WISH YOU A HAPPY AND SECURE YEAR 2009

Friday, December 5, 2008

Quote of the day

Quote of the day


No one has ever succeeded in keeping nations at war except by lies.

Salvador de Madariaga

(1886-1978 )

Spanish diplomat, and historian, noted for his service at the League of Nations

New IT Term of the day

New IT Term of the day


spyware


(n.) Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.

Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today.

Aside from the questions of ethics and privacy, spyware steals from the user by using the computer's memory resources and also by eating bandwidth as it sends information back to the spyware's home base via the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability.

Because spyware exists as independent executable programs, they have the ability to monitor keystrokes, scan files on the hard drive, snoop other applications, such as chat programs or word processors, install other spyware programs, read cookies, change the default home page on the Web browser, consistently relaying this information back to the spyware author who will either use it for advertising/marketing purposes or sell the information to another party.

Licensing agreements that accompany software downloads sometimes warn the user that a spyware program will be installed along with the requested software, but the licensing agreements may not always be read completely because the notice of a spyware installation is often couched in obtuse, hard-to-read legal disclaimers.

IT exec accused of $10m backup tape theft

THEFT : IT exec accused of $10m backup tape theft

800,000 virtual wallets

By Dan Goodin in San Francisco

2nd December 2008

http://www.theregister.co.uk/2008/12/02/missing_backup_tape/

A former IT executive for a Canadian marketing firm has been accused of taking a computer backup tape containing personal information of 3.2 million customers that could net as much as $10m on the black market, according to court records.

Nick Belmonte, who earned $150,000 as vice president of IT for Vancouver-based C-W Agencies (http://www.c-wgroup.com/), recently ordered an employee to deliver three backup tapes to his office for copying. When the employee returned later, only two tapes were found. In addition to names and other details, the missing tape contained credit card and bank account information of more than 800,000 customers.

"The information in the customer library is highly confidential to the plaintiff and its clients," a C-W executive wrote in an affidavit filed in court, according to The Vancouver Sun. "If the customer library data is sold, it cold have a devastating effect on CW's business and that of CW's clients worldwide."

After being accused of the theft, Belmonte went on leave.

It's unclear how many CW customers have been notified that their data has gone missing. US-based businesses are required to give such notifications to customers located in any one of 44 states, and presumably similar laws exist in Canada as well. Executives have known of the alleged theft since at least November 4. A CW employee hadn't returned a message seeking comment by the time of publication.

Attempts to reach Belmonte were unsuccessful. We'll be sure to update this story if either party gets back to us.

The episode is the latest to shine a light on the informal structure of IT departments that store detailed records on millions of us all over the world. While banks, hospitals and many types of businesses are required to follow basic security measures protecting records, plenty of others, ubiquitous marketers among them, are not.

Virtually every Windows PC at risk, says Secunia

RISK : Virtually every Windows PC at risk, says Secunia

Almost all PCs scanned by patch tool have an unpatched app; 46% have 11-plus

Gregg Keizer

Computerworld

December 3, 2008

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122240

More than 98% of Windows computers harbor at least one unpatched application, and nearly half contain 11 or more programs at risk from attack, a Copenhagen-based security company said today.

According to Secunia APS, 98.1% of the PCs on which its Personal Software Inspector (PSI) utility was installed during the past week sport one or more applications that have security updates available for downloading.

PSI scans Windows systems for installed applications, then compares their version numbers to the most up-to-date versions; if they're different, it makes note, then provides a link to the patch update. To gather its numbers, Secunia tracked the results of each user's first PSI scan.

Since Nov. 25, when PSI left beta and entered Version 1.0, more than 120,000 people downloaded the utility, said Thomas Kristensen, Secunia's chief technology officer. The company randomly selected 20,000 of those installations, then tallied the number of unpatched applications PSI found.

"Most people keep Windows up to date because it's so easy to use Windows Update," said Kristensen. "Adobe Reader and Flash and Apple QuickTime are like that, too, as are browsers. But a lot of third-party [browser] plug-ins don't have any [update mechanism] and so people don't keep them updated."

The PSI data showed that while fewer than 1.9% of the users had completely clean PCs, 30.3% of the machines contained between one and five unpatched programs, 25.1% had between six and 10 at-risk applications, and 45.8% of the systems boasted 11 or more insecure programs.

Today's numbers were even more dismal than those Secunia collected last January, when it surveyed a similar number of PCs that had just installed PSI. Then, approximately 4.5% of the machines were free of unpatched programs, more than twice as many as in the newest survey.

Kristensen explained the decline. "We've had a change in the user base and managed to reach a much broader group of users," he said. PSI's early adopters were mostly tech-savvy types, but as word has spread about the utility, "it's reached a completely different group of users, many who never patch their PCs," Kristensen noted.

Since Secunia launched the free utility in mid-2007, about 900,000 users have downloaded the program. "We should clear 1 million around the first of the year," Kristensen said.

