number of regulations for the energy industry designed -- in whole or in part -- to ensure the security, integrity and confidentiality of personal and corporate data. Combined, these individual regulatory guidelines outline what constitutes best practices in identity management and IT security.

It's limited time offer, PDF version.

Free Download: http://tinyurl.com/7kbgm8w

Trojan rounds up and steals Word and Excel docs

2012-02-09T18:30:00.001+11:00

Malware Uses Sendspace to Store Stolen Documents

Beware of bogus FedEx emails asking you to review a shipment notification - the attached Fedex_Invoice.exe is actually a downloader Trojan that opens you computer to other pieces of malware.

In this particular case spotted by Trend Micro researchers, it downloads and executes a Trojan that searches for and snatches MS Word and Excel documents from the infected machine.

"The collected documents are then archived and password-protected using a random-generated password in the user’s temporary folder," they share. And after creating the archive, it sends it to sendspace.com, a file hosting service that allows its users to send, receive, track and share files.

Once the archive is uploaded, the malware retrieves the Sendspace download link, and then sends it to the C&C server operated by the crooks along with the password needed to open it.

This is not the first time that Sendspace has been used by cyber thieves to store stolen data, and the same can be said for other free online hosting services.

Unfortunately, the criminals have realized that these legitimate services allow them to forgo the need of operating their own drop zones.

Ten little things to secure your online presence

2012-02-07T09:31:00.002+11:00

Life online can be a bit of a minefield, especially when it comes to avoiding malicious hacker attacks.

Here’s some basic advice on the tools and tricks you can implement immediately to secure your identity and online presence.

You’ve all heard the basic advice — use a fully updated anti-malware product, apply all patches for operating system and desktop software, avoid surfing to darker parts of the Web, etc. etc.

Those are all important but there are a few additional things you can do to secure your online presence and keep hackers at bay. Here are 10 little things that can provide big value:

1. Use a Password Manager

Password managers have emerged as an important utility to manage the mess of creating strong, unique passwords for multiple online accounts. This helps you get around password-reuse (a basic weakness in the identity theft ecosystem) and because they integrate directly with Web browsers, password managers will automatically save and fill website login forms and securely organize your life online.

Some of the better ones include LastPass, KeePass, 1Password, Stenagos and Kaspersky Password Manager. Trust me, once you invest in a Password Manager, your life online will be a complete breeze and the security benefits will be immeasurable.

2. Turn on GMail two-step verification

Google’s two-step verification for GMail accounts is an invaluable tool to make sure no one is logging into your e-mail account without your knowledge. It basically works like the two-factor authentication you see at banking sites and use text-messages sent to your phone to verify that you are indeed trying to log into your GMail. It takes a about 10-minutes to set up and can be found at the top of your Google Accounts Settings page. Turn it on and set it up now.

While you’re there, you might want to check the forwarding and delegation settings in your account to make sure your email is being directed properly. It’s also important to periodically check for unusual access or activity in your account. You can see the last account activity recorded at the bottom of GMail page, including the most recent IP addresses accessing the account.

3. Switch to Google Chrome and install KB SSL Enforcer

With sandboxing, safe browsing and the silent patching (auto-updates), Google Chrome’s security features make it the best option when compared to the other main browsers. I’d also like to emphasize Google’s security team’s speed at fixing known issues, a scenario that puts it way ahead of rivals.

Once you’ve switched to Chrome, your next move is to install the KB SSL Enforcer extension, which forces encrypted browsing wherever possible. The extension automatically detects if a site supports SSL (TLS) and redirects the browser session to that encrypted session. Very, very valuable.

4. Use a VPN everywhere

If you’re in the habit of checking e-mails or Facebook status updates in coffee shops or on public WiFi networks, it’s important that you user a virtual private network (VPN) to encrypt your activity and keep private data out of the hands of malicious hackers.

The video above explains all you need to know about the value of VPNs and how to set it up to authenticate and encrypt your web sessions. If you use public computers, consider using a portable VPN application that can run off a USB drive.

5. Full Disk Encryption

The Electronic Frontier Foundation (EFF) has made this a resolution for 2012 and I’d like to echo this call for computer users to adopt full disk encryption to protect your private data. Full disk encryption uses mathematical techniques to scramble data so it is unintelligible without the right key.

This works independently of the policies configured in the operating system software. A different operating system or computer cannot just decide to allow access, because no computer or software can make any sense of the data without access to the right key. Without encryption, forensic software can easily be used to bypass an account password and read all the files on your computer.

Here’s a useful primer on disk encryption and why it might be the most important investment you can make in your data. Windows users have access to Microsoft BitLocker while TrueCrypt provides the most cross-platform compatibility.

6. Routine Backups

If you ever went through the sudden death of a computer or the loss of a laptop while travelling, then you know the pain of losing all your data. Get into the habit of automatically saving the contents of your machine to an external hard drive or to a secure online service.

Services like Mozy, Carbonite or iDrive can be used to back up everyone — from files to music to photos — or you can simply invest in an external hard drive and routinely back up all the stuff you can’t afford to lose. For Windows users, here’s an awesome cheat sheet from Microsoft.

7. Kill Java

Oracle Sun’s Java has bypassed Adobe software as the most targeted by hackers using exploit kits. There’s a very simple workaround for this: Immediately uninstall Java from your machine. Chances are you don’t need it and you probably won’t miss it unless you’re using a very specific application. Removing Java will significantly reduce the attack surface and save you from all these annoying checked-by-default bundles that Sun tries to sneak onto your computer.

8. Upgrade to Adobe Reader X

Adobe’s PDF Reader is still a high-value target for skilled, organized hacking groups so it’s important to make sure you are running the latest and greatest version of the software. Adobe Reader and Acrobat X contains Protected Mode, a sandbox technology that serves as a major deterrent to malicious exploits.

According to Adobe security chief Brad Arkin says the company has not yet been a single piece of malware identified that is effective against a version X install. This is significant. Update immediately. If you still distrust Adobe’s software, you may consider switching to an alternative product.

