1SSA - Security News

RSA security breach the new age of "Ueber breaches"

2011-04-15T04:43:00.004-04:00

RSA a trusted name in the security industry had a major security breach. Just like a giant can die from a virus that is a billion times smaller RSA got taught a lesson about human weaknesses.

According to articles in the press a worker at RSA decided to retrieve an email from the spam folder which contained an Excel attachment. The individual opened up the Excel spreadsheet to just have an embedded flash file execute, running an exploit against Adobe's flash player, which in the recent past had several vulnerabilities with "zero-day" exploits being available. This allowed the attackers to install a backdoor and work their way through RSA's systems and network.

Security experts are now convinced that RSA had the "seeds" of their security tokens exposed. So far RSA has neither denied nor confirmed this scenario. The seeds allow an attacker to calculate the security code that RSA's hardware tokens display and use for two factor authentication.

The magnitude of this security breach is yet to be understood since the token business is one of the key business that RSA has. Thousands of customers around the globe have been using RSA's solution.

Such an "Ueber Breach" is the first one of its kind but for sure not the last one. In our information reach society, where companies are competing to gather more and more information about individuals, we will see more and more of such security breaches. The cloud technology being another factor that potentially will accelerate the rate of security breaches of that magnitude.

Read RSA's press release

1SSA - Security Consulting, Training and Products

Epsilon security breaches

2011-04-15T04:22:00.005-04:00

I received at least four notifications from various companies that have my personal information, notifying me that my email address and potentially other information had been exposed to an unauthorized third party as a result of a security breach at their marketing partner, Epsilon. All being the same format and verbiage. Telling me that Epsilon legal was potentially the source for the text.

This breach might have some people ask themselves: So why would someone steal email addresses? This breach seem to be just the first step in a much larger scheme. Back in 2008 PWC's job web site was breached, stealing thousands of email addresses and passwords. Initially nobody could understand why someone would go after such a site till cases of Paypal attacks surfaced and got connected to the PWC case. The individuals that had gained access to the emails and passwords were using them to access sites like Paypal, exploiting the fact that we all like to re-use passwords.

Read the official Epsilon press release

1SSA - Security Consulting, Training and Products

Impact of Egypt's awakining on IT outsourcing

2011-02-12T15:14:00.002-05:00

Egypt had the reputation to be a country with a well educated youth but a GDP that was one of the worst worldwide. Now that things are changing we will very likely see that increasing (I would wish that for the people in Egypt very much!). But what does that mean for you and your outsourcing efforts? Egypt is just another country following in the footsteps of countries like India were cost of living went up, salaries followed and eventually the cost of outsourcing went up too. The changes in Egypt might at the same time increase friction between various layers of the population: The new IT elite which is getting higher salaries and others that feel left behind. Time will tell if this friction will result in more unrest or if the country manages to find a social approach that ensures the stability of the country. Social economic and human factors are often underestimated in IT and particular in IT security resulting in significant risks to the business.

1SSA - Security Consulting, Training and Products

Egypt crisis and Outsourcing companies

2011-02-06T05:35:00.003-05:00

Some people see Egypt as the new India when it comes to IT outsourcing. What most people do not know is the fact that a lot of the IT support from Indian outsourcing companies already comes from countries like Egypt. A country with a well educated young generation that speaks English. It might be that your IT outsourcing is not directly affected, since being hosted in India, but the IT expert in India might have trouble getting his workstation supported from the help desk sitting in Egypt.

It is just another lesson learnt of how outsourcing creates risks that are not well understood, particular when it comes to the chain of dependencies that a global economy creates. With the introduction of the cloud the picture even gets fuzzier.

Read more: Outsourcing firms logging out of Egypt

1SSA - Security Consulting, Training and Products

Updates: Mobile apps & Cloud based services

2010-12-30T06:32:00.003-05:00

Mobile apps spying on you - It seems that there are two class action lawsuits that have been filled against Apple. Apple having tight control over apps that get posted on the iPhone app store has set itself up for this. Control also means responsibility and consumer feel cheated if they discover that Apple allows applications to spy on them.

Cloud based services and the risks - The latest victim of its cloud technology seem to be Skype, which had major outages right around the Christmas time. The service blames older clients to be the source for the outage. Those clients shutdown/crashed when receiving certain offline messages that arrived delayed. This just shows that cloud technology creates super complex systems that are not yet well understood and difficult to test for all scenarios.

Read more:
Two lawsuits target Apple, app makers over privacy concerns
Skype's mega-FAIL: exec cops to cause

1SSA - Security Consulting, Training and Products

Cloud based services and the risks

2010-12-26T09:01:00.009-05:00

The cloud is here, and it is here to stay...

Having worked in the outsourcing business for some time it is quite entertaining to see how the marketing folks sell you the same old car over and over again, just by changing the sales pitch. What I am trying to say is that the cloud is just a collection of technologies that already existed before, being sold as part of a regular outsourcing deal: Virtualization, data centers in cheap labor countries, and network capacity are nothing new. But what are the risks?

Many of the cloud solutions had outages according to various websites tracking these outages. Leaving sometimes customer with a total loss of data (E.g. T-Mobile's Sidekick outage).

Other times your privacy of your personal or business data is at risk (E.g. Health care records stolen).

Reading through the fine print (see screenshot) of some of those cloud based services, you will notice that you just provided them with the permission to circumvent the local law. Agreeing to have your data stored "somewhere", where the laws of the country your reside in, might or might not protect your data.

Read more:
Cloud Privacy report - World Privacy Forum
Top-10 cloud outages in 2010

1SSA - Security Consulting, Training and Products

Mobile apps spying on phone users

2010-12-19T19:01:00.002-05:00

Do you like listening to Pandora? According to a a study conducted by Wallstreet Journal you better be prepared to offer some of your private details. The Pandora application on iPhone, according to the article, sends information about you to at least eight (8!) tracking services that gather information. This is not unusual according to the article. Most of the 101 apps tested showed evidence that they provide information ranging from a unique phone ID up to location information, age, Zip code and gender to tracking companies. The article also mentions that iPhone apps seem to be worse than their siblings on Google's Android platform.

Apple claims to review all applications before being allowed in the iPhone app store. This has caused a false sense of privacy with users. All of the apps reviewed by WSJ were available in Apple's app store.

Blackberry applications were not reviewed but the model RIM (maker of Blackberry) introduced in it's Blackberries a different security model. Access to certain information can be blocked. The user needs to deny the application the "trusted application" status and allow just access to individual information.

Read the WSJ article here: iPhone and Android Apps breach privacy

1SSA - Security Consulting, Training and Products

The big information security illusion

2010-08-15T18:57:00.002-04:00

Now for years various vendors have worked to bring the various worlds together: IT, mobile phone service and physically security. The new thinking of "Everything is secure as long as the end point is secure" might not work out. Countries like Saudi Arabia or UAE pretty much told Blackberry manufacture RIM "Too much security/privacy" and are either thinking about, or already have made Blackberries illegal in their respective country.

Someone might say "Oh well not that big of a deal"...but this was just the start. Now IT outsourcing country #1 joins the club of Blackberry "haters" - India. What could that mean? For example software token solutions installed on your Blackberry used for multi-factor authentication could potentially be eavesdropped on by the Indian government. Some of them utilize SMS text messages to provide codes to users. Those codes are used to authenticate against IT systems requiring stronger authentication due to the sensitivity of the data stored on them. Some governments (e.g. Germany) already have advised to not use RIM devices for sensitive information.

Read more: Wallstreet Journal article

1SSA - Security Consulting, Training and Products

From Enigma to Infinion's security chip...

2010-02-03T17:47:00.002-05:00

During Blackhat DC 2010 Christopher Tarnovsky a researcher announced that he had broken through the defense mechanisms of Infineon's security chip. The chip has multiple mechanisms to protect itself from tempering with it. Making it the choice for many vendors to implement it in its devices. As the German Enigma during World War II has shown nothing holds for ever. Now Infineon, a German company, has to see once again that blind trust in its engineering is a recipe for the wrong attention. In this case Mr. Tanovsky worked his way step by step through the defense mechanism of the chip, having in the end ultra-small needles tap into the data bus. He then could readout encryption keys and other internal data of the chip. Tarnovsky informed Infineon of the flaws he had discovered, but so far Infineon has not responded.

According to Dark-Reading he told the Black-Hat audience: "Their initial reaction was to tell me that what I'd done was impossible," he said. "Then when I sent them some video and the code that I just showed [to the Black Hat audience], they went quiet. I have not heard back from anybody."

History repeats and blind trust in your engineering is never a good idea.

Read more: http://mobile.darkreading.com/9287/show/575baa2ef08cb38a3077417686e53489&t=0cd88a4fad7a9f5ce08e7b67d7d418d3

1SSA - Security Consulting, Training and Products
Attend our Oracle Security classes - Learn how to secure your Oracle databases

Have you checked your billboard today?