Major Gaps In Cybersecurity

GAPS : Major Gaps In Cybersecurity

December 3, 2008

http://crealis.es/2008/12/major-gaps-in-cybersecurity.html

(Crealis) -- A recent Carnegie Mellon University CyLab survey of corporate board directors reveals a gap in board and senior executive oversight in managing cyber risks.

Based upon data from 703 individuals (primarily independent directors) serving on U.S-listed public company boards, only 36 percent of the respondents indicated that their board had any direct involvement with oversight of information security.

The survey also said that cybersecurity issues need to be seen as an enterprise risk management problem rather than an IT issue.

"Managing cyber risk is not just a technical challenge, but it is a managerial and strategic business challenge,'' said Pradeep K. Khosla, dean of Carnegie Mellon's College of Engineering and CyLab founder.

"There are real fiduciary duty and oversight issues involved here,'' said Jody Westby, adjunct distinguished fellow at Carnegie Mellon CyLab and the survey's lead author. "There is a clear duty to protect the assets of a company, and today, most corporate assets are digital.''

"We also found that boards were only involved about 31 percent of the time in assessment of risk related to IT or personal data — the data that triggers security breach notification laws,'' said Westby, who is also chair of the American Bar Association's Privacy and Computer Crime Committee.

Only 8 percent of survey respondents said their boards had a risk committee that is separate from the audit committee, according to Westby.

"Without the right organizational structure and interest from top officials, enterprise security can't be effective no matter how much money an organization throws at it,'' said Richard Power, co-author of the report and a distinguished fellow at Carnegie Mellon CyLab.

Power said the survey also shows that senior management has not budgeted for key positions requiring expertise in cybersecurity or privacy areas. "No wonder the number of security breaches has doubled in the past year — only 12 percent of the respondents have established functional separation of privacy and security, and most companies don't have C-level executives responsible for these areas," Power added, comparing the survey results to the breach chronology maintained by the Privacy Rights Clearinghouse (http://www.privacyrights.org/ar/ChronDataBreaches.htm).

To help company boards improve corporate governance of privacy and security, the survey recommends broad operational changes from establishing a board risk committee separate from the audit committee to reviewing existing top-level policies to creating a culture of security and respect for privacy.

Cyber crooks make a killing in 2008

LOOT : Cyber crooks make a killing in 2008

F-Secure reports huge rise in malware for profit

Ian Williams,

vnunet.com

03 Dec 2008

http://www.vnunet.com/2231869

http://www.vnunet.com/vnunet/news/2231869/cybercrime-profits-hit-2008

2008 has been a bumper year for cyber criminals, who have raked in more cash than ever before, according to security firm F-Secure.

The company's annual data security wrap-up report said that the level of malware detections tripled over the year to equal the total amount of malware accumulated over the previous 21 years.

Criminal activity for financial gain has remained the driver for this increase, and most malware is being produced by highly organised criminal gangs using increasingly sophisticated techniques.

2008 has also seen an increase in botnet activity around the world, giving cyber criminals access to vast amounts of computing power to distribute spam and malware as well as launch targeted denial-of-service attacks.

Mikko Hyppönen, chief research officer at F-Secure, warned that online crime is now more prevalent and more professional than ever before, and put the blame on the inability of national and international authorities to catch, prosecute and sentence these criminals.

"The bottom line is that too few of the perpetrators of internet crime are either caught or punished," he said. "We believe that the result of no action being taken sends the wrong message to these criminals that internet crime is an easy way to make a lot of money and they will never be caught or punished."

Hyppönen is calling for the establishment of Internetpol to tackle online crime, an initiative that has received great interest and support internationally.

However, although online crime is still a major challenge, the F-Secure report highlighted some notable successes by agencies trying to catch and convict criminals over the course of the year.

These included an FBI operation to close down Dark Market, which acted as an online marketplace for stolen credit card details and illegal internet services, and a campaign that led to the demise of botnet host McColo resulting in a temporary fall in worldwide spam levels.

Microsoft, meanwhile, filed a number of lawsuits against the purveyors of rogue security applications who were attempting to scam users into buying worthless products.

Thursday, December 4, 2008

How to send a voice mail to your friend using Windows XP?

How to send a voice mail to your friend using Windows XP?

E-mail is a most popular and effective way to communicate with others through the internet. You can send documents, pictures and other types of files to any destination but the interesting thing is that you can send also your voice in a mail by attaching the file with e-mail. In windows XP, you can record your voice using Sound Recorder and a microphone options.

Follow the given steps to record your voice in windows XP:

To use this feature, you will need to be logged into your computer with administrative

rights.

To start recording process, first make sure you have attached a microphone

to your computer.

First click on Start button> All programs> Accessories> click Entertainment and then click on Sound Recorder option.

Now a small "Sound - Sound Recorder" will appear, go to File menu and click on New to start a new file for recording.

Click on Record button to start recording process and start talking then click on Stop button to stop the recording.

Now again click on File menu to save this file with .wav extension to a folder of your choice.

Now send this voice file as an attachment via e-mail message to your friends.

