
(IN)SECURE Magazine


Contents

1. Germany: the current debate on the Internet filter, by Daniel Opperman. When talking about cybercrime, there is one topic that is discussed frequently and often results in public outrage among Internet users and non-users alike: child pornography. It is a problem that harms thousands of children physically and mentally, and a business in which millions of dollars are spent each year worldwide. Child pornography is nothing new and is not connected exclusively to the Internet; this form of abuse has existed for centuries, probably as long as humankind itself. But with the Internet, producers and consumers found an easy, fast, cheap and anonymous way to get and distribute it. And "getting" really is the appropriate word, not "buying": estimates say that about 80% of child porn consumers are not involved in it for financial gain but trade pictures and movies as a hobby. Besides websites, which usually exist only for a limited amount of time, e-groups, newsgroups, bulletin board systems, chat rooms and peer-to-peer (P2P) networks are also used to access the material. In recent years different approaches have been tried out to combat this form of crime on the Internet. One has been the identification of consumers by the credit cards they use to buy child porn material. Another one, the one
2. Identity Manager: a place for secure passwords. The original version of the IronKey I got was created prior to the RSA Conference 2009, so besides an older Firefox 2.0 the only other application was Password Manager. During testing it appeared a bit spartan. With the new update, Password Manager was decommissioned and its functionality evolved into the newly released Identity Manager. Since the mid-90s I have always tried to remember all my passwords. As the Internet evolved, lots of new web services appeared, and with increased use it became practically impossible to track all the password phrases. Combining this with the mindset change that now all passwords need to contain at least 10 characters of garbled text made me start using password management applications. That was five years ago, and now I am very satisfied with 1Password, a top solution that works solely on Macs and iPhones. Identity Manager is practically the same type of application: it sits in the background and tries to sniff web pages for login forms. If the form is not in the database, it will ask if you would like to save it. If the form is found in the database, you will have an option to automatically fill the username and password for the specified page. This is a rather straightforward concept that works perfectly on IronKey. The new Identity Manager looks much better than the now obsolete Password Manager: it has a better GUI (www.insecuremag.com)
3. Cover: Windows 7 security, Web 2.0 emerging threats, IronKey review, malicious PDF, certification and more; RSA Conference 2009, Black Hat Europe 2009, Infosecurity Europe 2009.

Table of contents:
- Page 05: Corporate security news
- Page 08: Malicious PDF: get owned without opening
- Page 14: Review: IronKey Personal
- Page 21: Windows 7 security features: building on Vista
- Page 33: Web 2.0 emerging threats
- Page 37: Latest additions to our bookshelf
- Page 40: Using Wireshark to capture and analyze wireless traffic
- Page 47: Q&A: Paul Cooke on Windows 7
- Page 50: RSA Conference 2009
- Page 58: Your applications are trying to tell you something, are you listening?
- Page 61: Twitter security spotlight
- Page 63: Q&A: Hord Tipton on certification and (ISC)2
- Page 66: Unclonable RFID: a technical overview
- Page 71: The application security maturity (ASM) model
- Page 77: Secure development principles
- Page 88: Enterprise risk and compliance reporting
- Page 92: Events around
4. Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) is a protocol that promises integrity of data transmitted over its channel and prevents prying parties from spying on the communication between two entities. Information security professionals constantly advocate the implementation of HTTPS within the enterprise to secure sensitive data and critical transactions. Consumers are also sold on the benefits of HTTPS. This buy-in has cascaded to the market, and providers have been pressured into incorporating HTTPS into
5. ... about 10% of the average cost of a breach. That's a good figure to remember when the accounting hatchet seems poised to descend on data security budgeting. Risk-based prioritization replaces the all-too-common and costly triage security model, which is ineffective whether you're triaging based on compliance needs or on the security threat of the moment, with a thought-out, logical plan that takes into account long-range costs and benefits and enables enterprises to target their budgets at addressing the most critical issues first. It's a balanced approach that delivers enhanced security and reduced costs and labor with the least impact on business processes and the user community. Ulf T. Mattsson is the CTO of Protegrity. Ulf created the initial architecture of Protegrity's database security technology, for which the company owns several key patents. His extensive IT and security industry experience includes 20 years with IBM as a manager of software development and a consulting resource to IBM's Research and Development organization in the areas of IT architecture and IT security. Ulf holds a degree in electrical engineering from Polhem University, a degree in finance from the University of Stockholm and a master's degree in physics from Chalmers University of Technology.
6. ... I would rather like my data to be in one archive, as in this way accessing the backup folder on a PC would reveal the names and types of my private data. [Screenshot: IronKey backup to a local disk in progress. Current file: IronKey System Files\Mozilla Firefox\js3250.dll; processed files: 167; size: 24.558 MB; time: 00:00:10; status: backing up the file; estimated 408 of 62.514 MB, 39%, 00:00:25.] No one could do anything with it, but I am just looking at this from the information disclosure point of view. Secure online surfing and shopping. As previously noted, this feature of IronKey is the selling point. Let's identify a couple of common problems. When it comes to important data that we transmit online, we mostly use some kind of Secure Sockets Layer implementation. However, secure transmission is not always available. The second problem is logging in to different sites or even shopping from computers that aren't yours. Working from a conference, checking the latest emails from an Internet kiosk at an airport, paying bills from your parents' computer: am I the only one that always has potential keyloggers in mind? Maybe this will sound like a marketing pitch, but IronKey indeed tackles all of these situations through one fine concept: a customized Mozilla Firefox browser installed directly on the device an
7. If you are required to provide a logon within your application, you should also implement timeouts and the requirement for users to set strong passwords. To determine how long your timeouts should be, you need to establish the sensitivity of the data or resource you are trying to protect. The timeout for an online bank would more than likely be shorter than the timeout for an online game site, for example. The same question should apply when you are determining how strong your users' passwords should be: what are you trying to protect? In general, your application should enforce the use of complex passwords with a minimum length of 7 characters. Complex passwords normally mandate the use of 3 of the following 4 elements:
- Uppercase characters
- Lowercase characters
- Numbers
- Special characters (e.g. #, &)
Depending on the application's purpose, you should implement additional password controls such as a maximum age and prevention of password re-use. The passwords must be protected while being stored on application servers and while they are transmitted. There are several points during the lifetime of a password that I feel require special attention. The passwords must be stored in a secure location and in a form that cannot be reversed (a salted, deliberately slow hash rather than reversible encryption: the server only ever needs to check a candidate, never to recover the original); they must never be transmitted in the clear, i.e. without protection such as SSL, and never be fully visible in account management emails. At this point we
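The password rules above, as an added example in Python (not code from the article): a complexity check for the minimum length and the 3-of-4 character classes, reuse prevention against a history of previous passwords, and a maximum age. The history depth and age limit (5 passwords, 90 days) and the PBKDF2 work factor are assumptions, since the article leaves those numbers to the application; passwords are stored as salted PBKDF2-HMAC-SHA256 records, which is the practical reading of "stored and encrypted" for a password that the server only ever needs to check.

```python
# Added example (not the article's code): enforces the password rules described
# above and stores only salted, slow hashes, never the password itself.
import hashlib
import hmac
import os
import string
import time

MIN_LENGTH = 7                  # minimum length given in the article
REQUIRED_CLASSES = 3            # "3 of the following 4 elements"
MAX_AGE_SECONDS = 90 * 86400    # assumed maximum age; the article leaves the number to the application
HISTORY_DEPTH = 5               # assumed: how many previous passwords may not be reused
PBKDF2_ITERATIONS = 100_000     # assumed work factor; raise it for production


def character_classes(password: str) -> set:
    """Return which of the four classes (upper, lower, digit, special) appear."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def is_complex(password: str) -> bool:
    return len(password) >= MIN_LENGTH and len(character_classes(password)) >= REQUIRED_CLASSES


def hash_password(password: str) -> dict:
    """Salted PBKDF2-HMAC-SHA256; the stored record never contains the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "set_at": time.time()}


def matches(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])   # constant-time comparison


class Account:
    def __init__(self, password: str):
        self.current = None
        self.history = []           # previous records, most recent first
        result = self.set_password(password)
        if result != "ok":
            raise ValueError(result)

    def set_password(self, new_password: str) -> str:
        """Return "ok", or the reason the change was rejected."""
        if not is_complex(new_password):
            return "too weak"
        previous = ([self.current] if self.current else []) + self.history
        if any(matches(rec, new_password) for rec in previous):
            return "reused"
        if self.current:
            self.history = [self.current] + self.history[:HISTORY_DEPTH - 1]
        self.current = hash_password(new_password)
        return "ok"

    def login(self, password: str, now: float = None) -> str:
        """Return "ok", "wrong" or "expired"; `now` is injectable for testing the age rule."""
        if not matches(self.current, password):
            return "wrong"
        now = time.time() if now is None else now
        if now - self.current["set_at"] > MAX_AGE_SECONDS:
            return "expired"
        return "ok"
```

Each comparison against an old password costs one full PBKDF2 evaluation, which is why the history is capped rather than kept forever; the constant-time comparison keeps a wrong guess from leaking how many bytes of the digest matched.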
8. [Screenshot: Wireshark dissection of an 802.11 frame from a Cisco device, showing the Frame Control, Duration, Address, Sequence Control, Data and FCS fields.] As mentioned previously, the Frame Control section of the packet contains a lot of information, and you can see all of these options here. Looking further into this packet, you should be able to clearly find all of the sections of the packet. The great thing about analyzing wireless packets is that what you see is what you get, and the packet you just looked at is what the great majority of wireless packets will look like. The defining difference between one packet and another is the type and subtype of that packet. Management frames such as a Beacon will still contain all of the information listed above, but rather than the data portion of the packet they will contain the data specific to that frame type. You can view a complete listing of 802.11 frame types in the 802.11 standards document (bit.ly/f2lOp). A few frame types of interest include:
- Management (Type 00)
  - Subtype 0000: Association Request
  - Subtype 0001: Association Response
  - Subtype 1000: Beacon
  - Subtype 1010: Disassociation
  - Subtype 1011: Authentication
  - Subtype 1100: Deauthentication
- Control (Type 01)
  - Subtype 1011: Request to Send (RTS)
  - Subtype 1100: Clear to Send (CTS)
  - Subtype 1101: Acknowledgement (ACK)
- Data (Type 10)
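As an added example (not from the article), the decoder below pulls the fields discussed above out of raw 802.11 frames: Frame Control type, subtype and flags, duration, the addresses, sequence control and, for disassociation and deauthentication frames, the reason code. The five frames it is fed are constructed by hand with made-up addresses and SSID, not captured traffic, and their FCS is left as zeros rather than verified. Whether a capture includes the FCS at all depends on the driver, hence the has_fcs switch.

```python
# Added example (not from the article): decode the 802.11 MAC header fields
# discussed above. The frames below are constructed for illustration, not
# captured traffic; addresses and SSID are made up.
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Reserved"}
SUBTYPE_NAMES = {
    (0, 0b0000): "Association Request",
    (0, 0b0001): "Association Response",
    (0, 0b0100): "Probe Request",
    (0, 0b0101): "Probe Response",
    (0, 0b1000): "Beacon",
    (0, 0b1010): "Disassociation",
    (0, 0b1011): "Authentication",
    (0, 0b1100): "Deauthentication",
    (1, 0b1011): "Request to Send (RTS)",
    (1, 0b1100): "Clear to Send (CTS)",
    (1, 0b1101): "Acknowledgement (ACK)",
    (2, 0b0000): "Data",
    (2, 0b1000): "QoS Data",
}
# Flag bits of the second Frame Control byte, least significant bit first.
FLAG_NAMES = ["ToDS", "FromDS", "MoreFrag", "Retry", "PwrMgt", "MoreData", "Protected", "Order"]


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes, has_fcs: bool = True) -> dict:
    """Split an 802.11 frame into its header fields; `has_fcs` says whether the
    capture kept the trailing 4-byte checksum (driver dependent)."""
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0b11, (fc >> 4) & 0b1111
    info = {
        "version": fc & 0b11,
        "type": ftype,
        "subtype": subtype,
        "type_name": TYPE_NAMES[ftype],
        "subtype_name": SUBTYPE_NAMES.get((ftype, subtype), "other"),
        "flags": [name for bit, name in enumerate(FLAG_NAMES) if flags & (1 << bit)],
        "duration": struct.unpack_from("<H", frame, 2)[0],
    }
    end = len(frame) - 4 if has_fcs else len(frame)
    if ftype in (0, 2):
        # Management and data frames: three addresses plus Sequence Control.
        info["addr1"], info["addr2"], info["addr3"] = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
        seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
        info["fragment"], info["sequence"] = seq_ctrl & 0xF, seq_ctrl >> 4
        offset = 24
        if ftype == 2 and "ToDS" in info["flags"] and "FromDS" in info["flags"]:
            info["addr4"] = mac(frame[24:30])       # 4-address (WDS) data frame
            offset = 30
        if ftype == 2 and subtype & 0b1000:
            offset += 2                              # QoS Control field
        info["body"] = frame[offset:end]
        if ftype == 0 and subtype in (0b1010, 0b1100):
            # Disassociation and Deauthentication carry a 2-byte reason code:
            # the field a deauth-flood detector keys on.
            info["reason_code"] = struct.unpack_from("<H", info["body"], 0)[0]
    elif ftype == 1:
        # Control frames have no Sequence Control: RTS carries RA and TA,
        # CTS and ACK only RA.
        info["addr1"] = mac(frame[4:10])
        if subtype == 0b1011:
            info["addr2"] = mac(frame[10:16])
    return info


# Constructed sample frames (made-up addresses; FCS left as zeros, not verified).
AP, STA, BCAST = bytes.fromhex("00112233aabb"), bytes.fromhex("00aabbccdd01"), b"\xff" * 6
FCS = b"\x00" * 4
BEACON = (bytes([0x80, 0x00]) + b"\x00\x00" + BCAST + AP + AP + struct.pack("<H", 17 << 4)
          + b"\x00" * 8 + struct.pack("<HH", 100, 0x0431) + b"\x00\x04test" + FCS)
DEAUTH = (bytes([0xC0, 0x00]) + b"\x3a\x01" + STA + AP + AP + struct.pack("<H", 5 << 4)
          + struct.pack("<H", 7) + FCS)               # reason 7: class 3 frame from non-associated STA
RTS = bytes([0xB4, 0x00]) + b"\x3a\x01" + STA + AP + FCS
ACK = bytes([0xD4, 0x00]) + b"\x00\x00" + AP + FCS
DATA = (bytes([0x08, 0x42]) + b"\x2c\x00" + STA + AP + BCAST + struct.pack("<H", 9 << 4)
        + b"\x00" * 16 + FCS)                          # FromDS + Protected: the body is ciphertext

if __name__ == "__main__":
    for name, frame in [("beacon", BEACON), ("deauth", DEAUTH), ("rts", RTS), ("ack", ACK), ("data", DATA)]:
        p = parse_frame(frame)
        print(f"{name:7} {p['type_name']:10} {p['subtype_name']:25} flags={p['flags']}")
```

The same function applies to the bytes Wireshark shows for a frame captured in monitor mode. The parser branches on the type before reading the addresses because a control frame's addresses sit in different positions from those of a management or data frame, and a deauthentication frame's reason code sits where a data frame's payload would begin.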
9. ... development time. Testing/QA took about 2 weeks. We work hard on the development of the new products and on bringing the easiest to use, most capable products to market that we can. Right now we are about to release HoneyPoint Security Server Console 3.00 and then a whole new architecture for the HoneyPoints/HornetPoints themselves. That's a lot for us and keeps our engineers and technical team hopping, or buzzing as the case may be. What is the major news in this release? In the new Personal Edition we changed the interface to make it easier to use, added in the defensive fuzzing techniques of HornetPoints (patent pending) and brought the flexibility of plugins to the product. That means that in addition to detecting scans, probes and attacks, you can also allow HornetPoints to try and defend themselves by attempting to crash the offending malware or tool that is doing the probing, and you can use the plugins to automate a variety of responses, from custom alerting and SIEM integration to updating other security controls or modifying the security posture of your system that is under attack. Pretty cool stuff that our Security Server product had that we wanted to bring to the independent host product. There's a lot more to come as well. We are working on plans for more updates and capabilities for Personal Edition even as I write this. MicroSolved has sponsore
10. ...
- Does the organization utilize source code scanning tools? If so, are there security source code scanning tools in place?
- How and where are the source code tools used (e.g. on developers' desktops, at check-in or build time, in continuous integration, at a single clearinghouse/gatekeeper station prior to deployment)?
- Who uses the source code scanning tools (e.g. security architects, developers, testers/QA, information security officer/analyst, etc.)?
People & Processes (P&P). Investments in this area include the hiring of security staff, ongoing training programs and improvements to the SDLC specifically for enhancing code or application security. While the typical reaction to real, perceived or potential security threats is a tool-buying spree, over time companies learn to invest in improving security deeper in the organization by making investments in P&P, which almost always pay higher dividends than an investment in tools. Specific examples of investment in this area include:
- Secure SDLC activities for development teams at each phase (e.g. design, code, test, et al.)
- Training, both technical and awareness
- Internal Red Teams playing the role of attacker
- Third-party security reviews at code and as-built layers
- Application security auditing
- Integration of application security with risk management practices
Just as we did with T&T, each P&P are
11. ... examining. The tricky thing about the wireless data link layer is that these frames aren't collected just by loading up Wireshark (our packet sniffer of choice for this article) and doing a standard capture. I know what you're thinking: "I've captured packets from my wireless NIC before and it shows layer two information just like any other packet." Well, you are correct in saying that Wireshark displays layer two frame information for packets captured from your wireless NIC. However, it only displays the components that it would display for an Ethernet network: your source and destination MAC addresses. There is a whole heap of information you are not seeing, and in order to get that information you have to make use of a feature called monitor mode. Monitor mode is one of many modes that a wireless NIC can be set to. In monitor mode a wireless NIC does not transmit any data and only captures data on the channel it is configured to listen on. When set to monitor mode, Wireshark will capture and display the entire contents of an 802.11 wireless layer two frame. How you utilize monitor mode is dependent upon the drivers available for your wireless NIC and your operating system of choice. Using monitor mode in Linux. In Linux a great majority of wireless drivers support monitor mode functionality, so changing your wireless NIC into monitor mode is a fairly simple process. Most of the wireless NIC drivers in Linux su
12. ... example. For a given challenge, the same IC nearly always has a consistent response. For a given challenge, different ICs have different responses. We note that the output of the MUX PUF is typically processed through logical operations in order to enhance the variation across RFIDs and to make it hard to create a software model of the PUF. Unclonable RFIDs: design and implementation. While traditional RFID technology has limitations in its use as a true anti-counterfeiting measure, it still is an almost ideal technology to talk to things. A critical element that has been missing is a scalable, cost-effective way to make it trusted and secure. An RFID tag that has a secret that cannot be copied would allow you to immediately distinguish a counterfeit tag from the genuine one. A PUF-based RFID chip has its own unique secrets derived from the silicon itself, and these secrets are:
- essentially impossible to predict or control in advance of manufacture;
- essentially impossible to duplicate or clone from one chip to the next.
The figure below illustrates the PUF-based authentication process. Here we exploit the observation that the PUF can have an exponential number of challenge-response pairs, where the response is unique for each IC and each challenge. A trusted party, such as a product vendor, when in possession of an authentic RFID with an authentic product, applie
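The challenge/response process described above, as an added example (a software model, not the article's or any vendor's code): a MUX/arbiter PUF modelled as a race whose outcome is the sign of a challenge-weighted sum of per-stage delay differences, a trusted party that enrols challenge/response pairs from the genuine chip, and a check that spends each stored pair once so that a recorded exchange cannot be replayed. The 64-stage size, the Gaussian delay model and the seeds are assumptions made for reproducibility. One caveat the model makes visible: the bare additive model is linear in the challenge's parity features and can be learned from enough observed pairs, which is exactly why the article notes that the raw MUX output is post-processed before use.

```python
# Added example (not the article's or any vendor's code): a software model of
# a MUX/arbiter PUF and the enrol-then-challenge authentication sketched above.
import random

N_STAGES = 64   # assumed challenge length


class ArbiterPUF:
    """One IC. Each stage's delay difference is drawn once per chip, standing in
    for the manufacturing variation nobody can predict or reproduce. The seed
    exists only to make this simulation reproducible; silicon has no seed."""

    def __init__(self, seed: int):
        rng = random.Random(seed)
        self.delays = [rng.gauss(0.0, 1.0) for _ in range(N_STAGES + 1)]

    def response(self, challenge: int) -> int:
        """Additive delay model: challenge bit c_i swaps the two racing paths at
        stage i, so stage i's delay reaches the arbiter with a sign equal to the
        parity of c_i..c_{n-1}. The response is which path wins the race."""
        bits = [(challenge >> i) & 1 for i in range(N_STAGES)]
        total, sign = 0.0, 1
        for i in range(N_STAGES - 1, -1, -1):       # walk stages from last to first
            if bits[i]:
                sign = -sign
            total += sign * self.delays[i]
        total += self.delays[N_STAGES]               # arbiter bias term (weight +1)
        return 1 if total > 0 else 0


def enrol(chip: ArbiterPUF, n_pairs: int, rng: random.Random) -> list:
    """Trusted party (e.g. the vendor) records challenge/response pairs from the
    genuine chip while it is known to be authentic."""
    return [(c, chip.response(c)) for c in (rng.getrandbits(N_STAGES) for _ in range(n_pairs))]


def authenticate(tag: ArbiterPUF, crps: list, n_challenges: int = 32, max_errors: int = 0) -> bool:
    """Spend `n_challenges` stored pairs on this tag and discard them afterwards,
    so an eavesdropper who records the exchange cannot replay it. `max_errors`
    tolerates the occasional unstable response the text alludes to."""
    if len(crps) < n_challenges:
        raise ValueError("out of enrolled challenges; re-enrol the genuine tag")
    errors = 0
    for _ in range(n_challenges):
        challenge, expected = crps.pop()
        if tag.response(challenge) != expected:
            errors += 1
    return errors <= max_errors


def distinctness(a: ArbiterPUF, b: ArbiterPUF, rng: random.Random, n: int = 256) -> float:
    """Fraction of random challenges on which two chips disagree (ideal: about 0.5)."""
    return sum(a.response(c) != b.response(c) for c in (rng.getrandbits(N_STAGES) for _ in range(n))) / n


if __name__ == "__main__":
    genuine, counterfeit = ArbiterPUF(seed=1), ArbiterPUF(seed=2)
    vendor_db = enrol(genuine, 64, random.Random(100))
    print("genuine accepted:", authenticate(genuine, vendor_db))
    print("counterfeit accepted:", authenticate(counterfeit, vendor_db))
    print("pairs left in the vendor database:", len(vendor_db))
```

The database of pairs is consumed as tags are checked, so its size bounds how many authentications the vendor can perform before the genuine tag must be re-enrolled; a counterfeit that has only observed past exchanges is asked challenges it has never seen.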
13. ... teams at each phase (e.g. design, code, test, et al.)
8. Training, both technical and awareness
9. Internal Red Teams playing the role of attacker
10. Third-party security reviews at code and as-built layers
11. Application security auditing
12. Integration of application security with risk management practices
For each area, ask both the IS and the HOW questions. For example: is your organization using test automation tools, and if so, how are they being used? Then dive one layer deeper and ask how it applies directly to your organization's security and data protection objectives. Even this simple exercise will likely uncover some stagnant investments and a need for awareness improvement. Conclusion. Understanding your Application Security Maturity level is critical to understanding your overall IT security posture and accurately assessing your data protection initiatives. Many people don't realize that applications and servers are responsible for over 90% of all security vulnerabilities, yet more than 80% of IT security spend continues to be at the network or perimeter layer. There is no shortage of data points and industry studies that document this dangerous phenomenon; however, there are very few resources that give you practical advice on what to do about it. The ASM Model can be your first steps down that road. Ed Adams is the President and CEO of Security Innovation (www
14. ... the conference. There was a potential fifth vulnerability, but it was not disclosed or presented because the vendor did not release the patch on time. Black Hat organizers are fans of responsible disclosure of vulnerabilities, where it is advised to wait for the vendor to release the patch before talking about the vulnerability details in public. On the first day of the Black Hat briefings, Jeff Moss, director of Black Hat, made a short introduction for the event. After Jeff finished his welcome speech, the invited keynote speaker was ready to present. The speaker this year was Lord Erroll, and his keynote had an interesting title and posed an interesting question: "Privacy protecting People or People protecting Privacy?" Lord Erroll is a cross-bench member of the UK's House of Lords and takes pride in voting against stupid government ideas, whoever is in power. As he is a technical person, he is often in such situations. After the keynote speech, Mariano Nunez Di Croce demonstrated security vulnerabilities in SAP systems. Mariano also presented his tool that helps with security testing of SAP infrastructure. Even though many of the presented problems can be mitigated with the implementation of correct configuration parameters or by upgrading the SAP systems, it is a very common occurrence that SAP systems are not configured properly or are not updated. Moxie Marlinspike repri
15. ... their products and services. The employment of HTTPS is now universal and has created an illusion that HTTPS is trustworthy, resulting in a blind eye turned to what traffic traverses this "secure" protocol. Hackers have started exploiting this misconception by incorporating HTTPS into their insidious activities to take advantage of this complacency. This is evidenced by the non-existent monitoring of outbound HTTPS connections in most cases, due to the misplaced trust in this protocol. Perimeter access controls focus on restricting inbound connections originating from the Internet. Access control mechanisms such as firewalls, VPNs, DMZs and two-factor authentication are relied on to limit access into the internal network. These factors highlight the threat posed by the HTTPS protocol. It is shocking to interact with administrators who are still oblivious to the abuse of this protocol and the threat it poses to their environments. Users are often victims due to ignorance and the lack of protection. Threats. Administrators favor traditional client-server remote administration tools (e.g. SSH, pcAnywhere, VNC) as they provide convenient access to machines. Remote administration clients are thus obvious targets for attackers. [Sidebar:] LogMeIn is a radical tool that perforates existing edge defenses and permits remote access from anywhere over the Internet. How does LogMeIn
16. ... is high-risk data and requires the most rigorous protection; other data protection levels should be determined according to the data's value to your organization and the anticipated cost of its exposure: would business processes be impacted? Would it be difficult to manage media coverage and public response to the breach? Then assign a numeric value to each class of data (high risk = 5, low risk = 1). Classifying data precisely according to risk levels enables you to develop a sensible plan to invest budget and effort where they matter most. Step 2: Map the data flow. Data flows through a company into and out of numerous applications and systems. A complete understanding of this data flow enables an enterprise to implement a cohesive data security strategy that will provide comprehensive protection and easier management, resulting in reduced costs. Begin by locating all the places relevant data resides, including applications, databases, files, data transfers across internal and external networks, etc., and determine where the highest-risk data resides and who has or can gain access to it (see the attack vectors section below). Organizations with robust data classification typically use an automated tool to assist in the discovery of the subject data. Available tools will examine file metadata and content, index the selected files and re-examine them on a periodic basis for changes. The indexing process provide
17. ... to be plotted, we had to be able to determine an organization's investment for both T&T and P&P based on our scale. From this information we were able to: Plot organizations over time (multiple data points). By working with an organization for an extended period of time, we were able to plot its evolution in terms of the two primary axes of the ASM model. This organization-normalized curve mirrored the generalized all-organizations curve mentioned below. Plot individual companies (single data points). We could plot each company we worked with according to the two major axes of the model. While a single point does not enable us to create a company-specific progression, it does help us validate an overall curve. Determine the ASM curve (all data points). Using the information we had from companies, both over time and at a point in time, a predictable ASM curve developed. This curve reliably predicts where organizations are along the curve and their likely future course of action. While the ASM model and the typical maturity curve provide great insight for organizations to understand and alter their security investments, there are some caveats of the model that should be taken into consideration:
- The model is based upon organizations that have asked us for help, so by definition (going to a third-party source for help) they are already more aware and mature than an organizatio
18. ... always executing as the top layer on the page, it cannot be overlaid by a rogue application. This method is not foolproof, however, as users may use plug-ins or change their browser settings to disallow JavaScript, thus defeating this countermeasure. As a user of a Mozilla-based browser, protection against clickjacking can be installed via a user-installed plug-in. The recently released Internet Explorer 8 browser has a form of clickjacking protection native to the application (the X-Frame-Options response header, with which a site tells the browser not to render the page inside another site's frame). No previous versions of Internet Explorer offer any protection against this threat. Browser developers can get into the game as well: similar to how browsers give users the option to globally enable "prompt for user input" or globally disable third-party cookies, the same options could be given for how to handle cross-domain inline frames, a popular method for exploiting clickjacking vulnerabilities on web sites. Conclusion. Online threats continue to evolve every day, and the social engineering tactics that cyber criminals are using to lure users into infecting their personal computers with malware or giving up their sensitive information are getting more and more difficult to identify to the untrained eye. Today's hackers are not motivated by fame or notoriety amongst their peers; rather, they are motivated by money. They are also not always the most technical people you will encounter. A full-service underground economy exists whereby credit card num
19. ... we created a standard reporting format, called a .nessus report, that makes it very easy for anyone who wants to work with Nessus data. The performance of Nessus 4 surprised many people. We didn't get many complaints about the speed of earlier versions of Nessus, but a lot of times people forget that Nessus performs testing that is much more comprehensive than most other scanners. Similarly, for customers that use credentials for patch audits, when we added the ability to do client-side netstat port enumeration this dramatically changed the way a lot of experienced Nessus users performed their audits. Estimating the number of users is very difficult, since a single large network scanned by a single Nessus scanner could in fact audit the security of 10,000 users. Similarly, many home users download Nessus and subscribe to our HomeFeed and only scan a few systems. We typically measure downloads of Nessus in the millions per year.

What are the features Nessus clients request the most? What can we expect in upcoming versions?

There are many different types of Nessus users. Very often new users don't know that Nessus can perform patch and configuration audits, and they are pleasantly surprised to add this to their list of tools to perform auditing.

As time goes by, software and threats change, and so does the process of looking for security issues. In your opinion, what should be done in order to improve vulner
20. ... Advanced Search, or put in typical search operators such as OR, AND, etc. Just like when searching LinkedIn and Facebook, remember to try different spellings of your company name and different ways people may know your company. One thing you might find interesting is all the customer complaints, if you are in a service type of business. This alone can be an eye-opener for some. Another service that is more of a private version of Twitter is called Yammer. This service only allows networks to be created among people with the same email domain. For example, if your email address is tom@company.com, only other company.com email addresses can view posts from others in your social network. These posts can't be viewed by others outside of the private network. To find company information on Yammer, you need to sign up with a company email address to view what's being posted about your company. Internet posting policies. Now that you have searched the three most popular social media and networking sites for your company information, did you find anything of value? Did you see employees posting things that they probably shouldn't? Are you sounding the alarm about the potential of information getting out that might damage corporate reputation? The good news is that there is a policy more companies are starting to adopt. These are called Internet Posting Policies. What is an Internet posting
21. ... compliance. Mykonos is an enterprise development framework and security service for building secure and scalable web applications. Mykonos provides a Visual Builder for the rapid creation of applications that have security, scalability, multi-lingual support and white-labeling built in, combined with a security service that delivers updates to keep applications protected. Zecurion launched its email security solution Zgate, which ensures that confidential information is not compromised through email by working as a checkpoint filtering outgoing email messages. The software also facilitates the investigation of data breach incidents by placing emails in quarantine for manual processing or archiving them for future review. RSA BSAFE encryption toolkits now free. RSA launched the RSA Share Project, a new initiative designed to bring security tools within reach of corporate and independent software developers and project leaders. The RSA BSAFE Share software is available for free download, offered as SDKs supporting C, C++ and Java. These products are fully interoperable with the applications embedded with RSA BSAFE encryption (www.rsa.com). New version of proactive network security management platform: Ston
22. Implement appropriate reporting. W. Edwards Deming said, "What cannot be measured cannot be managed." Business management is likely to be of the same opinion. Establish a single risk and compliance application for the entire company. The application should accept data from a variety of sources. Questionnaire functionality is needed to facilitate security self-assessments and annual security awareness training and testing. The application should accept data feeds from a variety of sources, such as log and security monitoring software. Security team members will need the ability to manually enter findings from on-site assessment reports. The application should also produce security reports to support internal and external audits such as Sarbanes-Oxley and PCI. Reporting is a data-centric pursuit; therefore it makes sense to copy reporting data to a central repository. From a single location it is possible to analyze data and provide reporting. It will be necessary to have a phased implementation. If a large organization is in scope, start with a line of business and scale to the enterprise over time. Duplicate existing reports in the initial phase and add new reports later. Use role-based access control to restrict reporting to those with a need to know. Monitor manually entered report data to ensure it is kept current. Establish a risk and compliance dashboard. Establish enterprise reporting
23. It is any type of post or comment on any type of social network. This should include all of the social networking sites (LinkedIn, Facebook, Twitter, etc.), blogs, forums and other multimedia such as YouTube, Vimeo and more. Contained in an Internet Posting Policy are guidelines for employees on how they should post things about or relating to your company. Because social media is so prevalent and more people are using it inside and outside your company, boundaries must be defined as to what is acceptable and what is not in regard to Internet postings. Keep in mind you are not censoring free speech or telling employees they can't talk about the company; these are just rules and guidelines employees need to follow. While every company has different requirements and levels of risk, a good starting point is the template that Cisco has provided. Cisco has shared their Internet Posting Policy for other companies to use (bit.ly/WwOwVC). I highly recommend using the Cisco template to model a policy for your specific business and requirements. Monitor your brand and company information on social networks. Lastly, what good is finding all this information about your company on social media and networks without a proactive monitoring program? There are two things your company should define. First, how often should you look for information on social networks? Is this weekly, monthly, quarterly? Second, what tools or
24. Microsoft. In this interview he discusses Windows 7 security.

With such an immense user base there must be a myriad of details you need to work on. What's the most significant security challenge Microsoft tackled while developing Windows 7?

No matter how good the technical protections are, it is important to help the user to make the best decisions that will help keep them safe from malicious users and software. Changes in UAC are an example of this sort of work: to reduce the number of prompts all users will see, while helping move the ecosystem to an environment where everyone can run as a Standard (non-privileged) user by default. Other great examples include the new SmartScreen Filter and Clickjacking prevention technologies that are included with Windows 7 through Internet Explorer 8.

Is the rising skill level of malicious users, combined with an increasing variety of attacks, becoming a significant problem when developing something as demanding as a new version of Windows?

Clearly the sophistication and motives of malicious users have changed dramatically over the past few years. We continue to work with security researchers and others to understand not only today's threat landscape but tomorrow's as well. This helps us build protections into the system that help secure your PC from acquiring and running code without the user's consent. In addition, we continue to make sure Windows i
25. ...

<< /Type /Catalog /Outlines 2 0 R /Metadata 5 0 R >>
endobj

When I hover with the mouse cursor over the document (I don't click), a tooltip will appear with the file properties and metadata. But with my specially crafted PDF document, the vulnerability is triggered because the metadata is read to display the tooltip.

[Screenshot: Windows Explorer showing the folder C:\Demo\JBIG2Decode PoC\Metadata and the tooltip for the file "Metadata hover demo": Type: Adobe Acrobat Document, Date Modified: 3/03/2009 21:47, Size: 1.21 KB]

No user interaction required. There are also circumstances that require no user interaction at all to trigger the JBIG2Decode bug. The bug occurs in a process running with Local System rights. On a Windows XP SP2 machine with Windows Indexing Service started and Adobe loa

When Adobe Reader 9.0 is installed, it also installs an IFilter (AcroRdIF.dll). This COM object extends the Windows Indexing Service with the capability to read and index PDF documents. When the Windows Indexing Service encounters a PDF file, it will index it. The content indexing daemon (cidaemon.exe) calls the Acrobat Filter (AcroRdIF.dll), which
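As an added example (not part of the original article or its author's tools), here is a small Python scanner in the spirit of the detection approach that matters for this bug: it walks the names in a PDF looking for the /JBIG2Decode filter and the /Metadata reference, and it normalises hex-escaped names, since PDF syntax allows /JBIG2Decode to be written as /JBIG2D#65code and malicious files use that to hide from naive string searches. The sample PDF bytes are constructed for the demonstration and contain no exploit, only the object structure.

```python
import re

# PDF names: a slash followed by regular characters. "#xx" inside a name is a
# hex escape, which malware uses to hide /JBIG2Decode from simple greps.
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names worth counting for this vulnerability: the filter that reaches the
# JBIG2 decoder, the catalog entry that makes Explorer and indexers parse the
# file, and object streams (another common place to bury objects).
INTERESTING = (b"JBIG2Decode", b"Metadata", b"ObjStm")


def normalise_name(raw: bytes) -> bytes:
    """Resolve #xx hex escapes so obfuscated names compare equal to plain ones."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Count interesting names in the raw file, and how many were hex-obfuscated."""
    counts = {name.decode(): 0 for name in INTERESTING}
    obfuscated = 0
    for m in NAME_RE.finditer(data):
        raw = m.group(1)
        name = normalise_name(raw)
        if name in INTERESTING:
            counts[name.decode()] += 1
            if raw != name:
                obfuscated += 1
    counts["obfuscated_names"] = obfuscated
    return counts


def is_suspicious(counts: dict) -> bool:
    """JBIG2 streams are rare in ordinary PDFs; any obfuscated name is a red flag."""
    return counts["JBIG2Decode"] > 0 or counts["obfuscated_names"] > 0


# Constructed sample (assumption: minimal structure, not a real exploit file):
# a catalog with /Metadata plus an image object whose filter name is hex-escaped.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Outlines 2 0 R /Metadata 5 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Outlines /Count 0 >>\nendobj\n"
    b"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"6 0 obj\n<< /Type /XObject /Subtype /Image /Filter /JBIG2D#65code /Length 0 >>\n"
    b"stream\n\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    print(result, "suspicious" if is_suspicious(result) else "clean")
```

Run against a directory of mail attachments, this is enough to triage which files deserve a look in a sandbox; a clean scan is not proof of safety, since the scanner does not decompress streams or follow object references.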
26. ...accepted that validating inputs against whitelists will be the most secure option. A whitelist will allow you to define what data should be accepted by your application for a given input point; in short, you define a set of known-good inputs. The blacklist approach will attempt to do the opposite by defining a set of known-bad inputs, which requires the developer to understand a wide range of potentially malicious inputs.

A simple regular expression used for whitelisting a credit card number input is shown below:

\d{12,16}

This will ensure that any data received in this input point is a number (\d = 0-9) with a minimum length of 12 and a maximum of 16 ({12,16}). Note that the expression must be applied as a full match (anchored with ^ and $, or through a full-match call such as Java's String.matches()); used with a search-style call it would also accept an input like 4111111111111111'--, because the digits match somewhere inside the string. Although this is a simple example, it clearly demonstrates the power of whitelist validation techniques, because this input point will now prevent many common attacks.

The blacklisting approach will try to identify potentially malicious inputs and then replace or remove them. The example shown below will search the data received through an input point and replace any single quotes with a double quote:

s.replaceAll(Pattern.quote("'"), Matcher.quoteReplacement("\""))

The blacklisting approach is often avoided where possible because it only protects against threats the developer could think of at the time of its creation. This means the blacklist might miss new attack vectors and have higher maintenance costs when compared to a whitelist.

Input
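The same two approaches in Python, as an added example that is not from the article (the article's own snippets are Java): a whitelist validator for the credit card input point and the single-quote blacklist, run against a handful of constructed inputs to show what each catches and what the blacklist leaves behind. It also covers a Python-specific trap: \d matches non-ASCII digits such as Arabic-Indic numerals unless the pattern is compiled with re.ASCII, and fullmatch() is used so the pattern is implicitly anchored.

```python
import re

# Whitelist: exactly 12 to 16 ASCII digits and nothing else. re.ASCII stops \d
# from accepting Unicode digits; fullmatch() anchors the pattern so an input
# such as "4111111111111111'--" cannot slip through on a partial match.
CARD_NUMBER_RE = re.compile(r"\d{12,16}", re.ASCII)


def whitelist_card_number(value: str) -> bool:
    """Accept only inputs made entirely of known-good characters."""
    return CARD_NUMBER_RE.fullmatch(value) is not None


def blacklist_quotes(value: str) -> str:
    """The blacklist from the article: replace each single quote with a double quote."""
    return value.replace("'", '"')


# Tokens an injection payload still needs after the quote swap. If any survive,
# the blacklist has not neutralised the input.
LEFTOVER_RE = re.compile(r"--|;|\\|/\*", re.ASCII)


def blacklist_leaves_attack_tokens(value: str) -> bool:
    return LEFTOVER_RE.search(blacklist_quotes(value)) is not None


# Constructed test inputs (not from the article); value = expected whitelist verdict.
SAMPLES = {
    "4111111111111111": True,         # 16 digits: accepted
    "411111111111": True,             # 12 digits: accepted
    "41111111111": False,             # 11 digits: rejected
    "4111 1111 1111 1111": False,     # spaces are not in the whitelist
    "4111111111111111'--": False,     # injection attempt: rejected outright
    "\u0661\u0662\u0663\u0664" * 3: False,  # 12 Arabic-Indic digits: rejected by re.ASCII
}


def run_samples() -> dict:
    """For each sample: (whitelist accepts?, blacklist leaves attack tokens?)."""
    return {s: (whitelist_card_number(s), blacklist_leaves_attack_tokens(s)) for s in SAMPLES}


if __name__ == "__main__":
    for s, (ok, leftover) in run_samples().items():
        print(f"{s!r}: whitelist={'accept' if ok else 'reject'}, blacklist leaves tokens={leftover}")
```

The point of the leftover check is not that it should be deployed as a filter; it only makes visible that "' OR 1=1--" comes out of the blacklist as a string that still carries the comment marker, while the whitelist never has to know what SQL looks like.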
27. ...an approach is a desktop that is much harder to manage and an increase in the organization's support costs.

Looking for a solution. User Account Control (UAC) was therefore introduced with Windows Vista and provides increased security because the tool is intended to prevent unauthorized changes being made by the end user to a system's files. UAC is based upon the concept of so-called least privilege, which effectively means an account is set up which contains only the minimum number of privileges that are required to enable a particular user to perform necessary and appropriate tasks. The standard user within Windows 7 is also this least-privileged individual.

Yet this mechanism became one of the main areas of complaint by Vista users. UAC is a blunt instrument that is frequently invoked, meaning that more clicks are needed to execute a program when it involves system-level changes. Moreover, many software programs did not properly support UAC when it was first introduced, and applications created many issues that culminated in a terrible user experience. The consequence was that, because there was so little control, many people just disabled the tool, with the result being decreased security and different types of problems. What is more, if the tool is not disabled, the lack of control referred to, combined with UAC notifications in the form of pop-ups which confuse and
28. ...and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering.

The Google Way: How One Company is Revolutionizing Management As We Know It. By Bernard Girard. No Starch Press, ISBN 1593271840. Management consultant Bernard Girard has been analyzing Google since its founding, and now in this book he explores Google's innovations in depth, many of which are far removed from the best practices taught at the top business schools. You'll see how much of Google's success is due to its focus on users and automation. You'll also learn how eCommerce has profoundly changed the relationship between businesses and their customers, for the first time giving customers an important role to play in a major corporation's growth.

iPhone Forensics: Recovering Evidence, Personal Data and Corporate Assets. By Jonathan Zdziarski. O'Reilly Media, ISBN 0596153589. With iPhone use increasing in business networks, IT and security professionals face a serious challenge: these devices store an enormous amount of information. If your staff conducts business with an iPhone, you need to know how to recover, analyze and securely destroy sensitive data. iPhone Forensics supplies the knowledge necessary to conduct complete and highly specialized forensic analysis of the iPhone, iPhone 3G and iPod Touch.

Web Security Testing Cookbook. By
29. ...are starting to construct a secure authentication system. But this hard work can be undone by the incorrect use of automated systems designed to help you and your users. Almost every web application will have some form of password reminder system, and a high percentage of them have security weaknesses. These systems are designed to provide self-service capabilities to the end users, but they can also assist attackers in hijacking users' accounts. The point at which these systems traditionally fail is the secret questions used for password reminders. The answers to these questions can be easily guessed with a small amount of social engineering or by brute-forcing the values. If your system uses a question such as "What is your favorite capital city?", the attacker knows this has a finite set of answers and can attempt to brute-force the correct answer. If the secret question system fails to prevent a brute-force attack, the user's password can be easily obtained. To prevent these kinds of attacks you could allow the user to define their own secret question, or require the users to answer multiple questions before revealing the password. Two further checks a reviewer will look for: the number of recovery attempts per account must be limited and logged, since a finite answer set is only a problem when the attacker gets unlimited tries, and the flow should issue a reset rather than hand back the stored password, which should not be held in a recoverable form in the first place.

The administrative functions should only be available to users in the admin group, and the standard users must not have the capability to elevate their privileges. In addition to weaknesses of the secret questions, many systems fail when they attempt to create information verif
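As an added example (not code from the article), a small Python model of a recovery step that closes the brute-force gap described above: answers are stored as salted hashes, all enrolled questions must be answered in one attempt, failed attempts per account are counted and the recovery path locks after a few of them, and a successful check yields a single-use reset token rather than the password. The questions, limits, PBKDF2 cost and sample user are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 5         # assumed policy: recovery attempts before the account's recovery path locks
PBKDF2_ROUNDS = 100_000  # assumed cost; tune to the deployment's hardware


def _normalise(answer: str) -> str:
    """Case and stray whitespace are not secrets; strip them so 'Paris' matches ' paris '."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode(), salt, PBKDF2_ROUNDS)


class RecoveryStore:
    """In-memory stand-in for the account database (constructed for the example)."""

    def __init__(self):
        self.accounts = {}  # username -> {"salt", "answers": {question: hash}, "failures"}
        self.tokens = {}    # username -> outstanding single-use reset token

    def enrol(self, username: str, answers: dict):
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt,
            "answers": {q: hash_answer(a, salt) for q, a in answers.items()},
            "failures": 0,
        }

    def verify(self, username: str, given: dict):
        """Return a reset token when every answer is right, else None; never say which one failed."""
        acct = self.accounts.get(username)
        if acct is None or acct["failures"] >= MAX_ATTEMPTS:
            return None  # unknown user and locked account look identical to the caller
        expected = acct["answers"]
        all_ok = len(given) == len(expected)
        # Check every question even after a mismatch so timing does not reveal which failed.
        for q, h in expected.items():
            candidate = hash_answer(given.get(q, ""), acct["salt"])
            all_ok &= hmac.compare_digest(candidate, h)
        if not all_ok:
            acct["failures"] += 1
            return None
        acct["failures"] = 0
        token = secrets.token_urlsafe(32)
        self.tokens[username] = token  # the reset page consumes this, not the password
        return token

    def is_locked(self, username: str) -> bool:
        return self.accounts[username]["failures"] >= MAX_ATTEMPTS


def demo() -> dict:
    """A correct attempt, then an attacker cycling capital cities against one question."""
    store = RecoveryStore()
    store.enrol("alice", {"favourite capital city": "Paris", "first school": "Elm Street Primary"})
    good = store.verify("alice", {"favourite capital city": " paris ", "first school": "elm street primary"})
    for guess in ["London", "Berlin", "Madrid", "Rome", "Oslo", "Paris"]:
        store.verify("alice", {"favourite capital city": guess, "first school": "elm street primary"})
    return {"good_token": good, "locked": store.is_locked("alice"), "token_count": len(store.tokens)}


if __name__ == "__main__":
    print(demo())
```

In the demo the sixth guess is the right one, but by then the account's recovery path is locked, so the attacker learns nothing; the legitimate user's earlier token is the only one ever issued. The lock should be cleared by a separate, logged channel (an e-mailed link or a help desk), not by the same form.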
30. ...audience is you, sometimes it's your friend, or sometimes it's your crazy uncle who moved to Timbuktu. Add social web applications like Facebook, LinkedIn and Twitter to this media and you have social media. Social networking is where you use these applications to network with others that have similar interests. This can involve responding to and sharing social media with others in your social network.

Here is a very simple example. Suppose I find a great news article on a web site and decide to send the link to my Facebook page. My friends that are part of my social network on Facebook would see that I posted a link to something I was interested in, thus they might be interested in this same article or subject matter. My friends could comment and respond to my posting, adding to the conversation within my social network. In turn, they could send this link to others in their social network, adding to the overall conversation.

Why use social media for business? As a business, you are probably looking for new ways to market and promote your business and ways to provide better service to your customers and clients. Social media is a great option. Now that social media is so popular, you can get your message out about products and services to millions of people. In return, some of those people could respond by giving you business or providing instant feedback on your products or services. Have you thought ab
31. ...be the next version of Microsoft's Windows platform. In 2007 the company revealed that it was planning to develop this software over a three-year period, which would follow on from the release of Vista. The latest announcement is that the new OS will be made available in the last quarter of 2009, while the RC is out right now. Unlike Vista, Windows 7 is intended to be an incremental upgrade. With updated features, a new task bar, improved performance and a revamped shell, it will certainly be ready to take the place of its predecessor. Nevertheless, there will be no major changes on the security side; Microsoft will instead be concentrating on scalability and stability. As well as the touch look and feel of Windows 7, there will also be security improvements, so let's have a look at these particular features and see what they will mean for your business.

Overall, Windows 7 has been built upon the security foundations of Windows Vista, although improvements have been made in a number of areas such as the auditing of group policies, the User Account Control (UAC) experience and BitLocker. As well as these changes, there are also some new features such as AppLocker, which enables you to control which software can run in the environment, and BitLocker To Go, which makes it possible to secure removable storage devices.

Secure Windows 7: Secure Start-up. Like Vista, there is Secure
32. ...compensating controls may not be cost-effective in the long run. This approach is only suitable for temporary protection of low-risk data.

Software-based encryption. Many businesses also find themselves grappling with the decision between hardware-based and software-based encryption. Vendors selling database encryption appliances have been vociferously hawking their wares as a faster and more powerful alternative to software database encryption. Many organizations have bought into this hype based on their experiences with hardware-based network encryption technology. The right question would be about the topology or data flow. The topology is crucial: it will dictate performance, scalability, availability and other very important factors. The topic is important, but the question is usually not well understood. Usually hardware-based encryption is remote and software-based encryption is local, but it doesn't have anything to do with the form factor itself. Instead, it is about where the encryption is happening relative to your servers processing the database information.

Software to encrypt data at the table or column level within relational database management systems is far more scalable and performs better on most of the platforms in an enterprise when executing locally on the database server box. Software-based encryption combined with an optional low-cost HSM for key management oper
33. [Advertisement: www.osvdb.org]

Emerging threats

There is one universal truth when it comes to Internet security: cybercriminals will leverage the vulnerabilities that exist within any technology in an effort to distribute spam and malware and to steal personal information. Less universal, however, are the definitions behind many of today's most important and widely used technology terms. As Internet technologies rapidly evolve, it can lead to the coining of new, sometimes difficult to understand terms and acronyms on what seems like a daily basis.

In an effort to stay (or at least to appear as if they are staying) on the cutting edge, businesses are constantly looking for ways to describe their products and services in such a way that they fit the definition of this new vernacular. The end result of this jockeying for position leads to overly broad definitions of terms that are difficult to understand, and leads to confusion amongst those on the outside looking in. The term "Web 2.0" is a recent example of one whose definition has come to potentially mean so many different technologies that few do not consider themselves to be Web 2.0 at this point.

Shaping the Web 2.0 platform. The Web 2.0 movement is not just about collaboration and user-contributed content through wikis, personal and micro-blogs and podcasts
34. ...from spreading and contaminating an organization's internal network. It provides built-in solid state disk technologies that emphasize reliability and durability while using 50% less power compared to similar appliances. (www.stonesoft.com)

New release of RSA Data Loss Prevention Suite. RSA announced enhancements to the RSA Data Loss Prevention Suite, its suite of data security products that are engineered to discover, monitor and protect sensitive data from loss, leakage or misuse, whether in a datacenter, on the network or out at the endpoints. The suite allows organizations to secure sensitive content in a way that saves time and streamlines processes for data security personnel. Sensitive data at rest can now be moved or quarantined automatically, and users can apply self-remediation for emails quarantined due to violations. (www.rsa.com)

New services to secure Web applications from TippingPoint. TippingPoint announced its Web Application Digital Vaccine (Web App DV) and Web App 2 services, a two-part approach to address the security threat posed by Web applications. This set of services enables users to maximize their security investments while reducing the risk of attacks through custom-built Web applications. (www.tippingpoint.com)

The JBIG2 vulnerability. In March, Adobe released a new version of Adobe Reader to fix several bugs. One of the fixes is for the notorious JBIG2 vulnerability
35. ...ID and password is no longer sufficient, and a multi-factor form like smart cards is increasingly being introduced. Two-factor authentication combines two of the following: something you know (a PIN code), something you are (fingerprint biometrics) and something you carry (like a token or smart card). All of this points to multi-factor authentication being the standard in the future. Both Windows Vista and Windows 7 have built-in authentication support for the use of smart cards, but the latter makes it possible for developers to add their own customized methods, such as biometrics and tokens, more easily. It also provides enhancements to the Kerberos authentication protocol and smart card logons. By making it easier for developers to include such solutions, the security professional will have more choice when it comes to biometrics, smart cards and other forms of strong authentication such as fingerprint readers.

In Vista, if you want to use fingerprint logon you have to use software provided by the fingerprint sensor vendor. In the early days of the OS every such vendor had its own drivers, software development kits (SDKs) and applications. This had some disadvantages in terms of overall experience and compatibility. In Windows 7 the operating system provides native support for fingerprint biometric devices through the Windows Biometric Framework (WBF). The Windows Biometric Service (WBS) is part of this and manages fingerprint readers a
36. ...is a dilemma: to defend methods that are obviously useless against child pornography on the Internet, or not. One of their main difficulties is that they are willing to solve the problem but they do not know how. Nevertheless, they cannot admit to having major problems with the understanding of the dynamics of cybercrime without losing their credibility. But maybe Minister von der Leyen is trying to solve another problem with the introduction of filters. This year is the year of the parliamentary elections. Affirming to act against child pornography will definitely get some votes for the Christian-conservative party (CDU) she belongs to, especially as the discussion about Internet filters popped up in the headlines of major newspapers.

As a member of a democratic government, von der Leyen should also be aware that the concern of introducing a highly undemocratic procedure does get the attention of those interested in maintaining democratic standards. Because in the end the Federal Criminal Investigation Agency (BKA) would be the only institution that could add websites to or remove them from the secretly kept block list, without any democratic control of their decisions. Critics see this as a first step towards introducing censorship, or opening the door for lobby groups that would love to see more websites being filtered. This could be sites with political content as well as religious, gambling or music websites
37. ...mention the Kerberos lecture, as most organizations today use Kerberos for authentication but few are aware of the risks when it's misconfigured.

Any future plans for Black Hat?

As we want to expand the European Black Hat to three tracks and Amsterdam is not capable of handling it, we are moving to Barcelona. Also, we will not do Black Hat Japan this year. We are looking for a new location where Black Hat will be held for Asian participants. We are working on Black Hat social web pages where you could get the summary of the projects on which security researchers are working and where you can share with friends or colleagues which lectures you want to go to. It will not be a Facebook or a LinkedIn replacement, but it will be communication oriented towards people interested in topics that Black Hat is covering. Also, it will give some interaction to people who cannot come to Black Hat events.

Vlatko Kosturjak is a security specialist from Croatia, Europe. He specialized in penetration testing and ethical hacking, IT auditing, OS/network security hardening and ISMS development according to international security standards. He also has extensive experience in Linux on almost every platform, from PDAs to mainframes. Vlatko holds a stack of Linux and security certificates. You can reach him through his website at kost.com.hr.

Montreal, Canada, August 10-14, 2009. Join us for a 5-day tutorial and refere
38. ...monitor. It is important to note that not every Linux wireless NIC driver supports Linux Wireless Extensions. However, due to the open source nature of typical Linux drivers, most other drivers have been modified so that they can be put into monitor mode through some alternative means. If your wireless NIC doesn't support Linux Wireless Extensions, then you should be able to do a quick Google search to find an alternative means of getting to monitor mode.

As you may remember reading earlier, one of the distinct differences between a wired and a wireless connection is that the wireless connection operates on a shared spectrum. This spectrum is broken up into several different channels in order to prevent interference from different systems in the same geographical area. This being the case, each node on a wireless network may only use one channel at a time to transmit or receive. This means that our wireless NIC in monitor mode must be explicitly configured to listen on whatever channel we want to grab packets off of. In order to set your wireless NIC to monitor on channel 6, you would use the command:

iwconfig eth1 channel 6

In this scenario you would substitute whatever the assigned name for your wireless NIC interface is for eth1, and the numbers 1-11 (US) or 1-14 (international) for the channel number.

[Screenshot: iwconfig output for the interface, ending with the counters "Invalid misc:6197  Missed beacon:5"]

Using an AirPcap device in Windows
39. ...now have the added burden of monitoring these types of sites for comments that could end up hurting their brand or reputation. Many of these sites allow for the setup of groups where people with a common life thread (previous employees of the same organization, for instance) can gather and have a central place to collaborate. These groups can morph into community support forums where derisive comments from current or ex-employees, or the leaking of confidential intellectual property, can hurt not only a company's reputation but potentially also its competitive advantage.

An often understated risk with a more open Internet is the physical security danger that could result from providing too much personal information online. Is your family going on vacation? Are your kids going to be home alone while you and your significant other enjoy a night on the town? Are there pictures of you online that some might find offensive? Any of these scenarios could result in a physical security risk with catastrophic consequences. It is also important to consider that since social networking sites are so commonplace (Facebook currently has over 200 million active users), employers are now also using them as part of routine background checks. The key takeaway from this point is to not include information about yourself that could end up damaging your personal reputation.

The Clickjacking Threat. Fact
40. ...of the security of the software when delivered. As with any other contractual requirements, security requirements should be clearly articulated and the method for evaluating compliance should be precise. The source code is the only consistent, reliable place to look for this knowledge. The software speaks directly to the issues of the contracted security criteria. This clarity is not possible through simple functional or black-box testing, as many times the implementation of required security is naturally invisible to such testing. Mandates for the use of only approved validation routines, communication through secure protocols and secure data storage are examples of important security enablers that are transparent to the user or to user-styled testing. Source code analysis is a clear and unique means to evaluate performance, measure compliance and potentially to recover costs and impose penalties.

There are many elements in an application that impact data security. Source code analy

[Advertisement] ...must go on faith or make an uneducated guess about the security of their data. The time for such uncertainty is over. The vulnerabilities that put your data at risk are buried in the millions of lines of source code that power your organization. Given the chance, your applications will speak out loud and clear, pointing you to their weakest points and faults. With this information you ... Secure your applications today so you can do business tomorrow.
41. ...principles. IT security specialists, members of civil societies and police investigators in different countries complain about the ineffectiveness of Internet filters, the lack of consistency of public institutions in going against the producers of child pornography, and the disregard of democratic rights and principles. Hannes Federrath, Professor of Information Security at the University of Regensburg, Germany, considers filtering absolutely ineffective. In his opinion there are better methods than using filters, for example working with hash values. Investigators of the Swedish police are also disappointed by the success of the methods used in their country. In an interview with the German magazine Focus, the Swedish chief investigator against child pornography and child abuse, Björn Sellström, stated that the methods introduced to limit access to child pornography on the Internet did not reach their goal. Instead, the number of child porn websites on the Swedish filter list has been growing since the system was initiated.

Representatives of the ISPs also admit that filtering does not solve the problem of child pornography; it just hides the crimes from the public. They would prefer clarification and education, combined with cooperation with police investigators to prosecute the producers and professional distributors. In 2008 German ISPs informed the police about child pornograph
42. ...'s input was processed by the SQL Server, which caused an exception to occur because the users column doesn't exist:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid column name 'users'.
/examplesite/login.asp, line 10

This type of error message is a common sight across the Internet, and it will help attackers fine-tune their attacks against your application. To prevent these kinds of errors reaching the end users of your application, you need to ensure that you develop your code to handle expected and unexpected exceptions. The errors that are returned to the end users should be generic messages such as "Server error, please contact support". There are several simple points to remember when you are trying to implement secure error handling:

• Never include information such as the line an exception has occurred on, the method that has encountered an exception, or information such as stack traces.
• Never include file system paths within error messages.
• Ensure that service information such as ASP.NET version numbers is not contained within error messages.

Most languages will have their own methods for handling exceptions, and I have included an example of the try/catch method of handling exceptions in Java on the following page:

import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLExceptio
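As an added Python example (not the article's Java listing), the same three rules applied to a database call: the real exception, with its column name and stack trace, goes to the server-side log under a reference id, and the user only ever sees a generic message carrying that id so support can still find the entry. sqlite3 stands in for SQL Server; the table, the failing query and the "users" column mistake are constructed to reproduce the "invalid column name" case above.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app")
logging.basicConfig(level=logging.ERROR)  # production: route to a file or SIEM, never to the response

GENERIC_MESSAGE = "Server error, please contact support (reference {ref})"


class UserFacingError(Exception):
    """The only thing the presentation layer may render: generic text plus a lookup id."""

    def __init__(self, ref: str):
        super().__init__(GENERIC_MESSAGE.format(ref=ref))
        self.ref = ref


def lookup_user(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query; the deliberate bug is the non-existent 'users' column."""
    try:
        cur = conn.execute("SELECT users FROM accounts WHERE name = ?", (username,))
        return cur.fetchall()
    except sqlite3.Error:
        ref = uuid.uuid4().hex[:12]
        # Full detail (exception type, DB message, traceback) stays server-side, keyed by ref.
        log.exception("database error, ref=%s", ref)
        raise UserFacingError(ref) from None  # 'from None' drops the chained cause


def login_page(conn: sqlite3.Connection, username: str) -> dict:
    """Simulated controller: returns the body the user sees, which never contains the exception text."""
    try:
        return {"status": 200, "rows": lookup_user(conn, username)}
    except UserFacingError as e:
        return {"status": 500, "body": str(e), "ref": e.ref}


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema for the example (no 'users' column, on purpose)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('alice', 'x')")
    return conn


if __name__ == "__main__":
    print(login_page(build_demo_db(), "alice' OR 1=1--"))
```

Running it prints the generic body to stdout and the full "no such column: users" traceback to stderr, which is exactly the split the rules above ask for; the injection-looking username is harmless because the query is parameterised, but the response would look the same for any failure.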
43. securityinnovation.com. As CEO, Mr. Adams applies his information security and business skills, as well as his pervasive industry experience in the Application Quality space, to direct software security experts in helping organizations understand the risks in their software systems and developing programs to mitigate those risks. His organization has delivered high-quality risk solutions to the most recognizable companies in the world, including Microsoft, IBM, Visa, FedEx, ING, Sony, Symantec, Nationwide and HP. Mr. Adams is the founder and business owner of the Application Security Industry Consortium, Inc., an association of industry technologists and leaders establishing and defining cross-industry application security guidance and metrics. He is on the board of the National Association of Information Security Groups (NAISG). Mr. Adams has presented to thousands at numerous seminars, software industry conferences and private companies. He has contributed written and oral commentary for business and technology media outlets such as New England Cable News, CSO Magazine, SC Magazine, CIO Update, Investors Business Daily, Optimize and CFO Magazine. Mr. Adams is in the process of writing a book titled Information Security Management Survival Guide, which will be published by Wiley & Sons and is due out in November 2009.

Secure development principles, by David Rook. Security professionals have often pointed
44. ...services should you use to monitor your brand?

The cost-effective model. I highly suggest starting to monitor your brand with a simple, cost-effective solution that you can do on your own. Start with the Twitter search function and create a search on your company and related keywords. Next, subscribe to these searches using Google Reader or some other RSS reader. Do the same for Google Blog and News searches by creating these RSS feeds through the Google Alerts functionality. Then create an account on both Facebook and LinkedIn. Embed yourself in existing company groups and pages so you can periodically monitor these sites for company information. Finally, another tool I recommend you try is Maltego (www.paterva.com/maltego). Maltego allows you to visually see how your company information may be linked to other information found from many different sources, including social networks, in a nice GUI visual format. The free version of Maltego is somewhat limited in functionality, but the commercial version is only $430.

In this article I have outlined what social media is, how it works, the benefits, the risks, what information is out there about your company and more. Now it's up to you to decide how to best use this information to define a social media strategy for your company. Get together with the business and marketing or public relations people in your company and partner with them from a security perspective. Soci
45. ...that the account be removed after you verify you do in fact own that particular brand. Twitter is adding a new twist in the near future with pro-level accounts that you would have to pay for (bit.ly/1ZZTc). While there is not a lot of information about how these accounts work, it is rumored that pro-level accounts will have some means for verifying that your company owns a brand prior to activating the account. Registering your name or brand on social networks today is just as vital as registering a domain name: if you don't take it now, someone else will.

Information leakage. Do you know what your employees are posting on social networks? How do you know if employees are intentionally or unintentionally posting confidential or proprietary information to social media or networking sites? If you don't look yourself, you will never know. For example, employees might start sending messages on Twitter or posting Facebook updates about unannounced layoffs or an acquisition of another company before it is announced to the public. These are just two simple examples, but it could be much, much worse. Just use your imagination.

Damage to corporate reputation. Information posted on social networks can spread like wildfire and can quickly damage a company's reputation. On Twitter, these short 140-character messages can be forwarded or "retweeted" to others and become easily searchable. Take for example what r
46. ...that will be compiled by the Federal Criminal Investigation Agency (BKA) and which will have to be kept secret and utilized by all ISPs. Opening one of the websites mentioned on the list will lead to a "stop" website, which contains a short explanation of why the user cannot access the content. At least two communication laws may have to be changed, and the Constitution (Grundgesetz, GG) is expected to be affected. An evaluation of the new law will take place two years after the law is passed, if it is passed.

Supporters and opponents. The most important argument that Minister von der Leyen and her supporters use is the fact that, as members of a democratic government, they are obliged to act against child pornography on the Internet. Notwithstanding all the criticism, they cannot lean back and refuse any activities just because they might turn out to be of little effect. A government that will not try even the least thing possible to end child abuse would probably be confronted later with much harsher criticism than the one they're getting now. In the issue at hand, the argument of re-victimization is a strong one. By this is meant the double effect of abuse: once during the production of the photo or film material, and later again during the unlimited access to the material on the Internet. The protection of a child that became the victim of such an abuse justifies going against the distribution of the material. Si
the removal of data, consider instead alerting on the user privileges of data requiring attention. Additionally, an understanding of where all the sensitive data resides usually results in a project to reduce the number of places where the sensitive data is stored. Once the number of protection points has been reduced, a project to encrypt the remaining sensitive data with a comprehensive data protection solution provides the best protection while also giving the business the flexibility it needs, and it requires a reduced investment in data protection costs.

Step 3: Understand attack vectors, know your enemy

Use your data risk classification plan and the data flow map, along with a good understanding of criminals' favored attack vectors, to identify the highest-risk areas in the enterprise ecosystem. Currently web services, databases and data in transit are at high risk. The type of asset compromised most frequently is online data, not offline data on laptops, backup tapes and other media. Hacking and malware proved to be the attack methods of choice among cybercriminals, targeting the application layer and data more than the operating system. But these vectors change, so keep an eye on security news sites to stay abreast of how criminals are attempting to steal data.

There are two countervailing trends in malware, both likely to continue. One trend is toward the use of highly automated malware that uses basic buildin
the system relating to the digital signature, rather than the hash value or path of a specific file. You can now use the information derived in this manner more easily, including the publisher, product name, file name and file version. You will be able to create rules that are based on the publisher and file version attributes, which remain consistent during updates to a certain level. It will also be possible to create rules that target a specific version of a file. This approach makes application management much easier and also means that you don't have to change all of these rules every time versions change and are updated. Newer applications have a signature that can be used for the Publisher Rules, and Windows 7 also makes it possible to view this signature by examining the file properties of the executable.

Path Rules enable you to restrict the execution of programs to a certain directory path. For example, you can allow end users to launch applications only from the Windows and Program Files folders. This is safe provided that these individuals are not allowed to install programs, that is, provided they cannot write into the allowed folders: a single user-writable subdirectory under an allowed path turns the rule into a bypass. The problem with this type of rule, however, is that users often also need to start applications from other locations, or that applications do not commit to the recommended paths issued by Microsoft.

[Screenshot: Group Policy editor tree showing Network List Manager Policies, Public Key Policies, Software Restriction Policies, and the AppLocker Executable Rules / Applicati
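The path-rule caveat above (users must not be able to plant a binary inside an allowed folder) is easy to check. The following Python is an added example, not code from the article or from AppLocker: it walks a directory tree and flags anything group- or world-writable, the POSIX analogue of a Users/Everyone write ACL under Program Files (on Windows you would query the ACLs, for instance with icacls, rather than mode bits). The demo() fixture is a constructed tree, not a real installation.

```python
import os
import stat
import tempfile

def writable_paths(root):
    """Entries under root whose mode grants write to group or others.

    A path rule allowing execution from root only holds if ordinary users cannot
    drop a binary there, so any such entry is a candidate bypass location.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [""] + filenames:            # "" covers the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):         # symlink targets are judged on their own
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IWOTH | stat.S_IWGRP):
                hits.append((os.path.relpath(path, root), oct(mode)))
    return sorted(hits)

def build_fixture(base):
    """Constructed tree: a locked-down vendor folder with a world-writable 'updates' subfolder."""
    vendor = os.path.join(base, "Vendor")
    updates = os.path.join(vendor, "updates")
    os.makedirs(updates)
    with open(os.path.join(vendor, "app.exe"), "wb") as f:
        f.write(b"MZ")                           # placeholder, not a real executable
    os.chmod(os.path.join(vendor, "app.exe"), 0o755)
    os.chmod(updates, 0o777)                     # the hole an attacker would use
    os.chmod(vendor, 0o755)
    os.chmod(base, 0o755)
    return base

def demo():
    """Build the fixture in a temp dir and return the relative paths that were flagged."""
    base = tempfile.mkdtemp()
    build_fixture(base)
    return [path for path, _mode in writable_paths(base)]

if __name__ == "__main__":
    print(demo())
```

Run it against the real allowed folders (C:\Program Files and C:\Windows on Windows, with an ACL-based check in place of the mode bits) before trusting a path rule; the hits are exactly the directories an unprivileged user could use to launch unapproved code.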
the technical aspect fit into your responsibilities as the CEO?

These days I split my time between marketing, leadership and technical research, primarily focused on our HoneyPoint line of products for security visibility. The good news is that those technical threat vector insights have helped us grow MicroSolved, since we bring some unique knowledge and capabilities to our clients that stem from our in-depth exposures to bleeding-edge attack techniques.

How would you assess the current state of Internet security threats?

I think the state of the OS and networks in general is much improved. Some of the very basics we talked about for years (firewalls, patching, etc.) are starting to become mainstream and common practice. I think security at the application layer and designing for failure are currently the biggest challenges. I think our industry has a lot of bad habits. We rely on user awareness to solve problems that awareness won't solve, like malware. We also tend to engineer IT environments and applications as if best practices were in place, when in reality they rarely are. We need to embrace the idea that designing for failure is much more real-world than designing by best practice. We know from experience that failure happens, thus we have to design our systems, networks and applications to minimize the damages that failure can cause. Again, malware as an example: if we know that some user will click o
the world
Page 93: Q&A: Ron Gula on Nessus and Tenable Network Security
Page 96: Infosecurity Europe 2009
Page 100: Establish your social media presence with security in mind
Page 106: HTTPS is bad
Page 111: Security software spotlight
Page 112: A historical perspective on the cybersecurity dilemma
Page 118: Q&A: Brent Huston on security in general, CEO challenges and MicroSolved
Page 122: Black Hat Europe 2009
Page 127: Germany: The current debate on the Internet filter
Page 131: A risk-based, cost-effective approach to holistic security

Welcome to (IN)SECURE 21, the digital security magazine.

The magazine you're reading was put together during an extremely busy few months that saw us pile up frequent flier miles on the way to several conferences. You can read about some of them in the pages that follow, specifically RSA Conference 2009, Infosecurity Europe 2009 and Black Hat Europe 2009. This issue brings forward many hot topics from respected security professionals located all over the world. There's an in-depth review of IronKey, and to round it all up there are three interviews that you'll surely find stimulating. This edition of (IN)SECURE should keep you busy during the summer, but keep in mind that we're coming back in September. Articles are already piling in, so get in touch if you have something to share.

Mirko Zorz, Editor in Chief

Visit the magazine website at www insecur
transmits personally identifiable information, uses unique identifiers to track you, or much, much more.

ZOC (www.net-security.org/software.php?id=369)
This terminal emulator and telnet/Secure Shell client is well known for its outstanding user interface. It lets you access character-based hosts via telnet, modem, Secure Shell (SSH, SSH2), ISDN and other means of communication. It can be used to connect to Unix/Linux hosts and shell accounts, BBSes, 3270 mainframes (via TN3270 emulation) or Internet MUDs.

Foremost (www.net-security.org/software.php?id=318)
Foremost is a console program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.

ArpAlert (www.net-security.org/software.php?id=335)
This software listens on a network interface (without using promiscuous mode) and catches all MAC-address-to-IP conversations in ARP requests. It then compares the MAC addresses it detected with a pre-configured list of authorized MAC addresses. If the MAC is not in the list, ArpAlert launches a pre-defined user script with the MAC address and IP address as parameters.

A historical perspective on the cybersecurity dilemma
by Ned Moran

Ma
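To make the ArpAlert logic concrete, here is an added Python example (not ArpAlert's own code) that parses raw Ethernet/ARP frames, checks the sender MAC against a whitelist, and additionally flags an authorized host that starts answering for an IP another MAC had already claimed, which is how ARP spoofing looks on the wire. The frames below are constructed with build_arp_frame() rather than captured; in practice you would feed inspect() frames from a raw socket or pcap.

```python
import struct

ETH_P_ARP = 0x0806

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP (RFC 826) frame; used here only to construct sample traffic."""
    dst = b"\xff" * 6 if opcode == 1 else mac_bytes(target_mac)   # requests are broadcast
    eth = struct.pack("!6s6sH", dst, mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return opcode, mac_str(sha), ip_str(spa)

class ArpMonitor:
    """Whitelist check as ArpAlert does it, plus a memory of which MAC last claimed each IP."""

    def __init__(self, authorized_macs):
        self.authorized = {m.lower() for m in authorized_macs}
        self.claims = {}                      # ip -> mac that first announced it

    def inspect(self, frame):
        """Return an alert tuple (reason, mac, ip) or None; ArpAlert would run the user script here."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _opcode, mac, ip = parsed
        if mac not in self.authorized:
            return ("unauthorized_mac", mac, ip)
        previous = self.claims.setdefault(ip, mac)
        if previous != mac:                   # an allowed host answering for someone else's IP
            return ("ip_mac_change", mac, ip)
        return None

if __name__ == "__main__":
    mon = ArpMonitor(["00:11:22:33:44:55"])
    rogue = build_arp_frame(1, "de:ad:be:ef:00:01", "192.168.1.50", "00:00:00:00:00:00", "192.168.1.1")
    print(mon.inspect(rogue))
```

A whitelist catches unknown hardware joining the segment; the second check catches a trusted but compromised host poisoning the cache, which a pure MAC whitelist never sees.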
twitter.com/andrewsmhay
Security Evangelist: http://twitter.com/jasonmoliver
IT security analyst and penetration tester: http://twitter.com/ChrisJohnRiley

If you want to suggest an account to be added to this list, send a message to @helpnetsecurity on Twitter.

Digital Security Forum (www.digitalsecurityforum.eu), Hotel Olissipo Oriente

The Digital Security Forum aims to be a reference in European security conferences and training events, allowing infosec professionals to network and acquire knowledge by discovering the industry's best practices, new methodologies and tools.

Keynote speakers (confirmed so far; the list is not final): Howard Schmidt, President & CEO of the Information Security Forum and President of ISSA; Patricia Peck, lawyer and digital law expert; Christian Bockermann, ModSecurity; the developer of RFIDiot.org.

Pricing: early rate before 31 January 2009; from 1 February to 28 February 240; from 1 March on 360. All prices include VAT at 20%.

Call for Papers: the deadline for paper proposal submissions is the 10th of February 2009; proposals should be sent to cfp@digitalsecurityforum.eu.
virtual machines and their hypervisor.

Your applications are trying to tell you something, are you listening?
by Jack Danahy

Your applications are trying to tell you something. They are saying: "I can help you find potential risks to your business, please just ask me." Applications are the gatekeepers for all of your data, where it gets processed, transformed and transmitted, and by their very nature applications are best positioned to help you ensure data privacy for your customers. By listening to your applications it is possible to know, not guess or hope, that your information is secure enough.

Understanding what your applications can tell you puts power in your hands:
- The power to know you're compliant with regulations such as PCI DSS
- The power to know your promises are kept by protecting your customers' private data
- The power to hold your outsourcers accountable to measurable security requirements

Today, when you make decisions about IT security priorities, you must strike a careful balance between business risk impact, the likelihood of incidents, and the costs of prevention or cleanup. Historically the best-understood variable in this equation was the methods that hackers used to disrupt or penetrate the system. Protective security became the natural focus, and the level of pro
vs FUD

Clickjacking is a browser and application design flaw, brought to prominence by Web 2.0 techniques, that allows malicious content to be overlaid on top of a legitimate application (or the legitimate application to be hidden inside the attacker's page). The user believes they are clicking one thing and is in fact clicking another, so the legitimate application performs actions on the user's behalf in the background without the user ever noticing. These actions could range from the seemingly innocuous to disabling application security settings and data theft.

One of the ways that a clickjacking exploit can occur on a web site is by using a technology frequently used in Web 2.0 sites called Dynamic HTML (DHTML). One of the key features of DHTML is the incorporation of the Z-axis into a web page. Web 1.0 sites with static HTML content can generally be thought of as having been rendered in a two-dimensional plane across the X and Y axes: content had height and width only. With the inclusion of the Z-axis, web pages can now also have depth. That means that content can be layered on top of other content. This technique has frequently been implemented using "float-overs" that cover what you might be trying to read on a web page. This often manifests itself on legitimate sites in the form of an invasive survey invitation or an advertisement. Although not malicious, this method of grabbing a user's attention is generally considered to be an annoyance. In an expl
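The defence against the overlay described above is for the target site to refuse to be rendered inside someone else's frame. The following Python is an added example, not part of the article: given a target page's response headers and the origin of the page trying to frame it, it decides whether a current browser would allow the framing, applying the rules as browsers do (a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options; DENY and SAMEORIGIN are honoured; the legacy ALLOW-FROM value is treated as unrecognised and therefore ignored, which is what Chrome and Safari do). Only a subset of CSP host-source syntax is implemented, and the origins used are hypothetical.

```python
from urllib.parse import urlsplit

def origin_of(url):
    """(scheme, host, port) with default ports filled in so https://a and https://a:443 compare equal."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port)

def host_source_matches(source, origin):
    """Subset of CSP host-source matching: [scheme://]host[:port], host may start with '*.'."""
    source = source.lower()
    if source.endswith(":") and "://" not in source:          # scheme-source such as https:
        return origin[0] == source[:-1]
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if scheme != origin[0]:
            return False
    else:
        rest = source
    host, _, port = rest.partition(":")
    if port and port != "*" and int(port) != origin[2]:
        return False
    if host.startswith("*."):
        return origin[1].endswith(host[1:])                    # *.example.com matches a.example.com only
    return host == origin[1]

def can_be_framed(response_headers, target_url, embedder_url):
    """Would a current browser render target_url inside a frame hosted on embedder_url?"""
    target, embedder = origin_of(target_url), origin_of(embedder_url)
    headers = {}
    for name, value in response_headers:
        headers.setdefault(name.lower(), []).append(value.strip())
    # A CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options.
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.split()
            if not tokens or tokens[0].lower() != "frame-ancestors":
                continue
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if "none" in sources:
                return False
            for src in sources:
                if src == "self" and target == embedder:
                    return True
                if src != "self" and host_source_matches(src, embedder):
                    return True
            return False                                       # nothing matched: blocked
    values = set()
    for raw in headers.get("x-frame-options", []):
        for part in raw.split(","):                            # some servers stack values
            values.add(part.strip().upper())
    if not values:
        return True                                            # no policy at all: anyone may frame it
    if len(values) > 1:
        return False                                           # conflicting values: browsers refuse to render
    value = values.pop()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return target == embedder
    # ALLOW-FROM and any other unrecognised value: the header is ignored, so framing is allowed.
    return True

if __name__ == "__main__":
    print(can_be_framed([("X-Frame-Options", "ALLOW-FROM https://partner.example")],
                        "https://bank.example", "https://evil.example"))
```

The ALLOW-FROM case is the one worth testing on your own sites: a page that relies on it is frameable by anyone in browsers that never implemented it, so use frame-ancestors for the partner exception and keep SAMEORIGIN or DENY as the fallback.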
sis translates an application's full range of possible behaviors into a representation that provides credible facts about the security state of an application. Without going to the source code for this knowledge, organizations

will find that you have the power to make more effective risk management decisions, more insightful decisions about your partnering, and more cost-effective decisions for your organization.

Jack Danahy is founder and CTO of Ounce Labs (www.ouncelabs.com) and one of the industry's most prominent advocates for data privacy and application security. Jack is a frequent speaker and writer on information security topics and has been a contributor to the U.S. Army War College, the Center on Law, Ethics and National Security, and the House Subcommittee on Information Technology. His blog can be read at suitablesecurity.blogspot.com and he can be reached at JDanahy@ouncelabs.com.

HNS Security Software Database: get the largest selection of the best security software for Windows, Linux and Mac OS X at www.net-security.org

Twitter security spotlight

Here are some of the Twitter feeds we follow closely and can recommend to anyone interested in learning more about security, as well as engaging in interesting conversations on the subject. Our favorites for this issue are:

Erin Jacobs, Chief Security Officer for UCB: http://twitter.com/SecBarbie
Security author, blogger and advocate: http
work looking to gain system control. This attack vector is often thwarted by perimeter defenses that typically require an established VPN session before permitting access to authorized remote clients located in the internal network. The remote client (i.e. the LogMeIn host) establishes a persistent outbound HTTPS connection to LogMeIn's server, and this link facilitates reverse tunneling from an external browser: because the connection is initiated from inside, the firewall never sees an inbound session to block.

[Figure 1: LogMeIn architecture. Source: LogMeIn user manual. Client browser, LogMeIn server, LogMeIn host.]

[Screenshot: Active Ports showing the LogMeIn.exe process and its outbound connection.]

Users may install this remote administration tool at the request of a third-party vendor, to avoid having to raise a Business Partner (BP) connection request and so save time and effort. It could be as innocent as users wanting to have remote access to their workstation so that they can work from the comfort of their homes. This tool puts corporate security at risk, as the access credentials are either in the hands of a third party or could potentially be compromised through password-stealing Trojans installed on the user's home computer. LogMeIn becomes a potential backdoor into your network when compromised.

Data theft is an increasing concern to companies protecting their valuable intellectual property. Companies ban the use of portable storage devices, webmail, Instant Messag
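Because the agent keeps that outbound HTTPS tunnel open, it leaves a distinctive trace in the web proxy log: long-lived CONNECT sessions from a workstation to the vendor's relay hosts, quite unlike the short browser visits an administrator makes to the vendor's website. The following Python is an added example, not part of the article: it runs that detection over a constructed proxy log. The log format, the relay hostname and the logmeinrescue.com domain are assumptions for illustration; only logmein.com is named in the article.

```python
from collections import defaultdict

# Assumed domains to watch; only logmein.com is named in the article.
REMOTE_ACCESS_DOMAINS = ("logmein.com", "logmeinrescue.com")

# Constructed proxy log (one closed CONNECT session per line):
# <timestamp> <client_ip> <method> <host:port> <duration_s> <bytes_out> <bytes_in>
SAMPLE_LOG = """\
2009-05-12T08:00:01 10.1.2.34 CONNECT control.app04-01.logmein.com:443 3600 51200 40960
2009-05-12T09:00:02 10.1.2.34 CONNECT control.app04-01.logmein.com:443 3600 49152 38912
2009-05-12T09:05:10 10.1.2.35 CONNECT www.logmein.com:443 12 2048 65536
2009-05-12T09:07:44 10.1.2.36 CONNECT mail.example.com:443 4000 8192 120000
2009-05-12T10:00:03 10.1.2.34 CONNECT control.app04-01.logmein.com:443 3600 50176 41984
"""

def host_in(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def parse_line(line):
    ts, client, method, hostport, duration, out_b, in_b = line.split()
    host, _, port = hostport.rpartition(":")
    return {"ts": ts, "client": client, "method": method, "host": host,
            "port": int(port), "duration": int(duration),
            "out": int(out_b), "in": int(in_b)}

def find_persistent_tunnels(lines, domains=REMOTE_ACCESS_DOMAINS, min_session=900):
    """Clients holding long CONNECT sessions to remote-access hosts.

    A browser visit to the vendor site lasts seconds; an installed agent holds the
    tunnel for as long as the proxy allows and reconnects immediately, so the
    discriminator is the longest single session, not the number of requests.
    """
    stats = defaultdict(lambda: {"sessions": 0, "longest": 0, "total": 0})
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["method"] != "CONNECT" or not host_in(rec["host"], domains):
            continue
        agg = stats[(rec["client"], rec["host"])]
        agg["sessions"] += 1
        agg["longest"] = max(agg["longest"], rec["duration"])
        agg["total"] += rec["duration"]
    hits = [(client, host, agg) for (client, host), agg in stats.items()
            if agg["longest"] >= min_session]
    return sorted(hits, key=lambda h: (-h[2]["total"], h[0]))

if __name__ == "__main__":
    for client, host, agg in find_persistent_tunnels(SAMPLE_LOG.splitlines()):
        print(client, host, agg)
```

In the sample, 10.1.2.34 is flagged (three back-to-back hour-long sessions, i.e. the proxy's idle limit) while 10.1.2.35's twelve-second visit to the website is not; the long session from 10.1.2.36 is ignored because its destination is not on the watch list.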
your own SSDLC on their internal processes.

Development Education: Publications such as this one will always contain information that is useful for developers, and above all it will be free. An avenue that is often not explored is OWASP chapter meetings. These meetings will have experts from your area presenting on application security topics that anyone can attend for free. The OWASP also has an education project that provides free materials for conducting developer awareness sessions.

Code Review: This is another area where the OWASP can help you. The OWASP Code Review Guide contains guidance on how to review code for many different vulnerabilities. There are a few free tools available, and I would recommend the OWASP Code Crawler and Orizon projects to help you with your reviews.

Security Testing: The testing of an application should consist of both manual and automated tests. To help you with your automated testing I recommend using the Burp Suite and Grendel-Scan.

Mapping the principles to specific vulnerabilities

The table shown below maps the secure development principles to common vulnerabilities taken from three "top x" lists. More information surrounding these mappings can be found on securityninja.co.uk/blog.

Specific vulnerabilities for each principle (SANS): Improper Input Validation; Failure to Preserve SQL Query Structure; Failure to Preserve Web Page Structure; Failure to Prese
Hord Tipton is the executive director for (ISC)², the global leader in educating and certifying information security professionals throughout their careers.

What has been your biggest challenge as the Executive Director of (ISC)²?

(ISC)² is celebrating its 20th anniversary and there has been a tremendous culture change from a small organization to a sizable corporation. Yet while we have accomplished a lot, there is still much work to be done. With my recent trip to Asia I discovered we have had difficulty effectively communicating with members in their native language, be it through e-mail or by phone. In June we plan to start addressing some of these issues by implementing people who can speak the native language in countries where we have significant membership. This will help us better reach the growing information security profession in new regions as well, such as Latin America.

I also learned we need to do a better job of communicating the continuing education requirements of our certifications so members know exactly what is expected of them to maintain their credential. This may involve more information on CPEs being included in our educational programs. There are many other initiatives that need to be taken to ensure that we are exceeding member expectations when it c
SecurID support as well as automatic antivirus scanning.

When the tagline of the product is "The world's most secure flash drive", you are definitely interested in hearing about the specs. IronKey sports a rather elegant and simple design with a rugged metal casing. The casing is waterproof and tamper-resistant: breaking into the device will only destroy it, and you can automatically say goodbye to the data on board. The Cryptochip operations follow the industry's best practices; therefore the device uses only well-established and thoroughly tested cryptographic algorithms. All the data is encrypted in hardware using AES in CBC mode. Everything stored, executed and saved to the disk is encrypted, and as hardware encryption is in place, everything works extremely fast. The encryption keys used to protect your data are generated in hardware by a FIPS 140-2 compliant true random number generator on the IronKey Cryptochip. If you are a true hardware geek, you will also be interested in the fact that the memory used is the ultra-fast dual-channel SLC Flash.

In short, what can I do with IronKey?

This will be a lengthy and detailed review of the device. If you are impatient to see if IronKey is of any use to you, let me tell you that it provides:
- Secure encrypted storage on the go
- Password management and elevated security in the online world
- A secure and anonymous Web browsing experience from any compute
By the way, even when logging in to the Safe mode there is a security twist: before successfully logging in with just your username and password, an Account Login Code will be sent to your e-mail and you will need to enter it.

Final thoughts

If you had the willpower to read this extensive review, or better said a guide to IronKey usage, you won't be shocked to learn that I really liked the product. It works great and there were no issues during my thorough tests. The functions described in detail would take care of multiple situations I usually come across, and the additional reliability with the paired online account is surely a significant plus.

Mark Woodstone is a security consultant who works for a large Internet Presence Provider (IPP) that serves about 4000 clients from 30 countries worldwide.

Windows 7 security features: Building on Vista
by Rob Faber

In November 2006 Windows Vista first saw the light of day with all of its heralded improvements. After a mixture of both criticism and positive reactions from end users, there will soon be a new member of the Windows family available. Following Microsoft's announcement, Windows 7 will be released this year and will make us forget its predecessor. As a consequence, it's about time to have a look at the enhanced security features that have been added to Vista's fundamentals. Windows 7, formerly code-named Blackcomb and Vienna, will
Security coverage sponsored by SBS

RSA Conference 2009 took place in San Francisco during April. The industry's most pressing information security issues were addressed by more than 540 speakers in 17 class tracks containing more than 220 educational sessions. More than 325 of the industry's top companies exhibited the latest information security technologies. What follows are some of the many products presented at the show.

Art of Defence launched the Hyperguard SaaS solution, which will enable cloud technology providers to offer security solutions at the web application layer. Hyperguard SaaS is built on Art of Defence's dWAF technology, suited for the diverse platform and infrastructure scenarios required to deliver applications through a cloud. Using the OWASP best practice recommendations as a starting point, Hyperguard adds high-level proactive security features such as secure session management, URL encryption and a web authentication framework.

Mobile Armor added anti-malware support to its KeyArmor product group. The solution is a military-level encrypted USB drive managed by the Mobile Armor enterprise policy console, PolicyServer. KeyArmor USB drives are FIPS 140-2 Level 2 validated, using on-processor AES hardware encryption. KeyArmor now independently provides protection against viral and malware threats.

The nuBridges Protect Token Manager is a data security softwa
Capturing wireless traffic in a Windows environment is unfortunately not as easy as a settings change. As with most Windows-based software, drivers in Windows are often not open source and do not allow for a configuration change into monitor mode. With this in mind, we must use a specialized piece of hardware known as an AirPcap device. Developed by CACE Technologies (employer of the original creator of Wireshark), an AirPcap device is essentially a USB 802.11 wireless adapter bundled with specialized software that allows the device to be used in monitor mode.

Once you have obtained an AirPcap device, you will be required to install the software on the accompanying CD on your analysis computer. The installation is a fairly straightforward matter of accepting the licensing agreement and clicking Next a few times, so we won't cover that here. Once you have the software installed, you are presented with a few options you can configure in the AirPcap Control Panel.

[Screenshot: AirPcap Control Panel, Settings tab. Interface: AirPcap USB wireless capture adapter nr. 00; Blink Led; Model: AirPcap Tx; Transmit: yes; Media: 802.11 b/g. Basic Configuration: Channel 2412 MHz [BG 1]; Extension Channel; Include 802.11 FCS in Frames; Capture Type: 802.11 + Radio; FCS Filter: All Frames. Buttons: Help, Reset Configuration, OK, Cancel.]

As you can see from the screenshot above, there isn't an incre
Data encryption and auditing/monitoring are both necessary for a properly secured system, not one versus the other. There are many protections that a mature database encryption solution can offer today that cannot be had with some of the monitoring solutions that are available. Installing malicious software on internal networks to sniff cardholder data and export it is becoming a more common vector for attack, and by our estimates is the most common vector of massive breaches, including TJX, Hannaford, Heartland and CardSystems. Storage-layer encryption or file-layer encryption doesn't provide the comprehensive protection that we need to protect against these attacks: the data is decrypted transparently for whatever process reads it, including the malware. There is a slew of research indicating that advanced attacks against internal data flow (transit, applications, databases and files) are increasing, and many successful attacks were conducted against data that the enterprise did not know was on a particular system. Using lower-level encryption at the SAN, NAS or storage system level can result in questionable PCI compliance, and separation of duties between data management and security management is impossible to achieve.

Compensating controls

PCI compensating controls are temporary measures you can use while you put an action plan in place. Compensating controls have a shelf life, and the goal is to facilitate compliance, not obviate it. The effort of implementing, documenting and operating a set of
IT. For instance, a hacker could infiltrate someone's technology-controlled medical device, such as a pacemaker, with the intent to do harm. At universities like Stanford and Johns Hopkins, research is being conducted on such revolutionary concepts as being able to download the memory cells of a person's brain into a data file for the purpose of preserving short-term memory. If a cure for such diseases as Alzheimer's is found, that data could then be transferred to a new, regenerated brain. The security component comes into play when dealing with the transfer of data.

In short, we have tremendous tools and proven security techniques to protect our critical assets if we get to play on the front end of development of these exciting technologies. It would be a mistake to watch these advances take place and then have to address security and privacy concerns only after they are already deployed.

Some believe that certification is essential when it comes to working in the IT security industry, while others think it's wasted time and money. I imagine you value certification programs, so what would you say to those not interested?

I do believe certification is vital to the furtherance of improved IT security performance, and always has been. The IT security world would be in a world of hurt without understanding and acceptance of standard practices. Many professions require objective valid
It is about how to send and receive information faster than ever before. It is also about services that make the Web easier to use, breaking down the walls of what used to be considered functionality best performed by a desktop program, and creating rich Internet experiences that rival the functionality of their desktop counterparts.

Heading into the danger zone

As with most new technologies, the focus is initially on evolution and on creating new, innovative features that will entice users and organizations to adopt them. Many companies want to be viewed as progressive, so they jump on the bandwagon quickly, not fully knowing or feeling educated about what bumps may lie on the road in front of them. Unfortunately, security and secure coding practices often play second fiddle while development is moving full steam ahead, so early adopters either have to look for ways to code around or fix known security issues, or they are left holding the bag. This problem is often fed by a lack of best practices in the space.

Application coding flaws are not the only vulnerabilities that need to be considered when looking at the spectrum of threats introduced by a more information-rich, collaborative Internet. Some of the characteristics that make these technologies so powerful can also be their biggest weaknesses. Despite the collaborative benefits that Web 2.0 sites like Twitter, Facebook, MySpace and many others provide businesses
Web Security Testing Cookbook
By Paco Hope, Ben Walther
O'Reilly Media, ISBN 0596514832

The recipes in this book demonstrate how developers and testers can check for the most common web security issues while conducting unit tests, regression tests, or exploratory tests. Unlike ad hoc security assessments, these recipes are repeatable, concise, and systematic, perfect for integrating into your regular test suite. Recipes cover the basics, from observing messages between clients and servers to multi-phase tests that script the login and execution of web application features.

Cisco Secure Firewall Services Module (FWSM)
By Ray Blair, Arvind Durai
Cisco Press, ISBN 1587053535

Cisco Secure Firewall Services Module (FWSM) covers all aspects of the FWSM. The book provides a detailed look at how the FWSM processes information, as well as installation advice, configuration details, recommendations for network integration, and reviews of operation and management. This book provides you with a single source that comprehensively answers how and why the FWSM functions as it does. This information enables you to successfully deploy the FWSM and gain the greatest functional benefit from your deployment.

Analyze wireless traffic
by Chris Sanders

The tricky thing about a wireless network is that you can't always see what you're dealing with. In a w
Startup in Windows 7, which means that the entire hard drive can be encrypted prior to boot and the encryption key will be safely stored inside a Trusted Platform Module (TPM) chip on the motherboard. This can be achieved with BitLocker. Many of the methods currently used to circumvent permissions will no longer work by way of simply reading data from the NTFS partition. Bear in mind that with a TPM-only protector the TPM releases the key at boot without any user input, so where an attacker may get physical access to a running or sleeping machine, add a PIN or startup key as a second factor.

Although Windows Vista Service Pack 1 did later add the ability to encrypt multiple fixed disks, within the initial release of the OS the BitLocker encryption mechanism could only be used to encrypt the volume upon which the system was installed, even though a volume can of course span one or more disks. In fact, it was only by using the command line that more options were available. Both the improved BitLocker Drive Encryption and the new BitLocker To Go will be discussed next.

There has been much improvement to BitLocker in Windows 7, although the first activation or use of it is slightly different from Vista because the BitLocker partition is already available and will be 200 MB in size. Since the partition is hidden and there is no drive letter attached to it, it can only be worked with through the Disk Management MMC. BitLocker can be found and activated under System and Security in the Control Panel. If you want to upgrade from Windows Vista to Windows 7, this will be possible without having to decrypt the whole partition. This save
Malicious PDF: Get owned without opening
by Didier Stevens

The PDF format supports several image compression algorithms; you're probably familiar with JPEG. JBIG2 is another compression algorithm. Adobe's implementation of the JBIG2 decompression algorithm contained bugs that could lead to arbitrary code execution vulnerabilities. Malware authors started exploiting this JBIG2Decode vulnerability before Adobe was able to release a fix. They managed to create PDF documents that cause the buggy JBIG2 decompression code to malfunction in such a way that shellcode is executed, which ultimately downloads a Trojan.

I will use the following malformed JBIG2 data to trigger an error in the vulnerable JBIG2 decompression algorithm in Adobe Reader (the object number, filter name and stream bytes did not survive extraction of this page; only the object skeleton remains):

    0 obj
    <<
      /Length 10
      /Filter
    >>
    stream
    endstream
    endobj

Some user interaction required

How is it possible to exploit this vulnerability in a PDF document without having the user open the document? The answer lies in Windows Explorer shell extensions. Have you noticed that when you install a program like WinZip, an entry is added to the right-click menu to help you compress and extract files? This is done with a special program, a shell extension, installed by the WinZip setup program.

[Screenshot: Windows Explorer file listing with Name, Size and Type columns.]

This explains how the PDF vulnerability can be exploited without y
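Whether or not the user opens the file, the first question for a responder is whether a PDF carries a JBIG2Decode stream at all, and whether its declared /Length matches the bytes actually present, since a mismatch is the usual sign of a hand-built file. The following Python is an added example, not the author's code or tool: it walks the objects of a PDF with regular expressions, resolves the #xx name escapes that malware authors use to hide filter names from naive string matching, and reports every stream object whose filter chain includes JBIG2Decode. The sample document is constructed here; its 13 bytes of "image data" are junk, not JBIG2 and not an exploit.

```python
import re

# A PDF name can hide characters as #xx hex escapes: /JBIG#32Decode is /JBIG2Decode.
_NAME_RE = re.compile(rb"/((?:[^\s/<>\[\]()%#]|#[0-9A-Fa-f]{2})+)")
_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
_STREAM_RE = re.compile(rb"^(.*?)\bstream\r?\n(.*?)\r?\nendstream", re.S)
# Direct /Length only; "/Length 6 0 R" is an indirect reference and is left unresolved.
_DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")

def decode_name(raw):
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)

def scan_pdf(data):
    """One finding per stream object whose dictionary names include JBIG2Decode."""
    findings = []
    for objnum, _gen, body in _OBJ_RE.findall(data):
        stream = _STREAM_RE.search(body)
        if stream is None:                        # no stream in this object
            continue
        dictionary, payload = stream.groups()
        names = {decode_name(n) for n in _NAME_RE.findall(dictionary)}
        if b"JBIG2Decode" not in names:
            continue
        m = _DIRECT_LENGTH_RE.search(dictionary)
        declared = int(m.group(1)) if m else None
        findings.append({
            "obj": int(objnum),
            "declared_length": declared,
            "actual_length": len(payload),
            "length_mismatch": declared is not None and declared != len(payload),
        })
    return findings

# Constructed sample: a one-image PDF whose image stream claims /Length 10 but carries
# 13 junk bytes, with the filter name hex-escaped the way a malware author would write it.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
    b"/Filter /JBIG#32Decode /Length 10 >>\nstream\nJBIG2-bogus!!\nendstream\nendobj\n"
    b"5 0 obj << /Length 5 /Filter /FlateDecode >>\nstream\nabcde\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for finding in scan_pdf(SAMPLE_PDF):
        print(finding)
```

Two limits to keep in mind: streams packed inside compressed object streams are invisible to a byte-level scan like this one, and a stream body that itself contains the word endobj will confuse the object splitter; for anything beyond triage, inflate the object streams and parse the file properly rather than trusting the regexes.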
ICDF2C, 30 September - 2 October 2009, Albany, NY, USA (www.d-forensics.org)

ICDF2C is a unique conference encompassing not only the technical but also the social, legal and business aspects of forensics. The forensics field is set to explode and the Capital Region is in a prime position to take advantage of it. By bringing together both practitioners and researchers we hope to benefit from understandings of current practice and the innovations that research has to offer.

Tracks: Financial Crimes; Accounting Fraud; Forensic Accounting; Continuous Assurance and Crime Detection/Deterrence; Forensics Training & Education; Forensics and Law; Cyber Crime Investigations; Network Forensics and Data Analysis; Computer, Handheld Device & Multimedia Forensics; Forensics Standardization and Accreditation; Data Recovery & Business Continuity; Intellectual Property Theft; Watermarking; Cyber Warfare and Terrorism; and more.

Call for Papers: the paper submission deadline is 15 June 2009. For the details visit http://d-forensics.org/callforpapers.shtml

Call for Presenters: as opposed to research papers, the presentations will be focused on more applied topics. For further details visit http://www.d-forensics.org/callforpresenters.shtml

Partners: CREATE-NET, Help Net Security (www.net-security.org), University at Albany, State University of New York.
70. a is analyzed and explored in depth and breadth. The resulting database had over 10,000 data points that were sorted, normalized and compared to extract trend lines and conduct point-in-time analyses. Note that having invested in all of the specifics outlined above (essentially a laundry list of security best practices in both the T&T and P&P categories) would indicate a very high security maturity level for an organization, and high maturity is the goal if and only if the investment is coupled with the culture change necessary to integrate the investments as part of operational business. Therefore it is not a simple matter of picking and choosing a handful of investments to make in each category. Rather, it is a journey that leads organizations to eventually understand the benefit of funding and implementing the T&T and P&P investments mentioned above.

Plotting the data

Understanding these two critical elements led us to plot organizations according to these two criteria. Using a standard 4x4 grid, with the left corner (the origin) representing low and the top left and bottom right corners representing high, we plotted an organization's investment in Technology & Tools on the vertical (Y) axis and its investment in People & Processes on the horizontal (X) axis. The grid was populated from information we knew directly about organizations and their security investments. For example
71. abase administrators can assign one or more tables to a table space file, and then policies can specify which table spaces to encrypt. Therefore one needs only to encrypt the database tables that have sensitive data and leave the other tables unencrypted. However, some organizations choose to encrypt all of their database files because there is little performance penalty and no additional implementation effort in doing so.

Production database requirements often use batch operations to import or export bulk data files. If these files contain sensitive data they should be encrypted when at rest, no matter how short the time they are at rest. Note: some message queues, such as MQ Series, write payload data to a file if the message queue is backed up, sometimes for a few seconds or up to hours if the downstream network is unavailable. It may be difficult to protect these files with column-level encryption solutions.

This approach can encrypt while still allowing transparent access to authorized applications and users. This approach is suitable for protection of low-risk data. Be aware of the limitations with this approach in the areas of no separation of DBA duties and potential issues that operating system patches can cause. File encryption doesn't protect against database-level attacks. How are you going to effectively and easily keep administrators from seeing what they don't need to see with file-level encryption? P
72. ability research in the future. Experienced users often ask for features more about how Nessus is used than what Nessus does. For example, we get a lot of requests to integrate Nessus results with ticketing systems.

I think the industry is moving in the right direction, with more focus on secure code development before a product is shipped as well as more of a focus on configuration management of operational systems rather than being reactionary to newly discovered vulnerabilities. As the CEO of a vulnerability scanner company (we do log analysis and network monitoring too) I get some criticism for this view, but the reality is that if you are 100% patched right now you are still 100% vulnerable to what you don't know about. Minimizing what your systems do and hardening them is the only real way to combat this sort of threat.

Where do you see the current security threats your products are guarding against in 5 years from now? What kind of evolution do you expect?

I feel that cloud computing has been over-hyped, but if you are in an organization that has made a political decision to outsource some sort of business-critical applications, you need the tools to understand what sort of risk this poses to your network. You may or may not be able to audit the architecture of this application. This scares me much more than any particular new threat. Our strategy here is the same one that has helped Te
73. acking and statistics with page views and visitor information. Facebook pages are a new feature to the site and provide a way for Facebook to drive more traffic to popular topics and information.

Searching for information about your company couldn't be easier in Facebook. Simply type in your company name in the search box in the upper right side of the main Facebook page and you will get information separated by several different tabs: People, Pages, Groups, Events, Web. Clicking on each of these will drill down to specific information about what you are searching for. Again, just like LinkedIn, you may find everything from customer complaint groups to employees giving away the jewels. Keep in mind that for all of these searches you will need to use or create a Facebook account. Pages are the one exception, as you can search for these with any search engine (Google, Yahoo, etc.).

Twitter

Twitter is currently the hottest social media and networking application today. If you are not familiar with Twitter, think of it as a short messaging service, or what some call a microblogging service. You have 140 characters to tell the world what you are up to. Continuing the theme from LinkedIn and Facebook, there could be a lot of valuable information about your company on Twitter. It's easy to find information on Twitter. Go to search.twitter.com and type in your company name. You can also use the
74. ake months of staff time to complete. Then security administrators must determine where to keep payment data and where it shouldn't be kept. It's pretty obvious that the fewer repositories housing credit card information, the fewer points of exposure and the lower the cost of encryption and PCI initiatives.

In the event of a breach of one of the business applications or databases, only the tokens could be accessed, which would be of no value to a would-be attacker. All credit card numbers stored in disparate business applications and databases are removed from those systems and placed in a highly secure, centralized tokenization server that can be protected and monitored utilizing robust encryption technology.

Tokenization is a very hot buzzword, but it still means many things to different people, and some implementations of it can pose an additional risk relative to mature encryption solutions. Companies are still being required to implement encryption and key management systems to lock down various data across the enterprise, including PII data, transaction logs and temporary storage. A tokenization solution would require a solid encryption and key management system to protect the tokenizer. Organizations use card numbers and PII data in many different places in their business processes and applications that would need to be rewritten to work with the token numbers instead. The co
75. al media and networks don't have to be a risk or threat to your company as long as you take proactive steps to ensure security is involved along the way.

Tom Eston is a penetration tester for a Fortune 500 financial services organization. Tom currently serves as the security assessment team lead. He is actively involved in the security community and focuses his research on the security of social media. Tom is a contributing author to a social media eBook and has written a Facebook Privacy & Security Guide that is used in several major universities as part of student security awareness programs. Tom is also a frequent speaker at security user groups and conferences. You can find Tom blogging on Spylogic.net and as one of the co-hosts of the Security Justice Podcast. Locate him on Twitter as agent0x0.

Learn latest forensics tools and techniques to effectively identify, collect, analyze, preserve and present digital data evidence. July 22-23, 2009, JW Marriott Hotel, Jakarta, Indonesia. This intensive hands-on training course offers an in-depth understanding of: what kind of information you can retrieve with computer forensics; all tools necessary to perform a number of basic forensics techniques such as data acquisition, recovery of deleted files, large-scale analysis and data visualization; e
76. alidating an individual's competency in addressing security issues throughout the software lifecycle (SLC). www.isc2.org

F-Secure launches new version of Protection Service for Business

PSB 4.0 provides a fast response to emerging new threats, requires less user involvement and delivers significant performance improvements. It is automatic and always up to date. The solution protects business desktops, laptops, file servers and e-mail servers. Its easy-to-use, web-based management portal is available anywhere from the Internet. www.f-secure.com

DeviceLock announced DeviceLock 6.4, which adds true file type detection and filtering, the first deep data analysis feature built on top of its new content processing engine. The software can intercept peripheral device read/write operations, perform analysis of the entire digital content in real time and enforce applicable file-type-based security policies. True file types can now be used as a parameter for DeviceLock data shadowing policies, thus increasing the level of granularity and flexibility of controls.

nCircle announced that its Configuration Compliance Manager configuration auditing solution delivers new policies that audit the configurations of the virtual infrastructure and compare the configurations to Center for Internet Security benchmarks or hardening guides to ensure the security of
77. ance and is ideal for legacy applications. To find out more about SSH Tectia to protect your data and stay ahead of the compliancy curve, visit www.ssh.com

The application security maturity (ASM) model, by Ed Adams

Based on this research it's clear that organizations that develop and deploy the most secure software have a high maturity level; further, they only reach maturity through many trials and errors, particularly when it comes to purchasing and integrating tools into their software development and information security organizations. By understanding and using the ASM model, organizations can uncover their current maturity level and then understand the most effective course of action to increase this level quickly and pragmatically, while introducing as little disruption as possible to their current development process and in-production application management.

The goal of this article is to:
1. Understand how the ASM model was created.
2. Learn how the model works and what it can tell you about your organization.
3. Help fine-tune your security-related investments in order to positively impact your software security maturity more quickly.

The ASM model was developed after analyzing first-hand the software security activities and investments of hundreds of organizations. The initial data input fo
78. and it is much easier to work with. If in any case you wouldn't like to run it in the background, you can always manually start it via the mentioned keyhole icon in Mozilla Firefox. When your passwords database pumps up, don't forget to back it up locally or directly to your associated online account.

[Figure: Identity Manager dialog "Would you like to create a new account?" with Account Name, Username, Password, Link (https://www.paypal.com/us/...), Location and Advanced/Add fields. Caption: Automatically scouting the PayPal login page for data]

Further benefits of an online account

Here's some insight on the actual interconnection between IronKey and your my.ironkey.com account. When the device is in place in one of your USB slots and you have successfully authorized to it, you will be able to access your full online account. Only in this situation will everything be available for you to use. In case you want to login online but you don't have the device with you, the two-factor authentication cannot be done and you will enter the account in Safe mode. Safe mode is used mostly in the case you lose your key, and while residing in it you might just work around some activities such as recover your device's password, report the device as lost and delete your online backups, both the password as well as data from Identity Manager.
79. aps. Classify each baseline control to facilitate reporting when findings are present.

ACME0001: Requirement: Maintain a security awareness and training program. Environment: Enterprise. Domain: Personnel Security.
ACME0002: Requirement: Sensitive authentication data must not be stored after authorization. Environment: Payment Card. Domain: Data Retention.
ACME0003: Requirement: Monitor system and network performance and capacity levels. Environment: Enterprise. Domain: Monitoring.
(Other attributes shown for each control: Control Objectives: Technical, Preventive. Risk Impact: Medium.)

Security metrics

Determine what types of reporting are necessary based upon mission, audience and available data. Here are a few examples and free reporting resources for inspiration.

Examples: Percentage of high vulnerabilities mitigated within organizationally defined time periods after discovery. Percentage of business unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls. Percentage of systems configured to approved standards.

Resources: NIST SP 800-55, Performance Measurement Guide for Information Security (bit.ly/1wvY5Z). Corporate Information Security Working Group, Report of the Best Practices and Metrics Teams (bit.ly/Skt9h). Center for Internet Security Consensus Information Security Metrics Service (bit.ly/MThR6).

The large number of metrics within the above resources may seem overw
80. artphone. After sending an SMS with a password to the lost device, the user receives a link to Google Maps containing its exact coordinates. The Anti-theft module of Kaspersky Mobile Security 8.0 makes it possible for the owner of a lost or stolen smartphone to remotely block access to or completely wipe the memory of the device by simply sending a codeword via SMS to his/her number. www.kaspersky.com

SSH solution for real-time inspection and audit of encrypted traffic

SSH Communications Security announced SSH Tectia Guardian, a new technology solution that enables real-time session and file transfer monitoring with IDS or DLP integration capabilities, as well as replay of sessions for post-session auditing of encrypted traffic. This unique security solution enables both real-time inspection and full replay of SSH, SFTP, Telnet and RDP traffic and sessions to meet compliance, governance, auditing and forensics requirements in enterprises and government entities. www.ssh.com

Acunetix Web Vulnerability Scanner 6.5 now available

Acunetix announced new file upload forms vulnerability checks in version 6.5 of the Acunetix Web Vulnerability Scanner (WVS). Other key features in the new version are the new Login Sequence Recorder, Session Auto-Recognition functionality and improved cookie and session handling. With the new Login Sequence Recorder and Session Auto-Recogn
81. as soon as a user lands on your site; this means making the logon pages you have HTTPS instead of HTTP. In addition to encrypting the session from the get-go, you need to continue this protection throughout the whole session and not only for the submission of logon credentials. If the data is highly sensitive you should continue to provide secure transport mechanisms internally, from your application server to systems such as database servers.

The final thing to address is using a mechanism that is cryptographically secure and does not have a flawed design. A good example of a protection mechanism that is not secure is SSLv2; several of its vulnerabilities come from weaknesses in its design and not through a cryptographic weakness. I mentioned two protection mechanisms earlier and they are examples of how to protect your data in transit. If you are selecting a transmission protection mechanism you should use one that is accepted as being secure, such as SSLv3, TLSv1 and SSHv2.

Secure resource access

Securing access to your application resources has been addressed in several of the previous principles, but we will look at specific issues that can arise now. The issue of authenticating and authorizing users, along with secure session management, has been covered already, but these can be undermined by poor design decisions. If a design depends on the principle of security through obscurity it is almost certain to fail. A
82. ase the difference between five microseconds and five thousand microseconds is not noticeable. But if you have a high volume of processing on your website or data warehouse, it will matter. If you add up all of your transactions and each of them takes a thousand times longer than necessary, you will hit multiple resource constraints and you will overload your computer. It can really cripple the user's experience and business operations.

It is interesting also to notice that a fast network doesn't really help you. If you summarize all the steps that need to be processed for the data to go all the way from the database over to another appliance and back, that path length is so much higher that the network speed doesn't really help you.

Another thing to think about when you dissect a remote appliance solution is this: if you want to be secure, you actually need to encrypt the data traveling over the wire between the appliance and your database server. Guess what? It costs you more overhead to encrypt that traffic than to do the encryption in the first place.

Another myth is that the speed and the power of the appliance is going to affect the total speed of the encryption and decryption processing. The marketers will say: "Well, we can stack appliances so that you can harness this enormous power of these boxes. Put it on a fast network and you can really offload the processing." Seems to make sense at first, until all of the fa
83. ases involved more than 1 million records. Some type of cardholder data was compromised in 84 percent of cases. Obviously these statistics correlate to the financial motivation of the criminals. Related findings support this statement, as fraudulent use of stolen information was detected following 79 percent of breaches. Additionally, 32 percent of cases involved one of the many types of personally identifiable information (PII). This is likely attributable to the usefulness of this type of data for committing fraud and other criminal activities.

Step 4: Cost-effective protections

Cost cutting is typically accomplished in one of two ways: reducing quality, or getting the most out of a business investment. Assuming you've wisely opted for the latter, look for multi-tasking solutions that protect data according to its risk classification levels, support business processes and are able to change with the environment, so that you can easily add new defenses for future threats and integrate it with other systems as necessary.

Concerns about performance degradation, invasiveness, application support and how to manage broad and heterogeneous database encryption implementations too often produce hard barriers to adopting this important security measure. Some aspects to consider when evaluating data security solutions for effectiveness and cost control include: Access controls and monito
84. ata defense, customers can ensure business continuity with always-on protection and not have to worry about malicious software entering their networks. www.pgp.com

Web penetration testing live CD

The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. The developers included the tools they use in their own security practice. sourceforge.net/projects/samurai

RIM launches BlackBerry Enterprise Server 5.0

RIM launched BlackBerry Enterprise Server 5.0, which supports advanced IT administration features and smartphone controls that help improve the productivity of mobile workers and meet the demands of large-scale, mission-critical enterprise deployments. It enables a secure, centrally managed link between BlackBerry smartphones and enterprise systems, applications, corporate phone environments and wireless networks. www.blackberry.com

Stonesoft introduced the StoneGate FW-1030 appliance with firewall capabilities. It provides data security for small enterprises and remote offices, combined with StoneGate's built-in high availability features that guarantee always-on connectivity. With perimeter protection and internal network segmenting capabilities, the FW-1030 prevents computer worms
85. ation skills. If my barber needs certification, why shouldn't an information security professional who may be securing highly critical infrastructure? The problem is not enough people understand what a particular certification really means. No one credential qualifies anyone for every situation. Credentials must be mapped to job skills, which should be mapped to the position. After all, without examinations college degrees would be easy. The same principle applies to certifications.

Not all certifications are created equal either. Like ours, there are certifications that require validated work experience, professional endorsement, adherence to a Code of Ethics and require continuing professional education. Certified staff offers organizations additional protection in meeting regulatory compliance or in governance-related lawsuits. It also can help reduce risk involved with new projects and technologies enterprise-wide. I think it increases cooperation between security employees throughout your organization with standardized practices and terms.

What challenges does (ISC)² face in the global certification market? What are your advantages?

Challenges include languages and the translations necessary to remain an international organization. Our test questions are developed in English and undergo very detailed examination, and are often difficult to convert into different languages. We also have to understand the c
86. ations will provide a cost-effective solution that proves to be scalable in an enterprise environment. The most cost-effective solutions can be deployed as software, a soft appliance, a hardware appliance or any combination of the three, depending on security and operational requirements for each system. The ability to deploy a completely green solution, coupled with deployment flexibility, makes these solution alternatives very cost-effective, also for shared hosting and virtual server environments. The green solution is not going away. There's too much at stake.

In a data warehouse, users may search among 100 million encrypted records, or maybe five billion records. It's crucial how much time is consumed for each decryption, since a person may wait for hundreds or millions of records to be decrypted before the answer comes back. If you do it locally, close to the data, you may have a response time of around five microseconds for each record, and then you multiply by 100 million if you have 100 million records, and so on. Compare those five microseconds for local encryption to the case of remote encryption. You may have a thousand times greater latency and total processing time, so if you add up that time the user may wait for an hour instead of one second.

In online transaction processing one user may not see a difference between local and remote encryption. If one user is looking for one record in the datab
87. authentication procedure. The first commercially available PUF-based RFID IC operates at 13.56 MHz and is based on the ISO 14443 type A specification. Although this first implementation uses a specific frequency and a command set, we note that the same PUF technology can be integrated into RFIDs that operate at other frequencies. The first implementation was designed to be the simplest passive RFID tag, in order to demonstrate that the PUF-based authentication is feasible even in low-cost tags. This passive RFID IC operates just like a regular RFID IC for storing a unique identifier or EPC code; the PUF circuit is activated only for authentication.

To allow an RFID reader to access the PUF, the RFID chip supports one new command: CHALLENGE. On a CHALLENGE command the chip accepts a 64-bit challenge from the reader, internally produces a 64-bit response for the given challenge and returns the response bits to the reader. Also, the existing READ and WRITE commands in RFIDs can be used as the PUF commands: a WRITE into a specific address can be interpreted as the challenge command, and a READ from a specific address can be interpreted as the response command.

PUF-based unclonable RFID provides the following advantages:

Highly secure: the RFID chip itself cannot be cloned. The responses to challenges are generated dynamically and are volatile. Volatile information is much harder t
88. ber warfare examined, including terrain, mobility, ease of conscription, surprise, duality of knowledge and the use of force, appear to favor the offense. In contrast, firepower favors the defense. Not only do these characteristics favor the offense, they also lower the costs of becoming a military power, albeit an asymmetric military power. As stated earlier, during the Cold War nation-states invested tremendous amounts of raw materials, human capital and money in order to develop robust conventional or nuclear forces. This high barrier to entry prevented all but a handful of states from becoming a global military power. However, the advent of cyber warfare drastically lowers the inherent costs of becoming a military power. As demonstrated by the attacks in Estonia and Georgia, all that is required to wage a digital war is a cadre of technically sophisticated individuals willing to organize a larger population of motivated patriots with access to low-end computing resources and an Internet connection.

Therefore, as a nation-state deploys cyber warfare strategies, tactics and weapons, its rivals will feel more insecure. This pattern accurately describes the security dilemma, which states that any actions taken by a nation-state to increase its own security will result in a decreased sense of security in its rivals. History demonstrates that when the security dilemma has been exacerbated and the offen
89. bers and bank web site logins are traded in a bazaar-like environment, thus lowering the bar of technical expertise required to get involved in criminal activity.

Armed with the knowledge that new technologies are built before they are built securely, cyber criminals have identified Web 2.0 sites and technologies as a primary target in 2009. Clickjacking is one of the more serious of those threats because of the level of stealth that can be employed when a vulnerable application is exploited. The user being victimized will likely have no idea that they may be interfacing with a malicious application set up for the sole purpose of compromising their sensitive data.

From a user's perspective it is also important to remember that the sky is not falling. Despite the attention that Clickjacking has been getting, there are currently very few exploits in the wild taking advantage of vulnerable applications, and those exploits that do exist are mostly proof-of-concept quality. This is not to trivialize the potential for more widespread activity, but rather to temper the amount of fear, uncertainty and doubt that almost inevitably arises when a particular threat receives a lot of attention.

Sam Masiello is the VP of Information Security at MX Logic (www.mxlogic.com), where he oversees the MX Logic Threat Operations Center. In this role he represents the company's primary resource for monitoring and predicting threat trends, offering i
90. business-essential HTTPS connections and explicitly permit them in your access controls. Exercise some prudence and flexibility by permitting specific non-business HTTPS sites (e.g. government services, Internet banking) that employees may need to access. A comprehensive study of permissible HTTPS sites must be conducted before implementing a complete whitelist. A change control process should be in place to facilitate the addition of new HTTPS requirements as and when they arise.

Monitor HTTPS communications traversing your perimeter. This proposition does not imply scrutinizing every single HTTPS connection and the data being exchanged, as this may constitute a breach of privacy in certain countries. Collect HTTPS statistics (e.g. source, destination, timestamp) on a monthly basis to assist in identifying anomalies or suspicious outbound connections. It is as simple as performing lookups on destination addresses that are not familiar, for verification. Suspicious connections would warrant further examination. HTTPS inspection may be justified if you susp

[Figure: screenshot of a command prompt session (C:\WINNT\...) launching an executable]

You don't believe that these activities are occurring in your organization? Review your logs and you may be in for a surprise.

Companies need to shake off their false sense of security and get down to the basics. Technologies assist with protecting the organization's prized resources, but it is the ef
91. by management tiers. Reporting should start at a high level, detailing risk and compliance statuses for the enterprise and individual lines of business. Take care when aggregating enterprise risk and compliance statuses to provide a high-level executive view. It can be difficult to accurately accomplish this task due to the complexity of the underlying reporting. The executive dashboard should also include security metrics and trending. Management needs the ability to drill down from high-level reporting to specific issues within underlying populations, subjects and findings. That functionality is crucial. Include a link to the reporting methodology document at the bottom of the screen for quick reference.

Consider the audience

Reporting by tiers is an effective way to present information in a manner that is meaningful to each audience. Report findings must be actionable.

• Company executives want to know the state of risk and compliance throughout the enterprise. Reporting at this level may be presented to shareholders and the audit committee.
• Line of Business management needs coordinated reporting from security teams to understand what the issues are and how they can impact business. Once an issue is confirmed it is necessary to offer a solution, ideally with options.
• IT managers need reporting by population and low-level details used by their reports to resolve findings.

Individual contr
92. cies under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. BitLocker To Go is fully integrated into Windows 7 and you can turn it on in Windows Explorer via a memory stick's context menu, which contains a list of options. Then, before Windows can encrypt the flash drive, you have to choose a password or smart card that will later be required to unlock the device. You can also store a recovery key in a file and print it. This key is of course necessary in cases where the password has been forgotten. If this happens, clicking on "forgot my password" leads to BitLocker prompting the user to enter this recovery key. This way you can unlock the flash drive. A drawback, however, is that this feature is only available in the Windows 7 Ultimate and Enterprise editions.

Finally, regarding this issue I must refer to the news from 2008 of an attack method that allows a BitLocker-protected machine to be compromised by booting it off a USB device into another operating system after it is shut down. The contents of the memory are then dumped. In these circumstances the RAM retains information for up to several minutes, and this period can even be lengthened if the memory temperature is maintained at a very low level by active cooling. The simple use of a TPM module does not offer the protection needed because the keys are held in the memory while Windows
93. common approach to securing sensitive locations is to hide them from users by not publishing a link to them. This really fails to provide any level of security, because automated tools will discover these locations and allow attackers to access them directly. If the location contains sensitive information (i.e. backups) or functionality (i.e. admin), you must provide strong access control mechanisms that ensure users accessing the location are authorized to do so. The authentication and authorization checks must not be a one-time check; each step taken by a user using sensitive functions must be evaluated. A real-world example of a failure in this kind of system would be the T-Mobile website hack (2005), which led to Paris Hilton's account being compromised. The password reset functionality of the T-Mobile website required a user to prove who they are by providing their phone number; the site would send them a unique token to enter into the site before they progressed to a password reset page. The problem with the site design was that it assumed users would only ever access the password reset page if they had been authenticated. An attacker called Luckstr4w found that if you browsed directly to the password reset page, you could reset the account's password without providing any evidence of who you were. The rest, as they say, is history. You have to assume that if your resource is accessible to any of
94. countability is critical to remediation.
• Support compliance with laws, regulations and contracts.

The process of gathering existing reports also identifies reporting points of contact and data sources. Take note of each. Begin documenting a reporting methodology at this phase as well.

Risk vs. compliance
Business management may be of the mindset that compliance is an ideal state, similar to nirvana. Identify which mandate each control corresponds to. When a control is tied back to an external requirement, management may support compliance to avoid penalties. Risk can be subjective, which is where a well-documented reporting methodology becomes crucial. Executives want reporting in relatively simple terms. The use of high, medium and low findings with corresponding red, yellow and green colors is common. Include supporting data as well. Create a reporting methodology based upon sound principles, with management as the intended audience.

II. Identify reporting types

Baseline controls
It is necessary to have well-defined information security standards before reporting compliance status. Start by establishing a control baseline in accordance with regulations, laws and contractual obligations. A control baseline also clarifies policy into specific requirements. Refer to NIST SP 800-53 as an example. Use a control framework such as ISO 27002 or COBIT to bolster the baseline. Conduct a risk assessment to close remaining g
95. ctors above are taken into consideration. Is the additional risk of developing a custom system acceptable?

Build vs. buy
Many projects have made the build vs. buy decision purely based on misconceived notions from management about one option or the other. This is a decision that requires analysis and insight. Why re-invent the wheel if several vendors already sell what you want to build? Use Build or Buy Analysis to determine whether it is more appropriate to custom build or purchase a product. When comparing costs in the buy or build analysis, include indirect as well as direct costs in both sides of the analysis. For example, the buy side of the analysis should include both the actual out-of-pocket cost to purchase the packaged solution as well as the indirect costs of managing the procurement process. Be sure to look at the entire life cycle costs for the solutions.
• Is the additional risk of developing a custom system acceptable?
• Is there enough money to analyze, design and develop a custom system?
• Does the source code have to be owned or controlled?
• Does the system have to be installed as quickly as possible?
• Is there a qualified internal team available to analyze, design and develop a custom system?
• Is there a qualified internal team available to provide support and maintenance for a custom developed system?
• Is there a qualified internal team available to prov
96. d www.gridsure.com

AEP Networks launched AEP SecComm Personal, a unique communications platform that delivers enhanced grade encryption to remote work forces. The technology is eminently portable, coming as it does in a small yet robust computer bag. It's plug-and-play, so users do not need any degree of technical skill or expertise to get the product up and running and then connect to the available networks.

The small, durable and easily transportable Hard Disk Crusher can crush over 60 disks an hour. It drills through the hard disk's spindles and physically creates ripples in the platters, making it impossible to recover the data. The HDC V can destroy a disk and the one on it in Uan seconds without the need of a peripheral PC or worksta

Breach Security and Evolution Security Systems jointly released their 2008 UK PCI Compliance Report. Surveying UK organizations across a variety of market sectors, including healthcare, government, e-commerce, finance and banking, the report findings indicate that PCI compliance is important to eight in 10 UK organizations. Further, 57 percent are either PCI compliant or actively working toward becoming compliant. While this represents progress, it also indicates that the UK is trailing the US in adoption of PCI compliance. www.breach.com

Hardware encrypted drive for Mac users
Kingston announced that its DataTraveler Vault P
97. d In Windows 7, even the icons and messages presented by the UAC are more low profile. However, it should be noted that it prompts when programs try to make changes, but not when the user does this by himself.

[Screenshot: User Account Control dialog "Do you want to allow the following program to make changes to this computer?" for Sysinternals Utilities, verified publisher Microsoft Corporation, file origin: hard drive on this computer] UAC notification

The Windows 7 UAC settings have changed and give you more control. There is a slider option to change the level of notifications and there are a couple of pre-defined options to choose from. Indeed, from the picture provided, you will see that the user can navigate to the UAC settings and change how these notifications appear. Of course, administrators can pre-define these levels.

[Screenshot: User Account Control settings slider, "Choose when to be notified about changes to your computer": Always notify; Default: Notify me only when programs try to make changes to my computer; Don't notify me when I make changes to Windows settings; Recommended if you use familiar programs an
98. d and contributed to various open source initiatives and working groups.

What projects do you support and why?
For a variety of reasons I am not going to mention them by name. We do a lot of vulnerability research and much of that is working with a variety of open source projects. We enjoy fantastic relationships with the OSS developers and we contribute to helping many of them make their products more secure on an ongoing basis. We consider it as a part of training new engineers and doing research on new tools, QA on tool updates and other integrated work on the business. Instead of doing those things with no outcome, we often use OSS projects as the basis for the work and then share our findings, new security vulnerabilities and other results with the project leaders. That way everyone wins. We also have a large set of tools that we contribute to the community. Our web site is currently being revamped to feature them more prominently, but we have a number of free software tools that we give away when you attend our events or speaking engagements. We also maintain the stateofsecurity.com blog, the honeypoint Twitter feed of ongoing attack sources in real time, and publish our State of the Threat presentations that we have been giving ongoing for more than five years. The why is easy. The community has given so much to us over the last nearly 20
99. d it to three parallel tracks, so they must find a new place to host it. As Amsterdam is not able to host three parallel tracks, it is very likely that European Black Hat will move to Barcelona next year. As this is one of the rare quality technical conferences, this represents very good news for participants, because they can expect a lot more content than before. If you still aren't sure about going to the conference next year, I'll make it easy for you: go. Especially if you are into information security on a technical level.

Jeff Moss (Dark Tangent), director of Black Hat
On the last day of the conference we talked with Jeff Moss, also known as Dark Tangent, director of Black Hat, about the Black Hat conference and its future.

Today is the last day of Black Hat, are you satisfied with this year's conference?
In short, yes, I'm satisfied. It is a good year. The current economic situation does not help, but I'm very satisfied with the content. There were quite a few surprises this year. Even though every year I feel there is place for improvement, I also feel we are getting better as well. This is the best year for Amsterdam so far.

What lecture did you like this year? Is there any specific talk you want to mention?
We have only two tracks in Amsterdam, so we have to choose lectures carefully. I would have to say RFID training, because RFID technology is used in passports nowadays. Also I would like to
100. d leveraging the powerful Tor network that provides security and anonymity. They named this security mechanism Smart Surfing. It is directly built into the browser and you can switch it on and off with a click.

[Screenshot: browser toolbar] Smart Surfing toggle on/off

If you are not familiar with the concept of Tor: by using this Secure Sessions service your data goes from a secure encrypted tunnel to IronKey's servers and then it is rerouted to its final destination. When packets are coming into their data centers, the actual destination is tested against a local DNS database, so pharming and phishing ploys are automatically intercepted. As Tor is using multiple network routing servers, your online surfing habits will automatically be made anonymous. Surfing in this way will be secure, but naturally a bit slower because of the multiple routings. Keyloggers won't be a threat if you deploy a built-in virtual keyboard, which can be opened through a keyhole icon in the top right corner of Mozilla Firefox. Input works as a charm, perfectly fitted when you need to use shared computers.

[Screenshot: IronKey Identity Manager window listing saved items with Link and Auto Login columns] Newly released Identity Manager application
101. d mainframe environments, Windows, Unix, Linux and now IBM i, making it easier for enterprises to integrate and automate business information security with end-to-end encryption.

Data protection and vulnerability management solutions from Lumension
Lumension announced the next iterations of its Lumension Endpoint Suite and Lumension Vulnerability Management Suite. Key benefits of the Lumension Endpoint Suite include validated encryption capabilities via in-process FIPS 140-2 certification, expanded OS platform and virtualization support. www.lumension.com

Trend Micro's Web security services will be made available to users of both PS3 and PSP. With the increasing number of gamers now connected to the Web, Sony has taken the precautionary step to provide their handheld and video game console users with protection against online crime. www.trendmicro.com

Innovative authentication for Microsoft IAG
GrIDsure's authentication solution for Microsoft's Intelligent Application Gateway (IAG) allows users to authenticate themselves by remembering a minimum of a four-block sequential pattern on a five-by-five grid, known as a Personal Identification Pattern (PIP). Users just enter a randomly generated number on the keypad that corresponds to their PIP on the gri
102. d to attack Estonia was comprised of as many as one million infected computers located in various countries, including the US. This type of distributed botnet allows an aggressor to rapidly converge on a target from multiple locations in near real time. It therefore appears that cyber warfare is highly mobile and, when it is combined with the reliance on surprise, favors the offense.

Ease of conscription
In "Offense, Defense and War", Stephen Van Evera states that technologies that favored mass infantry warfare (e.g. cheap iron allowing mass production of infantry weapons) strengthened the offense, because large mass armies could bypass fortifications more easily. In cyber warfare, the ease of constructing large botnets parallels the ease of raising and arming large armies. Returning to the example of Estonia, the attackers were able to quickly raise an army of as many as one million bots in a matter of days. In another example, in March 2006 attackers were able to generate as much as 1.3 gigabits per second during an attack against German domain registrar Joker.com. Even targets with firewalls and other sophisticated defenses in place would have a difficult time defending against this gigabit-level Distributed Denial of Service (DDoS) attack. As Joker.com noted, the DDoS attack "was enough to overload our lines, causing communication problems between our border routers and the upstream providers and thereby interru
103. d visit familiar websites; Never notify] The UAC slider

Microsoft is committed to the UAC because it increases overall security and also forces application developers to not only remove the annoying messages which are presented to users, but also to create more secure and user-friendlier applications with less demand for critical privileges. As an increasing amount of software is now being built to support the UAC, it is likely that this tool will work much better in Windows 7 and beyond. Indeed, the overall UAC experience is much improved in the new OS. Fewer clicks and messages are presented to the user, while having control over matters that are happening on your machine is provided in a way which limits the number of user interactions needed. As I have already made clear, running a machine without higher privileges can sometimes be extremely challenging, since many applications still expect this wide-ranging level of control in order to run correctly. Whatever the case, I don't recommend the disabling of the UAC. It is here to stay and we have to deal with it in the most appropriate and manageable way.

Increased support for strong authentication
Compared to the alternatives, working with passwords is a weak protection method. Brute force attacks, dictionary attacks etc. are some of the weaknesses of this approach. Indeed, for many organizations single-factor authentication (user
104. dible amount of configuration to be done on the AirPcap device. These configuration options are stored on a per-adapter basis. The configurable options include:
• Interface: Select the device you are using for your capture here. Some advanced analysis scenarios may require you to use more than one AirPcap device to sniff simultaneously on multiple channels.
• Blink LED: Clicking this button will make the LED lights on the AirPcap device blink. This is primarily used to identify the specific adapter you are using if you are using multiple AirPcap devices.
• Channel: In this field you select the channel you want AirPcap to listen on.
• Extension Channel: This option is only available on 802.11n-capable AirPcap devices (AirPcap nX) and allows you to select an extension channel.
• Capture Type: The options are 802.11 Only, 802.11 + Radio and 802.11 + PPI. The 802.11 Only option includes the standard 802.11 packet header on all capture packets. The 802.11 + Radio option includes this header and also a radiotap header, which contains additional information about the packet such as data rate, frequency, signal level and noise level. The 802.11 + PPI option includes all of the previously mentioned data along with information for multiple antennas, when supported.
• Include 802.11 FCS in Frames: By default, some systems strip the last four checksum bits from wireless packets. This checksum, known as a Frame Check Seq
105. ds the Acrobat PDF parser (AcroRD32.dll). If the PDF document contains a malformed JBIG2Decode stream object, it will result in an access violation in the instruction at 0x01A7D89A.

Reader 9.0 installed, there is absolutely no user interaction required to trigger the JBIG2Decode vulnerability. When the PoC PDF file is on the disk, it will be indexed by Windows Indexing Services and the buggy JBIG2Decode code will be executed.

[Screenshot: Process Explorer (Sysinternals) showing SearchFilterHost.exe (Microsoft Windows Search Filter Host) with AcroRd32.dll (Adobe Reader 9.0, version 9.0.0.332) and AcroRdIF.dll (PDF Filter) loaded]
106. e.com/home.html?day=Monday

If we assume that the example site hasn't implemented output validation for the day parameter, a malicious user could replace Monday with anything they wanted to. The parameter's lack of validation could be exploited with something like this:

www.examplesite.com/home.html?day=<script>alert(document.cookie)</script>

If a user were to access this URL, a pop-up that contained their cookie for the example site would appear. This is a simple example, but a malicious user could silently steal the cookie rather than show it to the user in a pop-up box. If the site had implemented URL encoding, the threat posed by cookie-stealing JavaScript would have been nullified, as I have shown below:

www.examplesite.com/home.html?day=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

A second type of encoding that should be considered is HTML Encoding. The first encoding we looked at covered encoding of data in a URL. If your data is going to be entered into a HTML page, you should employ HTML Encoding. I have included two sets of code below. The first piece of code has no output validation, which could leave it vulnerable to attacks such as Cross Site Scripting.

    #!/usr/bin/perl
    use CGI;
    # Read the username parameter and echo it back without any output encoding
    my $cgi = CGI->new;
    my $name = $cgi->param('username');
    print $cgi->header;
    print "You entered $name";

The code will accept any text into the username param
107. e forces is needed because it is widely assumed, without critical analysis, that cyber warfare is inherently offensive. US Federal Government officials have widely acknowledged that both government and private sectors are under sustained attack and

cyber warfare is inherently offensive by testing its key characteristics. Attributes of cyber warfare will be examined with an eye towards determining whether they favor the offense or the defense. This analysis will in turn be used to determine whether the creation and deployment of cyber warfare strategies, tactics and weapons creates instability in the international system and makes war more likely.

Characteristics of cyber warfare
In an effort to determine its offensive or defensive nature, the following seven characteristics of cyber warfare will be analyzed: terrain, mobility, ease of conscription, surprise, duality of knowledge, use of force and firepower.

Terrain
As Jervis notes, "anything that increases the amount of ground an attacker has to cross, or impedes his progress across it, or makes him more vulnerable while crossing, increases the advantage accruing to the defense." In the context of cyberspace, natural fortifications like oceans and mountains do not exist. Nation-states are connected by fiber optic cables delivering 1s and 0s at the speed of light. As a result, attackers can deliver malicious code to a targeted system i
108. e more options and therefore encourages the use of force. As a result, it is possible conflict will be more frequent. While digital conflicts are typically not bloody, frequent cyber attacks between adversaries may well lead to escalations of force that result in conventional military conflicts.

Firepower
While the above attributes favor the offense, firepower appears to favor the defense. According to Stephen Van Evera, technology that gave defenders more lethal firepower (e.g. the machine gun) strengthened the defense. Cyber warfare strategies, tactics and weapons that target SCADA systems, which operate critical infrastructure like power grids and oil and gas pipelines, could generate massive firepower through their capacity to effect massive economic and physical damage. Their generation of firepower could result in mutually assured destruction as nation-states begin to understand the threat to critical infrastructure posed by a rival's cyber warfare arsenal. This sense of mutually assured destruction appears to favor the defense, as nation-states will be deterred from launching a first strike cyber attack for fear of an in-kind response.

Prospects for instability
Although the above list of cyber warfare characteristics is not exhaustive, on balance they demonstrate that cyber warfare is decidedly offensive. The key characteristics of cy
109. e relevant and detailed information. In the Windows 7 UAC the defined standard user can adequately perform most daily tasks, such as using business applications, browsing the Internet and typing a letter in a word processor. Indeed, the only time a user will be confronted with a dialog box will be in circumstances where he or she is asked to provide appropriate credentials, if they are required.

[Screenshot: Date and Time settings dialog (time zone UTC+01:00 Brussels, Copenhagen, Madrid, Paris) and a UAC prompt for WindowsGrep23.exe, publisher unknown, program location C:\WindowsGrep23.exe] UAC warning message

In many cases it will be perfectly clear to the user that a prompt will appear, because the setting will have an icon in the form of a shield next to it. This indicates that higher privileges are require

that the default user account created during the installation of Windows 7 is still a protected user, albeit with slightly different UAC settings. This default user is only faced with
110. ecently happened to Amazon.com when people started to tag #AmazonFail not only on Twitter but lots of other social media as well. Amazon created an online uproar when a technical glitch caused gay and lesbian books to have their sales ranking removed and the books be classified as adult, thus making the books harder to locate in a search (bit.ly/14miGx). In just 24 hours the reaction was swift. The hash tag #AmazonFAIL was the number one search term on Twitter, a Facebook group was created that had 1,200 members, and there were 5,000 blog posts about the issue. Talk about putting your company in damage control overdrive. While this was eventually corrected by Amazon and apologies were given, it goes to show what could happen when people want to spread viral complaints or misinformation about your company. Just think if these were positive things being said about your company. Unfortunately, as we all know, bad news gets around more than the good news.

What's out there about your company?
A recent Sophos poll (bit.ly/tL8f2) revealed that 63 percent of system administrators worry that employees share too much personal information that could put your company information at risk. As an example, let's take a look at the three most popular social media and networking web sites that may have your specific company's confidential or proprietary information.

LinkedIn groups and company profile
111. ect activities resembling misuse or malice. This can be performed using SSL inspection tools available in the market for valid investigation purposes.

Conclusion
fective policies and willing employees that form a strong foundation to reducing the risk of compromise. HTTPS was designed to provide point-to-point integrity, but like any other protocol it unfortunately has its hazards; thus companies cannot block it entirely but have to supervise it.

Mervyn Heng, CISSP, is a Security lead for the Asia Pacific region in a large American computing hardware manufacturer. His main responsibilities include performing security risk assessments and infrastructure reviews, as well as carrying out incident handling and forensic investigations. When he is not hunting for loopholes, Mervyn is busy with his many hobbies such as photography and sports.

JOIN US
OWASP is a free and open community dedicated to improving application security for everyone. You'll find free tools, books, articles, best practices, mailing lists, conferences and local chapters around the world to help you build secure code. www.owasp.org

Software spotlight
EULAlyzer 2.0 (www.net-security.org/software.php?id=754)
EULAlyzer can analyze license agreements in seconds and provide a detailed listing of potentially interesting words and phrases. Discover if the software you're about to install displays pop-up ads
112. ed about the Heartland breach. What we have learned is something that many of us already know: compliance does not equal security. Credit card payment processors such as Heartland are already bound to follow a set of security standards known as the Payment Card Industry Data Security Standard (PCI DSS), covering issues such as maintaining secure networks, protecting stored cardholder data and keeping antivirus software up to date. Heartland was certified as PCI compliant last year, and other recent victims of break-ins, including RBS Worldpay, can make similar claims. The latest news reports that the malware was set to grab and transmit data, possibly looking for transmissions that represented authorization requests that were unencrypted while in transit over private networks. So Heartland could have been 100% compliant with PCI DSS while its systems harbored a known weakness in the standard that hackers have now targeted.

Bill Homa, who stepped down as the CIO for the Hannaford retail chain after the company suffered a data breach in February 2008 that exposed 4.2 million payment card records, told Storefront Backtalk (www.storefrontbacktalk.com) that he considers Microsoft's OS to be "full of holes." "If you limit your exposure to Microsoft, you're going to be in a more secure environment," adding that Microsoft's philosophy is decentralized, forcing IT to manage more points. That means m
113. ed technical program for security professionals, system and network administrators and researchers.

Frank Adelstein & Golden G. Richard III on Learning Reverse Engineering: A Highly Immersive Approach (2-Day Class)
Patrick McDaniel & William Enck on Building Secure Android Applications
Phil Cox on Securing Citrix XenServer and VMware ESX Server
Keynote Address: Rich Cannings and David Bort of Google on the Android Open Source Project
Jeremiah Grossman (WhiteHat Security) on Web Security
Alexander Sotirov on Modern Exploitation and Memory Protection
David Dagon (Georgia Institute of Technology) on bots

EVT/WOTE '09: 2009 Electronic Voting Technology Workshop / Workshop on Trustworthy Elections, August 10-11, 2009
CSET '09: 2nd Workshop on Cyber Security Experimentation and Test, August 10, 2009
WOOT '09: 3rd USENIX Workshop on Offensive Technologies, August 10, 2009
HotSec '09: 4th USENIX Workshop on Hot Topics in Security, August 11, 2009
MetriCon 4.0: Fourth Workshop on Security Metrics, August 11, 2009

26 refereed papers presenting the best new research in a variety of subject areas, including malware detection and protection, securing Web apps and applied crypto.
114. edium is that the industrial spy can create an account using fake particulars, host the stolen information offsite and the buyers collect their goods without the need to physically meet.

Anonymous web proxies hosted externally by third parties furnish unauthorized Internet access to users.

Easy to use
These Anonymizers are prohibited from functioning effectively using web filtering technologies that block access to these domains. These bypass tools have evolved to circumvent these filtering instruments, and UltraSurf is the most powerful one that is readily available on the Internet. It is a standalone executable application that can be launched without needing to be installed. The feature that differentiates it from other Anonymous Proxy tools is the use of possibly compromised DSL machines to relay outbound HTTPS requests. The use of Zombies to act as web proxies is very sophisticated, as most enterprises do not block DSL IP address blocks.

[Screenshot: Active Ports window listing the local process's outbound TCP connections]

A user may na
115. ehaviors that normal users don't or shouldn't do, but that we know fit common behaviors of malware or human attackers. I am a strong believer in the idea that we have to turn the tables on attackers and take away their ability to act with confidence. If they can't scan the network for targets, that reduces their target set. If they can't access data on the servers and workstations because they don't know which ones are real and which ones are HoneyPoint Trojans, then their capabilities are reduced again. If they are sniffing the network and our HoneyBees are putting fake credentials on the wire, then they don't know what accounts are real and what ones will trigger alerts. Basically, we keep chipping away at their capability to know what is real and what is a trap until they become significantly less of a risk, because we have reduced their options drastically.

You are very active both on Twitter and on your blog. How have these means of communication shaped the way MicroSolved does business?
Twitter and other social networks have been great for us. We are big fans of Seth Godin and the idea of building a tribe. We have been able to grow the business even in down economies because we have focused on the idea that every single thing we do needs to bring value to customers and the tribe in general. Our partners often say that we are too focused on the clients and that we give a
116. elopment.co.uk WWW.MISTIEUROPE.COM, +44 (0)20 7779 8217, AMCPARTLAN@MISTIEUROPE.COM. Hear how other organisations are ensuring that their security strategy remains focused, uncompromised and integral to the business: managing threats day to day and preparing for the future; be assured you aren't missing any tricks on how to manage information security through periods of extensive change and development; ROI to deliver information security projects; linking with internal and external customers; building teams that return money to business lines. Unique learning via case studies, high profile keynotes, panel debates and roundtables will probe the CISO role and realities. The CISO Roundtable is the unrivalled benchmarking forum for open debate into security's hottest challenges of the day with thought leaders. Includes a NEW closed session where you can safely share solutions on existing security incidents. Build trust based relationships with your security peers. Expand your global security network with professionals who face the same set of challenges as you at Europe's premier event for CISOs. Enterprise risk and compliance reporting, by Gideon Rasmussen. Modern companies are challenged by the need to demonstrate compliance, mitigate risk and fund security initiatives. Reporting is the pursuit of simple truth. Like with many technical challenges, t
117. em or what to do with the results the tool generates, leading to the second stage. 2. The Pit of Despair. After a relatively brief period of panic, companies revisit their security investments and find the money they have spent has had only a minor impact on their security. A few areas of the company may have benefited from the efforts, but overall security is not pervasive in either the IT or business aspects of the organization. The organization becomes security depressed as it bemoans T&T investment and languishes while pondering what to do next. During this stage organizations often see a reduction in tools usage as they try to figure out how to best leverage the investment made [Figure: ASM model plot, Tools & Technology (Low to High) against People & Process, marking the Pit of Despair] or rethink it altogether. Typically at this stage they do begin to invest in staff training, improved processes and utilization of security experts to help with planning and assessments. However, they also tend to lower their budget on the tools and technology side. Without major returns, and faced with continual threats, companies will remain in this stage until a major security mind shift occurs. As procedures are detailed and driven by new security awareness and requirements, senior business and IT staff finally begin to understand the critical need to invest in long term and company wide security hygiene. Often, after enlisting the help of t
118. emag.com (IN)SECURE Magazine contacts. Feedback and contributions: Mirko Zorz, Editor in Chief, editor@insecuremag.com. Marketing: Berislav Kucan, Director of Marketing, marketing@insecuremag.com. Distribution: (IN)SECURE Magazine can be freely distributed in the form of the original, non-modified PDF document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited without the explicit permission from the editor. Copyright HNS Consulting Ltd. 2009. Qualys adds Web application scanning to QualysGuard. Qualys added QualysGuard Web Application Scanning (WAS) 1.0 to the QualysGuard Security and Compliance Software as a Service (SaaS) Suite, the company's flagship solution for IT security, risk and compliance management. Delivered through a SaaS model, QualysGuard WAS delivers automated crawling and testing for custom Web applications to identify most common vulnerabilities such as those in the OWASP Top 10 and WASC Threat Classification, including SQL injection and cross site scripting. QualysGuard WAS scales to scan any number of Web applications, internal or external, in production or development environments. www.qualys.com. Integrated protection for smartphones: Kaspersky Mobile Security 8.0. The new version of Kaspersky Mobile Security provides protection against the wide range of threats facing smartphone users. For instance, SMS Find can locate the exact whereabouts of a lost sm
119. ents. This end to end encryption may utilize partial encryption of data fields and can be highly cost effective for selected applications like an e-business data flow. End to end encryption is an elegant solution to a number of messy problems. It's not perfect; field level end to end encryption can, for example, break some applications, but its benefits in protecting sensitive data far outweigh these correctable issues. The capability to protect at the point of entry helps ensure that the information will be both properly secured and appropriately accessible when needed at any point in its enterprise information life cycle. End to end data encryption can protect sensitive fields in a multi-tiered data flow, from storage all the way to the client requesting the data. The protected data fields may be flowing from legacy back end databases and applications via a layer of Web services before reaching the client. If required, the sensitive data can be decrypted close to the client after validating the credentials and data level authorization. Today PCI requires that if you're going outside the network you need to be encrypted, but it doesn't need to be encrypted internally. If you add end to end encryption, it might negate some requirements PCI have today, such as protecting data with monitoring and logging. Maybe you wouldn't have to do that. The PCI Security Standards Council is looking at that in 2009.
120. er. Windows Vista had more impact on businesses and needed a solid plan of approach before users started to migrate to it. With Windows 7, Microsoft wanted there to be compatibility with Vista, a performance increase and an improvement of certain crucial features which Vista already offered. Windows 7 RC performs better than its predecessor, has an updated interface and offers more fine tuned functionality. Nevertheless, I haven't been able to discuss all of the detailed changes in security here. Combined features like Forefront Security, more Group Policies to give you greater control over specific settings, and Internet Explorer 8 are all important enhancements. Reading this article will, however, hopefully have given you an overview of the changes that Microsoft has planned for Windows 7. Rob Faber, CISSP, CFI, CEH, MCTS, MCSE, is an information security consultant working for Atos Origin, a global company and international IT services provider based in the Netherlands. His specialization and main areas of interest are Windows platform security, Microsoft Directory Services, certificate infrastructures and strong authentication. He maintains his own weblog at www.icranium.com. You can reach him by e-mail at rob.faber@atosorigin.com or rob.faber@icranium.com, or you can find him on the LinkedIn network.
121. er and day of registration. Although many prices seem steep at first glance, if you come for the training or to the conference once, it is very likely that you'll come next year as well. Believe me, you won't ask for the price. Black Hat events are held in the USA, Europe and Japan on an annual basis. From the very beginning, the European Black Hat is held in Amsterdam, more precisely in the Movenpick hotel close to the main station in Amsterdam. Same as last year, Black Hat was divided into two parts. The first part was reserved for training, which took place during the first two days of the event. The second part included the briefings. Trainings are like workshops that focus on a specific topic, where authors of tools or methods teach you in a very detailed way how to take advantage of it. This time around, trainings covered a wide range of topics, from testing RFID security to SAP penetration testing. Zac Franken and Adam Laurie held a very interesting training session about RFID security. Both men are legends in the security field. During two days they taught RFID security and demonstrated man in the middle (MiTM) attacks using RFID. [Photo: Adam Laurie] Another compelling training session was about hardware hacking, led by Joe Grand, also known as Kingpin. Attendants learned how to open hardware devices and perform security analysis on them. Four new vulnerabilities were disclosed during
122. ermine a hacker's profile on the basis of his behavior or types of intrusion. The CERT C Secure Coding Standard, by Robert C. Seacord, Addison-Wesley Professional, ISBN 0321563212. This book is an essential desktop reference documenting the first official release of The CERT C Secure Coding Standard. The standard itemizes those coding errors that are the root causes of software vulnerabilities in C and prioritizes them by severity, likelihood of exploitation and remediation costs. Each guideline provides examples of insecure code as well as secure alternative implementations. If uniformly applied, these guidelines will eliminate the critical coding errors that lead to buffer overflows, format string vulnerabilities, integer overflow and other common software vulnerabilities. CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy and Intolerant Perspectives, by Ron Collette, Michael Gentile and Skye Gentile, Auerbach Publications, ISBN 1420089102. This book presents tools that empower organizations to identify those intangible negative influences on security that plague most organizations, and provides further techniques for security professionals to identify, minimize and overcome these pitfalls within their own customized situations. The book also discusses some proactive techniques that CISOs can utilize in order
123. ervice. [Screenshot: Search Companion, Indexing Service dialog: "When Indexing Service is enabled, the files on your computer are indexed and maintained while your computer is idle, so you can perform faster searches. Indexing Service is currently disabled. Do you want to enable Indexing Service? Yes, enable Indexing Service / No, do not enable Indexing Service"] Although the service runs under the Local System account, the actual calling of the IFilters is done in a separate process that runs under the Local Service account; this account has fewer privileges and can't take full control of the machine. I've not analyzed other applications using IFilters. If you use SharePoint or another IFilter supporting application and you want to be safe, unregister the Acrobat IFilter. And don't forget that, depending on your Windows version and CPU, you're also protected by technologies like DEP and ASLR. Google Desktop Search doesn't use IFilters unless you've installed a special plugin to add IFilter support to Google Desktop Search. Conclusion. It's possible to design malicious PDF documents to infect your machine without you ever opening the PDF file. I've yet to see such a malicious PDF document in the wild. Be very care
124. es the management experience in enterprise organizations. There is an option to switch between Public, Home and Work networks, and whenever you connect to a new network Windows will ask what kind it is. Each network has its own firewall profile, which allows you to configure different firewall rules depending upon the security requirements of a user's location. You can use the Windows Firewall with Advanced Security snap-in filter to display only the rules for specific locations. The corresponding firewall rule sets are Public (Public), Private (Home, Work) and Domain (when a domain connected workstation detects a domain controller). Where Vista distinguishes between Public and Private networks, Windows 7 works with Home and Work in the default interface. In fact, Windows 7 has three types of network locations. A Home network is for your own network at home, where you take part in the home group. In these circumstances network discovery allows you to see other computers and devices on your network, and other network users to see your computer. A Work network is for offices or other work related networks. It has essentially the same features, except you are unable to join a home group. Finally, a Public network is available for working in public places. Your computer is not visible to others and traffic will be blocked. Somewhat confusing is the fact that the naming of the networks in the Firewall MMC for
125. esoft unveiled StoneGate 5.0, its proactive network security management platform. Stonesoft provides a single centralized command center called StoneGate Management Center for proactive control of even the most complex networks. This center manages the entire StoneGate Platform, including its firewall, VPN, IPS and SSL VPN solutions for physical and virtual environments. www.stonesoft.com. Strong authentication with biometrics for Windows 7. Gemalto has extended its support for strong authentication on Windows 7 using its .NET Bio solution. The solution enables multi-factor authentication using biometrics by building on the foundation provided in the new Windows Biometric Framework for Windows 7. www.gemalto.com. Strong authentication for mobile devices from VeriSign. VeriSign launched the VeriSign Identity Protection Mobile Developer Test Drive Program, which enables mobile application developers to explore how easily and quickly they can provide users with an extra layer of security that goes beyond standard secure log-ins. vipdeveloper.verisign.com. New secure software development credential from (ISC)2. (ISC)2 opened registration for classes and exams for its Certified Secure Software Lifecycle Professional (CSSLP), which aims to stem the proliferation of security vulnerabilities resulting from insufficient development processes by establishing best practices and v
126. eter and then use this data in the print statement: print "You entered: $name". You can clearly see that no validation has occurred on this data. The username data should have been subjected to both input and output validation prior to it being used in the print statement. This example uses Perl, which means we can make use of the HTML::Entities Perl module to encode this data for us; the code shown below has implemented this module:

    #!/usr/bin/perl
    use strict;
    use warnings;
    use CGI;
    use HTML::Entities;

    my $cgi  = CGI->new;
    my $name = $cgi->param('username');   # untrusted user input

    print $cgi->header;
    # HTML-encode the value before it reaches the page
    print "You entered: " . HTML::Entities::encode($name);

Any data entered into the username field will now be HTML encoded prior to it being printed. If a malicious user were to input the same JavaScript we used in the previous example, <script>alert(document.cookie)</script>, it would be changed to the following: &lt;script&gt;alert(document.cookie)&lt;/script&gt;. This would again nullify the threat posed by the malicious input. The values that have been changed (i.e. < and >) would still be written to the page, but as a literal value instead of being used as a special character. This will allow you to implement strong validation techniques but also continue to display characters such as < and > on your web page. In addition to the encoding we have explored already, we should always control the c
127. ettings. [Screenshot: Local Group Policy Editor, Computer Configuration > Windows Settings > Security Settings > Public Key Policies, showing Encrypting File System, BitLocker Drive Encryption, Certificate Services Client - Certificate Enrollment Policy, Certificate Path Validation Settings and Certificate Services Client - Auto-Enrollment; caption: Possible recovery mechanism] As with Windows Vista, BitLocker in Windows 7 supports the storage of recovery information in the Active Directory, meaning that you can centrally store the recovery password and key package of each user in AD DS. The key package contains the encryption key protected by one or more recovery passwords. It is possible to configure this feature via Group Policy, although this means that a lot of data m
128. eveloped a capability to bypass or defeat these fortifications. Use of force. Any nation state with a cyber weapons arsenal has more response options than countries without cyber warfare capabilities. It is widely believed that Russia, as evidenced by the attacks against Estonia and Georgia, is able to field an impressive DDoS capability. A DDoS capability allows a country to initiate more easily an economic or information embargo with digital weapons. This DDoS or other cyber warfare capability may allow an aggressor to easily use force with more precision and limit the use of conventional military weapons. For example, while the Georgia cyber attacks were conducted in association with a conventional military assault, the Estonia cyber attacks were conducted without a conventional military parallel. Despite these differences, in both cases Russia attempted to compel its adversary to change its behavior. Many experts argue that there is no evidence that the Russian government was directly responsible for organizing cyber attacks in Estonia. However, recent admissions by Russian State Duma official Sergei Markov that his staff participated in the Estonia attacks indicate these attacks occurred with at least tacit approval of the Russian government. This ability for an aggressor to more easily use force against an adversary appears to favor the offense, as it lowers the barrier to entry into conflict, gives the offens
129. f working on your local area network. BranchCache also helps reduce wide area network (WAN) utilization. When BranchCache is enabled, a copy of data accessed from intranet Web and file servers is cached locally within the branch office. When another client on the same network requests the file, the client downloads it from the local cache without downloading the same content across the WAN. This is done without decreasing the security of the data: access controls are enforced on cached files in the same way they are on original files. Many believe patch releases should be more frequent. Do you have any plans to intensify announcements after Windows 7 is released? We continually evaluate the frequency in which we release security updates, but we have no news to share at this time. 2009 USENIX Annual Technical Conference, June 14-19, 2009, San Diego, CA. Join us in San Diego, June 14-19, 2009, for the 2009 USENIX Annual Technical Conference. USENIX Annual Tech has always been the place to present groundbreaking research and cutting edge practices in a wide variety of technologies and environments. USENIX '09 will be no exception. USENIX '09 topics include Networking, Coding, Security, Virtualization, Computing and Solaris. Join the community of programmers, developers and systems professionals in sharing solutions and fresh ideas. www.usenix.org/usenix09/hnsa. QUALYS ON DEMAND SE
130. ffered by organizations and individuals who have actually taken the time to see what is being done within the application. Anything else is little more than a guess. SECURITY REQUIREMENTS SHOULD BE CLEARLY ARTICULATED, AND THE METHOD FOR EVALUATING COMPLIANCE SHOULD BE PRECISE. The power to know your promises are kept. Privacy statements that accompany most Web facing transactions are meant to give users confidence in the protections that are in place to ensure the security of their private information. In reality, application level security is almost never mentioned. These statements, created to address user concerns with network focused threats and unscrupulous business behaviors, are commonly concerned only with communications protocols and disclosure policies. As a result, applications that are at the center of the customer experience are not cited or addressed. Concurrently, assertions are being made as to the protection and safety of that data. The privacy promises you make to your customers, shareholders and partners can only be kept if the security of your application source code is actively evaluated and maintained. The power to hold your outsourcers accountable. Increasingly, organizations are running their business using software or services that are provided by someone else. This automation of business processes by an outside entity has typically happened without assessment and validation
131. ful when you handle malicious files. You could execute it inadvertently, even without double clicking the file. That's why I always change the extension of malware (trojan.exe becomes trojan.exe.virus) and handle them in an isolated virus lab. Outside of that lab, I encrypt the malware. Didier Stevens (CISSP, GSSP-C, MCSD .NET, MCSE/Security, RHCT) is an IT Security Consultant currently working at a large Belgian financial corporation. He is employed by Contraste Europe NV, an IT Consulting Services company (www.contraste.com). You can find open source security tools on his IT security related blog at blog.DidierStevens.com. To lower the security risk you need GFI LANguard, a solution that provides network vulnerability scanning, patch management and auditing in one integrated package. This award winning solution allows you to scan, detect, assess and rectify vulnerabilities on your network faster and more effectively. tel: +1 888 243 4329, fax: +1 919 379 3402, email: ussales@gfi.com, url: www.gfi.com/lannetscan. April was a busy month for those workin
132. g blocks and can be easily adapted to identify and exploit new vulnerabilities. This is the malware that exploits unpatched servers, poorly defined firewall rules, the OWASP top ten, etc. This malware is really aimed at the mass market: SMEs and consumers. The other trend is the use of high end malware which employs the personal touch: customization to specific companies, often combined with social engineering to ensure it's installed in the right systems. This is the type of malware that got TJX, Hannaford and now Heartland, according to a recent report published on KnowPCI (www.knowpci.com). The point is, the more we create concentrations of valuable data, the more worthwhile it is for malware manufacturers to put the effort into customizing a campaign to go after specific targets. So if you are charged with securing an enterprise system that is a prime target, or partner with or outsource to a business that is a major target, you need to ensure that the level of due diligence that you apply to data security equals or exceeds that expended by malicious hackers who are more than willing to work really, really hard to access that data. Reports about recent data breaches paint an ugly picture. In mid March, Heartland Security Systems has yet, they claim, to be able to determine exactly how many records were compromised in the breach t
133. g.com that is the focus of this article is the filtering of websites that contain explicit material. The new agreement in Germany. The most recent example of a country trying to combat child pornography on the Internet with filters is Germany. On May 17th, 2009, the German Minister of Family, Ursula von der Leyen, signed an agreement with five of the seven biggest Internet Service Providers (ISPs) in Germany to block websites that contain child pornography. This agreement was the result of long negotiations between the parties, and not all ISPs supported the arrangements with the Ministry. The ISPs Freenet and 1&1 declared that the lack of a legal basis for such an agreement made it difficult for them to accept the contract. Also, civil society organizations like the Chaos Computer Club (a hacker organization advocating privacy rights and data protection) or MOGIS (representing victims of child abuse) stated that they were not in favor of the governmental approach. Their central arguments are that just cloaking websites does not solve the original problem and that there is a risk of introducing censorship on the Internet. Indeed, the Ministry plans do not include democratic control of what is going to be filtered. Taking into consideration similar attempts in other countries, the success of filtering child pornography remains disputable. In recent years, Scandinavian countries put in place filter regimes with the goa
134. g in the information security industry. Two major events were held practically a couple of days apart: RSA Conference 2009 in San Francisco and Infosecurity Europe in London. My colleagues from Help Net Security were busy the entire month and did some fantastic coverage from these shows. As a result, I am now swamped with software applications and hardware devices given to me for review purposes. Within this latest bunch of security goodies, I first laid my eyes on the IronKey secure flash drive. I have been using and testing a number of similar devices, so I was eager to see what IronKey had to offer. IronKey at a glance. The device used as a basis of this article is the IronKey Personal with 1GB of storage. From the storage perspective this is the basic model, but for this review storage is not an important factor. IronKey drives come in three flavors: Basic, Personal and Enterprise. Basic, as the lower level offering, is to be used primarily as a secure storage device, while Personal has some advantages. These include Internet protection services, the identity manager and support for the Verisign Identity Protection (VIP) offering. Review: IronKey Personal, by Mark Woodstone. I will talk about all these functions later in the review. Just in case you are curious, the Enterprise version provides the following additional performance: enforceable security policies, remote device termination, RS
135. gy, RFID tags can be read without any manual intervention and without requiring a line of sight or physical contact with the item. RFID certainly raises the bar as an authentication or anti-counterfeiting measure, but the bar is only as high as the technical skills of counterfeiters, which unfortunately are reaching new heights every day. There are various types of RFID. Basic passive RFID is prone to counterfeiting attacks. A resourceful adversary can clone a basic RFID, meaning the contents of a genuine RFID chip can be copied to another to appear the same as the genuine RFID chip. An even simpler alternative would be for an adversary to record the exchanges between a basic RFID chip and a reader and replay them to mimic the original RFID chip. Cryptography based RFID is secure, though expensive for widespread item level use. Recently, a new class of simple, inexpensive and unclonable RFID chips was introduced to the market. These RFID chips are based on a technology called Physical Unclonable Functions (PUFs). PUF is a silicon biometric technology, a kind of fingerprint or DNA for silicon chips. This technology enables very strong and robust authentication of the RFID chips and also provides a way to prevent skimming and replay attacks. Physical unclonable functions. A Physical Random Function or Physical Unclonable Function (PUF) is a function that maps a set of challenges t
136. has already seen the value of being in Stage 3 in a previous company can often reduce the duration of the earlier stages and help the organization avoid common pitfalls. The use of third party consultants and service providers. The primary research for the ASM model was based on direct interaction with organizations that have made the decision to employ external security experts. These experts can demonstrate the value of more quickly embracing security as a core business process. Seeing security as a competitive advantage. Some firms have chosen to embrace a pervasive security approach, with its required increased investment, in order to differentiate themselves from competitors with a more lackadaisical approach to security. [Figure: Typical Progression Curve (Low to High) for a Large e-Merchant: '04 no process, early thought tools panacea; '05 built audit procedures and sought training; '07 now specializing toolkit and integrations. Caption: Sample ASM model plots for Large E-commerce Organization] Organizations can leverage the ASM Model to: Determine their current location along the ASM curve. Just knowing where an organization falls on the curve is a critical first step to understanding and improving overall security. With knowledge of where the company falls, the company can understand how it compares to others, either competitors
137. hat didn't think was particularly useful, because it was likely that there were only a few applications to which you might want to block access anyway. Windows 7, however, introduces the AppLocker, which allows you to restrict program execution via the Group Policy. More specifically, the AppLocker helps to control how users can access and use files such as executables and specific scripts. AppLocker essentially utilizes three types of rules: Path Rules, File Hash Rules and Publisher Rules. The first two are not that new and can already be found in Vista's Software Restriction Policies. Hash Rules use a cryptographic hash of the executable to identify a legitimate program. The major downside of this type of rule is that you have to modify it whenever you update the program. If you change a program or executable, it will also change the hash. Hash policies are therefore only effective for as long as a file remains in a consistent state. In daily operations, however, the reality is that applications are updated very frequently, meaning that hash policies can become outdated in a matter of weeks as new versions of files are released. This creates a lot of work in larger organizations, with literally hundreds of applications being out in the field. An improvement to this situation is that in AppLocker you can define a so called publisher rule, which means that there is information in
138. hat gave attackers access to Heartland's systems used to process 100 million payment card transactions per month for 175,000 merchants. Given the size and sophistication of Heartland's business (it is one of the top payment processing companies in the United States), computer security experts say that a standard in-the-wild computer worm or Trojan is unlikely to be responsible for the data breach. Heartland spokespeople have said publicly that the company believes that the break-in could be part of a widespread global cyber fraud operation. According to a report in Digital Transactions and other news sources, in January 2009 Heartland apparently managed to find malware neatly tucked away on one of its payment processing platforms, after learning late in the Fall of 2008 that the company might have a data breach in which unencrypted card numbers were captured during the authorization process. The key question here for many security professionals is why and how it took so long to find the malware. A post on a Wired News security blog, claiming to come from a Heartland employee, stated that Heartland "might have caught it or even prevented it if we'd known what the government and the involved companies knew about some of the other recent breaches, but that data hadn't been shared with us." Unfortunately, that problem is being repeated again with virtually no lessons learned information releas
The underlying complexity can be daunting. This article addresses a variety of techniques to report risk and compliance statuses, raise awareness and influence remediation.

I. Preparation

Mission, vision

Document each security function's mission as a first step towards reporting. A mission can be loosely defined as the high-level goals of a team. A mission statement explains the purpose of a team from a business perspective. Vision can be defined as how the team accomplishes its mission.

A basic goal of reporting is to determine the effectiveness and current state of a given function. It becomes easier to determine at a high level which elements should be included in reporting by keeping the mission and vision statements in mind.

Reports and data sources

Meet with each team or function and request access to their reporting. Evaluate each report critically. Determine whether the reporting accurately reflects the status based upon the mission. At a high level, risk and compliance reporting should meet the following goals:

• Reflect security posture and the associated risk to core business products, services and strategic goals
• Consider assessment subjects from a variety of perspectives
• Enable management to make informed decisions
• Provide reporting in a timely manner, preferably through real-time automation

Identify a point of contact associated with each subject finding. Ac...
...whelming. Create a spreadsheet and sort them by data sources (teams and tools), audience throughout the management tiers and metric implementation phases. Dan Geer's Measuring Security tutorial (bit.ly/ocPM9) contains a wealth of information; refer to it as well.

Risk priority

Compliance is binary: either a control is in place or it is not. One missing control will result in a non-compliant status, which does not represent the risk to the business. Use risk scoring to assign potential business impact to each report finding. Start by applying a risk rating to each baseline control. Refer to the Microsoft Security Risk Management Guide (bit.ly/flzwG) to determine impact levels and associated exposure ratings. Failure Modes and Effects Analysis (bit.ly/vctqM) has risk scoring built in. Define which rating threshold should constitute a control that is risky and needs to be shored up.

Establish a common reporting language. The meaning and related impact of high, medium and low findings should be uniform throughout each report. Refer to NIST SP 800-30 (bit.ly/9EO5i) for sample risk impact definitions.

This interim approach assigns a risk value to each baseline control to assist with remediation priority. Establish a comprehensive Enterprise Risk Management Methodology and incorporate it into reporting in a future phase of development.

MANAGEMENT NEEDS THE ABILITY TO DRILL DOWN FROM HIGH-LEVEL REPORTING TO SPECIFIC ISSUES
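The difference between the binary compliance answer and a risk-ranked remediation queue is easier to see with numbers. The following is example code added for this article, not the author's reporting tool: it scores each finding as likelihood times impact on ordinal scales that are an assumption loosely modelled on the NIST SP 800-30 levels, applies a "risky" threshold, and rolls the result up per line of business. The four findings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Example code for this article. The scales are assumptions loosely modelled on
# NIST SP 800-30; replace them with the common reporting language you agree on.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass
class Finding:
    control: str            # baseline control checked
    line_of_business: str
    compliant: bool         # the binary compliance answer
    likelihood: str         # likelihood that the gap is exploited
    impact: str             # business impact if it is


def risk_score(f: Finding) -> float:
    """0 for a control in place; otherwise likelihood x impact (0-100)."""
    if f.compliant:
        return 0.0
    return LIKELIHOOD[f.likelihood] * IMPACT[f.impact]


def risk_level(score: float, high: float = 50, medium: float = 10) -> str:
    if score >= high:
        return "high"
    if score >= medium:
        return "medium"
    return "low"


def compliant(findings: List[Finding]) -> bool:
    """Compliance is binary: one missing control fails the whole set."""
    return all(f.compliant for f in findings)


def remediation_queue(findings: List[Finding], threshold: float = 10) -> List[str]:
    """Controls at or above the 'risky' threshold, most urgent first."""
    risky = [f for f in findings if risk_score(f) >= threshold]
    risky.sort(key=risk_score, reverse=True)
    return [f.control for f in risky]


def rollup(findings: List[Finding]) -> Dict[str, dict]:
    """Per line of business: the figure a management tier sees before drilling down."""
    out: Dict[str, dict] = {}
    for f in findings:
        entry = out.setdefault(f.line_of_business, {"open": 0, "max_score": 0.0})
        if not f.compliant:
            entry["open"] += 1
        entry["max_score"] = max(entry["max_score"], risk_score(f))
    for entry in out.values():
        entry["level"] = risk_level(entry["max_score"])
    return out


# Constructed sample findings.
SAMPLE = [
    Finding("Card data encrypted at rest", "payments", False, "high", "high"),
    Finding("Quarterly access review", "payments", True, "low", "medium"),
    Finding("Screen-saver lock on kiosks", "retail", False, "low", "low"),
    Finding("Patching within 30 days", "retail", False, "medium", "high"),
]

if __name__ == "__main__":
    print("compliant:", compliant(SAMPLE))
    print("queue:", remediation_queue(SAMPLE))
    print("rollup:", rollup(SAMPLE))
```

Both lines of business are non-compliant, but the queue puts the unencrypted card data first and leaves the kiosk screen-saver below the threshold, which is the distinction the text asks the report to make.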
...third-party firms such as consultants or security auditors, or being burned by a data breach, they move to the final stage.

3. Security as a Core Business Process

Having made the important shift to understanding security as core to a successful business, organizations will begin to devote more budget and, more importantly, time and focus to: the software tools required to ensure secure code in all phases of the software development life cycle; the training needed to educate developers and other non-IT employees; and the enhanced processes that place security into all business and IT activities.

[Figure: Application Security Maturity Model (ASM), typical progression curve over time, rising to "Security as Core Business Process"]

The ASM Model graphic above depicts a typical path an organization may take. Time is overlaid left to right, and the speed at which an organization passes along this curve varies with its awareness, investments and success in adopting new processes. Also, an organization's "Pit of Despair" may be deeper or elongated if it has difficulty adopting and integrating new tools and processes.

The duration of each stage and the slope of the curve can vary depending on many factors, including:

The influence of security-minded executives. In many cases business or IT executives can drive the move to the third stage quicker than it would happen normally. For example, an incoming executive that...
...DirectAccess, the intention is to give your machine seamless access to applications while you are on the road. This means that you wouldn't have to make an explicit VPN connection to phone back home, because this new feature does it all for you in a stealthy way. It's a new solution which would enable your remote machine to stay connected to your business network as long as there is an Internet connection. This idea is not new, but it's finally making its way forward to practical implementations.

From a technology standpoint it also has some advantages. In this way your company's IT department could have updates installed, change policies, apply hotfixes, update virus scanners, block connections immediately or access the machine, all remotely and without having to bother the user. I could spend a lot of time telling you more about this, but let me instead provide you with a direct link to the relevant technical documentation (bit.ly/96VGG) so you can read about it yourself.

Conclusion

As far as security is concerned, Windows 7 is an improvement on Windows Vista, although it retains much of its kernel architecture. Interesting and more strategic developments are the DirectAccess feature in combination with a Windows Server 2008 infrastructure and the improvements around the Network Access Protection features. This really is something to keep an eye on. The development process has again taken a step forward. Howev...
...contributors need specific findings that apply to the systems and applications they administer. Prioritize risk and compliance statuses within each reporting tier. Work closely with business and IT management to assign a remediation contact to each finding, for accountability. Each finding should also include details of the issue, the planned remediation activity and the target remediation date.

Using the methodology detailed above, an executive should be able to click down from the line of business to a high-risk subject, its associated findings and remediation plans. In practice, that functionality is a powerful way to gain visibility and funding to address critical issues.

III. Present to management

Finalize the Reporting Methodology document. This article can be used as a framework. Explain the rationale behind each report, including data sources such as teams, tools, manual data entry, automation and data refresh periods. Include the importance of risk mitigation over minimum compliance. A methodology document has utility for training, continuity and audit.

Prepare a management slide presentation to introduce the reporting application, executive dashboard and remaining implementation phases. Conduct a live demo of the application during the presentation. Manage expectations up front. Be transparent about current functionality and areas for improvement. Provide a roadmap for future reporting enhancements. An accurate reporti...
...ication functions. The information verification piece of password reminder systems will often fail to demand enough information from the end user before granting them the account password. It is a common mistake made by these systems, and you should attempt to avoid it where possible. Make sure that your systems require information from the user that isn't easily obtainable, unlike, say, an email address.

A second system often used during user account creation and management is the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). As the name implies, these systems are used to validate that a user, as opposed to a computer, is providing the input to your systems, but there have been many high-profile failures of such systems. CAPTCHA systems implemented by Google, Microsoft and Yahoo have been broken, which shows how difficult it can be to get this right. If you do decide to utilize this technology, you need to ensure that CAPTCHAs are not simple to guess (i.e. "What is 2 + 3?") or clear enough to be read by OCR software.

The final thing to remember in this principle is the enforcement of authorization through least privilege. A simple application could have two levels of access, user access and administrative access, and each one will have its own access requirements. An obvious difference between the two levels of access is the authorization to use the administrative funct...
...provide training on a custom developed system?
• Is there a qualified internal team available to produce documentation for a custom developed system?
• Would it be acceptable to change current procedures and processes to fit with the packaged software?

Outsourcing

Outsourcing can be a less cost-effective approach in the long run, and it will not solve the liability aspect. Outsourcing may also raise worries regarding security, hidden costs, loss of IT control, network bandwidth issues, lack of interoperability, vendor lock-in and service level agreements. In many cases it may be more effective, from a cost and data security standpoint, to protect the data in the current system without changing the applications or the infrastructure.

Recent incidents suggest that cybercrooks are increasingly beginning to target payment processors. Attacking a processor is much more serious than attacking a retailer: a processor sits at the nerve centre of the payment process, and processes and potentially stores far more payment card data than any retailer.

On the formal accounting side, outsourcing can be charged as an expense, whereas the cost of developing an in-house system is capitalized and may affect the capital budget. Also look for efficiency gains when evaluating the cost-effectiveness of solutions. Centralized management of encryption keys reduces costs and complexity, as well as potentially reducing system downti...
...snail mail. It is only much later, after the buyers start trading the material with others for free, that it appears on the Internet, for example on Usenet or on P2P servers, both of which are not affected by DNS blocking of child pornographic websites.

The second aspect critics of the Internet filter bring up is that blocking certain websites that contain child pornographic material will neither significantly influence the commercial market nor really reduce the distribution of the material, as the majority of it is found in the other places of the Net mentioned in the introduction of this article. The 2008 report of the British Internet Watch Foundation (IWF), announcing a decrease in child pornographic websites, must also be analyzed from this perspective. It remains unclear whether the suppliers of such material really left the Internet or whether they just switched from websites to other parts of the Net.

Besides that, it is very easy to circumvent DNS blocking. Instructions on how to do this can be found on several websites; most of them are not even connected to child pornography, they just deal with the question of filtering in general. IT security specialists, members of civil society and police investigators in different countries complain about the ineffectiveness of Internet filters, the lack of consistency of public institutions in going after the producers of child pornography and the disregard of democratic rights and...
...implement an enterprise protection strategy. A holistic, layered approach to security is far more powerful than the fragmented practices present at too many companies. Think of your network as a municipal transit system: the system is not just about the station platforms; the tracks, trains, switches and passengers are equally critical components. Many companies approach security as if they were trying to protect only the station platforms, and by focusing on this single detail they lose sight of the importance of securing the flow of information.

It is critical to take time from managing the crisis of the moment to look at the bigger picture. One size doesn't fit all in security, so assess the data flow and risk environment within your company and devise a comprehensive plan to manage information security that dovetails with business needs. Careful analysis of use cases and the associated threats and attack vectors can provide a good starting point in this area.

It is important to note that implementing a series of point solutions at each protection point will introduce complexity that will ultimately cause significant rework. Protecting each system or data set as part of an overall strategy and system allows the security team to monitor and effectively administer the encryption environment, including managing keys and key domains, without creating a multi-headed monster that is difficult to control. Centralized management of encry...
...in mind, I have attempted to take on the challenge of providing clarity around the issue of secure development by creating a set of secure development principles.

Secure development principles

I have analyzed many vulnerabilities and have created a set of secure development principles which I feel will prevent the large majority of them. I have listed these principles below and will elaborate on each of them in the rest of this article.

1. Input Validation
2. Output Validation
3. Error Handling
4. Authentication and Authorization
5. Session Management
6. Secure Communications
7. Secure Resource Access
8. Secure Storage

Input validation

This principle is certainly not a silver bullet, but if you ensure that all of the data received and processed by your application is sufficiently validated, you can go a long way towards preventing many of the common vulnerabilities being actively exploited by malicious users. It is important for you to understand what data your application should accept, what its syntax should be and its minimum and maximum lengths. This information will allow you to define a set of known good values for every entry point where externally supplied data could exist.

Two main approaches exist for input validation: whitelisting and blacklisting. It would be wrong to suggest that either of these approaches is always the right answer, but it is largely...
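The "known good values for every entry point" idea is clearer side by side with the blacklist it replaces. The example below is added for this article and is not the author's code: it puts a single-pass blacklist filter next to a whitelist of per-field syntax and length bounds for a hypothetical form (the field names and patterns are assumptions), and shows two classic inputs that slip past the blacklist but fail the whitelist.

```python
import re
from typing import Dict

# Example code for this article, contrasting the two approaches on constructed
# inputs. The form fields and their patterns are assumptions.


# --- Blacklisting: strip or reject things known to be bad -------------------
BAD_FRAGMENTS = ("<script", "javascript:", "onerror=")


def blacklist_sanitize(value: str) -> str:
    """Single-pass removal of known-bad fragments (a common, weak pattern)."""
    for bad in BAD_FRAGMENTS:
        value = value.replace(bad, "")
    return value


# --- Whitelisting: accept only what the field is defined to hold ------------
# Every entry point gets its known-good syntax and length bounds.
FIELDS: Dict[str, re.Pattern] = {
    "username": re.compile(r"[A-Za-z0-9_.-]{3,32}"),
    "quantity": re.compile(r"[1-9][0-9]{0,2}"),          # 1-999, no leading zeros
    "postcode": re.compile(r"[A-Z0-9]{2,4} ?[A-Z0-9]{3}"),
}


def whitelist_ok(field: str, value: str) -> bool:
    pattern = FIELDS.get(field)
    if pattern is None:
        return False                      # unknown field: reject, do not guess
    return pattern.fullmatch(value) is not None   # fullmatch anchors both ends


def validate_form(form: Dict[str, str]) -> Dict[str, bool]:
    """Validate every submitted field; unexpected fields fail as well."""
    return {name: whitelist_ok(name, value) for name, value in form.items()}


def show_bypasses() -> dict:
    """Two classic bypasses of the blacklist that the whitelist rejects."""
    nested = "<scr<scriptipt>alert(1)</script>"   # survives one removal pass
    cased = "<SCRIPT>alert(1)</SCRIPT>"           # case-sensitive list misses it
    return {
        "nested_after_blacklist": blacklist_sanitize(nested),
        "cased_after_blacklist": blacklist_sanitize(cased),
        "nested_whitelist": whitelist_ok("username", nested),
        "cased_whitelist": whitelist_ok("username", cased),
    }


if __name__ == "__main__":
    print(show_bypasses())
    print(validate_form({"username": "alice_01", "quantity": "0", "debug": "1"}))
```

Note the use of `fullmatch` rather than `match` or `search`: a pattern that is not anchored at both ends will accept a valid prefix followed by anything, which turns a whitelist back into a blacklist.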
...ing and peer-to-peer (P2P) file sharing to tackle this menace. In instances where a ban cannot be enforced, corporations attempt to monitor their traffic for hints of data leakage.

[Screenshot: Windows Live SkyDrive sign-in page in Mozilla Firefox, advertising 25 GB of free, password-protected online storage]

Microsoft offers free 25 GB password-protected online storage (SkyDrive) to its Windows Live users. Users can store files in personal, shared or public folders. Shared folders are only accessible to parties that the owner grants access to. SkyDrive is very simple to use and secure, as the whole session, except for public folders, is protected using HTTPS.

Human error is commonly a contributing factor to security breaches. An employee may mistakenly upload an important document onto their shared or public folder, with devastating consequences. This facility can easily be used to siphon corporate intellectual property out right under the noses of employers and sell it for a handsome profit to competitors. The beauty of this m...
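Because the session is HTTPS, a proxy sees only the CONNECT request and the byte counts, so "monitoring traffic for hints of data leakage" comes down to destination, port and volume. The detector below is added for this article (not the author's setup): it reads a constructed tunnel log in a simplified format (timestamp, client, method, target, bytes up, bytes down; an assumption, not any particular proxy's format), flags tunnels to a watch-list of personal-storage and remote-access hosts, tunnels to bare IP addresses or non-443 ports, and clients that push a large upload volume to one host. The watch-list entries are assumptions built from the services named in the article.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Example code for this article. Log format and watch-list are assumptions;
# the sample lines are constructed.

WATCHED_HOSTS = {"skydrive.live.com": "personal storage",
                 "logmein.com": "remote access"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
LOG_FIELDS = ("ts", "client", "method", "target", "up", "down")

SAMPLE_LOG = """\
2009-06-01T09:00:01 10.1.2.3 CONNECT www.example.com:443 1200 48000
2009-06-01T09:05:12 10.1.2.3 CONNECT skydrive.live.com:443 52428800 4100
2009-06-01T09:06:40 10.1.2.4 CONNECT secure.logmein.com:443 9000 12000
2009-06-01T09:07:03 10.1.2.5 CONNECT 203.0.113.9:8443 7000 30000
2009-06-01T09:08:00 10.1.2.6 GET http://www.example.com/ 300 1500
"""


def parse_line(line: str) -> Optional[dict]:
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None                       # malformed line: skip, never guess
    rec = dict(zip(LOG_FIELDS, parts))
    rec["up"], rec["down"] = int(rec["up"]), int(rec["down"])
    return rec


def host_port(target: str) -> Tuple[str, int]:
    host, _, port = target.rpartition(":")
    return (host, int(port)) if port.isdigit() else (target, 443)


def watch_label(host: str) -> Optional[str]:
    for watched, label in WATCHED_HOSTS.items():
        if host == watched or host.endswith("." + watched):
            return label
    return None


def analyse(log_text: str, upload_threshold: int = 10 * 1024 * 1024) -> List[dict]:
    """Return one alert dict per suspicious tunnel or upload volume."""
    alerts: List[dict] = []
    uploads: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, port = host_port(rec["target"])
        label = watch_label(host)
        if label:
            alerts.append({"client": rec["client"], "host": host,
                           "reason": f"tunnel to {label} site"})
        if IPV4.fullmatch(host) or port != 443:
            alerts.append({"client": rec["client"], "host": host,
                           "reason": "tunnel to bare IP or non-standard port"})
        uploads[(rec["client"], host)] += rec["up"]
    for (client, host), total in uploads.items():
        if total >= upload_threshold:
            alerts.append({"client": client, "host": host,
                           "reason": f"{total} bytes uploaded over tunnel"})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a)
```

The upload-volume rule is the one that catches the "mistakenly uploaded document" case the text describes even when the destination is not on any list; the watch-list and port rules are cheap first passes that need a feedback loop to prune false positives.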
...ing the complexity of executing a successful attack on both the primary and backup systems.

Other policies that could decrease the possibility of cyber war include defining explicit red lines. A nation state should clearly state what critical infrastructure assets are of national importance and explain to its adversaries that it will retaliate in kind to attacks on these assets.

As demonstrated above, a country with powerful cyber weapons can rely on a deterrent effect to discourage its rivals from carrying out cyber attacks on its critical infrastructure targets. A clear annunciation of values and response options, including attacks on SCADA systems and critical infrastructure, may work in tandem to deter an adversary from launching an attack and therefore ameliorate the security dilemma.

Conclusions

While it appears that the development and deployment of cyber warfare strategies, tactics and weapons favors the offense and exacerbates the security dilemma, stability can still be achieved. Although cyber warfare is inherently offensive, nation states can still develop strategies and tactics that will ameliorate the security dilemma.

Ned Moran is an Adjunct Professor of Information Privacy and Security at Georgetown University. Mr. Moran also works with the Project Grey Goose team and investigates how nation states use cyberwarfare strategies, tactics and weapons to compel and deter adversaries. Ned can be found on...
...functions of the application. The administrative functions should only be available to users in the admin group, and standard users must not have the capability to elevate their privileges. The user accounts used by your application should be given the least amount of privilege required for them to function correctly. The ideal starting point is to configure access controls to deny all access and gradually increase the access until you find the right level for each user role.

You should always avoid using client-side values to make access decisions: avoid relying on information such as client-side tokens, URL values or hidden fields, because they can be manipulated to give a user elevated privileges.

Session management

When a user connects to your application you can force them to provide logon credentials. If the user authenticates successfully, they shouldn't be expected to provide these credentials again unless the logon times out or they are executing a privileged action.

Session management allows your application to require the users to authenticate only once, and also confirms that the user executing a given action is the user who provided the original credentials. To an attacker, any weakness in the session management layer of your application can be an easy way to bypass the hard work we have done so far in the first four principles. Attacks against sessions are often focused on obtaining a valid session...
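The three points above (deny by default, never decide from client-supplied values, re-authenticate for privileged actions and expire idle sessions) fit into a short server-side session layer. The code below is added for this article and is not the author's: the role table, the timeouts and the injectable clock are assumptions for the demonstration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Example code for this article. Role table, timeouts and clock hook are
# assumptions for the demo.

PERMISSIONS = {                      # deny by default: anything not listed is refused
    "user": {"view_profile", "edit_profile"},
    "admin": {"view_profile", "edit_profile", "delete_user"},
}
PRIVILEGED = {"delete_user"}         # require recently re-entered credentials
IDLE_TIMEOUT = 900                   # seconds
REAUTH_WINDOW = 300                  # seconds


@dataclass
class Session:
    user: str
    role: str                        # authoritative: lives only on the server
    last_seen: float
    last_auth: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self.clock = clock

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash of the token: a leaked store yields no live sessions.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, role: str) -> str:
        """Called only after the password check succeeded; issues a fresh token."""
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        now = self.clock()
        self._sessions[self._key(token)] = Session(user, role, now, now)
        return token

    def logout(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def get(self, token: str) -> Optional[Session]:
        """Look up a session, expiring it if it has been idle too long."""
        s = self._sessions.get(self._key(token))
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT:
            self.logout(token)
            return None
        s.last_seen = now
        return s

    def reauthenticate(self, token: str) -> bool:
        """Called after the user re-entered their password for a privileged step."""
        s = self.get(token)
        if s is None:
            return False
        s.last_auth = self.clock()
        return True

    def authorize(self, token: str, action: str,
                  client_claims: Optional[dict] = None) -> bool:
        """Decide purely from the server-side record.

        client_claims (hidden fields, URL parameters, other cookies) is
        accepted here only to make the point that it is ignored.
        """
        s = self.get(token)
        if s is None:
            return False
        if action not in PERMISSIONS.get(s.role, set()):
            return False
        if action in PRIVILEGED and self.clock() - s.last_auth > REAUTH_WINDOW:
            return False
        return True


def demo() -> dict:
    """Walk through the checks with a controllable clock."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    user_tok = store.login("alice", "user")
    admin_tok = store.login("bob", "admin")
    out = {"user_view": store.authorize(user_tok, "view_profile")}
    # A tampered hidden field claiming admin changes nothing.
    out["user_tampered_delete"] = store.authorize(
        user_tok, "delete_user", client_claims={"role": "admin"})
    out["admin_delete_fresh"] = store.authorize(admin_tok, "delete_user")
    now[0] += REAUTH_WINDOW + 1
    out["admin_delete_stale"] = store.authorize(admin_tok, "delete_user")
    out["admin_reauth"] = store.reauthenticate(admin_tok)
    out["admin_delete_after_reauth"] = store.authorize(admin_tok, "delete_user")
    now[0] += IDLE_TIMEOUT + 1
    out["admin_expired"] = store.get(admin_tok) is None
    out["guessed_token"] = store.authorize(secrets.token_urlsafe(32), "view_profile")
    return out
```

A real deployment would also rotate the token at login (to defeat session fixation) and bind it to an HttpOnly, Secure cookie; those belong to the secure communications principle that follows.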
...wireless network, establishing connectivity isn't as simple as plugging in a cable, physical security isn't nearly as easy as just keeping unauthorized individuals out of a facility, and troubleshooting even trivial issues can sometimes result in a few expletives being thrown in the general direction of an access point. That being said, it shouldn't come as a surprise that analyzing packets from a wireless network isn't as uninvolved as just firing up a packet sniffer and hitting the capture button.

In this article I'm going to talk about the differences between capturing traffic on a wireless network as opposed to a wired network. I'll show you how to capture some additional wireless packet data that you might not have known was there, and once you know how to capture the right data I'm going to jump into the particulars of the 802.11 MAC layer, 802.11 frame headers and the different 802.11 frame types. The goal of this article is to provide you with so...

Wired vs. wireless networks

There are a lot of obvious differences between wireless and wired networks. On a wired network each node has its own individual cable, allowing for predictable performance and a dedicated amount of bandwidth both upstream and downstream. A wireless network is a shared medium, meaning that all nodes on that network compete for bandwidth over a limited spectrum. It is because of this shared nature that a wireless...
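The "additional packet data" a monitor-mode capture exposes is the 802.11 MAC header itself, which a wired sniffer never sees. The parser below is added for this article (it is not the author's tooling): it decodes the frame control field, the duration, the sequence control and, for management and data frames, works out which of the three or four addresses is the DA, SA and BSSID from the To DS / From DS bits. The three sample frames (a beacon, a protected QoS data frame and an ACK) are constructed.

```python
import struct
from typing import Any, Dict

# Example code for this article: decodes the 802.11 MAC header from raw frame
# bytes (what a monitor-mode capture hands you after the radiotap header).
# Sample frames at the bottom are constructed.

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "data", (2, 4): "null", (2, 8): "QoS data",
}
CONTROL_WITH_TA = {10, 11, 14, 15}   # PS-Poll, RTS, CF-End, CF-End+CF-Ack carry a TA


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> Dict[str, Any]:
    if len(frame) < 10:
        raise ValueError("too short for an 802.11 header")
    fc, duration = struct.unpack_from("<HH", frame, 0)      # little-endian
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    hdr: Dict[str, Any] = {
        "version": fc & 0x3,
        "type": TYPE_NAMES[ftype],
        "subtype": SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}"),
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "retry": bool(flags & 0x08), "protected": bool(flags & 0x40),
        "duration": duration, "addr1": mac(frame[4:10]),
    }
    if ftype == 1:                       # control frames: short header, RA (+TA)
        hdr["header_len"] = 16 if subtype in CONTROL_WITH_TA else 10
        if hdr["header_len"] == 16:
            hdr["addr2"] = mac(frame[10:16])
        return hdr
    if len(frame) < 24:
        raise ValueError("too short for a management/data header")
    hdr["addr2"], hdr["addr3"] = mac(frame[10:16]), mac(frame[16:22])
    seq = struct.unpack_from("<H", frame, 22)[0]
    hdr["fragment"], hdr["sequence"] = seq & 0xF, seq >> 4
    header_len = 24
    if hdr["to_ds"] and hdr["from_ds"]:  # four-address (WDS) frame
        if len(frame) < 30:
            raise ValueError("too short for a four-address header")
        hdr["addr4"], header_len = mac(frame[24:30]), 30
    # Which address means what depends on the To DS / From DS bits.
    a1, a2, a3 = hdr["addr1"], hdr["addr2"], hdr["addr3"]
    if not hdr["to_ds"] and not hdr["from_ds"]:
        hdr.update(da=a1, sa=a2, bssid=a3)            # ad hoc or mgmt
    elif hdr["to_ds"] and not hdr["from_ds"]:
        hdr.update(bssid=a1, sa=a2, da=a3)            # station -> AP
    elif hdr["from_ds"] and not hdr["to_ds"]:
        hdr.update(da=a1, bssid=a2, sa=a3)            # AP -> station
    else:
        hdr.update(ra=a1, ta=a2, da=a3, sa=hdr["addr4"])
    if ftype == 2 and subtype & 0x8:     # QoS data adds a 2-byte QoS Control field
        header_len += 2
    hdr["header_len"] = header_len
    hdr["body"] = frame[header_len:]
    return hdr


# Constructed sample frames.
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
BROADCAST = b"\xff" * 6
# Beacon: type 0, subtype 8, no flags; addr1 broadcast, addr2/addr3 the AP, seq 10.
BEACON = (struct.pack("<HH", 0x0080, 0) + BROADCAST + AP + AP
          + struct.pack("<H", 10 << 4) + b"\x00" * 12)
# Protected QoS data from STA to the AP: type 2, subtype 8, To DS + Protected.
DATA = (struct.pack("<HH", (2 << 2) | (8 << 4) | (0x41 << 8), 44) + AP + STA
        + bytes.fromhex("0c0d0e0f1011") + struct.pack("<H", 77 << 4)
        + b"\x00\x00" + b"\xde\xad")
# ACK: type 1, subtype 13; only the receiver address follows.
ACK = struct.pack("<HH", 0x00D4, 0) + AP

if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("data", DATA), ("ack", ACK)):
        print(name, parse_80211_header(frame))
```

The address juggling is the part worth internalising: the same six bytes are the BSSID in one direction and the source in the other, and a filter written for "frames from this client" that looks only at addr2 will miss the frames an AP relays.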
...irritate users, leading many of them to just click OK even if they are unsure of the consequences. In these circumstances the question must arise as to whether this approach is appropriate and whether it has really resulted in security improvements.

Human behaviour in these circumstances is of course something that cannot be solved by a computer. Sometimes it's fine to download software (even initiated by the user) and install a program, but on other occasions malware is trying to install itself on your machine. In such a scenario the important, and often technical, decisions are up to you, the end user, to make. This means that ultimately (and yes, you will probably have guessed this) you will be presented with a dialog box asking you for confirmation and approval of something which may be damaging to your machine. Years of pop-ups and confirmation dialogs have literally trained the user to act like a monkey in an experiment: act like this, or push the red button and get a banana. Why not click Yes, OK and Next? Off we go.

As a result of these issues, some changes were made in Windows Vista SP1; in other words, the UAC experience was relaxed a little. How much has this changed in Windows 7? Well, Microsoft has decided to give the user the chance to change the UAC notifications to a more manageable and convenient level. The user interface has also been improved by the addition of mor...
...is running. The recommendation is therefore to power a computer down when you are not in physical control of it for a period of time, such as when leaving a hotel room for a couple of hours. Therefore, as long as you don't put the machine in some sort of hibernation or sleep mode, you're safe.

[Screenshot: Group Policy Editor, Windows Components > BitLocker Drive Encryption > Removable Data Drives, policy "Deny write access to removable drives not protected by BitLocker" (supported on the Windows 7 family), with the option "Do not allow write access to devices configured in another organization". Policy description: This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. Caption: Deny write access to USB]

Controlling applications with AppLocker

In the past, Software Restriction Policies were used to control applications. This was a feature t...
...ism when compared to alternatives. The low cost and power consumption of PUF-based RFID make them suitable for item-level use, a significant advantage over cryptography-based RFID. Since the PUF RFID chips cannot be cloned, a simple authentication at the point of sale ensures that only a genuine product is sold to the customer. This requires a significantly simpler infrastructure compared to the complex infrastructure (hardware and software) required to implement solutions based on electronic pedigree. With PUF-based RFID, authentication and identification are significantly improved, based on the inability to tamper with, control, clone or duplicate the chip.

Using unclonable RFIDs can deliver peace of mind to many product-based industries, from pharmaceuticals and luxury goods to secure IDs and transportation.

Professor Srini Devadas is the founder and CTO of Verayo. Professor Devadas and his team invented PUF technology at the Massachusetts Institute of Technology (MIT), Cambridge, USA. In addition to providing technical leadership and direction to Verayo, Professor Devadas serves on the faculty of MIT as the Associate Head of the Department of Electrical Engineering and Computer Science. Professor Devadas' research interests include Computer-Aided Design (CAD) of VLSI computing systems, computer architecture and computer security, and he has co-authored numerous papers in these areas. Professor Devadas joined MIT in 1988 soon after c...
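What "a simple authentication at the point of sale" looks like in practice is a challenge-response check against challenge-response pairs (CRPs) recorded when the chip was enrolled. The simulation below is added for this article and is not Verayo's design: the chip's manufacturing variation is modelled as a secret the chip never reveals, responses are slightly noisy the way real PUF responses are, and the verifier tolerates a small Hamming distance, uses each challenge once and keeps the enrolled CRPs server-side. Response width, noise rate, threshold and the product identifiers are assumptions; the practical caveats it surfaces are that the CRP store is finite and that the enrollment responses must be protected as secrets.

```python
import hashlib
import os
import random
from typing import Dict

# Example code for this article: simulated PUF challenge-response
# authentication. Noise rate, response width and threshold are assumptions.

RESPONSE_BITS = 64


class SimulatedPUFChip:
    """Stand-in for a PUF RFID chip. Only respond() is observable."""

    def __init__(self, noise_rate: float = 0.02, seed: int = 1):
        self._variation = os.urandom(16)     # manufacturing variation, never read out
        self._noise = noise_rate
        self._rng = random.Random(seed)

    def respond(self, challenge: bytes) -> int:
        digest = hashlib.sha256(self._variation + challenge).digest()
        r = int.from_bytes(digest[:RESPONSE_BITS // 8], "big")
        for bit in range(RESPONSE_BITS):     # a few bits flip on each evaluation
            if self._rng.random() < self._noise:
                r ^= 1 << bit
        return r


class Sniffer:
    """Genuine chip with an attacker recording every exchange it takes part in."""

    def __init__(self, chip: SimulatedPUFChip):
        self.chip, self.log = chip, {}

    def respond(self, challenge: bytes) -> int:
        self.log[challenge] = self.chip.respond(challenge)
        return self.log[challenge]


class ReplayingClone:
    """Attacker's tag: answers recorded challenges, guesses at the rest."""

    def __init__(self, recorded: Dict[bytes, int]):
        self._recorded, self._rng = dict(recorded), random.Random(2)

    def respond(self, challenge: bytes) -> int:
        return self._recorded.get(challenge, self._rng.getrandbits(RESPONSE_BITS))


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


class Verifier:
    """Enrolls chips at manufacture and authenticates them at the point of sale."""

    def __init__(self, threshold: int = 12):
        self._crps: Dict[str, Dict[bytes, int]] = {}   # keep this store secret
        self.threshold = threshold      # max Hamming distance accepted as noise

    def enroll(self, product_id: str, chip, n_challenges: int = 16) -> None:
        challenges = [os.urandom(8) for _ in range(n_challenges)]
        self._crps[product_id] = {c: chip.respond(c) for c in challenges}

    def remaining(self, product_id: str) -> int:
        return len(self._crps.get(product_id, {}))

    def authenticate(self, product_id: str, tag) -> bool:
        store = self._crps.get(product_id)
        if not store:
            return False                # unknown product, or CRP store exhausted
        challenge, expected = store.popitem()    # every challenge is used once
        return hamming(tag.respond(challenge), expected) <= self.threshold


def demo() -> dict:
    genuine = SimulatedPUFChip()
    verifier = Verifier()
    verifier.enroll("pill-bottle-0001", genuine, n_challenges=4)
    sniffed = Sniffer(genuine)          # attacker listens to a real sale
    out = {"genuine_1": verifier.authenticate("pill-bottle-0001", sniffed)}
    clone = ReplayingClone(sniffed.log)  # clone built from the recorded CRP
    out["clone"] = verifier.authenticate("pill-bottle-0001", clone)
    out["genuine_2"] = verifier.authenticate("pill-bottle-0001", genuine)
    out["unknown_id"] = verifier.authenticate("pill-bottle-9999", genuine)
    out["remaining"] = verifier.remaining("pill-bottle-0001")
    out["last_genuine"] = verifier.authenticate("pill-bottle-0001", genuine)
    out["exhausted"] = verifier.authenticate("pill-bottle-0001", genuine)
    return out


if __name__ == "__main__":
    print(demo())
```

The clone fails not because it answers wrongly on the challenge it recorded, but because the verifier never asks that challenge again; once the enrolled challenges are used up the genuine tag fails too, which is the sizing decision an item-level deployment has to make at enrollment time.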
...ition module, WVS can automatically log in to a wider range of authentication forms using different authentication mechanisms, while with the improved cookie and session handling WVS is now able to scan a broader range of dynamic web applications effectively. (www.acunetix.com)

Wi-Fi kit for disaster response and temporary events

Xirrus announced a portable, pre-packaged kit designed for the rapid and simple deployment of Wi-Fi networks in temporary applications. Unlike other Wi-Fi networking solutions, which require many different components, the Xirrus Wi-Fi Array integrates everything needed to deploy a large-coverage, high-density Wi-Fi network supporting up to hundreds of clients into a single device. This makes the Wi-Fi Array the ideal fit for portable applications such as disaster response command posts, high-density events such as conferences and expositions, and short-term events such as festivals, markets and fairs. (www.xirrus.com)

PGP launches Endpoint Application Control

PGP has announced PGP Endpoint Application Control, a product that blocks malicious and unauthorized software, including applications, scripts and macros, from executing on a user's system by automatically enforcing policies using whitelisting technology that explicitly allows only trusted and authorized software applications. By leveraging PGP Endpoint Application Control as another layer of d...
...ively just want to spend some time on a non-work-related website using UltraSurf, but unwittingly introduce malware as a result of this action. Hackers would employ UltraSurf to mask their origin.

These techniques are even more potent when used in combination. Imagine a hacker acquiring LogMeIn credentials from a victim, then accessing the remote corporate machine using UltraSurf. Once in control of the corporate machine, they possess both the physical machine and all information deposited on it. The attacker is at liberty to load the tools and scripts they need to target other systems within the same network. Launching UltraSurf on the compromised remote client, they will then proxy out of the corporate network to deposit all stolen information onto their SkyDrive repository. Once the hacker is done, they can either erase their tracks (i.e. tools, logs and browser cache) or securely wipe the entire hard drive to destroy evidence.

Remediation

The first step in tackling the threat posed by HTTPS is the documentation of clear policies on the usage of HTTPS, and communicating them to users. User awareness and understanding is essential to winning their cooperation, in order to reduce the margin of human error and the inherent security risks. Incorporating a Data Classification program is complementary, as this evidently stipulates that information be labeled based on its level of sensitivity for proper identification and handli...
...l of combating child pornography on the Internet. Norway started the first initiative in 2004 by using DNS blocking and closing down servers, as was suggested by the British Internet Watch Foundation (IWF) at that time. Today the Norwegian block list contains around 8,000 URLs, and 18,000 hits are being blocked every day. It is interesting to mention that not all ISPs in Norway are participating in the filter regime. Some time later Sweden, Denmark and Finland also started using filters to block access to child pornography. After the Scandinavian countries, the Netherlands, Switzerland and Italy also introduced a similar system. Other non-European countries like New Zealand, South Korea, Canada, Taiwan and the USA also use filter systems to block child pornography.

Unlike most of the other countries (except for Finland and Italy), Germany is going to force the remaining ISPs by law to participate in the filter regime. So far the agreement is based on a more or less mutual understanding, and with the majority of the big ISPs participating in it, the big majority of users will have to live with it. The companies Deutsche Telekom, Vodafone/Arcor, Alice/HanseNet, Kabel Deutschland and Telefónica O2 Germany, representing 75% of the German market, have already signed the agreement. The new draft of the law is already on its way to be discussed in Parliament (Bundestag) in the coming weeks. The main aspects are the block lists...
...largely discussing how to educate developers on how to develop securely. A common failure within organizations is the assumption that developers know how to develop securely, and they subsequently fail to invest time and money into education programs. This will never lead to secure software, and organizations have to realize that developer education is a step along the path to secure software.

The principles are shown in the image, but I won't dwell on this step; this article explains the principles and why I have created them. The code review step will mandate that a security-focused code review be conducted for every development; this review should evaluate the code against these secure development principles. The final point to address is the testing of the development for security weaknesses. This testing should be as comprehensive as possible and test for the vulnerabilities that the secure development principles should protect against.

The important thing to remember for all of the steps is that it doesn't have to involve a large financial outlay to implement them. I have included information below detailing how I feel you can utilize free resources to build your secure development program.

SSDLC: The Microsoft Security Development Life Cycle (SDL) is one of the leading SSDLC processes in existence. Microsoft has made a wealth of information available for free, so you can base...
...lation and configuration auditing from one platform. We call this Unified Security Monitoring.

[Advertisement: security and hacker conference, Brussels, 18-19 September; sponsors include Ernst & Young, Help Net Security (www.net-security.org) and Dimension Data]

Infosecurity Europe 2009 gathered security professionals in London in April. This huge event had over 12,500 attendees, and we were among them. Here are some details from the show.

Apani entered into a new partnership with Telvent, which will offer Apani EpiForce as a security overlay to its OASyS DNA 7.5 Supervisory Control and Data Acquisition (SCADA) platform. Deployed in many of the largest oil, gas and electric companies in the world, OASyS is a real-time distributed solution suite incorporating interoperable applications linked through standard interfaces.

Alcatel-Lucent's new secure voice offering, comprising its VPN Firewall Brick platform with an Alcatel-Lucent IP telephony platform, safeguards and guarantees quality of service for VoIP calls and protects web-facing IP telephony applications such as contact centre, mobility and unified communications tools.

PGP released PGP Command Line for IBM Power Systems. PGP is continuing to extend its support for various operating systems, including midrange an...
...lations, it's that simple. Newer regulations that focus on data and data protection, like the PCI DSS, are becoming the IT security standards of due care. They require proof that critical data assets have been secured, most notably at the application level. Earlier attempts at regulation had often mandated required technologies or configurations, and these quickly became outpaced by changing attack methods.

This new data-centric approach mandates the protection of individual data elements, as in the case of a credit card record, or of potentially linked items which, when combined, can reveal personal identity or confidential information. The regulations focus on the appropriate treatment of these data elements in acquisition, transfer, storage, access and destruction. As a result, compliance requires an in-depth understanding of the actual behavior of the application. Knowing where your data goes requires knowing all the paths and end points with certainty. This certainty requires analysis of the source code.

The PCI DSS is by no means alone in its increased sophistication and focus on the secure treatment of data elements and services. Other regulations like GLBA, HIPAA and the UK's Data Protection Act focus on the confidentiality of personally identifiable information, while Sarbanes-Oxley and Basel II assert the necessity of integrity of data and financial systems. Attestations of compliance can only be credibly o...
[Screenshot: loaded-module list showing the Windows NT BASE API Client DLL, Microsoft Corporation, 6.1.2600.3119, and ADVAPI32.dll, Advanced Windows 32 Base API, Microsoft Corporation, 6.1.2600.2180]

In other words, if you've a malicious PDF document on a machine with Windows Indexing Services, it can infect your machine. And you don't need a user to open or select the PDF document.

The good news is that Windows Indexing Services is not started on a default Windows XP SP2 install. But after you've executed a search as local admin, you'll be asked if you want to make future searches faster. If you answer yes, Windows Indexing Services will be automatically started.

The bad news is that Windows Indexing Services runs under the local system account on Windows XP SP2. This results in a privilege escalation.

Consider a Windows machine with Windows Indexing Services running, Adobe Reader installed and a file sharing service (FTP, IIS, P2P). Uploading a specially crafted PDF document to this machine will give you a local system shell.

To disable Windows Indexing Services' capability to index PDF documents, unregister the IFilter: regsvr32 /u AcroRdIf.dll

But IFilters are also used by other software:

• Microsoft Search Server 2008
• Windows Desktop Search
• SharePoint
• SQL Server full-text search

My PoC PDF file also triggers in JBIG2Decode in Windows Desktop Search (I tested version 4.0). But Windows Desktop Search has a better security architecture than the Windows Indexing S
me. Centralized policy enforcement, reporting and alerting supports compliance efforts and simplifies management chores, as well as reducing risk and the costs of producing reporting for auditors.

A cost-effective approach can be to use a single solution and process to provide a high quality of data across development, testing and staging environments, and to protect sensitive data across development, testing, staging and production environments. Focus initial efforts on hardening the areas that handle critical data and are a high-risk target for attacks. Continue to work your way down the list, securing less critical data and systems with appropriate levels of protection.

Be aware, though, that the conventional "Linked Chain" risk model used in IT security (the system is a chain of events where the weakest link is found and made stronger) isn't the complete answer to the problem. There will always be a weakest link. Layers of security, including integrated key management, identity management and policy-based enforcement, as well as encryption of data throughout its entire lifecycle, are essential for a truly secure environment for sensitive data.

It is critical to have a good understanding of the data flow in order to select the optimal protection approach at different points in the enterprise. By properly understanding the data flow we can avoid less cost-effective point solutions and instead
me important building blocks necessary for properly analyzing wireless communications.

network employs a different means of handling the transmission of data.

    CSMA/CD                   CSMA/CA
    Dedicated bandwidth       Shared medium
    Predictable               Performance decreases on load

The sharing of the wireless medium is done through an access method called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). CSMA/CA is implemented as an alternative to Carrier Sense Multiple Access with Collision Detection (CSMA/CD), which is used in wired networks. An Ethernet network has the ability to transmit data while monitoring the network for collisions. At this point it can pause, wait a certain period of time and resend the data again. In a wireless network, a wireless network interface card cannot transmit and receive data synchronously, so it must use collision avoidance rather than collision detection. This process is handled at layer two of the OSI model.

Layer 2: Where the meat is

The second layer of the OSI model, often called the Data Link layer or the MAC layer, is where 802.11 implements all of the features that make communication through the air possible. This includes tasks such as addressing, authentication and association, fragmentation, arbitration (CSMA/CA) and encryption. All of these things are what make the data link layer important to us, and what we will be spending our time together here
mer service department letting me know how to contact them so they could assist me. Fantastic! Just by sending me a simple message over Twitter they made the situation better, and will encourage my friends and family to use this particular company because they made a proactive effort to improve my customer experience.

Risks and threats

We talk a lot about risks and threats in the normal security world, but how do these same issues carry over to the world of social media? Businesses specifically have certain unique risks and threats that need to be addressed: brand impersonation, information leakage and damage to corporate reputation.

Brand impersonation

Brand impersonation is a significant concern for any type of business. This is especially important for national or worldwide brands that are well known outside of social networks. However, even a small company can be impersonated on social networks. Spammers are often to blame for impersonations on social networks, by hijacking names that aren't already taken. On Twitter, for example, it's as easy as searching to see if a particular name is available. If it is, the spammer might register it and start using tools and scripts to generate a large follower list to use for spamming. The good news is that Twitter and other social networks have policies against impersonation, and if you find out that your brand has been hijacked you can request
monstrated security mistakes in the OpenOffice suite. As OpenOffice gained popularity in the office suites market, the analysis of this software was long overdue. Eric presented a thorough security analysis ranging from design weaknesses to bugs. The conclusion? You don't need to migrate to other office suites. From a security perspective there isn't a better one.

Rob Havelt demonstrated the 802.11 FHSS wireless standard and made a thorough security analysis. Benjamin Caillat made a nice lecture about shellcode art, during which he demonstrated his own shellcode tool called WiShMaster. Bernardo Damele Assumpcao Guimaraes talked about advanced techniques in SQL injections. He talked mainly about how to better exploit SQL injections in different databases. Bernardo is the author of the sqlmap tool for exploiting SQL injection attacks.

As Black Hat is a commercial type of gathering, there is no side content as at underground counterparts (Defcon or CCC, for example). It consists mainly of parties organized by different vendors. Traditionally the most interesting party is the Core party. It's worth noting that Google was not present at Black Hat this year. It may suggest that Google is suffering from the financial crisis just like many other companies.

This is probably the last time that the European Black Hat conference was held in Amsterdam. The conference grows every year and the organizers want to expan
more advanced options and filter settings has not changed. Under the Windows Filtering Platform (WFP) architecture, APIs are available for the firewall. The idea is that third parties can take advantage of aspects of the Microsoft Windows Firewall in their own products.

Manage the advanced Firewall settings

Like in Windows Vista, there is a GUI for the configuration of the Windows Firewall item in the Control Panel. This is rather simplistic and not particularly useful to enterprise organizations, because you can configure the basic settings but not enhanced features. Accordingly, for more in-depth elements the many Group Policy settings, which can be reached by firing up the Group Policy editor snap-in, can be used. Moreover, the new Windows Firewall can also be configured with a Windows Firewall MMC snap-in. With this Windows Firewall with Advanced Security snap-in, administrators can configure settings for the Firewall on remote computers. In enterprise organizations, however, it is more likely that you will use the Group Policies to do this centrally.

For command-line configuration of the Firewall's advanced settings, commands within the netsh advfirewall context can be used. This option can also be applied if you want to script changes.

DirectAccess feature

There's a new feature that could be significant in the longer term. The whole experience of using applications is changing, and with D
n

    import java.io.InputStream;
    import java.net.URL;

    public class Test {
        public static void main(String[] args) {
            String urlStr = "http://securityninja.co.uk/no_exist.html";
            try {
                URL url = new URL(urlStr);
                InputStream is = url.openStream();
                is.close();
            } catch (Exception e) {
                // Print out the exception that occurred
                System.out.println("Error requesting " + e.getMessage());
            }
        }
    }

In this example we have received a request for no_exist.html, which doesn't exist on the server. The catch part of the code will ensure that the user is presented with the following sanitized error message:

    Error requesting http://securityninja.co.uk/no_exist.html

You should always ensure that your own code provides error messages similar to the one above.

Authentication and authorization

If you fail to build strong authentication processes into your application, an attacker could access sensitive content without having to authenticate properly. Although this sounds like an issue principle number 7 (Secure Resource Access) should address, there is a clear difference between the two. The Authentication and Authorization principle will aim to remove the following risks (this is not an exhaustive list):

• Lack of an appropriate timeout
• The use of weak passwords
• The use of weak secret question systems
• The use of broken CAPTCHA systems
• Failure to protect credentials in transit
• Failure to implement least privilege access
n Control Policies > AppLocker.

tors can control the versions of applications that users can install and use, scripted and via Group Policy.

However, AppLocker cannot be used to manage computers running earlier versions of Windows. There might also be some minor performance degradation because of the run-time checks.

Publisher Rules allow you to work in different ways. You can restrict the execution of a program to the publisher (for example Microsoft), to the product name (MS Office), to the file name (wordpad.exe) or to the file version (3.5.0.8). Because AppLocker gets its information from the digital signature that is bound to the program executable, end users cannot circumvent this by simply renaming the executable. All the three rule types (Path Rules, File Hash Rules and Publisher Rules) can be applied to executables (.exe), to scripts (.cmd, .vbs, .js), to installer files (.msi, .msp) and to system libraries (.dll).

Streamlining User Account Control (UAC) in Windows 7

Windows users are accustomed to working with a high number of privileges. This freedom does, however, have a major downside in a corporate environment, namely that more help desk calls are made because of accidental or deliberately made modifications to the OS, with a variety of errors being the outcome. In addition, malware and other software with malicious intent can copy this type of behavior. The result of such
n just starting its ASM journey.
• Companies may not follow the path directly, though evidence suggests that most companies will adhere to the basic curve unless they have actively decided to influence it in a severe fashion by specific investments or panic.

Understanding the ASM model

The ASM Model has three distinct phases, based on a company's investment in Tools & Technology and People & Processes. The phases are:

1. The Panic Scramble. Most immature organizations are in this stage. They start their security journey by responding to some event, perhaps a loss of confidential data, a Web site breach or the discovery of a network intruder. They may also enter this stage as a response to external events, such as a very public security breach at a competitor or media reports of massive data losses. Another potential catalyst is a new government or industry regulation.

Organizations that have found themselves in the Panic Scramble respond to the immediate security issues by spending money on software security tools and technologies that hold the promise of immediate impact to mitigate the perceived or real threat. However, such an investment without the requisite investment in P&P usually provides little overall return and limited security improvements; in fact, many times tools become shelfware, sitting unused because the developer or information security professional doesn't know how to use th
n near real time. Although defenders can develop fortifications in cyberspace via the implementation of firewalls and intrusion detection or prevention systems, these tools are by no means foolproof. With appropriate research, a knowledgeable attacker can design an assault that either circumvents or defeats these defenses. For example, during the cyber attacks in Estonia, defenses were constantly overwhelmed by the aggressors. According to Wired Magazine's account of the Estonia cyber conflict, the attackers were constantly tweaking their malicious server requests to evade the filters. This example demonstrates that in cyber warfare terrain clearly favors the offense, as attackers can quickly close on their targets and overcome defenses with relative ease.

"While zero days can be used to construct botnets, they can also be used to launch devastating attacks against SCADA systems that control critical infrastructure targets."

Surprise

According to Robert Jervis, weapons and strategies that depend for their effectiveness on surprise are almost always offensive. In cyber warfare, zero-day exploits are effective precisely because the defense is not prepared for cyber weapons. A zero-day exploit is malicious code that exploits a previously unknown or unpatched vulnerability in computing software. The initial variant of the Conficker worm, that has as of now infected approximately 10 million computers, exploited a previousl
n the dancing gnome and get a nasty infection, then we have to design user IT environments and server data connectivity in such a way that we maintain confidentiality, integrity and availability even when some machines in the user base are compromised. Ideally we would continue to strive for prevention, but increase our capabilities in detection by moving away from heuristics and identifying abnormal behaviors, and then create automated responsive processes that allowed components in the IT environment to defend themselves while humans enable greater controls and take deeper protective actions. Until we can embrace this type of security at the system, network and application level, attackers will continue to have the upper hand. We rely on user awareness to solve problems that awareness won't solve, like malware.

What type of developments do you see ahead?

What keeps me up at night is embedded devices and their applications. We have just seen malware that turns small modems and routers into bots, but what happens when the blender, coffee maker, refrigerator and your house are all smart components? We have already seen small-scale infections of automobile computers and cell phones, so what kinds of embedded targets are we creating every day? From the smart energy grid to our dependence on our cell phones, and from embedded network devices to smart appliances, we are going to see a world where all things are connec
nable be successful in the enterprise. We combine credentialed, network and passive vulnerability and configuration auditing into one platform. There are many cases when scanning a network to find security issues is fine. However, you may also need to be able to audit what is going on inside a host. And you may have other situations where you aren't even allowed to touch a network resource for some technical or political reason. In this case we use passive scanning technology, which looks at packets to produce an inventory of systems, applications and vulnerabilities. We feel this blended approach will suit Tenable well for the next five years against new types of security threats, as well as political threats to the audit process as well.

You are very active on the Tenable blog. Has this way of communicating with your clients in any way changed the way Tenable does business? Could a blog post with no marketing hype replace a press release in the future?

The blog is a very unique medium. It allows us to address Nessus home users, Tenable customers, competitors, industry analysts, the media, the government and several other venues all at the same time. We also recently added a professional discussions forum where Nessus users and Tenable customers can exchange information and strategies on using Nessus, gathering logs, performing security audits and much more. A blog post will never replace a
nce the hosting of the files outside of national legislation makes it difficult to act against the server that offers the content, filtering is a method to limit access to it as much as possible.

Members of the BKA justify the law by stating that the greater part of child pornography users are not part of organized child abuse circles, whose members would and will invest time and energy into finding ways of circumventing the filters. Following the reasoning of BKA President Jörg Ziercke, 80% of the users of child pornography websites will be scared off by the "stop" website and give up looking for such content. He classifies the rest of them as hardcore users who will try to find a way to go around the filters. This group, he says, will have to be confronted with other means of investigation. Another argument is the self-regulation of the market: therefore, the reduction of clicks on certain content will equal reduction of demand and, at last, the ebbing of supply.

What supply, the critics are asking, underlining that the largest quantity of child pornographic material is not being traded over websites but within other spheres of the Internet, or even in very traditional ways, by mail. This is especially true for producers of such material who work on a commercial level. The communication between producers and buyers happens on the Internet, but the transport of the material on a DVD is executed by sna
nd acts as an I/O proxy between client applications and the biometric device, meaning that programs cannot directly gain access to the biometric data. In a similar way, the Biometric Framework makes it easier for developers to include biometric security in their applications. Also, there is a new item in the Control Panel which is to be used for managing fingerprints.

The combination of Windows 7 (Vista as well), Server 2008 and certificate lifecycle management means that there are some great opportunities to introduce more simplified yet stronger authentication solutions to your organization, by working with smart cards or smart tokens and rolling out and using certificates from a Microsoft Public Key Infrastructure.

Windows 7 firewall

The Windows Firewall was introduced with Windows Vista and at the time represented a major improvement over XP. As a result it became a more serious competitor in the personal firewall market. Along with the former AntiGen product range, now called Forefront Client Security, this is really a development that requires further attention. Overall, the firewall in Windows 7 is only slightly better than the one in Windows Vista. It still supports filtering for outgoing traffic, as well as application-aware outbound filtering, which gives it full bi-directional control.

Furthermore, the Windows 7 firewall settings are configurable by way of the Group Policy, which simplifi
ng. This prevents employees feigning innocence when they are in breach of clearly communicated policies, and strengthens the company's position in the eyes of the law.

[Screenshot: netstat output listing TCP connections of executables under C:\Documents and Settings\Administrator\Desktop in CLOSE_WAIT, ESTABLISHED and LISTEN states]

Forget about attempting to block tools. There will always be intelligent people who will create or source a new tool to suit their needs. Existing tools can also be manipulated to easily evade detection. In the case of UltraSurf, for example, the use of packers to compress the original payload results in a different hash of essentially the same tool, to obfuscate its appearance. The tool author offering upgrades to a newer version is equally as effective at defeating discovery.

Blacklist or whitelist?

IT practitioners have been conditioned to tackle security issues using a blacklist approach. Blacklisting can be employed but is not advisable, as it requires administrators to constantly monitor new trends and react. Blacklisting is the road to futility. Whitelisting authorized outbound HTTPS traffic is the most practical and proactive option to managing this protocol. Identify
ng system is bound to identify high-risk findings. Encourage management to foster a culture where high-risk findings are permissible, providing remediation contacts and target remediation dates are promptly identified.

IV. Maintenance

Reporting must evolve to adapt to changes in business practices, technology and emerging threats. Keep acceptable risk and compliance ranges tied to a methodology based upon risk and reward, versus tightening ranges as metrics improve. Future phases of development can include feeds from other departments (e.g. audit), inclusion of financial risk reporting and implementation of new metrics.

If a security department does its job well, nothing happens. Business continues to function without disruption or impact. Therein lies the challenge, especially in a tight budget year. Reporting reduces subjectivity and uncertainty. Comprehensive reporting demonstrates the value of the information security program and helps drive future initiatives and funding.

Gideon T. Rasmussen is a Charlotte-based Information Security Vice President with a background in Fortune 50 and military organizations. His website is www.gideonrasmussen.com.

Events around the World

CyberSecurity Malaysia II SecureAsia, Kuala Lumpur, 7 July - 8 July 2009, www.informationsecurityasia.com

Brucon 2009, 18 Sep
nsights to customers about potential threat vulnerabilities and recommending new technologies to enhance email and Web security. Masiello has more than 18 years of e-mail systems and IT management experience, including nearly 10 years of network and security systems management. He is an active member of the international MAAWG (Messaging Anti-Abuse Working Group) organization and is a current co-chairperson of the Zombie and Botnet subcommittees.
nu and placing a checkmark next to the Wireless Toolbar option. As you can immediately determine, this toolbar makes a lot of the configuration options from the AirPcap device readily available from within Wireshark. The only major difference of any concern to us is the added functionality of the decryption section. In order to take advantage of this, you will need to set the Decryption Mode drop-down box to Wireshark and add your appropriate encryption key by clicking the Decryption Keys button, clicking New, selecting the key type and entering the key itself.

[Screenshot: the Decryption Keys dialog, with Type set to WEP and the key 123456 entered, and the Select Decryption Mode control]

The 802.11 header

When you think about it, Ethernet really has it easy. All the MAC layer has to do is worry about a single source and destination address. An 802.11 MAC header, on the other hand, has a lot more going on. The illustration on the following page depicts the basic components of the MAC header.

Frame Control: This section specifies the type and subtype of the MAC frame, as well as other options such as whether or not the packet is a fragment, whether power management is being used, or if WEP encryption is being used. There are three main types of MAC frames. First, management frames are used for tasks such as associating to an access point. Control frames are second, and they are used to control the flow of data and handle things such as acknowledgement packets. Da
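The Frame Control field described above, decoded as an added example (not code from the original article): the first byte carries protocol version, type and subtype, the second byte the flags, including the More Fragments, Power Management and Protected (WEP) bits the text mentions. The sample frame-control values are constructed here for illustration.

```javascript
// Added example, not from the original article: decode the two-byte 802.11
// Frame Control field. Sample values below are constructed for illustration;
// in practice the bytes are the first two of a captured MAC header.
const TYPE_NAMES = ["Management", "Control", "Data", "Reserved"];

// Subtype names for the common frames; anything else is reported numerically.
const SUBTYPE_NAMES = {
  0: { 0: "Association Request", 1: "Association Response", 4: "Probe Request",
       5: "Probe Response", 8: "Beacon", 10: "Disassociation",
       11: "Authentication", 12: "Deauthentication" },
  1: { 11: "RTS", 12: "CTS", 13: "ACK" },
  2: { 0: "Data", 4: "Null" },
};

// bytes: array or Buffer holding at least the first two bytes of the header.
// Byte 0: protocol version (bits 0-1), type (bits 2-3), subtype (bits 4-7).
// Byte 1: To DS, From DS, More Fragments, Retry, Power Management,
//         More Data, Protected (the "WEP" bit), Order (bits 0-7).
function parseFrameControl(bytes) {
  if (bytes.length < 2) throw new Error("frame control needs two bytes");
  const b0 = bytes[0], b1 = bytes[1];
  const type = (b0 >> 2) & 0x03;
  const subtype = (b0 >> 4) & 0x0f;
  const names = SUBTYPE_NAMES[type] || {};
  return {
    version: b0 & 0x03,
    type,
    typeName: TYPE_NAMES[type],
    subtype,
    subtypeName: names[subtype] || `subtype ${subtype}`,
    toDS: (b1 & 0x01) !== 0,
    fromDS: (b1 & 0x02) !== 0,
    moreFragments: (b1 & 0x04) !== 0,
    retry: (b1 & 0x08) !== 0,
    powerManagement: (b1 & 0x10) !== 0,
    moreData: (b1 & 0x20) !== 0,
    protectedFrame: (b1 & 0x40) !== 0,
    order: (b1 & 0x80) !== 0,
  };
}

// Constructed sample frame-control values (first two header bytes of a frame).
const SAMPLE_FRAMES = {
  beacon: [0x80, 0x00],          // management / beacon, no flags
  ack: [0xd4, 0x00],             // control / ACK
  wepDataToAp: [0x08, 0x41],     // data frame, To DS, Protected (WEP) bit set
  fragmentedData: [0x08, 0x04],  // data frame with More Fragments set
};

// Decode every sample into "Type/Subtype [flags]" for a quick overview.
function describeSamples(samples) {
  const out = {};
  for (const [name, bytes] of Object.entries(samples)) {
    const fc = parseFrameControl(bytes);
    const flags = ["toDS", "fromDS", "moreFragments", "retry", "powerManagement",
                   "moreData", "protectedFrame", "order"].filter((f) => fc[f]);
    out[name] = `${fc.typeName}/${fc.subtypeName}` +
                (flags.length ? ` [${flags.join(", ")}]` : "");
  }
  return out;
}

console.log(describeSamples(SAMPLE_FRAMES));
```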
[Table: 802.11 frame types and subtypes, ending with subtype 0000: Data]

This is by no means a definitive guide on analyzing wireless traffic, but it should give you all of the information you need to get off on the right foot. We have covered why capturing layer two traffic is important to effectively analyzing wireless communications, as well as the structure of these 802.11 frames. The best thing you can do with the information presented here is to begin capturing packets on your own wireless networks. Once you start looking at common tasks, such as associating to a network or completing an authentication request, at the packet level, you should really get a sound grasp on what's happening in the air around you.

Chris Sanders is a network consultant based in western Kentucky. Chris writes and speaks on various topics including packet analysis, network security, Microsoft server technologies and general network administration. His personal blog at www.chrissanders.org contains a great deal of articles and resources on all of these topics. Chris is also the founder and director of the Rural Technology Fund (www.ruraltechfund.org), a non-profit organization that provides scholarships to students from rural areas who are pursuing careers in information technology.

by Mirko Zorz

Paul Cooke is the Director of Windows Product Management at
o a set of responses based on an intractably complex physical system. This static mapping is a random assignment, with the randomness coming from the intrinsic variations of the physical system. The function can only be evaluated with the physical system and is unique for each physical instance.

PUFs can be implemented with various physical systems. In the case of RFID, PUFs are implemented on silicon. Silicon-based PUFs (SPUFs) are based on the hidden timing and delay information of integrated circuits (ICs). Even with identical layout masks, the variations in the manufacturing process cause significant delay differences among different ICs. Silicon-based PUFs derive secrets from complex physical characteristics of ICs rather than storing the secrets in digital memory. Since silicon PUFs tap into the random variation during an IC fabrication process, the secret(s) are intrinsic to the silicon itself, are extremely difficult to predict or program in advance of manufacture, and are essentially non-replicable from chip to chip. PUFs thus significantly increase physical security by generating volatile secrets that only exist in a digital form when a chip is powered on and running. This means that an adversary, rather than merely examining an IC's memory to read its stored secret, would instead need to mount an attack while the chip is running and using the secret, a significantly harder proposi
o extract than non-volatile information. With practically unlimited numbers of challenge-response pairs available, each pair can be used only once. This essentially serves as a one-time pad. A side-channel or replay attack would fail, since the adversary cannot predict the challenge and responses to be used for the next authentication event.

Simple, robust authentication. PUFs do not require any complex key storage and cryptographic computation for authentication. PUF challenge-response pairs can be generated and stored at a secure location (or multiple locations) by independent parties that do not share information. Thereafter, it does not matter whether a supply chain was compromised or not: a PUF RFID-tagged product can be authenticated by simply comparing the response generated during an authentication event with the response recorded at the secure location.

Low cost, low power consumption. A PUF circuit is a fairly lightweight addition to the RFID chip. The initial implementation of a basic 64-stage PUF circuit and surrounding control logic added less than 0.02mm² in the 0.18µm technology. PUFs consume minimal extra power. Chip size, cost and power consumption are key market acceptance parameters for RFID. PUF-based RFID enhances the capabilities of basic RFID in a very cost-effective way, even for item-level use.

Summary

PUF-based unclonable RFID provides a simple and robust anti-counterfeiting mechan
oited site or application, the results could be much more sinister. Up to this point there have been several high-profile Clickjacking vulnerabilities identified in widely used applications such as Mozilla's Firefox and Google's Chrome browsers and Adobe's Flash Player. Few serious exploits have been found in the wild taking advantage of these vulnerabilities; however, an absence of an exploit is not intended to minimize the seriousness of the threat. A recent vulnerability found on the popular micro-blogging web site Twitter resulted in unintended messages, or "tweets", being sent out by users who clicked on a web site button labeled "Don't Click" that was actually an exploit of the software flaw. This particular exploit did not result in theft of account credentials or other personal information, but served as a powerful proof of concept that Clickjacking exploits could easily be used for much more malicious purposes than sending out messages through a web site.

Despite their potential for damage, Clickjacking vulnerabilities can be mitigated easily by web site developers as well as end users. One of the methods that site developers can employ is known as "frame busting" JavaScript. Recall that one way Clickjacking manifests itself is through malicious content being rendered on top of legitimate content. If the code sitting behind a web site regularly checks to ensure that the legitimate content layer is al
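A frame-busting check of the kind the text describes, as an added example that is not code from the original article. It is written against a minimal window-like object (the constructed makeWindow helper below, not a real DOM) so that it runs outside a browser; in a real page the call is frameBust(window) at the top of the document.

```javascript
// Added example, not from the original article: frame-busting check.
// Script-based frame busting can be defeated by some framing tricks; a
// response header that forbids framing (X-Frame-Options) is the stronger
// control, with a script like this as a fallback for older browsers.

// True when the document is rendered inside another frame, i.e. the outermost
// window is not our own. Comparing the references is permitted even when the
// outer frame belongs to another origin.
function isFramed(win) {
  return win.top !== win.self;
}

// Returns what was done: "top" (already top-level, nothing to do), "busted"
// (the outermost window was navigated to this page's own URL, so the page no
// longer sits underneath foreign content) or "blocked" (the navigation threw,
// as a restricted parent can make it do; the page then hides its own body so
// there is nothing for a hijacked click to land on).
function frameBust(win) {
  if (!isFramed(win)) return "top";
  try {
    win.top.location.href = win.self.location.href;
    return "busted";
  } catch (e) {
    if (win.document && win.document.body) {
      win.document.body.style.display = "none";
    }
    return "blocked";
  }
}

// Constructed stand-in for the browser's window objects (not a real DOM).
// framed: render the page inside a foreign top window.
// hostile: make navigation of that top window throw, as a restricted parent
//          would, to exercise the fallback path.
function makeWindow({ framed = false, hostile = false } = {}) {
  const self = {
    location: { href: "https://example.test/account" },
    document: { body: { style: { display: "block" } } },
  };
  let top = self;
  if (framed) {
    top = { location: { href: "https://framing-site.example/overlay" } };
    if (hostile) {
      Object.defineProperty(top.location, "href", {
        get() { return "https://framing-site.example/overlay"; },
        set() { throw new Error("SecurityError"); },
      });
    }
  }
  self.self = self;
  self.top = top;
  return self;
}

// Exercise all three outcomes.
function demo() {
  return {
    topLevel: frameBust(makeWindow()),
    framed: frameBust(makeWindow({ framed: true })),
    hostile: frameBust(makeWindow({ framed: true, hostile: true })),
  };
}

console.log(demo());
```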
omes to providing the most user-friendly and quality member services on a global basis.

Security is often overlooked, and with the recession biting the budget out of every section of the enterprise, how should a company approach savings in this department?

Security must be viewed as a total cost of operation that has a positive ROI in the long run. This is a difficult area to assess because it requires so many assumptions, thus the estimate of overall ROI becomes quite subjective. More tangible results can be found by looking at research figures, some of which estimate that data breaches up to around 100,000 records have risen to over $200 per record, a figure which mostly accounts for administrative costs for remedying the breach. A step that is often overlooked in the calculations is that a breach can actually be fatal to a company, particularly in today's economy with competition being very fierce. Reputation is everything. Determining adequate security is a tricky business that involves saving dollars, but sometimes it involves saving your company. Ask yourself the question: How much risk can I afford? $20 million will buy a lot of security protection.

What security threats should be most important to organizations of any level this year?

While most IT attacks today are for monetary gain, the type of threat depends in part on the type of organization. For companies such as banks it's abo
...ompleting his Ph.D. at University of California, Berkeley. He received his Bachelor's degree in Electrical Engineering from IIT Madras, India.

Stay Ahead of the Compliancy Curve

The need to maintain regulatory compliance by securing consumer and business-critical data is at the forefront in every financial institution today. Security breaches, reduced consumer confidence, negative publicity and millions in lost revenues and fines are happening at record rates. SSH Communications Security has been protecting file transfers and data in transit with strong encryption, robust authentication, centralized security management and audit data support for over a decade with time-tested, proven technology that works. Visit www.ssh.com to register for our SSH Tectia Webinar Series. Our SSH Tectia security solution secures passwords, mission-critical data and network-based applications without modification to the existing infrastructure or applications, in environments including IBM Mainframes, UNIX, Linux and Windows systems. SSH Tectia features centralized management for internal and external auditing to help maintain regulatory compli...
...on Control Policies.

[Figure: Local Group Policy Editor showing Application Control Policies > AppLocker with the Executable Rules, Windows Installer Rules and Script Rules collections, and the AppLocker Properties dialog (Enforcement tab) where each rule collection can be set to "Enforce rules but allow setting to be overridden" or "Audit only". The Configure Rule Enforcement pane notes that after you create rules you must configure the enforcement for each collection, and that rules within a rule collection are enforced by default.]

...new AppLocker policies. Windows 7 provides you with AppLocker in Group Policies, which means that administra...

You can find it here: Computer Configuration > Windows Settings > Security Settings > Applicatio...
...ontent encoding method used by the web browser. We can configure this in two places. Firstly, in the HTTP response header:

Content-Type: text/html; charset=utf-8

And secondly in the Meta tags:

<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-8">

This will ensure that the browser correctly encodes your data. The final point to remember when you are implementing output validation is length validation. As we saw for input validation, we should define the minimum and maximum lengths for all of our data.

Error handling

Every application will eventually have to deal with an exception, and it is vital that these are handled securely. If an attacker can force exceptions to occur and you fail to correctly handle these situations, you will expose sensitive information about the inner workings of the application. These detailed error messages will help attackers build a picture of your application and fine-tune their attacks. An attack such as an SQL Injection will become significantly easier to exploit if an attacker can view the internal server error messages. I have included an example of an attempted attack and the unsanitized error message that is returned to the attacker below.

http://www.examplesite.com/home.html?day=Monday AND userscolumn=2

You can see that the attacker appended "AND userscolumn=2" onto the URL to test for an SQL Injection vulnerability. The attacker...
...or best-of-breed companies
  o Its likely ASM path
  o The time frame expected for the stage it is in
  o Their investment ratio
• Circumvent the traditional curve to accelerate activities. By understanding their current location, companies can then decide how to influence their own curve. For example, a CIO may aggressively avoid the "Pit of Despair" stage by embracing the proper mix of investments in tools, technology, people and processes. That CIO may use the graph and the organization's current plot to help influence security investments, demonstrating the potential changes to curves as a result of too little or too late investment in all aspects of security.
• Chart the ASM path along the curve over time. A critical aspect of any security program is auditing systems, and charting the progress of the organization's dedication to security should also be undertaken. By periodically plotting the company's location on the ASM Model, a company can track its improvements as well as its efforts in relation to the average curve.

The easiest way to begin is with a self-assessment. Ask yourself where your organization is in respect to the T&T and P&P analysis areas:
1. Version control
2. Source code scanning
3. Defect Management
4. Test Automation
5. Web Security vulnerability scanning
6. Application layer security mitigation (e.g. a Web application firewall)
7. Secure SDLC activities for development...
...ore license fees for Microsoft and more potential security gotchas for the CIO. He also said that he thinks it is astonishing that current PCI regulations do not require end-to-end encryption. Homa also added that he believes there's no such thing as a secure network: "If you think your network is secure, you're delusional."

That brings us back to our risk-based plan to protect data itself rather than focusing all our attention on securing the systems that the data resides on. Most data breaches are caused by external sources, but breaches attributed to insiders, though fewer in number, typically have more impact than those caused by outsiders. Nearly three-quarters of the breaches examined in the Verizon Business 2008 Data Breach Investigations Report (bit.ly/ADwCy) were instigated by external sources. Just 18 percent of the breaches were caused by insiders, but the insider incidences were much larger in terms of the amount of data compromised. The average number of records per breach was approximately 1.2 million.

The cases included in this study encompass an astounding 230 million compromised records; a large portion of publicly disclosed records were breached during the four-year time frame of the study. The median, however, is much lower at 45,000, indicating a skew in the dataset toward a few very large breaches. Even so, over 15 percent of c...
...ou opening the PDF document. Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so it will execute the buggy code and trigger the vulnerability, just like it would when you would explicitly open the document. In fact, we could say that the document is opened implicitly because of your actions with Windows Explorer. You can find a movie on my website where I demonstrate three circumstances under which a PDF Shell Extension will act and thereby trigger the vulnerability.

[Figure: Windows Explorer listing showing "Metadata hoover demo.pdf" (2 KB, Adobe Acrobat Document) next to a 0 KB Text Document, with Date Modified and Title columns]

When you install Adobe Reader, a Column Handler Shell Extension is installed. A column handler is a special program (a COM object) that will provide Windows Explorer with additional data to display in extra columns for the file types the column handler supports. The PDF column handler adds a few extra columns, like the Title. When a PDF document is listed in a Windows Explorer window, the PDF column handler shell extension will be called by Windows Explorer when it needs the additional column info. The PDF column handler will read the PDF document to extract the necessary info, like the Title, Author, etc.

One important detail you have to know: when the exception occurs in the Adobe Acrobat code, it is trapped by Wind...
...out your brand recognition lately? If you are a company that is just starting out and you want to get your brand out to the masses, social media is perfect for this task. Even if you are an established brand, having your brand noticed on social networks can give you an advantage over your competition with instant recognition. As a customer, I am usually looking for ways to quickly let a business know of a problem or to provide feedback on a product or service. With social media this feedback can be instant. Take Twitter, for example. If your company has a Twitter account (even better when tied to your brand), you can literally receive feedback within minutes, while other technologies like email, telephone and snail mail can take much longer to interact with customers.

We talk a lot about risks and threats in the normal security world, but how do these same issues carry over to the world of social media? Social media is just another outlet to promote your business and interact with your customers. Using a social network to interact with customers adds more of a personal touch to the customer service experience. Here is a great example: I had to return a defective product and was a little upset about the item breaking, so I sent a message on Twitter complaining about the problem. Although I didn't direct this message toward the company, I received an instant reply from someone that worked in the company's custo...
...over time, in some companies for as little as 12 months, in most over a span of 3-5 years. The combined ten-year experience of the Security Innovation team and its academic predecessor means that we have access to, and continually generate, a wealth of information about how organizations approach the software security challenge. By analyzing all of our primary data it became evident that there are two critical categories of investments that can impact how well any company meets the challenge.

Technology & Tools (T&T)

These investments include the various software tools and applications an organization licenses or acquires to secure software during all stages of the software development life cycle (SDLC), from creating application or system requirements through final deployment. This is typically the area where most organizations, when faced with the threat of a security breach or looming regulatory pressures, first invest their dollars. Specific investment in this area includes tools for:
• Version control
• Source code scanning
• Defect Management
• Test Automation
• Web Security vulnerability scanning
• Application layer security mitigation (e.g. a Web application firewall)

In each area above organizations were analyzed for both depth and breadth of application; for example, in source code scanning, organizations were examined on several factors including...
...ow and logs prior to any deletion or truncation step. Hash algorithms are one-way functions that turn a message into a fingerprint, a binary string at least twenty bytes long, to limit the risk of collisions. The Payment Card Industry Data Security Standard (PCI DSS) provides standards for strong encryption keys and key management but is vague in different points regarding hashing. Hashing can be used to secure data fields in situations where you do not need the data to do business and you never need the original data back again. Unfortunately a hash will be non-transparent to applications and database schemas, since it will require a long binary data type string. An attacker can easily build a rainbow table to expose the relation between hash values and real credit card numbers if the solution is not based on HMAC and a rigorous key management system. Salting of the hash can also be used if data is not needed for analytics.

Done properly, data classification begins with categorization of the sensitivity of data, i.e. public, sensitive, confidential, etc. Classification goes on to include the type of data being classified, for example "sensitive marketing program", and where applicable the countries to which the data classification applies. The classification allows the organization to automate the routines for flagging, removing or archiving applicable data. Pay particular attention when automating...
...ows Explorer without any alert. That's why in the demos I attached a debugger (ODBG) to Windows Explorer to intercept and visualize this exception. So each time the vulnerability triggers, the view switches to the debugger to display the exception.

In the first demo, I just select the PDF document with one click. This is enough to exploit the vulnerability, because the PDF document is implicitly read to gather extra information.

[Figure: Windows Explorer window for C:\Demo PDF with the JBIG2Decode PoC PDF file (Adobe Acrobat Document) selected and the File and Folder Tasks pane shown]

In the second demo, I change the view to Thumbnails view. In a thumbnail view, the first page of a PDF document is rendered to be displayed in a thumbnail. Rendering the first page implies reading the PDF document and hence triggering the vulnerability.

[Figure: Windows Explorer window for C:\Demo PDF with the View menu open, switching from Tiles to Thumbnails]

In the third demo, I use a special PDF document with the malformed stream object in the metadata...
...pher text from previously encrypted blocks of data will be used in the encryption of the next block. By default, Windows 7 BitLocker Drive Encryption uses AES encryption with 128-bit encryption keys and the Diffuser.

BitLocker in the enterprise environment

There can be circumstances where you have to remove a hard drive from one machine and install it into another computer. For example, the laptop display is damaged and the support organization has a spare computer for the affected user. This can, however, be a problem, since a blueprint of the original system will have already been created because the TPM and the hard drives are logically connected to each other on that specific machine. The encryption keys with which to decrypt the volume are also stored in the TPM of that particular device, so how can this problem be resolved?

When BitLocker was enabled in Windows Vista, we could use the recovery mode, which required the generation of a recovery key. That key is specific to that one machine, meaning that there will be one for every computer in a company. Enterprise organizations will need the infrastructure with which to manage and store all of the specific recovery keys in the Active Directory. The reality is that within large businesses such maintenance can be a painful exercise in terms of manageability.

[Figure: Console1 - Console Root > Local Computer Policy > Computer Configuration > Windows Settings > Security S...]
...pport the Linux Wireless Extensions interface, so that you can configure them directly from a command shell with no additional software required. In order to determine if the wireless NIC you are using is supported by these wireless extensions, you can use the command iwconfig. As you can see in the iwconfig output below, the eth1 interface supports Linux Wireless Extensions and displays information about the current configuration of the wireless NIC. We can easily see that the card is associated to a network with an SSID of SANDERS and that the card is in managed mode. In order to change the card to monitor mode, switch to a root shell and use this command:

iwconfig eth1 mode monitor

You can verify the mode of the wireless NIC by running the iwconfig command once more. At this point you should be able to capture the appropriate data link layer wireless information.

[Terminal: Shell - Konsole <2>]
# iwconfig
          no wireless extensions.
          no wireless extensions.
eth1      IEEE 802.11g  ESSID:"wildcat"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:13:60:CE:CE:63
          Bit Rate:54 Mb/s   Tx-Power:20 dBm   Sensitivity=8/6
          Retry limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=82/100  Signal level=-49 dBm  Noise level=-90 dBm
          Rx invalid nwid:0  Rx invalid crypt:  Rx invalid frag:0
          Tx excessive retries:0
rtap0     no wireless extensions.
# iwconfig eth1 mode ...
...press release, because there are many business partners and media outlets whose primary source of information is reading press releases. However, most customers and Nessus users don't really read press releases.

As a company, what challenges does Tenable face in the marketplace? What do you see as your advantages, especially with the economic downturn?

Tenable is in its sixth year of business. We've had tremendous growth each year and consistently increased our Nessus and enterprise customers along the way as well. Our biggest strength is execution. Our products continually get better. We have been able to add features such as auditing anti-virus configurations, MS SQL database settings and searching for social security numbers in documents to Nessus without a performance hit or a cost increase to our customers. In the same way, our enterprise products have also grown. Our main management console, the Security Center, was the first traditional vulnerability scanning platform to be certified by the government to perform configuration audits. Our log analysis products now gather, compress and search logs just as fast, if not faster, than our competitors. As the economy has had a downturn, this has helped Tenable. Our existing customers have always recognized all of our different types of enterprise products, but now with limited budgets organizations are finding they can perform scanning, patch auditing, log analysis, corre...
...pting all services. This ease of conscription of cyber infantry and ability to launch high-volume attacks confer a considerable advantage to the offense.

Duality of knowledge

Cyber warfare, unlike other forms of conventional and unconventional warfare, is solely a knowledge-based activity. Weapons and fortifications are virtual, and access to expensive physical resources is not needed. During the Cold War, a nation-state's military power was measured by its conventional or nuclear arsenal. To build a conventional and nuclear arsenal, large investments in raw materials, human capital and money were required. In contrast, with cyber warfare the only resources required are access to computer hardware, an Internet connection and knowledge in computer science. Further, the knowledge used to build fortifications such as firewalls or intrusion detection systems can be easily used to create weapons designed to bypass and defeat these fortifications. This type of dual-use knowledge appears to favor the offense, in that the adversary will be incapable of distinguishing between offensive and defensive postures. Further, this type of dual-use knowledge aptly describes the security dilemma that occurs when one state's enhanced security measures result in a loss of security for its rivals. In cyber warfare, as defenders build online fortifications, rivals are threatened because defenders have also d...
...ption keys can provide the most cost-effective solution for an organization with multiple locations, heterogeneous operating systems and databases. All standards now require rotation of the Data Encryption Keys (DEKs) annually, and some organizations choose to rotate some DEKs more frequently, such as on a disconnected terminal outside the corporate firewall, for example a Point of Sale system. Manual key rotation in a point solution would require an individual to deliver and install new keys every year on all the servers. Automated key rotation through a central key management system reduces most of this cost and can potentially reduce the down time. Distributed point solutions for key management would include an initial investment for each platform integration effort, plus maintenance and operation of several disparate solutions. It is our experience that manual key rotation in a point solution environment inevitably leads to increased down time, increased resource requirements and rework. Key management and key rotation is an important enabler for several of the protection methods discussed above.

Centralized management of reporting and alerting can also provide a cost-effective solution for an organization with multiple heterogeneous operating systems and databases. This solution should track all activity, including attempts to change security policy, and keep encrypted logs to ensure evidence-quality auditing. Just a...
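The keyed hashing the earlier hashing passage calls for (HMAC rather than a bare hash, so that a precomputed table of hashed card numbers is useless without the key) and the key rotation discussed here can be shown together. This added Python example is not the article's code: `KeyManager` is a constructed stand-in for a central key management system, the `v<n>:<hex>` fingerprint format is an assumption made here so that every stored value records which key version produced it, and the card numbers are the standard test numbers, not real cards.

```python
"""Keyed hashing of card numbers under versioned, rotatable keys.

Added example, not the article's code. KeyManager is a constructed stand-in
for the central key management system the text describes; the card numbers
are constructed sample values; the fingerprint format 'v<n>:<hex>' is an
assumption made here so that each stored value records which key produced it.
"""
import hashlib
import hmac
import secrets


class KeyManager:
    """Versioned HMAC keys. rotate() creates a new current key but keeps the
    old ones, so fingerprints made under an earlier version stay verifiable
    until they are re-hashed under the current key."""

    def __init__(self):
        self._keys = {}
        self.current = 0
        self.rotate()

    def rotate(self):
        """Create and activate a new key version; return its number."""
        self.current += 1
        self._keys[self.current] = secrets.token_bytes(32)
        return self.current

    def key(self, version):
        return self._keys[version]


def fingerprint(km, pan, version=None):
    """HMAC-SHA-256 of the PAN (32 bytes, above the twenty-byte minimum the
    text mentions) under the given or current key version, as 'v<n>:<hex>'."""
    v = km.current if version is None else version
    mac = hmac.new(km.key(v), pan.encode(), hashlib.sha256).hexdigest()
    return f"v{v}:{mac}"


def matches(km, pan, stored):
    """Check a PAN against a stored fingerprint using the key version it names."""
    v, _, mac = stored.partition(":")
    expected = fingerprint(km, pan, int(v[1:])).partition(":")[2]
    return hmac.compare_digest(expected, mac)


def rehash_after_rotation(km, pan, stored):
    """Re-fingerprint a value under the current key; only values that still
    verify under their old version are migrated."""
    if not matches(km, pan, stored):
        raise ValueError("stored fingerprint does not match this PAN")
    return fingerprint(km, pan)


def unkeyed_fingerprint(pan):
    """Plain SHA-256: a deterministic function of the PAN alone."""
    return hashlib.sha256(pan.encode()).hexdigest()


def resolvable_by_lookup_table(stored_digests, candidate_pans, digest_fn):
    """Defender's model of the lookup/rainbow table risk: precompute digest_fn
    over candidate numbers and see which stored values it resolves. Without
    the HMAC key the keyed digests cannot be precomputed, so none resolve."""
    table = {digest_fn(p): p for p in candidate_pans}
    return {d: table[d] for d in stored_digests if d in table}


# Constructed sample card numbers (the standard test numbers, not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "4012888888881881"]


def demo():
    """Return (unkeyed values resolved, keyed values resolved, key version
    after one rotation, migrated fingerprints)."""
    km = KeyManager()
    keyed = [fingerprint(km, p) for p in SAMPLE_PANS]
    unkeyed = [unkeyed_fingerprint(p) for p in SAMPLE_PANS]
    hits_unkeyed = resolvable_by_lookup_table(unkeyed, SAMPLE_PANS, unkeyed_fingerprint)
    hits_keyed = resolvable_by_lookup_table(
        [k.partition(":")[2] for k in keyed], SAMPLE_PANS, unkeyed_fingerprint)
    km.rotate()
    migrated = [rehash_after_rotation(km, p, k) for p, k in zip(SAMPLE_PANS, keyed)]
    return len(hits_unkeyed), len(hits_keyed), km.current, migrated


if __name__ == "__main__":
    print(demo())
```

Keeping old key versions readable is what makes annual rotation a background job instead of an outage: new records get the current version, and existing fingerprints are migrated as they are touched. Note the trade-off the text mentions for salting: a per-record salt would defeat the lookup table too, but then two records holding the same card number no longer hash to the same value, so the column can no longer be joined or counted on.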
...r. The secure browsing function alone would be enough for me to get this handy device. Let's start.

IronKey installation

IronKey's packaging reminds me of Apple's concept: a dark box with simple insides that contain a metal-cased device. In addition to the device you get a folded instructions booklet and a lanyard. IronKey works on multiple operating systems: Microsoft Windows 2000, XP and Vista, Linux 2.6 and Mac OS X 10.4. The Windows usage offers the maximum from IronKey, while on Linux and Macs you will be able just to use it for secure storage. My operating system of choice for this review was Microsoft Windows XP.

[Figure: IronKey control panel, Applications menu listing Secure Files, Secure Backup, my.ironkey.com, Settings, Online Help and Lock Drive]

The first stage of the installation process is done locally on your computer, and you will need to initialize the device. The process is fairly straightforward: after entering the nickname for the device you need to set up a password. There aren't any special positive enforcement limitations like with some secure flash drives; the password just needs to be at least four characters long and you don't need to punch in any special characters or uppercase characters. If you are initializing the gadget from a non-trusted computer you can use the virtual keyboard icon located near the password input field and you won't need to worry about keylogge...
In his seminal article "Cooperation Under the Security Dilemma", Robert Jervis notes that many of the means by which a state tries to increase its security decrease the security of others. This is particularly true when a nation-state adopts strategies, tactics and weapons that are perceived to favor the offense. Jervis also notes that whether defensive weapons and policies can be distinguished from offensive ones, and whether the defense or the offense has the advantage, determine the likelihood of instability and conflict in the international system. As the US and other nation-states debate how to integrate cyber warfare strategies, tactics and weapons into their arsenals, the framework of analysis provided by the security dilemma may help determine whether or not instability and war are more or less likely.

This article seeks to test the perception that currently there is little to no ability to defend against these attacks. If this perception, that cyber warfare favors the offense at the expense of the defense, takes root among national security policy makers, then the prospects for global instability will likely increase. A careful assessment of cyber warfare in the context of the security dilemma and the balance between offense and defens...
...r the model is based on:

Extensive software security research at Florida Institute of Technology (FIT). Led by Dr. James Whittaker, FIT project teams examined the security issues of software development processes as well as the underlying testing procedures and processes that were failing to catch so many critical software bugs. This work began in 1999, and conclusions were drawn from direct exposure to the tools, developer mindset and skill set, and development processes used.

In-depth consulting engagements with Security Innovation clients. Security Innovation was founded by Dr. Whittaker in 2002 and since its inception has expanded on the initial FIT research. The company's staff of security experts has helped understand, assess and classify thousands of software bugs. Its employees have written books and created methodologies adopted by leading software developers. As with the initial FIT research, the knowledge and expertise from Security Innovation staff comes from real-world experience.

Detailed analysis of data collected via interviews and SDLC (software development lifecycle) assessments. This data was collected from over 200 organizations, many of which are Fortune or Global 500 companies. Interview data was validated and expanded upon by direct inspection and inquisition of tools, systems and staff. In each case, baseline metrics were defined and tracked...
...re solution to combine universal Format Preserving Tokenization, encryption and unified key management in one platform-agnostic package. The product is for enterprises that need to protect volumes of personally identifiable information and payment card numbers from theft while simplifying compliance management.

QualysGuard PCI Connect is the industry's first SaaS ecosystem for PCI compliance, connecting merchants to multiple partners and security solutions in order to document and meet all 12 requirements for PCI DSS. It is an on-demand ecosystem bringing together multiple security solutions into one unified end-to-end business application for PCI DSS compliance and validation. As a new addition to the QualysGuard PCI service, PCI Connect streamlines business operations related to PCI compliance and validation for merchants and acquirers, all from a combined collaborative application with automated report sharing and distribution.

Aladdin Knowledge Systems announced Aladdin eToken PRO Anywhere, the first smartcard-based strong authentication solution to combine the security of certificate-based technology with plug-and-play simplicity for end users. The device enables remote access with strong two-factor authentication from any computer with an Internet connection and USB port. A clientless device, eToken PRO Anywhere eliminates the need to install end-point software for remote access pro...
...ring. The threat from internal sources, including administrators, will require solutions that go beyond traditional access controls. Effective encryption solutions must provide separation of duties to prevent a DBA from getting hold of the keys. A centralized solution can also provide the most cost-effective strategy for an organization with a heterogeneous environment. Although some of the legal, data privacy and security requirements can be met by native DBMS security features, many DBMSes do not offer a comprehensive set of advanced security options; notably, many DBMSes do not have separation of duties, enterprise key management, security assessment, intrusion detection and prevention, data-in-motion encryption and intelligent auditing capabilities. This approach is suitable for protection of low-risk data.

Tokenization

The basic idea behind tokens is that each credit card number that previously resided on an application or database is replaced with a token that references the credit card number. A token can be thought of as a claim check that an authorized user or system can use to obtain the associated credit card number. Rule 3.1 of the PCI standard advises that organizations "Keep cardholder data storage to a minimum". To do so, organizations must first identify precisely where all payment data is stored. While this may seem simple, for many large enterprises it is a complicated task because the data discovery process can't...
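An added example (not the article's code) of the claim-check idea in Python: a small vault that hands out format-preserving tokens, returns the same token for the same card number so downstream reporting still works, and only exchanges a token back for the PAN when the caller holds an authorized role, which is the separation of duties the passage asks for. `TokenVault`, its role names and the sample card numbers are constructed for illustration.

```python
"""Token vault: replace card numbers with claim-check tokens.

Added example, not code from the article. TokenVault, its role check and the
sample card numbers are constructed for illustration; a real vault is a
separate, access-controlled service with its own key management.
"""
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check: true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to tokens and back. Only the vault holds the mapping; the
    applications that receive tokens never see the PAN."""

    # Constructed role model: separation of duties means a DBA or an ordinary
    # application role cannot exchange tokens back into card numbers.
    DETOKENIZE_ROLES = {"payment-processor"}

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    @staticmethod
    def _random_token(pan):
        """Format-preserving: same length, digits only, last four kept so
        receipts and customer service still work, the rest random."""
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        return body + pan[-4:]

    def tokenize(self, pan):
        """Return the token for a PAN, minting one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:          # same PAN -> same token, so
            return self._pan_to_token[pan]     # joins and counts still work
        while True:
            token = self._random_token(pan)
            # A token must not collide with another token, and it must fail
            # the Luhn check so it can never be mistaken for a real PAN.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token, role):
        """Exchange the claim check for the PAN; only authorized roles may."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    t = vault.tokenize("4111111111111111")   # constructed sample PAN
    print(t, vault.detokenize(t, "payment-processor"))
```

Because the token keeps the length and the last four digits of the original, it drops into existing column definitions and screens unchanged, which is what lets cardholder data be removed from most systems without touching them; the one place that must be hardened is the vault itself.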
...rivacy Edition (DT VP) USB Flash drive is now compatible with Mac OS X. Data onboard the DTVP is secured by hardware-based on-the-fly 256-bit AES. The drive has fast data transfer rates and is protected from brute force attacks by locking down after 10 unsuccessful login attempts. The DT VP is made of aluminum and is waterproof up to a depth of four feet. www.kingston.com

Organize and secure audit data with Secure Audit Vault

Kinamik Data Integrity launched the Secure Audit Vault, a tool that organizes and secures audit data for supporting auditing, control, compliance and e-discovery processes. www.kinamik.com

Nintendo partners with Astaro for Web security

Astaro will use its content filtering technology to deliver an Internet security service for the new Nintendo DSi Browser. The Nintendo DSi Browser can be downloaded onto the Nintendo DSi and offers users mobile internet access. Consumers can then opt into Astaro's internet security service by adjusting their browser settings. Nintendo will use Astaro's content filtering and Web security technology to provide additional parental control services to its customers and protect the Internet browsing experience for younger users. www.astaro.com

Establishing your social media presence with security in mind
by Tom Eston

Social media and social networking is the fastest growing technology tha...
...rotection of high-risk data is discussed below. Experience from some organizations has shown that the added performance overhead for this type of database encryption is often less than 5%. However, before deciding on any database file encryption solution you should test its performance in the only environment that matters: your own.

End-to-end encryption is an elegant solution to a number of messy problems.

Field-level encryption and end-to-end encryption

Field-level (full or partial) encryption or tokenization can provide cost-effective protection of data fields in databases and files. Most applications are not operating on, and should not be exposed to, all bytes in fields like credit card numbers and social security numbers, and for those that do require full exposure, an appropriate security policy with key management and full encryption is fully acceptable. This approach is suitable for protection of high-risk data.

Continuous protection via end-to-end encryption at the field level is an approach that safeguards information by cryptographic protection (or other field-level protection) from point of creation to point of deletion, to keep sensitive data or data fields locked down across applications, databases and files, including ETL data loading tools, FTP processes and EDI data transfers. ETL (Extract, Transform and Load) tools are typically used to load data into a data warehousing environm...
...rs. I would suggest selecting the "Backup my password online in case I forget it" checkbox, as it can prove to be invaluable when bad karma strikes.

[Figure: IronKey control panel with two default applications]

After punching in the initial data, the setup process will take a few minutes before you are prompted to go online. Activation is completed after successfully creating an online account located on https://my.ironkey.com. By the way, in the installation process you might come across an alert box saying your autorun.inf has been altered and that it is suggested to scan the computer and IronKey for viruses. I looked into this in detail and it proved to be a false alarm. Now back to the online part of the activation process.

IronKey online activation stronghold

Activating IronKey's online account is not mandatory, but it is undoubtedly a good way to go. By creating an account and linking it to your device you can harness the full power of IronKey: backing up your passwords online, requesting the lost device authorization phrase, as well as doing a secure update with newly released software. The company updates the software from time to time. In late April they did a major update and it brought some changes mentioned later in the article.

[Figure: IronKey Login form, Username: insecuremag, Password: ********]

The online step-by-step activation guide is one of the most impressive of its kind. I was positi...
208. Vulnerability names, grouped by secure development area:

Input Validation: rve OS Command Structure; Failure to Constrain Operations within the Bounds of a Memory Buffer; Cross Site Scripting; Injection Flaws; Malicious File Execution; Cross Site Scripting; SQL Injection; Content Spoofing; Failure to Control Generation of Code; Client Side Enforcement of Server Side Security

Output Validation: Cross Site Scripting; Cross Site Scripting; Improper Encoding or Escaping of Output; Failure to Preserve Web Page Structure

Error Handling: Information Leakage and Improper Error Handling; Information Leakage; Error Message Information Leak

Authentication and Authorisation: Broken Authentication and Session Management; Insufficient Authorisation; Insufficient Authentication; Improper Access Control; Hard Coded Password; Abuse of Functionality; Insecure Permission Assignment for Critical Resource; Execution with Unnecessary Privileges

Session Management: Broken Authentication and Session Management; Cross Site Request Forgery; Cross Site Request Forgery; Use of Insufficiently Random Values

Secure Communications: Insecure Communications; Use of a Broken or Risky Cryptographic Algorithm; Cleartext Transmission of Sensitive Information; Use of Insufficiently Random Values

Secure Resource Access: Insecure Direct Object Reference; Failure to Restrict URL Access; Predictable Resource Location; External Control of File Name or Path; Untrusted Search Path

Secure Storage: Insecure Cr
209. s. Representatives of the music industry have already shown high interest in the new German law and claimed that file-sharing websites should be banned from the net as well. This has already happened, in part, with the Pirate Bay website in Sweden and Denmark. In Finland, Internet activist Matti Nikki's website, on which he informs the public about censorship on the Internet, became the target of the national filter regime after he got hold of and hosted the block list of the responsible police agency.

In Germany the current debate is not the first regarding Internet filtering. In 2002 public authorities managed to block two websites that were hosted in the USA and contained neo-nazi material. The result? Thanks to the available information about methods of bypassing filters, these two websites had even more visitors than before.

Daniel Oppermann is a political scientist from Germany currently writing his PhD thesis on Internet Governance, Cybercrime and Internet filtering. He is a research fellow at the Observatorio Politico Sul-Americano in Rio de Janeiro and can be reached at dan.oppermann at gmail.com.

A risk-based, cost-effective approach to holistic security
by Ulf Mattsson

Data security plans often center around the "more is better" concep
210. s. LinkedIn is a social network specifically for building business relationships and providing professional networking. There are two interesting aspects of LinkedIn that may hold very specific information about your company: LinkedIn groups and company profiles.

LinkedIn groups can be created by anyone and can be about virtually any topic. Most of the groups out there are focused on current and former employees, college networks, recruiting and marketing. You can do a search for your company by clicking on Search Groups at the top of the main LinkedIn page. When searching for group information, try the different ways your company name may be displayed or known. Based on your results, look at each group carefully; you might be surprised at some of the information you find.

The next area of LinkedIn that may have juicy information about your company is the company profile pages. To search for your company profile, simply click on Search Company at the top of the main LinkedIn page. Just as when searching for company-specific groups, you might be surprised at the wealth of information about your company in these profiles.

Just like groups, company profiles can be created by anyone and can contain information and details about your company. One thing you may not know is that these company profiles act as Wiki-type pages, where anyone on LinkedIn with a verified company email address can make changes
211. s time and solves a bunch of other issues, and minimizes the additional problems you can sometimes see with other disk encryption products, where you have to decrypt the disk first.

To encrypt the drive, BitLocker uses either the Trusted Platform Module (TPM) chip in the computer (version 1.2 or higher) or a removable USB memory device such as a flash drive. If your machine doesn't have a TPM chip available, BitLocker will store its encryption and decryption key on the flash drive, so that it is separate from your hard disk.

BitLocker Drive Encryption seals the key that protects the volume in the TPM 1.2 chip, under the TPM's so-called SRK or Storage Root Key. That sealed key (the volume master key) encrypts the FVEK, the Full Volume Encryption Key that actually encrypts the sectors; the encrypted FVEK is stored on the hard drive in the operating system volume. Every time you boot, the TPM conducts an integrity check of specific boot components and only releases the key if they haven't been changed. What's more, there is also the option to save a Recovery Key, which is necessary in the event that the USB flash drive is lost, because otherwise it wouldn't be possible to access your data.

Overall, BitLocker has three modes of operation:

Transparent operation mode: To provide a solution that is enterprise-ready, the Trusted Platform Module (TPM) 1.2 chip is used, and required, to store the keys which encrypt and decrypt sectors on the hard drive.

User authen
212. s a complete listing of, and rapid access to, data that meets the defined criteria used in the scanning and classification process. Most often the indices created for files or data reflect the classification schema of data sensitivity, data type and geographic region. High-risk data residing in places where many people can (or could) access it is obviously data that needs the strongest possible protection.

When the classification schema is linked to the retention policy as described above, retention action can be taken based on file indices. Additionally, the reports based on the indices can be used to track the effectiveness of the data retention program.

While we're discussing data retention policies, it's important to remember that data disposal also needs to be a secure process. Usually you'll opt to delete, truncate or hash the data the enterprise no longer needs to retain. Truncation discards part of the input field. These approaches can be used to reduce the cost of securing data fields in situations where you do not need the data to do business and you never need the original data back again. It is a major business decision to destroy, truncate or hash the data: your business can never get that data back again, and it may be more cost-effective to transparently encrypt the data and not impact current or future business processes. In addition, the sensitive data may still be exposed in your data fl
213. s randomly chosen challenges to obtain unpredictable responses. The trusted party stores these challenge-response pairs in a database for future authentication operations. This database is indexed by the unique identifier normally associated with each RFID and/or product, for example an EPC code that is stored in non-volatile memory on the RFID. The identification of the RFID and product is based on this conventional identifier.

To check the authenticity of an RFID and the associated product later in the field, the trusted party selects a challenge that has been previously recorded but has never been used for an authentication check operation, and obtains the PUF response from the RFID. If the response matches (i.e. is close enough to) the previously recorded one, the RFID is authentic, because only the authentic IC and the trusted party should know that challenge-response pair. To protect against replay by a man in the middle who has recorded an earlier exchange, challenges are never reused. Therefore the challenges and responses can be sent in the clear over the network during authentication operations. Note that the challenge-response database can be recharged with new challenge-response pairs to increase the number of authentication events.

1. Send RFID tag ID
2. Receive challenge, send challenge to RFID tag
3. Receive response from RFID tag, send to server
4. Receive authentication result from server

Figure 2: Overview of the PUF-based RFID
214. s resistant to both tampering and circumventing the protections within the system.

What has been the response of the security community to Windows 7 releases so far? Are you satisfied with the feedback? What have you learned?

The response by the security community to Windows 7 has been great so far. There has been some confusion about UAC and the changes we made there, but it provides a great example of how we can listen and work with the community to provide a product we can all be proud of.

What are the core differences between Windows 7 and Windows Vista when it comes to security?

Windows 7 builds upon the security foundations of Windows Vista and retains the development (including going through the Security Development Lifecycle) and technologies that made Windows Vista the most secure Windows operating system ever released. Core security enhancements from Vista like User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) etc. are all retained.

In addition, we have added new security features like AppLocker to help control the applications that run in their environment. We have enhanced the core BitLocker Drive Encryption to make it easier for IT to deploy and manage the technology in their environment. In addition, we have responded to customer requests to extend support for BitLocker to remo
215. s the keys should not be managed by the system and business owners; they should not have access to or control over the reporting and alerting logs. A system with manual or nonexistent alerting and auditing functionality can increase the risk of undetected breaches and increase audit and reporting costs.

Find the right balance between cost and security by doing a risk analysis

Although it's always admirable to get the most for less, it's important to keep the return on data security investments in perspective. A recent report by the Ponemon Institute, a privacy and information management research firm, found that data breach incidents cost $202 per compromised record in 2008, with an average total per-incident cost of $6.65 million. Find the right balance between cost and security by doing a risk analysis. For example, field-level encryption with good key management may lower the probability of card exposure, say from 2% to 1%, for a given year. A breach cost may be taken to be $200 per card ($30 to $305 according to Gartner and Forrester, April 2008). If 1 million cards could be exposed, the expected loss avoided is 1% of 1 million cards at $200 per card, so an appropriate investment in a file protection solution with an integrated and sophisticated key management and protection system would be about $2 million. All security spend figures produced by government and private research firms indicate that enterprises can put strong security into place for significantly less expenditure
216. se is stronger than the defense, instability reigns and war is increasingly likely. Historians typically point to World War I as an example of a conflict that was a direct result of the security dilemma. Prior to World War I, France entered into a series of entangling alliances that were designed to bolster its security. These alliances caused Germany to feel less secure, and it responded by creating rival alliances. These successive moves and countermoves exacerbated the security dilemma and laid the groundwork for war.

Promoting stability

It is therefore essential that national security policy present a concerted effort to develop policies designed to ameliorate this burgeoning security dilemma. Policies that could reduce tensions as cyber warfare forces are deployed include improving the redundancy and resiliency of critical infrastructure targets. For example, if the redundancy and resiliency of SCADA systems governing the power grid were improved so that an attack on the power grid would cause minimal damage, then defenders would be less threatened by a rival's build-up of cyber weapons, and attackers would have less motivation to build up cyber forces. In this instance, although an attack against a power grid may successfully destroy it, the target's backups would stand ready to replace the fallen primary systems. These backup systems could be designed differently and protected by a separate line of defense, thereby increas
217. sed his presentation from Black Hat DC. He demonstrated attacks related to HTTP and HTTPS connections on web pages. It was very interesting hearing about the details of the attacks, as well as about the reactions he got from various people. You can download his tool sslstrip from his web page. Sslstrip is a proof-of-concept implementation of the attack he covered.

Emmanuel Bouillon talked about common errors in the implementation of Kerberos and how those errors can be exploited during attacks. Kerberos is used in both the Windows and Unix/Linux worlds, so this lecture got a lot of attention.

Roelof Temmingh and Chris Bohme, authors of the popular Maltego tool, presented the latest features of Maltego. It was an interesting lecture during which Roelof and Chris demonstrated how dangerous Web 2.0 services like Facebook and/or Gmail can be to the privacy of the employee.

Black Hat: digital self defense (Jeff Moss)

Roberto Gassira and Roberto Piccirillo from Mobile Security Lab demonstrated a practical attack consisting of hijacking mobile data connections. The attack exploits a few design and configuration vulnerabilities through SMS configuration messages. The attack depends on the user accepting the sent configuration messages. That means you should think twice about automatically accepting such messages when they arrive.

Eric Filiol de
218. society at large. With today's youth using more connected technology than ever before, they are being exposed to a variety of dangers their parents may never see.

The Safe & Secure Online program consists of an hour-long interactive presentation designed to educate school children aged 11 to 14 about how to protect themselves from online dangers in an increasingly electronically connected world. The presentations are given by (ISC)² certified professionals using materials developed by Childnet International, a charity that aims to make the Internet a safe place for children.

Safe & Secure Online was first introduced in the United Kingdom in 2006, then expanded to Hong Kong in 2007. In early 2009 it was introduced to the U.S. as a pilot program in Washington state and is currently in the process of being rolled out to other U.S. cities nationwide. To date, more than 200 (ISC)² certified members have reached more than 20,000 students. More information can be found at www.isc2.org/awareness.

RFID: a technical overview
by Srini Devadas

RFID has advanced beyond being just an identification technology; it is now an identification and authentication technology. RFID has advantages over traditional product authentication and anti-counterfeiting mechanisms such as color-shifting inks, holograms, 2D barcodes etc. RFID is a more efficient and reliable technolo
219. st for changing the application code can be hard to justify by the level of risk reduction. The risk of changing already-working application code can also be hard to justify. This approach is suitable for protection of high-risk data. Please see the discussion of tokenization at bit.ly/4bcZz.

File-level database encryption

File-level database encryption has proven to be fairly straightforward to deploy, with minimal performance overhead, while providing convenient key management. This approach is cost-effective since it installs quickly (in a matter of days), utilizes existing server hardware platforms, and can easily extend the protection to log files, configuration files and other database output. This approach is the fastest place to decrypt, as it is installed just above the file system and encrypts and decrypts data as the database process reads or writes its database files. This enables cryptographic operations in the file system by block chunks instead of individually row by row, since the data is decrypted before it is read into the database cache. Subsequent hits on this data in the cache incur no additional overhead. Neither does the solution architecture diminish database index effectiveness, but remember that the index is in clear text and unprotected within the database: file-level encryption protects data at rest, not data the running database process has already decrypted and will hand to any authorized query. This approach can also selectively encrypt individual files and does not require that the entire database be encrypted. Dat
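The field-level options discussed above (partial encryption or tokenization that keeps only the bytes an application needs in clear) and the disposal options of truncating or hashing data you never need back can be contrasted side by side in code. The following is an added example, not code from the article or from any product it mentions: the sample card numbers are standard test values, the HMAC key and the in-memory vault are constructed stand-ins for a real key manager and token vault.

```python
# Added example (not code from the article): the three field-level options
# the text discusses, truncation, keyed hashing and vault-based partial
# tokenization, applied to card numbers. PANs, key and vault are constructed.
import hashlib
import hmac
import secrets

# Constructed sample PANs (standard test numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]
# Constructed secret for the keyed hash; in production it comes from the
# key manager, never from source code.
HASH_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def truncate(pan):
    """Irreversible: keep the last four digits, discard everything else."""
    return "*" * (len(pan) - 4) + pan[-4:]


def keyed_hash(pan, key=HASH_KEY):
    """Irreversible reference value that still allows exact-match joins.
    An unkeyed SHA-256 of a PAN is brute-forceable (the first six digits are
    a known BIN, the last digit is a Luhn check, so roughly 10^9 candidates),
    which is why a secret key goes into the HMAC."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Reversible partial tokenization: the first six and last four digits
    stay in clear (routing, receipts, customer service), the middle digits
    are replaced by a random surrogate. The PAN/token mapping exists only
    here, so the vault is the one place that needs full encryption and
    strict key management; every other system carries only tokens."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if not pan.isdigit() or len(pan) < 13:
            raise ValueError("not a card number")
        if pan in self._token_by_pan:  # one stable token per PAN
            return self._token_by_pan[pan]
        head, tail, middle_len = pan[:6], pan[-4:], len(pan) - 10
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
            token = head + middle + tail
            # Reject the (unlikely) surrogate that equals the PAN or collides.
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Only the few systems that really need the PAN get vault access."""
        return self._pan_by_token[token]


def protect(pan, policy, vault):
    """Apply the business decision the text describes: 'truncate' and 'hash'
    can never be reversed, 'tokenize' can be reversed through the vault."""
    if policy == "truncate":
        return truncate(pan)
    if policy == "hash":
        return keyed_hash(pan)
    if policy == "tokenize":
        return vault.tokenize(pan)
    raise ValueError("unknown policy: " + policy)


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        for policy in ("truncate", "hash", "tokenize"):
            print(policy, pan, "->", protect(pan, policy, vault))
```

Note the asymmetry the article points at: the truncated and hashed forms cost nothing to secure afterwards but can never be turned back into the card number, whereas the token keeps every downstream system out of scope while the vault alone needs the full encryption and key management treatment.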
220. st they are in transit. The storage location for the session IDs should be a secure location; refer to the principle of least privilege we have outlined earlier for guidance on how to secure access to this location. The next point we need to secure is the transmission of the session IDs, and a simple answer exists for this: if the session ID is transmitted via HTTP it can be easily intercepted and re-used by an attacker; by using HTTPS instead (and marking the session cookie Secure, so the browser never sends it over plain HTTP) you can protect the session ID in transit.

At this point we should have a session ID that is resistant to prediction, brute force and interception attacks, but we do have a few more protection measures to implement before we can be comfortable with the security surrounding our session management. There are many examples of applications verifying whether a session ID exists but not checking whether it is a genuine ID. If the application performs only this minimal level of session ID checking, an attacker can perform session fixation attacks against your users. You should always mandate that session IDs are only accepted if they were generated by your application server, and overwrite those values which are present in requests but were not provided by your application.

The final two session protection mechanisms you need to provide are timeouts on sessions and changes of session IDs when users carry out sensitive actions. We have already discussed the requirement for timeouts of
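The properties listed above (an unpredictable ID, a protected store, HTTPS-only transport, rejection of IDs the server never issued, idle timeouts and rotation on sensitive actions) fit in one small server-side component. The following is an added example, not code from the article: the in-memory store, the 15-minute idle timeout and the cookie name are constructed values, and a clock is injected so expiry can be exercised without waiting.

```python
# Added example (not code from the article): a minimal server-side session
# store implementing the properties the text asks for. The 15-minute idle
# timeout and the cookie name are constructed policy values.
import secrets
import time

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG: unguessable
IDLE_TIMEOUT_SECONDS = 15 * 60   # constructed policy value


class SessionStore:
    """Stands in for the 'secure location' holding session IDs; in practice
    only the application server may reach it (principle of least privilege).
    A clock can be injected so expiry is testable."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}          # session id -> {"user": ..., "last_seen": ...}

    def _new_id(self):
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self, user):
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def resolve(self, sid):
        """User behind a presented ID, or None. Anything the server did not
        issue is rejected outright: an attacker-chosen value never becomes a
        session, which is what defeats session fixation."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # idle too long: require re-authentication
            return None
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, sid):
        """Swap the ID of a live session for a fresh one. Do this after login
        and before sensitive actions, so an ID captured earlier is worthless."""
        entry = self._sessions.pop(sid)
        entry["last_seen"] = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = entry
        return new_sid


def session_cookie(sid):
    """Secure keeps the cookie off plain HTTP, HttpOnly keeps it away from
    script; the ID itself only ever travels over HTTPS."""
    return "Set-Cookie: SESSIONID=%s; Secure; HttpOnly; Path=/" % sid


def login(store, presented_sid, user):
    """Login never upgrades a client-presented ID: whatever came in the
    request is discarded and a server-generated ID is issued instead."""
    store.destroy(presented_sid)
    return store.create(user)


def sensitive_action(store, presented_sid):
    """A sensitive request (say, changing the password): requires a live
    session and hands back a rotated ID for the response cookie."""
    user = store.resolve(presented_sid)
    if user is None:
        return None
    return store.rotate(presented_sid)
```

The fixation defence is entirely in `resolve` and `login`: a value that is not a key in the server's own table is never treated as a session, and authentication always mints a new one rather than blessing whatever the request carried.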
221. t. These call for locking everything down with the strongest available protection, and result in unnecessary expenses, frequent availability problems and system performance lags. Alternatively, IT will sometimes shape their data security efforts around the demands of compliance and best-practice guidance, and then find themselves struggling with fractured security projects and the never-ending task of staying abreast of regulatory changes.

There is a better way: a risk-based classification process that enables organizations to determine their most significant security exposures, target their budgets towards addressing the most critical issues, and achieve the right balance between cost and security. In this article I discuss the risk analysis processes that can help companies achieve cost savings while measurably enhancing their overall data security profile, by implementing a holistic plan that protects data from acquisition to deletion.

Step 1: Determine data risk classification levels

The first step in developing a risk-based data security management plan is to determine the risk profile of all relevant data collected and stored by the enterprise, and then classify data according to its designated risk level. Sounds complicated, but it's really just a matter of using common sense. Data that is resalable for a profit, typically financial, personally identifiable and confidential informa
222. t is being used on the Internet today. In a recent report by Nielsen, social networking is now the fourth most popular online activity, even ahead of email. It's no surprise that services like Facebook, LinkedIn and Twitter are being used by large and small businesses and millions of people every day. If you own or manage a business of any size, you may wonder where your business fits in and how you can use social media to promote it.

While many companies have jumped on board the social media bandwagon, there are several risks and security threats that businesses need to be aware of. Unfortunately, security is often overlooked when most businesses think about using social media. The truth is that the threat landscape is constantly changing. The massive increase in people using social media is driving a huge increase in spam, malware and other malicious attacks targeting social media and its users. But all hope is not lost. With some basic awareness of these risks and threats, you can make a more informed decision on the strategy your company may want to take to establish a social media presence with security in mind.

What is social media?

Tim Gasper, CMO and cofounder of Cork Share (www.corkshare.com), says: "Media is a means for communication. It involves a content medium like pictures, sounds, videos or text, and it conveys meaning and information to an audience. Sometimes that
223. ta frames are the final type, and they contain the data being transmitted across the transmission medium.

Duration: When used with a data frame, this specifies the duration of the frame.
Address 1: Receiver address on the air (the destination station in the frame dissected below).
Address 2: Transmitter address on the air (the BSSID of the access point in the frame dissected below).
Address 3: The remaining source or destination address, depending on the To DS and From DS flags.
Address 4: Transmitting wireless station; present only when both To DS and From DS are set.
Frame Body: Data contained in the frame.
FCS: The Frame Check Sequence discussed earlier.

Analyzing Wireshark dissection of the components of the wireless header

With this background knowledge we can take a look at an individual packet that has been dissected by Wireshark and find the different components. The 802.11 header depicted below is a standard wireless data frame. We can immediately determine this by looking at the Type listing under the Frame Control section of the packet.

IEEE 802.11 QoS Data
  Frame Control: 0x4288 (Normal)
    Version: 0
    Type: Data frame (2)
    Subtype: 8
    Flags: 0x42
      DS status: Frame from DS to a STA via AP (To DS: 0, From DS: 1) (0x02)
      More Fragments: This is the last fragment
      Retry: Frame is not being retransmitted
      PWR MGT: STA will stay up
      More Data: No data buffered
      Protected flag: Data is protected
      Order flag: Not strictly ordered
  Duration:
  Address 1 (Destination address): IntelCor_0d:33:5c
  Address 2: BSS Id
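The dissection above can be reproduced from the raw bytes: the two Frame Control octets carry version, type, subtype and the flag bits, and the To DS / From DS pair decides what each address field means. The following is an added example, not code from the article or from Wireshark; the frame bytes and MAC addresses are constructed for illustration rather than captured, and the parser also handles the four-address (wireless bridge) case the dissection does not show.

```python
# Added example (not code from the article): parse the MAC header of an
# 802.11 data frame and work out which address is which from the To DS /
# From DS flags, the way Wireshark's dissection does. The frame bytes and
# MAC addresses below are constructed for illustration, not captured.
import struct

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}
FLAG_TO_DS, FLAG_FROM_DS, FLAG_MORE_FRAG, FLAG_RETRY = 0x01, 0x02, 0x04, 0x08
FLAG_PWR_MGT, FLAG_MORE_DATA, FLAG_PROTECTED, FLAG_ORDER = 0x10, 0x20, 0x40, 0x80

# Constructed QoS Data frame sent from the DS (an AP) to a station.
# Read as a little-endian 16-bit value the first two bytes are 0x4288,
# which is how the dissection above displays the Frame Control field.
SAMPLE_FRAME = (
    bytes([0x88, 0x42])                 # Frame Control: QoS Data, From DS + Protected
    + bytes([0x2C, 0x00])               # Duration: 44 microseconds (little-endian)
    + bytes.fromhex("00215c0d335c")     # Address 1: receiver = destination station
    + bytes.fromhex("000c41aabbcc")     # Address 2: transmitter = BSSID of the AP
    + bytes.fromhex("001346112233")     # Address 3: original source address
    + bytes([0x40, 0x06])               # Sequence Control: fragment 0, sequence 100
    + bytes([0x00, 0x00])               # QoS Control (present because subtype bit 3 is set)
)


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_80211_header(frame):
    """Return the header fields of an 802.11 frame as a dict."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a minimal MAC header")
    fc0, flags = frame[0], frame[1]     # two Frame Control bytes, as on the wire
    version = fc0 & 0x03
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    duration = struct.unpack_from("<H", frame, 2)[0]
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
    header_len = 24
    # Address meaning depends on the DS bits (Address 1 is always the
    # receiver, Address 2 always the transmitter on the air).
    if not to_ds and not from_ds:          # ad hoc / station to station
        roles = {"DA": addr1, "SA": addr2, "BSSID": addr3}
    elif from_ds and not to_ds:            # AP to station, as in the dissection
        roles = {"DA": addr1, "BSSID": addr2, "SA": addr3}
    elif to_ds and not from_ds:            # station to AP
        roles = {"BSSID": addr1, "SA": addr2, "DA": addr3}
    else:                                  # wireless bridge: fourth address present
        if len(frame) < 30:
            raise ValueError("four-address frame truncated")
        roles = {"RA": addr1, "TA": addr2, "DA": addr3, "SA": frame[24:30]}
        header_len = 30
    is_qos = ftype == 2 and bool(subtype & 0x08)
    if is_qos:
        header_len += 2                    # QoS Control field follows the addresses
    return {
        "version": version,
        "type": FRAME_TYPES.get(ftype, "Reserved"),
        "subtype": subtype,
        "qos": is_qos,
        "flags": flags,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "protected": bool(flags & FLAG_PROTECTED),
        "retry": bool(flags & FLAG_RETRY),
        "more_fragments": bool(flags & FLAG_MORE_FRAG),
        "duration": duration,
        "roles": {name: mac_str(a) for name, a in roles.items()},
        "sequence": seq_ctl >> 4,
        "fragment": seq_ctl & 0x0F,
        "header_len": header_len,
        "body": frame[header_len:],
    }


if __name__ == "__main__":
    for key, value in parse_80211_header(SAMPLE_FRAME).items():
        print("%-15s %s" % (key, value))
```

The `protected` flag only tells you the body is encrypted (WEP, TKIP or CCMP); everything shown here, including all addresses and sequence numbers, travels in clear, which is why a passive listener can still map stations to access points.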
224. tection was measured by evaluating defensive resiliency against live or simulated attacks. This protection has proven to be insufficient, as the escalating frequency and impact of successful exploits show that IT assets, and ultimately business assets and intellectual property, are not yet secure. The ever-changing population of software components at the application layer likely leaves you inadequately informed as to where and how your data may be exposed.

Where can you turn next to help protect the security of your critical data assets? Since 75-90% of all Internet attacks target the application layer, it is clearly about time that you listen to what your applications are trying to tell you about data security. Applications are the front line in the battle for your data. If you know what to look and listen for, your applications can provide you with a wealth of information about their strengths, weaknesses and methods. This is the information you are, or will soon be, required to provide to regulators, your customers, your boss and your board.

The knowledge you need can come from the very foundation of the application: the source code. Therein lie the facts of the real state of your data security. That knowledge will give you the power to make truly informed risk management decisions.

The power to know you're compliant

Breaches breed regu
225. ted and all things are a target. Malware at the embedded level may well be the scourge of information security when the young professionals we are mentoring today reach the season of their careers. Such attacks and infection capabilities could make bots seem nostalgic, like some of us look upon defacements of days gone by today.

Of course, that said, there is good news here too. The future is not all about fear. We are getting better at designing for security. We will likely create much more secure applications and computing platforms in the future. Even while attackers continue to evolve their craft, so too do the developers, programmers and engineers. There will be new bugs for sure, but there will also be innovations in protective technologies that help reduce our overall exposure to these technical risks.

What do you see as the areas of true innovation when it comes to computer security?

I really hope that people move away from signature-based technologies. Today when I do forward-looking talks it is usually around the two core ideas of finding new ways to design/engineer for failure tolerance, and the idea that behavioral detective tools are much smarter. We know what attackers do and we know how they behave. There are really very few game-changing attack techniques. This was the reason I built HoneyPoint in the first place. We have created a toolset around the ideas of capturing and detecting b
226. tember to 19 September 2009, www.brucon.org

6th Annual CISO Executive Summit & Roundtable 2009: 10 June to 12 June 2009, www.mistieurope.com/ciso

2009 USENIX Annual Technical Conference (USENIX '09): 14 June to 19 June 2009, www.usenix.org/events/usenix09

Mastering Computer Forensics: 22 July to 23 July 2009, www.machtvantage.com/computerforensics.html

18th USENIX Security Symposium (USENIX Security '09): 12 August to 14 August 2009, www.usenix.org/events/sec09

ICDF2C 2009, The 1st International ICST Conference on Digital Forensics & Cyber Crime: 30 September to 2 October 2009, www.d-forensics.org

23rd Large Installation System Administration Conference (LISA '09): 1 November to 6 November 2009, www.usenix.org/events/lisa09

Q&A: Ron Gula on Nessus and Tenable Network Security
by Mirko Zorz

Ron Gula is the CEO and CTO of Tenable Network Security. He traces his passion for his work in security to starting his career in information security at the National Security Agency, conducting penetration tests of government networks and performing advanced vulnerability research. In this interview he discusses Nessus, a security tool that doesn't need an introduction.

Nessus is one of the most popular security tools in the arsenal of many. Do you have an estimate on the number of users?

tems like Tivoli. However, rather than try and support all of these various use cases for ticketing
227. they had a clear set of secure development principles. The projects that do detail how to develop securely are often bloated and cover hundreds of pages, which still leaves the majority of developers with one question: how do I develop securely? Providing an answer to that question is my motivation for this article and the work that will follow.

Secure development education does not need to be complicated, nor does it need to explain specific vulnerabilities. That last point might seem like an alien concept to some people, but I have recently been asking several experienced developers, and myself, whether developers need to understand specific vulnerabilities. I don't think teaching developers about specific vulnerabilities is the most effective way to reach the goal of secure development. A developer's education should evolve towards knowledge of the intricate details of attacks such as SQL Injection, yet almost all education efforts begin there. This is certainly an area that would benefit greatly from the KISS principle (Keep It Short and Simple) by avoiding unnecessary complexity. The three most popular top-x lists have 45 vulnerabilities listed between them; 42 of them have unique names, despite the fact that they do not represent 42 individual vulnerabilities. This only increases confusion and uncertainty instead of clearly detailing how one should build a secure application.

With the above paragraph
228. this premier information security event.

Exhibition Enquiries: Ms Karen Dass, karendass@protempgroup.com, Tel 603 6140 6666
Conference Enquiries: Ms Michelle Lim, michelle@protempgroup.com, Tel 603 6140 6666
Brought to you by / Endorsed by / Gold Sponsor / Media Partner: Help Net

Latest additions to our bookshelf

Security Standards for a Web 2.0 World clearly demonstrates how existing security solutions are failing to provide secure environments and trust between users and among organizations. Bringing together much-needed information and a broader view on why and how to deploy the appropriate standards, this book supports a shift in the current approach to information security, allowing companies to develop more mature models and achieve cost-effective solutions to security challenges.

By Raoul Chiesa, Stefania Ducci and Silvio Ciappi. Providing in-depth exploration of this largely uncharted territory and focusing on the relationship between technology and crime, this volume offers insight into the hacking realm by telling attention-grabbing tales about the bizarre characters who practice hacking as an art. Applying the behavioral science of criminal profiling to the world of internet predators, the text addresses key issues such as the motivation behind hacking and whether it is possible to det
229. tication features like biometrics and a PIN code. There is also a variety of accessible tools, such as TrueCrypt or the commercial solution PrivateCrypto from Utimaco, which support encryption on USB storage devices. Until now, however, it has not been possible to use BitLocker in combination with removable disks. The release of Windows 7 changes this, and in the future support for the encryption of portable hard disks and flash memory devices will be available. This portable solution is called BitLocker To Go.

While it is true that USB devices are useful, they also carry a serious risk, especially since the storage of sensitive data on USB keys has become popular. The theft or loss of corporate intellectual property is an increasing problem and tops the list of concerns in most IT departments, particularly when it comes to mobile computers (laptops) and other small flash memory devices.

An organization can make use of the ability to require encryption prior to granting write access to a portable data device such as a USB flash drive. If this policy is enabled, users will be unable to store information on the portable device if they insert an unencrypted portable data drive. They will be given the option to encrypt the device first, or to open it without write access. This approach can be used in tandem with the option of blocking USB devices at workstations. You can find the poli
230. tication mode: To be able to load the OS, this mode requires the user to provide some authentication to the pre-boot environment. Two such methods are supported: a pre-boot PIN entered by the user, or the insertion of a USB device that contains the required start-up key.

USB Key mode: To be able to boot the protected OS, the user must insert a USB device that contains a start-up key into the computer. In this mode the BIOS on the protected machine must support reading such devices in the pre-OS phase.

Preparing for BitLocker

Since it is more user-friendly than in Vista, and because the Preparation Tool does the work for you behind the scenes, you only have to fire up the wizard to turn BitLocker on in Windows 7. BitLocker Drive Encryption supports 128-bit and 256-bit encryption, although the former will be the most commonly used. As you already know, the longer the encryption key, the higher the level of security. Be aware, however, that longer keys demand more calculation power and can slow your machine down while it is encrypting and decrypting.

BitLocker supports and implements a diffuser algorithm to help protect the system against ciphertext manipulation attacks that try to discover patterns or weaknesses. This means that plaintext is XORed with a key, then put through the diffuser, and finally encrypted with 128-bit AES in CBC mode. CBC stands for Cipher Block Chaining, and in this mode the ci
231. tion than discovering non-volatile keys. An invasive physical attack would need to accurately measure PUF delays from transistor to transistor without changing the delays, or discover volatile keys in registers without cutting power or tripping the tamper-sensitive circuitry that clears out the registers. In addition to its inherent physical security, even the IC manufacturer cannot clone PUF-enabled ICs. That is because the random component of manufacturing variation cannot be controlled or programmed in any conventional sense by the manufacturer; it is inherent to the process itself. [Figure 1: How PUFs work (challenge in, response out).] PUFs can be implemented in many different ways, but all PUF implementations provide a mechanism to extract the unique characteristics, or secrets, from the ICs. Some PUF implementations use a challenge-and-response protocol to extract these secrets. Figure 1 above shows a MUX- and arbiter-based PUF implementation (MUX PUF). The MUX PUF takes a random number input as a challenge. The bit length of the challenge is implementation-specific; the example above assumes a 64-bit challenge. For each challenge input, the MUX PUF generates a response. The bit length of this response is again implementation-specific; the example above assumes a 64-bit response. These challenges and responses have the following characteristics: the number of challenge-and-response pairs for each IC can be arbitrarily large (2^64 in this
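To make the challenge-and-response behaviour of a MUX/arbiter PUF concrete, here is an added software model written for this page (it is not the article's code and not any vendor's design). Two rising edges race through a 64-stage MUX chain whose per-stage delays are drawn once from a seeded random number generator that stands in for manufacturing variation; the arbiter reports which edge won. The Gaussian delay spread, the class and function names, and the rotation used to derive 64 sub-challenges from a single 64-bit challenge are assumptions of the example, since a real arbiter PUF yields one bit per challenge and implementations differ in how they build a multi-bit response.

```python
import random
from typing import Sequence

STAGES = 64
MASK = (1 << STAGES) - 1


class ArbiterPUF:
    """Software model of a MUX-and-arbiter PUF (one response bit per challenge).

    Every stage holds four delay elements. Their values are drawn once per
    instance from a seeded RNG; this is constructed data standing in for the
    uncontrollable manufacturing variation of a real IC, not a measurement.
    """

    def __init__(self, chip_seed: int, stages: int = STAGES):
        rng = random.Random(chip_seed)
        # (top_straight, bottom_straight, top_cross, bottom_cross) per stage;
        # the 5% Gaussian spread is an assumption of this model.
        self.delays = [tuple(1.0 + rng.gauss(0.0, 0.05) for _ in range(4))
                       for _ in range(stages)]
        self.stages = stages

    def response_bit(self, challenge_bits: Sequence[int]) -> int:
        """Race two edges through the MUX chain; the arbiter says which arrived first."""
        top = bottom = 0.0
        for (ts, bs, tc, bc), c in zip(self.delays, challenge_bits):
            if c == 0:          # straight-through MUX setting
                top, bottom = top + ts, bottom + bs
            else:               # crossed MUX setting: the two lanes swap
                top, bottom = bottom + tc, top + bc
        return 1 if top < bottom else 0

    def respond(self, challenge: int) -> int:
        """64-bit response for a 64-bit challenge.

        Assumption of this example: the k-th response bit comes from the
        challenge rotated left by k positions. An all-zero challenge therefore
        yields 64 identical sub-challenges and a response of all 0s or all 1s.
        """
        response = 0
        for k in range(self.stages):
            sub = ((challenge << k) | (challenge >> (self.stages - k))) & MASK
            bits = [(sub >> i) & 1 for i in range(self.stages)]
            response = (response << 1) | self.response_bit(bits)
        return response


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two responses."""
    return bin(a ^ b).count("1")


def demo() -> dict:
    """Same chip, same challenge: identical response. Different chip: different response."""
    chip_a, chip_b = ArbiterPUF(chip_seed=1), ArbiterPUF(chip_seed=2)
    challenge = random.Random(42).getrandbits(STAGES)   # constructed challenge
    return {
        "reproducible": chip_a.respond(challenge) == chip_a.respond(challenge),
        "inter_chip_distance": hamming(chip_a.respond(challenge), chip_b.respond(challenge)),
    }


if __name__ == "__main__":
    print(demo())
```

The two properties the text attributes to PUFs show up directly: the same chip answers the same challenge identically, while a second chip built from a different draw of the delay variation answers with a response that differs in roughly half its bits. Real devices add error correction because the race is noisy; the model above is noise-free.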
232. to such projects as the bible for developers wanting to learn how to develop securely, and championed various approaches to secure development, but one has to question whether current approaches actually help developers to produce secure software. We have seen the amount of recorded (given a CVE number) SQL Injection and Cross-Site Scripting vulnerabilities increase from 8.6% of all vulnerabilities in 2007 to 33.46% in 2008. This growth has not slowed in 2009, with these two vulnerabilities accounting for 35.23% of all vulnerabilities this year so far. These statistics alone must raise the question of whether the secure development projects are getting their message across to developers. More to the point, are these projects getting the right message across? I feel that these projects do a good job of telling developers what problems can occur and how to exploit these flaws, but they don't follow this up with useful guidance on how to develop applications that reduce the chance of these flaws occurring. I think this derives from the fact that the people who contribute to these projects like to be the hacker, and often neglect the boring work of detailing the preventative measures that developers actually need to know. The work required to detail the preventative measures is tedious but essential; developers would not need to read and interpret multiple lists of top x vulnerabilities if
233. to avoid is the hard-coding of keys into your code. The principles' place in secure development: The principles I have outlined so far will help you to develop secure software, but this should be just one step in a wider secure development process. They will provide a good level of security for your application, but they should not be used in isolation. I have included an image below that shows the steps I feel need to be followed in the pursuit of a secure application, and where these principles fit in. [Figure: Security Testing; Code Review; the principles (Secure Input Validation, Secure Output Validation, Secure Storage, Session Management, Secure Communications, Secure Resource Access); Developer Education; SSDL.] The foundations underpinning any secure development efforts must be a clearly defined Secure Software Development Life Cycle (SSDLC) and developer education. If you do not know where, when and how security will fit into your development life cycle, then it is very difficult to have security ingrained into requirements and designs. The failure to design applications securely will lead to project delays when the code reaches the security code review and testing steps. Each phase of the SSDLC should have some level of security input and sign-off, but I will not go into details on how to build an SSDLC in this article; see my article in (IN)SECURE Magazine issue 18. Developer education should be self-explanatory; this entire article is
234. to effectively secure challenging work environments. Reflecting the experience and solutions of those that are in the trenches of modern organizations, this volume provides practical ideas that can make a difference in the daily lives of security practitioners. Cyber Crime Fighters: Tales from the Trenches, by Felicia Donovan and Kristyn Bernier. Que, ISBN 0789739224. Written by cyber crime investigators, the book takes you behind the scenes to reveal the truth behind Internet crime, telling shocking stories that aren't covered by the media and showing you exactly how to protect yourself and your children. This is the Internet crime wave as it really looks to law enforcement insiders: the truth about crime on social networks and YouTube, cyber stalking and criminal cyber bullying, online child predators, identity theft, even the latest cell phone crimes. Here are actual cases and actual criminals, presented by investigators who have been recognized by the FBI and the N.H. Department of Justice. Chained Exploits: Advanced Hacking Attacks from Start to Finish, by Andrew Whitaker, Keatron Evans and Jack B. Voth. Addison-Wesley Professional, ISBN 032149881X. Chained Exploits demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today's most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough
235. to your company profile page. One problem I found is that many former employees still have a company email address in their LinkedIn profile and can still edit the profile pages for a former company. The only mitigating control I have found is that LinkedIn will put a "Last edited by" note on the profile, so people will know who made the last edit. I can only imagine the interesting things a former employee or a hijacked profile could do to a company profile. Facebook Groups and Pages: Now that Facebook has grown to over 200 million users, it would be no surprise if you found lots of information about your company on Facebook. Facebook is not just a social network application for friends and family to stay in touch anymore; Facebook has recently evolved to embrace businesses and company information. Yes, it's true: Facebook would love to have your company and personal data to aggregate and collect. Facebook groups are similar to groups in LinkedIn; however, they are only visible to Facebook members and they are not searchable outside of Facebook. Facebook groups can be made private and can also be set to have a moderator approve group membership. These groups provide a discussion forum as well as the ability to post photos and other multimedia. Facebook pages, on the other hand, are slightly different. These pages can be searched through a regular search engine like Google and provide the page owner with detailed tr
236. twitter at www.twitter.com/moranned. Q&A: Brent Huston on security in general, CEO challenges and MicroSolved, by Mirko Zorz. Unlike what I'd call a regular CEO, you enjoy quite a bit of technical tinkering and delve into security research. What drives you? I was a technician to start with. I have always been a technical security guy and spent my early years at MicroSolved doing hands-on penetration testing, exploit development and security research. I guess you could say I grew into being the CEO after we hired a person to be the CEO and he left the company 28 days later. It was a necessity that someone do it, so I took it on. That led me to a focus on growing my marketing and leadership skills as well as my technical skills. My wife would say it made me a more rounded person, but the truth is I enjoyed learning the business skills as much as reading packet dumps. I really like helping management and board folks understand the real world threats in their own language, and I am very happy that that has proven to be a talent of mine. How does
237. uence. FCS is used to ensure that packets have not been corrupted during transmission. Unless the application you are using for interpreting packet captures has difficulty decoding packets with FCS, check this box to include the FCS checksums. • FCS Filter: This option will allow you to filter out packets based upon whether they have a valid or invalid FCS. Aside from these configuration options, you will also notice a Keys tab where you can enter and manage WEP keys for the decryption of WEP-encrypted traffic. Most up-to-date wireless networks will not be using WEP for encryption, and because of this you may initially come to the conclusion that the AirPcap device is limited and/or dated, but this is not the case. It is important to realize that AirPcap supports decryption of wireless traffic in two modes. Driver mode, configurable from the AirPcap Control Panel, only supports WEP. That being the case, it is recommended that decryption keys be configured using Wireshark mode, which supports WEP, WPA and WPA2 and is managed from the wireless toolbar inside of Wireshark. The wireless toolbar is used to configure a lot of the options we have already learned about within the Wireshark program itself. You can enable this toolbar when you have an AirPcap adapter plugged into your analysis computer by opening Wireshark, going to the View drop-down me
238. ultural values of all countries. For example, what may be an ethical practice in the U.S. could be totally unacceptable in Singapore. Finally, we must adapt our pricing for all products to local economies. Our major advantage comes from the common interest and passion for meeting the challenges in the IT security environment. In all the areas I have visited, the dedication to sound security practices just seems universal. Being recognized as the global Gold Standard is also very beneficial to our organization. Another one of our strongest assets is our dedicated members, who are ambassadors of information security. With a strict adherence to the (ISC)² Code of Ethics as a requirement to maintaining certification, our members not only instill best practices in their organizations but are encouraged to help develop professionals in all parts of the world, instill ethics in others, and educate private citizens about the best methods to protect themselves. (ISC)² has a volunteer program in the U.S. designed to address the issue of online dangers facing children. Can you give our readers some details on the program? (ISC)²'s mission to make the online world a safer and more secure place includes encouraging its professionals to become involved in helping
239. ure you that you are at the real my.IronKey.com website. In order to secure your login, when you log into the online account and enter your username, the system automatically fetches your selected image, and if it's the same one you selected, you can enter the password knowing that you are inside the real IronKey web user interface. The chances of someone mimicking the IronKey web site and targeting you might be slim, but it's better to be safe than sorry. The Secret Phrase that you need to type in will be presented to you in the subject line of every email you receive from IronKey regarding your account. With this, IronKey just shows that they are really passionate about stringent security methods surrounding their little USB device. Secure Files: basic usage. The adoption rate of USB flash drives, especially the encrypted ones, is on the rise. They are not so expensive, especially when you compare them with standard drives of the same size. Almost every security flash drive on the market is mainly concentrated on being a secure vault for private data. IronKey is definitely not principally focused on this role, but fully supports it by default. The Control Panel application that gets launched from the device is user-friendly. Its first management role is Secure Files. When selecting this option, the Windows Explorer window will open and you can drag and drop files to it. Everything inside the folder is automaticall
240. user logons, and the same protection must be in place for sessions. You will need to identify the maximum age of any given session ID as well as a timeout for sessions. There is often the requirement to re-authenticate users during a session; for example, an online bank application would re-authenticate the user prior to transferring funds. This second authentication should also prompt the creation of a second session ID and the destruction of the original ID. Secure communications: We have mentioned in previous principles the importance of protecting specific pieces of information whilst they are in transit, and we will expand on that now. The requirement to protect data in transit is not a new requirement, but it is something that applications often fail to implement correctly. This is perhaps the simplest principle to get right. Make sure your applications enforce the use of secure transport mechanisms such as SSL/TLS or SSH. You must also make sure that your application enforces specific secure versions of these mechanisms, such as SSL version 3 or SSH version 2. If this principle is so simple, how do developers get this wrong? The problems often arise from two main decisions: (1) when to use these mechanisms, and (2) which version to use. The common failure surrounding decision number 1 is the failure to protect the start of a session and the session information after an authentication. You must start the protection
241. ust be put into the Directory. An interesting announcement has, however, referred to a Data Recovery Agent (DRA) for BitLocker in Windows 7. Unfortunately, despite searching for more details of this, there have only been brief mentions of its existence in presentations such as those from WinHEC 2008. A DRA could work for BitLocker like the Encrypting File System (EFS) does, meaning that there is a master key that can be used to decrypt all files in an enterprise, wherever you may be. This key is associated with a specific administrator account, and if it is used at a workstation, any EFS file can be decrypted. This is likely to be Microsoft's approach to this issue, particularly since there is a special folder for the BitLocker certificate in the Local Security Policy, next to the EFS folder. This is used to configure the Data Recovery Agent and maybe gives us a clue about how the BitLocker recovery procedure might be implemented. Naturally, we will have to wait until the final release to see if this will actually happen. It is also interesting that there are many new Group Policies available for the fine-tuning and management of BitLocker operations. One example is the policies connected to the BitLocker To Go feature. Portable media encryption has been around for quite a long time now. Many portable storage devices come with their own encryption software or integrated hardware, and this is sometimes combined with strong authen
242. ut protecting personal identity and proprietary information, and preventing attacks like denial of service and extortion. Government and critical infrastructure agencies must worry about cyber terrorism. While the government is on the front end of protecting us against cyber terrorists, many of the organizations who are in charge of our nation's critical infrastructures are run by the private sector, thus they share this common threat. Finally, all organizations in the public and private sector must increasingly worry about Web 2.0, smartphones, Twitter and other exponentially growing tech advances. As these technologies continue to accelerate, the risk posed to organizations only increases, because most employees use these tools without thinking through the security pieces. "Determining adequate security is tricky business that involves saving dollars, but sometimes it involves saving your company." What security technologies do you find exciting and why? Any that track advancing technologies are interesting to me. In almost every aspect of our lives today there is very likely an IT component. Unfortunately, we have not reached the point where we consistently challenge a new technology with the "what if" security questions. Do we want anyone to be able to access a program that controls the technology that powers things? I am especially fascinated by advances in biotechnology, with the integration of
243. vable storage devices through BitLocker To Go. Finally, Windows 7, coupled with Internet Explorer 8, provides flexible security protection against malware and intrusions for the proliferation of web-based attacks that occur today. The response by the security community to Windows 7 has been great so far. Features that remote workers will appreciate are DirectAccess and BranchCache. How do they work and how do they secure the data? DirectAccess is a breakthrough technology that enables workers who have Internet access to seamlessly and securely connect to their corporate network. DirectAccess works by automatically establishing bi-directional secure connections from client computers to the corporate network. It is built on a foundation of proven, standards-based technologies like Internet Protocol security (IPsec), which is a protocol that helps secure IP-based traffic through authentication and encryption, and Internet Protocol version 6 (IPv6). IPsec is used to authenticate both the computer and the user, allowing IT to manage the computer before the user logs on, and IT can require a smart card for user authentication if they desire. DirectAccess also leverages IPsec to provide AES encryption for communications across the Internet. BranchCache can help increase network responsiveness of centralized applications when accessed from remote offices, giving users in those offices the experience o
244. validation best practices: • Apply whitelists (known good values) where possible. • Reduce the data received to its simplest form. If the validation function only searches for UTF-8 input, an attacker could use another encoding method like UTF-16 to encode the malicious characters and bypass the validation function. • Check for content (i.e. 0-9), minimum and maximum lengths, and correct syntax of all inputs. Output validation: In addition to validating all of the data your application receives, you should also follow similar processes for the data your application will output. Some attacks, such as Cross-Site Scripting, can take advantage of poorly validated output to attack unsuspecting end users through your application. There are three main issues associated with output validation that you should always aim to address in your application: data encoding, data format and length. The data encoding process is slightly different depending on where your output is going to end up. For example, if your data is going into a URL, you need to ensure it is URL-encoded. I have included an example below of a malicious value appended to a URL and how URL encoding of this data would remove the threat. The example site has a parameter in the URL called "day"; this parameter will contain the current day and it will then write this into the homepage. This allows the homepage to always display the current day for the user. www examplesit
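As an added Python illustration of the output-encoding point above (this is not the author's code or the article's own example), the functions below handle the "day" parameter in the two contexts the text distinguishes: placed into a URL, where it is percent-encoded, and written into the homepage body, where it is HTML-entity-encoded. The unsafe renderer is kept beside the fixed one to show what the encoding removes. The base URL, the function names and the sample malicious value are constructed for this example.

```python
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample values for the example (example.test is a reserved name).
HOMEPAGE = "https://www.example.test/"
MALICIOUS_DAY = "Monday<script>alert(1)</script>"


def render_homepage_unsafe(day_value: str) -> str:
    """The flaw the text describes: the 'day' value is written into the page as received."""
    return f"<p>Today is {day_value}</p>"


def render_homepage(day_value: str) -> str:
    """HTML body context: entity-encode the value before writing it into the page.

    escape() turns < > & " ' into entities, so the browser renders the value
    as text instead of interpreting it as markup.
    """
    return f"<p>Today is {escape(day_value, quote=True)}</p>"


def build_day_link(base_url: str, day_value: str) -> str:
    """URL context: percent-encode the value before it joins the query string.

    safe='' makes quote() encode '/' as well, so the value cannot alter the
    path or add further query parameters.
    """
    return f"{base_url}?day={quote(day_value, safe='')}"


def day_from_url(url: str) -> str:
    """Server side: read the parameter back; parse_qs undoes the percent-encoding."""
    return parse_qs(urlsplit(url).query).get("day", [""])[0]


if __name__ == "__main__":
    print(render_homepage_unsafe(MALICIOUS_DAY))
    print(render_homepage(MALICIOUS_DAY))
    print(build_day_link(HOMEPAGE, MALICIOUS_DAY))
```

The encoding is chosen per destination: the same value gets `%3C` in the link and `&lt;` in the page body. Decoding on the server (`day_from_url`) restores the original string, which is why the output-side encoding has to happen again at every place the value is written out.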
245. value through either exploiting your users or taking advantage of weaknesses in the session management functionality itself. Knowledge of the methods used by attackers isn't required if you secure your sessions based on the advice in this principle. The session values used in your application should follow similar principles to the secure password requirements outlined earlier. The session IDs used to identify individual authenticated users should be of a sufficient length to prevent brute force attacks. This length is going to be determined by the sensitivity of the data or resource you are trying to protect. I do have to stress that session ID length isn't enough to provide protection by itself; you also need to have a high amount of entropy per character in the session ID. The entropy of each character position must be considered in your creation of session IDs, with higher entropy per character being more secure. A session ID should be constructed from a large character set without any obvious patterns in the IDs. A pattern such as character positions 1, 4 and 5 always containing the letter C would be easily identified by automated tools and will reduce the computation time required to brute force genuine IDs. If the above steps have been followed, each user should have a strong session ID that cannot be predicted easily by attackers. We now need to ensure that these IDs are secured both on the application server and whil
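To make the length and per-character entropy requirements above measurable, here is an added Python check written for this page (not the author's code). It scores a sample of session IDs by pooled Shannon entropy per character, lists positions whose character never changes (the "positions 1, 4 and 5 always C" pattern in the text), and derives the effective bits that remain. `weak_session_id` is a constructed bad generator for comparison, `secrets.token_hex` is the standard library's CSPRNG-backed generator, and the 128-bit acceptance threshold is an assumption of the example rather than a figure from the article.

```python
import math
import secrets
from collections import Counter
from typing import Dict, List


def new_session_id(nbytes: int = 32) -> str:
    """Strong generator: 32 random bytes from the OS CSPRNG, rendered as 64 hex characters."""
    return secrets.token_hex(nbytes)


def weak_session_id(n: int) -> str:
    """Constructed weak generator: fixed letters at positions 1, 4 and 5 plus a counter."""
    return f"C{n % 100:02d}CC{n:03d}"


def entropy_per_char(ids: List[str]) -> float:
    """Shannon entropy (bits) of the character distribution pooled over all IDs."""
    if not ids:
        raise ValueError("need at least one session ID")
    counts = Counter(ch for sid in ids for ch in sid)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def constant_positions(ids: List[str]) -> List[int]:
    """0-based positions whose character is identical in every sampled ID."""
    length = min(len(sid) for sid in ids)
    return [i for i in range(length) if len({sid[i] for sid in ids}) == 1]


def assess(ids: List[str], min_bits: float = 128.0) -> Dict[str, object]:
    """Score a sample: fixed positions contribute nothing, the rest carry the pooled entropy."""
    h = entropy_per_char(ids)
    fixed = constant_positions(ids)
    effective_bits = h * (len(ids[0]) - len(fixed))
    return {
        "entropy_per_char": round(h, 3),
        "constant_positions": fixed,
        "effective_bits": round(effective_bits, 1),
        "acceptable": effective_bits >= min_bits and not fixed,
    }


if __name__ == "__main__":
    print(assess([weak_session_id(n) for n in range(1, 201)]))   # constructed sample
    print(assess([new_session_id() for _ in range(200)]))
```

Pooled entropy is a coarse measure (it cannot see sequential counters as such), which is why the fixed-position check is reported separately; a sample that passes both still needs the ID to come from a cryptographic generator, since statistical tests cannot prove unpredictability.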
246. vely surprised with the layers of extra security developers were thinking of when creating this web application. The process starts with a typical input scheme where you set up your username and passwords. Afterwards, you need to tie in one of your e-mail addresses and set up a secret question/answer phrase. I always hated applications relying solely on this Q&A scheme to let someone retrieve a lost password. In the era where people are sharing practically everything over social networking profiles, and when Google is indexing almost everything that appears online, this password retrieving scheme can only create more security problems. Well, IronKey's developers thought of that and are asking at least three questions. Some questions are given by default, but you can easily refresh them and get a new set of data. If you are still paranoid, why not use additional questions? You can add as many as you want. [Screenshot: logging in to the IronKey online account, including the step "2. Enter the text from the image below".] You thought that was it? Wrong: there is another layer of security just waiting to be introduced. Phishing can be a drag, and IronKey is not intended only for those well familiar with the basic security principles. Therefore, before finalizing your activation you need to set up a secret phrase and a photo image. The secret image will be displayed every time you log in to help ass
247. viding a seamless, simple user experience that enables secure access to sensitive data, applications and services from any location. Managed Web application firewall service from SecureWorks: SecureWorks launched a Web Application Firewall (WAF) management and monitoring service that detects and blocks threats targeting Web applications found on corporate Web sites. With SecureWorks' Managed Web Application Firewall service, Web applications such as online shopping carts, login pages, forms and dynamically generated content are protected against application layer attacks that bypass traditional network and host-based security controls. SecureWorks currently supports full lifecycle management, maintenance and monitoring of Imperva SecureSphere appliances, as well as monitoring for other WAF appliances that organizations may have. (www.secureworks.com) FaceTime Communications introduced visualization and reporting software, FaceTime Insight. Using tree mapping and a modular reporting infrastructure, it provides in-depth visibility into all facets of enterprise Web browsing. FaceTime Insight interfaces with the Unified Security Gateway to provide enterprise data visualization.
248. way too much software, knowledge and tools for free. We feel just the opposite: that the customer has to be the focus, and that value is the real way that we earn their trust. Twitter and other social networks, the stateofsecurity.com blog and all of the public education, pro bono work and stuff we do are the keys that unlock the true value of our relationship with our clients and the tribe at large. Should more CEOs take a moment to talk to their peers and customers this way? I think every CEO should talk to customers as much as possible. I think too many CEOs are locked away from the public and their client base. You have to be engaged with them, you have to work in the trenches with your tribe, and at the same time have enough vision to make strategic decisions. I don't think enough companies operate this way. I treasure hearing from clients and having them pull me aside for conversations. I love hearing from them on Twitter or through the blog. Heck, unlike some other CEOs, you can even call me on the phone. Clients are the center of MicroSolved and I wouldn't have it any other way. You recently released HoneyPoint Personal Edition v2. How long did the development process take? Going from 1.0 to 2.0 took about 30 days of
249. y encrypted, and as soon as you unplug the device the data goes with it. The only thing that bothered me a bit is that I couldn't delete the autorun file from this location. Secure backup: When working with sensitive information, especially relying on one device to hold a collection of important data, you always need to think about backup. IronKey's secure backup option will dump data from your flash drive to an encrypted archive located on a local computer or a network share. It automatically copies all the secure files, as well as private data that is marked as hidden on Windows computers. [Screenshot: Windows Explorer showing the IronKey Unlocker (E:) and IronKey USB (F:) drives; caption: Secure documents located on the device.] Before testing, I thought the software creates some kind of an encrypted archive, but as it turns out it just mirrors the existing folders. It looked like this didn't work, as the backed-up files had the same extensions and icons, but the mismatched file sizes and the always handy diff application have clearly shown that the files are fundamentally different. From my perspective
250. y on the Internet in several hundreds of cases. The question is whether these cases are really worked on by the investigators. Christian Bahls from the German organization MOGIS, which represents victims of child abuse, states that his organization is aware of several servers in Germany which offer child pornographic material. Although he was able to track down the location of the servers, the police did not close them down. Furthermore, Bahls underlines that the introduction of filters cannot be reconciled with the German constitutional law. Similar criticism regarding the lack of police activity comes from the Netherlands, where the journalist Karin Spaink found a considerable number of child pornographic websites that were hosted in the Netherlands. Some of them even appeared on the block list of one of the Dutch ISPs, but there were no attempts by the police to shut them down. Spaink also pointed out in an article published on her own website that cooperation between European countries was insufficient. To prove the point, she mentioned the example of the Finnish block list that showed 138 Dutch websites offering child pornography. Even though both countries are fighting against child pornography, their activities were obviously limited to covering websites, and they were not cooperating to investigate the servers or the producers. Conclusion: For the German government, and probably for other governments as well, it
251. y unknown vulnerability in the Windows family of operating systems. While zero-days can be used to construct botnets, they can also be used to launch devastating attacks against Supervisory Control and Data Acquisition (SCADA) systems that control critical infrastructure targets. Engineers at the Department of Energy's Idaho National Labs used a zero-day exploit that remotely disabled a power generator during a simulated cyber attack code-named Aurora. These zero-day attacks are successful solely because defenses are not designed to stop them. As a result, cyber weapons' reliance on surprise for effectiveness inherently favors the offense. Mobility: Mobility is closely linked to terrain in the context of the speed of attack. Military analysts generally agree that mobility favors the offense, as it enables aggressors to initiate surprise attacks and quickly overwhelm the defense. In Grasping the Technological Peace, Keir A. Lieber notes that in military terms mobility is the ability of troops and equipment to move from one place to another. Germany's use of highly mobile tanks during the opening stages of World War II demonstrates the offensive advantages of mobility. Cyber armaments are also highly mobile weapons systems. They can be launched from multiple computers irrespective of geographic location and can close on their designated target in near real time. For example, the botnet use
252. years we have been in business that we just continually strive to give back. What are your future plans? You will see more HoneyPoint stuff from us and more work on identifying emerging threats. You can count on us to keep looking for new ways to fight the insider threat and to help clients and members of the tribe make more rational choices about security, risk and compliance. You can read Brent's Twitter stream at www.twitter.com/lbhuston. Want to reach a large audience of security professionals by writing for (IN)SECURE? Send your idea to editor@insecuremag.com. Black Hat Europe 2009, by Vlatko Kosturjak. There is no need to explain Black Hat to the security community. For those who don't know, Black Hat is a common place where security researchers present 0-day vulnerabilities or new methods of discovering vulnerabilities; in other words, a deeply technical conference. Black Hat is actually a commercial version of hacker gatherings like the Chaos Communication Congress (CCC), Defcon or Hackers on Planet Earth (HOPE). The attendance fee is the biggest argument for the "commercial" attribute. The attendance fee for most of the hacker underground conferences doesn't go over 100 EUR, while for Black Hat briefings it can be around 2000 EUR if you apply for it on the day before the event starts. The price for trainings ranges from 1000 EUR to 3000 EUR, depending on workshop complexity, lectur
253. your users, it will be possible for anyone to access it. To understand how to enforce security on these resources, please refer to principle number 4, Authentication and Authorization. Secure storage: The final principle is secure storage. We have secured our inputs and outputs, implemented sanitized error messages, created strong access control for all of our resources and protected information in transit, but we cannot neglect the security of data at rest. The requirement to securely store data such as credit card numbers is obvious, but we must also secure data such as passwords and session details whilst they are at rest. You not only need to identify what data needs to be protected, but also which mechanisms you will use to provide the protection. The selection of the protection mechanism should follow the same guidelines as the selection of one for secure communications: never create your own, and do not use weak mechanisms such as DES, MD4 and SHA-0. I do not want to turn this principle into a cryptography lecture, but you should ensure that the following bit sizes are used for symmetric, asymmetric and hash mechanisms: • Symmetric: 256 bits or above. • Asymmetric: 2048 bits or above. • Hashes: 168 bits or above. You should also provide a secure location for any encryption keys you are using; storing them on the application servers generally does not provide a secure location. The final thing
254. yptographic Storage; Use of a Broken or Risky Cryptographic Algorithm; Cleartext Transmission of Sensitive Information; External Control of Critical State Data. [Table caption: Code Security Flaw Matrix version 2.0, April 2009, David Rook, www.securityninja.co.uk; entries based on descriptions from WhiteHatSec and from SANS/CWE.] I started this article with a proverb and would like to end it with one of my own. The reason I have created the secure development principles is to help developers create applications that are secure, and not just built to prevent the current common vulnerabilities. I feel this proverb sums it up: "Teach a developer about a vulnerability and he will prevent it; teach him how to develop securely and he will prevent many vulnerabilities." I would like to use this article as the basis for a secure development principles guide to help developers write secure code. If anyone wishes to help me, contact me at davidrook@securityninja.co.uk. David Rook works as a Security Analyst for Realex Payments in Dublin. He is a contributor to several OWASP projects, including the code review guide and the browser security framework working group. David is a member of the Irish Internet Association Web Development Working Group, helping to publicize web application security within Ireland. David has his own security website and blog (www.securityninja.co.uk/blog) and a Secure Development Principles website, www securedev