2010-01-17T12:35:00.003-05:00

Times are over were just IT devices were a target for hacker attacks. Years ago I read an article in 2600 magazine describing how to hack traffic bill boards, the one's that have the bright orange LED type displays, making them display a random message. Now that art has been brought to a new level, adopting to the new display technology and a networked world. Last Thursday drivers on one of Moscow's (Russia) busiest roads were confronted with some porn clip that was flickering off a 30-foot-by-20-foot (aproximately 10m x 6.5m) size electronic billboard. This resulted in a major traffic jam since drivers slowed down to catch the "message" that the billboard was trying to convey. According to news article the advertising firm that owns the billboard stated that hackers had broken into their system and switched the content to the adult material.

The more our society is networked and technologies are melted together, the more we expose ourselves to such juvenile hoaxes. In the end this one had some people being upset and others with a smile on their faces but it also could have been a nuclear power plant's controls that suddenly show Pac-man instead of the controls for the reactor.

1SSA - Security Consulting, Training and Products
Providing Solutions that protect your Assets and People in a changing world

Y2K+10 it finally caught up with us

2010-01-08T17:22:00.002-05:00

Europe, particular Germany, Europe's largest economy has been shaken by a glitch in a security chip that is implemented in most ATM and some credit cards. This chip allows for additional security and is in some cases the only way for merchants to accept cash-less payments. Due to the weak security of the magnet stripe on the back of ATM and credit cards that chip was implemented. Up to midnight December 31st 2009 everything was fine. After that suddenly cards were rejected. Now after close to a week of confusion finally the riddle is solved, most ATM machines and merchants can now accept payments again. And this only because thousands of payment terminals and ATMs have been patched with new software.
Rumors say that the source for this disaster is a programmer at a french company producing the chips, confusing the format (hexadecimal or decimal) of the expiration year. Thinking that the year is in hexadecimal format, which did not matter for 09 but making the value 10 (hex) suddenly become a 16 (dec) in the decimal system. Since ATM cards usually have a lifetime/expiration of 5 years in Europe those cards were being rejected. According to various sources over 30 Million German ATM/credit cards have been affected. Even ATM cards in Australia seem to be impacted.

1SSA - Security Consulting, Training and Products

Promote moral behavior by a clean smell

2010-01-01T22:03:00.002-05:00

New study suggest that a clean smell promotes moral behavior. According to this soon to be published study, led by a Brigham Young University professor, people are unconsciously fairer and more generous when they are in clean-smelling environments.

While there current study examined the influence of the physical environment on morality, Zhong and Liljenquist previously published a work that demonstrated an intimate link between morality and physical cleanliness. Their 2006 paper in Science reported that transgressions activated a desire to be physically cleansed.

So how can information security professionals make use of this knowledge? I guess that this might be a bigger challenge since criminals nowadays can sit thousands of miles away.

Read more:
Science Daily

1SSA - Security Consulting, Training and Products

German Big Brother Award - Companies & Privacy

2009-11-08T19:34:00.005-05:00

Each year a committed of privacy experts determines the companies that have actively profited and supported the privacy breaches (so called legal ones or border line ones). This year, according to Heise Online, the price for the worst offender actually went to not only one company but a large number of companies:

- Quante Netzwerke for the development and sale of programs that allow for storage of network information of Internet users also known as "Lawful Interception".

- Utimaco Safeware for its "Data Retention Suite".

- Datakom-subsidiary GTEN for its outstanding work in eavesdropping technology.

- Syborg a company specialized in telephone recording and analysis.

- DigiTask for the development of a Trojan (malicious code) that can be used to eavesdrop on Skype conversations.

- Secunet because of selling/providing their "Sina-Box" to each telecom recording facility that the German government has in place.

- Cisco for its excellent work in deep packet inspection that allows for continued monitoring of information even with increasing Internet traffic.

- Trovicor, a Spin-Off from Nokia Siemens Networks (NSN), which delivered surveillance software to the Iran.

Read more: German Big Brother Awards(English)

1SSA - Security Consulting, Training and Products

HHS issues an interim final rule on HIPAA enforcement

2009-11-01T12:09:00.002-05:00

On October 30th the US Department of Health & Human Services issued a interim final rule to strengthen the enforcement of the Health Insurance Portability and Accountability Act (HIPAA). This was necessary due to the The Health Information Technology for Economic and Clinical Health (HITECH) Act, which modified the HHS Secretary’s authority to impose civil money penalties for violations of the HIPAA act occurring after Feb. 18, 2009. These HITECH Act revisions significantly increase the penalty amounts the Secretary may impose for violations of the HIPAA rules and encourage prompt corrective action.

Prior to the HITECH Act, HHS could not impose penalties of more than $100 for each violation or $25,000 for all identical violations. A covered health care provider, health plan or clearinghouse could also bar the Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules. Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

Do you have checks in place that ensure you are in compliance? It is common practice and required by NIST SP 800-66 to actually have regular checks in place.

Contact us, we can help: contact@1ssa.net

Read more:
HHS announcement

1SSA - Security Consulting, Training and Products

UK healthcare records sold in India

2009-10-25T11:28:00.003-04:00

According to an ITV show (just viewable in the UK - see link below for short transcript) medical records of UK residents are sold on the black market in India. The service offered is very sophisticated, even promising to break down information based on disease categories.

Besides the ethical part of this, there are various other reasons that make me want to ask the US government to heavily regulate electronic medical records and not go the usual approach of having the market determine what is good for the companies offering the service...or was it the patient? Looking back I guess I am not the only one that has that confused.

Read more: ITV article, Pete Finnigan's blog

1SSA - Security Consulting, Training and Products

Sidekicks and a Danger-eous Cloud

2009-10-12T08:13:00.002-04:00

I think we have our first major cloud incident and nobody knows how to handle it. T-Mobile customers in the United States using Sidekick devices might not be the biggest fans of T-Mobile's approach of handling data with cloud computing. T-Mobile has outsourced it's Sidekick services to a company called Danger, which is owned by Microsoft. Sidekick devices heavily use the network and offside storage. The network storage devices used to store Sidekick data at Danger are manufactured by Hitachi.

Microsoft, Hitachi, and T-Mobile all big names but the information that leaked out does not show much professionalism. Hitachi was tasked to update Danger's network storage devices. According to an Engadget article, without a data backup or a working back-out plan that update went quite wrong. Some of the data stored by T-Mobile's Sidekick users has been deleted.

Even days later the overall system is still not stable and T-Mobile advises individuals to not turn-off their devices. Even sales of Sidekicks are on hold.

I guess cloud computing is in Danger.

Read more at:
Engadget
New_york Times

1SSA - Security Consulting, Training and Products

Trojan forging bank statements to cover traces

2009-10-08T07:28:00.004-04:00

This is getting way too "perfect". Now malware was discovered that re-writes bank online statements on the fly, covering traces of illegal bank transactions. By doing this, criminals have more time to route the money and hide it. This new Trojan seems to be using a server in the Ukraine for control. First victims were spotted in Germany, with damages up to 300,000 Euros (approximately $400,000) in just 22 days.

You can read more at: Wired article

1SSA - Security Consulting, Training and Products

Wifi security problems - Just paint!

2009-10-02T16:26:00.004-04:00

This was just a question of time till a company would come out with it and here it is: A paint that stops radio-waves which are used for wireless Lan (WLAN/WIFI). The same goes for cell phone and other radio waves used in modern mobile devices. For the electrical engineers: The paint claims to block radio waves up to 100 GHZ. So what exactly does that mean? An additional layer of security that can be introduced, to prevent someone to access your wireless network. You can paint the outside facing walls of your home or office with this special paint and nobody can pickup the radio waves from inside anymore...that actually also means nobody can use a cordless phone anymore when outside the home. So you might want to reconsider the paint and configure your wireless access point/router to use WPA2, the latest security standard for wireless devices. Is it a 100% assurance that nobody can break into your wireless network? Unfortunately the answer is No. Attacks that use so called rainbow tables containing precomputed keys that are used for the encryption and authentication of the wireless traffic and devices are the latest attacks, besides the usual attacks that go after flawed implementations of the wireless protocol with certain vendors. Maybe the paint is not such a bad idea but keep in mind that windows cannot be painted...

Read more at: BBC News, Wikipedia - Rainbowtable

1SSA - Security Consulting, Training and Products

Ants attacking malicious code (or the slow death of antivirus tools II)

2009-09-26T09:04:00.003-04:00

Three researchers are working on a new method of detecting malicious code. The approach is basically based on mimicking ant behavior. So far it is in a development stage but has already identified a worm that was purposely introduced into a network of computers. The so called digital ants depend on agents so called "sentinels" installed on each machine, which in report back to so called "sergeants" on the network that are monitored by humans.

