Thursday, May 28, 2009

New Software Revolutionizes Computer Security

| Brett D. Arion |
Tizer Secure™ Beta released for free testing at

Chapel Hill, NC May 28, 2009 -- A Chapel Hill, NC-based technology company is entering the competitive internet security market with the release of Tizer Secure™ Beta, a robust computer security solution for Windows PC users that finds both verified and unverified malware threats, stops infections at the point of entry, protects privacy, optimizes a system's performance and removes hard-to-detect rootkits.

"The cornerstones of Tizer Secure™ Beta are its Adaptive Heuristics for Early Detection (AHED) and its Hidden Process Rootkit Detection systems," says Joy Valentine, VP of X-Wire Technology, the Chapel Hill, North Carolina company behind the new internet security solution.

After Tizer Secure™ scans the computer and compares its files and processes to a database of active malware threats, its AHED scan uses its proprietary algorithm to identify any potentially harmful files, processes and rootkits that are not in the database.

Tizer Secure™ also has built-in reporting tools from which users can report unverified cases of malware to Tizer Secure's™ team of experts who analyze these files, verify actual threats and update the application, database and heuristic scan in real time to protect all users.

Built with AHED as its foundation, Tizer Secure's™ suite of sophisticated all-in-one internet security tools offers:

* Protection: Tizer Secure™ detects and removes malware--viruses, rootkits, spyware, adware and trojans--and provides real-time, pro-active protection against fresh infections at the point of entry using a combination of advanced security tools called VGuard.
* Privacy: It permanently removes private entries and online history, blocks keyloggers and shreds sensitive files in order to protect your privacy and prevent identity theft.
* Performance: Tizer Secure's™ Registry Optimizer cleans and repairs registry errors that consume system resources and slow down your computer. The software is also optimized to consume minimum CPU and memory so as not to slow down your machine.

Even though Tizer Secure™ Beta is new to the market, these internet security tools have been years in the making.

"The advanced technology and enhanced tools that drive Tizer Secure™ were all built to satisfy certain pain points of our clients which are all related to the core issues of protection, privacy and performance," says Valentine.

X-Wire Technology, an IT services outsourcing and marketing company, provided technical support to clients who found existing computer security products inadequate. In response, the company's developers created separate, specialized tools to satisfy clients' needs.

"Our clients quickly discovered that these specialized tools worked better than the malware removal applications that they had been using," says Valentine. "They encouraged us to develop a new internet security application that combined all of these tools and thus Tizer Secure™ was born."

The beta version of Tizer Secure™ can be downloaded for free from

About X-Wire Technology
Headquartered in Chapel Hill, N.C., and with offices in Mumbai, India, X-Wire Technology provides IT outsourcing and marketing to clients around the world. The company specializes in web design and development, technical support software development, customization, business automation, ecommerce solutions and engineering services.

CIS issues free benchmark on iPhone security

| Brett D. Arion |
The nonprofit Center for Internet Security today released what it termed the industry's only consensus security benchmark for the iPhone, which is aimed at helping IT managers and users reduce the risk of data stored on the device from being compromised.

The benchmark is free with a required registration at the CIS Web site.

The document takes users through more than 20 simple recommendations for system settings, Safari settings and iPhone Configuration Utility settings, a spokeswoman said. Using the recommendations is designed to help reduce the chance of a remote attack, with instructions on securely erasing data and setting up strong passwords.

A separate benchmark for multi-function device security provides configuration and deployment guidance for business printers, copiers, scanners and fax machines.

The iPhone benchmark applies to iPhone OS version 2.2.1 and the iPhone Configuration Utility version 1.1.043, CIS said.

Blake Frantz, chief technology officer at CIS, said the iPhone presents "security challenges" for enterprises. Some large businesses, such as Kraft Foods and Oracle Corp., have adopted the iPhone for workers on a large scale, although there have been some holdouts in the financial sector, including Bank of America, over security concerns.

Over the past year, CIS has had more than 1 million downloads of its benchmarks, which it develops according to a wide range of standards and with input from 150 members in corporations, government, universities and security organizations, the CIS Web site said.

