Security Archives

January 31, 2007

Stopping Sensitive Data Leaks, a Promising Market

Intelligence Online published a nice article (free registration required) on solutions to protect against the leaking of confidential data:

"Since early 2000 a number of American and Israeli start-ups have been offering solutions to protect against the leaking of confidential data. Initially based only on the search for keywords, the technology has evolved and now allows for the creation of digital fingerprints for any type of file (text, images, video, etc.). (...) A recent study by the U.S. firm Gartner estimated the market as being worth $60 million in 2006 and predicted it would increase five-fold by 2009. One after the other, two Israeli firms have been snapped up by industry heavyweights: McAfee acquired Onigma in October and WebSense finalized the acquisition of PortAuthority on Jan. 9. France’s Advestigo, the lone European player on the market - it was founded in 2002 by two former Atomic Energy Commission employees - is seeking a financial partner to boost its international sales."

November 30, 2006

Wietse on secure programming traps and pitfalls

At Hack.lu 2006, "a three days conference in the center of Europe for bridging ethics and security in computer science," Wietse Venema (author of Postfix, etc.) did a presentation on secure programming traps and pitfalls: he analyzed "a very small program that appears to be obviously correct, yet completely fails to perform as expected, for more reasons than many people can think of."

Wietse took the example of a broken file shredder, which is defeated by operating system and hardware optimizations (e.g., caches, journaling file systems, etc.). The last three slides of his presentation (PowerPoint) are a must-read.
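As an added illustration of the trap (my own Python sketch, not Wietse's code or slides): a shredder that looks obviously correct beside one that checks the file type, refuses symlinks, handles short writes and forces the data to the device, together with the caveat that even the careful version cannot undo what a journaling or copy-on-write file system, a snapshot or an SSD's wear levelling has already kept. The helper names and sample data are mine.

```python
import os
import stat
import tempfile


def make_sample_file(data: bytes) -> str:
    """Constructed helper: write DATA to a fresh temporary file, return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def file_contents(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def naive_shred(path: str) -> None:
    """The trap: reads as obviously correct, yet it follows symlinks, never
    confirms the target is a regular file, and never calls fsync, so the zeros
    may sit in the page cache while the original blocks are still on disk."""
    f = open(path, "r+b")
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    f.write(b"\0" * size)
    f.close()


def shred(path: str, passes: int = 2) -> int:
    """Overwrite a regular file in place with zeros, fsync after each pass, and
    return the number of bytes overwritten per pass. Raises on any failure
    instead of silently claiming success. Even this does not reach copies kept
    by journaling, copy-on-write storage, snapshots or SSD wear levelling,
    which is the point of the talk: an overwrite is not a guarantee."""
    flags = os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0)  # do not follow symlinks
    fd = os.open(path, flags)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"{path}: not a regular file")
        size = st.st_size
        chunk = b"\0" * 65536
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            written = 0
            while written < size:
                n = os.write(fd, chunk[: size - written])
                if n <= 0:  # a short write is an error, not a success
                    raise OSError(f"{path}: short write at offset {written}")
                written += n
            os.fsync(fd)  # push the page cache to the device before claiming success
        return size
    finally:
        os.close(fd)
```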

November 11, 2006

Windows Vista Security Guide

Last Wednesday, Microsoft published Windows Vista Security Guide, which provides recommendations to harden computers that use specific security baselines for the following two environments:

  1. Enterprise Client (EC)--client computers in this environment are located in a domain that uses Active Directory and only need to communicate with systems running Windows Server 2003--implementation of this security baseline is described in Chapter 1;
  2. Specialized Security--Limited Functionality (SSLF)--concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable--implementation of this security baseline is described in Chapter 5.

Also, three additional chapters provide recommendations to take advantage of new or enhanced security features:

  • Defend Against Malware--Chapter 2 includes information about how to most effectively use User Account Control (UAC), Windows Defender, Windows Firewall, Windows Security Center, Malicious Software Removal Tool, Software Restriction Policies, and Internet Explorer 7 security features (e.g., Protected Mode, ActiveX Opt-in, Cross-domain scripting attack protection, Security Status Bar, Phishing Filter, etc.);
  • Protect Sensitive Data--Chapter 3 focuses on encryption and access control technologies that help protect mobile computing environments from potential loss and theft: BitLocker Drive Encryption, Encrypting File System (EFS), Rights Management Services (RMS) and Device control;
  • Application Compatibility--Chapter 4 provides guidelines to preserve functionality of existing applications when using the new and enhanced security features of Windows Vista.

The complete guide can be downloaded along with the GPOAccelerator tool, which automatically creates all the Group Policy objects (GPOs) needed to apply this security guidance.

September 6, 2006

NIST on Several Things

End of last week, NIST published four Draft Special Publications on e-mail security, intrusion detection and prevention, web services security, and cell phone forensics.


May 26, 2006

Implementing least privilege in Windows applications

As pointed out by the ISC's Handler's Diary, and further to the ZDNet article reporting that Microsoft considers taking admin rights from employees (link posted last Wednesday), Microsoft published Standard User Analyzer, a tool that "helps developers and IT professionals diagnose issues that would prevent a program from running properly without administrator privileges.  On Windows Vista, even administrators run most programs with standard user privileges by default, so it is important to ensure that your application does not have administrator access as a dependency.

Using the Standard User Analyzer to test your application can identify the following administrator dependencies and return the results in a graphical interface:

  • File access
  • Registry access
  • INI files
  • Token issues
  • Security privileges
  • Name space issues
  • Other issues"
Standard User Analyzer runs on Windows XP, Windows Vista and Windows Server 2003, and requires Microsoft Application Verifier, which "helps developers identify potential application compatibility, stability, and security issues."

May 17, 2006

Deep packet-inspection technology used by NSA

Wired published an interesting article on Narus' deep packet-inspection technology said to be the basis of the NSA's internet surveillance:

"Narus' product, the Semantic Traffic Analyzer, is a software application that runs on standard IBM or Dell servers using the Linux operating system. It's renowned within certain circles for its ability to inspect traffic in real time on high-bandwidth pipes, identifying packets of interest as they race by at up to 10 gigabits per second.

Internet companies can install the analyzers at every entrance and exit point of their networks, at their "cores" or centers, or both. The analyzers communicate with centralized "logic servers" running specialized applications. The combination can keep track of, analyze and record nearly every form of internet communication, whether e-mail, instant message, video streams or VOIP phone calls that cross the network.

Brasil Telecom and several other Brazilian phone companies are using Narus products to charge each other for VOIP calls they send over one another's IP networks. Internet companies in China and the Middle East use them to block VOIP calls altogether."

May 15, 2006

Multiboot DVD with security live CDs

As outlined by Darknet, a multiboot DVD with security-related live CDs has been published.  SecureDVD features 10 security distributions (e.g. for penetration testing, forensics or recovery):
  1. BackTrack
  2. Operator
  3. PHLAK
  4. Auditor
  5. L.A.S. Linux - Local Area Security
  6. Knoppix-STD
  7. Helix
  8. F.I.R.E.
  9. nUbuntu
  10. INSERT Rescue Security Toolkit
It is available for download through BitTorrent.

Security Risks of Airline Passenger Data

The Guardian published an interesting article where their reporter investigated how much information an identity fraudster could get about you from a simple airline stub, picked out of a bin near Heathrow:

"We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.

Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.)"

Actually, as outlined in comments on Bruce Schneier's posting about this article, you could practice using Google Images.

April 25, 2006

NIST on Security Log Management

As noted in the loganalysis mailing list, NIST published Draft Special Publication 800-92 Guide to Computer Security Log Management (Acrobat PDF):

"This document provides detailed information on developing, implementing, and maintaining effective log management practices throughout an enterprise. It includes guidance on establishing a centralized log management infrastructure, which includes hardware, software, networks, and media. It also discusses the log management processes that should be put in place at an organization-wide level, including the definition of roles and responsibilities, the creation of feasible logging policies, and the division of responsibilities between system-level and organization-level administrators. Guidance is also provided on log management at the individual system level, such as configuring log generating sources, supporting logging operations, performing log data analysis, and managing long-term data storage."

April 20, 2006

Security incidents in web-based applications

According to the Web Application Security Consortium (WASC), XSS and SQL injection remain the most popular attack vectors being exploited in public incidents. Further details can be found in the Web Hacking Incidents Database (WHID), which was updated today.

[Chart not reproduced here: number of public incidents registered per year; (*) the 2006 figure is a projection.]

A broader list of vulnerabilities is listed in OWASP Top Ten, which ranks the most critical web application security flaws.

Security incident investigations within banks

BankInfoSecurity.com published the first part of an article (free registration required) which provides a general overview of the security investigation process, how it fits within the incident response process, the required preparation process, specific issues in banks that need to be considered and the relationship between this process and security intelligence activities.

Update 2006/4/27: Part two has been published.

April 19, 2006

Oracle releases a default password scanner

As reported by Computerworld, Oracle released a tool designed to find default passwords in its database software (among several other critical patches).

While default accounts have been locked down in current versions of the database, Oracle 10g databases that have been upgraded from Oracle 7, Oracle8i, or Oracle9i may include them.

The Oracle Default Password Scanner consists of a SQL script accessible to Oracle customers in MetaLink Note 361482.1.

It should be noted that Cain & Abel includes features to crack and extract Oracle passwords.

WSUS upgrade expected in 2007

As outlined in PatchAholic, a major upgrade of Windows Server Update Services (WSUS) is expected to be released in the first half of 2007.  Improvements will include:
  • An MMC user interface replacing the current web-based UI,
  • Improved filtering and view customization features,
  • Simplified detection of required updates, and
  • Better targeting capabilities.

April 18, 2006

IT security and biology

Computerworld published a great article which makes a parallel between biology and IT security:

"When a new virus strikes, some of us might fall ill, some might die and others will survive.  That's the beauty of us each having a unique immune system.

It's a concept that the computer security industry should take to heart, said Stephanie Forrest, a professor of computer science at the University of New Mexico (...).

Diversity of systems and applications can play a key role in safeguarding computers and networks from malicious attacks, Forrest said.  Her team published a paper last year on a system dubbed RISE (Randomized Instruction Set Emulation) (PDF) that randomizes an application's machine code to stymie would-be attacks, such as those launched via binary code injection.

(...)

What really has Forrest worried about computer security today ties into another biological concept: evolution.  'We already have malicious code that can replicate and spread itself.  The only thing we're missing in terms of real Darwinian evolution is mutation,' she said."

Forrest's team is using virtualization software to overcome some of the issues it encountered during its research.

April 11, 2006

Background Investigations

BankInfoSecurity.com has an article (free registration required) on background checks in the US. Interesting highlights are the update frequency of the FBI’s National Crime Information Center database, and the typical hit/discrepancy rates for criminal records and resumes checks.

April 9, 2006

Fist of the sender revisited

As reported by Computerworld, Musicrypt is using BioPassword's multifactor authentication software to secure its promotional music deliveries:

"During the War, the allies discovered a way to track German telegraph operators by identifying their particular style of typing code, something known as 'the fist of the sender.'  Forty years later, researchers at SRI International, a nonprofit research institute spun out of Stanford University, applied this work to the keyboard and found that people could also be identified by the rhythm of their typing.

This technology eventually landed in the hands of BioPassword Inc., based in Issaquah, Washington.  After taking about nine samples of an 8- to 16-keystroke password, the company's software is able to identify the 'fist' of the typist."

Update 2006/04/17: I forgot to mention that I initially heard of the fist of the sender in The Code Book by Simon Singh, which gives a good historical perspective on cryptography.
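The identification step in the quoted article, as an added toy model that is my own and not BioPassword's algorithm: enroll nine constructed samples of inter-keystroke intervals for an 8-keystroke password, keep the per-interval mean and spread as the typist's profile, and score a new attempt by its average distance from the profile in units of that spread. The timings, the threshold and the choice of mean absolute z-score as the distance are assumptions.

```python
import statistics

# Constructed enrollment data: inter-keystroke intervals in milliseconds for
# an 8-character password (7 intervals per sample), nine samples as in the
# article. Each sample is the typist's base rhythm plus a little jitter.
BASE = [120, 90, 200, 150, 80, 110, 170]
JITTER = [-10, -8, -5, -3, 0, 3, 5, 8, 10]
ENROLLMENT = [[BASE[j] + JITTER[(i + j) % 9] for j in range(7)] for i in range(9)]

# Constructed probes: the same typist on another day, and a different typist
# with a flat, even rhythm.
GENUINE_PROBE = [b + d for b, d in zip(BASE, [4, -6, 2, 7, -3, 5, -1])]
IMPOSTOR_PROBE = [200] * 7


def enroll(samples):
    """Build the profile ('fist'): per-interval mean and standard deviation."""
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("all samples must have the same number of intervals")
    columns = list(zip(*samples))
    means = [statistics.fmean(col) for col in columns]
    # Floor the spread at 1 ms so identical samples cannot divide by zero.
    devs = [max(statistics.pstdev(col), 1.0) for col in columns]
    return means, devs


def score(profile, probe):
    """Mean absolute z-score of the probe against the profile; 0 is a perfect match."""
    means, devs = profile
    if len(probe) != len(means):
        raise ValueError("probe length does not match the profile")
    return sum(abs(p - m) / d for p, m, d in zip(probe, means, devs)) / len(means)


def authenticate(profile, probe, threshold=1.5):
    """Accept when the probe's rhythm is within THRESHOLD spreads of the profile."""
    return score(profile, probe) < threshold
```

Raising the threshold lowers false rejections of the genuine typist and raises false acceptances; the two error rates are what a real deployment would tune on many more samples than nine.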

April 3, 2006

Spy software for cell phones

FlexiSpy sells a monitoring application that records the activity of Symbian OS-based mobile phones (incoming/outgoing SMS as well as call history).

According to PC Inpact (in French), the publisher works on PocketPC and Blackberry ports of the application, and on a professional version that would record conversations.

Well, I now love my vintage Nokia phone even more.

March 30, 2006

And the beat goes on...

As reported by Computerworld, three regional banks in the US were hacked in a new spoofing attack:

"Earlier this month, attackers were able to hack servers run by the Internet service provider (ISP) that hosted the three banks' Web sites.  They then redirected traffic from the legitimate Web sites to a bogus server, designed to resemble the banking sites, according to Bob Breeden, special agent supervisor with the Florida Department of Law Enforcement's Computer Crime Center.

Users were then asked to enter credit card numbers, PINs (Personal Identification Numbers) and other types of sensitive information, he said.

According to Breeden, the affected banks are Premier Bank, Wakulla Bank, and Capital City Bank, all small regional banks based in Florida."

March 22, 2006

Cleansing documents of unwanted data

As reported by Computerworld, the US Army is using SRS Technologies' Document Detective to sanitize documents and avoid inadvertent exposure of sensitive or extraneous information.

The product's functionalities clearly go beyond metadata cleansing (e.g. Microsoft's free Remove Hidden Data tool for Office) as it is possible to convert embedded objects into safer object types (e.g. when an entire Excel workbook ends up in a PowerPoint presentation although you only intended to paste a summary chart). Document Detective also implements workflows to transfer documents from one security domain to another.

It should be noted that SRS Technologies maintains a suggested reading list that contains articles and information regarding electronic document security and incidents that occurred because of improper or incomplete reviews.

Update 2006/10/14: Marco Casario points out a number of interesting resources to remove sensitive information from Acrobat PDF documents. In particular, have a look at Adobe's Technical Note on Redaction of Confidential Information in Electronic Documents (Acrobat PDF).

March 20, 2006

Blackberry best practices

This interesting article (in French) outlines best practices to protect Blackberry devices.

March 15, 2006

Zimmermann's approach to secure VoIP

As reported by many web sites, Philip Zimmermann has a new project: Zfone. This beta software allows encryption of SIP-based VoIP systems (e.g. Gizmo, Wengo, etc.), without the need for a PKI. In the future, Zimmermann expects the underlying protocol will be integrated into standalone secure VoIP clients.

Currently, binaries are available for Mac OS X and Linux. A Windows build should be released around mid-April.

Update 2006/5/23: they finally have a Windows XP version. :-)

IBM survey on cybercrime

As reported by Computerworld, by surveying 600 IT managers in the US, IBM found that the threat of cybercrime is now perceived as more real and more urgent than the risk of physical crime. Also, three quarters of the respondents believe threats to corporate security now come from inside their own organizations.

March 10, 2006

EU to launch public inquiry into RFID

Computerworld reports on a press briefing at the CeBIT trade show in Hanover, Germany, where Viviane Reding, European commissioner for information society and media, declared that:

"RFID is very important to businesses and it is very important to citizens, but it also raises concerns about trust. (...) Citizens have to be sure they are in control of their data, and to have this control we must have worldwide legal certainty."

The bottom line is that the EC will consider revising the existing directive on e-privacy if new threats to EU citizens' privacy are identified.

March 7, 2006

Skype dangers may be acceptable to businesses

Burton Group released a paper on Skype corporate usage three weeks ago, but my subscription does not include their Network & Telecom publications. Computerworld summarizes the findings: if the financial incentives and better integrated communications outweigh the risks inherent to proprietary P2P technologies, consider Skype as part of your overall communication strategy.

March 3, 2006

802.1X Authentication Servers

SecurityPipeline published an interesting review of 802.1X authentication servers, with clear tables and diagrams.

The review focuses on four commercial port-based servers and services.

Anti-XSS Library for .NET

Microsoft released an anti-cross-site-scripting library for its .NET Framework. It can be freely downloaded here.

March 2, 2006

Zero to IPSec in 4 minutes

As reported by the OpenBSD Journal, a straightforward IPSec with OpenBSD How-to has been published by SecurityFocus.

This is useful as the IPSec guidance in the official FAQ became obsolete long ago.

February 28, 2006

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations

As outlined by BankInfoSecurity.com (free registration required), the DoJ issued an interesting guidance on legal aspects of IT forensics investigations: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations.

February 27, 2006

FTC settles with CardSystems over data breach

As reported by Computerworld, the FTC settled with CardSystems over last summer's data breach, which may have exposed 40M credit cards.

CardSystems must adopt security measures and undergo independent audits for the next 20 years. It still faces potential liability for millions of dollars in private lawsuits for losses.

February 20, 2006

Google Desktop 3 may pose security risk, Gartner warns

As reported by Computerworld, Gartner warns the latest version of Google Desktop poses security risks, as Google's servers may store an index of the files contained on the workstation where it is installed.

The workaround is to install the enterprise version, which lets IT administrators decide which features should be enabled or not (using GPOs).

Likewise, an enterprise version exists for the latest version of Google Toolbar (still in beta), and lets IT admins deactivate sensitive functions (e.g. PageRank display or AutoFill).

February 18, 2006

Controlling local admin privileges

I discovered through word of mouth an interesting tool to control local administrator privileges: DesktopStandard's PolicyMaker Application Security.  It allows your regular users to run a particular set of applications with admin permissions, or to downgrade your admin users' privileges when they carry out sensitive tasks, e.g. browsing the web or checking e-mail.

The product used to be called NeoExec--the technology is actually licensed from NeoValens, a company managed by Marco Peretti, SecureWave's "former" founder & CEO (another great publisher of Windows security software, which is based in Luxembourg too).

Update 2006/10/27: Another one bites the dust: DesktopStandard has been acquired by Microsoft. While most products will be integrated in Microsoft's GPMC or other products, PolicyMaker Application Security will be sold as Privilege Manager by BeyondTrust. I guess Microsoft left out PolicyMaker Application Security due to licensing issues (see above), and above all, because they already have a competing product in their portfolio: Protection Manager from Winternals Software.

More spam sent through web sites

This interesting article (in French) warns webmasters about the "latest" spammers' technique to exploit e-mail forms (e.g. FormMail.pl).  It consists of injecting recipients in the From: field.  We told you before: you shall never trust user input. :-)
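As an added example (mine, not from the article or any FormMail script), here is the kind of check a form handler should run before anything reaches the mailer: single-line header fields are rejected if they contain a line break, the sender must be exactly one address, and the recipient is looked up in a server-side table instead of being taken from the form. The field names, the recipient table and the sample submissions are assumptions.

```python
import re

# A line break inside a single-line header field lets the submitter end the
# From: line and start a header of their own; that is the injection the post
# describes. NUL is rejected too because some mailers truncate on it.
_HEADER_BREAK = re.compile(r"[\r\n\x00]")
# Exactly one plain address: no display name, no list, no trailing text.
_SINGLE_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Assumed server-side table: the form only ever sends a key, never an address.
RECIPIENTS = {"sales": "sales@example.org", "support": "support@example.org"}


def validate_form(fields: dict) -> list:
    """Return the list of problems found; an empty list means the submission
    may be handed to the mailer."""
    problems = []
    for name in ("from", "name", "subject"):
        if _HEADER_BREAK.search(fields.get(name, "")):
            problems.append(f"{name}: line break in header field")
    if not _SINGLE_ADDRESS.fullmatch(fields.get("from", "")):
        problems.append("from: not a single e-mail address")
    if fields.get("recipient") not in RECIPIENTS:
        problems.append("recipient: not in the server-side allow list")
    return problems


def build_headers(fields: dict) -> str:
    """Build the header block for a validated submission. Raises ValueError on
    anything validate_form rejects, so a caller cannot skip the check."""
    problems = validate_form(fields)
    if problems:
        raise ValueError("; ".join(problems))
    return (
        f"To: {RECIPIENTS[fields['recipient']]}\r\n"
        f"From: {fields['from']}\r\n"
        f"Subject: {fields['subject']}\r\n"
    )


# Constructed sample submissions: a normal one, and one with an extra
# recipient smuggled in through the From: field.
GOOD = {"from": "alice@example.com", "name": "Alice",
        "subject": "Price list", "recipient": "sales"}
INJECTED = dict(GOOD, **{"from": "alice@example.com\r\nBcc: someone@example.net"})
```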

About Security

This page contains an archive of all entries posted to never-ever-****-with-my.net in the Security category. They are listed from newest to oldest.