<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/css" href="http://www.enterprise-security-today.com/share/rssstyle.css"?>
<rss version="2.0">

  <channel>
    <title>Enterprise Security Today</title>
    <link>http://www.enterprise-security-today.com</link>
    <description>Tech News by Enterprise Security Today (http://www.enterprise-security-today.com).</description>
    <language>en-us</language>
    <copyright>Copyright &#169; 2009 Enterprise Security Today, Inc.</copyright>
    <managingEditor>editorial@enterprise-security-today.com</managingEditor>
    <webMaster>webmaster@enterprise-security-today.com</webMaster>
    <pubDate>Mon, 05 Jan 2009 23:54:35 -0500</pubDate>
    <lastBuildDate>Mon, 05 Jan 2009 23:54:35 -0500</lastBuildDate>
    <category>Enterprise Security Today News</category>
    <generator>Enterprise Security Today</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <ttl>5</ttl>
    <image>
      <url>http://images.enterprise-security-today.com/images/rss-logo-newsfactor-white.gif</url>
      <title>Enterprise Security Today</title>
      <link>http://www.enterprise-security-today.com</link>
    </image>
  <item>
    <title>Targeted: Twitter Hit with Phishing Attack</title>
    <description>Twitter, the popular microblogging site, has become the latest target of phishers. The company is warning its members to be careful of messages that redirect them to spoofed Twitter sites in an attempt to steal their user names and passwords.
&lt;p&gt;
&quot;This particular scam sent out e-mails resembling those you might receive from Twitter if you get e-mail notifications of your Direct Messages. The e-mail says something like, 'hey! check out this funny blog about you ...' and provides a link,&quot; the company said.
&lt;p&gt;
Twitter went on to explain that the link redirects users to a site masquerading as the Twitter front page. Twitter advised its members to look closely at the URL field to check whether it shows a domain other than Twitter's, even though the page looks exactly like the microblogging home page. That, the company said, indicates a fraud.
&lt;p&gt;
&lt;subhead&gt;
If You Get Twicked
&lt;/subhead&gt;
&lt;p&gt;
E-mail, cell phones, Facebook and now Twitter all have something in common: They are being used by fraudsters for phishing attacks, observed Marian Merritt, Symantec's Internet safety advocate.
&lt;p&gt;
&quot;The scam messages, just like the phishing e-mails and Facebook phishing attacks, seem to come from someone you know and appear to be personal,&quot; Merritt wrote in the Norton blog.
&lt;p&gt;
For members who have clicked the link and given up their Twitter password to the phishers, the company said it is possible for the phisher to send out direct messages on their behalf that could trick their followers. In those cases, Twitter said users should proactively reset the passwords of their accounts.
&lt;p&gt;
&quot;If you find yourself unable to log in to your account with your user name and password, please use the reset password link to regain access. This will send an e-mail to the address associated with your account, and you'll be able to create a new password,&quot; the company advised.
&lt;p&gt;
&lt;subhead&gt;
Will the Real Twitter Please Stand...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=63861</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=63861</guid>
    <pubDate>Mon, 05 Jan 2009 14:09:29 -0500</pubDate>
  </item>

