online security

Mar 20

javascript trickery masks evil URLs

By alberg hacks, online security Comments Off

Yes… hover and check…

If you are like me, “hover over the link and read the URL before you click” is a basic piece of advice you give to people who want to know how to avoid malicious links in web pages and emails. Well, it looks like a little bit of Javascript trickery can be used to make malicious links look benign until they are clicked. While email clients like Outlook will not execute Javascript in messages, links in web applications or webmail accounts could be disguised in this way. Sounds like we need a browser based fix to combat this – it is possible, since Opera apparently is not fooled by this behavior.

Nov 28

noted – the russian internet becomes more opaque

By alberg online security, useful stuff, worst practices Comments Off

Interesting post from security and cyberwarfare blog Digital Dao on how changes in Russian law will make it more difficult for foreign firms and investigators to track down the owners of .ru domains used for nefarious purposes. Not a positive development.

Oct 14

security wtf of the week

By alberg online security, worst practices Comments Off

Here is a textbook description of what companies should NOT do when someone privately reports a security vulnerability in their publicly available web site which is chock full of PII…

SC Magazine:
Security Researcher Threatened with Vulnerability Repair Bill

A couple of observations about the article…

The guy who found and reported the vulnerability was a customer of the firm in question and seems to have done everything in an above board manner.

It sounds like the vulnerability involved changing a single parameter in a URL in order to access another customer’s account. Whoever designed/wrote that application needs some serious re-edumacation at the very least. Maybe these are the folks who should be paying to fix the vulnerability.

I’m not sure why they are demanding the researcher’s computer. The nature of the vulnerability would make it extremely easy to make sure he did not access additional PII by simply reading the web server logs.

I’ll bet that plenty of people at this organization are wishing that this incident never hit the news. Had they simply thanked the researcher and fixed the bug, their customers and business would have been protected and they would not have gotten such a public flogging. If I were a customer of theirs, I’d be wondering about the rest of their information security right about now.

So, to sum things up… WTF!

Oct 11

how malware gets in

By alberg best practices, malware, online security Comments Off

Heeeeeere's malware!

The latest edition of Microsoft’s Security Intelligence Report provides some interesting analysis as to how computers get infected with malware. Microsoft’s dataset is pretty large, comprising some 600 million computers equipped with Microsoft’s Malicious Software Removal Tool (MSRT) which reports details of malware infections back to the mother ship in Redmond. The numbers hold some important lessons for security professionals.

Don’t get your knickers in a twist about zero day exploits. While the press loves a good zero day story, only 0.12% of the infections seen by Microsoft used unpatched vulnerabilities. Zero day vulnerabilities are valuable commodities which attackers will not waste on run of the mill cyberattacks. Don’t center your anti malware program on the latest zero day vulnerability of the week.

Vulnerabilities are sooo last year – your users are the weakest link. Only about 6% of malware infections seen by Microsoft were the result of vulnerability exploitation. In contrast, almost half of all malware infections in the study required the user to take an action (clicking a link, running a program, opening an attachment, etc.) in order for the infection to be successful. In most cases, no vulnerability was used – the user simply gave the malware permission to run. Spending some time and effort edumacating your users to be skeptical and think before they click that link or open that attachment has the potential to significantly reduce your malware attack surface.

You still need to keep software up to date. Testing and installing patches from Microsoft and other vendors will protect your systems from the 7% of attacks which use exploits to worm their way in (get it?) to your systems. This is a small portion of the malware threat, but once you get patching and updating to be part of your normal automated business processes, it is a low touch, low cost addition to your malware defenses.

Filtering and monitoring your outbound web traffic is a must – if malware is unable to download code, connect to command and control servers or exfiltrate data, the threat it poses is greatly reduced. Keep your filter lists up to date with the latest known malware URLs – the subscription fees are a small price to pay for preventing access to the malweb in the first place.

Monitoring your network traffic, proxy logs, and changes to the services running on your hosts for strange patterns can pay off big time. Since we can’t count on signatures to find every type of malware you may encounter, look for strange behavior for the early warning signs.

I found Microsoft’s analysis of the malware problem to be pretty interesting and I am looking forward to reviewing the rest of the Security Intelligence Report for nuggets of wisdom – I’ll post more soon!

Aug 15

telex to freedom / telex to chaos

By alberg deep thoughts, online security Comments Off

The latest in anti censorship tech

When I read about Telex, a research project aimed at making it easier to get past Internet censorship, my “split personality” – lover of freedom and justice versus corporate security guy kicked in right away. You see, if widely implemented, Telex would make it much easier and safer for people living under repressive regimes to get past said regimes’ censorship of the Internets. Built on client software, some clever crypto in packet headers and servers hosted by friendly ISPs, Telex would turn the idea of a proxy server inside out, effectively making the entire Internet (it’s a series of tubes, you know) one big proxy.

This would be really great – I would love to see the US government as well as non profit organizations host Telex servers to allow people in China, the middle east, and other places where freedom of expression is curtailed… however, Telex would also make my job as a security professional that much more difficult. By installing a Telex client, the users on my corporate network might be able to bypass the web filtering we have put in place. While some of that filtering is aimed at keeping people away from “non work appropriate sites,” there are other reasons to filter Internet access in the workplace as well. For example, we block access to sites known to host malware. We block access to sites which would put us in violation of various legal and regulatory mandates. These are all legitimate things to do in a corporate environment, and our employees have unfettered access to the Internet outside of the office. Employees using a system like Telex would put our company at risk.