According to an article on Physorg.com the system only works in large networks where computers have the same build. Which means: If an "ant" sees a deviation from the standard build it will alert others to inspect what it could be. Just that it does not happen in real-time. Most infections require to act fast (i.e. a keyboard logger are sending your credit card data across as you type). Also the number of ants is concerning...the researches already planning on having 3,000 different type of ants. Is this another signature based approach?

Again a technology that only works in large networks/clouds. What about the typical corporation that has a sales force with laptops that randomly connects to check just email?

Here is the article - Ants vs worms: New computer security mimics nature

1SSA - Security Consulting, Training and Products

The slow death of antivirus tools

2009-09-22T11:55:00.003-04:00

I think by now everyone using a computer that is somehow connected to the Internet is using an antivirus/Internet security/Spyware/etc. solution. No matter which one you choose they all are based on signatures to recognize malicious code entering your system. Those signatures need to be updated on a regular basis, to keep up with the known malware out there. You wonder why "known"? An antivirus company needs to have a sample of the malicious code to produce a signature. Which means Zero-day malicious code cannot be recognized by the program. Also if you do not update the signatures, the antivirus tool might not catch the latest known malicious code (e.g a virus or a worm) since you are lacking the signature. Let's summarize this and take a closer look:

First of all the malicious code needs to be already known and identified as such before your software can do anything about it. Most vendors incorporate so called heuristic analysis routines into their programs but they are usually so sensitive that most users turn them off (some vendors even have them turned off by default!) or do not react at all. Fact is that the industry has failed to provide a reliable heuristic scan solution so far.

Second those programs do not reliably identify all the viruses they "know". There is not one program out there that has recognized 100% of all the malicious code that is out there in the wild, even having all signatures installed. This is quite disturbing but a reality.

I am sure everyone has complaint about his/her computer being slow or flaky. Ever thought that this might be because of the antivirus program you are running? Reality is that those programs have hooks into all kinds of system calls and are constantly checking memory and files for malicious code. All this costs performance and your time. Unfortunately the signature based checks can only work that way.

Which brings me to the third point, the number of signatures has increased so much that each year the antivirus vendors set a new record in pushing out new signatures.

So what is the point? The point is that all these malicious code programs are dieing a slow death, the death of too many signatures to check in the time available.

Some of the vendors have realized that and are already turning to solutions that utilize the "cloud" (see cloud posting in this blog) and that way recognize infected files that way. But what happens to the people that are offline for an extended time? I guess they might be out of luck.

Here is some further reading:
Antivirus tools compared August 2009

1SSA - Security Consulting, Training and Products

Erasing HD: One time is enough?

2009-09-15T09:25:00.004-04:00

For decades I have heard about HDs needing to be overwritten several times before being discarded. All to avoid someone from being able to retrieve information from that HD. It seems that we have been a little too paranoid. At least that is what Craig Wright, Dave Kleiman, and Shyaam Sundhar three forensic experts say in a White Paper they published.

According to the White Paper the chance of getting a Bit back the correct way is only 56% (which is close to flipping a coin). As a result the chance to reconstruct a Byte correctly is only 0.97%! You can imagine how this looks like for even a file in the Kilobyte range.

1SSA - Security Consulting, Training and Products

What is cloud computing?

2009-08-25T13:21:00.004-04:00

Having listened to Google, having done my reading I am still not clear on what cloud computing is for each of the companies offering it. I guess it depends on who you talk to and how they define the cloud and what cloud computing offering they have for you. Most of us Internet oldtimers remember that the Internet was the original cloud. It took care of things e.g. routing. But are all the cloud offering taken care of e.g. security? Privacy and security seem to be still at an immature state.

Now NIST has taken on the challenge of helping with the definition of "cloud computing" and has drafted a document. I guess the next step is to define a standard for cloud security or at least some common APIs.

Background material:
NIST Cloud computing

1SSA - Security Consulting, Training and Products

Infected websites on Google &Yahoo

2009-08-25T08:04:00.010-04:00

We all (or at least the majority of us) use Google and Yahoo to search the Internet - "Just google for it" has become the answer to most questions that cannot be answered. This is something that many hackers are using now to infect computers with malware (virus, bots, worms, etc).

The latest case now has over 64 thousand (see pictures, click to enlarge) websites that contain a so called "Iframe" (a reference to another website in a section of the page, that gets displayed) which points to a web server that tries to infect your computer.

Nowadays googling for something and clicking on a search result can easily result in malware infections. Counting on your Anti-Virus/Spyware tools to catch the attack is a gamble that you might loose. Most of the sites use zero-day (or close to 0 day) exploits for browser vulnerabilities. Microsoft sometimes needs months to fix such issues.

On the other hand organizations need to show more due diligence in patching such holes. It is part of the TOC of your Internet presence.

Some background information:
Mass infection turns websites into exploit launch pads
Free Antivirus Software
A grim day for browser security at hacker contest

1SSA - Security Consulting, Training and Products

SMS based 2-factor authentication not that secure?

2009-08-22T08:48:00.003-04:00

There is a push to get away from token based two factor authentication (for the not security savvy folks: Tokens are the little things that displays numbers and are used to login to your bank or work account). Using your cell phone (for the non-US readers: mobile phone) instead seem to be a general trend. Many companies are now offering SMS based two factor authentication, using your cell phone as a secure device to provide you with a code.

How does it work? A text message (SMS) is send to your cell phone containing a code. Once received, you simply need to type it when trying to log into your account online.

The idea sounds brilliant. Cutting down the cost by not buying the expensive token devices. And as an extra benefit, no clunky device on your key chain

But as always the devil is in the details. Is a cell phone really that secure? The GSM standard that has been the predominant technology worldwide for quite some time, with core developed taken place quite some time ago. At that time some compromises were made when it came to security, simply to shave of some of the costs.

Also in some of the more "regulated" countries the encryption, that is offered with the GSM standard, is not used (e.g. Pakistan). Other Operators like "Eltasel", a mobile operator in the United Arab Emirates, seem to have their own idea of privacy and security. According to several news articles Eltasel tried to install malware on its customers Blackberries to snoop on them. It is suspected that Eltasel was serving the local government when doing this but it is still not clear.

Another development of interest is that suddenly certain cell phone models are increasing in price on the 2nd hand market. A German Nokia 1100 handset supposedly went for 25K Euros in the Netherlands. Rumors have it, that those handsets can be used to intercept SMS messages. Currently an investigation into the technical details are pending but if it is possible than it is just a question of time before other models might come in demand with even bigger flaws.

All in all this does not look too good if you ask me. Cell phones were designed for voice calls and security even for that has been lacking. But now we are trying to use this platform for way more, a secure communication device that allows us to log into critical systems. If you ask me, I think we have a little bit to go before there is a clear trust model on channel and end-point security with mobile devices in general.

Some background reading:

25K Euros for an old Nokia
Handset makers the criminal's friend
Eight accused in AT&T, T-Mobile $22m ID theft scam

1SSA - Security Consulting, Training and Products

Ameriprise website security: Fly-by-night operation

2009-08-21T08:55:00.003-04:00

Ameriprise one of the larger financial investment companies did not patch major security flaws on their investment site for at least five months. Russ McRee notified Ameriprise financial several times but none of his emails were answered. The flaws Mr. McRee discovered allowed even lesser skilled attackers to exploit those vulnerabilities and ultimately bring customers/users of Ameriprise at risk. One of the flaws allowed for sending Ameriprise customers bona fide links to the Ameriprise website that opened pages that intermingled counterfeit content with legitimate text and graphics.

I can only think of one case that tops this "fly-by-night" operation and this is with ISH/UnityMedia a cable company in Germany, that actually replied to emails complaining about Spam coming from their network with the comment "Just configure your Anti Spam software, this is not our problem".

Seems like irresponsibility is on the rise.

Read the article: Security bugs crawl all over financial giant’s website

1SSA - Security Consulting, Training and Products

Radisson joining the club of credit card victims

2009-08-19T16:16:00.003-04:00

Today, August 19th, Radisson Hotels put up an open letter addressing its guest that stayed at their chain between November 2008 and May 2009. The letter is to notify guests about a security breach that exposed credit and debit card information. According to the letter just some hotels have been involved in this incident but the letter does not specify which ones.

As usual free credit monitoring for a year is offered. I wonder who came up with this idea, to let organizations off the hook so cheaply. It is well known in the security industry that credit card information is not used immediately and sometimes stored/traded for years before being used.

If this year continues like this close to every credit card owner in the United States has free credit monitoring for at least a year, or maybe even double and triple monitoring for a year.

