Apr 9

I have been doing a lot of reading lately about the history of security research and the issue of full disclosure. It is a hugely debated issue, and before I started getting into security I was completely unaware of it. It isn’t something that hits the news often, and when a vulnerability makes the news, the background issue of its disclosure is usually so controversial that nobody touches on it in the mainstream.

So what is it exactly? When a security vulnerability is discovered, the debate revolves around whether or not knowledge of that vulnerability should be open to the public. Some people say that making sensitive information like that public only puts customers and the general public more at risk by releasing it into the wrong, untrusted hands. Others say that untrusted individuals already had that information and that releasing it to the public will help speed up the process of getting a proper fix for the vulnerability out to the people who need it.

No matter where you stand on the issue, both sides seem to agree that one of the greatest issues is communication. There are generally two parties involved: the vendors that make the software at risk, and the security researchers who initially discovered the vulnerability. These parties must communicate in a way that is in the public’s best interest. However, poor communication between the two can deteriorate relations and can lead to the disclosure of sensitive vulnerability information. Vendors typically claim that they are not given enough time to get a fix properly released. The security researchers sometimes claim that waiting too long to get a patch to the general public puts the public at increased risk with each day that goes by without a proper patch.

Many disclosure policies have been developed over the last decade that are aimed at helping develop proper communication between all parties involved, such as RFP, OIS, and ZDI. Many of these are just guidelines and exist out of general respect for both sides. Neither side, however, is obligated to follow those guidelines. They do help give each side of the fence a certain set of expectations. If one side is following a specific policy and staying within the guidelines set, then the other side will know what to expect. They also help open lines of communication that may not have been there before the policies were put in place. Many times, when a security researcher discovered a flaw in a piece of software, they’d have no idea where to turn to get the flaw fixed.

After reading more and more about the history of this issue, when I see events like the DNS vulnerability that Dan Kaminsky and the associated vendors handled, it really amazes me how well everyone involved was able to communicate and help get the issue resolved. Without open lines of communication from both sides, we just won’t be prepared enough to handle widespread issues properly when they arise.

Mar 18

Social networks today, such as Facebook, MySpace, and LinkedIn, have been growing at a tremendous rate. They have recently become a target of IT professionals as a security threat on company networks. Not only are they seen as a contributor to productivity loss, but they are also a security threat for data loss and data compromise. They are a great tool for hackers to use to gain entry to corporate networks where these social networks are used. These networks have built up trust with their users, and these users take them into the corporate networks with that same level of trust. So those applications that can pose a security risk at home will pose an even greater threat in the office.

So IT professionals are taking a much deeper look into social network security and their corporate networks. They are finding that not only does the issue come from the 20-somethings in their network, but a growing population of older individuals are venturing into social networking. The problem is that many of the older individuals may not be as savvy as the younger generation when it comes to network security common sense.

An ethical hacking firm, Netragard, claims that they can gain access to any data on any corporate network very quickly. They claim to be able to do this through social networking sites. They offer their services for a fee to prove this claim and offer ways to help improve social network security and curb its threat to your corporate environment. Regardless of how legitimate their claim may be, it is still an alarming statement that should be taken seriously.

Social network sites are great for helping people with similar backgrounds meet and stay in touch. The problem for corporate users is that inside large enterprises, where no one person knows everyone in the company, it is easy for someone with a fake ID to establish trust with individuals in a company simply because they claim to be a colleague. From there it is a simple matter of setting up a phishing scheme. The problem with this form of attack is that there is no evidence of a breach and no log of what data was even stolen.

With these new methods of data breach that social networks bring to the table, it is imperative to take a different approach to network security than was taken in the past. IT professionals can no longer look at networks in a segregated way. There is no longer a boundary between the corporate network and the internet. They must be treated as one and covered by a policy that encompasses them both. Also, when introducing new technology into a network environment, you must look at where that technology stands from a security standpoint and in what ways it increases your security risks. Create a security policy that includes social network sites. Prevent access to these sites from inside the corporate network, and also have a company policy about what employees are allowed to say about the company, whether they are currently on duty or not. Finally, be sure to run penetration tests from both inside and outside the network, and be sure that the tests include some form of social engineering. Hackers don’t have any boundaries, so chances are that if a tool that follows rules is able to break into your network, it will be even easier for a hacker to do so.

Sep 2
Come September 2nd, Google is going to release a beta version of their new browser called Chrome. So what does this new browser mean for security? Here are some of the features that this new browser will entail.

It runs each new browser tab in a separate sandbox. Each tab gets its own process and memory space. This means that one tab cannot crash another, so you won’t lose all your sessions if just one of them hangs. This also means that applications from one tab do not have direct access to the stored memory data of another browser tab. This increases the protection provided by the browser from rogue sites.

Google claims that this ‘sandboxing’ technique protects against malicious data from websites. If a website is causing an issue, it is contained within Chrome and simply closing the browser will protect your PC. However, Google admits that plugins installed in the browser bypass this security feature.

It also features a privacy mode. This is similar to Microsoft’s InPrivate mode. No user information is recorded while in this mode. No usernames, passwords, website history, form data, etc., are recorded or stored while in this mode. This is useful for users who are on a public PC and can’t guarantee privacy. It does not protect your data once it leaves the PC, however. Once the data leaves the PC it is still vulnerable to attackers sniffing data on the network.

Similar to current features in Internet Explorer, Chrome will also download the latest list of known phishing sites to warn users and protect them from unknowingly accessing a phishing site.

None of these security features is new, however, with Internet Explorer and Firefox already in the market and claiming their stake in the “high security” web browser market. It will take something new and extraordinary from Google to take market share away from Microsoft and Mozilla.

Aug 19

On August 8th I posted about the security issues around Web 2.0 collaboration websites. Businesses are beginning to see many benefits in adding Web 2.0 tools to their company to allow employees to share information more easily. But anytime information is shared over a network, security is a big concern.

I was reading Information Week and found this rolling review they are doing on several Web 2.0 platforms. They go over several points of interest for Web 2.0 tools: who has access to the data, how secure it is, what the costs are, and how good the vendor’s support for the platform is.

Aug 8

Web 2.0 has become a huge buzzword on the internet in the last few years and it will only continue to grow over the next few. It provides a way for people to collaborate and share their ideas in ways they never could before. Generally speaking, the internet has not changed much technically. But since the introduction of Web 2.0, the way people use the internet has. Not only has the general public caught on to this idea of Web 2.0, but businesses are also seeing it as a great way for their employees to communicate, express their ideas, and promote teamwork. Today more than two-thirds of businesses are using at least one Web 2.0 application.

Information thieves have caught on to this fact and have begun looking into new ways to steal information and exploit weaknesses. Over the years we’ve seen many different ways for attackers to initiate attacks. Several years ago email attachments were one of the most prominent ways to spread a virus. But with the introduction of Web 2.0, attackers are seeing it as a new medium for malicious attacks. Whereas before users would have to click on email attachments to execute them, now web protocols give attackers ways to spread malicious code just when a user visits a web page.

Malicious code is not the only threat that Web 2.0 applications expose businesses to. Exposure of confidential information is one of the top threats that Web 2.0 directly exposes businesses to. More than a third of information leaks are through message boards or blogs that are found on the internet.

Controlling access to Web 2.0 applications has become a main concern for many IT departments. Content control is no longer just a concern for enterprise businesses. Today even small and medium sized businesses are having to look into solutions to control the access to certain content.

Aug 4

So there has been a lot of talk lately about Kaminsky’s DNS Poisoning Vulnerability. What is it, and why is it such a hot topic, yet kept so secret at the same time? Well, I can’t tell you exactly what the issue is. If I could, then I’d probably be directly in touch with Dan Kaminsky and would be at Defcon with him at the end of the week. But there is a little bit of information out about the severity of it and why it is kept such a huge secret. There was a design flaw found with DNS that allows an attacker to poison the cache on a DNS server with invalid entries.

In IT, poisoning refers to an attacker deliberately replacing entries in a cache system with fake or incorrect entries. With DNS, if someone were to take advantage of this, the attacker could redirect traffic bound for any particular website hosted on the compromised DNS server to any other web server on the internet. This means the attacker could place a phishing web page at the new destination. Email could also be compromised by poisoning MX records and then having confidential emails redirected to another email server on the internet. Basically, the internet would become compromised.

But, thanks to a collaboration of some of the best minds in the industry, this issue has been kept secret and has given everyone hopefully enough time to patch the vulnerable systems. Here is a little more information on the DNS vulnerability at hand.
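A defender-side check for the A and MX redirection described above, as an added example that is not part of the original post or of any material it links to: it compares a resolver's answers against a pinned baseline and reports the ones that disagree. The names, addresses and baseline are constructed sample values, and the input layout assumed is that of `dig +noall +answer`.

```python
import ipaddress

# Constructed baseline (assumed values): what each name is expected to return.
BASELINE = {
    ("www.example.com.", "A"): ["192.0.2.0/24"],      # allowed address ranges
    ("example.com.", "MX"): ["mail.example.com."],    # allowed mail exchangers
}

# Constructed answers, one per line: name ttl class type rdata
SAMPLE_ANSWERS = """\
www.example.com. 300 IN A 192.0.2.10
www.example.com. 86400 IN A 203.0.113.66
example.com. 3600 IN MX 10 mail.example.com.
example.com. 3600 IN MX 5 mx.unknown.invalid.
"""

def parse_answers(text):
    """Yield (name, rtype, value) for each A or MX line; skip anything else."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, rtype = fields[0].lower(), fields[3]
        if rtype == "A":
            yield name, rtype, fields[4]
        elif rtype == "MX" and len(fields) >= 6:
            yield name, rtype, fields[5].lower()  # fields[4] is the preference

def is_expected(rtype, value, allowed):
    """A records must fall inside an allowed range; MX hosts must match exactly."""
    if rtype == "A":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False  # unparsable address is never expected
        return any(addr in ipaddress.ip_network(net) for net in allowed)
    return value in allowed

def find_suspect_records(text, baseline=BASELINE):
    """Return the answers that disagree with the pinned baseline."""
    suspects = []
    for name, rtype, value in parse_answers(text):
        allowed = baseline.get((name, rtype))
        if allowed is not None and not is_expected(rtype, value, allowed):
            suspects.append((name, rtype, value))
    return suspects

if __name__ == "__main__":
    for record in find_suspect_records(SAMPLE_ANSWERS):
        print("unexpected answer:", *record)
```

A mismatch is a lead to investigate rather than proof of poisoning, since records also change for legitimate reasons and the baseline then needs updating.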

Jul 28

Thank you for visiting this new site that is filled with quality information for anyone involved with network security. Network security is one of the hottest topics today in the IT industry. Here you will find anything from news, security information, tips, how-to guides, product reviews, videos, discussions, and much more, all of which relate to network security.