Your Ad Here

Thursday, July 17, 2008

Computer Malware and Preventive Recommendations

It’s often what we don’t know can hurt us the most…

That is the case when it comes to the effects of malware such as computer viruses, worms and Trojans.

Botnets are one of the fastest growing and the most dangerous threat on the Internet today. “Bot” stands for robot, which is a piece of software with some intelligence to perform a task and the “net” stands for network which is the collection of these bots.

Not all bots are bad, for example, intelligent software agents used in Microsoft Word or the ones used by search engine sites like Google are here to help the end user, whereas bots such as the Storm and Kragen botnet collection are here to disrupt end user activities.

The bots are small executable files that are very easy to spread. They can be spread through spam, music files located on file sharing systems, various Microsoft vulnerabilities that are not patched and host on a web site that pushes it to visitors in a technique call “drive-by download” (Very nasty and stealthy).

The thing that makes these bots so dangerous is their exponential growth factor. As more systems are infected, they also begin to scan to look for vulnerable system. Since additional computer systems use their recourses to recruit other systems, the growth can be enormous in a short period of time.

My recommendations are:
* Use a Mac OS X based system or even a Linux-based system if possible, if not

1. Make sure you have security controls in place (eg. Firewall, Anti-Virus, Anti-Spyware and IDS)
2. Make user they are licensed and updated regularly
3. Make sure you run them frequently or have them run at a time your computer will be on
4. Do not download free miscellaneous software from the Internet (eg. Screensavers and games)
5. Do not open attachments if you do not know from whom it is from or what the attachment is.
6. Be smart

For more information on botnets, their effects and detailed recommendation to prevent and remove malware, check out

Tuesday, July 15, 2008

States require a license to conduct data forensics

First off, I would like to apologize to Linda Musthaler and Brian Musthaler as well as IDG for not following the proper Blog etiquette on this posting by copying and pasting a entire article without providing my comments before hand. Linda brought this matter to my attention and I have edited this posting to be in “Blog Compliance”

The reason, I choose and posted this article, about 4 years ago while taking an instructor training course for AccessData in Texas, there was a discussion that Georgia was trying to implement similar requirements to conduct forensic examinations and how more and more states are passing laws that some people interpret as a requirement for Computer Forensic examiners to be licensed Private Investigators.

As more cases are performed and botched by inexperienced examiners, I feel there will be some licensing requirements for computer forensic examiners.

I have enclosed a link to a very interesting article which discusses some current issues on this topic:

Article can be accessed at:

Entire Article:

Laws in place to protect the chain of custody during any type of forensic investigation

Technology Executive Alert By Linda Musthaler and Brian Musthaler , Network World , 07/14/2008

In 2007, the state of Texas updated a law called the "Private Security Act" to insert a new clause that specifies that anyone who conducts computer data forensics that could potentially be used in a legal proceeding in the state must be a licensed PI.

The basic tenet of the new stipulation in the law is the protection of the chain of custody during any type of forensic investigation. If digital forensic data is to be used for a legal proceeding, it needs to be done by a professional who is trained and licensed in the practice of securing evidence and chain of custody. Traditionally, these people are law enforcement officials, lawyers and paralegals, and licensed private investigators.

An opinion written by the State of Texas Private Security Bureau is that “Computer repair or support services should be aware that if they offer to perform investigative services, such as assisting a customer with solving a computer-related crime, they must be licensed as investigators. The review of computer data for the purpose of investigating potential criminal or civil matters is a regulated activity under Chapter 1702 of the Texas Occupations Code, as is offering to perform such services.”

This law has broad ramifications for many people in IT professions, including hardware and software technicians and auditors. These people routinely analyze log data and other information on computers that may eventually be used in reports that could, someday, be called into question in court.

Related Content

For example, suppose the owner of a small business suspects one of his employees is creating bogus accounts and sending payments to those accounts. The business owner might ask a computer technician to study the computer logs to see what this employee is up to. The technician finds a clear digital trail of misconduct that points to the suspect employee and provides the “evidence” to the businessman in the form of a report. The business owner uses the information to dismiss the employee, who then sues his former employer for wrongful termination.

Unless the computer technician is a licensed PI, none of the information he dug up is admissible in court. Worse, both he and the business owner who used his services face misdemeanor charges for violating the Texas Private Security Act.

Several computer technicians from Houston and Austin have filed a lawsuit against the state, alleging that the law may inadvertently harm their businesses. An attorney handling the lawsuit says the law is so vaguely worded that it could be enforced broadly by the Private Security Board, the Texas agency that oversees licensing for the private security industry. The board interprets the law to cover any data retrieval for a “potential” civil or criminal matter. For all practical purposes in our litigious society, that is virtually everything.

Computer technicians aren’t the only ones concerned about the impact of this law. Auditing firms and law firms may also be ensnared by the law that requires licensing for anyone doing data retrieval and analysis for outside companies. (Companies can use their own employees to conduct internal investigations, but they cannot hire an unlicensed outsider to perform the same work.)

