In the article, Lin writes, “ we may not be ready yet for the government to lead cyberdefense against foreign adversaries. To do so would trigger serious and unresolved [International humanitarian law] issues, including Geneva and Hague Conventions [which] requires that we take care in distinguishing combatants from noncombatants.”

I would first draw a distinction between passive defense ( i.e. blocking attacker access, removing a vulnerability being exploited, etc ) and active defense ( i.e. launching a counter attack to disable the attackers capabilities).

All entities, government and private sector, are engaged in the former. Some more successfully than others. Some with greater effort than others. There are no legal or ethical questions there except a much broader sense . If gas pipelines are considered critical national infrastructure and these pipelines are owned and operated by private companies, should/can the government do more to defend them from attack? More than information sharing and increased collaboration, that is.

As to active defense, I have heard have seen proposals or discussions in security circles of the government launching counter cyber attacks against foreign adversaries on behalf of private companies. Lin’s proposal would create a legal framework that would allow the companies themselves to retaliate. He seems to find inspiration in the much talked about ” stand your ground” laws such as the one in Florida that came to national attention as a it is reportedly invoked in the defense of the fatal shooting an unarmed teenager by an armed neighborhood watch volunteer.

Notwithstanding his references to armed citizens taming the wild, wild west. I find this proposal problematic on three fronts. From the purely cyber security perpective ,from a business perspective, and as a matter of national security policy. I’ll reiterate, in fairness, that Lin is not necessarily endorsing this as a solution, but contributing to a much needed discussion on nation cyber defense policy.

• Security: In most cases, it is difficult to nearly impossible to ascertain the real identity of the attacker. Attackers use other compromised systems (victims) to launch attacks. Lin makes the point that ” There is a reasonable argument in claiming that a botnet is not fully innocent and therefore not immune to harm.Most, if not all, botnets are made possible by negligence in applying security patches to software, installing anti-malware, and using legally purchased and not pirated, vulberable copies of software“. In other words, you allowed your systems to by hacked, so you deserve it if caught in a counter attack. I certainly agree that most reported successful attacks or breaches are a result of some degree of negligence. Most security professionals would agree that no system is immune to attack. We are trained to practice due diligence in making reasonable attempts to identify vulnerabilities and risk. You can never eliminate all risks all the time nor can you afford to mitigate all identified ones.

• Business: Typical business security incidence response practice includes: Detecting the attack, containing the damage, remediating effects of attack and gathering evidence, returning systems to normal and some follow-up. Lin’s proposal would require additional steps to gather sufficient forensic evidence to identify an actual perpetrator. He proposes allowing companies to present this evidence to some governmental body to review and sanction retaliation. Companies will then have to plan and execute the counter attack. Few companies have in-house expertise to do this. Few business managers will be willing to fund such activities. Whats the return? You get hacked from a $500 laptop and you spend $50,000 to do what exactly?

• National Security: We know for a fact some of the attacks on our private owned critical infrastructure have been attributed to foreign government affiliated networks. Would it really be wise to license private companies to attack these networks? I would think not. Most of these folks can’t even patch their servers or encrypt their sensitive data. The last think we need is an international incident started by some system administrator at some SMB. I mean a government allowing private entities to conduct cyber attacks against a foreign nation with a wink and a nod is not exactly a novel concept. Google ‘Russia Georgia Cyberwar”.

I commend Dr. Lin for his contribution to this very important discussion. I don’t necessarily agree with the proposed approach but as a nation, we really need to come to terms with how best to improve our national cyber defense as we are in dire straits.

Related posts:

1. Pentagon and Congress wants control of your network during cyberattack There has been a lot of chatter in the news...
2. We really need to start taking information security more seriously From the Wall Street Journal: Hackers in Europe and China...
3. Google and China: A Dysfunctional Marriage Since making it’s search engine available to Chinese users in...

Most of the commentary written about companies moving to the Cloud  focuses on  the loss of control over company data as a consequence of giving up self-hosted infrastructure. There is usually an implication that this is bad. I believe that is not necessarily a given. How may stories do you read daily about data breaches unrelated to the cloud? It’s almost cliche now.

The critical question that must be asked is “Can cloud provider X protect your company’s  data better than you can?”.

In many cases, the answer is yes. Basically [ in most cases] they do security better than you do. They can afford to hire more security staff  and deploy a more robust security infrastructure. Their business depends on it. In a presentation I gave some time ago on cloud computing located here, I listed the following as additional reasons why:

• Security measures are cheaper when implemented on a large scale
• Better security provides competitive advantage to providers
• Increased standardization and industry collaboration
• Improved forensic capabilities and evidence gathering
• Improved resource scaling

Back of our aforementioned daily horror stories of data breaches. How many of those companies or organizations get closed down or do out of business due to their lax security practices? Not many. For cloud service providers, trust of their customers and potential customers is key to survival. Good security practices are not optional, they are a business imperative.

I’ve witness this first hand working for a financial industry application services provider. Long before “cloud” was a buzz word, there were Application Service Providers (ASPs) that basically performed Software as a Service ( SaaS).  There was a strong culture of security at all levels of the company, from the board on down.

Giving up some control means trusting your provider. This also requires doing your due diligence in selecting the right provier and having a proper service level agreement in place that will allow you access to verify that they are indeed adequately protecting your data.

Related posts:

1. Moving data storage to the cloud? What’s your business continuity plan? Many trumpet increased availability as a reason to move to...
2. Cloud-based…hacking?? I assigned my class a research paper on the security...
3. Cloud Computing = Loss of Confidentiality? Interesting excerpt from article in ITWorldCanada: “Adi Shamir, a computer...