9. Common sense on social networks

Facebook and Twitter have become online utilities and, as expected, the popular social networks are a happy hunting ground for cyber-criminals. I strongly recommend against using Facebook because the company has no respect or regard for user privacy but, if you can’t afford to opt out of the social narrative, it’s important to always use common sense on social networks.

Do not post anything sensitive or overly revealing because your privacy is never guaranteed. Pay special attention to the rudimentary security features and try to avoid clicking on strange video or links to news items that can lead to social engineering attacks. Again, common sense please.

10. Don’t forget the basics

None of the tips above would be meaningful if you forget the basics. For starters, enable Windows Automatic Updates to ensure operating system patches are applied in a timely manner. Use a reputable anti-malware product and make sure it’s always fully updated.

Don’t forget about security patches for third-party software products (Secunia CSI can help with this). When installing software, go slowly and look carefully at pre-checked boxes that may add unwanted crap to your machine. One last thing: Go through your control panel and uninstall software that you don’t or won’t use.

Criminals hit the jackpot in Victoria with $55K lottery scam

2012-02-04T08:35:00.002+11:00

CRIME syndicates are setting up fake lotteries to swindle Australians with promises of windfall jackpots.

A Victorian (Australia) man has become the latest victim, losing $55,000 in bogus administration fees when he tried to claim a supposed $4.5 million fortune. The theft is one of the biggest lottery fraud losses reported to Consumer Affairs Victoria.

The man told the watchdog and police that he transferred the cash after responding to an email sent to his wife advising of the massive win. Sources said there was little hope of retrieving the money because lottery fraudsters were normally based overseas and avoided detection through reinventing themselves.

The man, who declined to be named and has not told all of his family about the theft, was ordered to keep details of the lottery win secret. The scammers later claimed they had transferred the $4.5 million but the International Monetary Fund had stopped the payment and a 3 per cent fee was required to access it.

Con artists siphon at least $3 million a year from Australians through phony lotteries and sweepstake offers that steal cash or bank details, the Australian Competition and Consumer Commission says.

CAV director Dr Claire Noone said people should be suspicious of any texts, emails or mail claiming that they've won or could win a fortune.

"The scammer will inform consumers they've won a large amount of money or a holiday and they need to send money to claim it," Dr Noone said.

"Scammers often say this money is needed to cover the costs of taxes or administration fees. Once you send the payment overseas though, the scammer pockets the fee and the prize never arrives."

CAV received 6770 reports about various scams last financial year, up 44 per cent on the previous year.

TIPS TO AVOID GETTING RIPPED OFF

Never send money, credit card or bank details, or personal information to someone you don’t know.
Beware of claims to provide you with instant income or winnings.
Do not give out information over the phone unless you made the call or know the number.
If you fall victim to a scam email, change your email address as soon as possible to avoid further contact.

Source: Consumer Affairs Victoria

Password Security is MUST - Remember To Change Them Frequently!

2012-01-31T21:23:00.002+11:00

Your Not-So-Secret Password

Every day, millions of people create accounts on millions of websites. The sites range from online banking to social media, from photo sharing to online pharmacies.

Some developers of these sites have found a way to make the sign-up process easier by allowing new users to sign up using their Facebook, Twitter and other accounts. Because opting in to this type of sign up is so simple, many people do it.

What they may not realize is that they have now shared their social media and/or email passwords with several entities. While those organizations may not proactively use those passwords for their own nefarious activities, they may not be taking all the necessarily security steps to protect them from hackers or other inappropriate use.

My best tip for passwords is this: If you don't want to maintain a large number of different passwords for each site, establish a set of passwords based upon the types of sites you're using. For example, use one password for the set of social network sites you use.

Use a different password for your email accounts, and a different password for your sites where you do financials transactions (such as banks, credit card companies, etc.).

Make sure your passwords are GOOD passwords! They should be a combination of numbers, letters and, if possible, special characters. And it's worth repeating: Never use the same passwords on your financial sites as you do with your email or social media accounts.

One final reminder about passwords: Remember to change them frequently. I know a friend whose Facebook password was possibly compromised after a friend posted a video to my wall that looked legitimate. Because he knew the friend well, he clicked it. He later quickly realized it was not a legitimate link and changed his password right away. Thankfully, he caught it before any real damage was done.

Gartner: 2012 Information Technology Predictions and Trends

2012-01-30T15:04:00.001+11:00

Gartner has issued a full report titled "Gartner's Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away"

Gartner, Inc. issued a press release announcing it’s 2012 list of top predictions and trends for IT organizations and users. Highlighted are key trends like Cloud Computing, Social Business, Big Data, Security, and Mobile. The predictions and trends made by Gartner align closely with the research I am conducting for my HorizonWatching 2012 Trends report due out in early January.

The eleven predictions from Gartner are as follows

Cloud Services: By 2015, low-cost cloud services will cannibalize up to 15 percent of top outsourcing players' revenue.

Social & Collaboration Platforms: In 2013, the investment bubble will burst for consumer social networks, and for enterprise social software companies in 2014.

Enterprise Email: By 2016, at least 50 percent of enterprise email users will rely primarily on a browser, tablet or mobile client instead of a desktop client.

Mobile Apps: By 2015, mobile application development projects targeting smartphones and tablets will outnumber native PC projects by a ratio of 4-to-1.

Cloud Security: By 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service.

Public Clouds: At year-end 2016, more than 50 percent of Global 1000 companies will have stored customer-sensitive data in the public cloud.

IT Budget Management: By 2015, 35 percent of enterprise IT expenditures for most organizations will be managed outside the IT department's budget.

Asia Sourcing: By 2014, 20 percent of Asia-sourced finished goods and assemblies consumed in the U.S. will shift to the Americas.

Cybercrime: Through 2016, the financial impact of cybercrime will grow 10 percent per year, due to the continuing discovery of new vulnerabilities.

