Monday, March 31, 2008
As many of you may know, I am a big Linux fan and user. Ubuntu is one of my favorite distributions, so I often try to keep up with the latest information. My trial of Hardy Heron has been a good experience thus far. Even though it is still in beta, I have seen some interesting improvements. I was compiling my review, but in an article at ITWIRE, David Williams covered my thoughts as well as adding many more. So I will share his article with you all… Click Here to access his Ubuntu review.
Friday, March 28, 2008
Interesting news... ;)
Apple falls first in laptop hacking contest (Written by Andrew Charlesworth)
28 Mar 2008
A three-way hacking contest between Apple, Windows and Linux laptops has ended in the Mac caving in first - in just two minutes.
The contest was part of the CanSecWest security conference in Vancouver, and was won by Charlie Miller, one of the security researchers who cracked Apple's iPhone last year.
Miller walked away with the $10,000 prize put up by the organisers, along with the MacBook Air he hacked.
No one was able to hack into any of the machines by attacking them over the network on the first day of the contest.
But Miller succeeded when the organisers allowed hackers to direct human operators of the three machines to visit websites and open emails.
Miller's exploit code was on a website and the Mac fell within two minutes. He was only able to use software preinstalled on the Mac, so experts assume that the vulnerability must lie with Apple's Safari browser.
However, Miller signed a non-disclosure agreement which means that the exploit will not be made public until Apple has been informed.
At the time of posting, the other two machines remain intact.
Any company that stores, processes or transmits credit card data must comply with the PCI DSS. The major credit card brands (Visa, MasterCard, Discover and American Express) aligned their individual protection programs to create the PCI DSS, an industry-wide framework for protecting consumers.
Below are some key aspects of becoming compliant with the PCI DSS:
- Install and maintain a firewall
- Do not use vendor-supplied defaults for passwords
- Develop configuration standards
- Protect stored data
- Encrypt transmission of cardholder data across public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Test systems regularly to ensure security is maintained over time and through changes
- Maintain an information security policy
For more information on security compliance click here...
Thursday, March 27, 2008
ISACA has asked me, as a proud ISACA credential holder, to pass along this message. We thought you might be interested in joining the ranks of more than 55,000 audit, control and security professionals who already hold the CISA designation, and more than 8,000 information security management professionals who are CISMs. As I have already experienced, certification increases your standing in your organization and makes you highly desirable to potential employers.
If you are seeking worldwide recognition for your unique IT audit, assurance or security experience and knowledge and want to distinguish yourself from others in your profession, then it is time to pursue a certification from ISACA.
For 30 years, the Certified Information Systems Auditor™ (CISA®) credential has been preferred by individuals and organizations around the world. More than 55,000 audit, control and security professionals have achieved this globally accepted standard since 1978.
Since 2002, the Certified Information Security Manager® (CISM®) has defined the role of professionals who have information security management responsibilities. ISACA has certified more than 8,000 CISMs to date.
Independent surveys by Foote Partners and Certification Magazine have named both CISA and CISM among the highest-paying certifications; each program is also accredited under ISO/IEC 17024 for its credentialing procedures and adherence to rigorous standards of performance.
Register online today at www.isaca.org/examreg. Don’t wait and miss the 9 April deadline!
For those seeking recognition for IT governance related knowledge and experience, ISACA is now accepting applications for our new credential, Certified in the Governance of Enterprise IT™ (CGEIT™). It is designed for professionals who have management, advisory and/or assurance responsibilities relating to the governance of IT. For more information on CGEIT and how to earn certification without taking an exam through the grandfathering provision, please visit www.isaca.org/cgeit.
Note: Because of the extreme popularity of the CISA and CISM credentials the online registration process accepts payments and is the preferred method for submitting exam registrations. Those who wait until the final deadline date may experience heavy registration volume, and we ask for your patience.
Anyone seeking additional information is encouraged to visit the ISACA web site at www.isaca.org/certification or contact the certification department by phone at +1.847.660.5660 or by e-mail at email@example.com.
ISACA Certification Department
With more than 65,000 members in 140 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA administers the CISA, CISM and CGEIT designations; sponsors international conferences; publishes the Information Systems Control Journal; and develops international information systems auditing and control standards.
In an article by Gregory Evans, I learned that hackers and tech-savvy paparazzi are targeting the wireless networks of entertainers and their managers. Some of them have been able to retrieve personal photos, private financial and medical documents and other items of interest. Evans states, “They know that one picture can be sold for hundreds of thousands of dollars to tabloid newspapers all over the world”.
These malicious acts are carried out by war driving through influential communities mainly populated by entertainers and their executive staff.
SearchMobileComputing.com defines war driving as the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. Because a wireless LAN may have a range that extends beyond an office building, an outside user may be able to intrude into the network, obtain a free Internet connection, and possibly gain access to records and other resources.
The need to properly secure wireless networks in the home or business is paramount. Not only will your personal data be at risk, but national security may also be an issue.
For more information on the risk to national security from insecure wireless networks, go to: http://www.securityorb.com/
Wednesday, March 26, 2008
One of the key aspects of conducting digital forensics pertains to the proper collection and authentication of the evidence. If the evidence is not collected properly, there is a very good chance the results of the examination will be questioned. Following digital forensic best practices, we typically conduct our examination on copies of the original evidence, often referred to as "forensic images". By doing so, the original data is protected from alteration, and it can be used to verify the authenticity of an analysis.
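The authentication step described above comes down to hashing: the original evidence is hashed before imaging, the image is hashed after, and any working copy is re-hashed before it is relied on. The following Python example is added here to illustrate that workflow; it is not code from the original post. It uses a small constructed byte string as the "original evidence" (the sample file, the temporary paths and the function names are all assumptions for this example), copies it to an image, records SHA-256 hashes on both sides, and then shows that a single altered byte in the working copy is caught by re-verification.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so large images do not exhaust memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source_path, image_path):
    """Make a byte-for-byte copy of the original evidence and hash both sides.

    Returns (source_hash, image_hash). The two must match before the image is
    used for analysis; the image is then marked read-only so accidental edits
    during the examination are less likely.
    """
    source_hash = sha256_file(source_path)
    shutil.copyfile(source_path, image_path)
    image_hash = sha256_file(image_path)
    if source_hash != image_hash:
        raise RuntimeError("acquisition failed: image does not match source")
    os.chmod(image_path, 0o444)
    return source_hash, image_hash


def verify_image(image_path, recorded_hash):
    """Re-hash a working copy and compare it to the hash recorded at acquisition."""
    return sha256_file(image_path) == recorded_hash


def demo():
    """Walk through acquisition, verification, and detection of a tampered copy.

    The 'original evidence' is a constructed byte string written to a temporary
    file; a real acquisition would image a whole device or partition the same way.
    """
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "original.bin")
    image = os.path.join(workdir, "evidence.img")
    with open(original, "wb") as f:
        f.write(b"constructed sample evidence: " + bytes(range(256)) * 64)

    source_hash, image_hash = acquire_image(original, image)
    intact = verify_image(image, source_hash)

    # Simulate one byte being altered on the working copy (e.g. by a careless tool).
    os.chmod(image, 0o644)
    with open(image, "r+b") as f:
        f.seek(100)
        f.write(b"\xff")
    tampered_detected = not verify_image(image, source_hash)

    shutil.rmtree(workdir)
    return {
        "hashes_match_at_acquisition": source_hash == image_hash,
        "image_verifies_before_analysis": intact,
        "tamper_detected": tampered_detected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The recorded hash is the piece that travels with the evidence in the chain-of-custody paperwork: anyone who later questions the examination can re-hash the original and the image and confirm they still match what was recorded at acquisition.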
Tuesday, March 25, 2008
Microsoft has warned the user community of a new, undocumented vulnerability in Microsoft's Excel spreadsheet program which is being used to launch computer attacks against specific targets. This vulnerability is being exploited to load a Trojan on select computer targets and has been rated "extremely critical" by Secunia.
According to eweek.com “The attackers are using booby-trapped Excel documents, sent by e-mail to the target's mailbox. If a rigged .xls document is launched, the exploit happens silently in the background, infecting the machine with a Trojan downloader that opens a backdoor and waits for instructions from a server controlled by the attacker”.
Microsoft has released an advisory on this issue.
For a more detailed story please access:
Sunday, March 23, 2008
Saturday, March 22, 2008
Kubuntu 8.04 (Hardy Heron) Beta Released
By Kellep A. Charles
Published on March 22, 2008, 5:44 PM EST
As an avid Linux user (Ubuntu and SuSE), I was pleased to see the release of Hardy Heron, which is the successor to Ubuntu 7.10.
Kubuntu 8.04 is scheduled to be released towards the end of April 2008. This release will introduce the future of desktop computing by incorporating the new KDE 4 desktop as well as providing continued support for the KDE 3.5 desktop.
You can install Kubuntu 8.04 by downloading the .iso file or you can upgrade from Kubuntu 7.10 to 8.04 Beta over the internet by following these few simple steps [Upgrade Instructions].
I am in the process of conducting both and will provide a full review soon.
Rod Beckstrom announced as first Director of the National Cyber Security Center (NCSC)
On Thursday, Homeland Security Secretary Michael Chertoff announced Rod Beckstrom as the first Director of the National Cyber Security Center (NCSC). Chertoff stated, “Rod will serve the department by coordinating cyber security efforts and improving situational awareness and information sharing across the federal government”.
Friday, March 21, 2008
The debate on whether vulnerabilities should be disclosed to force a vendor to fix the problem in a reasonable period, or kept covert until a fix has been implemented, has been a big discussion in the Information Security field. Black Hats, White Hats and even Grey Hats have their opinions. I personally have disclosed a vulnerability I discovered to a vendor, and have known others who have as well, only to witness slow responses to rectify the matter or no response at all.
In an article by the Enterprise IT Planet staff, one group feels immediate disclosure effects change at a brisker pace (WMF again) and encourages vendors to tighten up their development practices. Others point to the complexity of software today, where yesterday's feature becomes today's liability. They would say that out of respect for users, and the community at large, vendors should be given a chance to make things right.
What do you think?
Thursday, March 20, 2008
Classified Information Classification
I’ve often looked at the technological aspects of information security, but from some recent events, I will be spending the next few days focusing on some non-technical function of information security and protecting information assets.
Classified information can be categorized into three areas: top secret, secret and confidential.
Their descriptions are listed below:
Top Secret – The unauthorized disclosure of information can be expected to cause grave damage to national security.
Secret – The unauthorized disclosure of information can be expected to cause serious damage to national security.
Confidential – The unauthorized disclosure of information can be expected to cause damage to national security.
A person can access classified information provided that a favorable determination of eligibility for access has been made by an agency (Clearance), the person has a signed and approved nondisclosure agreement and the person has a “need-to-know” to access the information.
This is a very serious process and necessary to access classified information.
Thursday, March 13, 2008
Microsoft released four critical patches on March 11, this past “Patch Tuesday”. The patches fix problems in Microsoft Office products across all Office versions, as well as Outlook, Visual Studio .NET, BizTalk Server, Commerce Server, and ISA Server.
There are no patches for the Mac OS X operating system or its applications.
IT Security Policy The First Line of Defense
By Kellep A. Charles
Published on March 12, 2008, 12:34 AM EST
As a security professional, I am amazed when I find that an organization does not have an IT security policy in place.
An IT security policy is a statement by management as to how the organization will protect its resources from unauthorized access, alteration, or destruction. The IT security policy also provides a blueprint of management’s strategy regarding information security.
An IT security policy usually consists of the following categories:
1. Corporate Policy
2. Information Security Policy
3. Personnel Security Policy
4. Physical and environmental security policy
5. Computer & Networks Security Policy
* System Administration
* Network Policy
* Application Development Policy
6. Business Continuity Planning
The Purpose of an IT Security Policy
The purpose of the information security policy is to establish a corporate-wide approach to information security. It also prescribes mechanisms that help identify and prevent the compromise of information security and the misuse of corporate data, applications, networks and computer systems. Lastly, it implements effective controls for responding to incidents and external complaints.
Tuesday, March 11, 2008
Safari Web Browser and Online Fraud
PayPal says no…
By Kellep A. Charles
Published on March 11, 2008, 12:38 AM EST
PayPal, the leading e-commerce business allowing payments and money transfers to be made through the Internet, recently stopped recommending Apple’s Safari web browser for conducting transactions on its website. Safari currently lacks two very important anti-phishing security features that detect and prevent online fraud. Internet Explorer 7, Firefox 2 and Opera do have these critical anti-phishing features and have made the PayPal recommended list.
Michael Barrett, Chief Information Security Officer at PayPal stated, “Apple, unfortunately, is lagging behind what they need to do, to protect their customers”.
My recommendation to Mac OS X users on protecting yourself from online fraud is to not use Safari until Apple adds the anti-phishing capabilities. Even though Safari is the default web browser on the Mac OS X platform, Firefox and Opera are viable alternatives.
Send an email to Apple and tell them to get on the ball…
Thursday, March 6, 2008
A look into the ATM Risk
By Kellep A. Charles
Special to SecurityOrb.com
Published on March 7, 2008, 5:19 AM EST
Automated teller machines (ATMs) are again on the radar of many malicious computer hacking groups. Many ATMs face the same risk of infection as many of our desktop computers, due to their reliance on desktop PC technology and operating systems. Greater risk can be attributed to ATMs being linked to other machines in the bank's network, some of which are connected to the Internet.
History showed these weaknesses in 2003, when the Nachi Internet worm infiltrated "secure" networks and infected ATMs at two financial institutions, while the SQL Slammer worm indirectly shut down 13,000 Bank of America ATMs.
Nick Heath of Silicon.com states "It says the most effective way to protect against these new threats is to use a multifunction device with routing, firewall, intrusion detection system/intrusion prevention system and VPN (virtual private network) capabilities, positioned in front of, and protecting, the ATM network.
Such a device, the company said, should be separated from the rest of the bank's network, and all traffic coming out of the ATM should be encrypted."
Wednesday, March 5, 2008
The Internet has made it possible for people to communicate with anyone anywhere in the world. That is a scary thought when it comes to child safety on the Internet. On a daily basis, kids are online communicating in chat rooms without adult supervision, not really knowing whether the person on the other end is who they claim to be.
In the real world, we tell kids not to talk to strangers; the same idea needs to be enforced when it comes to using the Internet, if not more so… The number of predators and the anonymity they are able to obtain make the matter just that much more dangerous.
Some of the difficulties parents are facing deal with education and technology. When it comes to technology, kids are usually ahead of their parents in computing knowledge. Many of their activities, such as chatting and online video conferences, are easily hidden from the parents. Then you have the parents who do apply some form of security or privacy controls, such as content filters, for protection, only to have the kids bypass them.
It is a well-known fact that kids talk about ways to bypass the controls put in place to protect them.
Of the most victimized group of Internet
Teenage girls are the most often victimized of all the groups. Some of the techniques used by online predators are to:
1. Use seduction techniques
2. Try to win their confidence
3. Go after problem kids
4. Go after kids with low self-esteem
5. Go after kids with very few friends
The Internet predator will play with their emotions so the child will think this person understands them and be more open to further a relationship.
To report any suspicious activities, one of the best resources I can recommend is:
“The National Center for Missing and Exploited Children” at www.missingkids.com.
They have law enforcement, state and federal agencies that can assist with these matters.
Some tips that should help in protecting our kids:
1. Tell them to never give out personal information of any kind, and make a list of questions they should not answer.
2. Educate yourself and monitor what your kids are doing.
3. Pay attention to their Internet usage. If they are spending more time on the Internet than eating, playing or talking to friends, then something may be going on.