Aug 11

In a Microsoft Security Bulletin released late last week, 12 new security updates were announced for release this Tuesday. Seven of those updates are labeled critical and the rest are labeled important. This bulletin came out at the same time as the Black Hat conference.

During last week’s Black Hat conference, researchers Mark Dowd and Alex Sotirov discussed ways to bypass Windows Vista memory protection techniques such as DEP. Their methods rely on legitimate browser functionality rather than on any software vulnerability, which means these weaknesses will be much harder for Microsoft to correct. Microsoft has yet to comment on the findings.

Aug 8

Web 2.0 has become a huge buzzword on the internet in the last few years, and it will only continue to grow over the next few. It provides a way for people to collaborate and share their ideas in ways they never could before. Generally speaking, the internet has not changed much technically, but since the introduction of Web 2.0 the way people use it has. Not only has the general public caught on to the idea of Web 2.0, but businesses are also seeing it as a great way for their employees to communicate, express their ideas, and promote teamwork. Today more than two-thirds of businesses are using at least one Web 2.0 application.

Information thieves have caught on to this fact and have begun looking for new ways to steal information and exploit weaknesses. Over the years we’ve seen many different ways for attackers to initiate attacks. Several years ago email attachments were one of the most prominent ways to spread a virus. With the introduction of Web 2.0, attackers are seeing it as a new medium for malicious attacks: whereas before a user would have to open an email attachment to execute it, now web protocols give attackers ways to spread malicious code simply when a user visits a web page.

Malicious code is not the only threat that Web 2.0 applications expose businesses to. Exposure of confidential information is one of the top threats that Web 2.0 directly poses to businesses. More than a third of information leaks happen through message boards or blogs found on the internet.

Controlling access to Web 2.0 applications has become a main concern for many IT departments. Content control is no longer just a concern for enterprise businesses. Today even small and medium-sized businesses have to look into solutions for controlling access to certain content.

Aug 7

More and more people today are taking their banking online. Some 42% of internet users do their banking online. Since that number is growing every year, banks and credit unions are looking at their online banking security and making sure they can provide safe interactions with their customers. Those who don’t bank online cite the lack of online banking security as their main reason for not doing so. One reason they feel insecure about banking online is misinformation and not having accurate information about internet security.

A study from the University of Michigan by Atul Prakash looks at design flaws in many of today’s banking sites that fail to protect users who don’t know the basics of internet security. It looks at design flaws rather than actual application vulnerabilities. Design flaws differ from application vulnerabilities because they stem from decisions made when the website was designed. Many of the decisions the designers of banking sites have made promote insecure user behavior, and because many users are uneducated about basic internet security, these flaws can be taken advantage of.

Some of the online banking design flaws noted were allowing the site to be accessed over insecure HTTP, redirecting users to untrusted sites, low password-strength thresholds, and emailing confidential data to users. If a user is unaware of the risks these designs pose, any of them can lead to confidential data being leaked.

As far as user passwords go, many of the sites in the study don’t impose password restrictions on users. Low-quality passwords invite disclosure through brute-force attacks. But the study also notes that with the rise of phishing sites and keyloggers, a strong password offers no protection against those, and many banks regard forcing strong passwords as merely an inconvenience for their users. It is also claimed that enforcing a ‘three-strikes’ lockout policy on incorrect password entries makes brute-force attacks on low-quality passwords unrealistic. The study finds, however, that even a lockout policy is not enough if low-quality passwords are allowed: if a list of usernames is available, a parallel dictionary attack runs a series of authentication requests across all of the usernames using common passwords, so no single account accumulates enough failures to trigger the lockout.

The study also mentions websites that break the chain of trust. Often, bank websites redirect to other websites without notice. Regardless of whether those sites are secured with SSL, the certificates used are often not affiliated with the bank at all, and there is no way for the user to tell whether they are still on the bank’s website. This makes it hard for even a knowledgeable user to know whether they are on a phishing site.

As mentioned, other sites present secure login forms on insecure web pages. While the site may offer a secure login via SSL and HTTPS, that same page may also be available insecurely over plain HTTP. Even if a redirect to a secure page occurs, if the user has already entered their credentials on the insecure page, those credentials are at risk of being compromised.

For more information on this online banking security study, you can visit the following page: Analyzing Websites for User-Visible Security Design Flaws

Aug 6

Email is a part of everyday life in the business world. Even small companies see thousands of emails pass through their servers each day, which means there is plenty of opportunity for attacks against your mail server. So here are 5 good tips to help keep your email secure.

1) Change your SMTP banner: Most mail servers accept connections on port 25 for SMTP. If you telnet to port 25 on a mail server that accepts connections there, you will receive a greeting from that server. This greeting is called the SMTP banner. By default (with Exchange) this banner will not only display the actual server name and domain, but also the version number and software running on that server. This is crucial information that an attacker can use when planning an attack. If your server accepts connections on port 25, it is important to mask this banner with a canned message that doesn’t display sensitive information like that. For more information on changing this banner with Microsoft Exchange, read this Microsoft article: Changing your SMTP Banner

2) Enable Relay Restrictions: This is usually set by default on mail servers so that only authenticated users or specified servers are allowed to relay email through your mail server, but it is a good security measure to verify that your mail server is not an open relay. If no restrictions are set, spammers will have a field day with your server. Not only can this really cripple your server if not taken care of promptly, but it can also get your server blacklisted. Once blacklisted, you will need to find out which blacklists you are on and request removal once you prove to them that you are no longer spamming from your server. This can take weeks or months depending on which list you are on. If you aren’t sure whether your server is an open relay, you can use this tool to check: Open Relay Checker

3) Make sure your server is up-to-date: Because your mail server is constantly accepting connections from the outside world, it is crucial that it is always up-to-date. A lot of IT professionals make sure their servers have the latest Windows Updates installed but forget about Exchange updates and service packs. Automatic Updates won’t keep Exchange up-to-date, and many times the security vulnerabilities that need patching in Exchange are more critical than your typical Windows update. While there is no excuse for an out-of-date server, if installing updates takes up too much of your time, look into a patch management solution. Microsoft offers a free solution for all of its software called Windows Server Update Services.

4) Protect your mail server with a front-end server: Another good idea for security is to set up a front-end server to act as a proxy or relay between the internet and the mail server that stores your mail databases. The front-end server handles all HTTP and SMTP requests for your main mail server, and all email is then relayed from the front-end server to the main server. This lets you close off port 25 on your main mail server so that it is hidden behind your firewall. Many companies will even provide this service for you. Having your server behind a firewall and accepting connections only from internal mail clients and the front-end server greatly increases its security.

5) Spam and Virus Protection: I’ve listed both spam and antivirus under the same number here because I think we are at the stage where they go hand in hand. It is important that you maintain antivirus and antispam software on your network. I recommend using a separate appliance for spam, as this will catch spam emails before they even reach your mail server. If your mail server processes a lot of email every day, this will help alleviate some of the strain it carries. Making sure both systems are up-to-date with the latest signatures goes without saying.
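An added example that is not from the original post or from Microsoft: a Python self-audit script for tips 1 and 2 that inspects a server’s SMTP greeting for product/version disclosure and checks whether it accepts relaying for an outside domain without authentication. The probe addresses, the assumption that example.org is not a local domain, and the constructed sample greetings are mine.

```python
"""Self-audit for tips 1 and 2: inspect your own server's SMTP greeting for
product/version disclosure and check whether it relays for outside domains
without authentication. Example code, not from the article or Microsoft."""
import re
import socket

# Fragments showing a greeting advertises software and version; the first
# pattern is the Exchange default described above.
VERSION_PATTERNS = [
    re.compile(r"Microsoft ESMTP MAIL Service,? Version: ?[\d.]+", re.I),
    re.compile(r"\b(?:Postfix|Sendmail|Exim|qmail)\b(?:\s*[\d.]+)?", re.I),
    re.compile(r"\bversion[:\s]+[\d.]+", re.I),
]


def banner_disclosures(banner):
    """Return the product/version strings found in a 220 greeting."""
    found = []
    for pat in VERSION_PATTERNS:
        for m in pat.finditer(banner):
            if not any(m.group(0) in f for f in found):  # skip sub-matches
                found.append(m.group(0))
    return found


def is_open_relay(exchange, probe_from="probe@example.net",
                  probe_to="relaytest@example.org"):
    """Drive an unauthenticated dialogue through exchange(cmd) -> reply. A 250
    to RCPT TO for a domain the server does not host (assumed: example.org)
    with no AUTH is the open-relay signature. RSET/QUIT keep the probe unqueued."""
    relayed = True
    for cmd in ("EHLO audit.example.net", "MAIL FROM:<%s>" % probe_from,
                "RCPT TO:<%s>" % probe_to):
        if not exchange(cmd).startswith("250"):
            relayed = False  # rejected somewhere: relay restrictions are on
            break
    exchange("RSET")
    exchange("QUIT")
    return relayed


def audit_live_server(host, port=25, timeout=10):
    """Run both checks over TCP against a server you administer.
    Returns (disclosures, open_relay)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")

        def read_reply():
            lines = []
            while True:  # multi-line replies use "250-" until the final "250 "
                line = reader.readline().decode("latin-1").rstrip("\r\n")
                lines.append(line)
                if len(line) < 4 or line[3] != "-":
                    return "\n".join(lines)

        def exchange(cmd):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            return read_reply()

        banner = read_reply()
        return banner_disclosures(banner), is_open_relay(exchange)

def fake_server(relay_allowed):
    """Constructed stand-in for a live server, to demonstrate is_open_relay."""
    def exchange(cmd):
        if cmd.startswith("RCPT TO:") and not relay_allowed:
            return "554 5.7.1 Relay access denied"
        return "221 Bye" if cmd == "QUIT" else "250 OK"
    return exchange

# Constructed greetings: the Exchange 2003 default versus a masked one.
EXCHANGE_DEFAULT = ("220 mail.example.com Microsoft ESMTP MAIL Service, "
                    "Version: 6.0.3790.3959 ready at Mon, 11 Aug 2008 09:00:00")
MASKED_BANNER = "220 mail.example.com ESMTP ready"
```

Run `audit_live_server("mail.example.com")` against your own server to get the same two results for a real greeting and relay dialogue.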

These are only 5 tips for maintaining security on your mail server, and there are a ton more. Hopefully these will get you on the right track and taking email security seriously.

Aug 5

Keeping data secure at all times is crucial if you want to keep confidential files confidential. Any data stored on disk is at risk of being compromised in some way. It is important to learn ways to keep it as safe as possible and to encrypt it, so that if an attacker does gain access to files on your hard disk, the encryption on those files will deter them from reading your confidential data.

One program I use to encrypt my most confidential data files is called TrueCrypt. It is an open-source program that keeps your files inside an encrypted container file and mounts that container as a virtual disk on your computer. When you dismount the disk, your files remain securely inside the encrypted file. It can also encrypt an entire partition or a whole disk. If you want to encrypt everything on your computer, it supports pre-boot authentication and lets you encrypt the system partition as well.

The nice thing about the application is that you can put the program on a thumb drive and run it from any PC without installation. This lets you carry the encrypted file with you anywhere and access your data while keeping it securely contained. There are a ton of great security features in the free download. Check it out and let me know what you think. It can be downloaded here: TrueCrypt.

Aug 4

So there has been a lot of talk lately about Kaminsky’s DNS poisoning vulnerability. What is it, and why is it such a hot topic yet kept so secret at the same time? Well, I can’t tell you exactly what the issue is. If I could, then I’d probably be directly in touch with Dan Kaminsky and would be at Defcon with him at the end of the week. But there is a little information out about its severity and why it is being kept such a huge secret. A design flaw was found in DNS that allows an attacker to poison the cache on a DNS server with invalid entries.

In IT, poisoning refers to an attacker deliberately replacing entries in a cache with fake or incorrect ones. With DNS, the result if someone were to take advantage of it is that the attacker could redirect traffic for any website whose records are cached on the compromised DNS server to any other web server on the internet. This means the attacker could place a phishing web page at the new destination. Email could also be compromised by poisoning MX records and having confidential emails redirected to another email server on the internet. Basically, the internet would become compromised.

But, thanks to a collaboration of some of the best minds in the industry, this issue has been kept secret, which has hopefully given everyone enough time to patch the vulnerable systems. Here is a little more information on the DNS vulnerability at hand.

Aug 1

No computer network can be 100% protected from the threats that the internet and attackers bring. But with a smart IT security policy and a layered approach, you can reduce your company’s risk of attack.

Viruses today are more blended and carry a higher payload than ever before. This means they are easier to distribute and can do greater damage. Viruses today can attack networks at even the lowest level, which means they can bypass desktop and server antivirus software. Antivirus software alone no longer provides the complete protection it once did.

So what is layered antivirus and network security, and how should you approach it? Simply put, it is like placing a defensive barricade at every possible entry point onto your network. A typical layered antivirus solution will include server AV, desktop AV, gateway AV, email AV, and some type of intrusion detection/prevention service (IDS, IPS).

This approach not only protects against threats that come in at the computer and file-system level, but also protects your network from denial of service and other network-level attacks.

A layered approach also helps provide efficiency and load-balancing on your network. If you find that your email server is getting pounded by daily phishing or virus emails, then gateway antivirus can take some of the load off your email server by stopping those emails from ever reaching it.

Protecting your network with a layered approach is no longer just a security design for enterprise networks; it is a requirement for all business networks.

Jul 31

Public Wi-Fi networks are everywhere today. The nearest hot spot in your city is probably only a block away. With so many employees on the road and working out of the office today, IT departments are finding they need to provide external access to network resources. The need to stay productive while out of the office is crucial.

Anytime an end-user is accessing corporate data on a public network, security is a big concern. You never know when your confidential data may be compromised. If your company provides access to data from outside of the corporate environment, you must make sure that you take the necessary steps to ensure that data is secure.

When on a public network, any data sent to and from an end-user’s laptop is generally visible to anyone else on that same public Wi-Fi network. What this means is that those traffic streams are open to what is called a man-in-the-middle attack. A man-in-the-middle attack takes advantage of an inherent security weakness in the Address Resolution Protocol (ARP). The weakness allows an attacker to secretly answer the ARP request of a computer that is initiating a connection with another node. The attacker then makes separate, independent connections with the two nodes. Once this is done, all traffic is relayed through the attacker’s computer and the end-user is unaware that anything has occurred. If this attack is carried out between a laptop and an internet gateway, the attacker is able to sniff every packet the end-user sends out to the internet, including confidential corporate data.
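As an added example (not part of the original post), here is a Python monitor for the ARP trick just described: it records which MAC answers for each IP and alerts when the gateway, or any known IP, suddenly answers from a different MAC, or when one MAC claims several IPs. The gateway address and the sample ARP replies are constructed.

```python
"""Detection for the ARP reply spoofing described above: keep the IP -> MAC
bindings seen in ARP replies and alert when a known IP (above all the
gateway) starts answering from a different MAC, or when one MAC claims
several IPs. Example code, not from the original post."""
from collections import defaultdict

# Constructed ARP replies, "<time> <sender IP> <sender MAC>"; in practice these
# come from a packet capture or periodic ARP table dumps on the laptop.
ARP_REPLIES = """\
10:00:01 192.168.1.1 00:11:22:33:44:55
10:00:02 192.168.1.20 aa:bb:cc:dd:ee:01
10:00:03 192.168.1.21 aa:bb:cc:dd:ee:02
10:00:15 192.168.1.1 aa:bb:cc:dd:ee:02
10:00:16 192.168.1.20 aa:bb:cc:dd:ee:02
"""


class ArpMonitor:
    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.bindings = {}                  # ip -> MAC first seen for it
        self.ips_by_mac = defaultdict(set)  # MAC -> every IP it has claimed
        self.alerts = []                    # (time, severity, kind, detail)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            # Keep the original binding so a spoofer's repeated claims keep
            # alerting. A DHCP re-lease also changes a binding, so tune per site.
            sev = "HIGH" if ip == self.gateway_ip else "MEDIUM"
            self.alerts.append((ts, sev, "ip-mac-change",
                                f"{ip} was {known}, now answered by {mac}"))
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) == 2:  # fires once, when a 2nd IP appears
            # A router that legitimately holds two IPs will trigger this too.
            self.alerts.append((ts, "MEDIUM", "mac-multi-ip",
                                f"{mac} claims {sorted(self.ips_by_mac[mac])}"))

    def feed(self, text):
        """Process a block of reply lines and return the accumulated alerts."""
        for line in text.splitlines():
            parts = line.split()
            if len(parts) == 3:
                self.observe(*parts)
        return self.alerts


def run_monitor(replies, gateway_ip):
    """Convenience wrapper: the alert list for one block of reply lines."""
    return ArpMonitor(gateway_ip).feed(replies)


if __name__ == "__main__":
    for ts, sev, kind, detail in run_monitor(ARP_REPLIES, "192.168.1.1"):
        print(f"{ts} {sev:6} {kind:14} {detail}")
```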

So how do you protect your private data from attacks like these? Encryption is one of your biggest defenses. However you decide to provide access to network resources to employees on the road, whether via a VPN or a web portal, encryption is a must. If your company uses VPN software to provide access to the network from outside, then once the VPN tunnel is negotiated all traffic passed between the laptop and the corporate network is encrypted. This means that even if the attacker sniffs those packets, they will be encrypted and the attacker will find it nearly impossible to gain access to the data without knowing the key used to encrypt it.

If your company uses a secure web portal to provide access to network resources, there are a few things you should know. First off, most web portals secured with HTTPS use certificates to authenticate the server before the encrypted session is established. If the attacker is using the right tools, he or she can send a spoofed certificate to the end-user. If the end-user accepts this certificate, they will be opening a secure connection with the attacker. The attacker then opens a secure connection of their own with the corporate web server. Once this is done, the attacker is able to see all traffic the end-user sends before it is re-encrypted and forwarded to the corporate web server. To prevent this, it is important that you use certificates issued by trusted certificate authorities such as VeriSign or GeoTrust. Then, if the end-user receives a certificate from an untrusted source, the browser will alert them to it.

It goes without saying that any end-user who will be accessing corporate data from outside the internal network should be trained on basic security. With the proper security infrastructure in place and users trained, the IT staff should be able to rest easy knowing that corporate data is safe.

Jul 30

The Sarbanes-Oxley Act (SOX) is one of the most comprehensive compliance acts ever to affect corporate business. Because most business information today is stored and sent electronically, the IT department must create an encompassing security policy to ensure that the company is compliant with SOX.

The security policy must govern everything from network security to access controls, logging, encryption, and alerting. These policies and guidelines must be documented, and in the event of an audit the IT department must be able to produce those documents and show that the policies are in place and being followed.

Because a lot of data today is transferred via email, email naturally plays a very large role in ensuring that your company is SOX-compliant. So much data is transmitted over email protocols today, yet email remains one of the most insecure realms of the network. This is why IT professionals must pay close attention to how emails are sent and received on their network.

SOX requires that all malicious emails, both inbound and outbound, are seized and removed from the network before any internal data is compromised, rather than merely alerting IT staff as violations occur. Email security compliance covers every aspect of your email system, and email must remain secure at all points of transmission. This means that emails containing financial information must be encrypted in transit to the recipient and protected by access controls while they reside on a local system for storage.

Anti-spam and anti-phishing systems must be in place and integrated with your email system. The system must be configured to prevent emails detected as malicious from reaching workstations on the network.

Email archiving is also required for Sarbanes-Oxley Act compliance. All emails must be archived so that any email received by the company’s system can be retrieved at a later date. Emails should be archived before they are delivered to the client to ensure that information is not deleted or removed from the system before archiving can take place.

If the Sarbanes-Oxley Act affects your company, it is important not only that your IT staff become familiar with SOX, but that the whole staff be trained on the basics of what SOX compliance requires of them. As an IT professional, your network security policy should be well documented and enforced.

Jul 29

Social engineering is the term used for manipulating company employees to gain access to unauthorized areas, whether those areas are physical locations in the building, network file storage locations, or network access. A social engineering attack is every bit as dangerous as a computer virus or network hack, and can be even more crippling. Some of the most dangerous attacks thieves have carried out have been based on social engineering. One reason social engineering works so well is that IT experts spend most of their time patching systems and securing the network rather than training the employee base on the basics of information security. Information security covers much more than just network and computer security; it also covers employee training and physical security.

Below are common flaws found in many corporate environments today and things that can be done to fix those vulnerabilities.

1) Website Information: When it comes to gathering information about a company, the first place just about anyone will start is the company’s website. Many companies post valuable information on their website without realizing that it is in fact a security risk. Things like phone numbers, employee names, and email addresses can all be found on these websites, and all of them should be kept from outsiders. Phone numbers that are listed should always be main or call-center numbers, not individual direct-dial numbers. One common major mistake is to have active links to employee email addresses. For most companies, the user name in an email address is the same as the network logon, so the thief already has half of what they need for network access.

2) Outside Contractors: Workers from outside companies visiting the premises to do temporary work should always be accompanied by a security liaison. The security liaison should be told what the contractor is there to do and be familiar with what it takes to complete the task, so that they know when the contractor has finished the work and can make sure the contractor doesn’t enter areas that aren’t needed to get the job done. The security liaison should also be aware of whether the contractor is removing items from the premises.

3) Telephone Scams: Phone scams are common because they are an easy way to make contact with company employees without face-to-face contact. Employees need to be trained to be helpful to callers but cautious at the same time. A common phone scam is for the caller to pose as a computer salesperson. They inquire about what type of systems the company uses, whether there is a wireless network, and what operating systems are used. All of this information is used to plan a network attack. Employees need to be trained to always forward any network-related questions or calls to the IT staff.

4) Dumpster Diving: A common way of getting information about a person or company is to go through the trash. Companies should always have private information shredded, and should hire service companies that handle the shredding of documents and computer media. Trash dumpsters should never be left in an open, unsecured area, and surveillance cameras should be kept on the dumpsters 24 hours a day.

5) Passwords: It is imperative that there is a company policy regarding passwords. An IT tech should never call another employee and ask for their username and password, and all employees should know that. Passwords should also never be written down on sticky notes or anywhere else visible. A password rotation policy should also be in effect so that old passwords get phased out.

6) Logging Off: A thief can use social engineering to gain access to a building, and once inside they can usually find workstations still logged in with a user account. Often these user accounts have access to a lot of confidential information. It should be company policy that whenever someone leaves their desk, they must lock or log off their computer. IT should also enforce this with network security policies that automatically lock a computer after a short period of inactivity.

7) Employee Training: Finally, when all is said and done, it all comes down to training. It is important to hold annual or bi-annual training sessions on the company’s network security policy. Everything from physical building security to how each workstation is configured to email policy should be covered.

The more layers you add to your security policy and the more your employees are trained on all of its aspects, the harder it will be for a social engineering thief to steal information.