Contributed by:
Giri

How to display text message warning before windows Logon?

How to display text message warning before windows Logon?

You can insert legal warnings or any interesting messages for others just before logon to windows based computer. This is very useful if you want to give a message to new users about the uses of computer. You can create this banner message using the windows registry editor but make sure before modifying your system Registry about its backup because Registry contains all information how your system runs. This backup will help you to restore Registry in case any problem occurs after modifying.

To edit the computer registry, first you should log onto your computer with administrative rights.

Click Start button then type regedit in Run option then press Enter for next.

Here locate the location to:

HKeyLocalMachine\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinLogon

Here in right side panel, double click on the key LegalNoticeCaption and give it a value you want to see in the menu bar. For example “Welcome Screen for All Users”.

Now again in right side panel, double click on the key called LegalNoticeText and change the value you want to see in the dialog box. For example “You may not succeed later when trying to logon without a password.”

Now close the registry editor and restart your computer after any changes to go into effect.

Contributed by: Giri

How to create your own shortcut key for favorite programs?

You can create your own keyboard shortcut to open any your favorite programs, files and folders. This tip is very useful, if you want to create quick keyboard shortcuts to open most often used programs. But note that you can create keyboard shortcut only with program shortcut on your desktop or the start menu programs.

Follow the giving steps to create keyboard shortcut for your favorite program:

  • First right click on desktop shortcut or on any start menu program and choose Properties from the menu.
  • Here under the shortcut tab, click in Shortcut key box.
  • Now press any key on your keyboard that you want to use as combination with CTRL+ALT. For example, if you want to create keyboard shortcut to open MSN Messenger, simply press 9, your keyboard shortcut for MSN Messenger will be CTRL+ALT+9.
  • Now press OK button and test your shortcut key.

Contributed by: Giri

Wednesday, December 3, 2008

Quote of the day

Quote of the day


The smart way to keep people passive and obedient is to strictly limit the spectrum of acceptable opinion, but allow very lively debate within that spectrum.

Noam Chomsky

(1928- )

Institute Professor Emeritus of Linguistics

New IT Term of the day

New IT Term of the day


spoof


(v) To fool. In networking, the term is used to describe a variety of ways in which hardware and software can be fooled. IP spoofing, for example, involves trickery that makes a message appear as if it came from an authorized IP address.

Spoofing is also used as a network management technique to reduce traffic. For example, most LAN protocols send out packets periodically to monitor the status of the network. LANs generally have enough bandwidth to easily absorb these network management packets. When computers are connected to the LAN over wide-area network (WAN) connections, however, this added traffic can become a problem. Not only can it strain the bandwidth limits of the WAN connection, but it can also be expensive because many WAN connections incur fees only when they are transmitting data. To reduce this problem, routers and other network devices can be programmed to spoof replies from the remote nodes. Rather than sending the packets to the remote nodes and waiting for a reply, the devices generate their own spoofed replies.


5 Essentials of Banking Security in Tough Times

SAFE BANKING : 5 Essentials of Banking Security in Tough Times
Keep a Sharp Eye on Compliance, the Insider Threat and Phishers
November 25, 2008

Linda McGlasson, Managing Editor
http://www.bankinfosecurity.com/articles.php?art_id=1074&opg=1

Bank mergers and failures. Market fluctuations. Looming layoffs. The new administration and the changes it will bring to financial services regulation.

There is much in the news these days for financial institutions - and their customers - to consider. But at a time when consumer confidence in banking is at a critical juncture, so many of those aforementioned influences are outside of a banking/security leader's direct control.

But here are five factors you can control to ensure security and reassure shareholders and customers of your institution's safety and soundness.

1. Regulatory Compliance: Focus on the Basics

Bad economy? Doesn't matter to banking regulators. Even if your institution is affected by bad loans or investments and you're dealing with the aftermath, regulators will still be examining your programs for compliance - and you'd better be prepared, says David Schneier, Director of Professional Services at Icons, Inc., a risk assessment firm based in Princeton, NJ.

"There isn't very much room to maneuver or modify what needs to be done," says Schneier, who spends much of his time working with banking institutions on their compliance efforts. "GLBA compliance is still required to continue operating. We've heard nothing from the field thus far that indicates that examiners are easing up in any way, nor should that be expected."

In challenging times, the spirit of GLBA is that much more relevant ,particularly as market conditions deteriorate and people grow desperate. "Accordingly, information security practices become much more significant to ensure the protection of both customer/member data and the institutions assets," Schneier says.

Also at the top of the list for all institutions should be the ID Theft Red Flags Rule, which covers the basics of identity theft prevention and awareness programs. "This will provide the critical safeguards to ensure that potentially fraudulent activity is being identified and managed."

2. Risk Management: Be Proactive

By taking a proactive approach to risk, Corporate One FCU in Columbus, OH managed to position itself to survive in this troubled economy.