“ …Engineer Doe developed Wi-Fi data collection software code that, in addition to collecting Wi-Fi network data for Google’s location-based services, would collect payload  that Engineer Doe thought might be useful for other Google services. …Google made clear for the first time that Engineer Doe’s software was written specifically to capture payload data. “

Despite all of Google previous assertions to the contraire, this quoted section indicates that Google engineer[s] intended for payload data to be captured and stored. Google insists that this was done without the knowledge or approval of project leader and was not a necessary requirement. This would certainly indicate a failure on the part of project management as this drastically changes the scope of the project with far reaching implications. Even if this were indeed the case of a single engineer going rouge, it makes one wonder even more about the internal culture of the company with respect to consumer privacy. Keep in mind that Wi-Fi traffic only travels between individual computers and an access point. Both end points, in this case, reside on private property. Why would anyone believe it acceptable to capture and store this data with affected individuals knowledge and/or consent?

” ..Google employees stated that any full-time software engineer working on the Street View project was permitted not only to access and review the code, but also to modify it without prior approval from the project managers if the engineer believed he or she could improve it. In addition to Engineer Doe, at least one other engineer wrote or modified an aspect of the Wi-Fi data collection code. “ 

If this is indeed the case, it might explain the feature creep. Were these modifications or “improvements” not documented as part of project documentation? It certainly should have been. Project managers can’t pass the buck on this.

“ A manager of the Street View project estimated that five engineers took turns [ deploying and testing] the Wi-Fi data collection code into Street View cars. Despite their hands-on work…these engineers claim they did not realize Google was collecting payload data” 

Google engineers tasked with reviewing the code and deploying it to street cars claim they did not realize it captured payloads. Really? This must be the equivalent to the infamous ” I don’t recall” defense.  Or sheer ineptitude maybe?

Lastly, the FCC fined Google $25,000 for “impeding the investigation”. Google agreed to pay the fine though the company blames the delays in internal FCC processes. This has been the only penalty on Google to date in the US.

Read Full Report below:(Click on Full Screen at bottom right)

Related posts:

1. Enter the Dragon browser, the more secure Google Chrome The open source engine that forms the basis for Google’s...
2. Skipfish-Web Scanning Security Tool from Google Google has released an open-source Web security scanner called Skipfish...
3. Use Google Apps or Gmail? Avoid getting hacked! It can happen to the best of us. Blogger and...

Related posts:

1. New Best Practices for Security Assurance in the Cloud The Cloud Security Alliance (CSA) produced version 2 of its...

What are some consequences of the lack of basic cyber security controls?

• Loss or stolen customer data
• Loss of intellectual property
• Decreased productivity
• Legal liability
• Regulatory sanctions and fines
• Computer systems downtime
• Loss of reputation and customer confidence
• Loss of revenue
• Banking Fraud

Could this happen to you?

It is very important to understand that neither size nor industry guarantees protection from an attack. The use of computer systems and the Internet makes you vulnerable to attacks and other threats.

A 2010 survey conducted by the Ponemon Institute and Guardian Analytics of over 500 SMBs surfaced these alarming statistics:

• 55% experienced a fraud attack in the last year
• 58% of the incidents involved online banking
• Over 50% experienced multiple incidents
• 87% failed to fully recover lost funds

You are not a big, well known business. Why would anyone attack you?

While it might be the case that well trained hackers are not very interested in your small company, most online attacks aren’t carried out by expert hackers. Attacks are perpetrated by low-skilled, common criminals with access to pre-packaged hacking tools, thereby casting a wide net in hopes of finding an unprotected computer system or network. These tools are easy to use and readily available on the Internet, often times free of charge. The anonymity of a cyber attack makes it even more attractive to criminals. Many attackers use safe havens in foreign countries which do not have strong cyber crime laws.

Malicious software like viruses, worms, trojan horses, spam, bots are all vectors of cyber attacks that are indiscriminately spreading across the Internet. These attacks don’t only target your small business computer systems but also seek to use your unprotected systems to launch attack on others.

Hasn’t IT guy(s) already dealt with this issue?

Although cyber security includes traditional “IT”related issues, it primarily focuses on protecting your valuable information from all threats including physical attacks, data corruption, equipment failure, social engineering, and bad security choices due to insufficient security awareness education. Effective cyber security management requires specific training related to threats, vulnerabilities, and risks affecting computer systems, business operational processes, and most importantly you and your employees. One’s security problems cannot be addressed solely by off the shelf products. Security must be addressed in the boardroom before it is addressed in the computer room.

What are the benefits and cost of cyber security?

Besides avoiding some of the devastating consequences mentioned earlier, good security is simply good business. It does far more than increase customer confidence and protects the integrity of your businesses brand. A secure business increases customer confidence, loyalty and adds to the businesses bottom line.

Responsible businesses understand that risk management mandates that all threats, including cyber threats, be assessed and managed to protect the business, employees and customers.

The potential cost of inaction far outweighs the cost of action. Analyzing your businesses risks allows you to weigh the costs and benefits and make informed decisions.

Where do you start? Where can you get help?

Although improving your security may seem a daunting task, it doesn’t have to be. Increasing cyber security awareness helps small and medium sized businesses proactively implement simple best practices to protect their businesses. Security should be built into your business processes, information technology (IT), and most importantly your employees and contractors. Each business is unique and faces challenges particular to their operations. There is no magic pill that guarantees 100% security. The SMB Cyber Security Alliance have security experts available to help you understand your unique risks and implement solutions that work your your particular business environment.

Visit us today and sign up for your free membership at http://www.smbcybersecurity.org

The SMB Cyber Security Alliance is volunteer-run organization seeking to increase cyber security awareness in small business communities through education, awareness training, free resources and consultations, and active engagements between small business owners and local security professionals.

Related posts:

1. Defend your Small Business against Online Bank Fraud Is your banking practices putting your business at risk? Protect...
2. Security On A Shoestring SMB Budget The e-mail appeared to be an invitation from an old,...
3. Facebook poses biggest security threat to businesses According to it’s  Security Threats 2010 report published today, security...