Cloud & Sustainability: By 2015, the prices for 80 percent of cloud services will include a global energy surcharge.

Big Data: Through 2015, more than 85 percent of Fortune 500 organizations will fail to effectively exploit big data for competitive advantage.

Gartner has issued a full report titled "Gartner's Top Predictions for IT Organizations and Users, 2012 and Beyond: Control Slips Away," which is available on Gartner's website at www.gartner.com/predicts. The report apparently has links to more than 70 Gartner ‘predicts’ reports broken out by topics, industries and markets.

Top Skimming Trends to watch in 2012

2012-01-27T20:55:00.004+11:00

2012: Year of the Skimmer

Fraud losses linked to card skimming are quickly hitting epidemic proportions. So what are the top card-skimming trends financial institutions and financial-services providers should be on the lookout for in 2012? Industry experts weigh in to offer their domestic and global perspectives.

The top six trends to watch:

ATM attacks;
Network hacks;
Crime rings aiming for retail;
Skimming at self-service points of sale;
International fraud migration; and
EMV in the U.S.

ATMs: The No. 1 Target

In 2011, debit fraud losses for the first time outpaced losses associated with credit fraud. The reason for tipping of the fraud-loss scales: skimming.

ATM Skimming

ADT Security Solutions in early 2010 estimated financial losses per ATM-skimming incident averaged $30,000. Now, as the average loss to ATM skimming has jumped $20,000, it's clear card fraud and skimming are increasing. And the industry can expect more fraud losses in 2012 as global crime rings enhance their networks and improve their techniques to exploit lingering magnetic-stripe technology.

ATMs are typically the last to be upgraded from a hardware perspective.

More Network Hacks

Institutions and retailers need to focus more attention on locking down their networks. Now that more networks and systems are connected, as institutions and businesses work to achieve enterprise-level data management, they increase their risk of exposure. If a system is compromised, fraudsters can easily access every server, POS device, ATM, PC and network that's connected to that system.

The widespread deployment and use of common and well-known operating systems, such as Windows, compounds the problem. Fraudsters know how to get in, and with evolving malware, it's getting easier for them to wage successful attacks.

Advances in wireless communications also will reap greater skimming crime rewards in 2012. Network security holes aside, skimming schemes themselves will become easier, as wireless communications and Bluetooth technology have made it increasingly easier for fraudsters to remotely transmit card data once it's been skimmed.

Crime Rings Aim for Retail

Pointing to 2011's skimming breaches at Michaels and Save Mart/Lucky Supermarkets, open communication between retailers and card issuers kept fraud losses and card compromises in check. Once the fraud starts to occur, it just makes everyone's job easier when the retailers take a transparent and proactive approach.

Those attacks have illustrated how critical the need for retailers to invest in real-time fraud monitoring is. The incidents also prove retailers have an incentive to move toward the Europay, MasterCard, Visa standard. At least 50 percent of the card-present fraud is charged back to the merchants. They are now motivated to make a move to EMV because they won't see those chargeback charges. And there is more authentication with the chip, so that will help fraud as well.

A Security Soft Spot

As the Lucky's breach and countless others that target self-service payments devices, including pay-the-pump gas terminals, prove, any terminal that accepts credit and debit cards will be targeted by fraudsters. Even ATM vestibule doors, which read debit swipes for entry, are compromised with ease.

But despite the fact that EMV and anti-skimming measures have displaced ATM attacks in those markets, ATM fraud continues. During the last six months of 2011, Europe saw upticks in low-tech ATM-fraud schemes, such as cash-trapping. Cash trapping, like it sounds, prevents bills from being dispensed. European ATM deployers are addressing the trend with physical ATM inspections and investments in enhanced tampering-detection technology.

Geo-Blocking and International Backlash

Despite innovative moves to curb card fraud in Europe, skimming remains a global problem. Even as fraud migrates and different global regions progress in their adoption of EMV, losses associated with skimming continue to escalate.

This year, more fraud migration and increasing losses, especially in the United States. Part of that migration will be spurred by steps European countries are taking to shut off mag-stripe acceptance as a way to reduce financial losses associated with skimming.

Migrating Fraud

The United States can expect skimming to increase. Why? Fraud will migrate from other parts of the world, where card security is more sophisticated.

Compliance with EMV in western Europe and parts of central and eastern Europe over the last five to 10 years initiated the migration of fraud. Now that EMV is the standard in neighboring Mexico and Canada, hits to U.S. card issuers and acquirers will be substantially higher. Card fraud linked to skimming will be the catalyst.

EMV in the U.S

Movement toward EMV compliance, to address growing card fraud, is not far off for the United States. Visa and MasterCard have both issued soft dates for a U.S. movement toward EMV. MasterCard set an April 2013 deadline for all U.S. ATMs to be EMV compliant; and Visa announced compliance dates of 2013 and 2015 for U.S. merchants.

Last week, Visa provided EMV guidance and suggested EMV adoption best practices for U.S. merchants and card issuers.

In 2013, the responsibility for fraud losses will shift from the EMV card issuer to the acquirer. Given that stipulation, 2012 will see an increase in EMV activity.

20 critical controls for effective cyber defence

2012-01-24T21:36:00.002+11:00

Baseline of high-priority information security measures and controls

The Centre for the Protection of National Infrastructure is participating in an international government-industry effort to promote the top twenty critical controls for computer and network security. The development of these controls is being coordinated by the SANS Institute.

The Top Twenty Critical Security Controls are a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence. The controls (and sub-controls) focus on various technical measures and activities, with the primary goal of helping organisations prioritise their efforts to defend against the current most common and damaging computer and network attacks.

The controls (and sub-controls) focus on various technical measures and activities, with the primary goal of helping organisations prioritise their efforts to defend against the current most common and damaging computer and network attacks.

Outside of the technical realm, a comprehensive security program should also take into account many other areas of security, including overall policy, organisational structure, personnel issues and physical security. To help maintain focus, the twenty controls do not deal with these important but non-technical aspects of information security.