"Corporate One's focus on managing risk developed long before these issues began," says Joe Ghammashi, Chief Risk Officer at the $5.16 billion corporate credit union. This is supported by the credit union's diversified investment portfolio. "Additionally, our appropriate pricing of risk has allowed us to build our capital base, as well as establish a strong earnings run-rate. We also have been proactive since last summer in developing and enhancing our liquidity sources. Consequently, we are not facing the issues that have hit other institutions."

The credit union's biggest challenge is perception - members' questions about the safety and soundness of all institutions. "We are making sure that our members understand that the assets we hold are of the highest quality and that we have ample liquidity to carry them for as long as we need," Ghammashi says.

Corporate One's work over the past three years on an enterprise wide risk management (EWRM) program has also paid off. "We integrated our business owners into the IT governance process and brought IT out of its silo into the environment of its business partners. We have adapted the COSO and COBIT frameworks to manage our systems, people and processes to, among other things, integrate technology and business together."

Ghammashi stresses it was critical for the credit union to have proactively engaged in these activities to position it in the solid position that it is in today. "It would be extremely difficult for someone to try and implement such a program at this time," he says. "The biggest challenge facing anyone attempting to implement EWRM is the difficulty in developing financial models that justify the incremental cost of EWRM. But when times are as difficult as they are today, it becomes evident that adopting sound risk management principles as a component at every level of the organization's business plan is critical for its survival."

3. The Insider Threat: Tighten Internal Controls

When it comes to fighting the insider threat, financial institutions fall into type A or B personalities just like most human beings, says Sai Huda, Chairman and CEO of Compliance Coach, a San Diego, CA-based compliance company backed by three of the nation's top 10 banks (Wells Fargo, Bank of America and Citigroup).

The Type A financial institution sees information security as a mission critical item. "At the Type A institution, security starts at the top with the board of the directors. They are very aggressive in complying fully with regulatory requirements and information security policies," Huda says. This is especially needed in the current environment where fraud is on the rise, and insider theft of information is at a high risk probability. The Type A institution focuses on insiders and asks who has access to what, why? They also focus on terminated employees. "Are they leaving with any confidential information?"

On the other hand are the Type B financial institutions that have a relaxed, laid back approach to information security. "They see it as something regulators require them to do, so they do it. They are not proactive. No news is good news. If there is no news of any breach, then everything must be okay with information security," says Huda. Their biggest failure is they are more trusting of insiders. They are focused more on outsiders. "It is business-as -usual with any layoffs. There is no enhanced scrutiny of practices to make sure insiders do not leave with confidential information," Huda notes.

Given the current economic conditions, insider theft of information is an increasing risk that all financial institutions face. Why? Because insiders have access to customer information and may be tempted to transport or sell for economic or vindictive reasons, especially if they are laid off from the financial institution. They also have intimate knowledge of information security policies and procedures and know what are the institution's strengths and vulnerabilities.

Here are three things Huda says every single financial institution should proactively implement to thwart the insider threat:

1. Quarterly review of who has access to what and why. Tighten up and restrict access in light of increasing security risks. Focus on those business units that may have reductions in staffing in the next quarter.

2. Take a very close look at employee termination procedures. What are measures in place to make sure terminated employees do not leave with any information?

3. Whenever employees are terminated who had intimate knowledge of information security policies and procedures and knew the institution's strengths and vulnerabilities, revise the policies and procedures immediately to plug the holes. "Remember, a terminated knowledgeable insider can become your worst outsider enemy," Huda concludes.

4. Phishing, Fraud: Be Vigilant, Educate Customers

Criminals don't take vacations, and the business of fraud is growing, says Debra Geister, Director, Fraud Prevention & Compliance Solutions at Lexis-Nexis. "While banks feel contraction during the current economic challenges, the business of fraud continues to grow."

Now more than ever, it is critical to catch fraud as early as possible -- ideally, to prevent it before it occurs. "Since the Identity Theft Red Flags Rules is in place, many institutions are finding ways to bring their fraud and compliance systems together in a more formal way to fight identity theft," Geister observes. In addition, as banks evaluate their systems, many are starting to merge AML initiatives with their fraud and identity theft initiatives, she says.

Phishers are among those fraudsters who are as busy as ever, says John LaCour, CISSP, Director of AntiPhishing Solutions at MarkMonitor and contributing analyst to the Anti-Phishing Working Group (APWG) Phishing Activity Trends Report.

"Phishers seem inexhaustible," LaCour says. While the number of unique URLs declined by nearly one-third earlier this year due to lower Rock Phish activity, the actual number of attacks as measured by a combination of brand and phishing domain names increased 11 percent. "This indicates that traditional phishing is as strong as ever and increasing," LaCour concludes.

The number of brands being attacked increased by 7.6 percent, and financial services still remains the most targeted industry, according to the Phishing Activity Trends Report issued each quarter by the APWG. The group also reports crimeware-spreading URLs infecting PCs with password-stealing code rose 93 percent in the first quarter to 6,500 sites, nearly double the previous high of November 2007 -- and an increase of 337 percent from the number detected in the first quarter of 2007. Institutions need to have a phishing takedown plan in place in the likelihood their brand is attacked.