Wednesday, May 27, 2009

New Websense Survey Reveals State of Web 2.0 Use, Policies and Security at Businesses Worldwide

| Brett D. Arion |
Websense Delivers Free Tools to Help IT Professionals Enable Web 2.0 in the Workplace While Mitigating Security Risks

Websense, Inc. (NASDAQ: WBSN) today revealed the findings from a global survey of 1,300 information technology managers across ten countries, asking about their perceptions of Web 2.0 in the workplace, testing their understanding of Web 2.0 technologies and assessing their organizations' level of security preparedness. Web 2.0 sites and applications allow user-generated content and comprise the majority of the top 100 most visited sites on the Internet, including search engines like Google and Yahoo!, resources like Wikipedia and news sites like CNN. Key findings from the Web2.0@Work(TM) survey include:

Web 2.0 in Business is Here to Stay

Web 2.0 has made an impact in the workplace and will continue to change the way organizations conduct business as more Web 2.0 applications make their way into the corporate environment. Though many Web 2.0 services were designed for consumer use rather than business use, organizations across all industries are already using them to increase collaboration and information exchange, streamline processes, engage key stakeholders and generate revenue. Specifically:

-- 95 percent of respondents currently allow employee access to some Web 2.0 sites and applications -- most commonly webmail, mashups and wikis
-- 62 percent of IT managers believe that Web 2.0 is necessary to their

IT Experiences Pressure from All Sides

Employees are clamoring for even more use of Web 2.0 in the workplace, leaving IT departments to find the right balance between preventing security risks while still allowing safe and flexible access. The pressure for more Web 2.0 access is coming not from rogue employees, but rather from lines of business and top-level executives:

-- 86 percent of IT managers reported feeling pressured to allow more access to more types of Web 2.0 sites and technologies
-- 30 percent of respondents reported pressure coming from C-level executives and director level staff
-- 34 percent reported pressure coming from marketing departments
-- 32 percent reported pressure coming from sales departments

IT Professionals Are Overconfident in Their Security

Though many organizations already allow access to some types of Web 2.0 sites and applications, a dangerous security gap exists. The majority of respondents reported feeling confident in their organization's Web security, though they admit to not having the necessary security solutions to protect from all threat vectors. Additionally, a surprising number of respondents appear to be confused on what exactly constitutes Web 2.0 -- and what they don't know could put their organizations at risk.

-- 80 percent of respondents reported feeling confident in their organization's Web security, despite the fact that the numbers show they are ill-equipped to protect from Web 2.0 security threats:
    -- 68 percent do not have real-time analysis of Web content
    -- 59 percent cannot prevent URL re-directs
    -- 53 percent do not have security solutions that stop spyware from sending information to bots
    -- 52 percent do not have solutions to detect embedded malicious code on trusted Web sites
    -- 45 percent do not have data loss prevention technology to stop company-confidential information from being uploaded to sites like blogs and wikis, hosted on unauthorized cloud computing sites, or leaked as a result of spyware and phishing attacks
    -- Only 9 percent report having security solutions in place to cover all threat vectors
-- There is confusion even among IT professionals about what constitutes Web 2.0: Only 17 percent of respondents correctly identified all the items in the survey that can be considered Web 2.0
-- Only half identified wikis, video uploading sites like YouTube and hosted software/cloud computing sites like Google Docs to be Web 2.0
-- 47 percent of respondents report that users in their organization try to bypass their Web security policies, demonstrating that new policies are needed to provide the flexibility for employees to access the Web for their jobs while preventing inappropriate use or security threats.

Research from Websense® Security Labs™ shows that 57 percent of data-stealing attacks are conducted over the Web. The nature of Web 2.0 sites, which allow users to create and post their own content, provides an easy vector for cyber criminals to launch their attacks on a large number of users. With more than 90 percent of organizations around the world reportedly lacking the security solutions necessary to prevent dynamic Web threats and data loss across all threat vectors, consumers should be wary of which businesses they trust with their personal data.

Say "Yes" to Web 2.0 at Work

Findings from the Web2.0@Work survey demonstrate that IT professionals around the globe are struggling to strike a balance between taking advantage of the benefits of Web 2.0 while mitigating the security risks. The reality of the business environment today is that organizations can no longer simply block access to Web 2.0. With members of the "millennial" generation now in the workforce, employees not only expect access to Web 2.0, but some even use it as their preferred method of communication.

"We've heard from many organizations that want guidance on establishing Web 2.0 usage policies and help determining the right Web 2.0 security solutions," said Jim Haskin, senior vice president of marketing and chief information officer, Websense. "For that reason, Websense is introducing free tools and best practice strategies to assist IT professionals in their desire to enable safe Web 2.0 access in the workplace. With our industry-leading secure Web gateway and Web 2.0 early threat detection and protection technology, Websense is uniquely qualified to help businesses say 'Yes' to appropriate use of Web 2.0 at work."