• Develop and enforce IT policies and automate compliance processes. By prioritizing risks and defining policies that span across all locations, organizations can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.

• Protect information proactively by taking an information-centric approach. Taking a content-aware approach to protecting information is key in knowing who owns the information, where sensitive information resides, who has access, and how to protect it as it is coming in or leaving your organization. Utilize encryption to secure sensitive information and prohibit access by unauthorized individuals.

• Authenticate identities by leveraging solutions that allow businesses to ensure only authorized personnel have access to systems. Authentication also enables organizations to protect public facing assets by ensuring the true identity of a device, system, or application is authentic. This prevents individuals from accidentally disclosing credentials to an attack site and from attaching unauthorized devices to the infrastructure.

• Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.

• Protect the infrastructure by securing endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organizations also need the visibility and security intelligence to respond to threats rapidly.

• Ensure 24×7 availability. Organizations should implement testing methods that are non-disruptive and they can reduce complexity by automating failover. Virtual environments should be treated the same as a physical environment, showing the need for organizations to adopt more cross-platform and cross-environment tools, or standardize on fewer platforms.

• Develop an information management strategy that includes an information retention plan and policies. Organizations need to stop using backup for archiving and legal holds, implement deduplication everywhere to free resources, use a full-featured archive system and deploy data loss prevention technologies.

Source: http://www.symantec.com/content/en/us/about/presskits/Symantec_2010_CIP_Study_Global_Data.pdf

Related posts:

1. Hacking the Soft Underbelly I often reiterate to my students that security is more...
2. 2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...
3. Staying safe on public Wi-Fi Picture this: You’re at a café with your laptop and...

This brings to mind the current state of the cloud computing market. The mad gold rush of cloud services providers continues. Everyone wants a piece of the action.  These companies offer a variety of hosting services for IT infrastructure, platforms and applications.  The lure of moving to the cloud is obvious. Let someone else do it better, cheaper, more reliably and worry about the  details. More organizations are taking advantage. Companies, large and small, are moving their data, applications, and systems to one or more of the legion of providers out there.  This means more dependence on these providers for accessing business critical resources.  Although there are some obvious leaders in the cloud market today ( Google, Amazon, Salesforce), there are also a many smaller boutique providers that compete mostly on price.

In coming years, I expect the market to settle. Some providers will flourish, others will go down in flames or be acquired by one of the larger shops. These changes could have real consequences to customers. What happens if your provider is using proprietary technology and goes out of business?  Migrating to a new provider might be difficult. Doing your due diligence before selecting a provider is very important. Verifying the financial stability of the company and developing a strong service level agreement are key requirements.  Your SLA must address uptime, performance and security. The ability to audit your provider is also very important.

Many small businesses would not exist without the cloud. Building, hosting, and managing an IT infrastructure can be cost prohibitive. Choosing the right provider, however, may be the difference between success and failure.

Related posts:

1. The real arguments for Cloud Computing As more vendors dive into the cloud computing market, every...
2. Moving data storage to the cloud? What’s your business continuity plan? Many trumpet increased availability as a reason to move to...
3. Cloud Computing = Loss of Confidentiality? Interesting excerpt from article in ITWorldCanada: “Adi Shamir, a computer...

Cloud Computing — As an emerging technology, security concerns remain a hurdle for organizations looking to adopt cloud computing. As organizations transition to the cloud, IBM recommends that they start by examining the security requirements of the workloads they intend to host in the cloud, rather than starting with an examination of different potential service providers. Gaining a good understanding of the needs and requirements first will help organizations take a more strategic approach to adopting cloud services.

Virtualization – As organizations push workloads into virtual server infrastructures to take advantage of ever increasing CPU performance, questions have been raised about the wisdom of sharing workloads with different security requirements on the same physical hardware. X-Force’s vulnerability data shows that 35 percent of vulnerabilities impacting server class virtualization systems affect the hypervisor, which means that an attacker with control of one virtual system may be able to manipulate other systems on the same machine. This is a significant data point when architecting virtualization projects.

Read more: http://www.prnewswire.com/news-releases/ibm-x-force-report-reveals-global-security-threats-have-reached-record-levels-101460029.html

Related posts:

1. Exploring Cloud Computing Information Leakage If you are in cloud computing security (or part of...
2. Moving data storage to the cloud? What’s your business continuity plan? Many trumpet increased availability as a reason to move to...
3. Will your Cloud Provider be around in two years? I just read that my hosting company, GoDaddy, is on...

That was probably the script the culprit had in mind …and who knows how many times it played out.

I received the following message in my email inbox earlier from a cousin on Facebook.

It was so obviously malicious. Never mind the spelling issues. That is a trick typically used to get by email filters. My first reaction was to log in to Facebook and verify that it was indeed the source. I was reminded of an article I read about a similar fake LinkedIN email attack. In this case, the message was right there with a slight difference. The link now was more obvious.

One of those shortened bit.ly links that could lead you anyway. Without clicking the link, I clicked “reply” asking ” Did you send this?” . I already knew the answer but hey!  I immediately got the following response from one of the sender’s friends.

The plot thickens…

I sent the cousin a message advising a change of Facebook credentials. The message was apparently sent to many other users.  I’ve read and blogged about compromised Facebook account being used to spread malware and/or lure users to malicious sites but this is my first such experience. I’m not the average Facebook user though, since I only use it to cross-post blog updates.  I didn’t have to time to investigate what’s on the other side of that bit.ly link but just thought I’d share the experience.

Beware fellow Facebook users!

