Are employees “working around” your security?

March 11th, 2008

In a white paper released last November by RSA, research from person-on-the-street interviews with random office workers revealed troubling trends for those concerned with information security.  Sometimes in an honest effort to finish their work from home or while traveling, sometimes through simple carelessness, but in either case without intending to put secure information at risk, employees from all sectors of the workplace admitted to behaviors which do, in fact, put secure information at risk.

In interviews conducted in Boston and Washington, D.C., employees from both the public and the private sector answered “frequently,” “sometimes,” or “never” to questions probing their own customary behavior and also to questions asking what they had observed in their workplace.  Nearly 20% of private-enterprise employees reported that their employers, whose international networks hold proprietary and confidential private information, including Social Security numbers and other personally identifying information, routinely leave networks set up for conference room and guest use open and available, without a password, to anyone who might walk in.

Employees themselves, with their own logins and passwords, accessed their work network at home, in airports, in hotel and restaurant hot-spots, and even, at times, on public-access hotel or internet-cafe-type computer terminals.  In fact, the number of workers who retrieved their work e-mail from a public-access computer was slightly higher than the number who used their own laptop at a public wireless hotspot.  Both numbers, however, were over 50%.  Since well over 80% of workers reported that they “frequently” or “sometimes” conduct business over some kind of network away from their workplace, one can conclude that perhaps 30% of employees access work from a home computer, either by modem or by a high-speed internet connection.

More knowledge of security protocols will not solve the problem, according to RSA.  Almost all employees confirm that they have been trained in their employer’s security policies and that they are familiar with those policies.  Nevertheless, they hold doors to secure areas open for persons they don’t recognize, they notice people they don’t know working in empty offices without comment, and they find themselves with access to parts of the network they know they have no need to see.

Perhaps most troubling, a full third of all employees surveyed answered “yes” to the question, “Do you ever feel that you need to work around your company’s established security policies and procedures just to get your job done?”

RSA concluded its report, provocatively titled “The Confessions Report,” with a summary of its findings and a set of “Recommendations for Managing Information Risk.”  The recommendations call for a “holistic, information-centric security strategy [that] takes people, processes and technology into account and has a feedback mechanism.”  Clearly, an alert has been sounded.


Author: Christopher


Alexa Top 100 Domains compromised

February 28th, 2008

While Finjan was researching a server hosting a new version of the NeoSploit crimeware toolkit, a database of over 8,000 FTP accounts was uncovered. Login usernames and passwords for 10% of Alexa’s top 100 domains are in the database. A majority of the accounts originate in the United States.

Also uncovered was a trading application that rates the quality of the compromised accounts according to the location of the FTP server. This allows hackers to put a price on the stolen accounts.

These login credentials were stolen by appending an HTML iframe tag onto the victims’ websites. We are finding this type of attack almost every day during our own research. Finjan identified government websites hosting similar malicious code. An example they talked about was a website belonging to a state superior court.

Finjan is offering to check whether your website appears in this database if you fill out this form.


Author: Christopher


Over 70,000 sites hacked

February 4th, 2008

Late in December 2007, something Roger Thompson of Grisoft characterized as “a pretty good mass hack” compromised tens of thousands of websites, including edu and gov domains, with an automated SQL injection. The hack exploited a Microsoft SQL Server vulnerability that was over a year old, one that was patched in early 2006 by the MS06-014 security update. The hack injected into SQL databases an iterative SQL loop that appended a JavaScript tag to every text column. The script instructs browsers reaching the site to execute another script hosted on a malicious server. From what is known, those hacked appeared to share little in common except a weak spot in their SQL Server databases. Since those hacked are not bragging about it, the identities of the hackees as well as the actual purpose of the hackers were, and are, unclear.

Although the mass hack was cleaned up in record time, quickly relieving many fears of disastrous consequences, the possibilities from the hack may have been broader than what actually took place. One professional web developer responding on Thompson’s blog anxiously noted, “Looks like exploits for Y! Messenger, IE TIFF overflow and RealPlayer are also in there. Yikes.” Symantec and other experts analyzing the JavaScript itself agreed that the malicious script targeted a RealPlayer bug, one much more recent than the server vulnerability. The RealPlayer bug targeted had been found and fixed in October 2007, only a couple of months before the hack.

Those hacked were not simply at-home users or amateur server owners. According to Thompson, who reported the hack on January 5, 2008, “some victims were pretty sophisticated in terms of security smarts, including, apparently, some Computer Associates pages.” While it appears that no seriously harmful damage resulted from this particular hack, its massive size leaves many users troubled about other equally vulnerable bugs that may exist in their own server farms.
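Both this mass injection and the FTP-credential campaign in the Finjan post above left the same artifact behind: a script or iframe tag, pointing at an attacker-controlled host, appended to legitimate content. The following added example (not code from Thompson, Finjan or this blog) scans every text cell of a SQLite database for such tags and, optionally, strips them; the table, column names and hosts are constructed for the example, and a real clean-up would run against a backup first.

```python
import re
import sqlite3

# Added example (not from the post): matches a <script>/<iframe> tag pointing at a
# host, plus its closing tag, the shape of the tag both campaigns above appended.
INJECTED_TAG = re.compile(
    r"""<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)[^>]*>(?:.*?</\1\s*>)?""",
    re.IGNORECASE | re.DOTALL,
)

def _text_cells(cur):
    """Yield (table, column, rowid, value) for every string cell in user tables."""
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for col in [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]:
            # rows are materialised so the caller may UPDATE through the same cursor
            for rowid, value in list(cur.execute(f'SELECT rowid, "{col}" FROM "{table}"')):
                if isinstance(value, str):  # only text cells can carry the tag
                    yield table, col, rowid, value

def find_injected_tags(conn, trusted_hosts=()):
    """Report (table, column, rowid, host) for every tag whose host is untrusted."""
    trusted = {h.lower() for h in trusted_hosts}
    return [(t, c, r, m.group(2).lower())
            for t, c, r, v in _text_cells(conn.cursor())
            for m in INJECTED_TAG.finditer(v)
            if m.group(2).lower() not in trusted]

def strip_injected_tags(conn, trusted_hosts=()):
    """Remove untrusted tags in place; returns the number of cells changed."""
    trusted = {h.lower() for h in trusted_hosts}
    keep = lambda m: m.group(0) if m.group(2).lower() in trusted else ""
    cur, changed = conn.cursor(), 0
    for table, col, rowid, value in _text_cells(cur):
        cleaned = INJECTED_TAG.sub(keep, value)
        if cleaned != value:
            cur.execute(f'UPDATE "{table}" SET "{col}"=? WHERE rowid=?', (cleaned, rowid))
            changed += 1
    conn.commit()
    return changed

def sample_db():
    """Constructed sample: a CMS table with one row poisoned the way the post describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    with conn:  # commits the inserts on exit
        conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", [
            ("Court calendar", "<p>Hearings resume Monday.</p>"),
            ("Contact us<script src=http://malicious.example/b.js></script>",
             "<p>Call the clerk.</p><iframe src=\"//malicious.example/x\" width=0></iframe>"),
            ("News", "<script src='https://cdn.example.org/app.js'></script>")])
    return conn
```

Running `find_injected_tags(sample_db(), trusted_hosts=("cdn.example.org",))` flags only the two cells of the poisoned row, so legitimate external scripts on an allow-list are left alone while the appended tag is reported with the host it loads from.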


Author: Christopher


For Sale: Windows exploits - $20,000

January 19th, 2008

Digital Armaments is running a “Hacker Challenge” to uncover exploitable vulnerabilities in the Microsoft Windows operating system.  $20,000 is being offered on top of their normal payment for a Windows vulnerability or exploit.  Digital Armaments then sells this information to anyone who subscribes to their vulnerability intelligence service, which costs from $6,000 to $80,000 a year.


Author: Christopher


Vista randomly insecure?

December 17th, 2007

According to Microsoft’s own MSDN (Microsoft Developer Network) site, the Dual_EC_DRBG random number generator is being added to the upcoming Vista Service Pack 1 and to their new server OS, Windows Server 2008. This is newsworthy because there are many rumors that this random number generator has a back door. A majority of the rumors point to the NSA holding the keys to that back door. Encryption based on a compromised random number generator is only a little better than clear text.

A presentation from a few research developers at Microsoft provides some insight into the math, but reading it requires a master’s in advanced mathematics.


Author: Christopher


One Proven Way To Break Into Your Network And Compromise Data

December 9th, 2007

41% of the wireless installations used in business implement WEP (Wired Equivalent Privacy) Wi-Fi security. The largest data breach in the United States is attributed directly to a flaw in WEP security, resulting in the compromise of 94 million payment card numbers.

Vivek Ramachandran of AirTight Networks recently presented a technique to break WEP in about the time it takes to finish a cup of coffee. Unfortunately this is only one of many documented attacks on the WEP security protocol.

If your business still uses WEP security, it is only a matter of time before your network is breached and your data and intellectual property are compromised.

WPA (Wi-Fi Protected Access) is considered best practice for wireless security, with WPA2 being even better.  If you haven’t already, I highly suggest you upgrade.


Author: Christopher