Read the letter:
Radisson's open letter

1SSA - Security Consulting, Training and Products

Data of over 130 Million Credit Cards stolen

2009-08-17T21:32:00.002-04:00

This year will become a record breaking one for sure. Albert Gonzalez a man who already is jailed on charges of hacking into major retail computer networks has been indicted a third time for allegedly stealing data on a record number of credit and debit cards.He is accused of stealing data involving 130 million (yes the number with 6 zeros) credit cards. Some of them being used at stores like 7-Eleven stores and other well known chains.

According to Prosecutors Gonzalez is charged along with two co-conspirators identified only as "Hacker 1 and Hacker 2, both of Russia." They allegedly moved the data to computer servers operating in California and Illinois, and overseas in Latvia, the Netherlands and Ukraine.

What is "entertaining" to me is that he could be also fined up to $500,000...which he can probably pay with credit card, question is who's card?

Article in the Guardian

1SSA - Security Consulting, Training and Products

111,000 bogus Antivirus products found in Q1 2009

2009-08-16T21:12:00.002-04:00

According to Pandalabs more than 111,000 bogus antivirus (or other anti-malware tools), so called scareware, have been discovered in the first quarter of 2009. This is more than what was discovered in 2008 in total!

Before downloading and using a tool that claims to check and remove a virus it is advisable to do a check against one of the white lists, to see if the vendor is reputable. Otherwise the tool might infect the computer that it has been installed on.

Here is a link to a whitelist page: Antivirus Vendor Whitelist

1SSA - Security Consulting, Training and Products

eVoting - Not ready for prime time

2009-08-15T22:05:00.002-04:00

I find the idea of eVoting kind of appealing but on the other hand scary. With so many security problems that we have with our regular IT systems, I am not sure how secure eVoting can be made. I monitored for a while the email threads on the various security blogs and it seems that some security researcher had quite some fun with eVoting systems.

Here are some interesting articles:
- Voting machine hack costs less than $100K
- Sequoia e-voting machine commandeered by clever attack
- Can DREs provide long lasting security?

1SSA - Security Consulting, Training and Products

Cookies for the feds?

2009-08-12T11:20:00.002-04:00

That the Obama administration is taking on hot topics is nothing new. This time it is the cookie ban that the federal government has in place now for over 9 years. Since 2000 the federal government has banned so called "tracking cookies" with government websites. This has caused quite some pain for web application developers and other groups wanting to use those. Now the Obama administration has proposed a revised version of this ban, making it a three tiered approach. This seems to now cause the American Civil Liberties Union some pain and it is opposing the new approach.

Read the online article.

1SSA - Security Consulting, Training and Products

US government cybersecurity bigwigs leaving

2009-08-11T17:19:00.002-04:00

According to the Register two key people of president Obama's cyber security staff left over the 5 months.

In March, Rod Beckstrom, resigned as head of the National Cyber Security Center. He headed an office within the Department of Homeland Security that is responsible for coordinating the defense of civilian, military, and intelligence networks. According to the article there was quite some frustration on Mr. Beckstrom's side regarding the funding of responsibilities of his office.

Last week then Mischel Kwon submitted her letter of resignation. She was the director of the Department of Homeland Security's U.S. Computer Emergency Readiness Team. Again the

According to the Washington Post Kwon, who was the fourth US-CERT director in five years, was frustrated with bureaucratic obstacles and a lack of authority to fulfill her mission.

According to the Post also the lead White House cyber security official, Melissa E. Hathaway, is going to step down next week.

What is going on with the nation's cyber security? I must say I have not been impressed so far with the approaches that the nation has been going to secure some of the nation's most critical infrastructure. But those resignations make me believe we might have had the right people but they could not execute.

Here are the articles:
Mischel Kwon article
Rod Beckstrom article

1SSA - Security consulting, training and products: http://www.1ssa.net

Analysis on Twitter DDoS

2009-08-11T17:05:00.003-04:00

As I already had suspected, the attacks on Twitter were politically motivated. People seem to not learn. This just results in the target becoming a martyr. In the case of last weeks DDoS attacks on Twitter and Facebook it is a Pro-Georgian blogger going by the name of Cyxymu.

F-Secure and McAfee each have put together an analysis that can be read here:
F-Secure
McAfee

1SSA - Security consulting, training and products: http://www.1ssa.net

Updated: Twitter taken down by distributed denial of service attacks

2009-08-07T05:50:00.004-04:00

After a series of complaints from foreign entities and groups Twitter finally became the target of a distributed denial of service attack (DDoS). Somehow that was just a question of time before that happened: If you can't get the people to shut up than you go after the medium they use to communicate. Twitter is currently operating normal but the DDoS seems to be ongoing according to Twitter's official blog.

Update: Rumors say that a massive wave of spam using Twitter brought it the service to it's knees, not a planned DDoS attack.
Update2: It is now confirmed that it was a DDoS attack on a particular account - see post from 08/11/09

Link to Twitter's official blog: http://status.twitter.com/post/157191978/ongoing-denial-of-service-attack

1SSA - Security consulting, training and products: http://www.1ssa.net

Hacking the hacker - fake ATMs in Las Vegas

2009-08-04T05:41:00.002-04:00

During Defcon and Blackhat several ATMs (Automated Teller Machines, for the non-US readers) were discovered that were not dispensing any money but charging the account of the user. Strangely that happened at the same time when Defcon and Blackhat, some major hacking events took place.

Read more at: http://www.pcworld.com/businesscenter/article/169473/security_analyst_las_vegas_atms_may_have_malware.html

1SSA - Security consulting, training and products: http://www.1ssa.net

Hacking for free parking

2009-07-31T17:21:00.002-04:00

San Francisco has been working on a computerized parking meter system for some time. Based on smart cards it should collect parking fees via a smart card. It just looks like that this is not working that well. I am sure most Europeans that know about the Chaos Computer Club, which has been doing a lot of research in that regards are not surprised. What do we learn out of this: Smart cards are not a silver bullet...or if they are then you better know where to aim before shooting yourself in the foot.

Read the full article at: http://www.networkworld.com/news/2009/073009-meter-hackers-find-free-parking.html

1SSA - Security consulting, training and products: http://www.1ssa.net

US government's latest computer monitoring program

2009-07-30T09:56:00.002-04:00

It is nothing new that government's spy on their own people. Not only in the countries that are having a quite different opinion of what democracy is and how it should be implemented but also in other's that normally pride themselves as one of the first one's to implement it.

The US government has been asked to provide more details about the new version of Einstein, a computer program that works at the Telecom level gathering and analyzing data as it passes through the Telecoms' backbones. Version 3 of the Einstein program has raised quite some disturbance with the Center for Democracy and Technology (CDT), which suspects that the new version gathers many privacy related information.

Read the full report at: http://www.cdt.org/security/20090728_einstein_rpt.pdf

1SSA - Security consulting, training and products: http://www.1ssa.net

Recording your ATM PIN via the power cable

2009-07-30T07:56:00.003-04:00

Two researches from Italy have developed a new form of Skimming (for the people that are not so security lingo savvy - skimming refers to an attack where an attacker eavesdrops the information that you are entering e.g. PIN and your ATM card information). This new attack uses the power line to determine which buttons you pushed on an ATM. Another attack they presented shows how the vibration of a notebook could be recorded and analyzed to replay what was typed.

Their presentation is available at: http://www.blackhat.com/presentations/bh-usa-09/BARISANI/BHUSA09-Barisani-Keystrokes-SLIDES.pdf

1SSA - Security consulting, training and products: http://www.1ssa.net

Microsoft to issue critical patches out of band

2009-07-27T14:22:00.003-04:00

Normally Microsoft does stick it patch schedule but this time the vulnerabilities are so critical that MS announced some patches to be issued early next week.

Read what the Washington Post has to say: http://voices.washingtonpost.com/securityfix/2009/07/microsoft_to_issue_emergency_p.html?wprss=securityfix
1SSA - Security consulting, training and products: http://www.1ssa.net

Network solutions had major security breach - CC data exposed

2009-07-27T14:12:00.002-04:00

Over a 3 month period hackers could collect as many as 500,000 credit and debit card information after Network Solutions' e-commerce service was hacked and a software planted to eavesdrop on transactions. According to Network Solutions that came forward last Friday the eavesdropping took place between March 12th and June 8th.

Network solutions processes credit and debit card transactions for over 4,343 merchants.

Read the full story at http://www.theregister.co.uk/2009/07/25/network_solutions_ecommerce_breach/

1SSA - Security consulting, training and products: http://www.1ssa.net

Microsoft's Office Web Component vulnerable

2009-07-13T13:01:00.002-04:00

Our integrated world provided by Microsoft...Microsoft announced that there are exploits available that are using a flaw in Microsoft office web component that can be exploited through (you guessed it) Internet Explorer. A tool to disable this functionality, till it is fixed, is available here: http://support.microsoft.com/kb/973472

1SSA - Security consulting, training and products: http://www.1ssa.net

German health-card project at risk due to PKI problems

2009-07-11T18:04:00.003-04:00

This is kind of entertaining because it is part of the 101 of PKI, key management. according to Heise, one of the larger publisher of IT magazines in Germany the root key of the CA has been lost. As a result no more health-cards signed by the CA or even revocation of existing health cards can be done. At least this is just the initial trial of this large project, which would mean that nearly every German citizen has a health card signed by that root CA.

