[SecurityRatty] tag: avenues

Beware of UC security threats

Sun, 07 Sep 2008 20:00:00 +0000

Unified communications opens up your VoIP network new avenues of collaboration, including instant messaging, video, business applications and e-mail. And that opens up your network to new avenues of attack.

Social Networking Guidelines for safety

Sun, 24 Aug 2008 12:18:37 +0000

Another great article from TrendMicro. Where do they get these writers?

clipped from newsletters.trendmicro.com

Guidelines for Online Socializing

Parents, teachers, and others who care for young people who are socially active online should first set reasonable expectations. Forbidding young people to use social networking sites may force them to “go underground” and find other avenues (e.g., library computers, mobile phones, or friends’ computers) to continue their online social life. A positive alternative is to teach them how to think critically about what they are seeing, reading, hearing and sharing online, and to ask for advice when something doesn’t seem right.

Upping The IPS Ante

Wed, 30 Jul 2008 11:14:48 +0000

My colleague at Forrester, Chris Silva, recently commented upon the recent Air Defense acquisition by Motorola. Looking at the deal through the security lens, I completely agree with Chris that this will help ease integration of wireless security into wireless infrastructure. It's good to see one of the major wireless brands step up and take wireless security seriously. Perhaps that other major wireless vendor will get the hint...

Upping The IPS Ante

Motorola announced this week its intentions to acquires Wireless IDS/IPS vendor AirDefense. The acquisition may provide a bit of deja vu to readers who recall the acquisition of Network Chemistry's wireless IDS/IPS assets by Aruba Networks in 2007.

Meru Networks, eschewing acquisition for product introduction made its own announcement on Monday, announcing the company's RF Barrier, an active RF management solution that aims to solve the problem of what the vendor is calling "leaky RF." The Meru solution actively blocks 802.11 RF from escaping the physical confines of a WLAN deployment to thwart external "parking lot" attacks by closing Wi-Fi based attack avenues.

In fact, 2007 - 2008 has been a time focused on shoring up the security of the WLAN as the networks become more critical to over 50% of enterprises Forrester sees investing in the networks today. As the networks are more pervasive, moving toward covering the entire physical environment, and more employees are relying on Wi-Fi to access corporate data and applications, it's high-time to secure the WLAN.

In the case of Motorola, the Wi-Fi network is especially critical. As the vendor embarks on selling its message of the all-wireless enterprise, where WLANs will interconnect not only users to the network, but networke edge devices -- such as WLAN access points -- to the network along with storage, printers and other peripheral devices, the WLAN is citical and, therefore, a major focus for security.

In markets such as retail, standards like the Payment Card Industry's Data Security Standard dictate wireless security, but compliance and regulation aside, it is becoming easier to secure the WLAN, regardless of the industry you are in. Vendors are rapily working to close security gaps with product enhancements and new product introductions. Look for a broader suite of solutions to address security coming from your primary network vendor; while this won't negate the need to integrate these add-on network elements, the single source should ease integration to some degree.

How secure do you feel your organization's WLAN is today? What are your concerns either about securing the network or its current lack of security?

Stored Procedures and SQL Injection

Fri, 16 May 2008 06:43:56 +0000

There is a nice post by Michael Howard on a couple simple steps to help mitigate SQL Injection attacks over on the Security Development Lifecycle blog this morning. Simple steps that are effective by reducing the avenues of attack or reducing the assumptions of trust between the application and the database. However wanted to add a couple of comments onto this subject that I believe add some value to the suggestions he made. Specifically: -Don't allow create/modify procedure permissions -Use a dedicated,non-admin database user account -Don't use external stored procedures

Oak Ridge National Laboratory visitor information exposed

Tue, 11 Dec 2007 10:45:21 +0000

Technorati Tag: Security Breach

Date Reported:
12/3/07

Organization:
UT-Battelle, LLC

Contractor/Consultant/Branch:
Oak Ridge National Laboratory (ORNL)*

*Oak Ridge National Laboratory (ORNL) is the Department of Energy's largest science and energy laboratory. ORNL was established in 1943 as a part of the secret Manhattan Project to pioneer a method for producing and separating plutonium. Today, ORNL is home to the world's largest civilian science project, the $1.4 billion Spallation Neutron Source, and has been selected to build the fastest unclassified scientific computer in the world. - Source State Science and Technology Institute

Victims:
"visitors to the lab between 1990 and 2004"

Number Affected:
"about 12,000"

Types of Data:
Personal information including names, addresses, Social Security numbers and dates of birth.

Breach Description:
More than a dozen Oak Ridge National Laboratory employees were duped into installing unauthorized software consisting of keyloggers and other malicious software through a targeted phishing attack ("spear phishing"). The targeted phishing attack consisted of roughly 1,100 emails and resulted in the compromise of personal information pertaining to lab visitors over a 14 year period.

