InfoSec Tools, Tips & Thoughts » Uncategorized

Staying safe on public Wi-Fi

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Wed, 14 Apr 2010 17:04:02 +0000

Picture this: You’re at a café with your laptop and latte in hand, getting ready to review new sales leads and the quarterly financial projections. First you hop on the free Wi-Fi that the shop’s management provides. Then you connect your laptop to a projector so that the entire café can take a look, and finally you hand out some printed copies of your confidential product specifications to the other patrons so that they can follow along. That may sound ridiculous, but if you’re using public-access Wi-Fi without taking the proper precautions, you might as well be asking your coffee compatriots to partake in confidential company information.

That’s an abstract from a pretty good article in NetworkWorld. I previously also posted about the dangers of public wireless networks.

Consider however, how probably is it that a competitor or anyone else for that matter is lurking steal your data? You don’t know and neither do I. Just remember that it’s very easy to do so protect yourself.

Read full article: http://www.networkworld.com/news/2010/041310-how-to-stay-safe-on.html

CISSP All In One Book FIFTH EDITION has been released The fifth edition of this best-selling comprehensive CISSP training resources...
2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...
ISSA-NOVA Chapter December Meeting The Northern Virginia Chapter of the Information System Security Association...

NIST Guidelines for Secure Deployment of IPv6

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Fri, 26 Feb 2010 19:17:17 +0000

If it ever happens……

Download link: http://csrc.nist.gov/publications/drafts/800-119/draft-sp800-119_feb2010.pdf

CISSP All In One Book FIFTH EDITION has been released The fifth edition of this best-selling comprehensive CISSP training resources...
More on Forensics… Follow what the NOVA Information Assurance Strike Team is up...
2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...

A Guide to Computer Security

Guest Blogger — Sun, 21 Feb 2010 21:58:42 +0000

As the number of people connecting to the Internet continues to increase at a rapid pace, more and more of us are now creating our own home computer networks.
With these we can enjoy the benefits of having high bandwidth, instant access to the Internet and make this connection available to multiple computers in and around the home.
But for those unfamiliar with computer security, they are completely unaware of the risks they may be exposing their computer to.
Without implementing a proper computer security solution, your computer may become infected with viruses, spyware, and/or adware. These are all forms of malware than can play a part in rendering a computer unusable, destroy valuable information your storing, provide complete control of a computer to another person, allow someone to steal the information on your computer, record your keystrokes and give a 3rd party access to your online bank account, allow someone to use your computer to attack a computer belonging to somebody else, etc.
And if you opted for a wireless network, you could be sharing out your Internet connection to your neighbors or that person who has been sitting outside your house in the car for the last few hours. What is more, you are increasing the risk of exposing your own computer to hackers as a result.
So What Are The Basics of Computer Security?

Make sure that the link between you and the Internet is safe.You need to have a hardware firewall installed between you and the Internet. Most recent devices that connect you to the Internet have one built in, but in any case you need to make sure that what you have is a stateful firewall.It should give your computer full access to the Internet, but block all traffic trying to access your network when originated from the Internet side.
Secure your Internet router.Change the administrator password and if possible the administrative account name as well. Everyone who has bought that device will know what the default account and password is, so you must change these and make them difficult to guess. This is especially important if you have a wireless network.
Install anti-virus software on your computer.Make sure it scans the computer for viruses at least once a week. Keep the software up to date and make sure that the virus definitions are updated every day. Also make sure that this is monitoring the computer all the time to help prevent it being infected in the first place.
Install a personal firewall on your computer.Not only should this help limit the damage malware can do to your computer, but it should also reduce the chances of this spreading to other computers. Get in the habit of checking the dialogues that you are prompted with and only allow Internet access to applications that really need it.
Install anti-spyware software on your computer.Make sure it fully scans your computer for spyware at least every week. Keep the software up to date and make sure that the definitions are updated every day. Also make sure that this monitors your computer all the time.
Keep up to date with the security patches for your Operating System.Microsoft release security updates for Windows every month. However, make sure your computer is configured to automatically check for downloads every day and at a time when your computer is most likely to be turned on.
Secure your wireless network.Do not broadcast your SSID (Service Set IDentifier). Although it can be learned by someone who is determined, there is no point making things easy. So make sure this is disabled. Restrict access to your wireless network based on the MAC (Media Access Control) address of your computer. Yes, these can be faked, once known, but why make things simple?Implement WPA (Wi-Fi Protected Access) or WPA2, if you can, to further secure your wireless network. And use a pre-shared key which is not easy to guess.