To illustrate the growth in phishing attacks one only needs to look at a recent report released by Cyveillance, a information security research company that also provides takedown services for financial institutions. In the first quarter of 2008, Cyveillance reports it typically saw a daily average number of phishing attacks in the low-400 range. In October that average increased to more than 1,750, with record peaks as high as 13,209 in a single day.

During the first half of this year, the quantity and frequency of the attacks have steadily increased, averaging 400 to 500 per day, with spikes at times reaching nearly 1,000 per day. Though the summer of 2008 saw an overall slowdown in attacks, there has been a significant increase in attack volumes and frequency of spikes since September. Cyveillance researchers join those in the information security industry that say these increased volumes can be linked to many outside influences, the worldwide financial crisis and the phishers constantly changing direction and attack methods to avoid being caught.

Institutions need to have a phishing takedown plan in place in the likelihood their brand is attacked. Included in the plan should be how to communicate to customers. Put an announcement message on the website's front page. Give the facts to all customers, telling them about the phishing attack. Tell them what you're doing to stop it. Tell them to contact the institution when they receive any suspicious email or phone call purporting to be from the institution. Regular reminders on statement stuffers and in general correspondence will also educate customers to be wary of any unsolicited phone calls or emails.

TowerGroup's George Tubin sees no end in sight for these types of attacks against banking customers such as the increased number of phishing and "vishing" attacks perpetrated on a wide number of consumers across the country in the last three months.

Tubin, Senior Research Director, Delivery Channels and Financial Information Security at the Needham, MA-based research firm, sees that the current economic crisis hasn't dampened criminal efforts against financial institutions or their customers. "They're definitely not taking a pity break or slowing down their efforts. In fact, they are actually stepping up their efforts to phish for victims at merged banks and at other banking brands during these uncertain times," he adds.

Tubin recommends institutions remain focused on fighting fraud. "There's not a lot of room to move. Criminals are still trying to exploit banks, so it's not an area that banks can take a breather on," he observes. While other areas of the institution may face cutbacks in their budgets, Tubin sees that institutions will keep spending in the security and fraud space. "With every month that passes, the criminals get better at what they do. They work on refining their attacks, get rid of what doesn't work and then increase what does work and then continue down that path."

The first issue that financial institutions should be worried about is fraud, says another risk management expert who works with financial institutions across the Midwest. "Fraud follows a basic triangle of 'Rationalization, Pressure and Opportunity.' And with financial institutions getting into trouble or merging and employees having the fear of getting laid off, losing their houses, etcetera, this opens up the pressure part of the triangle," says Ken Stasiak, CEO of SecureState, a Cleveland, OH-based risk assessment firm that focuses on the financial services industry.

5. Physical Threats: Protect Your ATMs

Schneier of Icons makes a final prediction that "old-fashioned holdups" will increase during these trying times. "The difference between what we're dealing with now versus 80 years ago is that whereas in 1927 there was a run on the bank to get your money out, the threat now is a run on the bank to get someone else's money out."

He observes that with so many digital pathways into and out of financial institutions, it makes it easy to forge financial documents, making the likelihood of fraud much greater. And then there is the prospect of targeting the unsuspecting ATM customer. "With ATM's in virtually every pocket of society these days, it's possible to see a marketable increase in good, old-fashioned criminal 'hold-em up' scenarios," Schneier says.

Institutions should begin reducing ATM crime and the increased threat of physical crime via a two-pronged approach. First and foremost is education. All financial institutions have pamphlets and programs designed to educate their customer/members regarding ATM safety (e.g. pulling the locked door closed behind you, counting your money after leaving the area, etc.) and they need to make sure this gets put out in front of their audience again, says Schneier. Second is a physical deterrent such as video cameras, sufficient lighting, un-obscured placement (move those shrubs), security mirrors (to see behind you) and functioning locked doors. Remind customers at drive thru ATMs to always make sure that the car in front of them has cleared the lane, don't put the car in park (keep it in gear and a foot on the brake) and to check side-view and rear mirrors before initiating the transaction.

Regarding robberies at teller windows, there's already training available providing clear guidance on steps to be taken, Schneier says. But financial institutions need to be more aggressive in conducting their training drills and perhaps increasing their frequency. It's also important that they think beyond only training the tellers. "In one institution recently, a non-business person was discussing how they often pass through the lobby and wouldn't know what to do if they encountered a hold-up," Schneier says. "Considering that all it takes if for one person to react inappropriately to send things out of control, this is an important consideration. All of the institutions employees need to know what to do."

Lastly, Schneier advises vigilance is the best control to have when dealing with the threat of criminal activities. "Knowing when someone or something appears out of place, knowing what to do about either a potential or confirmed incident is the surest way to navigate through the event."

