Tuesday, November 3, 2009

Monday 11/02/09

Trade talks hone in on Internet abuse, ISP liability
ISPs around the world may be forced to snoop on their subscribers and cut them off if they are found to have shared copyright-protected music on the Internet, under an international agreement being promoted by the U.S.

----------

Catbird tunes security software for virtual environments
Catbird has announced a new version of its security software for virtual environments that is tweaked to perform vulnerability monitoring of resources running in Amazon's EC2 cloud.

----------

Software shields online banking on infected PCs
Cybercriminals are developing increasingly sophisticated software that, in what is known as man-in-the-middle or man-in-the-browser attacks, can intercept online banking transactions while in progress and transfer funds with the user believing nothing is awry.

SafeOnline installs its own kernel-level driver on Windows PCs. During a secure browsing session, all information from the keyboard is routed through that driver, which defeats attempts to record keystrokes or other interference, said Mel Morris, Prevx's CEO and CTO.

----------

Password rules: Change them every 25 years
There are four basic ways for a bad guy to get your password:
(a) Ask for it. So-called "Phishing" and "Social Engineering" attacks still work, and always will
(b) Try dictionary words at the login prompt in the hope of getting lucky ("Brute Force")
(c) Obtain the encrypted/hashed password somehow, and crack it
(d) Leech the password off your computer with keylogger malware

None of these four scenarios becomes less likely if you change your password every 90 days. If the bad guy can't break the password hash (c) within a couple of days, he'll likely just look for an easier target. Attack (b) is also out for quick wins - either it works within the first couple dozen passwords tried, or the bad guy moves on to easier prey. If (b) or (c) is successful, or the attacker already has the password through (a) or (d), 45 days on average is more than enough to empty out your bank account or use your email address for a big spam run.

The concept of password expiry has remained the same for the last 25 years or so. Infosec professionals, auditors, PCI, ISO27002, COBIT, etc. all keep requiring it, unchanged, even though the threats have changed quite a bit. Forcing a user who had a weak password to change it will just make him pick another weak one. Forcing a user who had a very strong password to change it will eventually annoy the user into using simpler passwords.

So what gives? There is one practical benefit. If someone has your password, and all they want is to read your email and remain undetected, they can do so forever, unless you eventually change your sign-in secret. Thus, regularly changing the password doesn't help much against someone breaking in and making it off with your goods, but it DOES give you a chance to shake off any stalkers or snoopers you might have accessing your account. Yes, this is good. But whether this benefit alone is worth the hassle and mentioned disadvantages of forcing users to change their password every 90 days, I have my doubts.

Infosec risk management is about identifying threats and vulnerabilities, and then picking a countermeasure. But if the chosen countermeasure doesn't in fact make the identified threats less likely, all we do is play security theater, and the countermeasure is one that we don't need.

Unless, of course, "best practice standards" and audits force us to have it.
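The argument above can be put into numbers. The following model is an added example, not code from the quoted post: it treats the moment of compromise as uniformly distributed within a rotation period and computes how much validity the stolen password has left. The scenario durations (2 days to drain an account, 7 days for a spam run, unbounded for a silent reader) are constructed assumptions.

```python
import random

def residual_days(compromise_time: float, period_days: float) -> float:
    """Remaining validity of a captured password: compromise_time is days since
    the last rotation, period_days is the expiry policy (e.g. 90)."""
    return period_days - (compromise_time % period_days)

def mean_residual_days(period_days: float) -> float:
    """Compromise is equally likely at any point in the period, so on average
    the attacker has half the period left (45 days under a 90-day policy)."""
    return period_days / 2.0

def share_with_enough_time(days_needed: float, period_days: float) -> float:
    """Fraction of compromises in which the attacker still holds a working
    password for at least days_needed days before rotation cuts access."""
    if days_needed >= period_days:
        return 0.0
    return 1.0 - days_needed / period_days

def simulate_mean_residual(period_days: float, trials: int = 50_000, seed: int = 1) -> float:
    """Monte Carlo check of mean_residual_days using constructed random samples."""
    rng = random.Random(seed)
    total = sum(residual_days(rng.uniform(0, period_days), period_days) for _ in range(trials))
    return total / trials

def rotation_impact(period_days: float) -> dict:
    """Scenarios from the post (durations are constructed assumptions):
    quick attacks need days; a silent reader wants indefinite access, which is
    the one case an expiry policy actually bounds."""
    scenarios = {"empty_bank_account": 2, "spam_run": 7, "silent_reader": float("inf")}
    return {name: share_with_enough_time(d, period_days) for name, d in scenarios.items()}

if __name__ == "__main__":
    for period in (90, 365):
        print(period, mean_residual_days(period), rotation_impact(period))
```

Under a 90-day policy about 98% of compromises still leave the attacker the two days the post says are enough, while only the indefinite-access case drops to zero.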

----------

Nation's School Districts are Failing to Protect Children's Privacy
A Fordham Law School study found that state educational databases across the country ignore key privacy protections for the nation’s school children. The study reports that at least 32% of states warehouse children’s social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records. Some states outsource the data processing without any restrictions on use or confidentiality for children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives. These findings come as Congress is considering the Student Aid and Financial Responsibility Act, which would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states’ electronic warehouses of children’s information. For more information on children’s privacy issues see Children’s Online Privacy Protection Act.

----------

Cable modem hacker busted by feds
According to the U.S. Department of Justice (DOJ), Ryan Harris, 26, ran a San Diego company called TCNISO that sold customizable cable modems and software that could be used to get free Internet service or a speed boost for paying subscribers.

Harris, also known as DerEngel, was charged on Aug. 16, but the grand jury indictment was not unsealed until Monday, several days after his Oct. 23 arrest. He faces a maximum sentence of 20 years in prison and a $250,000 fine, the DOJ said. The six-count indictment charges him with conspiracy, computer intrusion and wire fraud. He was charged in U.S. District Court for the District of Massachusetts.
...

----------

Microsoft links malware rates to pirated Windows
"There is a direct correlation between piracy and the malware infection rate," said Jeff Williams, the principal group program manager for the Microsoft Malware Protection Center. Williams was touting the newest edition of his company's biannual security intelligence report.

----------

Swedish Government Promises Citizens 100MB Broadband

by TechCrunch Europe on November 3, 2009
[Sweden] The Swedish government is following in the footsteps of the Finns (well, almost), as their IT ministry is now promising that 90 percent of all Swedish homes will have access to a 100 Mbit/s broadband connection before 2020.

----------

US cyber center opens to battle computer attacks AP – Fri Oct 30, 7:38 pm ET
WASHINGTON - The United States is well behind the curve in the fight against computer criminals, Sen. Joe Lieberman said Friday, as Homeland Security officials opened a $9 million operations center to better coordinate the government's response to cyberattacks.

----------

Researchers Create Hypervisor-Based Tool For Blocking Rootkits Nov 03, 2009 New technology 'patches' the operating system kernel, protects it from rootkits

----------

Delayed Again: Red Flags Rule Deadline Now June 1, 2010
Bowing to Congressional pressure, the FTC is delaying enforcement of the Red Flags Rule until June 1, 2010, for financial institutions and creditors. Here, IT security pros weigh in on what the rule means for them.

The FTC made the announcement Friday, the same day the U.S. District Court for the District of Columbia ruled that the commission can't apply the rule to attorneys.

The Red Flags Rule was instituted under the Fair and Accurate Credit Transactions Act, where Congress ordered the FTC and other agencies to make regulations forcing creditors and financial institutions to address security holes that could lead to identity theft. The rule requires all such entities that have covered accounts to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities -- known as red flags -- that could indicate identity theft.

----------

Congress locks radio stations, record labels into boardroom
by Nate Anderson Posted in: Law & Disorder
Radio doesn't want to pay more to play music; music labels don't want radio to keep free-riding. How to settle this blood feud? Congress has ordered both sides into a Capitol Hill conference room for two weeks, and it will vote on whatever emerges.

----------

...
But the Wisconsin men won. They won big. They won $1.26 billion dollars.

How did they win? By default judgment. PepsiCo’s lawyers never responded to the complaint, and the judge awarded the Wisconsin plaintiffs a default judgment.

Why did the Pepsi people never respond? Meet PepsiCo legal secretary, Kathy Henry.
Continue reading "Legal Secretary of the Day: Pepsi’s $1.26 Billion Mistake"

----------

Jailbroken iPhones held for $5 ransom
Dancho Danchev: A message popped up on the screens of a large number of automatically exploited Dutch iPhone users, demanding $4.95 for instructions on how to secure their iPhones and remove the message from appearing at startup.

----------

COMPUTER AGE LITIGATION. There may be hope for old forms of communication after all. An extremely odd dispute in Arizona may bring hope to the makers of pen and paper. The tale is told in an Arizona Supreme Court opinion called Lake v. City of Phoenix in which the city insisted that even though it had to turn over a public record, it didn't have to turn over the public record's "metadata." Really. The city's lawyers were arguing that the code showing the history of a document wasn't actually part of the public record even though the document was. And this dispute went all the way to the state supreme court. Apparently no one was too concerned that this really looked like someone was trying to cover something up. The court thought this was silly, ruled against the city, and then offered an out for future coverups that old media lovers should appreciate: "That a public record currently exists in an electronic format, and is subject to disclosure in that format, does not itself determine whether there is a statutory obligation to preserve it electronically." A lot of agencies and companies will be going back to pencils and erasers.

----------

Mossad Hacked Syrian Official’s Computer Before Bombing Mysterious Facility
The intelligence agents planted a Trojan horse on the official’s computer in late 2006 while he was staying at a hotel in the Kensington district of London, the German newspaper reported Monday in an extensive account of the bombing attack.

The official reportedly left his computer in his hotel room when he went out, making it easy for agents to install the malware that siphoned files from the laptop. The files contained construction plans for the Al Kabir complex in eastern Syria — said to be an illicit nuclear facility — as well as letters and hundreds of detailed photos showing the complex at various stages of construction.

----------

First Test for Election Cryptography
By Erica Naone, Monday, November 02, 2009
Novel voting technology will be used in a local government election.

----------