Texas isn’t alone in its efforts to have licensed investigators handle digital forensics. Georgia, New York, Nevada, North Carolina, South Carolina, Virginia and Washington also are pursuing digital forensic experts operating in their states without a PI license. Given the number of states with digital forensics laws and the vast extent of interstate commerce, these laws can have broad impact on IT professionals all across the country.

We don’t mean to downplay the importance of in-depth knowledge of the chain of custody of evidence. Of course it is important that evidence be properly collected and preserved if it is intended to be used in civil or criminal matters. But laws like the one in Texas could be creating a large and sharp dual edge sword for the digital forensic community  time and legitimacy.

Related Content

In Texas, a person must earn a criminology degree or undertake a three year apprenticeship with a licensed PI to attain a PI license. To specialize in an area of computer data forensics, the person also must master the intricacies of a combined Unix / Windows environment with its plethora of tools to monitor and control traffic / data, combined with all the tools required to extract digital evidence. He also must learn to analyze and interpret the data and ultimately opine on it. It can take years to understand enough about computers to be an expert.

With the Texas law, any licensed private investigator can take a class to learn how to use EnCase, a popular computer examination tool, and then declare himself to be a forensic expert. There are no further requirements for a technology-related degree or IT certification, experience or training.

To maintain legitimacy and comply with the law, large firms involved in digital forensics (e.g., law, audit, accounting and forensic firms) will hire a licensed PI that (in theory) oversees all of the digital forensic activities, and technically these firms will be following the letter of the law. Small service providers can’t afford to take this route, however, and this is the crux of the Texas lawsuit.

There are no easy answers, and we’ll just have to see how this one plays out. Meanwhile, be aware of the laws that may cover your business so you don’t run afoul of the law.

Article can be accessed at:

All contents copyright 1995-2008 Network World, Inc.

Monday, July 14, 2008

Storm worm exploits U.S., Iran tensions

McAfee warns users to be wary of e-mails with the headers 'The beginning of World War III' and 'USA declares war on Iran'

By Oliver Garnham, IDG News Service
July 10, 2008

The authors of Nuwar -- also known as the Storm worm -- are exploiting the escalating political tensions between the U.S. and Iran to encourage users to download the malware, according to McAfee Avert Labs.

The security firm has warned people to be wary of e-mails with the headers "The beginning of World War III" and "USA declares war on Iran." The e-mails promise to link to a video showing the beginning of World War III, but clicking on the link actually triggers an automatic download of the file iran_occupation.exe, McAfee said.

The Storm worm was first detected in January 2007, but has reappeared in various guises several times over the past 18 months.

The malware has been used in a confirmation spam scam and has been employed in blogs and Web message forums. It also hit the headlines in April when malware makers gave it an April Fool's Day theme.

Friday, July 11, 2008

Licensing Changes Coming for the Nessus Vulnerability Scanner

Licensing Changes Coming for the Nessus Vulnerability Scanner

Tenable, vendor of Nessus, has changed its licensing structure for the vulnerability scanner. Starting August 1, 2008, the 'RegisteredFeed', used to obtain signatures, will no longer be available. Users of the product have the option of obtaining either the 'HomeFeed' or the 'ProfessionalFeed'. HomeFeed remains free and is licensed only for use on personal home networks. It has the same vulnerability updates contained in the ProfessionalFeed. The new licensing policy does not allow commercial and government users to scan with the latest updates without an upgrade to ProfessionalFeed. The cost of the ProfessionalFeed will be $1200 a year, and includes compliance checks (PCI, etc.). The ProfessionalFeed also provides subscribers with the latest vulnerability and patch audits, configuration and content audits, and commercial support for their Nessus 3 installation.

For Additional Information Refer to:

The Continuing Threat: Identity Theft

Identity Theft is a continuing threat that has brought great inconveniences and expenses to many victims.  Dept of Justice stated Identify Theft is the fastest growing white collared crime in recent the past five years.

The accessibility of the internet has given identity thieves access to a wealth of personal information.  Online brokers gather data such as social security numbers, driving records and employment information from publicly available records, customer provided forms and credit card applications.

Identity thieves purchase reports with stolen credit cards and use the information to obtain phony documents and credit cards.

Furthermore, social engineering, malware infections and dumpster diving has all led to the growing issues of identity theft.

Tuesday, July 8, 2008

FISMA is taking on new life only this time, in the form of "FISMA II" or "FISM

FISMA is taking on new life  only this time, in the form of "FISMA II" or "FISMA Phase II."

By Shawn P. McCarthy

"They mean the same thing, although, unfortunately, the name itself is a bit confusing. The original (and still current) Federal Information Systems Management Act of 2002 was a major piece of legislation that continues to have an impact on the way agencies handle their security audits and reporting. Among other things, FISMA sets mandatory processes to be followed by all government IT systems, whether they are operated by the government or by a federal contractor.

