Welcome to the SecAware blog

I spy with my beady eye ...

31 Mar 2005

Risks of file-sharing

US-CERT Cyber Security Tip ST05-007 explains the risks associated with P2P (peer-to-peer) file sharing, including threats such as malware, disclosure of confidential information and denial of service.
This is the latest of around 30 Cyber Security Tips released by CERT, each one addressing a single everyday aspect of information security. Mindi McDowell, the main author, has a beautifully clear, largely non-technical writing style and provides straightforward advice for ordinary computer users.
More malware links here

30 Mar 2005

Visa Cardholder Information Security Program

The VISA Cardholder Information Security Program includes a security standard designed to ensure that all VISA merchants conform to a common security baseline, plus the associated training, validation and certification processes.
More standards and laws links here

Distributed brute-force attacks

The US Secret Service uses a network of 4,000 computers for brute-force attacks on encrypted forensic evidence obtained from target systems, using plaintext snippets and information from the user's browsed websites as cribs or clues to possible passwords. The system is reminiscent of the DES cracker built in 1999 by the Electronic Frontier Foundation, but uses spare cycles on desktop PCs like the SETI@home project.
More confidentiality links here

29 Mar 2005

Web application security tester

Acunetix web vulnerability scanner is a tool to test the security of your website by simulating common attacks such as cross-site scripting, SQL injection and more. Identify vulnerabilities in your web applications off-line before the on-line hackers do their worst!
More Internet and web security resources here

Prevent malware and data leakage via USB sticks

GFI LANguard Portable Storage Control is an example of a software product to control the use of USB memory sticks, smartphones, MP3 devices etc. It can help avoid the introduction of malware as well as preventing the removal of confidential data.
More malware and confidentiality resources

Microsoft's approach to incident response

A Microsoft paper gives the inside track on how they deal with infosec incidents.
More incident management and contingency planning links here

Blogging guidelines

Blogs like the one you are reading are great for free speech and personal expression, but are not necessarily in keeping with corporate security, marketing and legal requirements. The link above, itself a blog entry, points to a number of blogging guidelines published on the web. These should prove useful if you are considering your own corporate policy in this area. [NoticeBored's May module on email security will provide further guidance].
More email security links here

28 Mar 2005

NIST guide to HIPAA security

NIST Special Publication 800-66 is "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule". 'Nuff said.
More privacy/data protection and confidentiality resources

$100k malware incident

Serious networking problems at a law firm were traced to a malware-infected screensaver circulated by highly qualified and bright (but evidently naive) staff. Nonproductive downtime and recovery costs are estimated to have cost $100,000.
More malware links here

24 Mar 2005

Web banking almost entirely safe

This is a brilliant parody by the New Zealand Herald's Willy Trolove of a typical bank's promotion of Internet banking, complete with get-out-of-jail-free clauses. It's a good reminder about the difficulties of balancing the benefits of information security controls against the costs for system users.

More internet security links here

22 Mar 2005

Disposal of disks embedded in equipment

Modern dedicated or multifunction printer/scanner/photocopier devices typically contain embedded hard drives used to cache and re-sequence document images. A piece in Canadian cNews (no longer online) points out the risk of accidentally disclosing images of ‘everything you’ve ever printed’ [a bit of journalistic license there, we think] when machines are sold or returned to the leasing companies [or, for that matter, are ‘serviced’ by unethical engineers or hackers].
More physical security links here

21 Mar 2005

DTI security advice

The UK Department of Trade and Industry publishes a range of basic good advice for businesses, including a set of awareness materials on information security topics. The link above takes you to an index page with access to all sorts of goodies on malware, internet security, physical security etc. plus a new overview publication Information Security: Hard Facts.
More malware links here

19 Mar 2005

eRobbery foiled

Hackers attempting to steal £220m (around $400m) from Sumitomo bank in London have been stopped by, presumably, a concerted effort from the bank's internal information security systems/processes and the British National High Tech Crime Unit. The gang used keyloggers; whether these were hardware or software versions has not been made public.
More on malware here

ITsafe security awareness initiative

The link [above] takes you to the inaugural issue of the UK Government's ITsafe newsletter. ITsafe is a basic security awareness service for home computer users and micro-businesses. The inaugural newsletter is mostly a fanfare announcing the launch of the service (much as ours did) plus a little information on vulnerabilities in a potted selection of software applications. It will be interesting to see how the service develops, assuming it survives the pre-election promises of Labour and Conservative parties to cut government bureaucracy ...
More security awareness links here and here's our white paper explaining the need for security awareness

17 Mar 2005

CERT cyber security tip: recovering from malware

The latest snippet of end-user advice from US CERT concerns what to do if, despite the controls, your system is infected with a virus, worm, Trojan or other malicious software. The tip includes actions to minimize the chances of re-infection.
Other CERT cyber security tips listed here
Other malware links here

15 Mar 2005

You Are A Loser!

Read our brief review of this fun little book. It is full of short information security case studies, in the form of entertaining news stories about computer glitches, data entry errors etc. Good fodder here for case study seminar sessions, or anecdotes to spice up those otherwise rather tedious security induction sessions.