Free tools for Safely Enabling Web 2.0 at Work

Visit to register for a free analyst report and a June 10 webcast on best practices for Web 2.0 at work. The complete 2009 Web2.0@Work survey results are also available on the site. Additionally, Websense has launched the "Web2.0@Work - Powered by Websense" page on Facebook as an interactive community for employees, employers and IT professionals to discuss the benefits and risks associated with Web 2.0, share stories of their organization's successful use of Web 2.0 and to read additional research on the topic.

Research Methodology

Independent research firm Dynamic Markets was commissioned by Websense to conduct 1,300 interviews with IT managers in Australia, Canada, China, France, Germany, Hong Kong, India, Italy, the UK and the US. One hundred interviews were collected in all countries, except the US where 400 were collected. Before and during the interviews, participants were not aware that Websense had commissioned the research. Respondents confirmed that their organizations had 250 or more PC users and also confirmed their level of seniority: 32 percent operate at CIO/director level and 68 percent are at manager level. None of the sample are clerical or admin-level IT staff.

Full details on the survey methodology can be found in the report "Web2.0@Work" on

About Websense, Inc.

Websense, Inc. (NASDAQ: WBSN), a global leader in integrated Web, data and email security solutions, provides Essential Information Protection™ for more than 44 million product seats under subscription. Distributed through its global network of channel partners, Websense software and hosted security solutions help organizations block malicious code, prevent the loss of confidential information and enforce Internet use and security policies. For more information, visit

Websense is a registered trademark of Websense, Inc. in the United States and certain international markets. Websense has numerous other registered and unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.

Monday, May 25, 2009

New Flash Security Prevents IP and ID Theft.

| Brett D. Arion |
LockLizard announces LockLizard Flashguard Flash Security, their latest product extending the range and reach of their DRM management systems to Adobe shockwave flash (SWF) files.

Flashguard is a unique flash protection product allowing companies that publish or sell flash files (SWF files) to ensure complete protection of their intellectual property. It prevents decompiling of flash files and controls what users can do with the displayed content.

Flashguard secures flash files against decompiling, unauthorized viewing, copying, sharing, modifying, saving, screen grabbing and printing. The source files (FLA files - multimedia objects, images and scripts that make up an SWF file) are always protected against editing and misuse.

Flashguard is able to prevent users from making unlicensed copies of flash files, whilst losing none of the flexibility and capability of the format that allows both creator and user to work in a flexible and highly interactive way.

It provides the usual DRM controls such as setting an end date for the use of a file (useful if a product is being rented rather than sold) and includes the ability to remove licenses in realtime if the recipient is misusing the product.

Flashguard is not an obfuscation product but a fully fledged Flash DRM protection system. Obfuscation products don't actually encrypt source code, they just alter the code and structure, often causing flash files to stop functioning correctly or at all.

Flashguard completely encrypts the source code (with AES 256 bit encryption) preventing programs decompiling your SWF files to FLA files. Your source code is not altered in any way - ensuring your flash files continue working as before they were protected. Content is only ever decrypted in memory and your nested scripts, objects, images, and animation are fully secured at all times. In addition Flashguard controls who can view your flash files, how long or how many times they can be viewed, and whether printing is allowed. It also stops screenshots of your flash files from being taken.

Flashguard has significant appeal to training course providers, who can now take realistic steps to protect what is very expensive development work for them.

So trainers can afford to develop many more courses that achieve the potential for user interactivity that these mediums present than was possible with the more static approaches in PowerPoint or PDF. But without giving it away.

Many flash games (and their underlying intellectual capability) are effectively 'given away,' because they cannot be adequately protected, whilst there continue to be markets, such as simulation exercises, which are more closely guarded secrets. Flashguard enables these markets through the introduction of a more effective layer of protection.

"The introduction of Flashguard allows many organizations that were previously unwilling to commit their IPR into flash because of security concerns, to move ahead," said Dr Mathews. "Many companies have realized the potential of flash as an interactive medium, but have been afraid to publish content in this format as there has been no means of protecting it. Now, more than ever before, the new technologies have to earn their promise of lowering cost and increasing profit. But without giving everything away."

LockLizard Flashguard flash security entry level pricing is just $2495 for a subscription license, with perpetual and own server licenses available. More information can be found at Flash security

About LockLizard
LockLizard is a DRM vendor that produces document security, pdf security, ebook security, copy protection, and web content encryption products that use DRM technology to protect information from intellectual property theft. Our DRM software prevents copying, printing, screen grabbing, and sharing of information without the use of insecure passwords. Find out more at LockLizard DRM security

Gartner warns of anti-spyware rip-off

| Brett D. Arion |
Gartner is warning companies not to be ripped off by vendors seeking to sell anti-spyware software as a standalone product.