FISMA II, on the other hand, is not an act of Congress, nor is it an official update of FISMA. Instead, it's an informal term for a federal credentialing program coordinated by the National Institute of Standards and Technologies' Computer Security Division. Think of it as an effort to build a set of qualifications that can be used to establish the credentials for the people who provide security assessments.

Adding to the confusion: There have been bills proposed in Congress that include updates to security rules. Some of those have unofficially been referred to as FISMA II while under discussion. However, no legislation has been passed, nor can any bill be considered a serious contender, as a replacement for the famed FISMA.

But regardless of the confusion, it's not fair to call FISMA Phase II a misnomer. It's a genuine effort to extend the effectiveness of FISMA by helping federal agencies choose the right people to conduct their security audits and improve the overall security of their systems.

FISMA Phase II is an increasingly formalized accreditation process for FISMA compliance assessment teams. Requiring such teams to show that they have a full understanding of and competence in NIST's Risk Management Framework should assure better long-term compliance with FISMA.

In the past few years, many agencies have moved toward a risk-management approach to security, making sure they address their most risky and vulnerable issues first. Agencies typically hire contractors to help them certify and accredit their systems to meet FISMA requirements. It is important that they be confident that the contractors they hire can assure the NIST framework is being met.

According to Ron Ross, senior computer scientist, "FISMA is really a three-legged stool." He said it consists of the legislation, the associated standards and guidelines developed by NIST with help from agencies, and the monitoring and reporting process that leads toward assessment and improvement.

To make sure assessment teams are monitoring the right things, NIST is developing training programs, testing programs and establishing ways for such teams (whether they are government employees or commercial service
providers) a way to demonstrate competence. They also want to be sure monitoring teams conduct on-site inspections, are capable of doing product-level evaluations, and that they understand things such as the Security Content Automation Protocol, the Federal Desktop Core Configuration initiative and more.

The idea for such credentialing has been around since at least 2006, and last fall NIST launched a formal project to develop security credentials based on its FISMA security and risk management guidance.

One criticism of FISMA is that it encourages and certifies compliance, but that doesn't necessarily mean improved security.

"We hear that a lot," said Ross. But he stressed that certification and compliance are a major step toward more secure systems. "It's our hope that we get to the point where compliance equals security." Essentially that would mean measuring the right set of things at the right time to assure very tight security under the NIST risk management framework for IT systems.

Next on the organization's agenda: a joint project with the Director of National Intelligence and Defense Department to transition to a single set of standards and guidelines for security certification and accreditation."


Thursday, July 3, 2008

"Google Gives Away Free Web Application Security Scanner"

"Google Gives Away Free Web Application Security Scanner"

Jeremy Kirk, IDG News Service
Thursday, July 03, 2008 5:20 AM PDT

Google has released for free one of its internal tools used for testing
the security of Web-based applications.

Ratproxy, released under an Apache 2.0 software license, looks for a
variety of coding problems in Web applications, such as errors that
allow a cross-site scripting attack or cause caching problems.

"We decided to make this tool freely available as open source because we

feel it will be a valuable contribution to the information security
community, helping advance the community's understanding of security
challenges associated with contemporary web technologies," wrote
Michal Zalewski on a company security blog.

Ratproxy -- released as version 1.51 beta -- is quick and less intrusive

than other scanners in that it is passive and does not generate a high
volume of attack-simulating traffic when running, Zalewski wrote. Active

scanners can cause problems with application performance.

The tool sniffs content and can pick out snippets of JavaScript from
sheets. It also supports SSL (Secure Socket Layer) scanning, among other


Since it runs in a passive mode, Ratproxy highlights areas of concern
"are not necessarily indicative of actual security flaws. The
gathered during a testing session should be then interpreted by a
professional with a good understanding of the common problems and
models employed in web applications," Zalewski wrote.

Google has posted an overview of Ratproxy as well as a download link to
the source code. Code licensed under the Apache 2.0 license may be
incorporated in derivative works, including commercial ones, but the
origin of the code must be acknowledged.

Weak web application security continues to embarrass companies,
potentially causing the loss of customer or financial data.

A 2006 survey by the Web Application Security Consortium found that
percent of 31,373 sites were vulnerable to cross-site scripting attacks,

26.38 percent were vulnerable to SQL injection and 15.70 percent had
faults that could lead to data loss.

As a result, security vendors have moved to fill the need for better
security tools, with large technology companies acquiring smaller,
specialized companies in the field.

In June 2007, IBM bought Watchfire, a company that focused on Web
application vulnerability scanning, data protection and compliance
auditing. Two weeks later, Hewlett-Packard said it would buy SPI
a rival of Watchfire whose software also looks for vulnerabilities in
Web applications as well as performing compliance audits."

See also