Reference URL:
eWeek.com Story
SecurityFocus.com Story
MyEyeWitnessNews.com Story
Oak Ridge National Laboratory Potential Identity Theft Page

Report Credit:
Oak Ridge National Laboratory

Response:
From the official breach notification site and sources cited above:

Oak Ridge National Laboratory has been bombarded by a coordinated phishing attack aimed at multiple national labs and may have unwittingly handed over to attackers the personal information of anybody who visited the lab over a 14-year span, including Social Security numbers.

"Oak Ridge National Laboratory (ORNL) recently experienced a sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country." - Laboratory Director Thom Mason on December 3rd.

"When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory." - Laboratory Director Thom Mason

The attack comprised approximately 1,100 targeted phishing attempts.

The attackers cooked up seven phishing variations, one of which purportedly advertised a scientific conference, another of which posed as a notification about a complaint on behalf of the Federal Trade Commission.

"No classified information was lost"

"If you visited ORNL between the years 1990 and 2004 your name and other personal information such as your social security number or date of birth may have been part of the stolen information. While there is no evidence that the stolen information has been used, the Laboratory deeply regrets the inconvenience caused by this event."

Mason said reconstructing the crime is tedious and time-consuming and will likely take weeks, if not longer. ORNL is attempting to send letters to every visitor potentially affected but may have difficulties due to out-of-date addresses, management said in its advisory.
[Comfyllama] If the reports about this attack originating (or proxying through) China are true, then it is unlikely that a full "reconstructing" will ever be complete.

"every security system at ORNL was in place and in compliance."
[Comfyllama] Compliant DOES NOT MEAN Secure! Although we all need to be compliant, this doesn't mean that efforts should stop at that. Do you want to trust the security of your information to a Senator or other lawmaker?

"If you think you're going to prevent all phishing attempts from [succeeding] in an enterprise, that's probably false. And if you think that with training, not a single employee will [click on phishing attempts and let an attacker] get through, that's probably false," - Application Security Vice President of Marketing and Strategy Ted Julian

"There's a million [conduits to data theft], and now that the attackers have gotten much more professional and focused, they only need one to get at the information. You only need one unsecured avenue and they're off and running."

it's likely that employee training about phishing attempts will be given renewed emphasis in the future in order to attempt to close down this particular avenue of data theft.

"While our hope is that no one would fall for these kinds of tricks from hackers, we believe there is an ongoing benefit to re-emphasizing staff awareness about cyber-security issues," "We must not click on e-mail attachments if we are not absolutely sure who the e-mail is from and we must not click on [URLs] embedded in e-mails unless we are certain of the source." - Laboratory Director Thom Mason

The lab has sent letters to about 12,000 potential victims.

"We continue to put in place new and more sophisticated security systems in an attempt to stop thieves who are equally determined to break into the cyber network." - Laboratory Director Thom Mason

Commentary:
Scary! Supposedly, there is evidence that points to these attacks originating from servers in China and thus these attacks were sponsored by the Chinese government. I like a conspiracy theory as much as anyone else, but I don't subscribe to this theory. IF the Chinese government were attacking ORNL, I think the attacks would be much more covert.

Think about this for a minute. If I were going to attack a system in the United States without getting caught. Why wouldn't I use (proxy through) an insecure server located in a country that will not cooperate with U.S. authorities? In order to find my true location, investigators will need some level of access to the (proxy) server to look through the evidence. Do you think China (or Iran, North Korea, Russia, etc.) will allow investigators the access they need? Highly unlikely. If I were to guess, I would say that this is a sophisticated attack aimed at gathering information for money and probably orginated by one of the more educated "phishing gangs".

I certainly agree with ORNL Application Security Vice President of Marketing and Strategy Ted Julian in the fact that there is likely no way to prevent all avenues of attack, but the risk of this type of attack can be significantly reduced through regular information security training and awareness. People will be people, no matter what.

Final note, I am curious why ORNL needs to store Social Security numbers in the first place.

Past Breaches:
Unknown

Speaking of Security Podcast #43

Sun, 17 Dec 2006 21:00:00 +0000

Click here to listen/download (10:58).

To close out our first year of the podcast, we take a look at how people can break into the information security industry. We speak with two established experts and investigate the various avenues people can take to get into this business as well as learn what skills one would need to be successful.

Please note that the Podcast Team will take a break for the holidays. Expect a new episode for the week of January 8, 2007. Happy New Year!

Related Links:

Kevin Fu, University of Massachusetts Amherst
National Science Foundation (NSF)
Institute of Electrical and Electronics Engineers (IEEE)