  <item>
    <title>VeriSign Drops Vulnerable Certificate Algorithm</title>
    <description>Following a recent report that an algorithm for creating secure Web-site certificates could be vulnerable, VeriSign has announced it will no longer use the algorithm.
&lt;p&gt;
On Wednesday, the provider of Internet trust assurances said it was transitioning from MD5 to the SHA-1 algorithm for its new RapidSSL brand certificates. It also pledged to reissue any RapidSSL certificates created with MD5, using SHA-1.
&lt;p&gt;
&lt;subhead&gt;
Fake Certificates in Three Days
&lt;/subhead&gt;
&lt;p&gt;
Earlier this week, several teams of researchers presented research at the Chaos Communication Congress in Berlin about MD5 problems. The researchers included independent ones from California, as well as teams from the Centrum Wiskunde &amp; Informatica (CWI) and Eindhoven University of Technology in the Netherlands, and the Ecole Polytechnique Federal de Lausanne in Switzerland.
&lt;p&gt;
The researchers were able to generate two different messages with the same MD5 hash, and therefore the same digital signature. Digital certificates are supposed to have unique signatures. Four years ago, Chinese researchers first identified the vulnerability when they created a similar collision attack.
&lt;p&gt;
At that time, the computing power required was considered out of reach for anyone attempting to create false digital certificates. Researchers had estimated it would take more than 30 years of computer processing to generate such a fake certificate.
&lt;p&gt;
But the paper presented in Berlin showed there are more efficient ways. Using more than 200 Sony PlayStation 3 video-game machines in a cluster, the latest research effort was able to generate two fake messages with the same digital signature in only three days.
&lt;p&gt;
Observers had differing opinions on the impact of the research. The head of computer security at British Telecom, for instance, told news media that most people don't rely on digital certificates anyway.
&lt;p&gt;
&lt;subhead&gt;
Secure Phishing
&lt;/subhead&gt;
&lt;p&gt;
But many others suggested the impact could be enormous. Although only some sites are using the older digital certificates, all browsers accept them. When visiting Web sites, a locked padlock in a browser...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=63825</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=63825</guid>
    <pubDate>Fri, 02 Jan 2009 08:56:13 -0500</pubDate>
  </item>

  <item>
    <title>Report: UK Database Could Be Privately Managed</title>
    <description>A proposed British database intended to store details of every phone call, e-mail and Web site visit made in the U.K. could be managed by a private sector contractor under government plans, the Guardian newspaper reported Wednesday.
&lt;p&gt;
Such outsourcing would be accompanied by tougher legal safeguards to guarantee against leaks and accidental data losses, the newspaper said, citing a consultation paper.
&lt;p&gt;
However, involving the private sector in handling such sensitive data is bound to generate more trouble for the plan, particularly given a series of high-profile losses of computers, disks and hard drives storing such material in recent years. The steady stream of data blunders has kept the spotlight on the way the government handles -- or mishandles -- its citizens' information.
&lt;p&gt;
Britain's Home Office will consult the public and communications industry on the proposals starting next month, but declined to say on Wednesday whether an option for a private company to manage the database will be included in documents circulated for discussion.
&lt;p&gt;
The government previously dropped plans to include the proposal in the annual legislative program announced earlier this month, saying more debate was necessary.
&lt;p&gt;
Civil liberties groups have expressed concern about the database, which would create an unprecedented store of information on each individual's private communications in hopes of tracking the movements of criminals or terrorists.
&lt;p&gt;
Ken Macdonald, who stepped down as Britain's director of public prosecutions in October, said the plans to create a database are the stuff of a &quot;paranoid fantasy.&quot;
&lt;p&gt;
&quot;No other country is considering such a drastic step,&quot; Macdonald was quoted by the Guardian as saying.
&lt;p&gt;
Such a database would provide &quot;a complete readout of every citizen's life in the most intimate and demeaning detail.&quot;
&lt;p&gt;
&quot;The notion of total security is a paranoid fantasy which would destroy everything that makes living worthwhile,&quot; he was quoted as saying. &quot;We must avoid surrendering our freedom.&quot;
&lt;p&gt;
Intelligence...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=63810</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=63810</guid>
    <pubDate>Fri, 02 Jan 2009 07:22:45 -0500</pubDate>
  </item>