The twenty controls and supporting advice are dynamic in order that they recognise changing technology and methods of attack. All twenty controls, together with a brief description, are given below. For further information, visit the SANS website.

CONTROL 1 - INVENTORY OF AUTHORISED AND UNAUTHORISED DEVICES

Reduce the ability of attackers to find and exploit unauthorised and unprotected systems. Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops, mobile, and remote devices.

CONTROL 2 - INVENTORY OF AUTHORISED AND UNAUTHORISED SOFTWARE

Identify vulnerable or malicious software to mitigate or root out attacks. Devise a list of authorised software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorised or unnecessary software.

CONTROL 3 - SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE ON LAPTOPS, WORKSTATIONS, AND SERVERS

Prevent attackers from exploiting services and settings that allow easy access through networks and browsers. Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.

CONTROL 4 - CONTINUOUS VULNERABILITY ASSESSMENT AND REMEDIATION

Proactively identify and repair software vulnerabilities reported by security researchers or vendors. Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities - with critical problems fixed within 48 hours.

CONTROL 5 - MALWARE DEFENCES

Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading. Use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent systems from using auto-run programs to access removable media.

CONTROL 6 - APPLICATION SOFTWARE SECURITY

Scan for, discover, and remediate vulnerabilities in web-based and other application software. Carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect all traffic, and explicitly check for errors in all user input (including by size and data type).

CONTROL 7 - WIRELESS DEVICE CONTROL

Protect the security perimeter against unauthorised wireless access. Allow wireless devices to connect to the network only if they match an authorised configuration and security profile and have a documented owner and defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.

CONTROL 8 - DATA RECOVERY CAPABILITY

Minimise the damage from an attack: Implement a trustworthy plan for removing all traces of an attack. Automatically back up all information required to fully restore each system, including the operating system, application software, and data. Back up all systems at least weekly; back up sensitive systems more often. Regularly test the restoration process.

CONTROL 9 - SECURITY SKILLS ASSESSMENT AND APPROPRIATE TRAINING TO FILL GAPS
Find knowledge gaps, and fill them with exercises and training. Develop a Security Skills Assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.

CONTROL 10 - SECURE CONFIGURATIONS FOR NETWORK DEVICES SUCH AS FIREWALLS, ROUTERS, AND SWITCHES

Preclude electronic holes from forming at connection points with the Internet, other organisations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configurations are documented and approved and that any temporary deviations are undone when the business need abates.

CONTROL 11 - LIMITATION AND CONTROL OF NETWORK PORTS, PROTOCOLS, AND SERVICES

Allow remote access only to legitimate users and services. Apply host-based firewalls and port-filtering and scanning tools to block traffic that is not explicitly allowed. Properly configure web servers, mail servers, file and print services, and domain name system (DNS) servers to limit remote access. Disable automatic installation of unnecessary software components. Move servers inside the firewall unless remote access is required for business purposes.

CONTROL 12 - CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES

Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open a malicious e-mail, attachment, or file, or to visit a malicious website; and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords that follow known standards.

CONTROL 13 - BOUNDARY DEFENCE

Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines. Establish multilayered boundary defences by relying on firewalls, proxies, demilitarised zone (DMZ) perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including through business partner networks (“extranets”).

CONTROL 14 - MAINTENANCE, MONITORING, AND ANALYSIS OF SECURITY AUDIT LOGS

Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines. Generate standardised logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers, and run biweekly reports to identify and document anomalies.

CONTROL 15 - CONTROLLED ACCESS BASED ON THE NEED TO KNOW

Prevent attackers from gaining access to highly sensitive data. Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to non-public data and files.

CONTROL 16 - ACCOUNT MONITORING AND CONTROL

Prevent attackers from impersonating legitimate users. Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that follow known standards.

CONTROL 17 - DATA LOSS PREVENTION

Stop unauthorised transfer of sensitive data through network attacks and physical theft. Scrutinise the movement of data across network boundaries, both electronically and physically, to minimise the exposure to attackers. Monitor people, processes, and systems, using a centralised management framework.

CONTROL 18 - INCIDENT RESPONSE CAPABILITY

Protect the organisation’s reputation, as well as its information. Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

CONTROL 19 - SECURE NETWORK ENGINEERING

Keep poor network design from enabling attackers. Use a robust, secure network engineering process to prevent security controls from being circumvented. Deploy network architecture with at least three tiers: DMZ, middleware, private network. Allow rapid deployment of new access controls to quickly deflect attacks.

CONTROL 20 - PENETRATION TESTS AND RED TEAM EXERCISES

Use simulated attacks to improve organisational readiness. Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises—all out attempts to gain access to critical data and systems— to test existing defences and response capabilities.

Prioritisation of the critical controls:

The twenty controls are a baseline of high-priority ‘technical’ information security measures and controls that can be applied across an organisation to improve its cyber defence. In order for a control to be a high priority, it must provide a direct defence against attacks.

Controls that mitigate known attacks, or a wide variety of attacks, or attacks early in the compromise cycle, all have priority over other controls. Controls that mitigate the impact of a successful attack also have a high priority. Special consideration is given to controls that help mitigate attacks that have not yet been discovered.

Insider Scams and Fraud a Growing Trend

2012-01-23T11:02:00.000+11:00

Teenager Sentenced for Card Skimming

A 17-year-old was slapped with a 60-day jail sentence after he was busted for skimming credit and debit details while working the drive-thru window at a McDonald's restaurant in Olympia, Wash. This insider scam highlights a card fraud trend the industry needs to watch.

This case highlights just how easy it is for insiders to perpetrate card fraud, especially in a retail environment. Even if we protect the ATMs and POS devices, insider fraud like this will take place due to the ease with which criminals can get their hands on the appropriate devices. This is an industry that clearly needs an elegant and innovative solution (not EMV) that can at least make it an order of magnitude harder for skimmers to succeed.