Mobile Handsets Becoming A 'Smoking Gun'

RISK : Mobile Handsets Becoming A 'Smoking Gun'

Rise in mobile devices in the enterprise adds new challenges to incident response

By Kelly Jackson Higgins

DarkReading

Dec 01, 2008

http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212201218

You have to be fast when seizing a mobile handheld device in the wake of a security breach -- a dead battery or still-live signal could wipe out or taint the evidence stored on it.

As handheld devices gain more data features and storage, they also are increasingly becoming a smoking gun in an enterprise data breach, especially when it comes to the insider threat, security experts say. But getting hold of these devices and freezing the evidence on them isn't so easy.

"The biggest data breach [with handhelds] today is probably lost or stolen handhelds," says Randy Abrams, director of technical education at Eset. "The fact that many of these devices support MicroSD card of at least 2 gigabytes of capacity makes them extremely agile for transporting data. Insiders have no problem copying large amounts of data from a PC to their smartphone. Even if the possession of the data is legitimate, a lost device with unencrypted data can be a gold mine for the finder."

But the evidence on the devices can be easily lost or tainted. Amber Schroader, president and founder of Paraben, says the key is to maintain power on the device and protect it from any changes that could contaminate the evidence on it. "You can put aluminum foil around it to make sure the signal is blocked" or put a Faraday cage around it to protect the evidence, she said during a presentation at the recent CSI 2008 conference.

The first responder to a handheld device could have less than a minute to properly seize and contain one of these "volatile" devices, she says. If the battery dies, so does the forensics data that was on a Windows Mobile device, for instance, Schroader said. "Every three days a new digital device goes into the consumer market," she said, and there aren't enough forensic examiners to keep up with them.

Schroader noted that in many cases today, investigators are conducting full forensics analysis in the field and don't have the luxury of sending the device off to a lab. "They're doing more live-on-the-scene instead of processing it in the lab, which can take over nine months with an analysis," she said. Instead, you can process and grab evidence off of a handheld right then and there, she said.

"The biggest IP [intellectual property] leaks are in...my pocket," she said. And with 2-GB SIM cards arriving next year, one of these devices could store an entire customer list that could be lost, stolen, or sold, for instance.

Aside from locking down the handheld by maintaining a power supply and cutting off its wireless signal, investigators also should seize any accessories to the device that could contain evidence, Schroader said. That includes synch stations, cases, SIM and media cards, and headsets. Off-site data storage and synchronization as well as service providers could also have critical data to a forensics investigation.

Forensic tools then help gather images and other data for the investigation. Ideally, these tools provide a repeatable process that can also verify the results, according to Schroader.

What about malware attacks via a handheld device? "Antimalware for these devices is a low-cost layer of defense," says Eset's Abrams, whose company recently released an AV product for smartphones. "But encryption and data access control are what the IT manager should be really concerned with today."

Still, handheld devices can spread malware to the enterprise. "Autorun works great with MicroSD cards," Abrams says. "I would disable autorun in a corporate environment if security was my mandate."

Metadata - An Invisible CAPTCHA

TECHNOLOGY : Metadata - An Invisible CAPTCHA

Soon you may not need to squint at distorted letters to prove your humanity.

Andy Greenberg,

Nov 25 2008

http://www.forbes.com/security/2008/11/25/captcha-pramana-bots-tech-identity08-cx_ag_1125captcha.html

Sanjay Sehgal thinks the average CAPTCHA, that collection of deformed characters that Web sites ask users to type out when registering for an account, is both too easy and too demanding. The image tests designed to weed out spam-spewing bots often annoy real people--and rarely keep out determined spammers.

The company Sehgal founded a year ago, Pramana, takes a different approach. Instead of submitting users to a test, the Atlanta-based company's technology plugs into Web sites and invisibly analyzes users' online behavior to determine who's a human and who's a bot. "We don't demand that users prove they're human," Sehgal says. "We simply watch them and decide for ourselves."

Pramana, which means "proof of reality" in Hindi, is currently in "stealth" mode, and won't reveal much about its customers or just how it works. The company isn't just media-shy--it also wants to prevent bot creators from figuring out how to evade its analysis.

David Dagon, a professor of cybersecurity at Georgia Tech who's familiar with Pramana, hints that the technology may involve tracking mouse movements for signs of human timing. Another key element to Pramana's approach is secretly cycling through changes in the criteria to keep spammers from cracking the code.

Those tactics might not stop spammers altogether, Dagon says, but they could make Web services much harder to access with automated software. "If we can shorten the cycle so that new kinds of measurement can be pushed out rapidly to many sites, the period of time when the CAPTCHA is broken by miscreants shrinks," he says. "We need to reduce the shadows in which malicious software thrives."

Pramana, like any CAPTCHA, will likely remain vulnerable to teams of humans paid small amounts to crack the tests. But Sehgal points out that his approach could make that business less profitable.

In traditional CAPTCHA situations, a spammer only needs a human to participate in one step of the account registration process: answering a CAPTCHA's questions. But with Pramana's system in place, spammers would have to pay humans to complete every element of the registration--if a bot took over at any point, the spammer would be revealed.

