[SecurityRatty] tag: shield

Spammers use free Web services to shield links

Tue, 02 Sep 2008 20:00:00 +0000

Spammers are abusing free Web services to make their spam links look more legitimate, according to e-mail security vendor MessageLabs.

Protect laptop traffic in hot-spots and hotels - Part 2

Tue, 12 Aug 2008 04:04:45 +0000

In Part 1 of this two-part series, we explored the necessity of protecting sensitive information flowing across public networks--both wired and wireless. We also looked at a for-fee solution, MegaProxy. In Part 2, we examine a free public network data protection solution, Hotspot Shield from AnchorFree.

Protect laptop traffic in hot-spots and hotels - Part 2

Tue, 12 Aug 2008 04:04:45 +0000

i-safe has some great articles for your online safety

Wed, 02 Jul 2008 19:25:39 +0000

They have a bunch of learning modules for kids to seniors to law enforcement.
Check em out.

clipped from ilearn.isafe.org

Which module do I watch?
There are five options with five different users in mind. Those registered as educators with i-SAFE have the greatest
access to view the modules because you work closely with students and parents. Those registered as parents and fifty+
have access to either of those modules since many users fit both categories. However, students are limited to the i-MENTOR
Training Network. And the Operation i-SHIELD module is reserved for those in law enforcement. Below is a breakdown of each
module. To begin, please register by creating a user name and password at the top of this page. That will help direct you to
the appropriate i-LEARN module. Enjoy!

SaaS Snake Oil Top Ten, with video

Wed, 28 May 2008 16:57:00 +0000

As I was happily sniffing about for more annoying vendor fodder a few nights ago, I found a true gem. I was actually investigating ControlScan's practices and came across some poor hapless site owner that had been manipulated into buying both the ControlScan service and McAfee Secure / Hacker Safe by not one, but two snake oil salesmen.
This site was bound to be secure, right? Wrong!
Here's a new video to detail the inadequacies of both these services, at the same time.
But, as my disdain for these con artists grew yet stronger, it occurred to me (with the suggestion of an unnamed accomplice) that we needed a Letterman-like Top Ten list.
In this case SaaS will denote scanning as a service, rather than software or security, as security is the last thing these daft gits offer. These are all real statements, claims or quotes from these so called services.

Top Ten 10 signs the SaaS sales guy in front of you if offering up snake oil.

10. We first scan for open ports.
9. If you're interested in increasing your conversions, I'd suggest you sign up for WebSafe Shield.
8. Al Gore is on our board.
7. We held a hacker contest to break our security, and no one did.
6. We want to be the trusted partner who’s at your side, day by day, year to year,to help your business grow.
5. Increase your conversion rate or double your money back!
4. Our Web-based PCI Compliance 1-2-3 solution includes everything you need.
3. The "Verified Secure" mark appears only when a web site's security meets the highest security scanning standards of the U.S. government.
2. Unfortunately, the automated scanning technology we use doesn’t have this XSS scanning.
1. We go in like a super hacker.

There will be no rest for their souls in the afterlife; the web app security gods have a special in hell for salesmen and companies like this. ;-)

del.icio.us | digg

Got Your XPShield up and Running?

Thu, 15 May 2008 10:44:12 +0000

Don't. Continuing previous posts with three different portfolios of fake security software, and Zlob malware variants posing as video codecs, the rogue security application XP Shield is the latest addition to the never ending list, with the following domains participating in the campaign :

xp-shield.com
xpshield.com
xpantiviruspro.com
xpantivirussecurity.com
xponlinescanner.com
xpprotectionsoftware.com
xpantivirussite.com
antivirus2008x.com
securityscannersite.com
antivirus-xp.awardspace.us
xpantivirus.awardspace.co.uk

The detection rates for the time being :

XPShieldSetup.exe
Scanners result : 1/32 (3.13%)
File size: 517632 bytes
MD5...: 99c7271ac88edc56e1d89c9f738f889c
SHA1..: 3347564017d289ffd116f70faa712e05883358f4

XPantivirus2008_v880381.exe
Scanners result : 4/32 (12.5%)
File size: 65024 bytes
MD5...: ef9024963b1d08653dcc8d8b0d992998
SHA1..: 436bf47403e0840d423765cf35cf9dea76d289a5

How would the end user reach these domains from a malicious attacker's perspective at the first place? Once being redirected to them through an already SQL injected or iFrame embedded legitimate site, with evidence of the practice seen in the majority of massive iFrame, SEO poisoning and SQL injections campaigns from the last couple of months.