  <item>
    <title>Microsoft&#039;s Windows Vista: The 64-Bit Question</title>
    <description>Buy a new copy of Windows Vista or a new computer today, and you'll have a decision to make: Should you go for the 64-bit version of Windows Vista, or the 32-bit version?
&lt;p&gt;
We've all been using various 32-bit versions of Windows for years now, but clearly the future belongs to 64-bit computing. What do you need to know before you get a jump on destiny? Here are some answers.
&lt;p&gt;
&lt;subhead&gt;
Q: Why would I want to run 64-bit Windows?
&lt;/subhead&gt;
&lt;p&gt;
A: You'll get access to more system memory. The 32-bit versions of Windows -- Vista and XP -- can access a maximum of 4 gigabytes (GB) of system memory. In practice, however, some of that system memory is reserved for the operating system and other processes, so your applications end up with significantly less. It's not uncommon for a computer with 4 GB of memory installed to have only 3 GB available once the operating system and other processes stake their claim to the memory.
&lt;p&gt;
While 3 GB may have seemed like a lot of memory a few years ago, today all you need to do is run a memory-hungry photo program, load a half-dozen large files, and you could be pushing the limits of your installed memory.
&lt;p&gt;
The 64-bit version of Windows Vista can access much more than 4 GB of RAM. Vista Ultimate, Enterprise, and Business can access 128 GB of RAM. Home Premium can access 16 GB, while Home Basic will max out at 8 GB.
&lt;p&gt;
Having the ability to access more memory in your computer gives you a couple of advantages. First, you can load more applications and more files within those applications. Second, your overall computing experience should be smoother, since swapping from one application to another will hopefully take place in memory and not rely on caching data to the hard...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=63791</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=63791</guid>
    <pubDate>Mon, 05 Jan 2009 07:18:08 -0500</pubDate>
  </item>

  <item>
    <title>Putting the &#039;I&#039; in Enterprise IT Compliance</title>
    <description>Today's information-security and privacy-compliance programs address a wide range of internal requirements dictated by business partnerships, established service-level agreements (SLAs), known and emerging threats, and other factors driven by both business and technology.
&lt;p&gt;
The most effective method to manage compliance in today's complex world is through a disciplined, holistic approach that addresses compliance not as a reactive, point-in-time event, but as a proactive program. In the field of information assurance, IT has been focused on factors such as operational efficiency and performance. Security of information rarely came to the forefront, although some early regulations, such as the Federal Education Rights and Privacy Act, established a baseline of explicit data privacy and implied security. Security and privacy regulations tended to emerge first in industries that were already highly regulated, such as financial services and utilities, and were limited in scope. Sanctions were often missing from these regulations, meaning organizations might not even suffer penalties for non-compliance.
&lt;p&gt;
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) changed the landscape of information security and privacy compliance; it was one of the first broad regulations that contained significant information security and privacy requirements. Because HIPAA integrated provisions for many different business areas (IT operations, information security, HR and audit), it forced organizations (many for the first time) to establish a program approach to compliance, bringing diverse groups within the organization together to achieve specific cross-functional compliance goals. HIPAA, along with emerging frameworks for managing information assurance such as ISACA's COBIT and ISO 17799, helped organizations establish a more comprehensive approach to information security and privacy compliance management.
&lt;p&gt;
As far as regulatory compliance for information security goes, the Sarbanes-Oxley Act of 2002 (SOX) became the gold standard for every publicly traded company in the United States. Not only civil sanctions, but also criminal sanctions were mandated for certain conditions...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=63787</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=63787</guid>
    <pubDate>Wed, 31 Dec 2008 07:33:17 -0500</pubDate>
  </item>