Detecting all automated behavior could force spammers to replace cheap software with relatively expensive humans. And that, after all, is just what CAPTCHAs are meant to achieve.

e-ticketing fraudsters nabbed by Pune police

e-FRAUD : e-ticketing fraudsters nabbed by Pune police

By Subroto Roy

2008-12-02

http://www.mid-day.com/news/2008/dec/021208-News-Pune-Amol-Palkar-Pune-police-nab-crooks-Rs-60000-fraudsters-e-ticket.htm

Pune police nab crooks who duped actor Amol Palekar of more than Rs 60,000

The e-booking system of air tickets has proved to be a costly affair for a number of credit card users in the country, including noted cine personality Amol Palekar. The actor, like many others has been charged for Rs 60,000 worth air tickets he never bought.

Palekar registered a case with the Pune police this February. Additional commissioner of police, crime (economic and cyber) Rajinder Singh told MiD DAY that his department has cracked the case. "We have trapped the criminals," he said.

A gang of three criminals had been apprehended by the crime branch (economic and cyber) of Pune city police last Thursday and produced before the judicial magistrate first class (JMFC) Pune court.

Cyber criminals reportedly bought the credit card verification value (CVV) through their sources at petrol pumps, restaurants, hotels, malls, among other places where customers swipe their cards.

"They purchased air tickets through the e-system from Flight Raja, and Akbar Travels to travel to Goa, Bangalore and other destinations using stolen CVVs of credit card users," said assistant commissioner of police (ACP) crime, economic and cyber crime Rajendra Hadale.

ACP Hadale advises that the CVV needs to be kept a secret, as they can be copied and later sold to criminals.

Hadale said the three Hassan Iqbal Shaikh of Vasai, Rauss Adman Pareira and Nazneen Rauss Pareira alias Muskaan from Mira Road were trapped by the police. Rauss Pareira is an IT expert, while the other two were accomplices in the crime.

Investigating officer assistant police inspector Krantikumar Patil, who returned from Mumbai on Monday, said that it has been the trio's business for the last couple of years to steal CVVs and book air tickets to travel across the length and breadth of the country.

"They are unemployed and indulge themselves in flying from one city to the other using others' credit cards," Patil said.

Patil intercepted phone calls and Internet booking verification points and thus traced the accused.

Hadale said Palekar will be invited to the commissioner's office soon. "He has expressed a desire to hold a press conference in this regard," he said.

However, others who have been duped like Palekar will have to wait until further investigations are over.

Cyber criminals who used CVVs to defraud Palekar have used the same modus operandi in at least 10 other cities in the country amounting to Rs 10 lakh.

Inspectors Netaji Shinde and Prakash Lagad are conducting further to ascertain the exact total of the fraud the threesome has committed in India.

Monday, December 1, 2008

Quote of the day

Quote of the day


There is a wonderful mythical law of nature that the three things we crave most in life -- happiness, freedom, and peace of mind -- are always attained by giving them to someone else.

Peyton Conway March

(1864-1955)

US Army Chief of Staff during the final year of WWI

New IT Term of the day

New IT Term of the day


split tunneling


The process of allowing a remote VPN user to access a public network, most commonly the Internet, at the same time that the user is allowed to access resources on the VPN. This method of network access enables the user to access remote devices, such as a networked printer, at the same time as accessing the public network.

An advantage of using split tunneling is that it alleviates bottlenecks and conserves bandwidth as Internet traffic does not have to pass through the VPN server. A disadvantage of this method is that it essentially renders the VPN vulnerable to attack as it is accessible through the public, non-secure network.

Employers need to educate employees on security policy

NEED : Employers need to educate employees on security policy

SC Staff

November 26, 2008

http://www.scmagazineuk.com/Employers-need-to-educate-employees-on-security-policy/article/121576/

Human error is the main security issue for IT directors.

According to research by Clavister, 86 per cent of IT directors believed that the most likely cause of an IT security issue came from their own employees.

The main reasons for this according to IT directors, were down to staff ignoring security policies and not being made aware of, or not being sufficiently trained on them, as well as making mistakes or committing industrial espionage.

Andreas Åsander, VP product management at Clavister, said: “The purpose of a security policy is rather simple - to keep malicious users out of a network while monitoring potential risky users within an organisation.

“To ensure compliance, however, is no simple task. Security policy documents tend to be very long and technical, and not written in a way which has meaning or importance for the average employee.

“For security rules to be adopted, users need to understand why they are important, and what the rules mean to them personally and professionally.”

Ed Gibson, chief security advisor at Microsoft UK, said: "An evaluation of data losses reveals a common theme - an unsecured device accidentally left somewhere. Training can help ensure our colleagues have the whereabouts of their devices at the forefront of their minds, and that proper encryption processes have been put in place."

CCTV to predict crime before it happens

TREND : CCTV to predict crime before it happens

November 28th, 2008

http://www.esnews.co.uk/?p=2351

What sounds like something from the sci-fi movie ‘Minority Report’ is to become a reality on Britain’s streets - smart CCTV that can predict crime before it happens.

