Nothing new to see here but Firesheep may be news to some

Subject: General Tech | September 12, 2011 - 11:56 AM |
Tagged: firesheep, security, fud, https

About a year ago you may have read about Firesheep, a Firefox add-on which takes advantage of the unencrypted nature of many packets sent to social networks to let others access your accounts.  It is specifically used on wireless connections, in what is called a man in the middle attack: as you surf over an unencrypted connection, the laptop running Firesheep captures your data before it even hits your account.  That extension is still around and causing havoc, making the news recently with the revelation that packets sent via Google carry a unique session ID in plain text which can be used to identify a Google account and then access the search history of that account.   Check out The Register for more on this topic and consider HTTPS Everywhere for your laptop.
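The defence against this kind of session sniffing is on the server side: the session cookie must carry the Secure flag so the browser never sends it over plain HTTP, and the site should send Strict-Transport-Security so the browser stops making plain HTTP requests at all. The following is an added example, not code from the original post or from Firesheep, that audits a response's headers for exactly those two gaps. The response samples, cookie names and the list of "session-looking" name fragments are constructed assumptions.

```python
"""Audit Set-Cookie and HSTS headers for session cookies that would be exposed
on an open Wi-Fi network.  Added example; the sample responses are constructed."""

# Name fragments that suggest a cookie carries a session or login token
# (assumption: real applications use many other names, extend as needed).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie name, attribute dict).

    Attribute keys are lower-cased; flags without a value map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def looks_like_session(cookie_name):
    lowered = cookie_name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_response(headers):
    """headers: list of (header name, value) pairs from one HTTP response.

    Returns a list of human-readable findings; an empty list means the
    session cookies cannot be replayed from a plain-text capture."""
    findings = []
    has_hsts = any(name.lower() == "strict-transport-security" for name, _ in headers)
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if not looks_like_session(cookie):
            continue  # preferences such as a theme cookie are not worth flagging
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure; browser will send it over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly; readable by page scripts")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header; first request may go over HTTP")
    return findings


# Constructed sample responses: the weak one mirrors what a sniffer exploits,
# the hardened one is what the site should send instead.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SID=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "SID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or "no findings")
```

Run against a real site by feeding it the header pairs from any HTTP client's response object; the point to take away is that HTTPS Everywhere on the laptop only helps where the site offers HTTPS at all, while the Secure flag and HSTS are what stop the cookie leaking in the first place.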


"Researchers have released a Firefox extension that demonstrates the risks of using Google search services on Wi-Fi hotspots and other unsecured networks: With just a few clicks, attackers can view large chunks of your intimate browsing history, including websites you've already visited."

Source: The Register

So you think nobody knows what you've been watching on the net?

Subject: General Tech | August 17, 2011 - 02:03 PM |
Tagged: security, fud, tracking cookie, super cookie, ETag value

KISSmetrics is a small company which is able to track your movements across sites like Hulu and Spotify, using what some call a super cookie but which is more accurately an ETag value.  That ETag value is a unique identifier stored in both a browser's cache and metadata folders, which can be sent to KISSmetrics via JavaScript along with a header, so that any time you visit a site partnered with KISSmetrics they will know it is you.
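To see why this survives a cookie purge, it helps to walk through the ETag round trip: the server hands out a unique tag on the first fetch of some resource, the browser caches it and returns it in If-None-Match on every later fetch, and the server just looks the tag up. The simulation below is an added example, not KISSmetrics' code or any real client; the server, the one-URL cache, the beacon URL and the identifiers are all constructed. It shows which client action actually breaks the link: clearing cookies does nothing, clearing the cache does.

```python
"""Simulate an ETag used as a cookieless identifier and show which client
actions remove it.  Added example; server, client and identifiers are constructed."""
import secrets


class TrackingServer:
    """Hypothetical server: issues a fresh ETag to unknown visitors and
    recognises returning ones purely from the If-None-Match header."""

    def __init__(self):
        self.visits = {}  # etag -> number of requests seen with that tag

    def handle(self, request_headers):
        tag = request_headers.get("If-None-Match")
        if tag in self.visits:
            self.visits[tag] += 1
            return 304, {"ETag": tag}  # Not Modified: same tag echoed back
        tag = '"' + secrets.token_hex(8) + '"'  # constructed random identifier
        self.visits[tag] = 1
        return 200, {"ETag": tag}


class Client:
    """Minimal browser model: separate cookie jar and validator cache."""

    def __init__(self):
        self.cookies = {}
        self.cache = {}  # url -> ETag remembered from the last response

    def fetch(self, server, url):
        request = {}
        if url in self.cache:
            request["If-None-Match"] = self.cache[url]
        status, response = server.handle(request)
        self.cache[url] = response["ETag"]
        return status, response["ETag"]

    def clear_cookies(self):
        self.cookies.clear()  # what most "clear cookies" buttons do

    def clear_cache(self):
        self.cache.clear()  # what is actually needed to drop the ETag


def demo():
    server = TrackingServer()
    client = Client()
    url = "https://tracker.example/beacon.js"  # constructed URL
    _, first = client.fetch(server, url)
    client.clear_cookies()
    _, second = client.fetch(server, url)  # still recognised
    client.clear_cache()
    _, third = client.fetch(server, url)  # now a new identity
    return {
        "same_id_after_cookie_clear": first == second,
        "same_id_after_cache_clear": first == third,
        "requests_linked_to_first_id": server.visits[first],
    }


if __name__ == "__main__":
    print(demo())
```

The same mechanism is why the add-ons recommended further down matter: blocking the tracker's script or beacon request altogether means no If-None-Match is ever sent, whereas a cookie-only block leaves the cache validator untouched.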

Of course, very soon after the technical documentation of the trick was released to the net, KISSmetrics claimed that they were completely innocent and that it was all a misunderstanding.  According to the CEO of KISSmetrics the company has never tracked anyone nor shared the information with a third party, so either the company never plans to make any money or he is being very specific in his definition of what "is" is.  Even better, they claim not to use ETag values at all, only first party cookies.  They also claim support for the Do Not Track header and a "consumer-level opt-out" for their tracking.  That is disingenuous in that there is no sign of how to start the opt-out process on their site, nor is there any clear way that they could identify you in order to let you opt out without a cookie or ETag placed on your machine in the first place.

The Do Not Track header is a good idea, but in addition you should consider browser add-ins such as BetterPrivacy, NoScript and Ghostery as essential, and perhaps even get used to running Chrome in Incognito mode, if you do not want to be tracked.  Don't use them to disable the ads which fund your favourite websites; they should be used to identify and possibly block violations of your privacy only.  You can follow the link at The Register if you would like to see the technical research that has led to these questions about KISSmetrics.


"A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser's privacy mode."

Source: The Register

Nearly Half of Organizations Have Lost Sensitive or Confidential Information on USB Drives in Just the Past Two Years

Subject: General Tech | August 9, 2011 - 01:27 PM |
Tagged: security, fud

The next time your boss complains about the price when you suggest picking up secure USB sticks, you might want to reference this report from Kingston, which details several horror stories of what happens with a lax policy towards portable storage.  We have seen Stuxnet recently, and there is also a long list of tricks that can be played with USB devices via the U3 autorun present on many of them.

This goes far beyond just a complaint about using USB sticks received for free at trade shows or picked up at a discount from Costco: the report cites an instance where unmarked USB sticks were left in obvious spots in government parking lots and over half of them ended up being plugged into the work PC of the person who found it.   Maybe now spending a little extra on secure USB sticks will seem a little more attractive to the beancounters.


Fountain Valley, CA -- August 9, 2011 -- Kingston Digital, Inc., the Flash memory affiliate of Kingston Technology Company, Inc., the independent world leader in memory products, today announced the results of a study conducted by the Ponemon Institute looking at USB prevalence and risk in organizations. The study found that inexpensive consumer USB Flash drives are ubiquitous in all manner of enterprise and government environments ― typically with very little oversight or controls, even in the face of frequent and high profile incidents of sensitive data loss. The Ponemon Institute is an independent group that conducts studies on critical issues affecting the management and security of sensitive information about people and organizations.

The study underscores the pressing need for organizations to adopt more secure USB products and policies. A group of 743 IT professionals and IT security practitioners from global companies based in the United States were polled, and all acknowledged the importance of USB drives from a productivity standpoint. They cautioned, however, about the lack of organizational focus regarding security for these tools to meet appropriate data protection and business objectives.

The most recent example of how easily rogue USB drives can enter an organization can be seen in a U.S. Department of Homeland Security test in which USBs were ‘accidentally’ dropped in government parking lots. Without any identifying markings on the USB stick, 60 percent of employees plugged the drives into government computers. With a ‘valid’ government seal, the plug-in rate reached 90 percent.

According to the Ponemon study, more than 40 percent of organizations surveyed report having more than 50,000 USB drives in use in their organizations, with nearly 20 percent having more than 100,000 drives in circulation. The study finds that a whopping 71 percent of respondents do not consider the protection of confidential and sensitive information on USB Flash drives to be a high priority. At the same time, the majority of these same respondents feel that data breaches are caused by missing USB drives.

The Ponemon study concluded that a staggering 12,000 customer, consumer and employee records were believed to be lost on average by these same companies as a result of missing USBs. According to a previously released Ponemon report, the average cost of a data breach is $214 per record, making the potential average total cost of lost records to the organizations surveyed for the Ponemon USB Flash drive study, reach upwards of $2.5 million (USD). Other key findings in the report include:

Evidence of widespread compromise is apparent:

  • Nearly 50 percent of organizations confirmed lost drives containing sensitive or confidential information in the past 24 months.
  • The majority of those organizations (67 percent) confirmed that they had multiple loss events – in some cases, more than 10 separate events.

Oversight and control of USBs in enterprises can be better:

  • Free USB sticks from conferences/trade shows, business meetings and similar events are used by 72 percent of employees ― even in organizations that mandate the use of secure USBs.
  • In terms of policies and controls, of the hundreds of IT professionals and IT security professionals polled, only 29 percent felt that their organizations had adequate policies to prevent USB misuse.

“An unsecured USB drive can open the door for major data loss incidents,” said Larry Ponemon, Chairman and Founder of the Ponemon Institute. “Organizations watch very carefully, and put a plethora of controls around, what enters their businesses from cyberspace. This study drives home the point that they must also take a more aggressive stance on addressing the risks that exist in virtually every employee’s pocket.”

“Kingston believes a lack of oversight, education and corporate confusion are factors that lead to the overwhelming majority of data loss when it comes to USB Flash drives,” said John Terpening, Secure USB business manager, Kingston. “Organizations fear that any attempt to control a device like a USB is likely to be futile and costly, both in terms of budget and loss of productivity. However, a simple analysis of what an organization needs and the knowledge that there is a range of easy-to-use, cost-effective, secure USB Flash drive solutions can go a long way toward enabling organizations and their employees to get a handle on the issue.”

The full report can be downloaded from the Kingston Web site.

Source: Kingston

Counter-terrorism Expert States Cyberthreats Should Never Be Taken Lightly

Subject: Networking | August 4, 2011 - 02:01 AM |
Tagged: security, networking, cyber warfare

Computer World posted a short news piece quoting the former director of the CIA’s Counter-terrorism Center, Cofer Black, as he explained why cyberthreats need to be taken more seriously by the nation. Cofer Black played a key role during the first term of the George W. Bush administration and was one of the counter-terrorism experts made aware of a likely attack on American soil prior to the September 11th attacks.

Black noted that the people in a position with the power to act on these warnings were unwilling to act without some measure of validation. He goes on to say that while the general public was blindsided by the September 11th attacks, “I can tell that neither myself nor my people in counter-terrorism were surprised at all.”


With cyber warfare becoming increasingly utilized as an attack vector to foreign adversaries, the need for quick responses to threats will only increase. Further, the demand on security professionals to find and validate threats so that those in power can enact a response will be a major issue in the coming years. “The escalatory nature of such threats is often not understood or appreciated until they are validated,” Black offered in regard to the challenges decision makers face. He believes that the decision makers do listen to the threats; however, they do not believe them. This behavior, he believes, will hinder the US’ ability to properly respond to likely threats.

With the recent announcement by the Department of Defense that physical retaliation to Internet based attacks (in addition to counter attacks) may be necessary, the need to respond quickly and proactively to likely threats is all the more imperative.  Do you believe tomorrow's battles will encompass the digital plane as much as real life?

With Intel's recent purchasing habits, could crossdressing be in their future?

Subject: Editorial | July 20, 2011 - 06:10 PM |
Tagged: vpro, TPM, speculation, security, mcafee, intel txt, Intel, infineon, amt

Not too long ago the tech world was buzzing with the news that Intel had acquired McAfee for $7.68 billion.  This gave them the knowledge base to start thinking about putting antivirus technology directly onto their chips, which seemed far more likely than an Intel branded software antivirus product.  When Intel CTO Justin Rattner started talking about technology that resembled the failed attempts at digital rights management, such as Microsoft's Palladium or the Trusted Platform Module (TPM), a different idea was promoted with its own acronyms: Intel Active Management Technology (AMT) and Intel Trusted Execution Technology (Intel TXT).  This theory was lent credence by the mention of Intel's vPro and a desire by Intel to move security to the top of their list of priorities.  By integrating security software directly into the vPro architecture, it might not even be necessary to place antivirus code directly on their hardware.  Add optimization to a product architecture that Intel trusts absolutely, as they made it themselves, and the overall level of security on an Intel based virtual machine would be greatly increased.


Then Intel went and muddied the water with the $1.9 billion purchase of Infineon Technologies AG’s wireless business, which doesn't own manufacturing facilities but does own the intellectual property and patents for chips providing wireless communication.  Suddenly some discarded theories about the purchase of McAfee seemed valid again.  One possibility that was bandied about was the idea of Intel moving into ARM territory in the cell phone business.  With Intel's new focus on low power chips, with Atom being the starting point, the idea of Intel providing secure CPUs appropriate for cell phones and tablets became much more believable.  With the current rise of viruses targeted at those mobile platforms, and the vulnerabilities present in Android and Windows based phones, having hardware based antivirus, or at least optimized hardware, makes a lot of sense.

It also differentiates them from ARM, which has more market experience making ultra low power chips but certainly does not own an antivirus vendor.  The security concerns with cell phones and tablets will continue to increase at the same pace as the capabilities of the devices increase.  Where once bluejacking was the biggest concern of a cell phone user, a smart phone user can browse the world wild web and be exposed to all sorts of nastiness, including more than just the nastiness they intended to browse for.  A hardware solution would leave more processing power for the user; running Norton 360 on a cell phone or tablet would chew up a lot of cycles.


Today those muddied waters were stirred up even more as Intel announced it is planning to buy Fulcrum Microsystems, maker of high end 10Gbps and 40Gbps Ethernet switches.  This purchase would support the theory advanced before the purchase of Infineon's wireless group: that Intel is taking a serious look at a total TPM ecosystem.  In order to truly trust your platform you need to do more than secure your endpoints.  If your server is running AMT or Intel TXT, then you can be assured that any virtual machine running on it can be trusted.  As well, if both the server and client are running processors capable of Intel's TPM (sounds so much better than DRM, eh?), both machines can again be considered trusted platforms.

That does not help with trusting data which has been transferred over a WAN, or in some cases even a LAN.   Data transfer gives an attacker a means of entry, or at least a way of denying data transfer.  With a trusted platform, any data which does not match what the receiving machine expects will be prevented from running, so a successful man in the middle attack might not allow remote code execution or privilege escalation but would certainly act as a DoS attack as the TPM client refuses to accept the incoming data.   Once the routers and switches involved in the data transfer are secured with the exact same TPM specifications, the entire route is protected and can all be considered part of the same Trusted Platform.  The network devices would reject any code injection attempted on the data during transfer, allowing data to flow freely inside a LAN as well as customized WANs.


Returning to the secure cell phone theory, we can now consider the possibility of a TPM compliant cell phone thanks to the theoretical integration of Intel processors into your phone and tablet. Now you would be able to include your mobile communications in your TPM ecosystem.  Implement that security properly and not only will you challenge ARM's market share by out-securing them, you could topple RIM's share of the business market, as a BlackBerry may be handy to the sales team but it is a nightmare for the IT/IS security team.  Nothing is perfect, but that would be a huge step towards defeating the current attack vectors that affect business systems.  So far Intel is not saying much, so all we can do is speculate ... which is fun.

Don't you love it when Patch Tuesday hits double digits

Subject: General Tech | June 13, 2011 - 11:47 AM |
Tagged: microsoft, patch tuesday, security, windows, internet explorer, silverlight

Tomorrow will see the arrival of 9 critical security patches and 7 recommended ones, covering Windows, IE, Silverlight and Office.  The critical patches all resolve remote code execution vulnerabilities; the recommended ones range from the same type to privilege escalation and denial of service vulnerabilities.  WinXP through Win7 as well as server OSes will all be affected, so be warned that your Tuesday and Wednesday might not be very fun.  Follow the link from The Register to see Microsoft's pre-release document for yourself.

Adobe, obviously not wanting to seem lazy, is also pushing out a patch for both Reader and Acrobat.


"Microsoft is preparing a bumper Patch Tuesday for next week, with 16 security bulletins that collectively address 34 vulnerabilities.

Nine of the bulletins earn the dread rating of critical, while the other seven grapple with flaws rated as important. All supported versions of Windows will need patching on 14 June along with various server-side software packages and applications, including the .NET framework and SQL Server. Internet Explorer, which is affected by two bulletins, will also need some fiddling under the bonnet."

Source: The Register

Not the kind of sharing we like to see, the Blackhole exploit kit is available for free

Subject: General Tech | May 25, 2011 - 11:48 AM |
Tagged: fud, security

The Blackhole exploit kit, which until now required you to have a pocketful of money and enough hacker cred to get onto the sites where it was available for sale, is now freely available to any and all.  The exploit kit is a tool that allows misanthropes to commit a type of drive-by attack, where clicking on a 'tainted' iframe allows remote code execution to install a payload on your system.  It was part of the famous US Postal Service attack that occurred recently, as well as other incidents The Register mentions.  Even better, the source code for ZeuS was also just made available.  Patch early, patch often.


"A free version of the Blackhole exploit kit has appeared online in a development that radically reduces the entry-level costs of getting into cybercrime.

The Blackhole exploit kit, which up until now would cost around $1,500 for an annual licence, creates a handy way to plant malicious scripts on compromised websites. Surfers visiting legitimate sites can be redirected using these scripts to scareware portals on sites designed to exploit browser vulnerabilities in order to distribute banking Trojans, such as those created from the ZeuS toolkit."

Source: The Register

Crikey! Open source Android might be just a wee bit too open with your data

Subject: General Tech | May 17, 2011 - 01:23 PM |
Tagged: Android, security, clientlogin, impersonation, fud

Researchers at Germany's University of Ulm have discovered a vulnerability in Android's authentication protocol, known as ClientLogin, which should protect your login credentials to apps like your contact list and your calendar.  It seems that while your request is encrypted, the response which includes your credentials is sent back in plain text, and those credentials remain valid for 2 weeks.  The new versions of Android have fixed this flaw, but according to the story at The Register connections to Picasa still return in plain text.

"The vast majority of devices running Google's Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant's servers, university researchers have warned."

Source: The Register

Sony relaunches much of the PSN, other services oncoming

Subject: General Tech | May 15, 2011 - 04:29 PM |
Tagged: security, PSN

Some of you may have heard of a recent computer break-in to Sony Computer Entertainment involving some total theft of personal information and uniformly increased grades of University final exams. Approximately three weeks and a few missed deadlines later: portions of the PSN are finally back online and awaiting the eager college students who are finished with their finals to scratch the itch on all the games they missed in the outage. Just kidding, they are going to play Call of Duty again. 

“… and then Kevin Butler crushed their heads.” (Quote accuracy disputed.)

Sony uploaded a video to YouTube on May 14th announcing that access has been regained to the following services:

  • Sign in for PSN and Qriocity
  • Online gameplay for PS3 and PSP
  • Music Unlimited (if you are a current subscriber) for PS3 and PC
  • Access to Netflix, Hulu, Vudu, and MLB from PS3
  • Friends list, chat, trophy comparison, and PlayStation Home

Gamers returning to their PlayStation are required to change their account passwords prior to reconnecting to the PlayStation Network and, as reported by PCMag, install a firmware update for their console. It has been a long and hard journey for fans of Sony’s console but it appears as if tangible progress has been made. Go forth, play Portal 2 Co-op, give Atlas a big hug, and let them eat cake. It has been a harsh famine.

Source: PCMag

Potential LastPass Break-in Disclosed by LastPass

Subject: General Tech | May 5, 2011 - 06:05 PM |
Tagged: security, lastpass

One of the most important parts of security is authentication. A lot of our methods of authentication online revolve around passwords. There is an expectation these days that you are required to remember long passwords composed of completely random characters including numbers and symbols, each unique from the others, in case one site compromises the password you provide it. This necessity confronts our human nature of having terrible memory. Many programs have attempted solutions by storing and generating secure passwords for you.

LastPass is currently one of the most popular platforms for that need. On Wednesday, LastPass announced on their blog that they had noticed some odd behavior in their network traffic on Tuesday morning without being able to track the source. The security firm claims that while they are unable to tell if user data was compromised, there was a possibility that their list of user email addresses and the corresponding salted and hashed passwords had been taken. A hash is an algorithm designed to encode data in a way that is almost impossible to ever decode. Passwords are hashed since the server does not need to know what the password is, only whether it is the same as what was input by the user, so storing the password itself is just asking for trouble in case of intrusion.

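The "salted and hashed" wording deserves a concrete illustration, because the salt is what stops a stolen list of hashes from being cracked in bulk: two users with the same password end up with different records, and each record has to be attacked on its own. What follows is an added example, not LastPass's code; the iteration count, record format, user names and passwords are constructed assumptions. It stores a password as a slow, salted PBKDF2 hash and verifies a login attempt against that stored record without ever keeping the password itself.

```python
"""Salted, iterated password hashing and verification.
Added example, not LastPass's implementation; users and passwords are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt is drawn per user, so identical passwords do not
    produce identical records and a precomputed table is useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored_record):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time; the server never needs the original password."""
    algorithm, iterations, salt_hex, digest_hex = stored_record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo():
    # Constructed user table: two accounts that happen to share a password.
    users = {
        "alice@example.test": hash_password("correct horse battery staple"),
        "bob@example.test": hash_password("correct horse battery staple"),
    }
    return {
        "same_password_different_records":
            users["alice@example.test"] != users["bob@example.test"],
        "correct_login_accepted":
            verify_password("correct horse battery staple", users["alice@example.test"]),
        "wrong_login_rejected":
            not verify_password("Password1", users["alice@example.test"]),
    }


if __name__ == "__main__":
    print(demo())
```

The flip side, and the reason the post's advice about an easily guessed master password matters, is that a salt and a high iteration count only slow an attacker who holds the records; they do not rescue a password that sits near the top of any guessing list.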
LastPass is claiming that they will require their users to change their master password especially in the event that your LastPass password is easily guessed. Currently I have not received such notification on my account but comments on their blog suggest that some have been notified of this requirement. If anything this potential break-in illustrates just how hard actual security is and how much of a concern it should be for the general population at all times that valuable information is being handled.