Tuesday, December 21, 2010

DHS Secretary Asserts Cybersecurity Leadership

Cybersecurity should be left neither to the free market nor to the military to solve, Department of Homeland Security (DHS) secretary Janet Napolitano said in a speech in Washington, D.C., last week as she reasserted her agency's role as the locus of cybersecurity authority in the federal government.

"Cyberspace is fundamentally a civilian space," Napolitano said. "There are some who say cybersecurity should be left to the market, and there are some who characterize the Internet as a battlefield. Both the market and the battlefield analogies are the wrong ones to use. We should be talking about this as, fundamentally, a civilian space and a civilian benefit that employs partnerships with the private sector and across the globe."

The DHS has taken the lead in the federal government on cybersecurity measures via its National Cyber Security Division. That group this year headed up a major international and inter-governmental cyber exercise, Cyber Storm III, and continued ramping up efforts to protect federal systems and critical infrastructure like power plants.

Napolitano has been an ardent supporter of DHS' leadership role, but while she implied a DHS-centered view of cybersecurity, she did admit that DHS can't do it alone. "It is our goal to build one of the very best teams that we can to tackle the cybersecurity challenge," she added. "No single industry or agency, quite frankly, can manage it. Cybersecurity is about effective partnerships and shared security."

This year, DHS has expanded partnerships with private industry, for example doing a substantial amount of investigative work on the Stuxnet worm that infiltrated power plant control systems earlier this year and working to build up liaisons with private sector industries it deems to be "critical."

Have a look at the rest of this article over at InformationWeek Government.

Thursday, October 7, 2010

AT&T announces first carrier-provided, two-factor voice encryption service

AT&T announced today that it has just launched a new service, AT&T Encrypted Mobile Voice, “the first carrier-provided two factor encryption service for calls on the AT&T network.” The service, which will be available for BlackBerry and Windows Mobile devices, combines KoolSpan’s TrustChip and SRA International’s One Vault Voice. As the press release explains:

TrustChip is a fully hardened, self-contained crypto engine inserted into the smartphone’s microSD slot. Embedded with AT&T TrustGroup, the KoolSpan TrustChip offers the strength of additional hardware authentication, enables encrypted calling interoperability with a defined group of other AT&T TrustGroup users and can be managed over-the-air. [...] SRA’s One Vault Voice integrates the security functions of the TrustChip with a feature rich application that provides an intuitive user interface. This powerful combination allows users to easily place and receive encrypted calls by integrating with the mobile phone’s standard operation and address book to provide a user friendly and seamless security option.


Take a look at AT&T's full press release HERE.

Monday, July 26, 2010

Researchers discover WPA2 vulnerability

Researchers at wireless security company AirTight Networks have uncovered a vulnerability in the widely used WPA2 security protocol, part of the 802.11 standard. The vulnerability, termed "Hole 196", which can be exploited by attackers already authenticated to the network, allows decryption of data sent by other users across the network.

Wireless encryption uses two keys to protect communications: a Pairwise Transient Key (PTK), unique to each client and used to protect traffic between that client and the access point, and a Group Temporal Key (GTK), known to all clients on the network and used to encrypt broadcast traffic (traffic sent to every client connected to the network).

The attack does not rely on brute-forcing or on breaking the AES encryption that protects the communications. The vulnerability arises when a malicious client uses the GTK to send spoofed packets to another user on the network. Because every client holds the same GTK, a receiver cannot tell which station actually sent a GTK-protected packet; a PTK, by contrast, is known only to one client and the access point, so packets protected with it cannot be spoofed by a third station.

Researcher Md Sohail Ahmad, who discovered the vulnerability, says it took around 10 lines of code added to open source driver software and an off-the-shelf wireless adaptor to implement the exploit. By spoofing the MAC address of the access point, the attacker makes clients that receive the malicious packets believe the sender is the gateway; they respond using their PTK, and the attacker can then decrypt those responses.

Exploiting the vulnerability is limited to users already authorised on the network, which mitigates the risk, but security studies repeatedly indicate that breaches from inside continue to be the biggest source of loss to businesses.

WPA2 is the latest encryption protocol available for wireless networking, and as yet there is no successor ready to take its place and resolve this issue; it remains to be seen what the security community can devise to work around the problem in the protocol.

http://www.neowin.net/news/researchers-discover-wpa2-vulnerability

Thursday, May 27, 2010

Apple’s iPhone security flaw

Bernd Marienfeldt and Jim Herbeck have discovered that a fully up-to-date, non-jailbroken iPhone 3GS, when plugged into a computer running Ubuntu Lucid Lynx, gives that computer nearly full read access to the iPhone's storage, even when the phone is locked by PIN authentication.

Bernd states in his write up that:
“This data protection flaw exposes music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker. It’s about to imagine how many enterprises (e.g. Fortune 100) actually do rely on the expectation that their iPhone 3GS’s whole content is protected by encryption with a PIN code based authentication in place to unlock it.

The contents sample have been collected off a non jail broken iPhone 3GS (with latest iPhone OS installed, all apps fully up to date and immediately PIN lock enabled) by simply connecting it powered off via USB to a Linux Lucid Lynx PC (10.04) and then switched back on – being automatically mounted with given insecurity and never been attached to the PC before.


Other exposed contents and OS behavior has to be further investigated. The write access could also lead into triggering a buffer overflow.”


This will be a big issue for enterprises that assume the data held on the device is encrypted and secure. Check out Bernd’s full write-up at his blog - HERE

Tuesday, May 25, 2010

U.S. Deputy Defense Secretary Notes Cyber Command’s Significance

U.S. Deputy Defense Secretary William J. Lynn III called the establishment of U.S. Cyber Command at Fort Meade, Md., today a milestone in the United States being able to conduct full-spectrum operations in a new domain.

Lynn spoke to reporters in his office before attending the stand-up of the command. During the ceremony, Army Gen. Keith Alexander, Cyber Command’s top officer, pinned on his fourth star and uncased the colors of the new command.

The command is the latest in a series of steps that will better protect military networks, Lynn said, as it combines a confederation of task forces into a formal sub-unified command.

Cyber Command will report to U.S. Strategic Command based at Offutt Air Force Base, Neb. Lynn has led the effort to stand up the command since Defense Secretary Robert M. Gates directed its establishment almost a year ago.

The new command will centralize cyberspace operations. The cyber domain, Lynn said, is as important as the land, sea, air and space domains to the U.S. military, and protecting military networks is crucial to the Defense Department’s success on the battlefield.

The U.S. military is more dependent than any other military on information technology, and that is a major reason why the U.S. military is the best in the world, Lynn said. The military must be able to protect its computer networks and must ensure freedom of movement in the domain to be able to operate on networks around the world, he added.

“We want to be able to maintain those advantages and protect the military missions, and that is the main mission of Cyber Command – it is to protect the military networks,” the deputy secretary said. “It will have a role, though, in protecting the government’s networks and critical infrastructure.”

Cyber Command draws existing cyber capabilities and places them under one organizational structure, Lynn said. And with a four-star general in command, he noted, Cyber Command can deal with the combatant commands on an equal basis.

“It will be the place where the Department of Homeland Security will come to on cybersecurity matters,” Lynn said. “And it will help rationalize the interagency process.”

About 1,000 people will work at Cyber Command at Fort Meade, most shifting over from existing task forces. The services will provide their cyber organizations: Army Forces Cyber Command, the 24th Air Force, the 10th Fleet and Marine Forces Cyber Command.

How the command will implement policies remains to be seen, Lynn said, because cyber capabilities have outpaced policy. However, “substantial progress” has been made in certain areas, he said.

Today marks the command’s attainment of initial operations capability. Full capability is set for Oct. 1. “That didn’t happen in isolation – we’ve been training people up, we’ve had task forces, we’ve made investments – this is sort of a capping step,” Lynn said.

The Defense Department has made substantial progress in working with defense industries, Lynn said. Officials wanted to share concerns about the cyber threat and best practices, but there were legitimate concerns about protecting proprietary information.

“I think we’ve worked through a lot of that,” Lynn said. “We’ve been able to work with the industry and share information about the threats and show them what we think is coming at them. I think we will be able to build further on that.”

The department also has made progress internationally. Lynn traveled to Great Britain and Australia to begin that process, and will travel to Canada to continue the outreach. This entails shared warning and shared technologies, and Cyber Command will be part of the outreach, he said.

Lynn acknowledged that more progress is needed on the many legal issues related to cybersecurity. A U.S. interagency team is looking at the laws of war and the application to the cyber domain. What is an attack in the cyber world? How does a nation respond to an attack? What does sovereignty mean in regard to the Internet?

“We’re in the midst of a series of meetings the White House is leading to work through a lot of those legal issues,” Lynn said. “We’ve made progress organizationally, industrially and internationally, but the legal regime in particular is an area we need to tackle further.”

And the threat continues to grow, he said.

“The first thing you say about this threat is that it’s asymmetric,” Lynn said. “It doesn’t take the resources of a nation state to launch cyber war. Nations still have the best capabilities, but you can do very threatening and damaging things with modest investments.

“Our ability to predict where the threats are coming [from], even in conventional threats, is remarkably poor,” he continued. “We didn’t see Desert Storm coming. We didn’t see the series of events that led to Afghanistan. Foreseeing the threats in cyberspace is harder. With Cyber Command, I think we need to be prepared for the unexpected.”


----
Jim Garamone
American Forces Press Service

Wednesday, April 28, 2010

CIA Director Says Cyber Attack Could Be Next Pearl Harbor



WASHINGTON D.C.—Central Intelligence Agency director Leon Panetta told 300 Sacramento Metro Chamber Cap-to-Cap delegates that the next “Pearl Harbor” is likely to be an attack on the United States’ power, financial, military and other Internet systems.

Panetta addressed the Sacramento delegation that includes 43 elected officials and hundreds of business and civic leaders who are in Washington D.C. for the annual program that advocates for the region’s most pressing policy issues. He spoke on Monday, April 19, during the Cap-to-Cap opening breakfast.

“Cyber terrorism” is a new area of concern for the CIA, Panetta said. The United States faces thousands of cyber attacks daily on its Internet networks. The attacks originate in Russia, China and Iran, and even from hackers.
“The next Pearl Harbor is likely to be a cyber attack going after our grid…and that can literally cripple this country,” Panetta said. “This is a whole new area of threat.”

But cyber terrorism is just one of four primary missions for Panetta, who took over directing the CIA last year after appointment by President Obama. The CIA is also focusing on counter-terrorism, reducing the proliferation of weapons of mass destruction and fighting narcotics trafficking.

Al Qaeda is becoming a viscous target, and as CIA and military operations tamp it down in Pakistan, Afghanistan and Iraq, the terrorist elements are moving to places like Somalia, Yemen and North Africa—as well as changing their tactics, he said.

“The president’s direction…is we must dismantle and destroy Al Qaeda and its known elements,” he said. “It’s a fundamental mission….The primary effort takes place in Pakistan and tribal areas. We are now focused on Afghanistan and have increased our presence there.”

Thursday, April 15, 2010

NSA director to testify at Senate hearing on cyber command unit

In an effort to protect the military's computer networks, the Obama administration is planning to put the leader of the nation's largest electronic spying agency in charge of a new military organization capable of launching attacks against enemy networks and power grids.

If confirmed by the Senate, Lt. Gen. Keith Alexander, director of the National Security Agency, would take charge of the Pentagon's newly formed cyber command and preside over a virtual army of computer technicians and network warfare specialists.

But even as the Obama administration presses the importance of cybersecurity and hails its nominee as an aggressive and innovative military intelligence officer, Alexander's confirmation has been delayed for nearly six months. Lawmakers have questioned whether the head of the NSA should lead a military unit and what, exactly, that new unit will be empowered to do.

Alexander is set to testify before the Senate Armed Services Committee on Thursday but has already provided written responses to questions from lawmakers.

Among other things, he stated that, faced with a cyber attack, the military must be able to respond in kind. It is "reasonable to assume that returning fire in cyberspace" is lawful, as long as any actions comply with the laws of war, he said in a 32-page document.

At issue is how military and intelligence authorities guide the operations of any new cyber command. U.S. policies governing cyber attacks and counterattacks lag behind the military's ability to conduct them.

Part of the challenge is that in cyberspace, a line of computer code could be an attempt to spy, disrupt a network or defend it, and that same code might unintentionally knock out critical systems in countries far from the target. The ambiguity -- and the fact that there is no international consensus on what constitutes use of force in cyberspace -- means the risks of provoking international conflict are real, experts say.

Have a look at the rest of this story over at the Washington Post

Thursday, April 1, 2010

Execs Need to Be Involved in Cyber Security Decisions

Business Week has a great story on how a new study calls for more C-level involvement in cybersecurity:

Organizations with top executives who aren't involved in cybersecurity decisions face a serious problem -- a major hit to their bottom lines, according to a report released Wednesday.

"Many organizations see cybersecurity as solely an IT problem," said Karen Hughes, director of homeland security standards programs at the American National Standards Institute (ANSI), one of the major sponsors of the new report. "We are directing a wake-up call to executives nationwide. The message is, this is a very serious issue, and it's costing you a lot of money."

The report, called "The Financial Management of Cyber Risk," recommends how C-level executives can implement cybersecurity risk management programs at their companies. Part of the goal is to get executives such as chief financial officers directly involved in cybersecurity efforts, said Larry Clinton, president of the Internet Security Alliance (ISA), the other major sponsor of the report.

The report cites a cyberpolicy review released by President Barack Obama's administration last May saying that U.S. businesses lost US$1 trillion worth of intellectual property to cyberattacks between 2008 and 2009. That number doesn't include losses due to theft of personal information and loss of customers, the report said.
The total cost of a typical breach of 10,000 personal records held by an organization would be about $2 million, the report said.

"We believe if we can educate American organizations about how much they're actually losing, we can move to the next step, which is solving the problem," Clinton said. Eighty to 90 percent of cybersecurity problems can be avoided by a combination of best practices, standards and security technology, but some organizations need to understand the financial problems associated with poor security practices before they will make changes, Clinton said. 

Read the full article over at Business Week

Wednesday, March 31, 2010

Technical Cyber Security Alert TA10-089A

US-CERT has issued a new Technical Cyber Security Alert, TA10-089A:

Microsoft Internet Explorer Vulnerabilities

Original release date: March 30, 2010
Last revised: --
Source: US-CERT

Systems Affected

  • Microsoft Internet Explorer

Overview

Microsoft has released out-of-band updates to address critical vulnerabilities in Internet Explorer.

I. Description

Microsoft has released updates for multiple vulnerabilities in Internet Explorer, including the vulnerability detailed in Microsoft Security Advisory (981374) and US-CERT Vulnerability Note VU#744549.

II. Impact

By convincing a user to view a specially crafted HTML document or Microsoft Office document, an attacker may be able to execute arbitrary code with the privileges of the user.

III. Solution

Apply updates
Microsoft has released updates to address these vulnerabilities. Please see Microsoft Security Bulletin MS10-018 for more information.
Apply workarounds
Microsoft has provided workarounds for some of the vulnerabilities in MS10-018.

IV. References

Thursday, February 25, 2010

National Cyber Alert - Technical Cyber Security Alert TA10-055A

Malicious Activity Associated with "Aurora" Internet Explorer Exploit

Original release date: February 24, 2010
Last revised: --
Source: US-CERT


Systems Affected

  • Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
  • Microsoft Internet Explorer 6, 7, and 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows 2008, Windows 7, and Windows Server 2008 R2


Overview

Malicious activity detected in mid-December targeted at least 20 organizations representing multiple industries including chemical, finance, information technology, and media.  Investigation into this activity revealed that third parties routinely accessed the personal email accounts of dozens of users based in the United States, China, and Europe. Further analysis revealed these users were victims of previous phishing scams through which threat actors successfully gained access to their email accounts.


I. Description

Through analysis of the malware used in this incident, McAfee discovered one of the malware samples exploited a vulnerability in Microsoft Internet Explorer (IE). The vulnerability exists as an invalid pointer reference within IE and, if successfully exploited, allows for remote code execution.
Microsoft has released Security Bulletin MS10-002, which provides updates for Internet Explorer that address this and other vulnerabilities.
US-CERT is providing technical indicators that can be incorporated into an organization’s security posture to detect and mitigate any malicious activity.
In addition to the discovery of the IE exploit, the following malicious domains were identified as associated with this incident:
Domain                                      IP Resolution as of 15 January   Notes
------------------------------------------  -------------------------------  ------------------------------------------------------------
blogspot[dot]blogsite[dot]org               209[dot]200[dot]236[dot]253      IP address hosts at least 4 domains
voanews[dot]ath[dot]cx                      200[dot]55[dot]186[dot]66
ymail[dot]ath[dot]cx                        59[dot]36[dot]101[dot]217        IP address hosts at least 3 domains
tyuqwer[dot]dyndns[dot]org                  75[dot]101[dot]212[dot]55
google[dot]homeunix[dot]com                 173[dot]201[dot]21[dot]161
ftp2[dot]homeunix[dot]com                   127[dot]0[dot]0[dot]2            Domain resolution indicative of offline site status. Call-back discovered through analysis of malware file AppMgmt.dll
360[dot]homeunix[dot]com                    127[dot]0[dot]0[dot]2            Domain resolution indicative of offline site status. Call-back domain discovered through analysis of malware file rasmon.dll
update[dot]ourhobby[dot]com                 127[dot]0[dot]0[dot]1            Domain resolution indicative of offline site status. Call-back discovered through analysis of malware file securmon.dll
demo1[dot]ftpaccess[dot]cc/demo/ad[dot]jpg  127[dot]0[dot]0[dot]2            Domain resolution indicative of offline site status
360[dot]homeunix[dot]com
ad01[dot]homelinux[dot]com
ads1[dot]homelinux[dot]org
ads1[dot]webhop[dot]org
Aep[dot]homelinux[dot]com
Aka[dot]homeunix[dot]net
alt1[dot]homelinux[dot]com
Amd[dot]homeunix[dot]com
amt1[dot]homelinux[dot]com
amt1[dot]homeunix[dot]org
aop01[dot]homeunix[dot]com
aop1[dot]homelinux[dot]com
app1[dot]homelinux[dot]com
asic1[dot]homeunix[dot]com
Bbsnewss[dot]ath[dot]cx
Bdc[dot]homeunix[dot]com
blog1[dot]servebeer[dot]com
Connectproxy[dot]3322[dot]org
Corel[dot]ftpaccess[dot]cc
Csport[dot]2288[dot]org
ddd1[dot]homelinux[dot]com
demo1[dot]ftpaccess[dot]cc
du1[dot]homeunix[dot]com
Filoups[dot]info
fl12[dot]ftpaccess[dot]cc
ftp1[dot]ftpaccess[dot]cc
ftp2[dot]homeunix[dot]com
Ftpaccess[dot]cc
hho1[dot]homeunix[dot]com
hp1[dot]homelinux[dot]org
i1024[dot]homelinux[dot]com
i1024[dot]homeunix[dot]org
Ice[dot]game-host[dot]org
il01[dot]homeunix[dot]com
il01[dot]servebbs[dot]com
il02[dot]servebbs[dot]com
il03[dot]servebbs[dot]com
Jlop[dot]homeunix[dot]com
li107-40[dot]members[dot]linode[dot]com
lih001[dot]webhop[dot]net
lih002[dot]webhop[dot]net
lih003[dot]webhop[dot]net
list1[dot]homelinux[dot]org
live1[dot]webhop[dot]org
Members[dot]linode[dot]com
on1[dot]homeunix[dot]com
Patch[dot]homeunix[dot]org
patch1[dot]ath[dot]cx
patch1[dot]gotdns[dot]org
patch1[dot]homelinux[dot]org
ppp1[dot]ftpaccess[dot]cc
sc01[dot]webhop[dot]biz
sl1[dot]homelinux[dot]org
temp1[dot]homeunix[dot]com
Tor[dot]homeunix[dot]com
ttt1[dot]homelinux[dot]org
up01[dot]homelinux[dot]com
up1[dot]homelinux[dot]org
up1[dot]mine[dot]nu
up1[dot]serveftp[dot]net
up2[dot]mine[dot]nu
Update[dot]ourhobby[dot]com
update1[dot]homelinux[dot]org
update1[dot]merseine[dot]nu
vm01[dot]homeunix[dot]com
Voanews[dot]ath[dot]cx
Vvpatch[dot]homelinux[dot]org
war1[dot]game-host[dot]org
Webswan[dot]33iqst[dot]com
Xil[dot]homeunix[dot]com
Yahoo[dot]8866[dot]org
McAfee provided several IP addresses involved in the incident:
69[dot]164[dot]192[dot]46
69[dot]164[dot]192[dot]0/24
72[dot]32[dot]6[dot]235
203[dot]69[dot]40[dot]128/27
203[dot]69[dot]41[dot]0/26
203[dot]69[dot]41[dot]64/27
203[dot]69[dot]66[dot]0/27
203[dot]69[dot]68[dot]96/27
203[dot]69[dot]68[dot]128/25
168[dot]95[dot]1[dot]1 – Call-back IP address discovered in file rasmon.dll.
The table below contains the file characteristics of the malware analyzed:
File Name: uploaded_data
  MD5: 1AEA206AA64EBEABB07237F1E2230D0F
  Byte Size: 17310
  Description: ASCII text, with very long lines, with CRLF line terminators

File Name: securmon.dll
  IPs/Domains: call-back: update[dot]ourhobby[dot]com:443
  MD5: E3798C71D25816611A4CAB031AE3C27A
  Byte Size: 62464
  Description: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit

File Name: Rasmon.dll
  IPs/Domains: call-backs: 360[dot]homeunix[dot]com:443, 168.95.1.1:DNS
  MD5: 0F9C5408335833E72FE73E6166B5A01B
  Byte Size: 90112
  Path: C:\Windows\system32\Rasmon.dll
  Type: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
  Description: Installs as service that begins with "UPS", followed by a random string. Example: Upskvk. Command line: C:\WINDOWS\System32\svchost.exe -k SysIns

File Name: ad_1_.jpg
  MD5: CD36A3071A315C3BE6AC3366D80BB59C
  Byte Size: 34816
  Description: Appears to be packed executable. Significant portion of file is XOR'd 0x95

File Name: b.exe
  MD5: 9F880AC607CBD7CDFFFA609C5883C708
  Byte Size: 34816
  Description: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit, UPX compressed. Drops: Rasmon.dll

File Name: cdef
  MD5: 29F52213E171C3D4B4418939D9E466C3
  Byte Size: 41984
  Description: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit. Drops: AppMgmt.dll

File Name: AppMgmt.dll
  IPs/Domains: call-backs: ftp2[dot]homeunix[dot]com:443
  MD5: 6A89FBE7B0D526E3D97B0DA8418BF851
  Byte Size: 31744
  Description: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit. Installs as service "Application Management"

File Name: A0029670.dll
  MD5: 3A33013A47C5DD8D1B92A4CFDCDA3765
  Byte Size: 90112
  Description: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit

File Name: msconfig32.sys
  MD5: 7A62295F70642FEDF0D5A5637FEB7986

File Name: VedioDriver.dll
  MD5: 467EEF090DEB3517F05A48310FCFD4EE

File Name: acelpvc.dll
  MD5: 4A47404FC21FFF4A1BC492F9CD23139C

File Name: wuauclt.exe
  MD5: 69BAF3C6D3A8D41B789526BA72C79C2D

File Name: jucheck.exe
  MD5: 79ABBA920201031147566F5418E45F34

File Name: AdobeUpdateManager.exe
  MD5: 9A7FCEE7FF6035B141390204613209DA

File Name: zf32.dll
  MD5: EB4ECA9943DA94E09D22134EA20DC602
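To put the domains, IP addresses and file hashes above to use in a log review, here is an added Python example that is not part of the US-CERT alert. It refangs a subset of the listed indicators (the alert writes them with "[dot]"), builds a matcher that handles subdomains of a listed domain and the CIDR ranges McAfee supplied, and runs it over four constructed DNS and proxy log lines; the client addresses, timestamps and the www.example.com request are all made up for the demonstration. A hash lookup against the file table is included as well.

```python
import hashlib
import ipaddress
import re

# Added example, not from the US-CERT alert: a small indicator matcher built
# from a subset of the defanged indicators listed above, run over constructed
# log lines. Everything under SAMPLE_LOG is made up for the demonstration.

DEFANGED_DOMAINS = [
    "blogspot[dot]blogsite[dot]org",
    "voanews[dot]ath[dot]cx",
    "ymail[dot]ath[dot]cx",
    "update[dot]ourhobby[dot]com",
    "ftp2[dot]homeunix[dot]com",
    "360[dot]homeunix[dot]com",
    "Yahoo[dot]8866[dot]org",
]
DEFANGED_IPS = [
    "69[dot]164[dot]192[dot]46",
    "69[dot]164[dot]192[dot]0/24",
    "203[dot]69[dot]40[dot]128/27",
    "168[dot]95[dot]1[dot]1",
]
# MD5 -> file name, copied from the file table above.
KNOWN_MD5 = {
    "e3798c71d25816611a4cab031ae3c27a": "securmon.dll",
    "0f9c5408335833e72fe73e6166b5a01b": "Rasmon.dll",
    "6a89fbe7b0d526e3d97b0da8418bf851": "AppMgmt.dll",
}


def refang(value):
    """Undo the [dot] defanging and drop stray whitespace."""
    return re.sub(r"\s+", "", value).replace("[dot]", ".").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
NETWORKS = [ipaddress.ip_network(refang(i), strict=False) for i in DEFANGED_IPS]

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_hit(name):
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    labels = name.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DOMAINS:
            return candidate
    return None


def ip_hit(addr):
    """Return the listed host or CIDR range containing `addr`, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in NETWORKS:
        if ip in net:
            return str(net)
    return None


def scan(lines):
    """Return (line_no, kind, observed_value, matched_indicator) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for addr in IP_RE.findall(line):
            matched = ip_hit(addr)
            if matched:
                hits.append((n, "ip", addr, matched))
        for name in DOMAIN_RE.findall(line):
            matched = domain_hit(name)
            if matched:
                hits.append((n, "domain", name.lower(), matched))
    return hits


def lookup_md5(hexdigest):
    """Case-insensitive lookup of a file hash against the alert's table."""
    return KNOWN_MD5.get(hexdigest.lower())


def check_file(data):
    """Hash file contents and look the digest up."""
    return lookup_md5(hashlib.md5(data).hexdigest())


# Constructed DNS and proxy log lines; none of these events are real.
SAMPLE_LOG = [
    "2010-01-15 10:02:11 dns client=10.1.1.7 qname=update.ourhobby.com",
    "2010-01-15 10:02:12 proxy client=10.1.1.7 dst=69.164.192.77:443 host=-",
    "2010-01-15 10:05:00 proxy client=10.1.1.9 dst=93.184.216.34:80 host=www.example.com",
    "2010-01-15 10:06:41 dns client=10.1.1.9 qname=mail.yahoo.8866.org",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(lookup_md5("E3798C71D25816611A4CAB031AE3C27A"))
```

Matching parent domains matters because several of the listed names sit under dynamic-DNS zones, and a host will often resolve a sibling or child label rather than the exact string in the alert; the CIDR entries are handled by the `ipaddress` module rather than by string comparison so that any address inside a listed range is caught.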
The following signatures can be deployed to assist in detecting malicious activity associated with this incident:
Primary Malware Beacon
alert tcp any any -> any any (msg:"Targeted Malware Communication Beacon Detected"; flow:to_server,established; dsize:20; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20; sid:7777777; rev:1;)  
Secondary Malware Beacon
alert tcp any any <> any any (msg:"ORC:DIS:BEACON_380DFF"; content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; sid:99980060; rev:1;)
Note: US-CERT has not verified or tested these signatures and recommends proper testing prior to deployment.
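Since the alert itself says the two signatures are untested, a quick offline check of what each one actually matches is a sensible first step. The following added Python example, not part of the alert, reduces both rules to their byte-matching conditions and exercises them on constructed payloads: the primary rule requires a client-to-server payload of exactly 20 bytes (dsize:20) that begins with the content (depth:20), so a beacon with even one extra byte is not matched, which is the kind of brittleness to know about when tuning; the secondary rule has no size, offset or direction constraint and matches its 12 bytes anywhere in a payload. The `established` keyword depends on Snort's TCP state tracking and is not modelled here.

```python
# Added example, not from the US-CERT alert: the two beacon signatures above
# reduced to their byte-matching conditions so they can be exercised offline
# on constructed payloads before any Snort deployment.

# Content bytes copied from the two rules.
PRIMARY_CONTENT = bytes.fromhex(
    "ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff")
SECONDARY_CONTENT = bytes.fromhex("38 0d ff 0a d7 ee 9d d7 ec 59 13 56")


def matches_primary(payload, to_server=True):
    """sid:7777777 -- flow:to_server, dsize:20, content at depth 20.

    dsize:20 means the TCP payload must be exactly 20 bytes long, and
    depth:20 confines the content search to the first 20 bytes, so the
    whole payload must equal the content. 'established' is not modelled.
    """
    return to_server and len(payload) == 20 and payload[:20] == PRIMARY_CONTENT


def matches_secondary(payload):
    """sid:99980060 -- bidirectional, no size or offset limits: content anywhere."""
    return SECONDARY_CONTENT in payload


# Constructed payloads; none of these bytes come from real traffic.
SAMPLES = {
    "exact_beacon": (PRIMARY_CONTENT, True),
    "beacon_plus_one": (PRIMARY_CONTENT + b"\x00", True),        # 21 bytes: dsize fails
    "beacon_from_server": (PRIMARY_CONTENT, False),               # wrong flow direction
    "secondary_embedded": (b"GET /" + SECONDARY_CONTENT + b" HTTP/1.0", True),
    "benign": (b"GET /index.html HTTP/1.0\r\n\r\n", True),
}


def evaluate(samples=SAMPLES):
    """Return, per sample name, the list of rule sids that would fire."""
    results = {}
    for name, (payload, to_server) in samples.items():
        fired = []
        if matches_primary(payload, to_server):
            fired.append(7777777)
        if matches_secondary(payload):
            fired.append(99980060)
        results[name] = fired
    return results


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:20s} -> {fired or 'no match'}")
```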



II. Impact

By convincing a user to view a specially crafted HTML document or Microsoft Office document, an attacker may be able to execute arbitrary code with the privileges of the user.


III. Solution

The Internet Explorer vulnerability used in these attacks is addressed with the updates provided in Microsoft Security Bulletin MS10-002.
Other recommendations include:
  • As a best practice, limit end-user permissions on systems by granting minimal administrative rights.
  • Enable Data Execution Prevention (DEP) for IE 6 Service Pack 2 or IE 7. IE 8 automatically enables DEP.
  • Inspect network traffic history for communication with external systems associated with the attack.
  • Examine computers for specific files or file attributes related to the attack.


IV. References

Friday, February 19, 2010

Our national assets are in desperate need of more cyber protection!

Hackers are staging a massive attack that has breached 10 federal agencies. It involves more than 75,000 computers in 196 countries. The ZeuS botnet offensive goes after passwords, corporate secrets and financial information, and it's spread by infected emails and Web sites. The Wall Street Journal reports the attack started 18 months ago and is still running.

Brian Clarke, security expert at c5i Federal, stated: "The general attack vector is an email dropper – the main problem with infection is truly human error, clicking on links with embedded scripts or malicious pages."

Friday, January 29, 2010

The National Cyber Alert System has put out a series of tips on protecting portable devices

Why do you need another layer of protection?

Although there are ways to physically protect your laptop, PDA, or other portable device (see Protecting Portable Devices: Physical Security for more information), there is no guarantee that it won't be stolen. After all, as the name suggests, portable devices are designed to be easily transported. The theft itself is, at the very least, frustrating, inconvenient, and unnerving, but the exposure of information on the device could have serious consequences. Also, remember that any devices that are connected to the internet, especially if it is a wireless connection, are also susceptible to network attacks (see Securing Wireless Networks for more information).

What can you do?

  • Use passwords correctly - In the process of getting to the information on your portable device, you probably encounter multiple prompts for passwords. Take advantage of this security. Don't choose options that allow your computer to remember passwords, don't choose passwords that thieves could easily guess, use different passwords for different programs, and take advantage of additional authentication methods (see Choosing and Protecting Passwords and Supplementing Passwords for more information). 
  • Consider storing important data separately - There are many forms of storage media, including CDs, DVDs, and removable flash drives (also known as USB drives or thumb drives). By saving your data on removable media and keeping it in a different location (e.g., in your suitcase instead of your laptop bag), you can protect your data even if your laptop is stolen. You should make sure to secure the location where you keep your data to prevent easy access. It may be helpful to carry storage media with other valuables that you keep with you at all times and that you naturally protect, such as a wallet or keys.
  • Encrypt files - By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. You may also want to consider options for full disk encryption, which prevents a thief from even starting your laptop without a passphrase. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.
  • Install and maintain a firewall - While always important for restricting traffic coming into and leaving your computer, firewalls are especially important if you are traveling and using different networks. Firewalls can help prevent outsiders from gaining unwanted access (see Understanding Firewalls for more information).
  • Back up your data - Make sure to back up any data you have on your computer onto a CD-ROM, DVD-ROM, or network (see Good Security Habits and Real-World Warnings Keep You Safe Online for more information). Not only will this ensure that you will still have access to the information if your device is stolen, but it could help you identify exactly which information a thief may be able to access. You may be able to take measures to reduce the amount of damage that exposure could cause.
See the original posting here  

Tuesday, January 26, 2010

Cloud Computing Security

Tim Brown over at CIO online has a great piece on Cloud Security: Ten Questions to Ask Before You Jump:

From regulations to liability, CA cloud security expert Tim Brown outlines the key security issues you should explore while preparing for a cloud deployment.

The hype around cloud computing would make you think mass adoption will happen tomorrow. But recent studies by a number of sources have shown that security is the biggest barrier to cloud adoption. The reality is cloud computing is simply another step in technology evolution following the path of mainframe, client server and Web applications, all of which had — and still have — their own security issues.

Security concerns did not stop those technologies from being deployed and they will not stop the adoption of cloud applications that solve real business needs. To secure the cloud, it needs to be treated as the next evolution in technology not a revolution that requires broad based changes to your security model. Security policies and procedures need to be adapted to include cloud models in order to prepare for the adoption of cloud-based services. Like other technologies, we're seeing early adopters take the lead and instill confidence in the cloud model by deploying private clouds or by experimenting with less-critical information in public clouds.

Organizations are asking many questions and weighing the pros and cons of utilizing cloud solutions. Security, availability and management all need to be considered. As part of that process, here are 10 security-related questions organizations should consider to help them determine if a cloud deployment is right for them, and if so, which cloud model — private, public or hybrid.

1. How does a cloud deployment change my risk profile? A cloud computing deployment — whether private or public — means you are no longer in complete control of the environment, the data, or the people. A change in control creates a change in risk — sometimes an increase in risk and in some cases a decrease in risk. Some cloud applications give you full transparency, advanced reporting, and integration with your existing systems. This can help lower your risk. Other cloud applications may be unable to modify their security profiles and may not fit with your existing security measures, which can increase your risk. Ultimately the data and its sensitivity level will dictate what type of cloud is used, or whether a cloud model makes sense at all.

2. What do I need to do to ensure my existing security policy accommodates the cloud model?
A shift to a cloud paradigm is an opportunity to improve your overall security posture and your security policies. Early adopters of cloud applications will have influence and can help drive the security models implemented by the cloud providers. You should not create a new security policy for the cloud, but instead extend your existing security policies to accommodate this additional platform. To modify your policies for the cloud, you need to consider the same factors: where the data is stored, how the data is protected, who has access to the data, compliance with regulations, and service level agreements.

Check out the rest of this great article HERE

Friday, January 22, 2010

Clinton Pushes Cyber-security in Wake of Google Attacks

Secretary of State Hillary Clinton calls for countries to cooperate in defending against cyber-attacks, but remains cautious in her comments regarding the recent attacks reported by Google.

U.S. Secretary of State Hillary Clinton in a speech Jan. 21 took a strong stance in favor of promoting cyber-security partnerships and ending Internet censorship, but stopped short of using harsh language against China in connection with the recent cyber-attacks reported by Google.

China has been at the center of accusations of attacks on Google, Adobe Systems and more than 30 other enterprises. Direct evidence of government involvement in the attacks has been lacking—however, systems used by the attackers were linked to China, and the main Trojan used in the attacks included code with a cyclic redundancy check originating in China as well. "We have identified that systems in Taiwan were involved, as were systems in the United States," said Dave Marcus, director of security research at McAfee's Avert Labs. "That said, cyber-espionage and state-sponsored cyber-attacks are nothing new and we have said in the past that China is one of the nation states that conducts such activities, as does the United States and other countries."

Read the entire eWeek article here.

Technical Cyber Security Alert TA10-021A - Internet Explorer out of band patch released

Microsoft has issued a security patch for a vulnerability in Internet Explorer that was exploited in China's targeted and sophisticated attacks against Google.

This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003). For Internet Explorer 6 on the supported editions of Windows Server 2003, this update is rated Moderate. For more information, see the Affected and Non-Affected Software subsection of the Microsoft bulletin.

The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection under Vulnerability Information in the Microsoft bulletin.

This week Microsoft began urging businesses and consumers to upgrade to Internet Explorer 8, explaining that its security benefits are far greater than those of Internet Explorer 6. Both the French and German governments warned their populations to stop using Internet Explorer because of the unpatched flaw. Currently the flaw exists in Internet Explorer versions 6, 7 and 8, but exploit code is only available for Internet Explorer 6.