The cameras monitor people’s movements and then alert the police or security staff to suspicious activity, such as a car thief loitering in one area or small groups coming together for drug deals.

Officers or security guards can then confront potential offenders before a crime is even committed.

The cameras used specially developed software that can identify suspicious behaviour, such as a man loitering in car park, or a car moving slowly down a road.

If someone is seen lurking in a particular area, the computer will send out an alarm to a CCTV operator.

Nick Hewitson, managing director of Smart CCTV, which is behind the software, said it lets security staff stay “ahead of the curve”.

He said: “If there is a person hanging around, you can send someone down there to challenge them. Ultimately you can get there before anything happens.”

So far half a dozen cameras have been fitted with the new technology by the local council in Portsmouth.

If the system proves successful, it could be rolled out across as many as 600 of the boroughs 1,000 CCTV cameras.

Jason Fazackarley, a councillor in Portsmouth, said: “It’s the 21st century equivalent of a nightwatchman, but unlike a nightwatchman it never blinks, it never takes a break and it never gets bored.

“It’s an eye in the night. The darkness is no longer a place where criminals can hide.”

The software – known as known as video content analysis – is tipped to be the next big thing in automated security and it is expected that its use will grow considerably over the next few years.

Civil liberties groups have already raised concerns that the technology could lead to more people being challenged by police and security staff for going about their business.

A spokesman for the No2ID campaign said: “As ever the problem is not when the camera acts like a nightwatchman; it is when it records information about individuals that isn’t immediately used for the detection of crime, but is kept ‘just in case’.

“This makes us all into permanent suspects. The idea that all our behaviour in public places is to be recorded and interpreted by machines, and may be used to focus police on us if we ‘look odd’ is more of a disciplinarian fantasy than a realistic contribution to criminal justice in a free society.”

Liberty’s Campaigns Coordinator Sabina Frediani added: “Bringing expensive Hollywood sci-fi to our car parks will never be as effective as having police on the street lead the fight against crime.”

Conservative Shadow Home Secretary Dominic Grieve said: ‘We will look at this carefully… but there is no argument for CCTV that invades your privacy without being effective in the fight against crime.’

US central command hit by malware

ATTACK : US central command hit by malware

Dan Raywood

Dec 1, 2008

http://www.securecomputing.net.au/News/129825,us-central-command-hit-by-malware.aspx

The United States central command was hit by an attack and affected computers in combat zones in the Middle East.

Military leaders briefed President Bush following suspicions that the attack may have originated in Russia, posing unusual concern among commanders and potential implications for national security.

U.S. central command is the headquarters that oversees U.S. involvement in Iraq and Afghanistan, though defence officials would not describe the extent of damage inflicted on military networks.

Military computers are regularly hit by hackers, computer viruses and worms, but Defence officials said the most recent attack involves an intrusive piece of malware that was apparently designed specifically to target military networks.

Electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether it had Russian government sponsorship.

One defense official said the military has also not learned whether the software's designers might have been specifically targeting computers used by troops in Afghanistan and Iraq. Speaking anonymously, the official told the Baltimore Sun: “This one was significant; this one got our attention.”

Although officials are withholding details of the attack, the seriousness of the response underscores the increasing danger and potential significance of computer warfare, which defence experts say could one day be used by combatants to undermine even a militarily superior adversary.

The invasive software, known as agent.btz, has circulated among nongovernmental U.S. computers for months, but only recently has it affected the Pentagon's networks. It is not clear if the version responsible for the cyber intrusion of classified networks is the same as the one affecting other computer systems.

The malware is able to spread to any flash drive plugged into an infected computer. The risk of spreading the malware to other networks prompted the military to ban the flash drives.

Andhra police website hacked by Pakistani group

HACK : Andhra police website hacked by Pakistani group

Newkerala.com

26 November 2008

http://www.newkerala.com/topstory-fullnews-51804.html

Hyderabad, Nov 26: The website of Crime Investigation Department (CID) of the Andhra Pradesh police was Wednesday hacked by a group of hackers that claimed to be from Pakistan.

Exposing flaws in the cyber security of a key department, a group called itself Zombie_KSA defaced the website www.cidap.gov.in and pasted offensive messages.

It claimed that its action was in response to the hacking of website of Pakistan's Oil and Gas Regulatory Authority (OGRA) by an Indian group HMG.

"You guys hacked Paki OGRA website. Don't hack small Paki sites," said the message.

The group also claimed to have hacked the websites of a leading Indian bank and a television channel.

The hackers also tampered with the information about 10 most wanted criminals, which included some suspected terrorists. The site could not be restored till late in the evening.

The police clarified that CID had not lost any secret information. "It was all open information about crime and criminals. We have not lost any secret information," said A. K. Khan, additional director general of police (law and order).

The police have ordered an inquiry as to how the hackers could break into the website. They were in touch with a private firm, which hosts the CID website.

This Day in History

Thanks for your Visit