Welcome to the SecAware blog

I spy with my beady eye ...

30 Jan 2006

Microsoft phished?

The above go.microsoft.com link in a Microsoft Partner Programme email redirects to a Security Assessment Tool hosted at www.SecurityGuidance.com. The domain looked a bit odd to me, so I checked the domain registration details on whois. The domain belongs not to Microsoft but to Ziff-Davis ... which seems rather odd for a Microsoft-branded page and a Microsoft security tool. The 'tool' itself appears to consist of a questionnaire about visitors' security arrangements, exactly the kind of information someone with malicious intent might want. The FAQ on the site notes that Microsoft has a relationship with Ziff-Davis, but why should I trust the information on a dubious website? My advice FWIW - steer clear.
More security awareness links

Researchers: Rootkits headed for BIOS

A SecurityFocus article picks up on the possibility of rootkits in the computer's BIOS. The same principle applies to rootkits in video BIOS and network card BIOS. The thing about these locations is that a reboot won't clear them, nor will a normal complete system rebuild - not even a new hard drive will clear them ... unless, that is, the code in the BIOS is just a stub, a loader for the main payload on disk. Given that the machine BIOS, by its very nature, gives low level access to the hardware, it is conceivable that a stub could load the remainder from another BIOS store, or from a normally inaccessible area on disk (such as a sector marked bad).
More [anti-]hacking resources

29 Jan 2006

Cisco backdoor

A backdoor in a mainstream security product could certainly be considered a bug. The product is Cisco Security Monitoring, Analysis and Response System (CS-MARS) up to version 4.1.2, and the backdoor is an undocumented user ID with a default password giving access to the fully privileged root administrator ID. Doh! The access was allegedly inserted deliberately for “advanced debugging purposes” - fair enough maybe, but why on Earth did it end up in shipped code, and in a security product at that?!
More links on Bugs!

Awareness module on Bugs!

The latest NoticeBored Classic module covers something dear to my heart - Bugs! Having suffered bugs in almost every program I've ever used, the Bugs! module is a chance to get a few things off my chest. Read about the benefits and constraints of software development quality assurance and testing processes, and catch up with the patching treadmill.
New links page on Bugs! here

28 Jan 2006

Consumer frauds reported to FTC in 2005

The US Federal Trade Commission reports on the 685,000 complaints of fraud and identity theft they received during 2005, costing consumers an average of just under $1,000 each (yes, that's a whopping $680m!). Just under half the complaints were Internet related, slightly down on recent years. Identity theft was slightly more common than 2004 but again slightly down as a proportion of the total. Perhaps information security is starting to have a positive effect?
More IT-related fraud resources

Online security training from CERT

CERT's Virtual Training Environment provides online access to mini courses on a variety of information security topics. The knowledge library is produced by Carnegie Mellon University's renowned Software Engineering Institute.
More security awareness resources

26 Jan 2006

Hidden threats - rootkits and botnets

A new US CERT Cybertip covers 'hidden threats' such as Rootkits and Botnets. The Cybertips neatly summarize common information security issues for ordinary computer users - not geeks.
More "virus" links

24 Jan 2006

Wired News: The Backhoe: A Real Cyberthreat

Diggers (backhoes) are evidently one of the most serious threats to comms networks, including otherwise well-designed resilient networks with redundant links.
More physical security links

Spear phishing for MPs

The Guardian newspaper reports that British Members of Parliament were specifically targeted in what looks like a spear-phishing attack. Thankfully, the Parliamentary security systems seem to have foiled the attack but other victims may not have the same level of protection. What's interesting about spear-phishing is that the classic pattern-matching antivirus tools may prove ineffective if the attackers create or use virgin never-before-in-the-wild malware specifically for these attacks. The implications are horrific.
More malware links here

23 Jan 2006

Ed Skoudis on security awareness

In an interesting interview by Tony Bradley, Ed Skoudis said: "Given that many organizations have dramatically improved the patching process, we now face an even more difficult problem: user awareness. With targeted phishing and Trojan horse attacks, an unwitting user can be duped into running an attachment, surfing to a happy-looking-but-evil website, or entering information into a form that pops up on the screen. Such attacks represent a real threat to most organizations. And the real problem here is summarized well in that wonderful T-shirt: 'Because there is no patch for human stupidity.' Our entire culture needs to come to terms with the risk of computer crime and how to identify and avoid its common forms. Pretty much everyone that uses computers has to learn about e-mail and website con jobs, phishing, Trojans, viruses, and other scams." Hear hear Ed!
More awareness resources

22 Jan 2006

Microsoft secure coding site

The Microsoft developers' security site has a section on writing secure code with a good range of advice including some on threat modelling - a structured way to determine the threats that may apply to your applications.
More secure development links

16 Jan 2006

Windows XP and 2003 security guides

Microsoft has released a pair of useful security configuration guides for Windows XP and Windows Server 2003. These are detailed guides, suitable for use as-is or conversion into security standards to suit your specific organization's security requirements.
More IT Operations links here

14 Jan 2006

BBC DJs 'unaware of copy law'

It appears that some BBC DJs are illegally copying and using digital copies of music despite a new music licensing scheme in the UK, and of course the Copyright Act. The BBC news story fails to mention how many non-BBC DJs are also breaking the law in this fashion but judging by the number of remote control joggers I see on the streets, it must be quite a few.
More Intellectual Property Rights links

13 Jan 2006

ISACA drops audit name

To help cement its move away from IT auditing towards IT governance, ISACA will no longer be known officially as the Information Systems Audit and Control Association. This is a bit like British Petroleum, British Telecom and British Airways becoming BP, BT and BA, respectively: some of us traditionalists still recall the original names and all that they once stood for. Some of us can tell the difference between Personal Computer and Politically Correct.
More IT audit resources

11 Jan 2006

419 Legal

An interesting global self-help initiative to counteract the 419 scammers has been launched by the South African police. It’s a kind of name-and-shame deal, with police and community backing lending some weight to their efforts to get scammer sites and services closed down. Awareness/education is a primary and very worthy aim.
More IT fraud links here

9 Jan 2006

SPI Dynamics white papers

SPI Dynamics, providers of software for testing web applications etc., publishes a range of useful white papers relating to software quality. Unlike some of their peers, the papers are provided free of charge with no strings attached - you don't need to register, sign up for their newsletter, supply a small DNA sample or otherwise jump through hoops. Just click, wait and read :-)

More secure software development links here

2 Jan 2006

NoticeBored this month

The information security aspects of third-party relationships are the subject of January's NoticeBored Classic module. It points out the need for, and value of, numerous information security controls when dealing with business partners etc.

More 3rd party security links

Recommended security awareness book

Managing an Information Security and Privacy Awareness and Training Program wins the prize for the longest book title we've seen of late but it's worth it. This is an excellent textbook for security awareness professionals, packed full of good ideas. Thoroughly recommended.
More security awareness resources