Conclusion
Although, you can never make a computer 100% secure, the objective is to put as many obstacles in the way and put off the casual hacker. So by following these 7 basic steps you will have a more secure computing environment. And remember, by implementing proper computer security on our own computer, we are making the Internet a safer place to surf for everyone.

Author: David S McKone
Article Source: EzineArticles.com

SMB Cyber Security Alliance helps Small Businesses address Cyber Security Risks Across all industries, small businesses are increasingly facing new threats...
Interested in Computer Forensics? I recently went through an EC Council Computer Hacking Forensic...
Microsoft offering choice of browser to users in Europe Microsoft has been ordered to introduce the browser “ballot box”...

Defend your Small Business against Online Bank Fraud

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Tue, 09 Feb 2010 00:08:34 +0000

Is your banking practices putting your business at risk? Protect your small business accounts from cybercriminals. The Wall Street Journal offers the following suggestions for small businesses seeking to ward off an attack:

Defend your Computer

Hackers often take aim at small firms’ computers because they are easier to infiltrate than banks’ systems. One common mode of attack is to send a “spear phishing” email containing an infected file or a link to a malicious Web site to employees with access to the firm’s financial accounts. Once the employee opens the attachment or goes to the Web site, malware is installed on the computer that allows criminals to access banking logins and passwords. While up-to-date antivirus software offers substantial protection against malware, it isn’t 100% effective.

Accessing your bank account through a computer that isn’t used for anything else—no email or Web surfing—and isn’t connected to the local network offers strong protection, says William Nelson, president of the Financial Services Information Sharing and Analysis Center, an industry group that collects and shares threat data.

Another option is to use an obscure computer operating system such as Ubuntu or Web browser such as Opera because attackers rarely create malware for them, security experts say.

If you use Microsoft Corp.’s Internet Explorer browser, make sure you have the latest version, IE 8, which includes security features to help prevent attacks. Consider using Explorer in “protected mode,” which restricts files that try to install on a computer without the user’s consent, and set your “Internet zone security” to “high,” which disables some of Explorer’s less-secure features, according to Microsoft.

Protect your Accounts

Ask your bank to set up “dual controls” on your account so that each transaction requires the approval of two people—a good guard against fraud, security experts say. Establish a daily limit on how much money can be transferred out of your account, and require that all transfers be prescheduled by phone or confirmed via phone call or text message. If possible, impose restrictions on adding new payees, security experts say.

Check bank balances and scheduled payments at the end of every workday, rather than the beginning, and immediately contact your bank if anything is amiss. Banks use the Automated Clearing House system to transfer funds to payees’ banks. These transfers usually aren’t paid until the next morning, so timely action could halt the completion of a fraudulent transaction, Mr. Nelson says.

Shop for a Bank

Review your agreement with your bank and know what rights you may be waiving by not using certain security measures. While agreements between banks and commercial customers typically absolve banks of responsibility for fraud losses, the bank down the street may offer better protections, so shop around. Also, consider adding insurance coverage for fraud losses.

Many banks, concerned about damage to customer relationships, have stepped up their defenses against cyberattacks, rolled out new protections for customers and begun sharing more threat information with each other and law enforcement, Mr. Nelson says.

An emerging motivator may be a growing number of lawsuits by small companies claiming their banks didn’t have “commercially reasonable” security.

A judge in a closely watched case involving a self-employed couple’s personal and commercial accounts said in refusing to grant a summary judgment that a jury might find fault with the adequacy of the bank’s defenses, which the plaintiffs argued weren’t state of the art at the time of the theft. The case—Shames-Yeakel vs. Citizens Financial Bank—was settled in late December under confidential terms. The plaintiff’s lawyer, John Soumilas of Francis & Mailman PC in Philadelphia, says he pursued the case as one of consumer-identify theft, where protections are ample.

Still, David D. Johnson, a digital-media lawyer at Jeffer, Mangels, Butler & Marmaro LLP in Los Angeles who wasn’t involved in the case, says the judge’s action suggests that “a bank can’t simply rest on its laurels, on its security measures that worked last year,” and avoid liability. The judge declined to comment, and Citizens Financial didn’t return a call for comment.

Reach Out

Connect with law-enforcement agencies before an incident occurs, suggests Mr. Henry. He says small businesses should consider joining the FBI’s InfraGard, a group of businesses, academic institutions and state and local law-enforcement agencies that seek to ward off cyberattacks and other threats by sharing information and intelligence.