Related posts:

1. Brevity is the soul of…..getting yourself infected with all kinds of nasties! Would you click on the link : http://www.click-here-to-give-me-access-to-all-your-computer-files.com? No? How...
2. Alert your connections if your Social Networking Account get compromised Social Network attacks are becoming more popular as daily we...
3. Fake virus alert spreads massively across Facebook Panda Security has released the following advisory: In the last...

sophos-security-threat-report-midyear-2010-wpna.pdf

Related posts:

1. Facebook poses biggest security threat to businesses According to it’s  Security Threats 2010 report published today, security...
2. Twitter users hit hard by "LOL" phishing attack IT security and data protection firm Sophos is warning that...
3. Top ten malware-hosting countries revealed US and UK among the top 10 countries hosting the...

A number of similar incidents to this one highlight the threats of online crime facing small and midsize businesses (SMBs), says Stan Stahl, president of Citadel Information Group and president of the Los Angeles chapter of the ISSA.

“Typically, they say, ‘We have firewalls in place and have AV on all the desktops, so I guess we are secure,’” Stahl says. “But today cybercrime is so sophisticated that is not enough anymore.”

Read full article at http://www.darkreading.com/smb-security/security/attacks/showArticle.jhtml?articleID=225702557&cid=RSSfeed

Related posts:

1. Thoughts on Skype security Michael Gough, an information security specialist and president of the...
2. Did Facebook CEO play fast and loose with user login data? Did you Facebook CEO play fast and loose with user...
3. IRS reminds you not to go Phishing this tax season It’s tax time again and IRS phishing scams are alive...

Some companies are faced with this very question this week as storage provider, EMC  announced its plan to shut down its Atmos Online cloud storage service immediately, according to a posting on its website.

EMC launched Atmos Online in May 2009, calling it “Cloud Optimized Storage [with] capabilities that can scale effectively, coupled with security and management tools.”  This placed EMC in direct competition with some of its service provider partners who used EMC’s Atmos technology to provide cloud storage to its customers.

EMC has now  downgraded Atmos Online to a development platform and is offering no guarantee as to the availability of user data moving forward. EMC used its web posting to “strongly encourage [companies to] migrate any critical data or production workloads currently served via Atmos Online to one of our partners offering Atmos based services,”

The provider going out of business is one of the many risks companies have to address when considering moving their critical data into the cloud. In this case, companies now have to spend resources doing the necessary due diligence in selecting an alternative cloud storage provider.

According to Morris Cody, CIO at Washington D.C. based Information Security Services Firm, Secure Intervention, companies moving to the cloud better consider the following:

Related posts:

1. The real arguments for Cloud Computing As more vendors dive into the cloud computing market, every...
2. Will your Cloud Provider be around in two years? I just read that my hosting company, GoDaddy, is on...
3. Cloud Computing = Loss of Confidentiality? Interesting excerpt from article in ITWorldCanada: “Adi Shamir, a computer...

Every other day, we hear about the risks. Compromised Twitter accounts, phishing via LinkedIN,  malicious Facebook apps were only a sample of an every growing landscape. Most enterprises, appreciating the threats these pose to an environment, simply deny access to social networks from company systems and networks.

Even within such organizations, there are user who need to access social networks to perform their job functions. LinkedIN has become a great tool for recruiting prospective new hires. More companies are using Twitter, Facebook, Myspace and others to promote their business an connect with customers.

But outside of that, is there a value in allowing employees, whose job function do not require it, access to social networks on company systems?

I’m prompted to ask this because last week I was at a meeting of the Northern Virginia chapter of the  Information Systems Security Association (ISSA-NOVA) and the speaker was the deputy CISO of the IRS, Devon Bryan. He spoke about how the IRS was dealing with the security challenges posed by Web 2.0, particularly social networking, Their current stance is to block all access except for those employees who job function required it. Most security  professionals would agree this is probably wise. However, he also added that they are looking at technology that would allow users to “view” social networking sites, but not allow them to “update” them. As he explained, or tried to, read vs. write/execute.

As this was an audience full of security professionals, it was quickly pointed out that drive-by malware downloads only require the user to browse the infected web page or one that is linked to an infected web page. To view is to infect, so to speak. There was then talk of how to mitigate that using virtual machines or proxies.

I have no doubt the technical challenges can be overcome. The hackers who now treat social networks as the new frontier will probably change tact to react as well. Besides wanting to keep employees happy, what’s the policy rationale for allow users to follow their subscribed tweets or friends updates? Never mind, the adverse effect this with have on productivity. Really, why bother?

Related posts:

1. How to limit Twitter risks Twitter is now used by over 350 million people worldwide....
2. Staff Leak Military Secrets on Facebook and Twitter Are your employees ( or you ) leaking sensitive data...
3. Gartner predicts the Enterprise is going Social Gartner believes that social networking will be embraced, but perhaps...

What is the government’s role in protecting these private networks? Should it have a role at all? Although some in the private sector are still debating these questions, the government has already moved in action. Last month, the DoD launched its new Cyber Command, headquartered at Ft. Meade, Maryland. Military observers still aren’t quite sure what this supposed to do. The Pentagon’s number two, Deputy Secretary William Lynn, in a gathering of cybersecurity officials and defense contractors,  floated the idea that the “Defense Department might start a protective program for civilian networks”.

According to Lynn, companies may “opt out ” of the program but by doing so would place us all at risk.  Does that mean, by default, all companies are considered in the program?

The congress also is taking action. A draft bill, co-sponsored by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), gives the Department of Homeland Security authority to keep “critical infrastructure” up and running during a “cybersecurity emergency”.

It would be interesting to see the bill’s definition of cybersecurity emergency.   All would agree that coordinated defense is essential. The federal government is probably the only entity able to provide that coordination on a national scale.  Coordination is one thing. Control, however, well that’s another animal.

Related posts:

1. No National ‘Stand Your Cyberground’ Law Please Patrick Lin, who is Assistant Professor and Director of Ethics and...
2. Protecting Wireless Network From Hackers and Neighbors Local wireless networks, which provide information to receive and send...
3. Protect the Internal Network From Hackers Attention! All the hackers on the systems of various according...

On July 13, Microsoft will officially retire Windows XP Service Pack 2 . Although it will continue to provide security updates for XP Service Pack 3, it will stop providing patches for the older SP2. Microsoft offers support for its products for five years and extended support for another five years. For XP SP2, that journey comes to an end on July 13. Windows XP 3 will be supported until April 2014.

Microsoft issues security updates and other core operating system patches every second Tuesday of the month, known as Patch Tuesday. Whereas most home users typically install these patches automatically, corporate users usually install service packs and security updates manually and only after extensive testing. For large corporate environments,  operating system upgrades are often a very perilous and expensive exercise.

According to security risk and compliance management provider Qualys, 50 percent of the several hundred thousand PCs it monitors for its clients are still running Windows XP SP2.  Most of these are probably user desktops, but some may also be applications and appliances that use Windows XP 2 as the base platform. Upgrading such systems may make them inoperable.

According to Sajed Naseem, principal at Washington DC based security firm, Secure Intervention,

” The longer these systems  linger after the July 13 deadline, the more vulnerable they become. There will undoubtedly be many Windows XP 2 systems still out there and hackers know that. Only there will no longer be security patches coming from Microsoft as new holes are discovered and publicized.”

Related posts:

1. Aaaah The Infamous Blue Screen of Death On Tuesday, Microsoft issued a patch, MS10-015,  to fix a...
2. Microsoft warns of new IE bug being exploited by hackers Microsoft Corp. today warned of a critical vulnerability in Internet...
3. Microsoft resumes pushing Blue Screen Update Microsoft has resumed pushing out the patch connected to the...

According to Google, Web History allows the following:

• View and manage your web activity.
  You know that great web site you saw online and now can’t find? From now on, you can. With Web History, you can view and search across the full text of the pages you’ve visited, including Google searches, web pages, images, videos and news stories. You can also manage your web activity and remove items from your web history at any time.
• Get the search results most relevant to you.
  Web History helps deliver more personalized search results based on the things you’ve searched for on Google and the sites you’ve visited. You might not notice a big impact on your search results early on, but they should steadily improve over time the more you use Web History.
• Follow interesting trends in your web activity.
  Which sites do you visit frequently? How many searches did you do between 10 a.m. and 2 p.m.? Web History can tell you about these and other interesting trends in your web activity.

If you don’t care to have that information recorded, you can and should “pause” it.

https://www.google.com/history

Related posts:

1. Google pulls out of China Is this a divorce or separation?  I chronicled Google’s dysfunctional...
2. Google and China: A Dysfunctional Marriage Since making it’s search engine available to Chinese users in...
3. Big Broth…I mean, Google Last week ( December 3. 2009), Google announced it Public...

Google is apparently making this decision in response to the hacking attacks on late last year in China. The attackers  used vulnerabilities  in Microsoft’s Internet Explorer 6 to go after Google’s intellectual property, believed to be source code.  One could argue that if they had updated their browsers, the attacker would have had to find other vectors for attacks.

Could this be a strategic move by Google to prove that an Enterprise can survive WITHOUT Microsoft? With Google’s Chrome OS on the horizon, this may just be the warm-up act.

Source: http://www.ft.com/cms/s/2/d2f3f04e-6ccf-11df-91c8-00144feab49a.html

Related posts:

1. Google and China: A Dysfunctional Marriage Since making it’s search engine available to Chinese users in...
2. Microsoft says Do Not Call for Help! If it sounds like a horror movie….well, that’s because is...
3. Use Google Apps or Gmail? Avoid getting hacked! It can happen to the best of us. Blogger and...

I often fault security professionals and educators who speak in absolutes when trying to increase security awareness. Human nature isn’t absolutist. Any security doctrine that doesn’t account for reasonable human behavior is doomed to failure. Never do this! Never do that! Never use the same password with more than one account! And be sure to change them periodically. Naturally they must be complex passwords including upper and lower case letters, numbers and special characters. Really?

It’s not unusual today for an average Internet user to have 10 or more online accounts. That would mean 10 complex, constantly changing passwords. That would also mean the user will write them all down in a place that is readily available. Oh, I forget the never write passwords down mantra. Sigh.

I’ve taught course where as I went through my list of  “never do’s”, I would watch students’ eyes move from the gleam of interest to dull hopelessness. ” I could never do all THAT!”, someone would say.  Another would chime in, :” That’s why I don’t do online banking!”

Is have the same password for your Facebook and Twitter accounts the harbinger of doom??  Probably not. Myspace and your online bank account? That’s an absolute NO NO.

How do we increase security awareness in average computer users thereby strengthening the “weakest link” in our security posture? We certainly can’t continue to do it by burying them in an avalanche of rules.

Related posts:

1. Changing Internet passwords a waste of time?? From the following article: http://wcbstv.com/seenat11/internet.passwords.microsoft.2.1633927.html “The study concluded someone hacking...
2. Did Facebook CEO play fast and loose with user login data? Did you Facebook CEO play fast and loose with user...
3. How much is your Twitter Account worth on the Hacker Underground? Well, that depends on the name of your account and...

The question is not  Cloud Computing vs. Open Source.  In fact, there are open source SaaS providers like MindTouch out there.  If considering a product like Nagios, a better comparison would be open source vs. commercial.  In many cases, cost is the determining factor for companies to look  to open source technologies. Other considerations include flexibility and security.

The more relevant  comparison would be hosting and managing a network monitoring system on site vs. moving to a SaaS provider. For many organizations,  IT is considered overhead and not the primary function of the organization. Companies move to the cloud for most of the same reasons companies out-source.  Can someone else do it better for less?  Cost is ually the easier consideration. Companies have to grapple with the ‘better’. Does it mean more security, availability, capacity? Many cloud providers would say ‘yes’ to all and then some.  Organizations have to really consider and make that determination themselves. Make a real comparision between their options and not just follow the typical vendor hype.