ZoneAlarm ForceField

Sun, 11 May 2008 20:00:00 +0000

Sometimes even the most protective phalanx of antivirus, antispyware and antiphishing programs is not enough to shield a computer from online dangers. Check Point Software's ZoneAlarm ForceField provides an extra defensive layer by cloning your Web browser to catch dangerous software before any damage can be done.

Hacker Free Site?...Yeah, right.

Fri, 09 May 2008 15:51:00 +0000

So as not to seemingly pick only on McAfee Hacker Safe, I thought it appropriate to show just how ridiculous the entire premise of calling anything Hacker Safe, Hacker Proof, and now WebSafe Shield Hacker Free Site really is. For you, dear reader, a new video for your streaming pleasure, courtesy of the WebSafe Shield Hacker Free Site.
My brother in arms in the battle against BS, Rafal Los, has already called out Comodo for their Hacker Proof fluff on the Digital Soapbox.
I simply couldn't let this one pass without a little extra scrutiny. I Googled hacker safe to see what else popped up and bam, there's WebSafe Shield in the sponsored links for "70% less than Hacker Safe" to boot!
I had literally about ten minutes to kill, and in less than two minutes, more XSS silliness courtesy of the sites with starring roles in the latest installation in our growing video series. The home page for WebSafe Shield lists frictionent.com and shoppingvale.com with such inanities as "My customers feel more safe and more likely to sign up knowing I operate a secure website." and "If you're interested in increasing your conversions, I'd suggest you sign up for WebSafe Shield." Doesn't that sum it up? Forget protecting the consumer. Let's just blindly lead the sheep to the wolves with some Hacker Free Site logo that means nothing in order to "increase conversions."
WebSafe Shield vaguely discuss their methodology here; I just love:
#6 - How do you conduct your security scans?
"We use industry-standard software and methodologies to scan, test and identify security vulnerabilities. We first scan for open ports, and for each open port, we identify the service and software for that port, and report any security vulnerabilities."
Wow, open ports. Let me guess...you're using Nessus?
The only discussion of web application security is on their rather vague Security Tips page. It's a perfectly generic read and they make no mention of actually scanning for those vulns, only open ports, and that they "report any security vulnerabilities." Maybe they keep it vague intentionally so they can more easily duck the criticism. I can imagine the answer to this question. Why are both the sites proudly listed front and center on your home page vulnerable to XSS and yet showing their WebSafe Shield Hacker Free Site logos? Likely because they only mention XSS, but don't actually scan for it. Probably not SQLi either. Just open ports. Please. Maybe that 70% discount over Hacker Safe means you're not making enough to build a service that can find XSS, the most prevalent of all web application vulnerabilities.
I'll say the same thing to WebSafe Shield that I've said to McAfee. Stop misleading people with some crappy little logo that you wouldn't take down for anything in the world (you wouldn't want to tick off your customer base, right?).
What about the consumers using those sites who actually fall for your misleading false premises? What's your answer to them? XSS doesn't count because you can't hack the server with it? Who is the victim of a well executed XSS attack?
The consumer, not your ill-coding customers.
In case you missed it earlier, here's the video.
The last little gem, and I quote: "Our security professionals are CISSP (Certified Information Systems Security Professional) certified." Oh goody. Maybe you can charge a wee bit more than "70% less than Hacker Safe" and help your customers build secure web apps on behalf of consumers, rather than driving conversions on behalf of your customers, and ultimately your investors.

WebSafe Shield, you're welcome to comment.

del.icio.us | digg

Anonymizer acquired by risk-mitigation firm

Wed, 30 Apr 2008 20:00:00 +0000

Herndon, Va.,-based risk-mitigation firm Abraxas Corp. announced it has acquired, for an undisclosed price, San Diego-based Anonymizer, which makes products that shield a user's identity online.

40,000 BlueCross BlueShield members notified of lost laptop

Tue, 11 Mar 2008 12:31:27 +0000

Technorati Tag: Security Breach

Date Reported:
3/10/08

Organization:
HealthNow New York Inc.

Contractor/Consultant/Branch:
BlueCross BlueShield of Western New York

Victims:
Healthcare members

Number Affected:
40,000

Types of Data:
Names, dates of birth, Social Security numbers, addresses, employer group names, and health insurance identifier numbers

Breach Description:
"Blue-Cross Blue-Shield of Western New York says it is notifying tens of thousands of its members about identity theft concerns after one of it's company laptops went missing."

