Andre Yee
Andre Yee's Security Insider
An open dialogue about security and compliance for the enterprise.


January 15, 2007
Ethical Hacking School in Session

In Chicago, Aaron Cohen has started Hacker Academy, a school that purports to teach the "good guys" all the bad stuff so that they can keep the "bad guys" out. According to Cohen, "If you're able to think like a hacker, you're able to prevent some of the attacks that are happening." Graduates are given certificates in "ethical hacking".

A new wave of attacks makes this kind of expertise even more necessary than before. Second-generation phishing attacks that leverage cross-site scripting, along with ransom attacks, are far more subtle and immensely harder to contain.

"Subtle attacks are way up," says Mark McManus, vice president of research for Computer Economics. "There are more targeted attacks, and people are less likely to want to report them." With ransom attacks, for instance, hackers will infiltrate a company's networks, and threaten to unleash devastation or give the information to a competitor unless they're paid.

Meanwhile, expect courses like the ones Aaron Cohen offers to become more prevalent as the good guys catch up.
It's not too late to sign up...

Posted by andreyee

January 11, 2007
Adobe's Flaw Exposed

A number of security experts have recently reported on a major flaw in the Web browser plug-in for Adobe's Acrobat Reader program. The problem was first discovered by researchers Stefano Di Paola and Giorgio Fedon, who presented a paper on security issues related to Web 2.0 technologies such as AJAX (Asynchronous JavaScript and XML).

The issue centers on how the Adobe Reader browser plug-in can be made to execute JavaScript on the client side. That code can then be the trigger for any number of malicious activities. A well-written, detailed explanation, with code, is available here at GnuCitizen.

The use of JavaScript in cross-site scripting is causing numerous headaches for security managers, especially where phishing is concerned. By taking advantage of a cross-site scripting vulnerability, an attacker can launch malicious code that references a URL pointing to a carefully constructed phishing Web page. So, for instance, while you are downloading a PDF report from your online broker's Web site, the attacker could launch a script that throws up what looks like an official, legitimate request to validate your account number and password. That, my friends, is what makes this so scary. The self-righteous among us may have sneered in disdain at friends and family who fall for unsophisticated phishing attempts, but this ability to perform highly contextualized phishing will fool any of us.
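To make the cross-site scripting mechanism concrete, here is an added JavaScript example. It is not code from this post, from GnuCitizen or from Adobe, and it does not reproduce the Acrobat plug-in flaw itself; it shows the general pattern the post describes: a page that builds a download link from request-controlled values, first in an unsafe form that pastes those values straight into markup, then in a hardened form that encodes its output and allows only http(s) link targets. The site origin `https://broker.example/`, the function names and the sample inputs are constructed for the example.

```javascript
// Added example (not from the post, GnuCitizen or Adobe): building a
// download link from request-controlled values, unsafe vs. hardened.
// SITE_ORIGIN, the function names and the sample inputs are constructed.
const SITE_ORIGIN = 'https://broker.example/';

// Vulnerable form: label and href are pasted straight into markup, so a
// crafted value in either one is rendered as live HTML or a script: URL.
function renderDownloadLinkUnsafe(label, href) {
  return '<a href="' + href + '">' + label + '</a>';
}

// Output encoding for HTML text and double-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Scheme allow-list for link targets. Relative paths resolve against the
// site's own origin; javascript:, data:, vbscript: and unparsable values
// collapse to a harmless '#'. The WHATWG URL parser lowercases the scheme
// and trims leading whitespace, so case and padding do not bypass the check.
function safeHref(href) {
  let url;
  try {
    url = new URL(String(href), SITE_ORIGIN);
  } catch (err) {
    return '#';
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '#';
  return url.href;
}

// Hardened form: validate the destination, then encode both values.
function renderDownloadLinkSafe(label, href) {
  return '<a href="' + escapeHtml(safeHref(href)) + '">' + escapeHtml(label) + '</a>';
}

// Side-by-side demo with a constructed hostile input.
function demo() {
  const label = 'Q4 report <script>alert(1)</script>';
  const href = 'javascript:alert(1)';
  return {
    unsafe: renderDownloadLinkUnsafe(label, href),
    safe: renderDownloadLinkSafe(label, href),
  };
}

console.log(demo());
```

The scheme check is what stops script URLs from reaching the `href`; it deliberately still allows an absolute `https://` link to another host, because whether off-site destinations are acceptable is a separate policy decision. If the page should only ever link to its own origin, compare `url.origin` against `new URL(SITE_ORIGIN).origin` inside `safeHref` as well.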

While you ponder that exposure, make sure you do this: download Acrobat 8.0, which fixes the vulnerability.

Posted by andreyee in Alerts/Warnings

January 06, 2007
Internet Explorer Unsafe for Most of 2006?

The Washington Post's Brian Krebs makes the claim that for 284 days in 2006 there were IE-related exploits "in the wild" for which no patches were available:

"For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users."

Does this surprise you? It shouldn't... and it's not all Microsoft's fault either. It's the very nature of the world we live in today, where vulnerabilities are discovered and exploits released weekly. Microsoft just happens to have more software deployed than any other vendor, so it is exposed a little more.

A couple of other points -

First, the situation is in reality worse than 284 days of exposure, because most organizations cannot or will not keep up with patching. When you consider databases, application-server software and ERP systems on top of the Microsoft desktop OS and applications, patching as a proactive answer to security exploits is reaching a critical juncture. The rate at which vulnerabilities and exploits become known is reaching a level where a security manager would have to patch almost every day to keep up.

Second, since patching is not a seamless exercise in the life of an enterprise IT organization, most companies patch at fixed intervals - sometimes monthly or more. Mucho exposure. If you ever wonder why you need an IPS, this "patch gap" window is exactly why. You need to be protected until you get your systems patched... and by the time you have, the patch-gap window has moved on to the next vulnerability.
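To show how a count like Krebs's "284 days" is built, and how an organization's own patch cycle stretches it, here is an added JavaScript example that is not from Krebs's article or from this post. Given each flaw's exploit-public date and vendor-patch date, it counts the distinct days on which at least one exploited flaw was unpatched (overlapping flaws are not double-counted), then recomputes the same count assuming the organization only deploys patches on a fixed cycle. The flaw timelines are constructed, not real advisories, and the 30-day cycle anchored on 1 January 2006 is an assumed policy.

```javascript
// Added example (not from Krebs's article or this post): counting days of
// exposure from constructed flaw timelines. Dates are ISO strings; all
// arithmetic is in UTC day numbers so calendar-month lengths are handled.
const MS_PER_DAY = 86400000;

function dayNum(iso) {
  return Math.floor(Date.parse(iso + 'T00:00:00Z') / MS_PER_DAY);
}

// Number of distinct days covered by half-open [start, end) day intervals,
// so overlapping flaws are not double-counted (the "284 days" style metric).
function unionDays(intervals) {
  const sorted = intervals.filter(([s, e]) => e > s).sort((a, b) => a[0] - b[0]);
  let total = 0;
  let curStart = null;
  let curEnd = null;
  for (const [s, e] of sorted) {
    if (curStart === null || s > curEnd) {
      if (curStart !== null) total += curEnd - curStart;
      curStart = s;
      curEnd = e;
    } else if (e > curEnd) {
      curEnd = e;
    }
  }
  if (curStart !== null) total += curEnd - curStart;
  return total;
}

// First scheduled deployment day on or after day `d`, for an organization
// that rolls out patches every `cycleDays` days starting from `anchor`.
function nextDeployDay(d, anchor, cycleDays) {
  const a = dayNum(anchor);
  if (d <= a) return a;
  return a + Math.ceil((d - a) / cycleDays) * cycleDays;
}

// vendorGapDays: days with at least one publicly exploited, unpatched flaw.
// orgGapDays: the same, but a flaw stays open until the org's next rollout.
function exposure(flaws, org) {
  const vendorIntervals = flaws.map((f) => [dayNum(f.exploitPublic), dayNum(f.vendorPatch)]);
  const orgIntervals = flaws.map((f) => [
    dayNum(f.exploitPublic),
    nextDeployDay(dayNum(f.vendorPatch), org.anchor, org.cycleDays),
  ]);
  return { vendorGapDays: unionDays(vendorIntervals), orgGapDays: unionDays(orgIntervals) };
}

// Constructed timelines, not real advisories. Two overlap; one is a short gap.
const SAMPLE_FLAWS = [
  { id: 'FLAW-A', exploitPublic: '2006-03-01', vendorPatch: '2006-03-20' },
  { id: 'FLAW-B', exploitPublic: '2006-03-10', vendorPatch: '2006-04-05' },
  { id: 'FLAW-C', exploitPublic: '2006-06-15', vendorPatch: '2006-06-22' },
];
// Assumed policy: a 30-day patch cycle anchored on 1 January 2006.
const SAMPLE_ORG = { anchor: '2006-01-01', cycleDays: 30 };

console.log(exposure(SAMPLE_FLAWS, SAMPLE_ORG)); // { vendorGapDays: 42, orgGapDays: 76 }
```

With these inputs the vendor-side gap is 42 days, but the organization's 30-day cycle leaves it exposed for 76 days: each flaw stays open until the first rollout after the vendor's fix, which is the window the post says an IPS has to cover. Shortening `cycleDays` or moving critical fixes out of the cycle shrinks `orgGapDays` toward `vendorGapDays`, and that difference is a useful number to put in front of whoever sets the patch schedule.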

Posted by andreyee in Alerts/Warnings

January 05, 2007
Win-Win

I know I haven't blogged in a while, but I've been a little preoccupied. As reported on various news outlets, including ebizQ, NFR Security will be part of Check Point moving forward.

Let me offer this brief perspective - this is a win-win scenario for both companies. NFR has always had great IPS technology with limited sales distribution channels. Check Point is a very impressive company in terms of its security heritage, expertise and global presence... but it doesn't have an IPS product. Seems like a perfect fit to me.

The bottom line is that the IPS space is consolidating into a big-company play. Besides a great product, you need marketing visibility and distribution channels to keep up. Here's another trend: even among best-of-breed proponents, point products are becoming less interesting. What enterprise security buyers are looking for is a security platform or suite of products that are best in class, yet complementary and integrated.

So I'm back with a renewed commitment to blog more frequently in 2007. Happy New Year.

Posted by andreyee in Industry Trends