Related posts:

1. Exploring Cloud Computing Information Leakage If you are in cloud computing security (or part of...
2. Cloud Computing = Loss of Confidentiality? Interesting excerpt from article in ITWorldCanada: “Adi Shamir, a computer...
3. Moving data storage to the cloud? What’s your business continuity plan? Many trumpet increased availability as a reason to move to...

Update Summary

• Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
• Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
• Over 100 tickets were closed since the last point release and over 200 since v3.3

The full release notes can be found  here.

Related posts:

1. CISSP All In One Book FIFTH EDITION has been released The fifth edition of this best-selling comprehensive CISSP training resources...
2. Backtrack 4 Final Released!! Backtrack is a linux-based penetration testing suite of tools  used...
3. 2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...

Does the remote chance of your virtual server being attacked by another virtual server on the same host server justify the added cost of a private cloud deployment? That’s for each client to decide. Ensure you are doing your due diligence before making a decision one way or the other.

Abstract:

Amazon’s EC2, allow users to instantiate virtual machines (VMs) on demand and thus purchase precisely the capacity they require when they require it.In turn, the use of virtualization allows third-party cloud providers to maximize the utilization of their sunk capital costs by multiplexing many customer VMs across a shared physical infrastructure. However, in this paper, we show that this approach can also introduce new vulnerabilities.Using the Amazon EC2 service as a case study, we show that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and instantiate new VMs until one is placed co-resident with the target. We explore how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine.

Download paper: http://people.csail.mit.edu/tromer/papers/cloudsec.pdf

Related posts:

1. Cloud Computing = Loss of Confidentiality? Interesting excerpt from article in ITWorldCanada: “Adi Shamir, a computer...
2. IBM X-Force handicaps future trends in security Looking ahead, the X-Force Research and Development team has identified...
3. Will your Cloud Provider be around in two years? I just read that my hosting company, GoDaddy, is on...

Facebook claims they turned the information about the hacker to law enforcement authorities and that the hacker’s claims are grossly overstated. Even if this guy is caught, extradition to the US is unlikely. Russia’s stance on this sort of thing is ” show us the proof and we will prosecute him ourselves”.

Related posts:

1. Hacker Updates Woman Facebook Status Here’s an interesting story. Who didn’t see this coming? “Police...
2. Did Facebook CEO play fast and loose with user login data? Did you Facebook CEO play fast and loose with user...
3. Facebook to share your information with other sites Facebook users are expressing strong disapproval of proposed privacy changes...

In the next few weeks, Booz Allen Hamilton will provide a status report on its compliance audit study for the Office for Civil Rights in the Department of Health and Human Services, the governmental unit that enforces the privacy and security rules, says Susan McAndrew, OCR’s deputy director for privacy.

Read Full Article: http://www.healthcareinfosecurity.com/articles.php?art_id=2517

Related posts:

1. 2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...
2. United States Department of Defense Embraces Hacker Certification Mar 01, 2010 – The U.S. Department of Defense (DoD)...
3. Pentagon and Congress wants control of your network during cyberattack There has been a lot of chatter in the news...

I ran into this article today  titled ” Botnet exploits Linux users’ ignorance“. The writer makes the point that ” a lack of knowledge and awareness about how to use Linux mail servers could be contributing to the disproportionately large number of Linux machines being exploited to send spam”.

I wholeheartedly agree with this. Companies see open source technologies as a means of saving money but do not have staff adequately trained to secure these systems.

The second point I noticed was that the report from Symantec’s Hosted Services referenced in the article pointed out that ” Linux based machines are 5 times more likely to send out spam than Windows based computers”.

The writer quotes a Symantec Malware Analyst as saying:

“…..one reason there is so much spam from Linux could be that many companies that have implemented their own mail servers, and are using open-source software to keep costs down, have not realised that leaving port 25 open to the Internet also leaves them open to abuse.”

Related posts:

1. 5 Open Source Alternatives to Microsoft Office The Microsoft Office productivity suite has risen to become the...
2. 2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...
3. Botnets give the hacker espionage tools formerly reserved for nation states The cyber attacks against Google, Adobe and a raft of...

“Enterprise customers will get compensation tailored to each individual customer and will receive a combination including products, services and support,” a McAfee spokesman told ZDNet UK on Tuesday.

The concept of companies paying for damages caused by buggy software has been often discussed. Is this a step in that direction or is McAfee  just doing some good customer management ?

Source: http://www.zdnet.co.uk/news/security-management/2010/04/27/mcafee-to-compensate-businesses-for-buggy-update-40088779/?s_cid=938

Related posts:

1. If Microsoft can do it, why not McAfee? Yesterday, a faulty McAfee anti-virus update labeled a critical Microsoft...
2. SMB Cyber Security Alliance helps Small Businesses address Cyber Security Risks Across all industries, small businesses are increasingly facing new threats...
3. Skipfish-Web Scanning Security Tool from Google Google has released an open-source Web security scanner called Skipfish...

I couldn’t wait to get my hands on Assassin’s Creed II. It’s nice to be able to unwind for an hour or so at night, running across rooftops in 15th Century Venice, leaping on an unsuspecting Templar and burying my dual hidden blades in his neck. Well, it would be nice accept my wireless signal in my bedroom isn’t all that great (or maybe it’s a laptop hardware issue) and the game hangs every 2 mins for about 30 seconds because I lose my connection. Thanks to the Ubisoft’s always-online DRM. I have to be online at all times to play the game.

“Hackers have overcome Ubisoft’s controversial DRM system that relied on constant connection to the internet for games to function.

A crack for Ubisoft’s anti-piracy system published by a group called Skid Row allows gamers to circumvent the controls.  A message from the group on a gamers’ forum sets out the group’s agenda: allowing legitimate copies of PC games to be played without an internet connection, rather than facilitating piracy. Skid Row cheekily thanks Ubisoft for posing an interesting intellectual challenge.”

I understand Ubisoft’s desire to protect its products from pirates but this causes a great inconvenience to legitimate customers like myself. Not to mention, it only took about a a dayto crack it. It causes me all this aggravation with controls that only held up for 24 hrs ?

Silent Hunter NFO:

Ü ß               ßÜ    ÜþßßßþÜ      Û                ÜþßßßþÜ
°   ÛÜ     ²Ü     °    ÜÛÝ  ß       ²Ü     ßßÛÛÛÜÜ     ° ÜÛÜ     ²ÛÜ
ßÛÛÛÜ ²ÛÛÜ     ÜÜÛÛÛÜÜß    °   ²ÛÛÜÜÜÜÜÜÜÛÛÛÛÛÜ ° ÜÛÛßÛÛÜ ° ²ÛÛ²  °     Ü
ÜÛÛÛÛßßßßßß ²ÛÛ²  ²ÛÛÛÛßÛ²²²Û  ÜÜÜÜÜܲÛÛ² ²ÛÛ²  ²ÛÛ²ß ÜÛÛ²   ²ÛÛÜ ²ÛÛ² °°°  ÜÛ²
ßßßßßß²²²²Üß²²²ßß²²²Ü   ßßß  Û²²²ß  ²²²² ²²²²ßß²²²ÜÜ ²²²² ° ²²²² ²²²² °°° ²²²²
±±±±±  Þ±±±±ÛÞ±±  Þ±±±± ²²²²²Þ±±±± ° ±±±± ±±±±  Þ±±±±Ûܱ±± ° ±±±± ±±±± °°° ±±±±
°°°°° ° °°°°°Ý°° ° °°°°°°°°°°Þ°°°° ° °°°° °°°° ° °°°°°°°°° ° °°°° °°°°  Ü  °°°°
±±±±± ° ±±±±±Ý±± ° ±±±±±Ü±±±±±±±±± ° ±±±± ±±±± ° ±±±±±Ý±±± ° ±±±± ±±²ßÜÛÛÛÜß²±±
Þ²²²² °Þ²²²²²²²² °Þ²²²²²Ý²²²²Þ²²²²Ý  ²²²² ²²²² °Þ²²²²²²²²² ° ²²²² ²²²²²ß ß²²²²²
ßÛÛ² ÜÛ²ÛÛßÜÛÛß  ²ÛÛÛÛ²ÛÛÛß  ²ÛÛÛ²ÜܲÛ۲ܲÛß   ²ÛÛÛ² ßÛÛ²   ²ÛÛß ²ÛÛß ° ° ßÛÛ²
°  ßÜÛÛßß   Ûß   ÜÛ²ÛÛß Ûß  °  ÛÛÛÛÛßßß   ß  ° ÞÛÛ²ÛÝ ° ßÛÛÜÛÛß ° ²ß   °     ßÛ
Üßß    °     ÜÛÛÛßß  ° ßþÜÜþß ßßÛÛÛÛÜÜÜþß  °  ßßÛÛÛÜÜÜÜÜÛÛß Eboy
ßÜÜþß     þßß                                     ßßßßßß
S   K   i   D   R   O   W

Üß               ->  T H E   L E A D i N G   F O R C E   <-                 ßÜ
ßÜ                                                                          Üß
ßßßßßßßßßßßßßßßßßßß ßßßßß  ß proudly presents ß  ßßßßß ßßßßßßßßßßßßßßßßßßß
° ÛÛÛ²²²²±±°° Silent Hunter 5: Battle of the Atlantic / Ubisoft °°±±²²²²ÛÛÛ °
±ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜܱ
²                                                                           ²
²   RELEASE DATE : 03-03-2010               PROTECTION : Ubisoft DRM        ²
²   GAME TYPE    : Submarine Simulation     DISKS      : 1 DVD              ²
°                                                                           °
ßÛ²ßßßßßßßßßßßßßßßßÛÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ßßß  ß
ßÛÝ Release Notes: ßÛÜ                                               ° Û
Üþ  Þ² ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛÛÜ                                             ± Û
Û   ÜÛß Û                                                                ² Û
ßßß  ° Û The Skid Rowdies are looking new blood to fill up the ranks.   Û Û
± Û We're a professional team of dedicated sceners with big mark   Û Û
Û Û under sceners. We believe on the ground idealism of the root   Û Û
Û Û of the real old school scene. We do all this for fun and       Û Û
Û Û nothing else. We don't earn anything on our hobby, as we do    Û Û
Û Û this for the competition and the heart of what got the scene   Û Û
Û Û started in the mid eighties.                                   Û Û
Û Û                                                                Û Û
Û Û If you think you got something to offer, then don't hold back  Û Û
Û Û on contacting us as soon as possible.                          Û Û
Û Û                                                                Û Û
Û Û  _______  __     ___     _____   /__                          Û Û
Û Û      / |/ /_/_|         _  / /_ /  /                   Û Û
Û Û  / /| / / //| |     //_// / / / / / /                   Û Û
Û Û /   |   /  | |_   / / / /_/ / /// /                    Û Û
Û Û ____/|_|___/|___/ / /_/_/__/_/____/                     Û Û
Û Û     twice the fun   / double the trouble                      Û Û
Û Û                                                                Û Û
Û Û ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Û Û
Û Û                                                                Û Û
Û Û On with the game release information:                          Û Û
Û Û                                                                Û Û
Û Û Silent Hunter 5 hails the return of the number one submarine   Û Û
Û Û simulation. For the first time the player will be able to play Û Û
Û Û & feel as U-boat captain leading his crew from a first person  Û Û
Û Û view in a true dynamic campaign.                               Û Û
Û Û                                                                Û Û
Û Û Operate against Allied shipping on a vast area all across the  Û Û
Û Û Atlantic Ocean and Mediterranean Sea and participate in famous Û Û
Û Û encounters with strong enemy warships. Can you do better than  Û Û
Û Û the best U-boat aces?                                          Û Û
Û Û                                                                Û Û
Û Û Silent Hunter 5 raises the levels of interactivity and         Û Û
Û Û immersion inside the U-boat and outside                        Û Û
Û Û                                                                Û Û
Û Û For the first time the player will walk through highly         Û Û
Û Û detailed submarines in FPS view and be able to access every    Û Û
Û Û inside & outside part of the U-boot                            Û Û
Û Û                                                                Û Û
Û Û With the help of an advanced order system the player will      Û Û
Û Û interact with the submarine crew, watch them doing their daily Û Û
Û Û jobs and experience the tension & fear inside the U-boot.      Û Û
Û Û                                                                Û Û
Û Û Player actions will impact the outcome of battles and the      Û Û
Û Û scenario evolution in campaign. Depending on his approach the  Û Û
Û Û player can open new locations with upgrade and resupply        Û Û
Û Û possibilities, while the Allied response adjusts dynamically   Û Û
Û Û                                                                Û Û
Û °                                                                Û °
ßÛ²ßßßßßßßßßßßßßßßßÛÛßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ßßß  ß
ßÛÝ Install Notes: ßÛÜ                                               ° Û
Üþ  Þ² ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛÛÜ                                             ± Û
Û   ÜÛß Û                                                                ² Û
ßßß  ° Û 1. Unpack release                                              Û Û
± Û 2. Mount image or burn it                                      Û Û
Û Û 3. Install                                                     Û Û
Û Û 4. Copy the content from the SKIDROW folder on the DVD to your Û Û
Û Û    installation directory and overwrite                        Û Û
Û Û 5. Play the game                                               Û Û
Û Û                                                                Û Û
Û Û Additinal Notes:                                               Û Û
Û Û                                                                Û Û
Û Û Don't install/use Ubisoft launcher, or simply block any        Û Û
Û Û connection to internet.                                        Û Û
Û Û                                                                Û Û
Û Û Install game and copy crack, it's that simple!                 Û Û
Û Û                                                                Û Û
Û Û Support the companies, which software you actually enjoy!      Û Û

