
Saturday, November 29, 2008

CCNA Security Certification



CCNA Security Certification meets the needs of IT professionals who are responsible for network security. It confirms an individual's skills for job roles such as Network Security Specialists, Security Administrators, and Network Security Support Engineers. This certification validates skills including installation, troubleshooting and monitoring of network devices to maintain integrity, confidentiality and availability of data and devices and develops competency in the technologies that Cisco uses in its security structure.

Students completing the recommended Cisco training will gain an introduction to core security technologies as well as how to develop security policies and mitigate risks. IT organizations that employ CCNA Security-holders will have IT staff that can develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.

Exam Description

The 640-553 IINS Implementing Cisco IOS Network Security exam is associated with the CCNA Security certification. This exam tests a candidate's knowledge of securing Cisco routers and switches and their associated networks. It leads to validated skills for installation, troubleshooting and monitoring of network devices to maintain integrity, confidentiality and availability of data and devices and develops competency in the technologies that Cisco uses in its security infrastructure.

Candidates can prepare for this exam by taking the Implementing Cisco IOS Network Security (IINS) course.

SANS OnDemand training free GIAC Certification attempt

Sign up for SANS OnDemand training before December 8, 2008, and you'll
receive the corresponding GIAC Certification attempt for free (a $499
value)! To register for this offer, go to
http://www.sans.org/info/35724 and use the discount code ODEY_GIAC.

Also for this limited time, receive free GIAC Certification attempts
with any OnDemand Flex Pass! Go to http://www.sans.org/info/35924 for
information on our OnDemand Flex Passes.

Sometimes the realities of limited travel budgets, or the difficulty of
being out of the office or home for a week, make it impossible to attend
a live training event. With SANS OnDemand online training and assessment
program, you have access to SANS' high quality, intensive, immersion
training at your convenience - anytime, anywhere. And according to
student feedback, OnDemand is simply one of the best tools to prepare
for GIAC exams.

"I have several GIAC certs. My highest exam scores are from when I use
OnDemand training." - Brad Fulton, SMS Data Products

Not sure online training is for you? Try any of our OnDemand course
demos at http://www.sans.org/info/35724.

With SANS OnDemand, students receive:
- Up to 4 months of access to our 24/7 online training and assessment system
- Full set of course books and hands-on CDs
- Synchronized online courseware and lectures
- Integrated assessment quizzes throughout the course
- Access to OnDemand Virtual Mentors
- Labs & hands-on exercises
- Progress Reports

If you have any questions about SANS OnDemand, write to
ondemand@sans.org or call us at (301)654-7267.

And remember that every SANS OnDemand purchase earns you points towards
future OnDemand training! http://www.sans.org/info/35729

Be sure to tell your friends and colleagues about this great
opportunity!

Kind Regards,

Kimie Cabreira
Director
SANS OnDemand

**************************

SANS is pleased to announce our new Training and Events Calendar - an
easy way to see what opportunities are available to you during the
coming month! The current calendars are now available for download from
http://www.sans.org/info/7926. For another option, consider SANS' seven
ways to Train Without Travel at: http://www.sans.org/info/28689.

SANS' Webcasts are free live Web broadcasts that allow you to hear a
knowledgeable speaker while viewing presentation slides that you
download in advance. To learn more or to subscribe to our Webcast
calendar go to http://www.sans.org/info/13271.

*******************************

Friday, November 28, 2008

10 Tips for Cyber Monday Safety

I have written and talked about the security issues associated with Cyber Monday, which will occur on Dec. 1, 2008. Cyber Monday is the name given by online retailers and e-commerce experts to the Monday following the Thanksgiving holiday. Paralleling the in-store traffic spike of its Black Friday counterpart, analysts have pointed to significant spikes in online shopping on Cyber Monday. Coined in 2005, the term was fueled by promotions such as free gifts and free shipping, as well as by the faster Internet connections many people had at home.

Here is an interesting article on how to stay safe this upcoming shopping season.

From: http://www.bankinfosecurity.com/

10 Tips for Cyber Monday Safety
November 28, 2008 - Linda McGlasson, Managing Editor


Financial institutions that want to help their customers avoid the season's thieves online will be ready & willing - ready with advice and willing to answer questions.

Here's a list of some of the top advice from computer security vendors and experts for those brave souls that will venture into Cyber Monday shopping expeditions.

1. Know Thy Seller. A good rule of thumb to follow is if the merchant isn't someone you've done business with before, be wary of them. If you got an unsolicited email touting their site, don't click on it or open it. A good way to check up on a merchant is to get information through the Better Business Bureau or through comparison shopping sites such as buysafeshopping.com.

2. Run a Clean Machine. Having the latest updated anti-virus and anti-malware software installed on your PC should be a priority. A whopping 20 percent of computers don't run this software or even have a firewall in place. If you need help, ask. It's better to be protected than fearing you'll look like a dummy because you don't know how to update your PC. Good places to get information about security software include the Department of Homeland Security's US-CERT.gov, StaySafeOnline.info or OnGuardOnline.gov. Be sure to buy your software from reputable, well-known AV companies.

3. If In Doubt, Delete! When opening email, be smart. Most people can recognize spam mail or email that doesn't belong in their inbox. When in doubt, delete an email. Spam or unsolicited email can often contain links, which if clicked on, can infect a PC.


4. Look For Security Signs. When on a company's Internet site, check for the following security signals to ensure you're where you're supposed to be. Note if the web address begins with "https" -- this means you're on a secure server using SSL encryption. Also look for a padlock icon at the bottom of the browser page. Click on it and you'll see the site address. The address will match the web site address at the top of the page. If they don't match, get off the site immediately. Using the latest browsers including Microsoft Internet Explorer 7 or Firefox 3 will allow you to see "green" visual cues on websites with extended validation (EV) SSL Certificates.

5. Check Your Credit Report. This isn't just something you should do during the holidays, but year 'round, and at minimum at least once a year with all three of the credit reporting companies, Experian, TransUnion, and Equifax. Regularly monitoring your credit card and institution account transactions online keeps unapproved users from pilfering your money and reduces the chance of you falling victim to identity theft.

6. Password Sharing A BIG No-No. This is one of the biggest problems that security professionals face at corporations, and consumers are just as lax with friends and families sharing passwords. If you do happen to share a password to a website with your family or a friend or two, don't use the same password for your online banking account or other sensitive site.

7. Don't Fall For A Cheap Price. The old adage "There's a sucker born every minute" was said long before the Internet was invented, but criminals are still out there plying their fake designer watches, clothes, electronics and other items to foolish shoppers who think they're getting the real deal at a discount price. If a website is offering an item for an extremely low price, beware. That $20 iPod Nano isn't worth the box it will arrive in. Usually the end result is only the disappointment of getting a shoddy knock-off. But paying with a credit card could also open you up to fraud and other charges on your card you didn't expect, and may also open you to identity theft if you've given out other information.

8. No Address or Phone Means No Deal. If you do find a small merchant that has just the item you're looking for at an unbelievable price, see if they've got an address and phone number. Call and ask for more information or a catalog. Your call goes to voice mail? Watch out; you may have wandered onto a criminal's website. If you do get someone on the phone, ask questions about their privacy policy and refunds or resolution policy. If you don't like what you hear, go somewhere else. Print out and keep receipts of all transactions to back up any return requests.

9. Use Credit, Not Debit. Credit cards are the safest method for online purchases. Experts advise not to use debit cards for online purchases because they pull money directly from your bank account. If something goes wrong, or turns out to be fraudulent, it can take months to get your money back. If you are able to get it back. The Federal Trade Commission says federal law limits liability to $50 in charges if someone uses your credit card fraudulently. You could also use third-party escrow services such as PayPal.

10. Shop At Home. Avoid sharing computers, just like you should avoid sharing passwords. Performing sensitive transactions such as giving out credit card numbers or checking your online bank account should be done at a computer only you use. Logging in and doing these transactions on shared computers at libraries or other places where anyone can use them is dangerous. Hackers can easily install a keylogger onto the computer, and it captures everything that is typed onto the keyboard, including sensitive information like passwords, credit card numbers and bank account numbers.

Wednesday, November 26, 2008

Hakin9 Security Magazine - FREE Download

This is a good magazine, I recommend you download it...


Hakin9 is one of the greatest security magazines. It presents in-depth articles on security testing and general security issues.

As a Thanksgiving gift you can download an issue in PDF format for FREE.

Click here to download your FREE issue

Take advantage of this offer to discover what the magazine is all about.

I am sure you will enjoy it.

Best regards

Clement Dupuis
Maintainer of www.cccure.org
The CCCure Family of Portals

MS08-067 - Worm is Attacking Windows Security Hole

Security researchers at Microsoft Corp. Tuesday warned of a significant climb in exploits of a Windows bug it patched with an emergency fix last month, confirming earlier reports by Symantec Corp.

Microsoft again urged users to apply the MS08-067 patch if they have not already done so.

The new attacks, which Microsoft's Malware Protection Center said began over the weekend but spiked in the past two days, use the same worm Symantec first spotted last Friday.

Dubbed "Conficker.a" by Microsoft and "Downadup" by Symantec, the worm exploits the vulnerability in the Windows Server service, used by all versions of the operating system to connect to file and print servers on a network. Microsoft patched the bug in an out-of-cycle update five weeks ago after it discovered a small number of infected PCs, most of them in Southeast Asia.

Full article at InfoWorld.com

McColo Shutdown Does Not Stop Spammers

In the spirit of entrepreneurship, spammers are finding new ways to send out their junk mail just weeks after the shutdown of a major web-hosting firm took many of them off the map.

According to Message Labs, a division of Symantec, after Web-hosting company McColo Corp. was shut down two weeks ago, spam levels declined by 65 percent. Now new analysis finds spam levels are returning to two-thirds of what they were before the McColo Corp.

Full article at Infoworld.

Federal Tech News... [SecurityOrb.com]

Experts tackle guidance to stop cyber attacks

A group of information security analysts in government and industry plans to publish guidance in six months to identify the most effective protections against the vulnerabilities most often exploited in cyber attacks, according to John Gilligan, president of the Gilligan Group and former chief information officer of the Air Force and Energy Department. He leads the effort.

The ultimate goal of the organization, which has not yet been named, is to get the Office of Management and Budget to revise its security guidance and for agencies to incorporate those guidelines, Gilligan said Nov. 21 at a security conference sponsored by 1105 Government Information Group, which publishes Federal Computer Week.

Source: http://www.fcw.com/online/news/154505-1.html?topic=security


The Trusted Internet Connection

The Trusted Internet Connection initiative (also known as TIC, Office of Management and Budget (OMB) Memorandum M-08-05) is mandated in an OMB Memorandum issued in November of 2007. The memorandum was meant to optimize individual external connections, including internet points of presence currently in use by the Federal government of the United States. It includes a program for improving the federal government’s incident response capability through a centralized gateway monitoring at a select group of TIC Access Providers (TICAP).[1]

The initial goal for total number of federal external connections and internet points of presence was 50.[2]

National Cyber Security Initiative will have a dozen parts

President Bush's largely classified governmentwide cybersecurity initiative will have a dozen components designed to better protect computer networks and systems, and to improve information technology processes and policies, a Homeland Security Department official said on Thursday.

President Bush signed National Security Presidential Directive 54/Homeland Security Presidential Directive 23 — more commonly known as the Comprehensive National Cyber Security Initiative — in January, but few details have been made public. Work already is underway on some of the initiative's 12 components, said Steven Chabinsky, deputy director of the Joint Interagency Cyber Task Force, during a panel discussion at the Symantec Government Symposium.

Felony charges dropped against teacher in porn/spyware case

Interesting article from Elinor Mills at CNET.com about the recent ruling in the case of a teacher accused of exposing students to porn. The actual link is here, or you can read it below.

A Connecticut substitute teacher arrested four years ago for allegedly showing students porn on a classroom computer has been cleared of the felony charges--for now--after experts pointed the finger at spyware.

Julie Amero, 41, agreed to plead guilty to a misdemeanor count of disorderly conduct, pay a $100 fine, and surrender her teaching license, according to the Hartford Courant. The ordeal left her hospitalized for stress and heart problems, the report said.

The Superior Court judge in Norwich on Friday tossed out the charges that she had endangered children by intentionally causing "pop-up" pornography to display on her computer and ordered a new trial after computer forensics experts presented evidence about the spyware. Judge Hillary B. Strackbein said the conviction was based on "erroneous" and "false information."

Despite the expert evidence, and the fact that state prosecutors never conducted a forensic examination of the hard drive, New London County State's Attorney Michael Regan said he remained convinced of Amero's guilt and was prepared to take the case to trial again.

The security expert who led a team of forensic volunteers in the case is outraged that officials are dismissing the evidence about the dangers of spyware.

"Regan's pronouncement of his certainty of her guilt speaks to his ignorance and unwillingness to learn the facts of this case, and the facts of what PC viruses can do to a computer and, in some cases, a life," Alex Eckelberry, chief executive of security firm Sunbelt Software, wrote on The Julie Blog, a site spawned by the Amero case and which is focused on seeking fairness in the intersection of law and technology.

"All of our forensic investigators felt it was a complete miscarriage. It was clear she was absolutely innocent," he told the Hartford Courant. "The mistakes and misinformation that occurred in that courtroom were astounding."

Amero suffered because the school system failed to keep the computer updated with software to block the pornography, experts said.

The case serves as an important lesson for everyone--use antivirus, antispyware, and other security software and update it regularly.

LinkedIn Groups

Please join me in the following LinkedIn groups below. I have additional information as well as free access to white papers, security presentations and much more...

SecurityOrb Group: http://www.linkedin.com/e/gis/157386

Certified IT Security Practitioners: http://www.linkedin.com/e/gis/1045907

Monday, November 24, 2008

Black Friday and Cyber Monday could bring disasters...

The weekend after Thanksgiving marks the massive start of the holiday shopping season. But it’s also become the time when hackers come out to play, creating mischief and mayhem for unsuspecting computer users.

The term Cyber Monday refers to the Monday immediately following Black Friday, the ceremonial kick-off of the holiday online shopping season in the United States between Thanksgiving Day and Christmas. Whereas Black Friday is associated with traditional brick-and-mortar stores, "Cyber Monday" symbolizes a busy day for online retailers. The premise was that consumers would return to their offices after the Black Friday weekend, making purchases online that they were not able to make in stores. Although that idea has not survived the test of time, Cyber Monday has evolved into a significant marketing event, sponsored by the National Retail Federation's Shop.org division, in which online retailers offer low prices and promotions.

Saturday, November 22, 2008

Myspace and Facebook Privacy

Online social network sites such as MySpace, Facebook and even personal blogs have become part of the interviewing process when companies are making a decision on bringing someone on board.

It seems like President–elect Obama’s administration is following suit.

President-elect Barack Obama’s transition team wants to know all about job candidates' lives before giving them a post in his administration by asking information about spouses' jobs and children’s lives. Applicants must include any e-mails that may embarrass the president-elect, any blog posts and even links to Facebook and MySpace pages.

Friday, November 21, 2008

Upcoming Security Conferences for 2009

ShmooCon 2009
Feb 6 - 8, 2009
Wardman Park Marriott, Washington DC, USA
https://www.shmoocon.org/

First Annual BOSS Conference & Sourcefire Users Summit!
February 8-10, 2009
Flamingo Las Vegas!
http://www.bossconference.com/

Black Hat DC Briefings 2009
February 16-19, 2009
Hyatt Regency Crystal City
http://www.blackhat.com/html/bh-dc-09/bh-dc-09-main.html

8th Annual Security Conference
April 15-16, 2009
Las Vegas, NV, USA.
http://www.security-conference.org/

Wednesday, November 19, 2008

Apache HTTP Server mod_rewrite Vulnerability

Description
A vulnerability exists in Apache that may allow for code execution or a denial of service.

Observation
Apache is a popular, open source web server. A vulnerability in the mod_rewrite module may allow remote code execution or a denial of service. The flaw is reachable only when 1) a RewriteRule lets the client control the initial portion of the rewritten URL and 2) the rule uses none of the flags that take the request off the vulnerable path, such as Forbidden (F), Gone (G) or NoEscape (NE). A default Apache installation is not vulnerable because it does not enable or use the mod_rewrite module.
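To make the two conditions above concrete, here is an added example (not from the Apache project or from this advisory) that scans an httpd.conf for RewriteRule lines that satisfy both: the substitution begins with a back-reference or server-variable expansion that the client controls, and none of the F, G or NE flags are present. The sample configuration, the function names and the regular expressions are constructed for illustration; the check is a heuristic for finding rules worth reviewing, not a substitute for upgrading.

```python
import re

# Flags that take the rewritten URL off the code path the advisory describes:
# F (forbidden) and G (gone) answer without rewriting, NE (noescape) skips escaping.
SAFE_FLAGS = {"F", "FORBIDDEN", "G", "GONE", "NE", "NOESCAPE"}

# A substitution whose first characters come from a back-reference ($1, %1)
# or a server-variable expansion (%{...}) lets the client pick the start of
# the rewritten URL, which is condition 1 in the advisory.
CLIENT_CONTROLLED_START = re.compile(r"^(\$\d|%\d|%\{)")


def parse_flags(flag_field):
    """Turn a flag field such as '[NE,L,R=301]' into {'NE', 'L', 'R'}."""
    if not (flag_field.startswith("[") and flag_field.endswith("]")):
        return set()
    return {
        f.split("=", 1)[0].strip().upper()
        for f in flag_field[1:-1].split(",")
        if f.strip()
    }


def risky_rewrite_rules(conf_text):
    """Return (line number, line) for every RewriteRule that matches both
    conditions: client-controlled URL start and none of the F/G/NE flags.
    Assumes the usual unquoted 'RewriteRule pattern substitution [flags]'
    layout; quoted arguments containing whitespace are out of scope here."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith("rewriterule"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed directive; Apache would reject it anyway
        substitution = parts[2]
        flags = parse_flags(parts[3]) if len(parts) > 3 else set()
        if substitution == "-":
            continue  # '-' means no substitution is performed
        if CLIENT_CONTROLLED_START.match(substitution) and not (flags & SAFE_FLAGS):
            findings.append((lineno, line))
    return findings


# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = """\
# constructed sample httpd.conf fragment
RewriteEngine On
RewriteRule ^/old/(.*)$ /new/$1 [L]
RewriteRule ^/go/(.*)$ $1 [R,L]
RewriteRule ^/mirror/(.*)$ %{HTTP_HOST}/$1
RewriteRule ^/blocked/(.*)$ $1 [F]
RewriteRule ^/legacy/(.*)$ $1 [NE,R=301]
RewriteRule ^/noop - [L]
"""

if __name__ == "__main__":
    for lineno, line in risky_rewrite_rules(SAMPLE_CONF):
        print(f"line {lineno}: review this rule -> {line}")
```

Run against the sample, only the `/go/` and `/mirror/` rules are reported: `/new/$1` starts with a fixed path, the `[F]` and `[NE,...]` rules are excluded by their flags, and `-` performs no substitution at all.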

Recommendation
The vendor has made updates available for remediation: http://httpd.apache.org/
Sun Microsystems has released patches for affected Solaris 8, 9, and 10 systems. Please refer to the vendor's advisories for more information:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102662-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102663-1

CVE
CVE-2006-3747

SANS/FBI top 20
No

IAVA
No

Tuesday, November 18, 2008

CNN.com Cross-Site Scripting Vulnerability

I love CNN, so I am not hating on them at all…

Just an FYI - I would probably refrain from browsing CNN for the meantime and definitely don't click on any articles within the My Recently Viewed Pages due to a cross site scripting vulnerability...

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting on websites accounted for roughly 80% of all documented security vulnerabilities. Often during an attack "everything looks fine" to the end user, who may be subject to unauthorized access, theft of sensitive data, and financial loss. (Wikipedia)


Version Summary:

A cross-site scripting vulnerability exists on CNN.com that could potentially allow unauthenticated, remote attackers to modify content on the website, which could lead to further attacks.

Description

CNN.com is susceptible to a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script code in the browsers of users viewing the affected pages.

The vulnerability exists due to an input validation error on certain parameters passed to the server. Attackers could inject arbitrary script code into these parameters to perform the attack. The flaw specifically exists in the tracking cookie's js_memberservices.mrv value, which is set whenever the user clicks on an article within the My Recently Viewed Pages section. The cookie values are stored as a URI-encoded string that is not properly filtered before being written back into the page. The values accept arbitrary HTML, JavaScript and double quotes, which lets the attacker break out of the surrounding markup and inject script that runs in the context of CNN.com.

While there have been no reported attacks, an exploit could potentially allow the attacker to modify content on CNN.com, such as posting false news stories or performing drive-by download attacks. Attackers could leverage this flaw to aid in spamming and phishing type attacks using CNN.com.

Administrators are advised to review the Cisco Applied Mitigation Bulletin: Understanding Cross-Site Scripting (XSS) Threat Vectors.
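As an added illustration (not CNN's code and not part of the advisory), the following Python sketch models the pattern described above: a URI-encoded list of titles is read from a cookie and rendered into the My Recently Viewed Pages list. The cookie layout, the function names and the payload are assumptions made for this example. The contrast is between writing the decoded value straight into the markup and escaping it for each context it lands in, the text node and the href attribute.

```python
import html
from urllib.parse import quote, unquote


def parse_mrv_cookie(cookie_value):
    """Assumed cookie layout for the example: URI-encoded titles joined by '|'."""
    return [unquote(t) for t in cookie_value.split("|") if t]


def render_recent_vulnerable(cookie_value):
    """Decoded titles are written straight into the markup, so any '<', '>'
    or '"' that arrived in the cookie becomes live HTML in the victim's page."""
    items = [
        f'<li><a href="/article?t={t}">{t}</a></li>'
        for t in parse_mrv_cookie(cookie_value)
    ]
    return '<ul id="mrv">' + "".join(items) + "</ul>"


def render_recent_safe(cookie_value):
    """Same list, but each title is escaped for the context it lands in:
    HTML-escaped (quotes included) as text, percent-encoded inside the href."""
    items = [
        f'<li><a href="/article?t={quote(t, safe="")}">'
        f"{html.escape(t, quote=True)}</a></li>"
        for t in parse_mrv_cookie(cookie_value)
    ]
    return '<ul id="mrv">' + "".join(items) + "</ul>"


# Constructed cookie value an attacker could plant (not a real CNN payload).
# It decodes to:  "><script>alert(document.cookie)</script>
EVIL_COOKIE = "%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"

if __name__ == "__main__":
    print("vulnerable:", render_recent_vulnerable(EVIL_COOKIE))
    print("safe:      ", render_recent_safe(EVIL_COOKIE))
```

The leading `%22%3E` is what the advisory's "double quotes" point refers to: once decoded, `">` closes the href attribute and the anchor tag, and the `<script>` that follows is parsed as markup by the browser. Escaping per context keeps the same characters in the page as inert text.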

Monday, November 17, 2008

Spam drop could boost Trojan attacks

Interesting article from Infoworld.com

After rogue ISP McColo was taken offline, global spam was estimated to have dropped by 50 to 80 percent, but spammers are starting to reconstitute botnets elsewhere.

You can find the article here.

Obama BlackBerry Email Security Issue


President-elect Obama may have to give up his BlackBerry when he starts his new job at the White House. The concern is e-mail security. In addition to e-mail security, he faces the Presidential Records Act, which puts his correspondence in the official record and ultimately up for public review, and the threat of subpoenas.

A decision has not officially been made on whether he could become the first e-mailing president, but aides said that seemed doubtful.

Friday, November 14, 2008

Security Tech Notes

SecurityOrb.com Security Tech Notes

Certified Information Systems Auditor (CISA) Exam

CISA Exam date is December 13, 2008.

Registration for the 2008 December CISA, CISM and CGEIT exams is now closed. Our next exam offering is 13 June 2009. Registration for the June exam is expected to open in December 2008, please check back then. Thank you for your interest.


Mozilla Updates

Mozilla on Wednesday released Firefox 3.0.4, a security and stability update to its popular open source Web browser.

The update addresses nine Security Advisories, some of which cover multiple vulnerabilities. Four are rated "critical," two are rated "high," two are rated "important," and one is rated "low."
Source: http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleID=212002397&subSection=OpenSource


Linux
Canonical announced it will port Ubuntu Desktop Linux to the ARMv7 architecture. Targeted at netbooks, the Ubuntu ARM distribution could set the stage for Intel to lose the "software advantage" that has enabled x86 to shrug off attacks from other architectures for the last 30 years.
Source: http://www.desktoplinux.com/news/NS8395222090.html

Google’s Chrome Update
After the recent updates from Firefox and Opera in the form of Firefox 3.1 Beta and Opera 9.6, its Chrome's turn to go under the knife. Most users might have noticed how Mozilla has concentrated on speed with the latest Firefox update. Opera, on the other hand, now has even more features under its belt, retaining its position as one of the most feature packed browsers available now - off the shelf. And yes, support for three Indian languages in Opera too has been a welcome addition.
Source: http://www.techtree.com/India/News/Chrome_Updated_Enhanced_Security_Performance/551-94643-643.html

Mac OS X
The Mac’s virtualization space for supporting Windows keeps progressing. Parallels Desktop Version 4, released on Tuesday, offers better performance, improved battery life, printer sharing and improved file management and access between the Mac and Windows desktops, the company said.
Source: http://blogs.zdnet.com/Apple/?p=2499




Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software

(1) CRITICAL: Microsoft XML Core Services Multiple Vulnerabilities (MS08-069)
(2) CRITICAL: Microsoft SMB Credential Stealing Vulnerability (MS08-068)
(3) CRITICAL: Mozilla Multiple Products Multiple Vulnerabilities
(4) CRITICAL: ClamAV Unicode Processing Buffer Overflow
(5) HIGH: Apple Multiple Products Multiple Image Processing Vulnerabilities
(6) HIGH: SAP GUI ActiveX Control Remote Code Execution Vulnerability

CRITICAL: Mozilla Multiple Products Multiple Vulnerabilities
Affected:
Mozilla Firefox versions 3.x
Mozilla SeaMonkey versions 1.1.x
Mozilla Thunderbird versions 2.x

Description: Mozilla Firefox contains multiple vulnerabilities in its
handling of a variety of inputs. Flaws in the processing of web pages,
script input, URIs, XML documents, JAR files, and other input can lead
to a variety of vulnerabilities including arbitrary code execution with
the privileges of the current user. Due to the shared codebase among the
various Mozilla products, Mozilla SeaMonkey and Mozilla Thunderbird are
also vulnerable to some of these issues. Full technical details for
these vulnerabilities are publicly available via source code analysis.

Status: Vendor confirmed, updates available.

References:
Mozilla Advisories
http://www.mozilla.org/security/announce/2008/mfsa2008-51.html
http://www.mozilla.org/security/announce/2008/mfsa2008-52.html
http://www.mozilla.org/security/announce/2008/mfsa2008-53.html
http://www.mozilla.org/security/announce/2008/mfsa2008-54.html
http://www.mozilla.org/security/announce/2008/mfsa2008-55.html
http://www.mozilla.org/security/announce/2008/mfsa2008-56.html
http://www.mozilla.org/security/announce/2008/mfsa2008-57.html
http://www.mozilla.org/security/announce/2008/mfsa2008-58.html
Mozilla Home Page
http://www.mozilla.org
SecurityFocus BID
http://www.securityfocus.com/bid/32281

Firefox Updates to 3.0.4

Firefox users are getting a browser update today to Firefox 3.0.4. InfoWorld.com has the full story here:


Mozilla on Wednesday patched 11 vulnerabilities in Firefox 3.0 -- and 12 bugs in the older Firefox 2.0 -- that could be used to compromise computers and steal information.

Wednesday's update patched virtually the same number of vulnerabilities as the last security upgrade seven weeks ago.

Firefox 3.0.4, the fourth update since Mozilla launched the browser in June, fixes six flaws marked "critical," two "high," two "moderate," and one "low" in Mozilla's four-step scoring system. Most of the critical bugs could be used by hackers to introduce their own malicious code into a vulnerable system.

Thursday, November 13, 2008

FISMA Security Assessment

The Federal Information Security Management Act (FISMA) was established in 2002 as a Federal law designed to increase the security posture of Federal Systems and their supporting entities. Since its establishment, an increasing number of Federal information systems and databases have been integrated into non-Federal agencies, including municipalities, law enforcement, and contractors.

Black Hat DC CFP Open Now

BLACK HAT WASHINGTON DC CFP NOW OPEN

Held February 16-19, 2009 at the Hyatt Regency Crystal City, Black Hat DC is the leading security conference focused on the needs of government and infrastructure security professionals, with tracks focused on Hardware and Embedded Devices, Reverse Engineering and Malware, Client Wars and Application Security, and Forensics and Network Protection. We hope to see you there for another highly technical and refreshingly vendor-neutral event.

Submitters will have until January 1 to get their papers into the Black Hat CFP system at :
https://www.blackhat.com/html/bh-dc-09/bh-dc-09-cfp.html

We expect to have the final selections for speakers and trainers made by
January 15, 2009.

Call for Paper Open - Hacker Halted USA 2009

Hacker Halted USA 2009
Sep 20 - 24, Miami, FL
www.hackerhalted.com/usa

The objective of the global series of Hacker Halted conferences is to raise international awareness towards increased education and ethics in IT Security. It is well known to be a vendor neutral platform where IT security professionals gather for knowledge exchange and to network. Since 2004, Hacker Halted has been organized in many cities around the world including Kuala Lumpur, Singapore, Dubai, Taipei, Mexico City, Guangzhou, Myrtle Beach, and most recently, Tokyo.

Hacker Halted USA made its debut in Myrtle Beach this summer. In Miami next year, we will see the launch of Hacker Halted | Academy - where we put together the most sought after trainings led by some of the top trainers around the world.

We sincerely invite subject matter experts in the information security space to submit papers to be presented at the conference.

For more details, please email info@hackerhalted.com or visit the website: www.hackerhalted.com/usa

IT Security Certifications

IT Security Certifications are becoming more and more popular and necessary as the job economy becomes tougher. IT Security Professionals are trying to distance themselves from their competition while companies are looking for the best and brightest in the field. Below are some of the certifications I am researching for a bigger IT Security Certifications project.

CCSA -- Certification in Control Self-Assessment
The CCSA demonstrates knowledge of internal control self-assessment procedures, primarily aimed at financial and records controls. This cert is of primary interest to those professionals who must evaluate IT infrastructures for possible threats to financial integrity, legal requirements for confidentiality and regulatory requirements for privacy.
Source: Institute of Internal Auditors

CFE -- Certified Fraud Examiner
The CFE demonstrates the ability to detect financial fraud and other white-collar crimes. This cert is of primary interest to full-time security professionals in law or law enforcement, or to those who work in organizations with legal mandates to audit for possible fraudulent or illegal transactions and activities (such as banking, securities trading or classified operations).
Source: Association of Certified Fraud Examiners

CFSA -- Certified Financial Services Auditor
The CFSA identifies professional auditors with thorough knowledge of auditing principles and practices in the banking, insurance and securities financial services industries. Candidates must have a four-year degree or a two-year degree with three years of experience in a financial services environment, submit a character reference and show proof of at least two years of appropriate auditing experience. To obtain this certification, candidates must pass one exam.
Source: The Institute of Internal Auditors

CGAP -- Certified Government Auditing Professional
The CGAP identifies public-sector internal auditors who focus on fund accounting, grants, legislative oversight and confidentiality rights, among other facets of internal auditing. Candidates must have an appropriate four-year degree or a two-year degree with five years of experience in a public-sector environment, submit a character reference and show proof of at least two years of direct government auditing experience. To obtain this certification, candidates must pass one exam.
Source: The Institute of Internal Auditors

CIA -- Certified Internal Auditor
The CIA cert demonstrates knowledge of professional financial auditing practices. The cert is of primary interest to financial professionals responsible for auditing IT practices and procedures, as well as standard accounting practices and procedures, to ensure the integrity and correctness of financial records, transaction logs and other records relevant to commercial activities.
Source: Institute of Internal Auditors

CISA -- Certified Information Systems Auditor
The CISA demonstrates knowledge of IS auditing for control and security purposes. This cert is of primary interest to IT security professionals responsible for auditing IT systems, practices and procedures to make sure organizational security policies meet governmental and regulatory requirements, conform to best security practices and principles, and meet or exceed requirements stated in an organization's security policy.
Source: Information Systems Audit and Control Association

ECSP -- EC-Council Certified Secure Programmer
The ECSP identifies programmers who can design and build relatively bug-free, stable Windows- and Web-based applications with the .NET/Java Framework, greatly reducing exploitation by hackers and the incorporation of malicious code. Candidates must attend a Writing Secure Code training course and pass a single exam.
Source: EC-Council

Security5
Security5 certification identifies non-IT office workers and home users who understand Internet security terminology, know how to use defense programs such as antivirus and antispyware applications, can implement basic operating system security and follow safe Web and e-mail practices. Candidates must attend a two-day course and pass one exam.
Source: EC-Council

Wednesday, November 12, 2008

DeepDyve Search Engine: What does it mean for Internet Privacy

A new search engine named DeepDyve is planning to come online to take on the likes of Yahoo!, MSN and even Google. It will be able to find information that is hidden from, or cannot be found by, the existing search engines. It is going to be interesting to see what Internet privacy advocates have to say about DeepDyve. eWeek.com has an interesting article on it here.

http://www.eweek.com/c/a/Search-Engines/DeepDyve-into-the-Deep-Web/

Tuesday, November 11, 2008

Google Phone Fixes Flaw: SANS Report

VULNERABILITIES
--Google Fixes Android Flaw
(November 7 & 10, 2008)
Google has fixed a critical vulnerability in its Android operating system. The flaw can cause keystrokes to pass directly to the root shell and be executed with root user privileges. For instance, texting the word "reboot" would actually cause the device to reboot. The flaw affects G1 handset users running Android firmware updates RC 29 and earlier. Google is rolling out the fix to all G1 devices.

President-elect Barack Obama Pledges to Appoint a National Cyber Security Adviser

President-elect Barack Obama has pledged to appoint a national cyber security adviser who will report to him directly. In a speech at Purdue University during his run for office, President-elect Obama stated, "As president, I'll make cyber security the top priority that it should be in the 21st century." He also stated, "I'll declare our cyber-infrastructure a strategic asset, and appoint a national cyber adviser, who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cyber security policy and tighten standards to secure information -- from the networks that power the federal government to the networks that you use in your personal lives."

This would be a monumental improvement over the Bush administration's arrangement, in which the cyber security chief sits under many layers of the organizational chart within the Homeland Security Department.

Among those advising President-elect Obama on cyber security matters is Richard Clarke, former counterterrorism czar in the Clinton administration.

Cyber-Extortion: A Review

Cyber-extortion is the use of computers and communication systems to obtain, or attempt to obtain, money or other financial gain by threat. Cyber-extortion is so common in the information security arena that it no longer raises the attention it did in the past.

There are various forms of cyber-extortion, but in general, if the hacker's demand is not met, then an adverse event will occur to the victim or company.

Just recently, Express Scripts became a victim of a cyber-extortion attack stemming from an incident that occurred in early October of 2009. Express Scripts received a letter claiming that the company's network had been breached and threatening to release millions of customer records unless the firm paid money to the thieves. The letter listed personal information on 75 of Express Scripts' members, including their names, dates of birth, social security numbers and, in some cases, their prescription information, the company stated. Express Scripts added that it had reported the crime to the FBI, which is currently investigating.

Often companies will simply pay the cyber-extortionist in the hope that the matter goes away without public knowledge. They do so to avoid being penalized by federal regulators, having to notify customers of the matter, the process of conducting damage control, the cost of resolving the matter and the loss of customer confidence in that industry.

Below are some major cyber extortion events that have occurred world-wide. These were obtained from www.acapsecurity.com:

Barclays Bank, a major international bank, was broken into by a cyber-criminal whose attack focused on the bank's Barclaycard division, which with 8 million cardholders is Europe's largest credit card system. Allegedly the attack included the theft of credit card numbers and valuable customer information, with law enforcement reporting that the cyber-criminal made a $25 million extortion demand on Barclays Bank. The matter is before the courts in London.
Guardian, Oct 19, 2001.

A cyber-thief from Kazakhstan broke into the computer networks of the Bloomberg financial news service, owned by Michael Bloomberg, the current Mayor of New York City. The thief then became a cyber-extortionist by demanding an extortion payment.
U.S. Attorney's Office Press Release, Aug 14, 2000.

A cyber-thief broke into the computer networks of Parametric Technology Corporation and thereafter made an extortion demand for $1 million plus $40,000 per month.
St. Petersburg Times, Aug 24, 2000.

The Secret Service and the FBI reported that a cyber-criminal had broken into the computer system of Online Resources, a company that offers online banking, electronic payments and other financial services to 525 financial institutions in the U.S. As part of the attack, the cyber-thief stole customer records that included names, addresses and bank account numbers. The theft was followed by an extortion demand on at least one bank.
InfoSec News, Feb 8, 2002.

On August 21, 2001 a cyber-thief broke into a unit of Ecount, an electronic payment company, allegedly stole 350,000 credit card numbers and thereafter made an extortion demand on the company.
ZDNet News, Oct 11, 2001.

Two Russian cyber-criminals broke into hundreds of computer systems, stole sensitive client and financial information and then made extortion demands on the victimized companies.
InfoSec News, Oct 18, 2001.

Cyber-criminals broke into the British division of Visa, the major credit card company, and stole data. Visa claims the stolen data was useless information. Obviously the cyber-criminals believed the data was valuable, as they made an extortion demand on Visa for approximately $14 million U.S.
InfoSec News, Jan 20, 2000.

A cyber-criminal made an extortion demand on CD Universe, an Internet music retailer, claiming he had stolen as many as 300,000 credit card numbers. The alleged cyber-extortionist was suspected of operating from a base in Eastern Europe. On Christmas day the cyber-criminal began posting more than 25,000 of the allegedly stolen card numbers on a web site. Thousands of customers who had shopped at CD Universe cancelled their credit cards.
Mercury News, Jan 26, 2000.

A cyber-criminal from Russia broke into a New York bank's computer systems, stole confidential customer information and extorted money in exchange for not releasing it.
Associated Press, Jan 24, 2002.

Types of Wireless Attacks

Standard wireless communication occurs when the end user and the wireless access point are able to communicate on a point-to-point basis without interruption. Many attack variations exist against wireless networks that break this standard communication pattern. These attacks include denial of service attacks, man-in-the-middle attacks and the WEP key-cracking attack, to name a few, and are described below.

Denial of Service (DoS) attacks
The objective of a Denial of Service (DoS) attack is to prevent authorized users from accessing legitimate network resources. A DoS occurs when the malicious attacker sends an abundance of garbage data to the wireless access point, choking out all other communication with legitimate users.

Man-in-the-middle attacks
A man-in-the-middle attack consists of a malicious user (hacker) inserting themselves into the data path between the client and the AP. From that position, the attacker can delete, add, or modify data. The man-in-the-middle attack also gives the attacker access to sensitive information about legitimate users, such as usernames and passwords, credit card numbers and social security numbers.

War driving
Wardriving is the mapping of wireless access points (WAPs) by driving or walking through populated areas carrying wireless equipment, such as a laptop or a PDA, to detect active wireless access points. The tools used for this are freely available on the Internet in the form of NetStumbler and MiniStumbler (http://www.netstumbler.com/). Once the malicious attacker has located vulnerable wireless access points, they are able to mount attacks on other locations under the cover of the compromised network.


Wired Equivalent Privacy (WEP)
With Wired Equivalent Privacy (WEP), each frame is encrypted as it is transmitted to the wireless access point. WEP has many deficiencies, chief among them that it can be compromised within a short period of time: hackers can fairly easily decode WEP-encrypted information after monitoring an active network for less than one day. An application such as WEPCrack (wepcrack.sourceforge.net/) is a freely available tool often used to carry out such an attack.
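As an added example (not code from the original post or from any tool it names), the following Python script shows the defender's side of two of the attacks above: it parses 802.11 management frames, classifies each advertised network as Open, WEP, WPA or WPA2 so that legacy WEP deployments can be found during an audit, and flags a source that sends a burst of deauthentication frames, the frame pattern behind a wireless DoS. The sample frames are constructed inline and the `DEAUTH_THRESHOLD` value is an assumption for illustration; in practice the frames would come from a monitor-mode capture and the threshold would be tuned to the capture window.

```python
import struct
from collections import Counter

# Deauthentication frames from one source within the capture that we treat as a
# flood. Assumed value for this example; tune to the capture window in use.
DEAUTH_THRESHOLD = 20


def mac(raw: bytes) -> str:
    """Render a 6-byte MAC address as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Split an 802.11 frame into type, subtype, addresses and body.

    MAC header: frame control (2), duration (2), addr1 (6), addr2 (6),
    addr3 (6), sequence control (2) = 24 bytes; the frame body follows.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc = frame[0]
    return {
        "type": (fc >> 2) & 0x3,      # 0 = management, 1 = control, 2 = data
        "subtype": (fc >> 4) & 0xF,
        "dst": frame[4:10],
        "src": frame[10:16],
        "body": frame[24:],
    }


def parse_ies(data: bytes) -> list:
    """Walk tag/length/value information elements; stop at a truncated one."""
    ies, i = [], 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies.append((tag, value))
        i += 2 + length
    return ies


def classify_beacon(frame: bytes):
    """Return {ssid, bssid, security} for a beacon frame, or None otherwise."""
    f = parse_frame(frame)
    if f["type"] != 0 or f["subtype"] != 8:
        return None
    body = f["body"]
    if len(body) < 12:  # timestamp (8) + beacon interval (2) + capability (2)
        return None
    capability = struct.unpack_from("<H", body, 10)[0]
    ies = parse_ies(body[12:])
    ssid = next((v.decode("utf-8", "replace") for t, v in ies if t == 0), "")
    has_rsn = any(t == 48 for t, _ in ies)                    # RSN IE => WPA2
    has_wpa = any(t == 221 and v[:4] == b"\x00\x50\xf2\x01"   # MS OUI, WPA type
                  for t, v in ies)
    if not capability & 0x0010:      # Privacy bit clear: no link-layer encryption
        security = "Open"
    elif has_rsn:
        security = "WPA2"
    elif has_wpa:
        security = "WPA"
    else:                            # Privacy set but no RSN/WPA IE: legacy WEP
        security = "WEP"
    return {"ssid": ssid, "bssid": mac(f["src"]), "security": security}


def detect_deauth_flood(frames, threshold=DEAUTH_THRESHOLD):
    """Return source MACs that sent at least `threshold` deauthentication frames."""
    counts = Counter()
    for frame in frames:
        f = parse_frame(frame)
        if f["type"] == 0 and f["subtype"] == 12:   # management / deauthentication
            counts[mac(f["src"])] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


def audit(frames):
    """Summarise a capture: advertised networks and any deauth flood sources."""
    networks = [n for n in (classify_beacon(fr) for fr in frames) if n]
    return {"networks": networks, "deauth_sources": detect_deauth_flood(frames)}


# --- constructed sample frames (not a real capture) ---------------------------
def _mgmt(subtype, src, dst, body):
    fc = struct.pack("<H", subtype << 4)          # version 0, type 0 (management)
    return fc + b"\x00\x00" + dst + src + src + b"\x00\x00" + body


def _beacon(src, ssid, privacy, extra_ies=b""):
    cap = 0x0001 | (0x0010 if privacy else 0)     # ESS bit, optional Privacy bit
    body = bytes(8) + struct.pack("<HH", 100, cap) + bytes([0, len(ssid)]) + ssid
    return _mgmt(8, src, b"\xff" * 6, body + extra_ies)


RSN_IE = bytes([48, 2, 1, 0])                                   # RSN IE, version 1
WPA_IE = bytes([221, 6, 0x00, 0x50, 0xF2, 0x01, 0x01, 0x00])    # WPA vendor IE
AP_OPEN, AP_WEP, AP_WPA2, AP_WPA = (bytes([0x02, 0, 0, 0, 0, i]) for i in range(1, 5))
FLOODER, NOISE = bytes([0x02, 0, 0, 0, 0xAA, 1]), bytes([0x02, 0, 0, 0, 0xAA, 2])

SAMPLE_FRAMES = [
    _beacon(AP_OPEN, b"Cafe-Guest", privacy=False),
    _beacon(AP_WEP, b"Warehouse-Legacy", privacy=True),
    _beacon(AP_WPA2, b"Corp-Secure", privacy=True, extra_ies=RSN_IE),
    _beacon(AP_WPA, b"Office-2004", privacy=True, extra_ies=WPA_IE),
]
# 25 deauth frames from one source and 2 from another; body is the reason code.
SAMPLE_FRAMES += [_mgmt(12, FLOODER, b"\xff" * 6, struct.pack("<H", 7))] * 25
SAMPLE_FRAMES += [_mgmt(12, NOISE, b"\xff" * 6, struct.pack("<H", 7))] * 2

if __name__ == "__main__":
    report = audit(SAMPLE_FRAMES)
    for n in report["networks"]:
        print(f'{n["bssid"]}  {n["security"]:5}  {n["ssid"]}')
    print("deauth flood from:", report["deauth_sources"] or "none")
```

The classification rule is the one an auditor applies by hand: a beacon with the Privacy capability bit set but neither an RSN nor a WPA information element can only be WEP, and that is the network to schedule for replacement. The deauth counter is deliberately simple; a production monitor would window it by time and also watch for deauth frames spoofing the AP's own address.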

Monday, November 10, 2008

America Continues to be Target of Cyber Attacks

By Kellep A. Charles, CISA, CISSP
2008-11-10

America continues to be a target of cyber attacks from both major, well-funded nations and third-world countries. Recent events in the past year have illustrated that this is an ongoing problem that needs to be addressed.

For example, the Federal Bureau of Investigation warned both the Obama and McCain campaigns that their computer networks had been hacked into by a foreign organization during the presidential contest. It seems these hackers were trying to obtain information about both candidates' views on various foreign issues to use in future negotiations.

There is also a recent report that hackers had penetrated the computer networks of the White House on more than one occasion. An undetermined amount of confidential e-mails between government officials had been stolen before computer experts were able to fix the problem.

And of course, there was last year's penetration of the Department of Defense's computer network.

Due to the nature of the attacks and the information gathered, many computer experts believe these attacks are originating from China.

The National Cyber Investigative Joint Task Force confirmed that the attacks originated from computers hosted on servers located in Chinese IP space but cannot pinpoint exactly where.

It is not exactly clear what information the Chinese are now privy to, but there is a pattern developing.

Information Security Issues and the 2008 Presidential Election


This 2008 presidential election brought many first-time events to the national scene. There was the 5.5 billion dollars spent by both parties trying to get to the White House, the total number of voters that came out to vote, and the unforgettable long lines many voters had to wait in to cast their ballots. Some voters waited as long as three to four hours before they were able to vote. Of course, one of the biggest first-time events was the voting in of America’s first African-American President… “Barack Obama”.

There is another first-time event that has not received as much national press as the items stated above, and it deals with information security issues. The information security issues involved in this election have raised a lot of concern and should be one of the top agenda items for President-elect Obama. He needs to make sure appropriate processes, procedures and laws are implemented to help protect our nation’s computing infrastructure. America’s previous two presidents, Clinton and Bush (W), acknowledged there were problems in the way our nation protected the critical infrastructure and implemented controls such as The National Plan for Information Systems Protection and the Federal Information Security Management Act (FISMA). However, with our new economy and our reliance on information technology, we have to do a better job of protecting it.

This 2008 Presidential election saw its fair share of information security issues. First, there was the Sarah Palin Yahoo! email breach, where a student got access to her account by answering the security questions correctly.

Then, shortly after President-elect Obama won the election, hackers were sending out spam emails with malicious attachments asking the recipients to view his acceptance speech. Moreover, just recently, the FBI confirmed that foreign entities hacked into the computers of both Obama and McCain last summer in an attempt to steal information about their foreign policies for use in future negotiations.

It seems that America is losing the cyber security battle against major powers as well as smaller, less well funded nations.

Thursday, November 6, 2008

Interesting article from Sophos.com

Barack Obama exploited in malware spam attack

Many Americans will have woken up today with a headache - either from celebrating the victory of Barack Obama or drowning their sorrows at John McCain’s loss of the White House.

One thing is clear though - malware authors haven’t been slow reacting to the news, and President Elect Barack Obama is already being used as a lure for infecting unsuspecting internet users.

Here is a typical piece of spam that is being seen in our spam traps around the world:

Were you to click on the link you would find yourself on a website pretending to be a news site offering information and a video of Barack Obama’s historic win. However, the site tries to fool you into installing what it claims is an update to Adobe Flash to view the video.