www.paymentsystemsblog.com

March 27th, 2008

I ran into someone recently who said they found my blog, and that I haven’t updated it in a year!!! Well, I have a few days left, so here is a post right before the one-year gap in posting :) I have another blog that is more active than this one: www.paymentsystemsblog.com. While I might make infrequent posts here, most of my blogging will be related to payment systems and payment systems security.

Come on over.
DB

Expired Cards Safe? - Think Again, TJX

April 2nd, 2007


From the TJX Credit Card Theft Story: www.msnbc.msn.com/id/17853440/

TJX Cos., the owner of about 2,500 stores, said in a regulatory filing late Wednesday that about three-quarters of those cards had either expired at the time of the theft, or data from their magnetic strips had been masked — stored as asterisks rather than numbers.

The whole expired card thing is funny. It is spin. Just like stating a lost laptop was “password protected” and that the data was safe because it required a password.

TJX states: hey, don’t worry, these were expired cards, 75% of them were!!! Implying that these cards have no use to the attackers.

Have you ever noticed what happens when your card expires?

Here is the answer: you don’t get a new account number; your expiration date is incremented by a few years. Further, most authorization hosts do not match the expiration date against the card on file. They compare the provided expiration date to the current date, and only if it is in the past do you get an expired card response code.
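To make the point concrete, here is an added example (not from the post, and not any real authorization host’s code) that models both behaviours: the calendar-only expiry check the post describes, and a hardened check that also requires the supplied expiry to match the issuer’s card-on-file record. The PAN, the expiry and TODAY are constructed sample values.

```python
from datetime import date

# Constructed sample: the issuer's card-on-file record, keyed by PAN.
# The PAN is a well-known test number, not a real account.
CARDS_ON_FILE = {
    "4111111111111111": {"expires": (2009, 12), "status": "active"},
}

# The "current date" used throughout the worked example (the post's date).
TODAY = date(2007, 4, 2)

def not_past_expiry(exp_year, exp_month, today=TODAY):
    """A card is good through the end of its expiry month."""
    return (today.year, today.month) <= (exp_year, exp_month)

def authorize_naive(pan, exp_year, exp_month, today=TODAY):
    """The behaviour the post describes: the supplied expiry is only
    compared with the calendar, never with the card on file."""
    if pan not in CARDS_ON_FILE:
        return "DECLINE_NO_ACCOUNT"
    if not not_past_expiry(exp_year, exp_month, today):
        return "DECLINE_EXPIRED"
    return "APPROVED"

def authorize_strict(pan, exp_year, exp_month, today=TODAY):
    """Hardened: the supplied expiry must also match the issuer's record,
    so an expiry that does not belong to this account is rejected."""
    card = CARDS_ON_FILE.get(pan)
    if card is None:
        return "DECLINE_NO_ACCOUNT"
    if card["status"] != "active":
        return "DECLINE_INACTIVE"
    if (exp_year, exp_month) != card["expires"]:
        return "DECLINE_EXPIRY_MISMATCH"
    if not not_past_expiry(exp_year, exp_month, today):
        return "DECLINE_EXPIRED"
    return "APPROVED"
```

With the naive check, any future month passes; with the strict check, only the expiry actually on file for that account does.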

Sigh…

Windows zero-day flaw ‘very dangerous,’ experts say

March 31st, 2007

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015138

The Windows zero-day bug now being used by attackers is extremely dangerous, security researchers said today, and ranks with the Windows Metafile vulnerability of more than a year ago on the potential damage meter.

“This is a good exploit,” Roger Thompson, CTO of Exploit Prevention Labs, said in an instant message exchange. “It’s very dangerous. One of the reasons is that there’s no crash involved…it’s instantaneous. And all it takes is visiting a site.”

SANS InfoCon has been raised to Yellow because of this.

Encryption to the MAXX and the false sense of “Security” of encryption

March 29th, 2007


I’m sure everyone is familiar with the T.J. Maxx credit card loss. MSNBC has an article here. There was one paragraph that caught my eye:

“But TJX acknowledged it still knows little about the full scope of the breach, in part because the hacker or hackers accessed TJX’s encryption software and could have known how to unscramble the information”

What, you mean encryption isn’t the end-all solution!?! :)

My complaint against “encryption” comes down to a number of factors, including key management, but here is the biggest:

Encryption does not protect against application layer attacks. With database encryption you have two options:

  • Column level encryption
  • Transparent encryption or disk encryption

If an attack impersonates the application, then with column level encryption a SQL injection attack could call the decrypt function or stored procedure (a little harder to do, depending on whether your encryption logic is contained in the database or in the application itself), and if you are not using column level encryption, the information from the database is decrypted as soon as it is read. File level encryption is great for lost hard drives and hardware.

Guess what is easier to implement and doesn’t require re-writing code? Guess what most people implement? Guess what will still happen in the future? Injection attacks against “encrypted” databases and credit card breaches…
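An added example (not from the post, not any vendor’s code) that models the transparent-encryption case: every read path decrypts, so a query built by string concatenation hands back plaintext just as readily as a safe one, and the only thing that closes the hole is the application-layer fix (bound parameters). The table, the card numbers and the base64 stand-in for the real cipher are all constructed for the example.

```python
import base64
import sqlite3

# Stand-in for the transparent-encryption layer. Real TDE uses a proper
# cipher; base64 is used here only so the example runs offline, because
# the property that matters (reads always decrypt) is the same either way.
def tde_encrypt(plaintext: str) -> str:
    return base64.b64encode(plaintext.encode()).decode()

def tde_decrypt(ciphertext: str) -> str:
    return base64.b64decode(ciphertext.encode()).decode()

def build_db() -> sqlite3.Connection:
    """Constructed sample table: card numbers stored 'encrypted' at rest.
    The PANs are well-known test numbers, not real accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, pan TEXT)")
    rows = [("alice", "4111111111111111"), ("bob", "5555555555554444")]
    for customer, pan in rows:
        conn.execute("INSERT INTO cards VALUES (?, ?)", (customer, tde_encrypt(pan)))
    return conn

def read_rows(conn, sql, params=()):
    """Every read goes through the decrypt step, as with transparent
    encryption: whatever the query returns comes back as plaintext."""
    return [tde_decrypt(row[0]) for row in conn.execute(sql, params)]

def lookup_concat(conn, customer):
    """Vulnerable: the customer name is spliced into the SQL text, so the
    database executes whatever the caller puts in that string."""
    return read_rows(conn, f"SELECT pan FROM cards WHERE customer = '{customer}'")

def lookup_param(conn, customer):
    """Hardened: the customer name is a bound parameter, never SQL text.
    Encryption at rest is unchanged; only the application layer differs."""
    return read_rows(conn, "SELECT pan FROM cards WHERE customer = ?", (customer,))
```

Both lookups return the same plaintext for a normal name; the difference only shows when the input is not a name.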

Wireless LAN security myths that won’t die

March 27th, 2007

Some good comments on wireless security and on those items that are security theatre:

It’s been two years since I wrote “The six dumbest ways to secure a wireless LAN,” and it’s probably been one of my more successful blog entries ever, with two flashes on Digg. Since that time, I’ve written a free electronic book on enterprise wireless LAN security for anyone to use and download from TechRepublic. Since it has been two years, I’m going to update the information with more defined categories and better explain why they’re so bad from an ROI (return on investment) and security perspective.

http://blogs.zdnet.com/Ou/?p=454

Posted by George Ou at ZDNet

Metasploit 3 released!!!

March 27th, 2007

Metasploit 3 is released: www.metasploit.com/meta

“The Metasploit Framework (“Metasploit”) is a development platform for creating security tools and exploits. Version 3.0 contains 177 exploits, 104 payloads, 17 encoders and 3 nop modules. Additionally, 30 auxiliary modules are included that perform a wide range of tasks, including host discovery, protocol fuzzing and denial of service testing.

Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.”

I really like the new web interface.

Here are some links to some videos and screenshots of it in action:

http://sugar.metasploit.com/msf/gallery.html

Ten dangerous claims about smart phone security

March 24th, 2007



I’m looking into getting a smart phone to replace my normal cell phone. I came across this article. Beware that smart phones have security risks too.

Surprise, Microsoft Listed as Most Secure OS

March 22nd, 2007


From: www.internetnews.com/security/article.php/3667201

The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006.

While this is really based upon the number of vulnerabilities (12 of MS were severe, Mac 1, RHEL 2), and not their severity, it is good news that the world’s most popular OS is improving a little.

Bottom line: patch management is O/S agnostic.

PC Mag - Security Super Guide

March 21st, 2007

I received a copy of “PC Magazine” in the mail yesterday. What caught my eye was two different things. First, at the top it states “Special Double Issue”. I guess I was thinking that this would make the issue thicker. Is it just me, or wasn’t PC Magazine normally like 1″ thick in the past?

The other item was the title, “The Complete Guide to Security.” While this was a good basic overview, I think that it should have been called “Spyware, AntiVirus, Firewall, Parental Control, and a Review of Security Suite Software.” It wasn’t really the “complete guide” that I had hoped for.

You can read the article - there is a link below or on the image to the right.

Here is a list of the article’s Top 10 Security Threats; I’ll add some of my personal comments inline below:

For the PCMag.com article click here.

10 Spam Mail
While it’s annoying, it’s not a security threat unless it comes with a malicious payload. Your e-mail service may filter out spam automatically. If not, Outlook’s built-in “Junk E-Mail” filter is as effective as the spam protection in many suites.

Not everyone has their own domain or hosts their email server on Linux in their basement, but I use MailScanner, which provides gateway level AV, spam and other filtering on email.

9 Phishing Mail
Phishing messages pretend to be from eBay, PayPal, your bank, or the like. If you log in to their fake sites, they steal your username and password and you’re sunk. However, both IE7 and Firefox 2 have phishing detection built in.

Again, I use MailScanner to detect links to fake web sites and highlight them in the messages delivered to your users.

An example of the alert is here, where the thieves’ site “www.nasty.com” is pretending to be “www.bank.com”: To access your account, click on MailScanner has detected a possible fraud attempt by “www.nasty.com” claiming to be www.bank.com.
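The check behind that alert is simple to state: the visible link text names one host, the href points at another. Here is an added example (my own code, not MailScanner’s) that finds such anchors in an HTML message body and inserts a MailScanner-style warning in front of each one; the message body and the www.nasty.com / www.bank.com hosts are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample message body; the hosts are the placeholders from the post.
SAMPLE_HTML = (
    "<p>To access your account, click on "
    '<a href="http://www.nasty.com/login">www.bank.com</a>.</p>'
    '<p>Help: <a href="http://www.bank.com/help">www.bank.com/help</a> '
    'or <a href="http://www.nasty.com/x">click here</a></p>'
)

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that reads like a URL or a bare host name.
HOST_TEXT_RE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}", re.I)

def host_of(url):
    """Lowercase host of a URL (bare host names are accepted too), or None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname.lower() if parsed.hostname else None

def find_fraud_links(html):
    """Return (actual_host, claimed_host) for every anchor whose visible
    text names a host other than the one the href really points to."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = HOST_TEXT_RE.match(text.strip())
        if not shown:
            continue  # "click here" makes no claim about the destination
        claimed, actual = host_of(shown.group(0)), host_of(href)
        if claimed and actual and claimed != actual:
            findings.append((actual, claimed))
    return findings

def annotate(html):
    """Insert a MailScanner-style warning in front of each flagged link,
    so the reader sees the mismatch inline in the delivered message."""
    def warn(match):
        flagged = find_fraud_links(match.group(0))
        if not flagged:
            return match.group(0)
        actual, claimed = flagged[0]
        return (f'MailScanner has detected a possible fraud attempt by '
                f'"{actual}" claiming to be {claimed} ' + match.group(0))
    return ANCHOR_RE.sub(warn, html)
```

Links whose text is plain words carry no host claim and are left alone; a real filter would also compare registrable domains rather than full host names so that www.bank.com and bank.com are not flagged against each other.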

8 Wireless Attack
If you’re not careful, anybody in range can mooch bandwidth from your wireless network and can rummage through your files, because they’re inside your network. Your router’s WPA/WEP encryption can stop the mooching—but you have to use it.

Don’t use WEP; it is broken. WPA-2/TKIP is better with a strong key, and 802.1x is better yet, but it is not supported in many consumer WAPs.

7 Hacker Attack
Hackers don’t care about your puny computer enough to attack it directly. They might broadcast a network virus or release a Trojan, but a personal attack is highly unlikely. Your security suite’s firewall and malware protection should keep you safe.

An automated script attack from a bot doesn’t care, and if it gets enough “puny” computers it creates a nice botnet. Don’t “hope” your firewall will keep you safe; test it. Perform an external port scan or use a “firewall tester”: www.google.com/search?hl=en&q=firewall+test. Do you have any ports open? Do you understand why these ports are open?

6 Web Exploits
Some Web sites include malicious code to exploit vulnerabilities in your browser or operating system. Just visiting the site can infect or damage your system if the vulnerability hasn’t been patched, so keep Automatic Updates on.

Firefox? Web content filtering software? OpenDNS?

5 Adware
Simple adware pops up ads that get in your face. More sinister adware shadows your online activity, phones home, and tailors ads for you. Up-to-date antispyware is the solution.

Pop-up blockers help a little here as well. Also keep the anti-spyware up-to-date and run it periodically.

4 Viruses
Viruses are insidious. They hide and use your computer to infect other computers. At some predefined point they strike. Modern antivirus programs are quite good, but add a non-signature anti-malware program to help with brand-new threats.

Also keep the anti-virus up-to-date and run it periodically. AV filtering at the gateway has stopped a lot of this. BTW, anyone remember the “Monkey” virus from floppies? :)

3 Spyware/Trojans
Spyware spies on everything you do and steals private information. Trojan horse programs pretend to be useful but can turn your computer into a spam-spewing zombie. Antispyware plus non-signature anti-malware should keep out these threats.

2 Identity Theft
It’s not just about your computer when they use your credit cards, divert your paycheck, and change your vehicle registration. A full-powered security suite should block all computer-related avenues for identity theft.

Identity theft is still more prevalent via non-electronic means; also, a stolen CC number is not the same as identity theft. Shred your mail, use strong passwords, and don’t use the same password and username for all of your online accounts. Also get your free credit report once a year from www.annualcreditreport.com/ to monitor your identity and credit.

1 Social Engineering
The number one threat to your computer’s security is—you! Use common sense. Don’t take programs from strangers, don’t go to “iffy” Web sites, and if your security software pops up a warning, READ IT before you click.

Two examples of how bad this is:

www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/

www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

I guess all I can say is: common sense, and training, training, training on information security awareness.

Stolen Identities on the Cheap

March 19th, 2007

I just saw this article and it didn’t surprise me. It goes to show how important computer security is and how much pain you save just by keeping computers updated and having the right security policies in place:

Stolen Identities Sold Cheap on the Black Market

Hackers selling IDs for $14, Symantec says

Also, from the last link: Watch the Exploit: A Targeted Attack Video. Pretty scary stuff.