  <item>
    <title>First U.S. Technology Officer Will Have Hands Full</title>
    <description>President-elect Barack Obama's pledge to name the nation's first chief technology officer has triggered a flood of wishes, hopes and demands from tech enthusiasts who'd like the job to have the same stature and reach as, say, the White House national security adviser.
&lt;p&gt;
The new officer should be an &quot;Internet evangelist&quot; involved in every practical and policy aspect of government, said Andrew Rasiej, a founder of two Web sites about politics and technology.
&lt;p&gt;
&quot;Technology is not a slice of the pie. It's the pan,&quot; he said.
&lt;p&gt;
That's not quite how the Obama transition team defines the job on its Web site. The chief technology officer is to make sure federal computer networks are secure and agencies &quot;use best-in-class technologies and share best practices.&quot;
&lt;p&gt;
Transition spokesman Nick Shapiro hints at a bit more in the only statement the team will make on the record. &quot;We have used technology to help run an historically innovative and open transition,&quot; he said. &quot;The chief technology officer will help us continue to bring government into the 21st century.&quot;
&lt;p&gt;
Thousands of people are suggesting priorities for the tech officer on a Web site called ObamaCTO.org. At the top of the list, with more than 12,600 votes, is making the Internet widely accessible and ensuring Net neutrality -- that is, making broadband connections available on a non-discriminatory basis, with no preferential treatment for any company in terms of transmission speed and quality.
&lt;p&gt;
In second place with more than 9,800 votes is &quot;ensure our privacy and repeal the Patriot Act,&quot; the law enacted after the 9/11 attacks that gives authorities new tools to fight terrorism. Also in the top five: Rethink copyright law, move to the metric system and open up government data.
&lt;p&gt;
Only the last one fits with the current job description and Obama's campaign pledges to put bills, contracts, meetings and other federal...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=63776</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=63776</guid>
    <pubDate>Wed, 31 Dec 2008 07:34:01 -0500</pubDate>
  </item>

  <item>
    <title>Evolving Cybersecurity Faces a New Dawn</title>
    <description>Over the last two years, we have been inundated with bad news about the state of cybersecurity. The list of concerns is growing and endless: rampant cybercrime, increasing identity theft, sophisticated social engineering techniques, relentless intrusions into government networks, and widespread vulnerabilities continuously exploited by a variety of entities ranging from criminal organizations and entrepreneurial hackers to well-resourced espionage actors.
&lt;p&gt;
We also are facing the implications of cyberwarfare in light of last year's cyber attacks against Estonia. In a recent speech on cybersecurity, U.S. Department of Homeland Security Secretary Michael Chertoff warned, &quot;We've entered an era of new threats and vulnerabilities,&quot; and the consequences of failure are exponentially greater. The stark reality is that the bad guys are winning and our nation is at risk. Given these difficult times, it is easy to feel overwhelmed and believe the situation is hopeless. However, I believe we are on the verge of a new dawn for cybersecurity, and in the coming months we will achieve significant progress in securing our critical networks. We have been on a four-stage journey that began in the late 1990s.
&lt;p&gt;
The first stage was ignorance. For the most part, up until 1998 we were clueless as to the vulnerable nature of our networks and the implications of interconnected systems. With the growth of the Internet and the increasing dependence of military forces on networked systems as early as the 1991 Gulf War, we rapidly leveraged the promise of net-centric capabilities. However, our understanding of the need for robust security mechanisms in this new environment was slow to catch up. As information technology boomed in the past two decades, the best young minds flocked to developing the latest and greatest systems, not to protecting data and corporate networks. But then, we entered stage two of the journey.
&lt;p&gt;
That second stage constituted...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=63762</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=63762</guid>
    <pubDate>Wed, 31 Dec 2008 07:34:43 -0500</pubDate>
  </item>

  <item>
    <title>Information Operation Threats Strike Public Sector</title>
    <description>The danger to the Free World's information infrastructure has become more sophisticated and widespread, and it now poses a threat to the very economic well-being of the Free World. Economics and national security have become so closely intertwined that both now are facing common threats from global information operations. The very types of information operations that have threatened militaries for years now are menacing the critical information infrastructure. Conversely, the same devices and techniques used by cyberthieves or hackers are being employed by foreign militaries and intelligence services to endanger the national security of Free World societies.
&lt;p&gt;
Some analogies emerge from looking at consequences. Internet denial-of-service attacks are the public sector's version of military jamming. Hacking into Web sites or databases to alter data is the purest form of sabotage. Extracting identity, economic or industrial information is electronic espionage.
&lt;p&gt;
But other analogies apply to the adversaries themselves. Foreign governments and organizations such as terrorist cells are probing and attacking civil government and civilian information systems for their own monetary gain and to damage Free World societies, just as they might do through military or intelligence operations.
&lt;p&gt;
These efforts are global in origin and in targeting, and it will take nothing less than an unprecedented coordinated global effort to counter them, according to a U.S. government official.
&lt;p&gt;
Melissa E. Hathaway, Office of the Director of National Intelligence cyber coordination executive, states unequivocally that a strategic partnership is required to close the gap between cybermarauders on the offense and the Free World's defenses. Government and the private sector need to change the way they do business and instead recognize that a vulnerability to one affects all, she offers.
&lt;p&gt;
Private-sector risk models are inadequate for national security and critical systems, she continues, so the government must define higher standards and specifications. The government also must incubate and create...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=63761</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=63761</guid>
    <pubDate>Wed, 31 Dec 2008 07:31:36 -0500</pubDate>
  </item>