According to Heise online, Gematik the company in charge commissioned D-Trust, a subsidiary of the Bundesdruckerei (Mint), to act as the root CA for the health card PKI.

Heise online interviewed Matthias Merx, the firm's managing director, following a voltage drop, "something unusual happened" (comment: whatever that means??) in the D-Trust's "Trustcenter" and the HSM independently deleted the data because it suspected an attack.

Comment: Good job - just like old times when you had your Cyanide capsule.

Read the full article at: http://www.h-online.com/security/Loss-of-data-has-serious-consequences-for-German-electronic-health-card--/news/113740

1SSA - Security consulting, training and products: http://www.1ssa.net

ATM security, no not the network, the money machines

2009-07-11T17:24:00.004-04:00

I think we all use those wonderful ATM machines to get cash from our bank accounts. Who would go to a teller if it is more convenient to just punch in our four digit PIN and get money. The biggest fear we have is that maybe someone is behind us stealing our PIN and ATM card or robbing us after we got the cash...seems like that a gentleman from Juniper had done some research on ATM security and found a way to actually get around the security measures. His talk was expected at Blackhad/Defcon in Las Vegas later this month. It seems that Juniper actually asked him to pull that presentation due to the high impact of what he has to say. We will keep you posted.

Read the full article at: http://www.scmagazineus.com/Juniper-pulls-researchers-Black-Hat-ATM-talk/article/139402/?DCMP=EMC-SCUS_Newswire

1SSA - Security consulting, training and products: http://www.1ssa.net

Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution

2009-07-07T18:28:00.001-04:00

Business as usual...this time an Active X control that can be used to remotely execute code on a Windows machine. No patch available just a work around, this time from Microsoft, which seems to understand how critical this one is.

Find the workaround at: http://support.microsoft.com/kb/972890

1SSA - Security consulting, training and products: http://www.1ssa.net

New MI6 chief on Facebook

2009-07-05T10:43:00.002-04:00

This is kind of funny and kind of shocking but then again it is real life. Here is Sir John Sawers, the upcoming MI6 chief (I am sure I do not need to explain to Bond fans what that stands for, but for the ones that wonder what MI6 stands for: It is the British secret service) and his wife is posting on Facebook all kinds of personal information that you normally do not want the public to have.

Read the full article at: http://www.mailonsunday.co.uk/news/article-1197562/MI6-chief-blows-cover-wifes-Facebook-account-reveals-family-holidays-showbiz-friends-links-David-Irving.html

1SSA - Security consulting, training and products: http://www.1ssa.net

Microsoft Update Quietly Installs Firefox Extension

2009-07-03T17:33:00.002-04:00

We could call it business as usual for Microsoft or simply another irresponsible move of Microsoft to dominate the browser market. According to various sources, and confirmed by 1SSA, Microsoft has pushed a .Net update that automatically installs an add-on in Firefox that allows for silent(!) installation of code from the web. Some people made a choice to use Firefox because the people creating it prevented this feature. Now Microsoft just installs it without any consent from the user.

Read more here: http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html?wprss=securityfix

Here are instructions on how to de-install it (for sure):http://annoyances.org/exec/show/article08-600

1SSA - Security consulting, training and products: http://www.1ssa.net

Hackers crack ColdFusion - Drive-by download attack hits multiple hosts

2009-07-03T12:36:00.002-04:00

Time to finally upgrade or at least apply some patches if you run an older version of Cold Fusion on your servers. According to SANS the number of infected hosts is going up by the hour.

Read more: http://isc.sans.org/diary.html?storyid=6715

1SSA - Security consulting, training and products: http://www.1ssa.net

Latin Best Buy surfers sprayed by drive-by download malware

2009-07-03T12:30:00.002-04:00

This is really bad. A major website that the whole nation is going to once in a while has a malware download problem. I am sure Best Buy's management has some words for its website and security teams, which I believe are both outsourced to a major outsourcing company here in the US.

Read more about it at: http://blog.trendmicro.com/gumblar-invades-best-buy/#ixzz0KBzplb8I&D

1SSA - Security consulting, training and products: http://www.1ssa.net

iPhone crashing bug could lead to serious exploit

2009-07-03T07:58:00.002-04:00

As cool as it is the Iphone, the more I read about it the more I am disappointed by some of the features it offers. I was for example not aware that it could not execute multiple applications at once, or at least Apple did not allow for it. So far people are still waiting for a tethering option, which seem to be coming soon. And all those poor people that chose not to use AT&T as provider and got locked out by Apple's patch. And now a simple SMS can crash the whole device. I think Apple needs to adjust a bit here...this hype over the Iphones is only going to last as long as it is special....I only say Starbucks. After that it is just a phone that needs to be fixed ;-)

Read the full story at: http://www.theregister.co.uk/2009/07/02/critical_iphone_sms_bug/

1SSA - Security consulting, training and products: http://www.1ssa.net

Clear the company pre-screening frequent fliers stopped operating

2009-07-02T21:50:00.003-04:00

I always though who is doing this, who is paying $199 a year for this privilege of bypassing normal airport security? According to a CSO article 260,000 individuals were part of the program paying each. This is $52M a year...not enough I guess to operate. Clear, the company providing the service has declared that it cannot longer operate the service. Interesting aspect, and nothing new for security professionals, the "data life cycle" for the data collected (e.g. Iris scans, finger prints, etc.) is not clear. Does Clear delete all data or maybe sell it to a competitor?

Read the full article at: http://www.csoonline.com/article/496471/Lawsuit_Seeks_Refund_for_Clear_Subscribers

1SSA - Security consulting, training and products: http://www.1ssa.net

Guilty Plea: Blind Hacker Admits Harassment, Eavesdropping, Fraud

2009-06-30T22:57:00.002-04:00

Not necessary something the neighbors want to see, a SWAT team storming into your house. But I guess for some people that was funny till now.

Read the full article here: http://www.wired.com/threatlevel/2009/01/guilty-plea-bli/

1SSA - Security consulting, training and products: http://www.1ssa.net

Trojans are fastest-growing data-stealing malware

2009-06-30T22:55:00.002-04:00

This is nothing new but it seems that the current approaches are not really getting this problem under control, trjans stealing information of computers.

Read the full article here: http://www.scmagazineus.com/Trojans-are-fastest-growing-data-stealing-malware/article/139252/

1SSA - Security consulting, training and products: http://www.1ssa.net

Britney Spears Twitpic account hacked

2009-06-30T22:53:00.000-04:00

A vulnerability in a third-party service through which users post photos to their Twitter profiles allowed hackers on Sunday to falsely report that Britney Spears had died.

Read the full article at: http://www.scmagazineus.com/Britney-Spears-Twitpic-account-hacked-to-post-fake-death-notice/article/139250/

1SSA - Security consulting, training and products: http://www.1ssa.net

Michael Jackson's death exploited by cybercriminals

2009-06-28T19:06:00.002-04:00

Michael Jackson's death exploited by cybercriminals
Always quick to capitalize on major headlines, spammers have begun sending out messages related to the deaths of Michael Jackson and Farrah Fawcett, security researchers said.

Read the full article here:
Michael Jackson's death exploited by cybercriminals

We are on Twitter - http://www.twitter.com/1ssa

2009-06-28T18:02:00.002-04:00

We are now also on Twitter, for the really busy people that do not even have time to read the RSS, Blog or Newsletter version. Take a look at www.twitter.com/1ssa

1SSA - Security consulting, training and products: http://www.1ssa.net

Q2 security highlights

2009-06-28T13:39:00.002-04:00

Business as usual I would say...

Q2 security highlights
President Obama's cybersecurity speech was the most notable information security event from the second quarter of 2009, security vendor F-secure said in its quarterly threat summary. The most notable threats from March to June included the Conficker worm, Twitter attacks, and PDF exploits. Conficker, in particular, "proved to be the most significant malware outbreak in recent years," F-Secure said. — AM

Read the full article here:
Q2 security highlights

FTP login credentials at major corporations breached

2009-06-28T13:31:00.002-04:00

This article was sent to you by: fsiepm@yahoo.com

Message:

Who knows what else has been working under the cover for years...

FTP login credentials at major corporations breached
A trojan has reportedly been uncovered that is harvesting FTP login data of major corporations, including the Bank of America, BBC, Amazon, Cisco, Monster.com, Symantec and McAfee.