Source: http://www.theregister.co.uk/2010/04/28/ubisoft_drm_cracked/

Related posts:

1. Cloud Computing Security: An Insider's View As CSO of Qualys, Randy Barr is responsible for security,...

“Blippy, a social networking site that allows users to share their purchases and discuss shopping with others, will revamp its security plans and hire a Chief Security Officer after an embarrassing incident in which the site accidentally published a few of its members’ credit card numbers on Google.

Blippy Co-founder and CEO Ashvin Kumar said in a blog post this week that the slip-up occurred as a result of a technical oversight back in February that caused raw transaction data to appear within the HTML code on some Blippy pages for about half a day. ”

Who didn’t see this coming a mile away? Presenters at Shmoocon this year noted that penetration testers [and hackers] absolutely love this the Blippy platform because of the naked insight it offers into the spending habits of specific individuals. They also shared a favorite quote making its way around the infosec community: “I joined Blippy and all I got was jacked at the ATM.”"

Sigh

Related posts:

1. Blippy, the Next Evolution of Stupid At what point do we as a society realize this...
2. CISSP All In One Book FIFTH EDITION has been released The fifth edition of this best-selling comprehensive CISSP training resources...
3. ISSA-NOVA Chapter December Meeting The Northern Virginia Chapter of the Information System Security Association...

Today, however, Sophos is reporting hackers are compounding the problem by using blackhat SEO (search engine optimisation) techniques to create webpages stuffed with content which appears to be related to McAfee’s false alarm problem – but are really designed to infect visiting computers.

Sophos has identified malicious webpages which appear on the first page of Google results if users search for phrases associated with McAfee’s false positive.

“It’s bad enough if many of the computers in your company are out of action because of a faulty security update, but it’s even worse if you infect your network by Googling for a fix,” explained Graham Cluley, senior technology consultant for Sophos. “These poisoned pages are appearing on the very first page of search engine results, making it likely that many will click on them. If you visit the links you may see pop-up warnings telling you about security issues with your computer. The warnings are fake and designed to trick you into downloading dangerous software, which could result in hackers gaining control of your corporate computers or the theft of your credit card details.”

Related posts:

1. Top ten malware-hosting countries revealed US and UK among the top 10 countries hosting the...
2. Google and China: A Dysfunctional Marriage Since making it’s search engine available to Chinese users in...
3. Beware of Haiti-Themed Scams and Attacks! Our thoughts and prayers go out to all those affected...

• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards

Download the full report here.

Related posts:

1. Women in IT Security I recently had a conversation with a former student of...
2. Black Hat DC -2010 is here! Black Hat, one of the biggest and most popular security...
3. Web Application Security Testing White Paper The need to provide web security and defend web applications...

“The study concluded someone hacking into your computer and stealing your password is similar to a crook getting your house key.

The crook will likely use it right away and not wait until after you’ve changed the locks.

“As soon as they’ve got it, they’re using it and then they’re gone,” said Lance Ulanoff, editor of PC Magazine.

Ulanoff advises people to get stronger passwords in the first place. ”

The so-called “expert” advise: Use stronger, more complex passwords.

I guess he is not familiar with the fact that stolen account credentials are bartered and traded like goods in the hacker underground. Ofscourse you should use complex passwords. But it’s still a good practice to change it occasionally.

Related posts:

1. CISSP All In One Book FIFTH EDITION has been released The fifth edition of this best-selling comprehensive CISSP training resources...
2. ISSA-NOVA Chapter December Meeting The Northern Virginia Chapter of the Information System Security Association...
3. 2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...