Transactions Monitored

In the McDonald's incident, the teen's card-fraud scheme was foiled before exceeding $13,000 in losses after transaction monitoring traced the fraud. Detectives connected the dots and linked fraud to the Olympia McDonald's when contacted by the Washington State Employees Credit Union about fraudulent transactions hitting member accounts.

The credit union found one commonality: All of the compromised cards had been used at the same McDonald's. McDonald's management later confirmed the juvenile suspect had worked the drive-thru every time one of the compromised cards had been used.

The teenager used the stolen card numbers, which he collected with a handheld skimming device, to buy gift cards at retail stores such as Walmart and Toys R Us, according to a news report. With the fraudulently purchased gift cards, he allegedly bought about $13,000 worth of merchandise that he later sold on Craigslist and eBay for profit.

The purchases the teenager made included iPads, computers, video game systems and digital cameras, according to the Thurston County Prosecuting Attorney's Office.

The teen has been in custody since Nov. 16, after his parents refused to post bail. On Monday, he pleaded guilty to two juvenile counts of forgery and two juvenile counts of identity theft. As part of his sentence, the court has asked that he pay restitution to the victims whose cards were compromised.

The investigation is ongoing because other suspects may be involved.

Stuxnet Analysis Report by Cyber Security Forum Initiative (CSFI)

2012-01-20T10:40:00.001+11:00

A must-read report which will answer many of yours questions regarding STUXNET!!

The Cyber Security Forum Initiative (CSFI) is a non-profit organization headquartered in Omaha, NE and in Washington DC with a mission "to provide Cyber Warfare awareness, guidance, and security solutions through collaboration, education, volunteer work, and training to assist the US Government, US Military, Commercial Interests, and International Partners."

CSFI was born out of the collaboration of dozens of experts, and today CSFI is comprised of a large community of nearly 5000 Cyber Security and Cyber Warfare professionals from the government, military, private sector, and academia. Our amazing members are the core of all of our activities, and it is for them that we are pushing forward our mission.

So, after quite some time of working behind the scenes, and making an effort to focus on essence rather than buzz, the CSFI have published their official report on Stuxnet.

Scope of Research

Find the source code of the attack
Reverse engineer the code
Create a countermeasure and recommendation from these type of attacks
Understand the political motivations behind this attack
Explain how such a piece of malware can be used in cyber warfare scenario
Can Iran retaliate using the same form of cyber attack?

Feel free to download the report form here: CSFI_Stuxnet_Report_V1

As well as watch the demonstration video on the CSFI website: http://csfi.us/?page=stuxnet

Ramnit Worm Threatens Online Accounts

2012-01-18T20:04:00.000+11:00

Facebook Targeted by Fraudsters Seeking Log-in Credentials

Ramnit is a worm, which means, unlike malware, it can spread to other computers without being sent through e-mail or a malicious website. Ramnit, which surfaced in April 2010, continues to evolve.

In August 2011, security vendor Trusteer was the first to discover Ramnit's merger with the Zeus variant designed to target online banking accounts. The Ramnit-Zeus hybrid was superior because of its advanced man-in-the-browser capabilities, which enabled it to steal online banking and corporate log-in credentials.

The Ramnit hybrid bypassed two-factor authentication, and between September 2011 and December 2011, Trusteer estimated that some 800,000 machines had been infected.

Once launched on a corporate PC, Ramnit's browser penetration module steals internal and software-as-a-service credentials. Incoming web pages can then be modified using an HTML injection to request and steal more sensitive information.

Ramnit's man-in-the-middle looks like an actual social-media or bank-account sign-in page that captures a user's ID and password, and sometimes other personal information en route to the actual log-in page.

The difference, however, is that the page in the middle captures authentication data and allows the attacker to gain access to the victim's accounts at will.

Ramnit compromised 45000 Facebook accounts and now targeting financial accounts...

Researchers advises that the Ramnit worm, which last year defeated two-factor authentication measures used to protect online banking accounts and corporate networks, is now targeting Facebook - a development that should especially concern financial service businesses.
Lab researchers working for the Israel-based provider of cyberthreat management services say Ramnit has been linked to the compromise of more than 45,000 Facebook log-in credentials, primarily hitting users in the United Kingdom and France.

"We suspect that the attackers behind Ramnit are using the stolen credentials to log in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further," says a blog posted on Seculert's website Jan. 5.

"In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks."

Because users often use the same log-in and password credentials for multiple accounts, the threat of Ramnit attacks should be concerning to every industry, not just financial services, though financial institutions often have the most to lose when consumers online banking accounts are breached.

"As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands," Securlet says.

A Call for Multifactor Authentication

Bill Wansley an analyst at Booz Allen Hamilton, says every organization should take Ramnit's rapid evolution as a sign that outdated authentication measures are no longer effective.

"Passwords are not very useful for anything anymore," Wansley says. "They are just too easy to forget, copy or break. Everyone needs to go to multifactor authentication - like Google has recently - for social-media sign-in, and certainly for anything that is for financial or medical-related accounts."

Passphrases are better than passwords, but multifactor authentication is the new standard. "Nobody should be using their social-media passwords or phrases for their financial accounts," Wansley says.

In the financial space, cybercriminals increasingly use older malware to capture individual passwords and personal information that is later exploited to gain access to financial accounts.

"The Ramnit example is typical of these type attacks," Wansley says. "Ramnit is actually an older malicious code that has been updated with new features to achieve other purposes."

Signcryption: New Technology & Standard to improve Cyber Security

2012-01-15T19:57:00.001+11:00

Signcryption is a technology that protects confidentiality and authenticity, seamlessly and simultaneously

For example, when you log in to your online bank account, signcryption prevents your username and password from being seen by unauthorized individuals. At the same time, it confirms your identity for the bank.

UNC Charlotte professor Yuliang Zheng invented the revolutionary new technology and he continues his research in the College of Computing and Informatics. After nearly a three-year process, his research efforts have been formally recognized as an international standard by the International Organization of Standardization (ISO).