Read the full article here:
FTP login credentials at major corporations breached

US passport cards insecure

2008-10-23T21:42:00.002-04:00

Do you know what a passport card is? An hour ago I did not. But now I know that the department of state is trying to offer an alternative to the normal US passport - A passport card, which can be produced for just 45% of the cost of a normal passport. With RFID implemented on the card it allows US citizens to cross borders to neighboring countries via land or sea. The card contains an ID that is transmitted when crossing the border. Those numbers are then checked against blacklists. There is just one problem. The numbers can be easily gathered and used to create fake passport cards. Equipment that can be bought for less than $2K can be used to do that.

Here is an article about the passport card by the state department: http://travel.state.gov/passport/ppt_card/ppt_card_3926.html

Here is a comment from Ari Juels, the director of RSA labs: http://www.rsa.com/rsalabs/node.asp?id=3557

1SSA - Security consulting, training and products: http://www.1ssa.net

Google Ads used to infect users with malware

2008-10-21T12:43:00.002-04:00

We all have come to love and hate those Google ads that suddenly pop up over, under on the side or wherever with a text on a website, interrupting our reading with advertisement. Now this type of advertisement might not only have interrupted our reading but also the security of the PCs we are using. According to a news article published in CT, a German IT magazine, Google advertisement (also known as Adwords) has been used to distribute malicious code to exploit vulnerabilities in Adobe's Flash player.

If you are fluent in German, here is the article: http://www.heise.de/security/Google-Werbung-wird-als-Malware-Schleuder-missbraucht-Update--/news/meldung/117564

1SSA - Security consulting, training and products: http://www.1ssa.net

Europe standardizing on privacy

2008-10-16T20:33:00.003-04:00

EuroPriSE the European Privacy Seal has official started its work. Nine European countries are behind EuroPriSE, tasked to standardize privacy standards and assessment methods for (at least eight of the) EU states. Privacy has been one of the biggest problems in our information overloaded societies. Hopefully eventually we will see some true international standards that bring the US and the EU a little closer.

Read more at: http://www.european-privacy-seal.eu/

1SSA - Security consulting, training and products: http://www.1ssa.net

Fake MS email with PGP signature

2008-10-14T10:21:00.004-04:00

Normally I would not post this since it is nowadays a constant annoyance that we are living with: Fake emails for phishing, trojan, virus, worms, etc. purposes. But this one was special. Not only that it was good in mimicking the Microsoft language normally used but it also contained a PGP signature block on the bottom! Nice job. Who checks the signature block each time you get a message? Lucky are the ones that use an email program that does it automatically. But not everyone has one like that.

Read the article: http://www.scmagazineus.com/Fake-Microsoft-email-contains-backdoor-virus/article/119306/

1SSA - Security consulting, training and products: http://www.1ssa.net/

Creditcard readers manipulated to send data to Pakistan

2008-10-13T08:52:00.004-04:00

Wowww... In Europe law enforcement discovered credit card readers that had additional electronic build in that allowed it to send information to Pakistan. The only initial difference with the devices, made in China, is that they are 100 grams heavier than a normal reader. So far the criminals have created $50-$100 Million in damage an early estimate says.

Read the full article: http://online.wsj.com/article/SB122366999999723871.html?mod=googlenews_wsj#printMode

1SSA - Security consulting, training and products: http://www.1ssa.net/

Deutsche Telekom (again) - This time 30 million customer data breach

2008-10-11T20:07:00.004-04:00

I guess I keep typing and see if Deutsche Telekom continues to trump itself. This time 30 million customers are affected by a data breach that puts their confidential data on the Internet. A first reaction from Deutsche Telekom: "We shall adopt a new policy" in respect of communication...well you could also try to systematically build security in your business processes...but it gets even better: A spokesman said that bank details were not attached, and that "according to our information, even though these details have been put up for sale on the black market, there has not been a buyer." - My crystal ball did not tell me that but I guess Deutsche Telekom' crystal ball told them that. Data is NOT a physical piece that can be retrieved. Data can be copied and sold to multiple buyers. Once lost you can never be sure that it does not surface again, someday, somewhere in some kind of form!

Read the article here: http://www.dw-world.de/dw/article/0,2144,3706182,00.html

1SSA - Security consulting, training and products: http://www.1ssa.net/

Major data security breach is still causing Deutsche Telekom headaches

2008-10-11T19:53:00.004-04:00

I guess some organizations will not learn it, maybe because they used to be owned by the government and still operate like they are or they simply have no concept around data privacy and security. Deutsche Telekom and its subsidiary T-Mobile (mainly focusing on mobile phone service) always had a bad reputation with the German population (they used to be the only choice for telephone services) but after a data breach that allowed access to sensitive customer data it issued some statements that really let the German population doubt that it had any concept around data privacy and security. The breach happened in spring 2006 and was just recently disclosed, even though T-Mobile reported the breach to authorities. I am kind of amused and shocked by a statement made by Philipp Humm, managing director of T-Mobile Germany: "We are very concerned by the fact that the incident from 2006 is relevant once again. Until now, we were under the assumption that the data in question had been recovered completely as part of the investigations of the public prosecutors' office and were safe." - data is not a car that gets stolen and recovered. Data can be copied a million times without anyone knowing about it.

Read the article here:
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=210700232

1SSA - Security consulting, training and products: http://www.1ssa.net/

The dilemma with email spam

2008-10-09T09:49:00.002-04:00

We all have our fair share of email spam every day we are dealing with. If you ask me I do not see any improvement in the number of spam messages I receive, no matter what legislation is passed or what "cool" anti-spam technology hits the market. My mailbox receives the same amount of spam messages now for years. Once in awhile it goes up a bit, usually when spammers discover a new way to get around anti-spam techniques (e.g. PDF Spam), and a couple of months later it goes down, when the anti-spam vendors have caught up with that new way of distributing spam. As with malicious code we are always one step behind. When is this going to change? Technically it could have changed years ago when major email providers (e.g. Yahoo, AOL, etc.) tried to implement better authentication/security into email. Unfortunately that lost momentum quickly due to the number of mail servers. We are actually facing the same problem with the DNS system, too many DNS servers to change if a new technology arrives, addressing the DNS security problems we have seen lately.

Here is an interesting article on how spammers check if they have a valid email account: http://www.scmagazineus.com/Spammer-campaign-exploits-email-read-receipts/article/119130/

1SSA - Security consulting, training and products: http://www.1ssa.net

Clickjacking - Serious security problems

2008-10-08T12:07:00.002-04:00

Clickjacking is the latest flavor in attacks that "bad" people use to gain access to your information, money and even your web cam or microphone. Take a look at the YouTube video that shows how a simple online game can be used to enable cam and microphone to listen and watch you in front of your computer.

YouTube Video showing how it works: http://www.youtube.com/watch?v=gxyLbpldmuU

Blog Entry about Click Jacking: http://blog.guya.net/2008/10/07/malicious-camera-spying-using-clickjacking/

1SSA - Security consulting, training and products: http://www.1ssa.net

VMware patches 64 Bit emulator bug

2008-10-07T14:38:00.003-04:00

It is interesting how Vmware goes down the path of maturity as so many other vendors before. From "it is more secure" to it is just another piece that can fail and has flaws. This time Vmware is patching a serious problem with its 64-Bit emulator. An error in the 64-bit CPU emulation makes the CM jump to the wrong address when it receives a JMP instruction.

Read the article here: http://www.heise-online.co.uk/security/VMware-patches-holes--/news/111675

1SSA - Security consulting, training and products: http://www.1ssa.net/

Study shows that hotel networks are lacking security

2008-10-07T13:10:00.004-04:00

This does not surprise me at all. I have been talking about this for years. Sometimes "looking around" on a hotel network is like a who-is-who of consulting companies. Some of them happily naming their laptops with a name that includes the firm's name. Worse is that most laptops are configured to trust (at least to a certain degree) the local network, meaning in the worst case every machine on a hotel network can access another machine's services . To add to this scenario make it wireless...

Cornell did their own study which shows that most U.S hotels are vulnerable to malicious attacks and are "ill prepared" to protect their guests from Internet security problems.

Read the full article: http://www.hotelschool.cornell.edu/research/chr/pubs/reports/abstract-14928.html

1SSA - Security consulting, training and products: http://www.1ssa.net

Stolen republican party laptop had no security safeguards in place

2008-10-07T11:44:00.004-04:00

This is like the never ending story...it repeats and repeats. You would think that the government or in this case politicians and their staff learnt from the past. Not the recent past but maybe from the last three years? What is really interesting is that the victims now also publicly admit that the stolen laptop contains "...the type of stuff we wouldn't want another campaign to have,...” . Wonderful, now the thiefs know that they can get even more money for the laptop...I guess from either party.