Most security software products include anti-spyware utilities, but Gartner analyst Neil MacDonald reports in a recent blog posting that he is still hearing about companies trying to charge customers extra for anti-spyware software.

"Most of the vendors in the anti-malware space understand the market dynamics and have moved to comprehensive endpoint protection platforms where the vendors provide a platform for multiple styles of protection to pick and choose from – firewall, anti-virus, anti-spyware, host-based intrusion prevention, application control, device control and so on," he said.

"There is no sustainable market for standalone anti-spyware, and no reason you should be paying separately for it."

MacDonald explained that the market for such software used to exist, but the idea of a standalone package is unnecessary given that spyware protections are built into most security code. He suggests changing supplier if a company tries to charge extra.

Microsoft's free anti-spyware tool is also a good reason not to pay, he said, adding that companies can install it themselves or use the code as a bargaining tool with their suppliers.

Network Security Auditing and Monitoring

| Brett D. Arion |
May 24, 2009 (Nsasoft) -- Nsauditor Version 1.9.1 updates network vulnerabilities detection database. Nsauditor is a complete networking utilities package (more than 45 network tools in one) that includes a wide range of tools for network auditing, scanning and monitoring. The product contains a built-in database of known network security vulnerabilities, which allows you to select the items for scanning and add custom entries. With Nsauditor Network Security Auditor, Systems Administrators are able to gather a wide range of information from all the computers in the network without installing server-side applications on these computers. It is a multi-purpose tool designed to scan networks and hosts for vulnerabilities, and to provide security alerts. Nsauditor Network Security Auditor significantly reduces the total cost of network management in enterprise environments by enabling IT personnel to audit and monitor remote network computers for possible vulnerabilities. The software network auditor module checks network for all potential methods that a hacker might use to attack it, discovers network services and checks them for vulnerabilities. Nsauditor Network Monitoring module shows you detailed listings of all TCP and UDP endpoints on your system, including the owning process name, remote address and state of TCP connections, country of origin and service name/description. When you start Nsauditor it will enumerate all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions.
In summary, Nsauditor Network Security Auditor is a very complete network tools package.

Pricing & Availability

Nsauditor runs under Windows 2000, XP, 2003, Vista. The product costs $69 (US) for a single-user license and is available immediately through the Nsasoft store and its authorized resellers worldwide. Licensed users get free lifetime updates and premium technical support. More information is available from

About Nsasoft

Nsasoft LLC is a privately-held software company, specializing in network software, password and product key recovery solutions. Its premier products include (but are not limited to) Nsauditor Network Security Auditor; SpotAuditor, an all-in-one password recovery solution; Product Key Explorer, product key recovery software; NetShareWatcher, a network access policy monitoring and management tool. The company was founded in 2004 and is based in Yerevan, Armenia. For more information, visit



Cisco Expands Security Services Into the Cloud

| Brett D. Arion |
In today's changing world, businesses require a security strategy that accounts for the physical, virtual, mobile and global aspects of their business. As a result Cisco has announced new additions to its portfolio that bolster the network security infrastructure and the delivery of cloud security services. As companies continue to extend connectivity outside their office walls, businesses must focus on new ways to protect their data and communications. These new security offerings incorporate new threat defense products and services that will help customers protect against attacks, malware and botnets, no matter where they connect and communicate.

* Cisco Security Cloud Services: This service ties together services from multiple networks and applications, bringing together the cloud and the enterprise network for highly secure collaborative communications. The Cisco Security Cloud supports the recently announced Cisco IronPort Hosted Email Security Services as well as Global Correlation, a powerful new technique that powers security services integrated into Cisco's broad range of security offerings.
* Cisco IPS Sensor Software Version 7.0: Global Correlation for intrusion prevention system (IPS) harnesses the power of Cisco Security Intelligence Operations, a powerful threat-defense ecosystem, to achieve unprecedented threat-protection efficacy.
* Cisco ASA 5500 Series 8.2 Software: This offering in the Cisco Adaptive Security Appliances family is designed to enhance end-to-end security for offices of all sizes, improving threat mitigation and enabling companies to more securely connect, communicate and conduct business.
* Cisco SAFE: A security reference architecture that provides prescriptive validated design guides to help organizations plan, design and deploy security solutions across the network, such as campus offices, the Internet edge, branches and data centers. These blueprints provide defense-in-depth guidance and best practices for securing data and transactions as they traverse the network.
* Cisco Information Technology Governance, Risk Management, and Compliance (IT GRC) Security Assessment Services: These services help organizations establish a single program for reducing information security risk and the cost of compliance, by aligning business and technology strategies. With the Cisco IT GRC Security Assessment Services, organizations can establish a common control framework: a single, unified set of security controls that efficiently meet compliance obligations and protect organizations from threats.