Reference URL:
The Buffalo News
WIVB Channel 4 News
WGRZ Channel 2 News

Report Credit:
WGRZ Channel 2 News

Response:
From the online sources cited above:

HealthNow New York has alerted 40,000 members in Western and Northeastern New York that they may be at risk for identity theft, after a former employee’s laptop computer went missing with confidential information several months ago.

The Buffalo-based parent of Blue- Cross BlueShield of Western New York sent letters late last week to the affected customers, even though officials are still not certain what, if anything, was on the computer.
[Evan] Not sure where confidential information is? Sad, common and true.

Based on the company’s investigation, the potential information includes names, dates of birth, Social Security numbers, addresses, employer group names, and health insurance identifier numbers.

there was no health or medical claims information involved
[Evan] I think a name, date of birth, Social Security number, address, and employer should be enough to do some damage.

HealthNow has arranged for any affected member to receive a one-year free membership in Equifax Credit Watch, to monitor for identity theft.

The laptop was not encrypted, but does have security features, including the requirement to enter the user’s identification number and passcode after 15 minutes of inactivity.
[Evan] OK, seriously? Does anyone expect a username and password to stop someone with even novice computer skills? I am assuming that this is a Windows laptop, all the more simple.

the company shut down the laptop’s access to the corporate network, and has not detected any activity from the laptop since the disappearance.
[Evan] Shutdown the laptop's access or access from the user id of the person that had been using the laptop? Semantics, I know. The information that may be on the laptop is the real concern.

The employee is no longer with HealthNow, having accepted a position at another company out of state, but the insurer is still in contact.

the company is reconfiguring its claims software system, and the employee had downloaded some member information to his laptop while working on the project so he could work either in building or at home
[Evan] Too many "no-nos". "No-no" #1 is not knowing where confidential resides within the organization. "No-no" #2 is allowing confidential information onto mobile devices without additional controls such as encryption. "No-no" #3 is working with sensitive confidential information for software development and testing purposes. Only sanitized information should be used for development and test work.

The laptop was reported missing in late fall, but the company did not notify customers until now because officials wanted to make sure whether such action would be necessary.
[Evan] This is way too long! An excerpt from New York Bill A02261 "Notice of Information Breach" can be found in the commentary below.

officials first "spent an exhorbitant amount of time" to try and locate the laptop, which they still believe is in the company’s building

Using the company’s shared drive and with the cooperation of the employee, officials retraced his path to determine what information he was working with. The company then set up the credit-monitoring, and began contacting members last Thursday and Friday.

"We didn’t want to have to reach out to our members and cause them unnecessary worry until we knew the potential of what we were dealing with," she said. "With all of the factors and orchestrating credit monitoring, we do believe our response time has been reasonable."
[Evan] "We didn't want to have to reach out to our members and cause them unnecessary worry until we know the potential of what we were dealing with" is a terrible reason to delay notification. BlueCross BlueShield needs to understand that they are NOT the information owners.

The company has also tightened its policies and procedures about use of laptops and other mobile devices "to ensure that the policies are more strict," she said. She added that officials are also encrypting all information on laptops "to prevent this situation from recurring."
[Evan] Of the "No-nos" I mentioned above, this takes care of one.

Commentary:
Another laptop that may or may not have contained sensitive personal information that goes missing without encryption. Do you think John Doe from XYZ company thought twice about filling out his health insurance forms on his first day of work? He probably just expected better protection from a company that handles thousands of personal records.

I am certainly not a lawyer, nor am I qualified to give legal advise of any kinds, but this is a simple copy and paste...

Excerpt from New York Bill A02261:
"ANY PERSON, FIRM, PARTNERSHIP, ASSOCIATION OR CORPORATION THAT COLLECTS, OWNS, MAINTAINS OR USES PERSONAL INFORMATION SHALL DISCLOSE A BREACH OF SECURITY RELATED TO UNENCRYPTED OR NON-REDACTED PERSONAL INFORMATION CONCERNING TWENTY-FIVE OR MORE RESIDENTS OF NEW YORK. THE DISCLOSURE SHALL BE MADE WITHIN TWO BUSINESS DAYS AFTER LEARNING OF THE BREACH OF SECURITY, BUT MAY BE DELAYED IF A LAW ENFORCEMENT AGENCY DETERMINES THAT THE NOTIFICATION WILL IMPEDE A CRIMINAL INVESTIGATION. THE NOTIFICATION REQUIRED BY THIS SECTION SHALL BE MADE AFTER THE LAW ENFORCEMENT AGENCY DETERMINES THAT IT WILL NOT COMPROMISE THE INVESTIGATION."

Past Breaches:
Unknown