Read the full article: http://www.scmagazineus.com/Stolen-McCain-party-laptop-had-minimal-data-safeguards/article/119080/

1SSA - Security consulting, training and products: http://www.1ssa.net/

Was Forever 21 wrongly certified PCI compliant?

2008-10-06T17:41:00.002-04:00

The risk of being security professionals...I find it shocking and entertaining at the same time that a merchant takes a PCI certification as an excuse for lack of security and responsibility.

Breached clothing retailer Forever 21, which last week said it has been Payment Card Industry (PCI) compliant since 2007, apparently should have never been certified.
The Los Angeles-based company told a retail blog this week that its PCI Data Security Standard assessor failed to unearth tens of thousands of credit card files that it was unknowingly storing despite being unauthorized to do so.

Read the full article: http://www.scmagazineus.com/Was-Forever-21-wrongly-certified-PCI-compliant/article/118739/

1SSA - Security consulting, training and products: http://www.1ssa.net

Researcher finds server with stolen FTP credentials

2008-10-06T17:38:00.001-04:00

An Israeli researcher has uncovered a criminal server containing the FTP account credentials for nearly 100,000 legitimate websites across 86 countries, including the U.S. Postal Service and several universities here.

Of the 200,000 credentials the criminals were storing, the criminals deemed 107,000 to be valid and some 80,000 led to web content, he said. More than 60 percent were associated with web servers in Europe, but many U.S. organizations were victimized, including the University of Pennsylvania's Wharton School and the University of Southern California.

Read the full article: http://www.scmagazineus.com/Researcher-finds-server-with-stolen-FTP-credentials/article/118756/

1SSA - Security consulting, training and products: http://www.1ssa.net

Data Breaches Expose About 30M Records in '08

2008-10-06T17:26:00.001-04:00

U.S. corporations, governments and universities reported a record 516 consumer data breaches in the first nine months of this year, incidents prompted chiefly by hackers and employee theft, according to a report released today by a nonprofit group that works to prevent fraud.

Read the full article at: http://voices.washingtonpost.com/securityfix/2008/10/516_data_breaches_in_2008_expo.html

1SSA - Security consulting, training and products: http://www.1ssa.net

Nevada mandates encrypted personal data communication

2008-10-03T07:07:00.002-04:00

On one hand I applaud Nevada to step up to protect personal information on the other hand it is just another step in the direction of slicing up security even smaller, overloading the already very busy security professionals. Not only that we need to worry about international privacy and security standards (if we happen to work for a company operating internationally) but now the US becomes by itself a major challenge. What happens if my company has a branch in Nevada but the rest is all over the US? Don't get me wrong, we need stronger privacy and security laws but on a federal level!

Read the full article: http://www.scmagazineus.com/Nevada-mandates-encrypted-personal-data-communication/article/118630/

1SSA - Security consulting, training and products: http://www.1ssa.net

Hackers penetrate South Korean missile manufacturer

2008-10-03T07:01:00.002-04:00

According to news reports some hackers were able to steal information from a South Korean missile manufacturer. They planted some malicious code on the computer systems that eventually allowed them to gain access to secret data about missiles.

Read the full article at: http://www.theregister.co.uk/2008/10/01/missile_manufacturer_hacked/

1SSA - Security consulting, training and products: http://www.1ssa.net

TCP weakness could potential result in new DoS attacks

2008-10-02T14:17:00.003-04:00

Two researches (supposedly) discovered a new weakness in the TCP implementation that allows even with a relatively small up-link to run DoS attacks with high bandwidth web servers (e.g. Google, Ebay, etc.). So far no independent verification has been done but it would not surprise me if this is just another major flaw that we have to deal with.

Read Robert Graham's blog post: http://erratasec.blogspot.com/2008/10/tcp-dos-probably-real.html

1SSA - Security consulting, training and products: http://www.1ssa.net

Phorm becomes Webwise

2008-10-01T06:13:00.004-04:00

Back in 2006 British Telecom (BT) and Phorm tested the idea of personalized advertisement by secretly collecting information about surf habits and targets of 18,000 of its customers. Since 09/30/08 BT offers 10,000 of it's online customers a program which is now called "Webwise". All this is nothing new just the label that BT puts on this is quite concerning. It is sold as an online protection/security service. In reality it tracks all of the users online transactions from URLs visited up to searches done on search-engines to inject targeted advertisement into the data streams to the user.

Read the full article at: http://blog.wired.com/business/2008/09/phorm-trials-be.html

1SSA - Security consulting, training and products: http://www.1ssa.net

Cros site request forgery - What comes next?

2008-09-30T22:43:00.002-04:00

A pair of Princeton University researchers announced Monday that they have discovered cross-site request forgery (CSRF) vulnerabilities on four popular websites — ING Direct, YouTube, MetaFilter and The New York Times.

Researchers found CSRF vulnerabilities on The New York Times website which made user email addresses available to an attacker. On ING Direct's website, attackers could open up bank accounts on behalf of a user and transfer funds into their own account.

Read the full article here: http://www.scmagazineus.com/Popular-websites-fall-victim-to-CSRF-exploits/article/118564/

1SSA - Security consulting, training and products: http://www.1ssa.net

Adobe Exploit toolkit in the wild

2008-09-29T07:08:00.002-04:00

An Adobe exploit toolkit has been discovered in the wild. It seems that it has already reached a quite mature state with all kinds of features that can make security professional's life miserable. PDF - Once the format of trust, to exchange information with un-trusted parties, it now can become another victim of its functionality.

The full article can be found here: http://www.scmagazineus.com/Adobe-vulnerability-exploits-are-mounting/article/118456/

1SSA - Security consulting, training and products: http://www.1ssa.net

Brits happy to hand over password details for £5 gift voucher

2008-09-26T06:59:00.001-04:00

This should tell security professionals something...Although the majority (60 percent) of 207 London residents were happy to hand over computer password data which might be useful to potential ID thieves in exchange for a £5 M&S gift voucher, the public at large take a hard line on firms who fail to keep tight hold of customer data. Maybe a topic for the next security training session?

Read the full article here: http://www.theregister.co.uk/2008/09/26/security_breach_attitudes_survey/

1SSA - Security consulting, training and products: http://www.1ssa.net

Cloned US ATM cards used in the UK at self checkouts

2008-09-26T06:39:00.003-04:00

The "plastic money" no matter in which form, ATM card, credit card, debit card, blah blah...all have a significant flaw. US issued cards have a fall back to using data from the magnetic stripe in cases where the cards does not support Chip and PIN. For the longest time card reader and writer that could write that information were not available to the public, at least in certain countries and that was already the flaw. Nowadays it is very easy to copy such cards or create them once you have the information that needs to go on the card.

Read the full article at: http://www.theregister.co.uk/2008/08/29/cloned_us_atm_cards_in_uk/

1SSA - Security consulting, training and products: http://www.1ssa.net/

Passport snooping public servant faces year in prison

2008-09-26T06:36:00.002-04:00

A bored former State Department analyst faces up to a year behind bars as a result of his penchant for reading the passport files of celebrities. In our information overloaded society access rights, trust and the ability to make an informant decision (i.e. what does an airport TSA screener know about my computer files? - a separate post for this topic is coming).

Read the full article at: http://www.theregister.co.uk/2008/09/23/passport_snooping_plea/

1SSA - Security consulting, training and products: http://www.1ssa.net/

World's electrical grids open to attack

2008-09-25T21:30:00.001-04:00

History repeats....doesn't that sound like something we had 10-12 years ago? People discovering buffer overflows in all kinds of applications. Now hackers and security experts are discovering the edge technologies of IT e.g. SCADA.Read the full article:http://www.theregister.co.uk/2008/09/25/abb_critical_bug/1SSA - Security Consulting, Products and Training - http://www.1ssa.net

read more | digg story

US and China top cyber attacker list

2008-09-24T06:44:00.004-04:00

According to a study the United States tops the list of cyber attackers against SecureWorks' clients with 20.6 million attempted attacks originating from computers within the country.

China ran second with 7.7 million attempted attacks emanating from computers within its borders. This was followed by Brazil with over 166,987 attempted attacks, South Korea with 162,289, Poland with 153,205, Japan with 142,346, Russia with 130,572, Taiwan with 124,997, Germany with 110,493, and Canada with 107,483.

The only two questions I have are: What is your customer base? Is it distributed evenly across the globe? Studies/Statistics can sometimes paint a wrong picture, even though I believe that the overall distribution of attackers could be right.

Having talked with a friend in China I get the impression that they are in a phase of Internet adoption that we had back in 2000. Not much strategic thinking around security (e.g. Today ISPs in the US offer free Antivirus software. They have learnt that for example a worm that spreads across its customer base only back fires on them - congested networks, unhappy customers, etc. To invest in providing a free antivirus solution to its customers helped and in the end paid for itself.)