Tuesday, May 19, 2009

Report: Over 60 Percent of Websites Contain Serious Vulnerabilities

| Brett D. Arion |
Newly released client data from White Hat Security finds organizations are slow to close known security holes in their Websites

Most Websites harbor at least one major vulnerability, and over 80 percent of Websites have had a critical security flaw, according to new data released today by WhiteHat Security.

The Website vulnerability statistics, based on Website vulnerability data gathered from WhiteHat's own enterprise clients, show that 63 percent of Websites have at least one high, critical, or urgent vulnerability issue, and there's an average of seven unfixed vulnerabilities in a Website today.

"What we know from this report is that the Web is at least this insecure," says Jeremiah Grossman, CTO of WhiteHat.

The top ten classes of vulnerabilities haven't changed much from WhiteHat's findings in the fourth quarter of 2008. The pervasive cross-site scripting (XSS) flaw still leads the pack as the most likely vulnerability in a Website, with a 65 percent chance that a Website has XSS bugs, followed by information leakage, with 47 percent.

And the average number of vulnerabilities per Website over its lifetime is 17, according to WhiteHat's data.

"Customers are fixing large swaths of vulnerabilities, but it's really tough to wipe out 100 percent of vulnerabilities, even by class and severity," Grossman says. "And even if you fix nine of 10 cross-site scripting vulnerabilities, you still have one. That's why the percentage of sites likely to have cross-site scripting vulns is" so high, he says.

And all it takes is one XSS vulnerability for an attacker to do his dirty work, he says.

Around 30 percent of Websites are likely to contain content spoofing bugs; 18 percent, insufficient authorization; 17 percent, SQL injection; 14 percent, predictable resource location; 11 percent, session fixation; 11 percent, cross-site request forgery (CSRF); 10 percent, insufficient authentication; and 9 percent, HTTP response-splitting flaws, according to WhiteHat's latest counts.

But Grossman says CSRF flaws are actually much higher than 11 percent (it was 10 percent in the fourth quarter of 2008): "We know it's actually a lot higher than that," he says. "Unless you're doing a manual process [to find CSRF], that number goes under-reported."

Around 82 percent of Websites have had at least one high, critical, or urgent vulnerability as of the first quarter, and 63 percent still have at least one of these types of flaws on their sites.

Social networking companies have an 82 percent chance of having unresolved high, critical, or urgent flaws in their Websites; IT firms, 75 percent; financial services, 65 percent; insurance, 64 percent; retail, 61 percent; pharmaceutical, 59 percent; telecommunications, 54 percent; and healthcare, 47 percent.

Another problem plaguing Website owners is fixing the vulnerabilities they find in a timely manner. Today, there is an average of seven unresolved vulnerabilities on a Website, and only 60 percent of all vulnerabilities discovered in Websites by WhiteHat are fixed. Insufficient authentication weaknesses can take over two months to get fixed; information leakage, 85 days; and XSS, 58 days, for example. The quickest turnaround was SQL injection, at 38 days.

"The time-to-fix is still weeks, months, or never," Grossman says. "These numbers are likely to grow because we can only count the time-to-fix when they are actually fixed."

Grossman says how an organization prioritizes its vulnerability remediation varies from company to company. "How do you judge risk, allocate your resources? You need two strategies -- one for the Websites that have not yet been built, and another for ones that are currently live."

And IT security often struggles with keeping up on all of the Websites their organization is building. "One of the biggest things they are grappling with is knowing what Websites they have. Security guys may not know when a new Website goes live," Grossman says.

WhiteHat will host a Webinar on its latest findings tomorrow, May 19 at 11am Pacific and 2pm ET.

IIS6 vulnerability exposes protected data

| Brett D. Arion |
Microsoft has issued an advisory to address public reports of a remote authentication bypass vulnerability that exists because of how the WebDAV extension for IIS (Internet Information Services) deals with HTTP requests. If exploited, an attacker would have access to password protected folders and the ability to list, download, and upload files into protected WebDAV folders.

Discovered and disclosed by Nikolaos Rangos, the vulnerability exists because the “…Web Server fails to properly handle unicode tokens when parsing the URI and sending back data,” he said in his report.

