February 10, 2008
Peter Schooff
Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

January 17, 2007
Update Update Update!!!

As proof that IT pros must update often and on time, and that many still don't, a vulnerability in Symantec's antivirus software, for which the company issued a patch seven months ago, is still being actively exploited throughout cyberspace. That means that a virus that should be dead and gone by now is still very much ALIVE!

As reported by The Register, this exploit turns user PCs into zombies that join other zombies to create a vast botnet used to spread spam and engage in denial-of-service attacks. And the only thing keeping this malware alive is other IT pros, pro as in procrastinators (although there are plenty of excuses, of course, as just about everything needs to be done yesterday).

The attack targets unpatched versions of Symantec Client Security and Symantec AntiVirus Corporate Edition. Symantec initially dismissed the flaw, saying it wasn't likely to be exploited, until the worm resurfaced in November. And unlike many Symantec updates, which are installed automatically, the fix for corporate antivirus software has to be downloaded from the company's website and manually installed. Symantec is wisely re-evaluating this policy.

Let's face it, most IT professionals pay for protection so they can be free to worry about all the other things there are to worry about in a corporate computer system.

Tags: Security Updates, PC Zombies, Symantec Patch

Posted by pschooff in Better Protection, Patches, Small Medium Enterprise

December 01, 2006
Hacker, Inc. vs. You -- Future Trends in Security

In a disturbing trend for the future of computer security, gone are the days of the lone hacker sitting in their basement looking to write the killer code that would one day make them famous, or better yet, infamous. Instead, they have been replaced by whole networks of organized hackers who quality test their efforts for maximum damage and also offer software updates and tips to other hackers using their programs. Why, you ask?

The answer is simple: money. No longer do hackers dream of making their name simply by hacking; instead they want to make their name the old-fashioned way: by stealing your money. Doing that requires a high level of expertise and professionalism, and as reported by eWeek, it represents the central threat against the future of computer security.

That means malware will become increasingly sophisticated as it searches for ever newer ways to hide inside seemingly legitimate applications and steal your vital information. Phishing schemes, or fake emails connected to fake sites that often look incredibly legitimate and try to trick you into giving out financial or password information, are also expected to proliferate.

As reported by McAfee Labs, another threat expected to rise in 2007 is the use of potentially unwanted programs to put adware on users’ PCs. These usually advertise themselves as simple games or helpful applications, but serve as a backdoor for all sorts of nasty software.

Botnets are expected to continue proliferating. Their success in spreading spam means they will probably be enlisted to carry out much worse crimes, as the fact that they comprise an entire network of computers makes it difficult to track down the source of the cyber-crime.

And with the explosive growth of video sharing and peer-to-peer sites, we can certainly expect malware writers to start focusing more of their efforts on them as well. MPEG files, which play video, are expected to become one of the major systems for malware delivery to your computer. The recent discovery of the W32.Realor worm virus, hidden in media files, only confirms that.

Also, file-sharing sites continue to prove the adage that free is rarely if ever free. Nearly one third of all files on LimeWire and BitTorrent held hidden website redirects, although few of the files were found to be malicious. But I think the lesson to learn is, with Hacker Inc. now in business, don’t expect the era of harmless hacks to last long.

Tags: Security Trends, Hackers, Malware

Posted by pschooff in Hackers, Small Medium Enterprise

November 27, 2006
Old Hard Drives Make Easy Prey

While many expect Moore’s law, which states that data storage will double every 18 months, to hold fast for another couple of decades or so, there is no law that tells you what to do with your old and inadequate storage. And as this report from SearchSecurity indicates, when firms hire companies to upgrade their computers, they often have no idea what’s being done with the old storage devices.

Simson L. Garfinkel, a computer forensics expert and postdoc fellow at the Center for Research on Computation and Society at Harvard University, recommends physical destruction, which makes accessing the information impossible. After an extensive investigation, Garfinkel found a wealth of hard drives with volumes of sensitive information intact. Many hard drives are repurposed or sold, and some even end up on eBay.

"Since 1998, I have purchased 1,000-plus hard drives on the secondary market and had them delivered by FedEx," Garfinkel said. Still on the hard drives he found thousands of credit-card numbers, financial records, medical information, trade secrets and other highly personal information. "You name it, we found it," Garfinkel said.

The main problem is that, all down the line, each person trusted that someone else would take care of it, essentially a “buck-stops-nowhere” dilemma. Also, very few IT employees were properly trained in data destruction.

This is another good example of why companies need to firmly establish their data controls for the entire life-cycle of the information. And if the company hired to upgrade your memory storage does not have an appropriate plan for disposing of old hard drives (selling the old drives on eBay is not considered an appropriate plan), a couple of hard shots with a baseball bat should do the trick.

Tags: Moore's Law, Hard Drive Disposal

Posted by pschooff in Better Protection, Small Medium Enterprise

November 20, 2006
5 Most Common Security Mistakes

I found the following list at TaoSecurity insightful. The 5 most common security mistakes follow:

1. Failure to maintain a complete physical asset inventory.
2. Failure to maintain a complete logical connectivity and data flow diagram.
3. Failure to maintain a complete digital asset/intellectual property inventory.
4. Failure to maintain digital situational awareness.
5. Failure to prepare for incidents.

The first three concern knowing your environment. If you don’t know where your data is, how it is transported, and what data you are actually trying to protect, it becomes difficult to protect and just about impossible to recover if the system ever gets breached.

Once you know the ins and outs of your environment, the next step, which is harder and more open-ended, is to try to understand who is trying to exploit your vulnerabilities and how.

Finally, once an incident occurs, a company should have clear policies, techniques, and trained personnel ready to respond and recover.

And since a report from Symantec that I recently read found that for-profit hacking is here to stay for the foreseeable future, a data breach is no longer a matter of if, but when.

Posted by pschooff in Better Protection, Hackers, Small Medium Enterprise

November 13, 2006
How Big Bosses See Security

I came across this interesting article at DarkReading.com regarding how, even with all the recent news about security mishaps and hacker misdeeds, corporate decision makers still view computer security as something non-strategic, as something more akin to an operational expense like building maintenance. But the fact that a serious security breach can undermine an entire company means that the folks working in security need to upgrade their approach.

The trouble with the old approach is that most IT departments tend to operate as silos, or wholly separate departments that tend to stay outside corporate politics. This is understandable, as in survey after survey, IT people continually rate office politics as the least desirable aspect of their job.

Compounding the problem, the folks in IT who focus on technology and security have a tendency to look at their vital work as above office politics. And the problem only grows from the fact that, on the other side, it is those executives who are least supportive of IT security that typically have the most boardroom influence.

Thus, the big bosses aren't shown how good security can directly impact customer confidence, buyer loyalty, and the value of the brand. All they are shown is how security can protect a business, not how it can help build a business.

The best way to change this is for an IT department to make sure that security matters are mapped alongside the company's business plan. This will enable top executives to see how their decisions affect security policy and vice versa, and therefore allow them to factor in security issues before new programs are undertaken.

Regrettably, the only way to do this is through office politics. And basically, in today’s corporate environment, an unwillingness to play politics simply translates into a willingness not to be heard.

Posted by pschooff in Better Protection, Small Medium Enterprise

November 03, 2006
The Weakest Link -- Teaching or Tech

While it is always tempting to go out and buy the latest technological bells and whistles to protect the all-important corporate network, a recent study by Symantec indicates that on-line outlaws still see the end user as the weakest link in corporate security and will stop at nothing to target them in an effort to extract illegal profits from your bottom line.

Though most large businesses have the money to cover all the ins-and-outs of system security, smaller enterprises that are looking for the biggest bang for their buck might consider first investing in security awareness training. Of course that doesn't mean you can ignore or overlook security software, and it remains of the utmost importance to always keep that software current and up-to-date.

But as I've pointed out in this column before, and as this article in Computerworld points out, even with the best and newest security solutions employed, companies have to remain ever diligent in teaching their employees the dos and don'ts of computer security.

While Symantec's report focused mostly on the security threats and needs of the home user, it still holds true for businesses and government.

A company embarking on a security awareness program should focus on: acceptable-use policies, computer and network security, physical security, protected health information as well as remote security. This training should include both the corporate employees and outside consultants, as it is often the consultants, and their remote access devices, that pose the biggest threat.

Posted by pschooff in Better Protection, Small Medium Enterprise

October 20, 2006
Cisco Warns of Risk from Remote Workers

The risk of corporate networks being hijacked by hackers or employees sharing corporate devices with non-employees remains a considerable challenge for worldwide corporate security. While two out of three teleworkers said they were aware of the risk, many admitted that they continued to engage in dangerous activities such as sharing work computers with non-employees, opening unknown emails and piggybacking on a neighbor’s wireless connection.

Jeff Platon, vice president of security solutions marketing at Cisco, said, “To highlight the U.S. example, the unsafe behavior of 11 remote workers in a company of 100 can bring down a network or compromise corporate information and personal identities.”

From an article in CIO Today, a global study of 1,000 workers in 10 countries commissioned by Cisco found that remote workers often endangered network security because of a false sense of awareness.

One in five remote workers allowed friends, family, or other non-employees to use a corporate computer to access the Internet. While the global average was 11 percent, Germany (15 percent) and the US (12 percent) joined China, Italy, and Brazil in surpassing the average.

25 percent of remote workers admitted to opening unknown emails on work computers. Said Jeff Platon, "It only takes one security breach. For large enterprises with tens of thousands of workers, especially those with global workforces and differing business cultures, the potential risk is even more challenging."

Posted by pschooff in Better Protection, Cisco Systems, Small Medium Enterprise

October 19, 2006
Security Systems Undermined by Slips of Paper

One in three people still jot down their computer password on a slip of paper, compromising a system’s security, says a study released by Nucleus Research, a global research firm, and KnowledgeStorm. Because of this, companies are being urged to adopt safer methods, like biometrics.

An eWeek article pointed out that companies' attempts to tighten IT security by regularly changing passwords and adopting more complex ones (i.e. those with numbers, letters and symbols) are being undermined by employees still writing down their entire password on a slip of paper (if you recall, a recent blog of mine, Master the Password, recommended only writing down the key for each level of password).

David O’Connell, senior analyst at Nucleus Research, told Reuters, "This is really a lot like mom and dad buying a great new security system for the house and junior leaving the combination under the door mat."

Because of this, the study of 325 US employees found that single sign-on systems are about as effective as more complex schemes. "Passwords are high maintenance. People forget them, people lose them, they have to be reset. Resending passwords is time intensive and costly. It takes up time at a help desk," said O'Connell.

The report suggested companies employ more sophisticated security methods such as biometrics, voice recognition, thumbprint scanners, or cognitive biometrics (which is the system that learns characteristics about you while you tell a story in the form of multiple choice answers).

Posted by pschooff in Better Protection, Small Medium Enterprise

October 18, 2006
Patches to Fix Bluetooth Flaw

Patches are now available to plug the security flaws found in the Bluetooth communications software that can give hackers the ability to compromise certain machines. Bluetooth technology allows computers to exchange information wirelessly over short distances (typically between 10 and 100 meters).

The problem resides in Bluetooth device drivers made by Toshiba Corp., drivers that are also present in a number of computers made by Dell. According to SecureWorks, an attacker would not need login credentials for the target computer, but would need the Bluetooth address of the victim’s device. That wouldn’t be a problem for computers configured to allow other Bluetooth devices to discover them (there are several readily available Bluetooth scanning tools that could easily be used).

SecureWorks reported that the Toshiba drivers are also present in some Sony Vaio and ASUS computers. It was SecureWorks researcher David Maynor and independent researcher Johnny “Cache” Ellch who revealed the flaw, and said it could cause the ominous “blue screen of death” to appear. Both acknowledged they were not able to use the bug to install programs on a vulnerable machine.

According to Elizabeth Clarke, a spokesperson for SecureWorks, Maynor "was able to demonstrate a crash that could execute code on a Dell running a Toshiba Bluetooth stack." Apparently, Dell was the only hardware platform they tested the exploit on.

Dell said it has shipped updates to fix the problem on Latitude Models D820, D620, D420, and D520. Other Latitude models also are vulnerable, including the D810, D610, D410, D510 and X1 versions, but the company doesn't expect to ship updates for those models until Nov. 4.

While it is not likely that these vulnerabilities will be readily exploited anytime soon, it is always a good idea to make sure you have the most up-to-date Bluetooth drivers.

Dell patches can be found right here. Select “Latitude,” your model, the operating system you are using, then hit “find downloads.”

To see which version of Bluetooth you have installed, follow these instructions from Brian Krebs’s Security Fix, where this article came from: “right-click the blue "Bluetooth Manager" icon in the task bar near the system clock, then select "Device Properties" and then "General." If that doesn't work, right click on the Bluetooth Manager icon, select "Options," then "General," then "Details." Users running version 4.20.01 should download and install the "PC Bluetooth Stack," available at this link. Toshiba users with Bluetooth versions 3.x through 4.00.36 should install the "PC Bluetooth Stack Security Patch 2," downloadable from this link.”

Posted by pschooff in Better Protection, Dell, Patches, Small Medium Enterprise

October 11, 2006
Poor Access Controls Can Harm Any Sized Company

An article from Search Security reports that no matter the size of your company, your IT must always keep tight control over authenticating users and controlling network behavior. But where large companies have the resources to implement controls such as two-factor authentication, smart cards and tokens, that technology is not always affordable to small and medium sized enterprises.

So many SMEs try to make the best of the Network Access Controls (NAC) offered by Microsoft and Cisco Systems, two companies that recently announced plans to provide better interoperability between them. Many security vendors have also gotten in the game, trying to entice midmarket companies with more affordable options.

Amer Deeba, VP of business development for Qualys, said that while some mid-sized companies may have decent internal controls, they often lack adequate NAC for their outside contractors, many of whom frequently sign on to the network. "That's why NAC is becoming a big deal," Deeba stated.

Security vendors have been trying to develop inexpensive tools, and while that has created a growing number of choices, they often lack interoperability. Unfortunately, for SMEs, there is still no magic bullet. Todd Towles, an IT security consultant, was quoted saying, "Products that work in and of themselves and enable IT administrators to see the big picture are the most value." It is also important that the solution is scalable so it can accommodate a company's growth.

Also, the problem remains that midsized companies often don't view security as important or strategic, and it's hard to see any return on such an investment. Jonathan Penn, an analyst at Forrester Research in Cambridge, MA, said that it's up to IT professionals to help their bosses understand what's at stake. Penn also said, “IT professionals should frame the need for new investment not in terms of cost, but in terms of how it will help the company manage its risk."

If that doesn't work, there is always compliance to consider. The PCI Data Security Standard has motivated plenty of SMEs to take action. So no matter what sized company you are, in this day and age of twenty-four seven security threats, simple password verification just doesn't cut it anymore.

Posted by pschooff in Better Protection, Cisco Systems, Microsoft, Small Medium Enterprise


New Age of Computer Security?

According to market analysts at Gartner, we are about to enter a brand new age of computer security. The company predicts that the third phase for the security market will integrate security into each new wave of technology as it enters the market, and not, as in its current phase, after the security attack has occurred.

Gartner believes that the current phase in security has fallen behind IT trends, allowing hackers and cyber criminals too much room to exploit vulnerabilities. This has forced many security firms to react to each new threat and always play catch-up.

John Pescatore, a vice president at Gartner, was quoted saying at OneStopClick, "This next phase of security is about building security in as the users' needs move forward, not chasing them."

While this certainly sounds good, to me it sounds a little too good to be true. The fact is, in this constantly changing security war (and it is a war), those who create computer security products aren't the only side with a say in the matter. Hackers and cyber criminals get their say as well, and they don't always follow a predictable pattern. And don't hackers, at least the successful ones, already take security into account and work tirelessly to circumvent it?

In an ideal world all software would come entirely hacker-free, but my sense tells me that with any semi-open system, sometimes the security will be ahead of the hackers, and other times the hackers will be ahead of us. Certainly, with Microsoft's new Vista, security will be much more at the forefront of new software, but in my experience, never discount the ingenuity of hackers.

Posted by pschooff in Better Protection, Microsoft, Small Medium Enterprise

October 10, 2006
Patch Tuesday

As Microsoft continues to adhere to their plan of one set of patches per month, their list of security updates scheduled for today has grown to 11 (not exactly a record, which I believe is 22).

Of the eleven, six will be for Windows, four for Office (with both sets having patches deemed 'critical'), and the final one is for the company's .NET Framework. This is according to Microsoft's Advance Notification bulletin on its TechNet website. These updates can be obtained through Automatic Updates and will require a restart.

There has been some conjecture that one of the patches will actually be Internet Explorer 7, a long overdue corrective to IE6, and will give Explorer security features and web enhancements that are common with other browsers. While Microsoft refuses to confirm whether IE7 will be released today, they do say it is due out this month, and will feature tabbed browsing, RSS feeds, as well as tools to stop phishing. The new version also promises to shore up ActiveX, which helps with web interactivity, and which has been so abused by hackers they have come to call it HacktiveX.

And in Microsoft's well publicized move to a more secure (along with additional cost) platform with the upcoming Windows Vista, one of IE7's most useful security features, which they have deemed a containment wall, will only be available for those who upgrade to Vista.

Microsoft will also be releasing an updated version of its Malicious Software Removal Tool and will host a webcast Wednesday to answer any questions. Also, as these notices alert hackers as well as administrators, I’d recommend you implement the patches ASAP.

Posted by pschooff in Patches, Small Medium Enterprise

October 09, 2006
Googling Your Company's Weaknesses

An article from CSOonline reports that Google's new source-code search engine will make it easier for hackers to search out software bugs, password information, and even proprietary code. Google's source-code search engine is different from their standard web search engine in that it directly accesses source-code files posted on the internet.

Mike Armstrong, vice president of products for Fortify Software, said, "You could also use that kind of search to look for things that are vulnerable and then guess who might have used that code snippet and then just fire away at it.”

Hackers will also be able to search for code vulnerabilities in password mechanisms as well as search for proprietary phrases within software, potentially uncovering source code that simply does not belong on the internet.

Security experts say that while the implications are noteworthy, they are not earth-shattering. Most skilled hackers were already able to do this, and this just makes it easier. For its part, Google recommends developers use generally accepted good coding practices including understanding the implications of the code they implement and testing it appropriately.

Posted by pschooff in Google, Small Medium Enterprise

October 06, 2006
Master the Password

Many recent studies indicate that, no matter how great a security system you have in place, most computer systems are likely to be cracked either by a con artist calling you directly and tricking you into giving them your password, or by someone using a simple password cracking program. What follows are some easy steps taken from CSOonline for creating nearly unbreakable passwords.

First, it is crucial to think of them not as passwords but as codes, codes as in plural, because when you have more than one password, if one of your passwords gets cracked you do not want to make it easy to guess the rest of your passwords. You should also think of it as a system, a system that is easy for you to remember but that creates codes that are nearly impossible to break.

The following steps will protect you from a number of different types of password breakers, from dictionary attacks, which cycle through every word in the dictionary until the right one is found, to a program that simply guesses each and every character. By using the following steps, you can reduce the likelihood of your password being guessed from about one in a million to one in 10 trillion, which would take a password program that can guess a million words a second three months to guess all the possibilities.

Step 1. Pick a core phrase, one that is at least five words long. It can be a line from a song, a title, anything that sticks in your head, and from there you can use the first letter of each word to create your word. For example, aqotwf, which stands for, All Quiet on the Western Front.

Step 2. Develop a method where you replace lowercase letters with capital letters, numbers or symbols. Mix it up but keep it consistent (i.e. always write certain letters in capitals, or always replace an a with an @) so you don't have to write it down. My code is now @QotwF.

Step 3. While you can use the same core password, customize each password to each site or application. To do that, add one to three characters to ensure that each password contains a number, and also make sure the code is at least seven characters long. To make this easier, base these additional numbers or letters on the website or program you are using. My password becomes L7@QotwF. That's taking the L from the last letter of Hotmail, and 7 for the fact that Hotmail has seven letters.

Step 4. Write down your hint. As long as you understand your methodology, it will be easy to jog your memory to remember each of your passwords. Some recommend writing down all your passwords and keeping them in your wallet, as you always know when your wallet goes missing.

Step 5. Create different core phrases. You can do one for basic accounts, another for credit card transactions, and still another for online banking. While some suggest passwords be changed every 90 days, others say it’s enough to change them when Daylight Savings starts and stops.

Here’s an example of a wallet card reminder:

Basic: aqotwf
Shopping: ahwosg (A Heartbreaking Work of Staggering Genius)
Bank: himym (How I Met Your Mother)

While these steps might seem complicated at first, once you get your system in place and start using it, I assure you it becomes much easier.
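
Steps 1 through 3 above, worked through in code as an added example (not from the original post or from CSOonline), together with the arithmetic behind the guessing times. The capitalisation of Q and F is inferred from the post's "@QotwF"; the function names and the 95-character printable alphabet are assumptions of this example.

```python
import string

# Step 2 table. The post fixes only a -> @; capitalising q and f is
# inferred from its example "@QotwF" (assumption of this example).
SUBSTITUTIONS = {"a": "@", "q": "Q", "f": "F"}
GUESSES_PER_SECOND = 1_000_000  # cracking speed quoted in the post

# Character classes a blind guesser must cover: 26 + 26 + 10 + 33 = 95.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def core_from_phrase(phrase):
    """Step 1: first letter of each word of a phrase of five or more words."""
    words = phrase.split()
    if len(words) < 5:
        raise ValueError("core phrase should be at least five words long")
    return "".join(word[0].lower() for word in words)


def apply_substitutions(core, table=SUBSTITUTIONS):
    """Step 2: the same replacement every time, so nothing is written down."""
    return "".join(table.get(ch, ch) for ch in core)


def site_prefix(site):
    """Step 3, as in the Hotmail example: last letter in capitals, then the
    number of letters in the site name ("Hotmail" -> "L7")."""
    name = "".join(ch for ch in site if ch.isalnum())
    if not name:
        raise ValueError("site name needs at least one letter or digit")
    return f"{name[-1].upper()}{len(name)}"


def site_password(phrase, site):
    """Steps 1-3 combined, with the post's two checks: a digit, length >= 7."""
    password = site_prefix(site) + apply_substitutions(core_from_phrase(phrase))
    if len(password) < 7 or not any(ch.isdigit() for ch in password):
        raise ValueError("result must contain a number and be 7+ characters")
    return password


def charset_size(password):
    """Size of the alphabet needed to guess this password character by character."""
    return sum(len(cls) for cls in CLASSES
               if any(ch in cls for ch in password))


def search_space(password):
    """Number of candidates of this length over that alphabet."""
    return charset_size(password) ** len(password)


def days_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Days needed to try every candidate at the given guessing rate."""
    return space / rate / 86_400


if __name__ == "__main__":
    phrase = "All Quiet on the Western Front"
    for site in ("Hotmail", "Gmail"):
        print(site, site_password(phrase, site))
    for pw in (core_from_phrase(phrase), site_password(phrase, "Hotmail")):
        space = search_space(pw)
        print(f"{pw}: {space:.3e} candidates, {days_to_exhaust(space):.4g} days")
    # The post's own figure: 10 trillion possibilities at a million a second.
    print(f"10 trillion candidates: {days_to_exhaust(10**13):.1f} days")
```

The day counts are upper bounds for blind character-by-character guessing; they assume the guesser knows neither the scheme nor the core phrase.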

Posted by pschooff in Better Protection, Small Medium Enterprise

October 03, 2006
Security Not Just for Big Business

An article today from the website Search Security reports on the difficulty of getting small and medium sized enterprises to recognize their need for computer security. While large companies have larger budgets and make larger targets, smaller companies have smaller IT budgets and often haven't experienced the security breaches that are the bane of larger enterprises.

But with the recent security breaches making the headlines, and with government oversight and compliance issues growing by the day, small and midmarket companies are starting to take notice. The question now is: what exactly should SMBs be most concerned with?

Chris Liebert, a security analyst with Boston-based Yankee Group, said: "You need a good URL filter and content controls. You need technology to monitor the network and alert you when someone is downloading a lot of files after hours. Companies that have these technologies are going to be in good shape."

Also, according to Liebert, midmarket companies are better off spending money on intrusion defense technologies than on new IT staff. "It makes more sense from a budget and effectiveness standpoint to use technology for this, than to spend money and time on human resources," she said.

But that's not always the best solution. Some companies have everyone on their IT staff deal with security issues along with their day-to-day responsibilities, which means no one can give security the full attention it deserves. Either way, midmarket executives are quickly learning that computer security is not just something for big businesses to be worried about.

Posted by pschooff in Small Medium Enterprise

Accountability: The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ.