February 10, 2008
Peter Schooff
Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

October 31, 2006
Data Breach Costs Skyrocket

As both the quantity and quality of work being transmitted electronically grows exponentially, the cost of each data breach has soared.

An article at Search Security quotes a Ponemon Institute survey which estimates that the costs of such breaches average out at $182 per compromised record, a 31% increase over 2005. The total costs ranged from less than $1 million to over $22 million.

Broken down, these costs include printing and postage of notification letters, hiring a law firm to address any legal issues, offering credit monitoring subscriptions to customers, implementing a support hotline and contract call center, as well as factoring in customer defections.

It was calculated that IT had no costs associated with a breach, as those costs tend to be up front, but one would imagine that one expensive data breach would lead a company to desire better data security controls. But Larry Ponemon, founder and chairman of the Institute, said, “A breach may expose a flaw in implementation, or a hole that can be addressed through training, but not necessarily a need for new direct investments.”

The study also revealed a lack of company guidelines for dealing with a data breach. While it was found IT was responsible for 53% of the breaches, no single group was put in charge of responding to a breach.

Finally, as more data is put at risk, and as more companies do business with consultants, outsourcers, and external partners (30% of breaches originated with outside sources), this problem is only going to grow.

What companies need to do is focus on preventing a breach, and have a plan in place and a person in charge if a breach does occur. Said Steve Roop, VP of San Francisco based Vontu Inc., “Technologies need to make end users more aware of security best practices, because employees need to know what the security policies of an organization are and if they are mishandling data.”

Posted by pschooff in Better Protection

October 30, 2006
Can Spam Be Stopped?

The past two months have seen a significant increase in the volume of spam, reports Security Focus. The reason for the increase is a major change in tactics: because spam black lists have had some success against bulk spam mails sent from a single server, most new spam now originates from networks of compromised computers, also known as bot nets.

While Security Focus has found that spam has increased 35 percent in the past two months, Total Quality Management, which maintains spam black lists, reports an increase of 450 percent. Most of this increase was found to focus on stock and pharmaceutical mailings.

Bots and bot nets have emerged as one of the central threats to the internet, where tens of thousands of compromised computers can make up a single bot net’s network. Other bot net operators have boasted of running millions of infected computers.

To confirm that the rise in spam is actually the result of bot nets, Sunbelt Software analyzed junk email messages from a dummy account and found that the 1,100 blocked messages came from 160 different addresses, which signifies a network of machines acting together.

Even more disturbing, anti-spam provider Blue Security was targeted by a huge denial of service attack recently, which blocked internet access to Blue Security for days, until the company finally decided to get out of the anti-spam business altogether.

That is why my company, Message Partners, worked hard to develop an email platform that can effortlessly run a number of different spam scanners, even run two or three or more at the same time, which we have found essential in our battle to successfully fight the endless scourge of spam.

Another important point is that everyone should be strongly encouraged not to do business with spam of any kind. If no one bought a single thing from spam, then spam's reason to exist would simply disappear.

Posted by pschooff in Spam

October 27, 2006
Microsoft's Vista PatchGuard Cracked

In what is starting to resemble nothing less than the gunfight at the OK Corral, the white hat firm Authentium announced that it has created a new version of its product that circumvents PatchGuard’s kernel protection technology. In an article at EWeek, the Palm Beach Gardens-based company said that it has a new version of Authentium ESP Enterprise Platform that can bypass PatchGuard without setting off desktop alarms. Expect the black hat hackers and internet ne'er-do-wells to soon follow.

In an attempt to stop hackers from attacking computers with rootkits, PatchGuard blocks any application from “hooking” Vista's kernel commands, a method also used by vendors for anti-tampering and behavior monitoring tools. But unlike McAfee and Symantec, which have demanded access to the kernel, Authentium has simply circumvented the feature. Whereas any program that attempts to modify the kernel will result in a blue screen computer stoppage, Authentium said they have been able to access the kernel without incurring a shut-down.

The loophole used to bypass PatchGuard is simply the result of Vista’s need to support older hardware. As Mike Rothman said on his Daily Incite blog, "This is the fundamental truth of Microsoft's problem. As long as they are constrained by requiring backwards compatibility, the problem is NOT going to get better and we are not going to make much progress."

Because hackers will quickly copy this method of defeating PatchGuard, Corey O’Donnell, vice president of marketing at Authentium, said his company is not waiting to see what Microsoft’s APIs will allow for. Said O’Donnell, "Good and bad guys have the same job, to identify holes in whatever software is delivered and beat it."

Posted by pschooff in Better Protection, Hackers, McAfee, Microsoft

October 26, 2006
Hackers Target Online Brokers

As if any more evidence was needed that hacking has grown from a juvenile delinquent’s quest for attention to big-time crime, a report in EWeek has found that high-tech criminals using spyware have been victimizing discount brokerages on the order of tens of millions of dollars.

Earlier this month the SEC warned that hackers were taking over online brokerage accounts using remote locations. TD Ameritrade Holding Corp. revealed on Tuesday that they had become the latest brokerage to be scammed, costing them $4 million in the third quarter to restore customer accounts.

Even harder hit was E*Trade Financial Corp, which announced third quarter fraud losses of $18 million, which came from swindlers stealing clients’ identities and then manipulating their accounts.

Both brokerages guaranteed that their clients' fraud losses would be repaid, and both are ratcheting up their defenses.

"We've seen that level of fraud in the last three weeks or so reduced to almost zero as a result of the changes we're making," E*Trade CEO Mitchell Caplan said in last week's conference call. But Gwenn Bezard, an analyst with Boston-based consultant Aite Group, said E*Trade had previously made big efforts to bolster security and the $18 million increase was a sign of hackers' resiliency in flouting fraud prevention efforts.

Around 25 percent of U.S. retail stocks are traded online through roughly 10 million accounts, according to NASD. The identity theft usually occurs when a victim’s computer or public PC is loaded with a spy program that is able to capture vital keystroke information.

Said Gwenn Bezard, “It’s a reminder that though you may have stronger authentication it may not protect you from other types of scams.”

Posted by pschooff in Hackers

October 25, 2006
DBAs Mixed on Oracle's Security Efforts

With a week for DBAs to get accustomed to Oracle’s October patch update and revamped bulletin, so far the reviews have been mixed. In its most recent quarterly update, Oracle fixed 101 security flaws and included an updated bulletin that provides more details on the flaws being fixed.

In an article at SearchSecurity.com, DBAs discussed their impressions of Oracle’s updated approach. Some said the more detailed bulletin made deploying patches easier, while others said it made little difference. Also, half of those interviewed said that Oracle still had a way to go to improve their security process.

Many complained about how long it took for Oracle to issue the patches. Arup Nanda, a database engineer for Starwood Hotels and Resorts, said, "Some of the vulnerabilities are so severe that one would expect a resolution in a matter of days, yet they took months, and only after exploits had been lingering around the Internet for a while. So yes, Oracle should beef up their process."

Nanda was also not impressed with the new bulletin format, while Chris Ruel, an Oracle DBA with Perpetual Technologies Inc., added that he couldn’t tell the difference between this bulletin and the last one.

"Typically I don't pay much attention to the bulletins," he said. "The patches come out and I'm simply required to apply them. I read the technical details on how to apply it, but to me, they are security flaws that simply must be patched, so I don't get as mired in all the flaw details. I couldn't have told you it was any different than last time."

Other DBAs said they did notice the more informative bulletins, and found them helpful. Brian Peasland, a DBA working as a contractor with the U.S. Geological Survey, said, "This part of the bulletin is much clearer and makes it easier for me to quickly locate the patch for my specific version and platform. Prior to this bulletin, one had to click on another Metalink note and then make one more click just to find the patch number to download. My opinion is that the October 2006 CPU bulletin is much cleaner than previous ones."

Jon Emmons, an Oracle database consultant and author of the blog Life After Coffee, said in an email interview, "Perhaps the most valuable new feature in the CPU bulletin is the executive summaries. These bulleted lists give a great high-level summary. At one point or another we've all had to explain to our boss why we need to apply these patches and now Oracle has given us the words to do it with."

The DBA did say that it’s important that the CPU clearly identifies the nature of the flaws and the specific products affected. Also, the harder it is to understand the bulletin, the longer it takes to start the deployment. While the actual patching process isn’t all that time consuming (usually only about 30 minutes), it’s the testing, and scheduling the downtime, that’s much more time intensive. All the more reason Oracle needs to be clear, concise, and timely in order to properly serve a company’s most valuable informational asset, its data.

Posted by pschooff in Oracle, Patches

October 24, 2006
iPods Threaten Corporate Networks

As popular as Apple’s iPod has become, many companies are developing policies or installing software that prohibits employees from plugging them into work machines to download music and videos.

In an article at Search Security, Rob Israel, CIO of John C. Lincoln Health Network out of Phoenix, Arizona, said he has long feared that such mobile devices could install malware onto his network.

"Tons of things can happen with iPods if you don't have the proper security measures in place," he said. "People could take up valuable disc space with music and video uploads, there's a risk of copyright infringement, and you could also upload malware." There's also the risk that someone could load confidential network data onto an iPod.

Apple’s acknowledgment last week that some of their iPods were infected with malware only confirmed Rob Israel’s views. On its website Apple acknowledged that 1% of Video iPods were carrying the RavMonE.exe virus, which typically affects computers running Microsoft Windows.

"So far we have seen less than 25 reports concerning this problem," Apple said on its Web site. "The iPod nano, iPod shuffle and Mac OS X are not affected, and all video iPods now shipping are virus free." But this is likely not the last time malware turns up on an iPod.

Rob Israel said that employees must fill out a “device approval” to plug in portable devices at his company, but they aren’t likely to get approval for an iPod. He also noted that with so many computers at so many different locations, they needed something more than just an honor system to enforce company policy. As he said, "As we looked at our policy, we concluded we couldn't enforce it 100% with 2,000 machines across 15 locations. So we put devices in place to block the activity."

The device they used was an appliance from Luxembourg-based SecureWave that blocks port access and keeps people from downloading or uploading not only music but also images from digital cameras.

Posted by pschooff in Apple, Better Protection

October 23, 2006
Sophos at Odds with McAfee and Symantec Over Vista

While McAfee and Symantec have been battling furiously with Microsoft over the Vista operating system, Sophos believes, as quoted on the website Softpedia, that Symantec and McAfee have simply been caught unprepared by Microsoft's new operating system.

Richard Jacobs, CTO of Sophos, explained, “Symantec and McAfee may be struggling with HIPS because they haven't coded their solutions with 64-bit Vista in mind. We’ve taken a different approach to HIPS, by focusing more on catching bad behavior by analyzing code before it executes. Additionally, we are building our technology by making use of supported Microsoft interfaces rather than by trying to subvert the kernel by 'hooking' calls to it. That's why we're ready for 64-bit Vista, and others aren't."

Sophos believes PatchGuard is a positive step for Microsoft’s security and dismisses the claim of anti-competitiveness. Its conclusion, though, is dependent on Microsoft’s commitment to deliver the same level of kernel support for third-party integration as it does to its in-house security team.

Sophos also declares Vista “more secure” but by no means completely secure, thereby justifying the need for additional security measures. Richard Jacobs continued, “PatchGuard is a step in the right direction for customers, and we believe that security vendors should embrace and work with PatchGuard rather than fight it."

Posted by pschooff in McAfee, Microsoft

October 20, 2006
Cisco Warns of Risk from Remote Workers

The risk of corporate networks being hijacked by hackers or employees sharing corporate devices with non-employees remains a considerable challenge for worldwide corporate security. While two out of three teleworkers said they were aware of the risk, many admitted that they continued to engage in dangerous activities such as sharing work computers with non-employees, opening unknown emails and piggybacking on a neighbor's wireless connection.

Jeff Platon, vice president of security solutions marketing at Cisco, said, “To highlight the U.S. example, the unsafe behavior of 11 remote workers in a company of 100 can bring down a network or compromise corporate information and personal identities.”

From an article in CIO Today, a global study of 1,000 workers in 10 countries commissioned by Cisco found that remote workers often endangered network security because of a false sense of awareness.

One in five remote workers allowed friends, family, or other non-employees to use a corporate computer to access the Internet. While the global average was 11 percent, Germany (15 percent) and the US (12 percent) joined China, Italy, and Brazil in surpassing the average.

25 percent of remote workers admitted to opening unknown emails on work computers. Said Jeff Platon, "It only takes one security breach. For large enterprises with tens of thousands of workers, especially those with global workforces and differing business cultures, the potential risk is even more challenging."

Posted by pschooff in Better Protection, Cisco Systems, Small Medium Enterprise

October 19, 2006
Security Systems Undermined by Slips of Paper

One in three people still jot down their computer password on a slip of paper, compromising a system’s security, says a study released by Nucleus Research, a global research firm, and KnowledgeStorm. Because of this, companies are being urged to adopt safer methods, like biometrics.

An EWeek article pointed out that companies' attempts to tighten IT security by regularly changing passwords and adopting more complex ones (i.e. those with numbers and letters and symbols) are being undermined by employees still writing down their entire password on a slip of paper (if you recall, a recent blog of mine, Master the Password, recommended only writing down the key for each level of password).

David O’Connell, senior analyst at Nucleus Research, told Reuters, "This is really a lot like mom and dad buying a great new security system for the house and junior leaving the combination under the door mat."

Because of this, the study of 325 US employees found that single sign-on systems are about as effective as more complex schemes. "Passwords are high maintenance. People forget them, people lose them, they have to be reset. Resending passwords is time intensive and costly. It takes up time at a help desk," said O'Connell.

The report suggested companies employ more sophisticated security methods such as biometrics, voice recognition, thumbprint scanners, or cognitive biometrics (which is the system that learns characteristics about you while you tell a story in the form of multiple choice answers).

Posted by pschooff in Better Protection, Small Medium Enterprise

October 18, 2006
Patches to Fix Bluetooth Flaw

Patches are now available to plug the security flaws found in the Bluetooth communications software that can give hackers the ability to compromise certain machines. Bluetooth technology allows computers to exchange information wirelessly over short distances (typically between 10 and 100 meters).

The problem resides in Bluetooth device drivers made by Toshiba Corp., drivers that are also present in a number of computers made by Dell. According to SecureWorks, an attacker would not need login credentials for the target computer but would need the Bluetooth address of the victim’s device. That wouldn’t be a problem for computers configured to allow other Bluetooth devices to discover them (there are several readily available Bluetooth scanning tools that could easily be used).

SecureWorks reported that the Toshiba drivers are also present in some Sony Vaio and ASUS computers. It was SecureWorks researcher David Maynor and independent researcher Johnny “Cache” Ellch who revealed the flaw, and said it could cause the ominous “blue screen of death” to appear. Both acknowledged they were not able to use the bug to install programs on a vulnerable machine.

According to Elizabeth Clarke, a spokesperson for SecureWorks, Maynor "was able to demonstrate a crash that could execute code on a Dell running a Toshiba Bluetooth stack." Apparently, Dell was the only hardware platform they tested the exploit on.

Dell said it has shipped updates to fix the problem on Latitude Models D820, D620, D420, and D520. Other Latitude models also are vulnerable, including the D810, D610, D410, D510 and X1 versions, but the company doesn't expect to ship updates for those models until Nov. 4.

While it is not likely that these vulnerabilities will be readily exploited anytime soon, it is always a good idea to make sure you have the most up-to-date Bluetooth drivers.

Dell patches can be found right here. Select “Latitude,” your model, the operating system you are using, then hit “find downloads.”

To see which version of Bluetooth you have installed, follow this from Brian Krebs' Security Fix, where this article came from: “right-click the blue "Bluetooth Manager" icon in the task bar near the system clock, then select "Device Properties" and then "General." If that doesn't work, right click on the Bluetooth Manager icon, select "Options," then "General," then "Details." Users running version 4.20.01 should download and install the "PC Bluetooth Stack," available at this link. Toshiba users with Bluetooth versions 3.x through 4.00.36 should install the "PC Bluetooth Stack Security Patch 2," downloadable from this link.”

Posted by pschooff in Better Protection, Dell, Patches, Small Medium Enterprise

October 17, 2006
IBM and McAfee Bolster Security

In news from Infoworld, IBM just completed their buyout bid for Internet Security Systems, Inc. Yesterday IBM's shareholders approved a $1.3 billion cash offer for ISS, the Atlanta company whose security services aim to protect networks, servers, desktops and laptops by preemptively blocking Web threats like spam and viruses. IBM announced that ISS will become part of IBM's Global Technology Services division and that it plans to keep ISS's 1,300 employees.

Also on Monday, McAfee announced their security risk management strategy, which entails acquiring Onigma, an Israel-based data leak prevention vendor, for $20 million. The deal rounds out their buyouts of Foundstone, Preventsys and Citadel.

McAfee plans to offer an integrated solution that addresses both security and compliance issues. Vimal Solanki, senior director of marketing, said to CRN Canada, “What’s challenging about these areas is that they’re largely being attacked on an individual basis. There’s little automation between the two, and that’s becoming an inhibitor.”

Onigma uses agent software to prevent confidential data from slipping out (data leaks becoming a key compliance issue) through copy/paste, screen capture, printed documents and USB drives. This provides a more complete solution than a mere gateway approach, which only sees traffic as it’s leaving the network and can’t look within an enterprise.

Posted by pschooff in Better Protection, IBM, McAfee

October 16, 2006
Encryption Breakthrough

Take a second to listen to the background sounds of your office. Then imagine that beneath those random office sounds of air vents and printers and doors opening and closing a secret message was being transmitted.

That is pretty much the solution arrived at by two researchers at Princeton University. A report from ZDNet Asia details the technique that relies on transmitting data within the "noise" of a fiber-optic network. A fiber-optic network inevitably experiences low levels of random light waves and various jitters. The breakthrough comes in hiding the encrypted message within that "noise."

First, the sender must convert the message into a short pulse of light, which Code Division Multiple Access (CDMA) then converts into a faint stream of optical data. The new approach then takes that optical data and makes it fainter than the noise and random jitters on the fiber-optic cable.

At the other end, the recipient simply must decode the message with a key that details how that information was diluted into the noise. Thus the message is secure because even if an eavesdropper knew a secret message was being sent at that time, any slight imperfection in their knowledge of how the signal was blended into the noise would make the message impossible to separate from the noise.
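
The hiding-in-noise idea can be tried numerically. The following is an added illustration, not code from the article or from the Princeton researchers: it models the general spread-spectrum principle at baseband rather than the optical system itself, and the key, message, chip count and amplitudes are all constructed assumptions.

```python
import random

def chip_sequence(key, n):
    """Keyed pseudo-random +1/-1 spreading code; the key is the shared secret."""
    rng = random.Random(key)
    return [1 if rng.getrandbits(1) else -1 for _ in range(n)]

def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)

def transmit(message, key, chips_per_bit, amplitude, noise_sigma, noise_seed):
    """Spread each bit over many faint chips, then add channel noise."""
    bits = to_bits(message)
    code = chip_sequence(key, len(bits) * chips_per_bit)
    noise = random.Random(noise_seed)  # stands in for the fiber's own noise
    channel = []
    for i, bit in enumerate(bits):
        symbol = 1 if bit else -1
        base = i * chips_per_bit
        for j in range(chips_per_bit):
            chip = amplitude * symbol * code[base + j]
            channel.append(chip + noise.gauss(0.0, noise_sigma))
    return channel

def receive(channel, key, chips_per_bit):
    """Correlate against the keyed code; the sign of the sum is the bit."""
    code = chip_sequence(key, len(channel))
    bits = []
    for base in range(0, len(channel), chips_per_bit):
        corr = sum(channel[base + j] * code[base + j]
                   for j in range(chips_per_bit))
        bits.append(1 if corr > 0 else 0)
    return from_bits(bits)

def mean_power(samples):
    return sum(s * s for s in samples) / len(samples)

def bit_errors(a, b):
    return sum(x != y for x, y in zip(to_bits(a), to_bits(b)))

# Constructed parameters: the signal is 20 dB below the noise on every sample.
MESSAGE = b"meet@9pm"   # constructed 8-byte sample message
KEY = 20061016          # hypothetical shared secret
CHIPS = 4096            # chips per message bit
AMPLITUDE = 0.1         # signal amplitude per chip
SIGMA = 1.0             # noise standard deviation

def demo():
    channel = transmit(MESSAGE, KEY, CHIPS, AMPLITUDE, SIGMA, noise_seed=1)
    recovered = receive(channel, KEY, CHIPS)
    # An eavesdropper whose key is off by one gets an unrelated code.
    guess = receive(channel, KEY + 1, CHIPS)
    return mean_power(channel), recovered, bit_errors(MESSAGE, guess)

if __name__ == "__main__":
    power, recovered, wrong_key_errors = demo()
    print("channel power (noise alone would be 1.0):", round(power, 3))
    print("receiver with the key:", recovered)
    print("bit errors with key off by one:", wrong_key_errors, "of 64")
```

The channel's measured power is nearly identical to that of noise alone, so power measurement does not reveal the transmission, while correlation with the exact key pulls every bit back out.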

This technique was developed by researchers Wu and Evgenii Narimanov of Princeton University and was presented this week at the annual meeting of the Optical Society of America.

Posted by pschooff in Better Protection

October 13, 2006
Hackers Get Predictable

To most people, patch Tuesday means a chance to shore up their Microsoft programs and hopefully make their desktops more secure. For hackers, it means Microsoft is pretty much finished fixing their vulnerabilities for a month, so why not maximize the time they have for the next series of exploits? So, according to Brian Krebs' Security Fix, as regular as patch Tuesday has become, the day after has become known as exploit Wednesday.

The day or two after, the hacker bulletin boards light up with the newest found flaws. Just yesterday hackers revealed a serious flaw in the PowerPoint files of Office 2003, which means someone up-to-no-good can install malicious software on your computer just by having you open a document. For its part, Microsoft has acknowledged reports of a possible vulnerability.

To me, it seems like it's time to stop this too predictable cycle. While I know it's not practical to have IT administrators updating their systems daily, and it is good to have a deadline for patches, it's not like we're ever likely to see the following announcement from our IT Admins: Employees, please turn off your computers between 3 and 4 PM today because cyber criminals have told us they're going to be launching an attack. Microsoft needs to adopt an approach that is as dynamic and unpredictable as those of the hackers.

Posted by pschooff in Hackers, Microsoft, Patches

October 11, 2006
Poor Access Controls Can Harm Any Sized Company

An article from Search Security reports that no matter the size of your company, your IT must always keep tight control over authenticating users and controlling network behavior. But where large companies have the resources to implement controls such as two-factor authentication, smart cards and tokens, that technology is not always affordable to small and medium sized enterprises.

So many SMEs try to make do with the Network Access Controls (NAC) offered by Microsoft and Cisco Systems, two companies that recently announced plans to provide better interoperability between them. Many security vendors have also gotten in the game, trying to entice midmarket companies with more affordable options.

Amer Deeba, VP of business development for Qualys, said that while some mid-sized companies may have decent internal controls, they often lack adequate NAC for their outside contractors, many of whom frequently sign on to the network. "That's why NAC is becoming a big deal," Deeba stated.

Security vendors have been trying to develop inexpensive tools, and while that has created a growing number of choices, they often lack interoperability. Unfortunately, for SMEs, there is still no magic bullet. Todd Towles, an IT security consultant, was quoted saying, "Products that work in and of themselves and enable IT administrators to see the big picture are the most value." It is also important that the solution is scalable so it can accommodate a company's growth.

Also, the problem remains that midsized companies often don't view security as important or strategic, and it's hard to see any return on such an investment. Jonathan Penn, an analyst at Forrester Research in Cambridge, MA, said that it's up to IT professionals to help their bosses understand what's at stake. Penn also said, “IT professionals should frame the need for new investment not in terms of cost, but in terms of how it will help the company manage its risk."

If that doesn't work, there is always compliance to consider. The PCI Data Security Standard has motivated plenty of SMEs to take action. So no matter what sized company you are, in this day and age of twenty-four seven security threats, simple password verification just doesn't cut it anymore.

Posted by pschooff in Better Protection, Cisco Systems, Microsoft, Small Medium Enterprise


New Age of Computer Security?

According to market analysts at Gartner, we are about to enter a brand new age of computer security. The company predicts that the third phase for the security market will integrate security into each new wave of technology as it enters the market, and not, as in its current phase, after the security attack has occurred.

Gartner believes that the current phase in security has fallen behind IT trends, allowing hackers and cyber criminals too much room to exploit vulnerabilities. This has forced many security firms to react to each new threat and always play catch-up.

John Pescatore, a vice president at Gartner, was quoted saying at OneStopClick, "This next phase of security is about building security in as the users' needs move forward, not chasing them."

While this certainly sounds good, to me it sounds a little too good to be true. The fact is, in this constantly changing security war (and it is a war), those who create computer security products aren't the only side with a say in the matter. Hackers and cyber criminals get their say as well, and they don't always follow a predictable pattern. And don't hackers, at least the successful ones, already take security into account and work tirelessly to circumvent it?

In an ideal world all software would come entirely hacker-free, but my sense tells me that with any semi-open system, sometimes the security will be ahead of the hackers, and other times the hackers will be ahead of us. Certainly, with Microsoft's new Vista, security will be much more at the forefront of new software, but in my experience, never discount the ingenuity of hackers.

Posted by pschooff in Better Protection, Microsoft, Small Medium Enterprise

October 10, 2006
Patch Tuesday

As Microsoft continues to adhere to their plan of one set of patches per month, their list of security updates scheduled for today has grown to 11 (not exactly a record, which I believe is 22).

Of the eleven, six will be for Windows, four for Office (with both sets having patches deemed 'critical'), and the final one is for the company's .NET Framework. This is according to Microsoft's Advance Notification bulletin on its Technet website. These updates can be found at Automatic Updates and will require a restart.

There has been some conjecture that one of the patches will actually be Internet Explorer 7, a long overdue corrective to IE6, and will give Explorer security features and web enhancements that are common with other browsers. While Microsoft refuses to confirm whether IE7 will be released today, they do say it is due out this month, and will feature tabbed browsing, RSS feeds, as well as tools to stop phishing. The new version also promises to shore up ActiveX, which helps with web interactivity, and which has been so abused by hackers they have come to call it HacktiveX.

And in Microsoft's well publicized move to a more secure (along with additional cost) platform with the upcoming Windows Vista, one of IE7's most useful security features, which they have deemed a containment wall, will only be available for those who upgrade to Vista.

Microsoft will also be releasing an updated version of its Malicious Software Removal Tool and will host a webcast Wednesday to answer any questions. Also, as these notices alert hackers as well as administrators, I’d recommend you implement the patches ASAP.

Posted by pschooff in Patches, Small Medium Enterprise

October 09, 2006
Googling Your Company's Weaknesses

An article from CSOonline reports that Google's new source-code search engine will make it easier for hackers to search out software bugs, password information, and even proprietary code. Google's source-code search engine is different from their standard web search engine in that it directly accesses source-code files posted on the internet.

Mike Armstrong, vice president of products for Fortify Software, said, "You could also use that kind of search to look for things that are vulnerable and then guess who might have used that code snippet and then just fire away at it."

Hackers will also be able to search for code vulnerabilities in password mechanisms as well as search for proprietary phrases within software, potentially uncovering source code that simply does not belong on the internet.

Security experts say that while the implications are noteworthy, they are not earth-shattering. Most skilled hackers were already able to do this, and this just makes it easier. For its part, Google recommends developers use generally accepted good coding practices including understanding the implications of the code they implement and testing it appropriately.

Posted by pschooff in Google, Small Medium Enterprise

October 06, 2006
Master the Password

Many recent studies indicate that, no matter how good a security system you have in place, most computer systems are likely to be cracked either by a con artist calling you directly and tricking you into giving up your password, or by someone using a simple password-cracking program. What follows are some easy steps, taken from CSOonline, for creating nearly unbreakable passwords.

First, it is crucial to think of them not as passwords but as codes, in the plural: when you have more than one password and one of them gets cracked, you do not want it to be easy to guess the rest. You should also think of it as a system, one that is easy for you to remember but that creates codes that are nearly impossible to break.

The following steps will protect you from a number of different types of password breakers, from dictionary attacks, which cycle through every word in the dictionary until the right one is found, to programs that simply guess each and every character. By using the following steps, you can cut the odds of your password being guessed from about one in a million to one in 10 trillion, which would take a password program that can guess a million words a second three months to work through all the possibilities.

Step 1. Pick a core phrase, one that is at least five words long. It can be a line from a song, a title, anything that sticks in your head, and from there you can use the first letter of each word to create your word. For example, aqotwf, which stands for All Quiet on the Western Front.

Step 2. Develop a method where you replace lowercase letters with capital letters, numbers or symbols. Mix it up but keep it consistent (i.e. always write certain letters in capitals, or always replace an a with an @) so you don't have to write it down. My code is now @QotwF.

Step 3. While you can use the same core password, customize each password to each site or application. To do that, add one to three characters to ensure that each password contains a number, and also make sure the code is at least seven characters long. To make this easier, base these additional numbers or letters on the website or program you are using. My password becomes L7@QotwF. That's taking the L from the last letter of Hotmail, and 7 for the fact that Hotmail has seven letters.

Step 4. Write down your hint. As long as you understand your methodology, it will be easy to jog your memory to remember each of your passwords. Some recommend writing down all your passwords and keeping them in your wallet, as you always know when your wallet goes missing.

Step 5. Create different core phrases. You can do one for basic accounts, another for credit card transactions, and still another for online banking. While some suggest passwords be changed every 90 days, others say it’s enough to change them when Daylight Savings starts and stops.

Here’s an example of a wallet card reminder:

Basic: aqotwf
Shopping: ahwosg (A Heartbreaking Work of Staggering Genius)
Bank: himym (How I Met Your Mother)

While these steps might seem complicated at first, once you get your system in place and start using it, I assure you it becomes much easier.
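Steps 1 to 3 can be written out as a short Python sketch, together with the arithmetic behind the "million guesses a second" estimate. This is an added example, not code from the original post or from CSOonline; the substitution table, the site-tag rule as generalised from the Hotmail example, and the 72-symbol alphabet are assumptions.

```python
# Added illustration of the post's Steps 1-3; the substitution table and the
# 72-symbol alphabet are assumptions, not values given in the post.
SUBSTITUTIONS = {"a": "@", "q": "Q", "f": "F"}  # modelled on "@QotwF"


def core_from_phrase(phrase, min_words=5):
    """Step 1: first letter of each word of a phrase of five or more words."""
    words = phrase.split()
    if len(words) < min_words:
        raise ValueError(f"core phrase needs at least {min_words} words")
    return "".join(word[0].lower() for word in words)


def apply_substitutions(core, table=SUBSTITUTIONS):
    """Step 2: swap the same letters for the same capitals or symbols every time."""
    return "".join(table.get(ch, ch) for ch in core)


def site_tag(site):
    """Step 3: last letter of the site name, capitalised, plus its letter count."""
    name = "".join(ch for ch in site if ch.isalnum())
    if not name:
        raise ValueError("site name is empty")
    return name[-1].upper() + str(len(name))


def build_password(phrase, site):
    """Combine the steps and enforce the post's rules: 7+ characters, one digit."""
    password = site_tag(site) + apply_substitutions(core_from_phrase(phrase))
    if len(password) < 7 or not any(ch.isdigit() for ch in password):
        raise ValueError("result must be at least 7 characters and contain a number")
    return password


def keyspace(alphabet_size, length):
    """Number of candidates a character-by-character guesser must cover."""
    return alphabet_size ** length


def days_to_exhaust(candidates, guesses_per_second=1_000_000):
    """Days needed to try every candidate at the post's million guesses a second."""
    return candidates / guesses_per_second / 86_400


if __name__ == "__main__":
    print(build_password("All Quiet on the Western Front", "Hotmail"))  # L7@QotwF
    # Assumed alphabet: 26 lower + 26 upper + 10 digits + 10 symbols = 72.
    print(keyspace(72, 7))                      # about 10 trillion
    print(round(days_to_exhaust(10 ** 13)))     # 116
```

The tag is derived from the site name, so the secret in every password built this way is the substituted core; the keyspace figure describes a guesser that knows nothing about the scheme.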

Posted by pschooff in Better Protection, Small Medium Enterprise

October 05, 2006
Patches and Patch Adams

Microsoft, which has been downplaying a recently discovered VML (vector markup language) vulnerability, has "rush released" a patch to resolve the problem, making one believe that it was more critical than they let on. The vulnerability primarily affects users who are logged on with full administrative rights; an attacker could gain complete control over an affected system, where they could install programs, view, change, or delete data, and even create new accounts with full rights. Users without full rights are less vulnerable, and now that zero-day attacks have become a real possibility, Microsoft recommends that the update be applied immediately. You can download the update here.

Also, the Patch Adams in the title refers to the reported JavaScript flaw in Mozilla, announced by two presenters at the ToorCon hacking convention in San Diego, which was, like the doctor who healed through humor, actually intended as a joke. Said the 19-year-old Mischa Spiegelmock, "The main purpose of our talk was to be humorous...the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has."

Posted by pschooff in Microsoft, Patches

October 04, 2006
New Phishing Fighter

A new anti-phishing site, Phishtank, a service from OpenDNS, is determined to put an end to phishing: emails that impersonate legitimate messages from customer-service, financial, or ecommerce sites but are actually created to scam you out of your password or financial information. Phishtank plans to accomplish this by creating a database of suspicious emails and then having users vote on their legitimacy.

While many of the digerati think this just might be the trick to fight phishing, others are not so sure. The Browser doubts that this will motivate typical email users, who are already busy answering email and fighting spam, to take time out of their day to report on and grade suspect emails.

Some believe that for Phishtank to be successful, they need to collaborate with large email providers who already have more than their share of phishing samples. Because phishing remains a fact of life, what follows are tips to avoid ending up phish food:

1. If you get an email or pop-up message asking for personal or financial information and you have any question regarding its legitimacy, contact the company directly by phone or by going to the company's verified website (do not click on the link enclosed in the phishing email and assume that will take you to the company's actual website).

2. Always use anti-virus software and a firewall, and keep them up to date, as some phishing emails contain software that is harmful to your computer.

3. Never email personal or financial information. If you are looking to complete an internet transaction, go directly to the company's secure website.

4. Closely review credit card and bank account statements as soon as you get them.

5. Be cautious about opening any attachment or downloading any files from any emails you receive, regardless of who sent them.

6. Forward spam that you suspect is phishing to spam@use.gov and to the company, bank, or organization impersonated in the phishing email.

7. If you believe you have been scammed, file a complaint with the Federal Trade Commission.

Posted by pschooff in Phishing

October 03, 2006
Security Not Just for Big Business

An article today from the website Search Security reports on the difficulty of getting small and medium sized enterprises to recognize their need for computer security. While large companies have larger budgets and make larger targets, smaller companies have smaller IT budgets and often haven't experienced the security breaches that are the bane of larger enterprises.

But with the recent security breaches making the headlines, and with government oversight and compliance issues growing by the day, small and midmarket companies are starting to take notice. The question now is: what exactly should SMBs be most concerned with?

Chris Liebert, a security analyst with Boston-based Yankee Group, said: "You need a good URL filter and content controls. You need technology to monitor the network and alert you when someone is downloading a lot of files after hours. Companies that have these technologies are going to be in good shape."

Also, according to Liebert, midmarket companies are better off spending money on intrusion defense technologies than on new IT staff. "It makes more sense from a budget and effectiveness standpoint to use technology for this, than to spend money and time on human resources," she said.

But that's not always the best solution. Some companies have everyone on their IT staff deal with security issues along with their day-to-day responsibilities, which means no one can give security the full attention it deserves. Either way, midmarket executives are quickly learning that computer security is not just something for big businesses to be worried about.

Posted by pschooff in Small Medium Enterprise

October 02, 2006
When is Security Too Much Security

A recent report from McAfee reveals that a number of European enterprises are literally drowning in security products. While many of the IT managers at those companies say they wished they had a single solution, the reality is that nearly half employ four or more solutions.

Besides being both inefficient and expensive, one of the main problems this poses is trying to keep everything up-to-date, which is essential to a security solution's effectiveness. And while you might think using that many security solutions would at least bring some sense of security, less than a quarter of the respondents reported they were pleased with their solutions.

Most companies cited functionality as the main reason for their purchase of security products, with cost mentioned as the reason for only 13 percent of the purchases. It makes you wonder when ease and efficiency are going to start being considered a necessary feature for already overwhelmed IT Administrators. One of our main focuses at Message Partners was trying to simplify the issues of multiple products for system administrators.

Posted by pschooff

Accountability: The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