Affected are IIS 5.0, IIS 5.1, and IIS 6.0. However, in their posting on the SRD Blog, Microsoft said that some IIS configurations are not vulnerable. If a server isn’t running WebDAV, then it is immune from this attack; such is the case with Server 2003, where IIS 6 shipped with WebDAV disabled by default. Likewise, if a server is not using IIS permissions, which restrict access to content, then it too is not vulnerable.

“We are still investigating different attack ideas possible using this vulnerability but the original report claimed files could be uploaded and modified. However, what we have found is that the IIS installer applies an NTFS access control entry to explicitly deny write access to the anonymous account (IUSR_[MachineName]) in wwwroot and subdirectories that inherit wwwroot’s ACL. So in the default case, this vulnerability will not allow a malicious attacker to upload or modify webpages,” the SRD blog says.

Microsoft says that they are unaware of any attacks using this vulnerability, but an advisory from CERT says that they have reports of active attacks using published code. Even if there are not active attacks at this time, the cat is out of the bag and the nature of slow patching that is prevalent within IT means this is just another vector to attack with.

Advisory 971492 explains some steps to take in order to mitigate any attack on systems running IIS. The main suggestions are to disable WebDAV and to alter ACLs to deny access to the anonymous user account, should WebDAV be required.

Christopher Budd, security response communications lead for Microsoft, said in a statement that, “Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”
In addition, he said they are working with everyone involved with MAPP, as well as the Security Response Alliance.

Thursday, May 14, 2009

NVlabs, Friends of HackersCenter, Release Bootkit Code Targeting Windows 7

| Brett D. Arion |

Wednesday, May 6, 2009

"Government networks still have weak links" NO DUH!!

| Brett D. Arion |
WARNING, RANT TO FOLLOW (These views are mine and mine alone and in no way reflect the thoughts or feelings of the other staff members of or any other affiliated organization of

Ok, so here is the Trillion Dollar Question....Is there any entity that has a connection which in any way shape or form is connected to another entity, the world wide web, or even a phone line, not have weak links? If I remember correctly, if you really want to be C2 compliant (I know, I'm showing my age), then you shouldn't connect a computer to ANYTHING. As a security professional (ok, so I think I'm a professional, smile), I for one am getting tired of news agencies and press releases that state "/ENTER ANY NAME HERE/ Susceptible to Cyber Attacks". I for one am done as we all know that there is nowhere safe to hide from people who are going to exploit technology for fun or profit. Let us move past this sensationalism in the press, and start publishing ideas on how to better secure our on-line assets, and just stop pointing out the obvious (and I'm not singling out GCN, I happen to like their publication very much).

This issue of weakness in technology not only affects the American Government, but any and everyone with any type of technology that is connected to a relaying entity such as a phone company, satellite, external network, or internet ISP. What we are not seeing is the collaboration necessary to encourage a change in the culture and behavior of cyber criminals, vandals, miscreants, or plain geniuses with nothing better to do with their time. Crime is always going to be an issue in this industry, and the only way we can combat it is to give better incentive to companies to produce higher quality products more thoroughly tested and secured. Yes, this means that it will be a lot more expensive to ensure that a product is vetted in order to limit the exposure, but I also believe there should be some guarantee that comes along with that product from the producer, much like what Surge Protector companies offered if their product failed to protect your assets from a power surge. Note I say limit, as there will always be ways to circumvent technology and the programming that is done by human minds in a logical/structured manner. What cannot continue to happen is that companies rush to get the product to market and worry about the ramifications later by supplying updates, patches, and hot fixes. I know I am not stating anything that has not been thought of or stated before now, but I am just really tired of this type of reporting. The media nowadays is obsessed with sex, violence, AND CYBERCRIME. At some point, media outlets will have to be the ones to effect change by not sensationalizing the issues at hand, but work in a way to better educate their constituents on how to better protect themselves and their organizations. It is my hope to actually see this type of news decline before I leave this world for a much better and technologically secure place!! (Ok, I'm finished, putting the soapbox back in the basement!!) I encourage comments (or backlash) to this post. I am really interested in how others feel about this, and if there are other ideas as to how to move past this dark spot in our cultures.

GCN Article: Government networks still have weak links

* By William Jackson
* May 06, 2009

Despite efforts to improve security, experts say government information systems remain vulnerable

House lawmakers who held a hearing on threats to the country’s information infrastructure May 5 heard a familiar tale of inadequately protected government systems facing a growing array of increasingly sophisticated threats.

“In the absence of robust security programs, agencies have experienced a wide range of incidents involving data loss or theft, computer intrusions and privacy breaches, underscoring the need for improved security practices,” testified Gregory Wilshusen, director of information security issues at the Government Accountability Office.