News of the ISO adoption comes amidst daily reports of cyber attack and cyber crime around the world. Zheng says the application will also enhance the security and privacy of cloud computing.

“The adoption of signryption as an international standard is significant in several ways,” he said. “It will now be the standard worldwide for protecting confidentiality and authenticity during transmissions of digital information.”

“This will also allow smaller devices, such as smartphones and PDAs, 3G and 4G mobile communications, as well as emerging technologies, such as radio frequency identifiers (RFID) and wireless sensor networks, to perform high-level security functions,” Zheng said.

“And, by performing these two functions simultaneously, we can save resources, be it an individual’s time or be it energy, as it will take less time to perform the task.”

Indian Hackers has hacked Symantec Norton AntiVirus software!

2012-01-13T21:27:00.000+11:00

Symantec's Norton AntiVirus source code exposed by hackers

Symantec, the makers of Norton AntiVirus, has confirmed that a hacking group has gained access to some of the security product's source code.

An Indian hacking group, calling itself the Lords of Dharmaraja, has threatened to publicly disclose the source code on the internet.

So far, there have been two claims related to Symantec's source code.

First, a document claiming to be confidential information related to Norton AntiVirus's source code was posted on Pastebin. Symantec says it has investigated the claim, and that - rather than source code - it was documentation dated from April 1999 related to an API (application programming interface) used by the product.

And secondly, the hacking group shared source code related to what appears to have been the 2006 version of Symantec's Norton AntiVirus product with journalists from Infosec Island.

Chris Paden, a Symantec spokesperson, confirmed to InfoSec Island that some of the firm's source code had been accessed:

"Symantec can confirm that a segment of its source code has been accessed. Symantec’s own network was not breached, but rather that of a third party entity."

"We are still gathering information on the details and are not in a position to provide specifics on the third party involved."

"Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time."

"Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is four and five years old. This does not affect Symantec's Norton products for our consumer customers. Symantec's own network was not breached, but rather that of a third party entity."

"We are still gathering information on the details and are not in a position to provide specifics on the third party involved. Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time."

"However, Symantec is working to develop remediation process to ensure long-term protection for our customers' information. We will communicate that process once the steps have been finalized.

Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts."

It's hard not to feel sympathy for Symantec - who appear to have been caught in the crossfire between a hacking gang and the Indian authorities.

Although Symantec customers may not be at risk, it's easy to see how the software company will feel bruised by the publicity that the Lords of Dharmaraja have generated through their hack.

WPS-enabled Wi-Fi routers are vulnerable to brute force attack

2012-01-11T21:16:00.001+11:00

Security flaw found in Wi-Fi Protected Setup

The US Computer Emergency Readiness Team (US-CERT) warned of a security flaw in a popular tool intended to make it easier to add additional devices to a secure Wi-Fi network.

The organisation cited findings from security researcher Stefan Viehbock, who uncovered the security hole in the so-called Wi-Fi Protected Setup, or WPS, protocol, which is often bundled into Wi-Fi routers.

The WPS protocol is designed to allow unskilled home users to set up secure networks using WPA encryption without much hassle. Users are then able to type in a shortened PIN instead of a long passphrase when adding a new device to the secure network.

That method, however, also makes it much easier for hackers to break into a secure Wi-Fi network, US-CERT says. The security threat could affect millions of consumers, since the WPS protocol is enabled on most Wi-Fi routers sold today.

The basic problem is that the security of the eight-digit PIN falls dramatically with more attempts to key in the password. When an attempt fails, the hacker can figure out whether the first four digits of the code are correct. From there, it can then narrow down the possibilities on the remaining digits until the code is cracked. Viehbock said that a hacker can get into a secure Wi-Fi hotspot in about two hours using this method to exploit a vulnerability.

Here's how US-CERT describes the flaw:

When the PIN authentication fails, the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known, because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 108 to 104 + 103, which is 11,000 attempts in total.

It has been reported that some wireless routers do not implement any kind of lock-out policy for brute-force attempts. This greatly reduces the time required to perform a successful brute-force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition, because of the brute-force attempt, and required a reboot.

US-CERT said in its warning that there is no known fix to the security problem. Instead, the group recommends that users disable the WPS function on their routers. The warning lists several wireless router vendors as selling devices that are affected by the security hole: Buffalo, D-Link, Cisco Linksys, Netgear, Technicolor, TP-Link and ZyXEL.

US-CERT indicated in its warning that it notified router vendors that are affected by the security issue in early December, but so far the vendors have not offered a response, nor have any of them issued statements.

Android Network Toolkit for Penetration Testing and Hacking

2012-01-09T19:37:00.005+11:00

Zimperium have unveiled the Android Network Toolkit for easy hacking on the go!

ANTi is a smartphone, android based, penetration testing toolkit that can scan a network, find vulnerabilities, run exploits, produce reports and more.

There is a free version with limited functions and several paid versions that scale up in functionality. The videos linked at the bottom of this article are interesting.

ANTi – Android Network Toolkit – [zimperium.com]

What is Anti?

ZImperium LTD is proud to annonce Android Network Toolkit – Anti.
Anti consists of 2 parts: The Anti version itself and extendable plugins. Upcoming updates will add functionality, plugins or vulnerabilities/exploits to Anti

Using Anti is very intuitive – on each run, Anti will map your network, scan for active devices and vulnerabilities, and will display the information accordingly: Green led signals an ‘Active device’, Yellow led signals “Available ports”, and Red led signals “Vulnerability found”.

Also, each device will have an icon representing the type of the device. When finished scanning, Anti will produce an automatic report specifying which vulnerabilities you have or bad practices used, and how to fix each one of them.

Anti – Android Network Toolkit Capabilities Video/Demo by ZImperium LTD – [youtube.com]

Hacking a Mac using Android Network Toolkit CSE in ANTI3 by ZImperium LTD – [youtube.com]

How Developers Can Secure their Code?