More freebies here

Antivirus software response times

Curious about which antivirus products react first to new malware outbreaks? Then take a look at AVtest.org. The research team have been tracking and comparing the average release times for signature updates from all the main antivirus vendors. According to their presentation of the results in September 2004, Bitdefender and Kaspersky were the speediest firms.
More malware links here

12 Mar 2005

Worm library

Where earthworms go to read? No, it's someone's blog outlining worms discovered in the wild this year.
More malware links here

11 Mar 2005

Internet Storm Center report on worms and phish

The SANS Internet Storm Center maintains a watching brief on current network security issues. This is a fairly typical page from the handler's diary discussing a worm targeting PHP bulletin boards, phishing attacks and spyware. Dismiss the thought that these are purely theoretical threats.
More malware links here

Viruses explained - Sophos booklet

Antivirus vendor Sophos offers a neat little 64-page booklet explaining viruses and other forms of malware in simple terms. It is a useful document for non-technical users - not a sales glossy - and includes practical advice for reducing the risk of infection.
More malware links here

Physical access = Game over

If a skilled adversary can gain physical access to a PC, it's game over as far as information security is concerned. Without appropriate controls in place, he/she can potentially install a hardware keyboard logger, download data and programs to/from a USB memory device, reboot from a powerful operating system on a CD/DVD or USB memory device, steal the hard drive or other components, destroy the system ... Do you search visitors to your site for USB pens for example?

Other physical security links here

GoToMyPC remote control security

GoToMyPC is a system for users to permit full remote access to their systems through the Internet from a standard browser. The system has clearly been designed with security in mind, incorporating numerous security controls as documented in this paper. However, no system is totally idiot-proof. If the additional two-factor authentication controls and other security mechanisms available in the high-end Corporate version are not used properly, a determined idiot can grant full remote access to anyone. Do you monitor or restrict out/inbound HTTP connections to/from GoToMyPC servers on your network? What about other similar systems? [By the way, the paper itself is a model of clarity. If only all system security designs were so thoroughly thought-out and so clearly and comprehensively documented!]

10 Mar 2005

Blogging could cost you your job

A story prompted by comments from a US employment law firm warns about the dangers of publishing confidential information in weblogs - fair enough - but then goes on to warn that employers may be within their rights to dismiss employees whose blog comments imply disloyalty. [Funny, I thought the American Constitution protected the right to free speech! It could be argued that employers in this position have bigger problems than employee blogs to worry about].
More IT law links here

On the value of security awareness

Harris Miller, President of ITAA, made this 2001 presentation to the Senate Committee on Commerce, Science and Transportation about Internet security. In it, he highlighted the need for management support for information security in order to create a security culture. Well said Mr Miller.
Free paper on 'why we need security awareness' here

9 Mar 2005

Anti-phishing Act of 2005

Senator Patrick Leahy has (re-)introduced his Anti-Phishing Act to the U.S. Senate. The act outlaws phishing (emails that mislead victims into visiting fake websites) and pharming (attacks that redirect visitors' attempted connections to a legitimate website, sending them to a fake website). "The Anti-Phishing Act of 2005 would enter two new crimes into the U.S. Code. The first prohibits the creation or procurement of a website that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft. The second prohibits the creation or procurement of an email that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft."
More malware links here and more IT fraud links here

The Oops List

The Oops List is a collection of images of (mostly) aircraft disasters. Warning: these are truly graphic images - not much blood and gore as such but undoubtedly passengers or crew were injured or killed in at least some of them. A few look like fakes or set-ups but, subject to any copyright restrictions, they would make fascinating slides for your contingency planning presentations.
More contingency planning links here

8 Mar 2005

New FREE Windows security ebook

Don Jones has written The Definitive Guide to Securing Windows in the Enterprise - a practical guide to Windows security for system and security administrators. The book is being published online chapter-by-chapter for free by Realtime Publishers - the first introductory chapter is available now. Having written Windows baseline security standards ourselves, it will be interesting to see how the rest of the eBook turns out.
More information security management links here

7 Mar 2005

Spyware advice and awareness video from Microsoft

Microsoft is promoting its own anti-spyware software, currently on Beta release and hence probably unsuitable for Production use. Microsoft's short awareness video is a great way to outline the spyware problem to computer users and gives clear advice on how to reduce the risk of infection.
More malware links here

5 Mar 2005

IT security indecision

This article in a Canadian journal highlights the need to spend more of the IT budget on information security, and pay more attention to security awareness.
More security awareness links here and a paper on the need for security awareness here

4 Mar 2005

Bill Cheswick presentation

Bill Cheswick gave a fabulous presentation at the N.I.T.E.S conference in Dublin on March 1st entitled “My dad’s computer”. Ches’s dad’s PC was unprotected against malware and hence was chock-a-block with viruses, Trojans, spam and other digital detritus. Ches made the point that his dad has virtually no interest in or understanding of the technology and security implications, he simply wants to use his system in peace. Bill’s dad is all around us. Ches went on to describe his approach to securing his own systems with a heavy emphasis on hardening them by removing all unnecessary network services - ideally hard enough that firewalls are unnecessary. Thanks Ches!
More malware links here

Analysis of the functions in Phatbot Trojan

Amazing list of functions available remotely to someone who controls systems infected with the Phatbot Trojan. Read the list to understand what it really means if your system is "0wn3d" using Phatbot.
More malware links here

Flaw in Trend Micro AntiVirus Library

A heap overflow in a Trend Micro library can be triggered by a specially crafted ARJ file, presumably leading to the dreaded 'execution of arbitrary code' (i.e. game over - your system is 0wn3d). It seems the library is used by a number of other antivirus packages, so this is not just an issue for Trend Micro AV users.
More malware links here

Three more Bagles on the loose

Three more Bagle variants are on the loose. There have been so many Bagle variants that the antivirus people have had to use two-character extensions to distinguish them: the latest one is called Bagle BE.
More malware links here.

1 Mar 2005

Malware awareness module released

The latest awareness module on malware to be sent to NoticeBored customers this evening comprises more than 15 separate editable items and around 9Mb of data. The read-only newsletter will also be distributed overnight to those on our mailing list. Enjoy!
Updated malware links here