GAO and agency inspectors general have repeatedly identified vulnerabilities in the form of inadequate information system controls, Wilshusen said. At the same time, the number of incidents federal agencies have reported to the U.S. Computer Emergency Readiness Team has increased dramatically. In the past three years, such incidents have more than tripled — from 5,503 in fiscal 2006 to 16,843 in 2008.

Wilshusen made his statements before the House Oversight and Government Reform Committee’s Government Management, Organization and Procurement Subcommittee. He cited numerous GAO recommendations for improving cybersecurity and a number of recent initiatives that offer hope for improvement.

Other witnesses called for the White House to take a stronger leadership role in forming a national cybersecurity strategy.

“To date, there has not been an ongoing, coordinated, national approach with senior White House leadership that would drive strategy development and cohesive implementation, bringing the strengths and capabilities of the various agencies and the concerns and input of stakeholders to bear,” said Liesyl Franz, vice president of information security programs and global public policy at information technology industry group TechAmerica.

Threats have evolved in recent years from rapidly spreading worms and often obvious hacks to more targeted attacks that use a combination of technical and social tricks to get past defenses. Increasingly, the attacks are the work of organized criminals seeking financial gain. Espionage by foreign nations is also suspected as more breaches in government systems are discovered.

The Obama administration recently completed a review of the country’s cybersecurity initiatives and is expected to release a report with recommendations for revamping policies soon. Melissa Hathaway, who led the review, has said that the reviewers will recommend that the White House direct cybersecurity policy and agencies manage operational activities.

Franz agreed that White House officials cannot be expected to direct the operational details of cybersecurity.

“As part of the public dialogue on cybersecurity, some have expressed concern that a new adviser in the White House would take authorities or responsibilities away from the Department of Homeland Security or other agencies, but we do not believe that is the case,” she said. “Certainly, DHS and other agencies will have a large role to play in providing strategy input and implementing key elements of it.”

Franz also said TechAmerica officials believe the Federal Information Security Management Act needs to be reformed to emphasize risk management and security monitoring rather than more static certification and accreditation programs.

Witnesses described information security as crucial to the country’s economic development. Retired Air Force Lt. Gen. Harry Raduege Jr., chairman of the Deloitte Center for Network Innovation, said the government must lead by example, and it needs to start now.

“The federal government must become a model for cybersecurity, and it must start by securing our networks and information as quickly as possible,” Raduege said. “Improving the security of our federal networks and nation’s digital infrastructures will be a long-term effort, but immediate focused attention on this significant challenge is absolutely critical.”

Wilshusen cited widespread shortcomings in current information security programs. “Federal systems are not sufficiently protected to consistently thwart cyber threats,” he said. “Serious and widespread information security control deficiencies continue to place federal assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption.”

He said that for years, most agencies have not implemented the security controls necessary to detect or prevent unauthorized access to IT resources. In fiscal 2008, weaknesses were reported in those controls at 23 of 24 major agencies.

“Over the past several years, we and the IGs have made hundreds of recommendations to agencies for actions necessary to resolve prior significant control deficiencies and information security program shortfalls,” Wilshusen said.

Auditors found deficiencies in user identification and authentication, authorization, boundary protections, cryptography, auditing and monitoring, physical security, configuration management, segregation of duties, and contingency planning.

“We have also recommended that agencies fully implement comprehensive, agencywide information security programs by correcting shortcomings in risk assessments, information security policies and procedures, security planning, security training, system tests and evaluations, and remedial actions,” he said.

He also cited efforts such as the Comprehensive National Cybersecurity Initiative, the Information Systems Security Line of Business the Office of Management and Budget established, OMB’s Federal Desktop Core Configuration, and the General Services Administration’s SmartBuy program as opportunities for improving security.

“Until such opportunities are seized and fully exploited and GAO recommendations to mitigate identified control deficiencies and implement agencywide information security programs are fully and effectively implemented, federal information and systems will remain vulnerable,” Wilshusen said.

© 1996-2009 1105 Media, Inc. All Rights Reserved.


Want to know what some of the largest players in Security had to say at RSACON 2009?

| Brett D. Arion |
If you do, you are in luck: Information Security Media Group interviewed 94 technology and security vendors at the conference this year. Some of the big players such as McAfee, CA, IBM ISS, HP, and Verisign were represented. The interviewees had no idea what they were going to be asked beforehand, so the responses were truly spontaneous. The questions covered were:

- What does your company do?
- How do you do it? How does the product/service work?
- Why do prospects approach your company, what are their greatest security concerns?
- How has the economy impacted the way existing customers or prospects approach your company?
- Can you offer a bit of advice or "words of wisdom" for our users?