Telex is stil in the proof of concept stage and there needs to be a lot more software and infrastructure development done before it can be a reality on a large scale. As I said, I am 1000% pro Telex as a tool for people to bypass repressive regimes’ Internet censorship. But I think that corporate Internet censorship (hate that word) is another kettle of fish altogether and we security professionals need to keep an eye on Telex and similar technologies. I feel like I should be dressing like these guys after writing this…

Aug 13

fish radio zero tango

By alberg best practices, online security Comments Off

Over the past few days, a lot of folks at work have been sending me links to this really excellent XKCD cartoon:

I think this really hits the password problem on the head. With the advent of inexpensive GPU assisted password cracking, as well as more intelligence on the part of the (human) password crackers, the old school password rules of “must have a capital letter, a small letter, a number, and (maybe) a special character” are becoming woefully outdated. And yes, they are hard to remember. And most importantly, they make users hate the InfoSec people. Do they ever bring us home baked brownies as a reward for our password rules? Nope.

As I tend to always take advice from comic strips when making important decisions, I really like the four dictionary word idea. The math seems to work and it certainly seems to be easier on the user. However, the infrastructure for implementing such a scheme in the systems where it would count (primarily Microsoft Active Directory) would have to exist in order for this to be workable. I hope that Microsoft and others who did better than me in math take a long hard look at this as a potential solution to password problems.

Jul 01

in which i dare disagree with security industry luminary bruce schneier

By alberg CSO, hacks, malware, online security, Paranoid Peeps Comments Off

It’s not often that I disagree with Bruce Schneier, one of the leading lights of the security world… however, I do have a teensy weensy bone to pick with him regarding one of his recent blog postings. A recent test conducted by the Department of Homeland Security on its employees found (to no one’s surprise) that people are prone to pick up unidentified USB drives and pop them into their computers with abandon, providing nefarious personages the ability to infect their systems with malware. Schneier took issue with the following quote from a security expert regarding the study:

Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp., told Bloomberg: “There’s no device known to mankind that will prevent people from being idiots.”

In Schneier’s view, the idiocy really rests with operating system manufacturers who allow their products to access untrusted USB devices with providing the user with any protection and that the users are simply doing the best that they can under the circumstances. This is where I disagree.

While OS manufacturers should be doing a better job of securing their products against unknown USB devices, in the current situation users need to exercise extreme caution in what they stick into their computers’ USB ports. Until we have better tools to mitigate this risk, users have to play an active role in protecting themselves and their organizations from USB borne threats. There has been a lot of news coverage (and at least at my organization, security awareness training) to let people know about the risks of USB devices of uncertain provenance. I happen to think that the people in my organization are smart (and good looking) enough to remember a few very basic security messages and behaviors needed to protect our systems and networks:

Don’t open links or files from strangers
Don’t open unexpected/strange links or files (that seem to be) from friends
Don’t take USB candy from strangers

Yes, I know that application of these rules will not provide 100% protection from malware, but following them will definitely mitigate the risks involved, which is really the best we can hope for at this time.

So, Bruce, you are still my hero, but I think we need to hold our colleagues to a slightly higher standard in terms of their role in protecting our computers and networks.

Oh, and as for Mr. Rasch’s “idiot” comment, I think he was a bit rough on users in terms of his choice of language. I would have said “boneheaded” or “Homer Simpson-like” instead. This is why I am beloved at my workplace.

May 25

americans are more gullible in the morning…

By alberg best practices, hacks, malware, online security, useful stuff Comments Off

…at least according to this interesting blog post from OpenDNS’ Allison Rhodes. It makes sense to me… in the AM, we are all going through our emails, getting ready for the day to come and in a hurry to get caught up with the latest news. I saw this post as a result of being on OpenDNS’ site from here at the Agahozo Shalom Youth Village, where we are using OpenDNS to provide web filtering to keep the students away from some of the, um, racier sites on the Net. OpenDNS seems to be a really good, easy to use solution for web filtering in the cloud. If you have young web surfers at home, you might want to check it out.

May 14

it’s not always nice to share

By alberg hacks, online security, privacy, worst practices Comments Off

Sharing is for weenies. (This is why it is good that I have no kids)

From the department of things that should be common sense, but are not… it is not safe to put confidential data on cloud based file sharing sites like RapidShare, FileFactory and Easyshare. Some researchers in Belgium did some poking around on these sites and the results are yet another that security through obscurity just doesn’t cut it.

May 09

secure your computer the nsa way

By alberg best practices, online security, useful stuff Comments Off

The National Security Agency isn’t all about listening in on other people’s conversations or being the object of insanely paranoid fantasies. The NSA also has an Information Assurance mission, protecting guvmint computers from hackers, spies, and this guy. Now taxpayers can take advantage of the billions of dollars they have paid in to keep the NSA running… the agency has released a pretty good guide to securing home computers (PDF file) with information for Windows and Mac users. Unfortunately, it is a little bit on the techie side – you can’t just email it grandma and assume she’s good to go, but it does provide a great checklist to help you (and your colleagues) batten down those cyber-hatches. Worth a read.

Previous Entries

Free WordPress Themes

FYI

Everything you read here has been written by Al Berg, who, by day, is the Chief Security and Risk Officer for the best darn Institutional Equity marketplace on this planet. The opinions expressed in this blog are mine and do not represent those of my employer or anyone else.