He also urges companies to report all computer crimes immediately to the FBI. The agency has relationships with law-enforcement organizations around the world that are starting to bear fruit, he says, pointing to the recent arrest of 120 people tied to Romanian groups that allegedly stole money from U.S. companies and citizens.

“In the cases where we have put hands on somebody, it was the result of a victim company raising their hand and saying this happened,” Mr. Henry says. “If they hit you today, they’re hitting the guy down the street tomorrow.”

A Guide to Computer Security As the number of people connecting to the Internet continues...
Online Credit/Debit Card Security Failure Ross Anderson reports: Online transactions with credit cards or debit...
SMB Cyber Security Alliance helps Small Businesses address Cyber Security Risks Across all industries, small businesses are increasingly facing new threats...

Shmoocon 2010 Videos Online

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Mon, 08 Feb 2010 03:23:05 +0000

Shmoocon was this weekend. Unfortunately,I couldn’t get a ticket this year. The darn things sell out too quickly. If I had known Washington, DC would be buried under more than two feet of snow, I wouldn’t have been upset at my supposed misfortune. For the first time, the presentations were streamed live over the internet as most who had gotten tickets would not have been able to make it due to the weather. The recorded presentations can be viewed at the Shmoocon web site.

Last chance for Shmoocon 2010 tickets! Every year since 2005, security professionals and aspirants gather in...
ClubHack 2009 Presentations ClubHack is an “international” hacker conference in India started in...
Black Hat DC -2010 is here! Black Hat, one of the biggest and most popular security...

Stop 11 Hidden Security Threats

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Mon, 25 Jan 2010 23:48:32 +0000

Do you know how to guard against scareware? How about Trojan horse text messages? Or social network data harvesting? Malicious hackers are a resourceful bunch, and their methods continually evolve to target the ways we use our computers now. New attack techniques allow bad guys to stay one step ahead of security software and to get the better of even cautious and well-informed PC users.

These threats include shortened urls, scareware, rougue Wi-Fi hotspots, etc.

Don’t let that happen to you. Here are descriptions of 11 of the most recent and most malignant security threats, as well as complete advice on how to halt them in their tracks.

Read full article at http://www.networkworld.com/news/2010/012510-stop-11-hidden-security.html?page=1

2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...
More on Forensics… Follow what the NOVA Information Assurance Strike Team is up...
Cloud Security Alliance For more information on Cloud Computing Security, a good resource...

CISSP All In One Book FIFTH EDITION has been released

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Fri, 22 Jan 2010 04:52:57 +0000

The fifth edition of this best-selling comprehensive CISSP training resources was released on January 15, 2010. After taking the CISSP certification examination, I found that this was by far the text that came closest to covering the breath of the concepts on the exam and in the appropriate depth. The CISSP exam is often referred to as “mile wide and inch deep” because it thrives to cover all aspects of information security without getting too far in the weeds.

This book is written by the bestselling author and a respected IT security trainer Shon Harris. It serves as both a comprehensive certification study guide and student work book, and a fundamental on-the-job reference. The included CD-ROM includes more than 800 simulated practice questions in a Windows-based test engine, an electronic book, and video training from the author.

I personally recommend it. Most people who had previously taken the CISSP exam told me how hard it was . I believed them. And as I did not intend to take it twice. I invested a lot of time ( 6 months ) in preparing. I left the exam hall after three and a half hours feeling pretty confident. Thanks, partly to Shon Harris, I was well prepared and found the exam to be relatively easy. More details on the text can be found here.

Other CISSP training can also be locate here.

Black Hat DC -2010 is here! Black Hat, one of the biggest and most popular security...
Interested in Computer Forensics? I recently went through an EC Council Computer Hacking Forensic...
ISSA-NOVA Chapter December Meeting The Northern Virginia Chapter of the Information System Security Association...

Beware of Haiti-Themed Scams and Attacks!

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Thu, 14 Jan 2010 19:40:46 +0000

Our thoughts and prayers go out to all those affected by the tragedy in Haiti. To make matters worse, as is often the case with any incident that captures the attention of the multitudes, cyber-crooks are doing all they can to take advantage of the unsuspecting web browser looking for information of ways to help.

There are a large number of domains being registered and parked relating to the disaster. Not all of these are malicious naturally however if we learned anything from Hurricane Katrina, this is a precedent to cynical scams attempted to exploit the generosity of the unsuspecting. Scammers use a variety of means to drive traffic including promoting on social networks like Twitter, Facebook and MySpace, paid advertising, and search engine manipulation. Security Research Firm Websense reported that search terms relating to the earthquake are leading to a rouge anti-virus program. Since you should already have anti-virus software installed, updated and running on your computer, cancel out of any suspicious alerts and run a scan using your own anti-virus software. A video demonstrating search engine manipulation can be found here. Once on the site, attackers may also tempt users to download malware in the guise of video reports about the disaster.