  <item>
    <title>Computer Security in an Insecure World</title>
    <description>Gone are the days when companies stored valuable information and trade secrets on disorganized stacks of floppy disks in dusty back corners of offices. Today, companies are using data storage systems that deliver universal connectivity for storage devices and servers in a networked environment that are easily accessed and managed.
&lt;p&gt;
But as companies accumulate a prolific amount of data and intellectual property, they are re-ordering their priorities and re-examining their security processes with a single goal in mind: to streamline the security of their information management and ensure their employees are honest and law-abiding assets to their companies.
&lt;p&gt;
For many companies, the advancements in data security have evolved into must-have components that offer peace of mind 24 hours a day. That's because many of these systems monitor every facet of your business processes -- from file sharing among constituents to lunch-rush POS errors to midnight prowling by would-be intruders.
&lt;p&gt;
Storage systems and storage area networks have gone through a different and well-documented revolution over the past few years. Since the mid-'90s, storage has become an essential spoke in the IT wheel, since data is viewed as the critical asset to most organizations. Therefore, the proper storing and protection of that data is mission critical.
&lt;p&gt;
&quot;Most discussions of IT security focus on IT infrastructure and process (i.e., network, firewalls, servers, monitoring, security policies, etc.), stopping short of security considerations related to the design and implementation of the application itself,&quot; says Brian Morgan, chief technology officer at Skyline Technologies in Green Bay. As a provider of custom, strategic software solutions, Skyline is very concerned with security from this latter perspective. Skyline is in the unique position to either help a potential client develop its own secure software solution, advise on the development of a new software solution, or help review an existing custom-built solution.
&lt;p&gt;
Physical access to...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=63760</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=63760</guid>
    <pubDate>Wed, 31 Dec 2008 07:32:25 -0500</pubDate>
  </item>

  <item>
    <title>A Move Toward More Privacy Online</title>
    <description>Yahoo has announced that it will no longer hold some personally identifiable search information for more than 90 days. The company is hoping that the new policy will give it a competitive advantage with users who care about privacy. It also is an encouraging development for the cause of Internet privacy.
&lt;p&gt;
Many users do not realize that search engines hold onto the words that they type, and the addresses of Web sites that they visit -- often in ways that can be traced back to specific users. If you use Google, Yahoo or Microsoft search engines to find out more about cancer drugs, drug addiction or radical politics, the company may keep that information. And it may turn the data over to the government if presented with a valid subpoena.
&lt;p&gt;
Privacy advocates have long objected to these policies. In many cases, they argue, users have no idea that the information is being kept. Some of these advocates have been pushing, in the U.S. Congress, for Internet privacy laws that would limit data retention.
&lt;p&gt;
Yahoo has decided to move in a pro-privacy direction on its own. Until now, its policy was to hold onto search data in personally identifiable ways for 13 months. The 90-day limit that it is adopting is considerably better than Google's, which holds onto personally identifiable search data for nine months, or Microsoft's, which holds data for even longer.
&lt;p&gt;
Some privacy advocates object to the way in which Yahoo intends to make the data anonymous. The company says that it will remove the last eight bits of a user's Internet Protocol, or IP, address -- a number that can often be traced to a specific computer -- and take other steps to scrub identifiable data. Critics argue that even so, it may still be possible to trace the data back to...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=63755</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=63755</guid>
    <pubDate>Mon, 05 Jan 2009 07:33:08 -0500</pubDate>
  </item>
</channel></rss>