2012-01-05T21:35:00.003+11:00

5 Application Security Tips

Over the last 30 years, many organizations have done an amazing job of automating their business, resulting in productivity gains, efficiencies and innovations.

Unfortunately, the threat landscape has changed dramatically during this time. A lot of that application code, written without security in mind decades ago, is still the heart-and-soul of many enterprises. That code was designed for a world where computers could not be accessed remotely.

Since then, it has been wrapped, integrated, connected, ported, and most importantly, exposed. That application code is not strong enough to withstand today's threat.

OWASP has a number of free and open-source resources that developers can use right now to help secure their code.

5 Tips for Developers

Start with the OWASP Top Ten - This awareness document will help you understand, identify, and fix the most critical application security risks quickly.

Get hands-on with WebGoat - WebGoat is a deliberately flawed application that is riddled with holes to give people the opportunity for hands-on learning. It is open-sourced to help developers and security testers get experience with real vulnerabilities.

Leverage the OWASP Cheat Sheets - This is a fantastic series from leading experts globally. Let me know what you think of the Cross-Site Scripting Prevention Cheat Sheet, one of OWASP's most popular pages.

Verify Your Applications - There is no substitute for getting real facts about the security of your application portfolio. OWASP Application Security Verification Standard helps developers get started scanning, testing and code reviewing with tools like OWASP Zap and CSRFTester.

Get Training - Perhaps the hardest thing about application security is that there are so many different ways that software can fail, particularly when it's targeted by a motivated attacker. The key is training to get started with securing applications quickly.

If instructor-led training isn't possible, eLearning solutions are available to allow developers to learn on-demand and get hands-on, practical experience with vulnerabilities, security controls and real code. Training is a remarkably effective way to reduce vulnerabilities.

Before you trust your business to application software, make certain that the people who are writing your code know how to defend your business and its assets. It's time to learn.

How-to encrypt and password protect your personal folders & files in Windows and Mac

2012-01-02T18:44:00.001+11:00

TrueCrypt - Free Open-Source Disk Encryption Software

You can’t easily password protect folders or files in Windows / MAC yet, but you can remove the permissions for users or use TrueCrypt to create mountable encrypted containers that can only be accessed with the correct password.

TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention.

No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. Entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, meta data, etc).

Encryption does not mean it has to be slow or difficult. In fact, TrueCrypt makes it really fast and you can access all files as if they were unencrypted. Here is how you can do it:

Download TrueCrypt from http://www.truecrypt.org/downloads (latest stable 7.1 09/26/11)
When you install TrueCrypt select Extract files, this will extract the program without actually installing it.
Now start the TrueCrypt.exe
Click on Create New Volume and this screen will pop up:
Select Standard for now
Find a place for your encrypted container. Think of it as a real file that is password-protected. Store it for example here: C:\Users\yourusername\Desktop
Make sure you have enough disk space.
Select an algorithm. Don’t know what to choose? Use the default!
Enter a size for the encrypted container.
Set a password for your encrypted container. Don’t make your password too short or it will be easy to crack
Move your mouse for some time to get a good encryption and click on Format
Back on the TrueCrypt main screen, enter the path to your encrypted container (or click on Select file and browse to it)
Finally click on Mount, you can now access your encrypted password-protected container like any other hard drive via the explorer! Awesome? It is!

There are various other methods to password protect and encrypt folders. However, TrueCrypt is the best free solution and using the to effectively protect your private folders.

If you need more protection, simply create an encrypted container and store your files on a flash drive. Flash drives with 8GB or more are cheap and can be used to store all your private files. You could also use an external USB hard drive for storing the password-protected encrypted folders.

2011 - Year of the HACK and DATA Breaches

2011-12-31T23:59:00.007+11:00

This year’s headlines have been made up of data breaches, hacks, APT attacks and mergers and acquisitions

Like a sleeper agent, it embeds itself in key industrial systems and waits, gathering intelligence and biding its time. It studies design documents to find weak spots for future attacks that could bring a nation to its knees.

It is the description by US security firm Symantec of the newly discovered Duqu worm in its report ‘W32.Duqu: The precursor to the next Stuxnet.’

Duqu is based on the sophisticated Stuxnet worm that shut down an Iranian nuclear fuel processing plant and set back its nuclear program by years. Duqu has so far infected industrial systems in eight countries: France, the Netherlands, Switzerland, Ukraine, India, Iran, Sudan, and Vietnam.

While at this point Duqu is only able to gather intelligence, Symantec judges that it is “essentially the precursor to a future Stuxnet-like attack” against industrial control systems. These systems are used to control everything from nuclear power plants and the electricity grid to oil pipelines and large communication systems.

The discovery of Duqu was a major security event in 2011; not exactly because of the effect that the worm has had, but for its potential. Duqu signals a growing trend of malware developed not to steal identities and profit financially, but to disable and destroy critical infrastructure – the life blood of modern society.

News of Duqu was followed by a (now-mistaken) malware attack on a US water utility network that destroyed the industrial control system of a key water pump.

Destruction of critical infrastructure has been the elephant in the room for the information security profession. Many recognize the danger, but it is seen as too esoteric and remote to worry about. It is someone else’s (i.e., the government’s) problem.

But if major critical infrastructure collapses from a cyberattack, whether your boss’s iPad makes the company’s network less secure is not going to matter all that much.

Cyber Wasteland

From the mega breach at Sony to the annoying self-righteous breaches perpetrated by Anonymous et al., 2011 was a wasteland of data loss.

In March, RSA – the company that ensures its elite customers are water-tight – sprang a leak when it was penetrated by a spear-phishing attack that hooked one of its employees and resulted in a huge catch for cyberattackers.

In an open letter to RSA customers, executive chairman Art Coviello said that a sophisticated “advanced persistent threat” (APT) attack had extracted valuable information related to its SecurID two-factor authentication product used by remote workers to securely access their company’s network.