Those looking to make donations will be well-advised to go directly to the web site of the International Federation of Red Cross and Red Crescent Societies. The FBI has also posted an alert warning of possible charity donation scams. The IRS also maintain a list of tax exempt charitable organizations. This can serve as a check as well.

Beware of Chile Earthquake Scams An 8.8 magnitude earthquake struck Santiago, Chile in the early...
Fake Security Software pose great risk Desktop Security 2010 is the proverbial wolf in sheep’s clothing....
If Microsoft can do it, why not McAfee? Yesterday, a faulty McAfee anti-virus update labeled a critical Microsoft...

Black Hat DC -2010 is here!

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Sat, 02 Jan 2010 21:04:55 +0000

Black Hat, one of the biggest and most popular security conferences in the world, will have its DC event at the Crystal City Hyatt Regency from Jan 31 to Feb 3. Black Hat was founded by Jeff Moss, one of the most sought after security voices in the world. The conference is composed of two major sections, Presentations and Training. Regular tickets for the presentations ( referred to as briefings) go for $1495 (ouch) until Jan 15 and then for $1695 until Jan 30. Tickets will be sold on site for $1995. The list for speakers and topics can be found at www.blackhat.com. There are also a host of security related training courses held during the event. The course cost from $1800 to $3800 per course. The complete list can be found here.

An archive of presentations from previous years can be found at Black Hat Media Archives. This includes presentations from all Back Hat events.

Black Hat DC 2010 Presentations are now available If you couldn’t afford to make it to Black Hat...
ClubHack 2009 Presentations ClubHack is an “international” hacker conference in India started in...
Shmoocon 2010 Videos Online Shmoocon was this weekend. Unfortunately,I couldn’t get a ticket this...

ClubHack 2009 Presentations

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Fri, 01 Jan 2010 16:02:01 +0000

ClubHack is an “international” hacker conference in India started in 2007. Although this is only the third year, some of the presentations are pretty interesting. See http://clubhack.com/2009/presentations

CISSP All In One Book FIFTH EDITION has been released The fifth edition of this best-selling comprehensive CISSP training resources...
More on Forensics… Follow what the NOVA Information Assurance Strike Team is up...
2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...

New Best Practices for Security Assurance in the Cloud

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Fri, 01 Jan 2010 15:34:07 +0000

The Cloud Security Alliance (CSA) produced version 2 of its “Guidance for Critical Areas of Focus in Cloud Computing” whitepaper. CSA is a non-profit organization formed to promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing. The whitepaper outlines key issues and offers advice both to customers and providers in 13 strategic domains. This version takes into account experience and lessons learn from real world deployments over the past six months.

See www.cloudsecurityalliance.org/guidance.

Cloud Security Alliance For more information on Cloud Computing Security, a good resource...
Cloud Computing = Loss of Confidentiality? Interesting excerpt from article in ITWorldCanada: “Adi Shamir, a computer...
The real arguments for Cloud Computing As more vendors dive into the cloud computing market, every...

Happy New Year 2010!

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Fri, 01 Jan 2010 03:18:15 +0000

Here’s to a more prosperous 2010.

Security Management Series – Part I -The Foundation The foundation of any security program should be based on...
United States Department of Defense Embraces Hacker Certification Mar 01, 2010 – The U.S. Department of Defense (DoD)...
More on Forensics… Follow what the NOVA Information Assurance Strike Team is up...

Last chance for Shmoocon 2010 tickets!

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Wed, 30 Dec 2009 19:50:21 +0000

Every year since 2005, security professionals and aspirants gather in Washington, D.C. for Shmoocon. Shmoocon is an annual hacker convention held by the Shmoo Group. It is three days of informative, fun, entertaining presentations about new hacking exploits, methodology and technology. The 2010 convention will be held on February 5-7. Space is limited and it has sold out every year since its inception. Compared to other security conventions, it is very affordable. Tickets are sold from $100 to $300 in three rounds. The first two round sold out within 2-3 minutes. Even if you try to register at the very minute the tickets are made available, you might not make it as the demand is so great. I was one of those unfortunately souls hitting refresh feverishly during round two but didn’t make the cut. There is hope, however. Round 3 sales begin on January 1 at 12 noon. I shall certainly give it another go. I have thoroughly enjoyed the convention in the past and it’s a great bargain for the price.