You can check out the answers to the questions from the companies represented here.

About ISMG:
Based in Princeton, N.J., Information Security Media Group publishes,, and, which are your one-stop portals for the latest news, insights and education on the top information security issues facing U.S. financial institutions and government agencies today. Through articles, webinars, podcasts, blogs and news alerts from federal regulatory agencies such as the FDIC, NCUA, NIST, OCC, FRB and OTS, our team is committed to providing up-to-date information on the security regulations, threats, solutions, training and career trends that most impact banks, credit unions, government agencies and other related enterprises. Leading companies supporting and benefiting from these initiatives include CA, Fortify, RSA Security, Secure Computing, Symantec and VeriSign.

McAfee highlights bots and Spam in Q1 Report

| Brett D. Arion |
McAfee’s latest Threat Report, which covers the first quarter of 2009, highlights a fifty percent growth in bots and confirms the increase of Spam levels as Spammers recover from the loss of McColo. In addition, the report kick-starts what will be a growing trend: a full-on backlash against Conficker.

McAfee opens its report with the discovery of 12 million new IP addresses operating online as part of a botnet. Most of the bots are used to send Spam, but they can also be used to spread Malware and to launch attacks. The existence of bots, or their growth, is nothing new to the security sector, but growth of this size, fifty percent according to McAfee, means that end-user systems are still under-patched and over-exposed.

Of the IP addresses observed acting as bots, 18 percent were in the U.S. and 13 percent were in China. For the first time, Australia makes the list, rounding out the top three with six percent. Since most of the bots observed were sending Spam, McAfee said that this is a clear example of the criminals recovering from the loss of McColo. Recent reports from IBM confirm this trend, especially when it comes to image-based Spam.

“…spam volumes have already recovered about 70 percent since McColo Corp. went offline. Compared with the same quarter a year ago, spam volumes are 20 percent lower in 2009 and 30 percent below the third quarter of 2008, which had the highest quarterly volumes recorded to date,” a company statement said.

On the Malware side of things, Koobface was the popular Malware for the quarter, with 800 new variants discovered in March alone. Also noted was the growth in legitimate websites being used to host Malware. Most of those sites, whose reputation is a factor the criminals hope to exploit, were located in the U.S., with China and Germany in second and third place respectively.

Lastly, McAfee looks to start a trend among the larger security vendors by pointing out that Conficker earned the most news coverage but accounted for only a small portion of the actual threat landscape online. According to McAfee’s numbers, AutoRun-related Malware, which is used by some of the variants of Conficker, accounted for only ten percent of detections in Q1.

McAfee’s full report is online here.


Tuesday, May 5, 2009

Virginia Health Data Potentially Held Hostage

| Brett D. Arion |
An unknown hacker has posted an extortion demand on WikiLeaks, seeking $10 million to return more than 8 million patient records and 35 million prescriptions allegedly stolen from the Virginia Department of Health Professions.

The note reads: "ATTENTION VIRGINIA I have your sh**! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :("

The note goes on to demand $10 million within seven days, presumably from the time the data was apparently seized on April 30, in exchange for the key to decrypt the encrypted backup.

"If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid," the note says.

It seems as though a notice has been posted on the DHP Web site stating that the site "is currently experiencing technical difficulties which affect computer and e-mail systems."

It seems that extortion demands of this sort have become relatively common in data breach cases. For instance, Express Scripts, a prescription drug management company based in St. Louis, received a letter that threatened the release of millions of patient records. The attack technique -- capturing data, encrypting it, then selling access to the former owner -- has become popular enough to earn its own name: cryptoviral extortion.

Sandra Whitley Ryals, director of the Virginia Department of Health Professions, said in an e-mail to InformationWeek that "a criminal investigation is under way by federal and state authorities. We cannot speak to the details because of the ongoing criminal investigation."


Monday, May 4, 2009

Movie body site hacked to show Pirate Bay

| Brett D. Arion |
The Pirate Bay trial may be over, but that doesn't mean those fun-loving kids have to cut out the fun altogether, particularly when the copyright authorities are involved.

With an eye on making a point, rather than doing any serious damage, some clever coder has managed to hack the website of the Motion Picture Association of America (MPAA) to make it show links to the latest illegal movie torrents.

Instead of a poll result, the MPAA site then prominently featured a list of Pirate Bay torrent files and that website's logo. The stunt was apparently achieved using XSS, or Cross-site scripting, to insert new content over the original material.

The attack has already been repelled, but we imagine the MPAA has heard the pirates' message loud and clear.


Free Security Magazines