1SSA - Security consulting, training and products: http://www.1ssa.net

Certification still pays for CISSPs, CISMs

2008-09-23T22:35:00.001-04:00

Of 165 IT certs, 17 increased in value... 7 of those being security certs. The trend starts with compliance concerns and security awareness has grown from there. With increased awareness comes greater need for experienced security pros to manage security plans and systems. Info Sec has proven to be one of the most stable IT niches.1SSA - Consulting, Training and Products http://www.1ssa.net

read more | digg story

Two-Third of US companies victim of cybe-crime in 2005

2008-09-23T04:32:00.004-04:00

According to a report compiled by the US Department of Justice (DoJ) Two-Third of the companies replying to its survey have been a victim of cyber-crime. The DoJ received more than 7800 replies to its request for information. That is 23% of the overall send out requests.

Read the report here:
http://www.ojp.usdoj.gov/bjs/pub/pdf/cb05.pdf
http://www.ojp.usdoj.gov/bjs/pub/press/cb05pr.htm

1SSA - Security consulting, training and products: http://www.1ssa.net/

Kaspersky with new patents...faster and better in recognizing rootkits

2008-09-22T21:20:00.002-04:00

Kaspersky registered several patents with the US patent office. Most of them are targeted to increase the speed (most of the readers know that this is a favorite topic of mine). But also new approaches on finding rootkits. Overall none of the patents is really new, according to AV-TEST, a website that tests antivirus solutions.

Here is one of the patents:
http://patft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%252Fnetahtml%252FPTO%252Fsrchnum.htm&r=1&f=G&l=50&s1=7392544.PN.&OS=PN/7392544

1SSA - Security consulting, training and products: http://www.1ssa.net

DNSSEC for .gov

2008-09-22T07:06:00.002-04:00

According to a Networkworld article the US government has decided to deploy DNSSEC, a technology that replaces the old venerable DNS services that is used to look up Internet addresses of websites and email servers. The old system was the target of multiple attacks in recent years and was never designed for the Internet as it is used today.

Read more at:
http://www.networkworld.com/news/2008/092208-government-web-security.html?fsrc=rss-security

1SSA - Security consulting, training and products: http://www.1ssa.net

After Trend now Kaspersky...killing Windows Vista

2008-09-21T20:52:00.002-04:00

After Trend Micro now Kaspersky...both vendor released updates to their antivirus products that identified valid (not infected) Windows Vista system files as infected files and deleted or quarantined them. As a result users got stuck with after a reboot with the famous blue screen. The latest signature files should address the issue...questions comes up where we are heading with the signature based anti-virus approach? It slows systems down more and more due to the constantly increasing number of virus signatures that it needs to check against and how much longer before we run the issue of valid files (maybe we have reached that point already) being identified as infected? A signature is only a few bytes long and some vendors have some other methods to check for an infection but one thing that we learnt out of those two incidents is that it is not fool proof.

For the German speaker here is a link to Kaspersky's German forum with lots of "stressed" users:
http://forum.kaspersky.com/index.php?showtopic=85001

1SSA - Security consulting, training and products: http://www.1ssa.net

Clickjacking...what comes next?

2008-09-19T20:25:00.002-04:00

Clickjacking is nothing new but so far nobody really came up with a way to use it for bad things. I guess this has changed and some guys tried to present about their discovery at the OWASP (Open Web Aplication Security Project) conference in New York this month but I guess too much explosive material in it and the presentation was canceled. So what is clickjacking? It makes a user click on a link/button/etc. that is only visible for a short time or hardly visible.

I personally was thinking about this for years, ebing annoyed by Widnows behavior of switching the focus of windows, right int he middle when I was typing a password...I think most of us had that happen to us, at least sot of us power users ;-) This might not qualify as a clickjacking attack but for sure it is anoying and has resulted in at least oen of my passwords goign out via IM message to a friend.

Read more about clickjacking (or why nobody should know about the security problems associated with it) here:

http://ztrek.blogspot.com/2008/09/possible-clickjacking-security-flaws-in.html
http://ha.ckers.org/blog/20080915/clickjacking/
http://jeremiahgrossman.blogspot.com/2008/09/cancelled-clickjacking-owasp-appsec.html

1SSA - Security consulting, training and products: http://www.1ssa.net

NSA snooping on cell phone calls

2008-09-17T21:36:00.002-04:00

According to a posting on Bruce Schneier's blog the NSA seems to have triggered a new market for data mining in the cell phone space.

Read the full post here:
http://www.schneier.com/blog/archives/2008/09/nsa_snooping_on.html

1SSA - Consulting, Training and Products: http://www.1ssa.net

Phishing is out and Trojans are back in according to an APWG report

2008-09-17T07:06:00.002-04:00

According to the latest report released by the Anti-Phishing-Work-Group (APWG) there is a trend with websites being used to distribute malicious code (Trojans) that has now outnumbered the number of phishing attacks.

You can download the report from here:
http://www.antiphishing.org/reports/apwg_report_Q1_2008.pdf

Business Week website hacked - Another victim of SQL injection

2008-09-17T06:56:00.002-04:00

And another prominent victim of a SQL injection attack. Most people do not know but tools are now widely available to automate such attacks. Sooner or later the attacker will find a vulnerable site where the tool is successful....scary but in the battle of good and evil we are unfortunately always one step behind.

Here is the full article on Sophos' blog:
http://www.sophos.com/security/blog/2008/09/1777.html

Hackers infiltrate Large Hadron Collider systems

2008-09-15T11:19:00.001-04:00

Hackers have mounted an attack on the Large Hadron Collider, raising concerns about the security of the biggest experiment in the world.

read more | digg story

Cloud computing may draw government action - Network World

2008-09-13T10:36:00.001-04:00

Cloud computing has been pitched as the silver bullet for resource management. Big players are already offering it. Now it draws some more attention and I think some of the concerns are quite justified.

read more | digg story

iPhone records all user actions according to a Iphone hacker

2008-09-12T07:47:00.001-04:00

That is what we need, another privacy issue...The iPhone is recording everything users see and do on their devices, for caching purposes, an iPhone hacker has said.Read the full article at:http://news.zdnet.co.uk/security/0,1000000189,39487429,00.htm

read more | digg story

Stolen laptops at airport number too high?

2008-09-10T07:36:00.001-04:00

Seems like Computer World magazine did not buy into a common study that claims that thousands of laptops got stolen every week at US airports. The number seem to be a little high and Computer World did some research....Here is the link:http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9107799

read more | digg story

PwC in Germany looses unknown number of user data including clear text passwords

2008-09-09T07:10:00.002-04:00

You would expect that one of the leading audit companies would play by the rules it preaches to its customers. But it seems that PriceWaterhouse Coopers (PwC) in Germany had a major security breach according to ZDF, the German public TV channel. At least 56,000 users of their online application system have been affected. To make it worse, PwC is currently not sure how many data elements have been affected. But to top the whole story: The passwords used by applicants were stored in clear text (!!) and have been used for attacks on online payment systems like Money Bookers and Click&Pay, using the passwords stolen from PwC.

On a site note:
According to the German magazine WiSo, which conducted a survey with 2000 users, approximately 80% of them use the same password for their online accounts. Which is not surprising in our information rich society, requiring us to have sometimes 20-30 accounts with passwords.

Here is the German online article:

http://www.heise.de/security/Gestohlene-PwC-Datensaetze-fuer-Missbrauch-von-Click-Buy-benutzt-Update--/news/meldung/115621

4 critical patches coming from Microsoft in the September patch round

2008-09-08T07:42:00.002-04:00

The never ending story of buffer, heap, etc. overflows...this time the full bandwidth of Microsoft products is part of it. Let's see if my PC boots up Tuesday after the patches have been applied.

See Microsofts anouncement below:

http://www.microsoft.com/technet/security/bulletin/ms08-sep.mspx

Trend Micro identifying Microsoft operating system files as Trojans

2008-09-08T07:38:00.002-04:00

Oh well....now after over a decade of Anti Virus products we still use pattern recognition as the primary method of identifying malware....I guess either we run out of paterns or Trend Micro was a little too aggressive ;-)

Recent updates from Trend Micro Internet Security, pattern 5.521.50 and 5.525.50, detected the Microsoft operating system files as Troj_Generic or Troj_Generic.ADV and quarantined them.

Read the Trend Micro Support update here:

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1038089

The Number of Machines Controlled by Botnets Has Jumped 4x

2008-09-04T21:19:00.001-04:00

Increasing number of compromised machines in botnets.

read more | digg story

Study: 88% of IT Pros Would Steal Passwords or Data if Fired

2008-09-03T21:36:00.001-04:00

If you needed another reason to keep your sysadmins happy: Out of 300 IT pros polled by security company Cyber Ark, 88% said they would steal sensitive data or futz with master login passwords if they happened to be fired.

read more | digg story