The list of presentations are post here.

Shmoocon 2010 Videos Online Shmoocon was this weekend. Unfortunately,I couldn’t get a ticket this...
2010 CyberSecurity Watch Survey Cybercrime threats posed to targeted organizations are increasing faster than...
Black Hat DC -2010 is here! Black Hat, one of the biggest and most popular security...

Hack Attack Is Only Funny When It's Bill The Cat!

Guest Blogger — Wed, 30 Dec 2009 00:06:24 +0000

We were hacked. Bet the thought of it gives you shivers. It sure did me, and more!

As a web designer I use many tools to monitor my site and stats. I signed up for Google Webmaster Tools and was horrified to see a list of keywords that were pornographic AND not on my site. The first question, of course, was where on earth were these coming from.

The next step was to go through every page on the server and check for files / folders that appear suspicious. My main site was fine. What was not fine were archived folders (2) outside of my main site.

I downloaded one of the pages to view the code and saw that there was a script underneath. On further research (Google search) I discovered that these pages were simply jumping off points, due to the script, to actual pornographic sites. But there was my url listed with these awful pornographic words – in Google’s search index.

What I Did Once Found

I removed the files. I created a 400, 403, 404 page stating “PLEASE NOTE: WE HAVE HAD A PROBLEM RECENTLY OF FILES BEING UPLOADED TO OUR WEBSITE THAT WERE NOT CREATED BY THIS COMPANY AND CONTAIN OFFENSIVE MATERIAL. IF YOU ARE LOOKING FOR THESE FILES, THEY NO LONGER EXIST.”

Seeking Extra Resources

My next step was to go to upload an htaccess file loaded with all of words. So we went through all the keywords we had (don’t do this on a full stomach folks) and added to the list and put it up.

How Did This Happen?

It appears that malware has been downloading to unsuspecting websites with a software update.

What Can You Do To Check Your Site?

A good place to start is Google Webmaster Tools and Google Analytics because (increasingly) Google is using the Google Webmaster Tools to inform webmasters of problems with their sites. If you see strange page names being accessed and keywords that do not relate to your site you very well may have a problem. If this is the case contact your hosting company AND check every file in every folder.

Author: Jan Carroll
Article Source: EzineArticles.com
Provided by: Guest blogger

Skipfish-Web Scanning Security Tool from Google Google has released an open-source Web security scanner called Skipfish...
Pause your Google History Have you ever used your Google search history? If you...
Enter the Dragon browser, the more secure Google Chrome The open source engine that forms the basis for Google’s...

Merry Christmas, One and All!

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Thu, 24 Dec 2009 20:41:40 +0000

Cloud Computing = Loss of Confidentiality? Interesting excerpt from article in ITWorldCanada: “Adi Shamir, a computer...
United States Department of Defense Embraces Hacker Certification Mar 01, 2010 – The U.S. Department of Defense (DoD)...
More on Forensics… Follow what the NOVA Information Assurance Strike Team is up...

Cloud Security Alliance

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Thu, 10 Dec 2009 21:02:26 +0000

For more information on Cloud Computing Security, a good resource is the Cloud Computing Alliance, a “non-profit organization formed to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing”. The list of founding members includes names from companies like Dell, PGP, McAfee, Sun, and a host of other recognizable names.

They also have a Google Group set up for discussion that anyone can view and/or participate.

New Best Practices for Security Assurance in the Cloud The Cloud Security Alliance (CSA) produced version 2 of its...
Cloud Computing = Loss of Confidentiality? Interesting excerpt from article in ITWorldCanada: “Adi Shamir, a computer...
Exploring Cloud Computing Information Leakage If you are in cloud computing security (or part of...

ISSA-NOVA Chapter December Meeting

William McBorrough, MSIA, CISSP, CISA, CRISC, CEH — Thu, 10 Dec 2009 00:42:24 +0000

The Northern Virginia Chapter of the Information System Security Association ( ISSA ) will be hosting its monthly chapter meeting for December tomorrow. The speaker with be LTC Ken Fritzshe, Phd, CISSP of the US Army. He will be discussing Application Security. More info at the ISSA-NOVA website.

United States Department of Defense Embraces Hacker Certification Mar 01, 2010 – The U.S. Department of Defense (DoD)...
CISSP All In One Book FIFTH EDITION has been released The fifth edition of this best-selling comprehensive CISSP training resources...
More on Forensics… Follow what the NOVA Information Assurance Strike Team is up...