"Destruction of critical infrastructure has been the elephant in the room for the information security profession"

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”, Coviello said.

Coviello, it turned out, was wrong about this assumption, as numerous SecureID token customers – including US defense giant Lockheed Martin – reported attacks resulting from the RSA breach. In an effort to limit the damage, RSA agreed to replace the tokens for its key customers.

In response to the RSA breach, APT became the new catchword for cyberattacks. “It’s not our fault our networks were breached and our data stolen, it was an APT. What could we do?”, whined many companies in the ‘year of the breach’.

April was the Cruelest Month

April was indeed a cruel month for Sony, which admitted that hackers had gained access to names, addresses, email addresess, birth dates, passwords and IDs for over 100 million PlayStation Network, Qrocity, and Online Entertainment customers.

The massive size of the breach, as well as the delay in informing customers, attracted the attention of the US Congress. A House Commerce Committee panel held a hearing on the breach, but Kazuo Hirai, chairman of Sony Computer Entertainment America, declined to appear.

Panel chairman Mary Bono Mack (R-Calif.) criticized Sony for the delay in informing its customers of the data breach and the manner of notification through its blog. “I hate to pile on, but – in essence – Sony put the burden on consumers to ‘search’ for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.”

More Breaches!

Marketing firm Epsilon had a breach of its extensive database, which contained the names and emails of customers at such high-profile partners as BestBuy, Walgreens, Marriott, Lacoste, Marks & Spencer, JP Morgan Chase, Barclays, Citibank, US Bank, and Capital One.

While Epsilon initially downplayed the breach, its partners could not. They began issuing warnings to millions of their customers about the breach, cautioning them to be on the lookout for subsequent spam and phishing attempts as a result of the compromised email addresses. Reuters put a $100 million price tag on the incident, which falls directly on Alliance Data Systems, Epsilon’s parent company.

And for much of 2011, Anonymous and its offspring were claiming credit for what seemed like a breach a week – in the name of improving security by showing how incredibly bad many organizations’ information security really is.

Not with a Whimper, but a Bang

In the arena of mergers and acquisitions, 2011 started off with a bang, with Dell’s acquisition of SecureWorks, an Atlanta-based security-as-a-service provider with 3,000 clients worldwide, and Verizon’s $1.4 billion purchase of Terremark, a Miami-based managed IT infrastructure and cloud service provider with advanced security offerings.

Also early in the year, Sourcefire bought Immunent, a cloud-based anti-malware startup, for $21 million, and Google agreed to acquire Zynamics, a Germany-based forensic specialist, for an undisclosed consideration.

In April, storage giant EMC acquired NetWitness, a Herndon, Va.-based network monitoring specialist, and added it to RSA. While the purchase price was not disclosed, some estimates put the price tag as high as $500 million. Too bad RSA did not have network monitoring in March!

After the April showers, there was a spurt of acquisition activity in May. In that month, Symantec acquired Clearwell Systems, a provider of e-discovery, data archiving, and data backup products, for $390 million, augmenting its information management and governance portfolio.

In addition, cloud provider VMWare purchased Shavlik Technologies, a Minnesota-based patch management and cloud-security firm; Thoma Bravo bought Tripwire, a Portland, Ore.-based network security firm; and Sophos acquired Astaro, a Germany-based private network security firm.

Other noteworthy information security acquisitions in 2011 included: IBM’s purchase of Q1Labs, a Waltham, Mass.-based provider of security event and log management software; McAfee’s purchase of NitroSecurity, a Portsmouth, N.H.-based security information and event management firm; and Check Point’s acquisition of Dynasec, an Israeli-based governance, risk, and compliance firm.

“Prediction is very difficult, especially about the future.”

Despite the wisdom of those great minds, I will venture to make some predictions for 2012. First, I predict that the world will not end. If I’m wrong about that, then no need to read further.

Certainly, Stuxnet, Duqu, and their heirs will increasingly plague governments, critical infrastructure operators, and information security professionals. It’s time to take these threats as seriously as the mundane security problems of everyday life in the 21st century.

The explosion of mobile device use, particularly in the workplace, will increasingly concern information security staffs for years to come. Malicious mobile malware has become widespread, and this trend is likely to accelerate.

Enterprises will have to come to grips with social media, particularly as cybercriminals find it a fertile ground for mischief. Should employees be banned from using it at work or is it the next great efficiency tool? The answer is: Yes.

Of course, the cloud – companies will likely accelerate cloud adoption to improve the bottom line, while security professionals will struggle with the implications of giving up control over key corporate information assets.

And the boldest prediction of all: there will be more data breaches in 2012.

Hackers could shut down train lines?

2011-12-30T18:26:00.003+11:00

Hackers who have shut down websites by overwhelming them with Web traffic could use the same approach to shut down the computers that control train switching systems, a research conducted by a security expert.

Stefan Katzenbeisser, professor at Technische Universität Darmstadt in Germany, advised that switching systems were at risk of "denial of service" attacks, which could cause long disruptions to rail services.

"Trains could not crash, but service could be disrupted for quite some time," Katzenbeisser told Reuters.

"Denial of service" campaigns are one of the simplest forms of cyber attack: hackers recruit large numbers of computers to overwhelm the targeted system with Internet traffic.

Hackers have used the approach to attack sites of government agencies around the world and sites of businesses.

Train switching systems, which enable trains to be guided from one track to another at a railway junction, have historically been separate from the online world, but communication between trains and switches is handled increasingly using wireless technology.

Katzenbeisser said GSM-R, a mobile technology used for trains, is more secure than the usual GSM, used in phones, against which security experts showed a new attack at the convention.

"Probably we will be safe on that side in coming years. The main problem I see is a process of changing ... keys. This will be a big issue in the future, how to manage these keys safely," Katzenbeisser said.

The software encryption 'keys', which are needed for securing the communication between trains and switching systems, are downloaded to physical media like USB sticks and then sent around for installing -- raising the risk of them ending up in the wrong hands.