According to Microsoft’s own MSDN (Microsoft Developer Network) site Dual_EC_DRBG random number generator is being added to the future release of Vista Service Pack 1 and their new server OS Windows Server 2008. The reason this is a significant newsworthy point of fact is because there are many rumors there is a back door to this random number generator. A majority of the rumors point to the NSA having the keys to this back door. Encryption based off a random number generator that has been compromised is only a little better than clear text.

A presentation from a few research developers at Microsoft provides some insight on the math, but reading it requires a masters in advanced mathematics.

Tags: Information Security, Vista

Author: Christopher

41% of the wireless installations used in business implement WEP (Wired Equivalent Privacy) Wi-Fi security. The largest data breach in the United States is contributed directly to a flaw in WEP security, resulting in the compromise of 94 million payment card numbers.

Vivek Ramachandran of AirTight Networks recently presented a technique to hack WEP in about the time it takes to finish a cup of coffee. Unfortunately this is one of many documented attacks to the WEP security protocol.

If your business still uses WEP security it is only a matter of time your network will be breached and that your data and intellectual property will be compromised.

WPA (Wi-Fi Protected Access) is considered best practice for wireless security, WPA 2 being even better.  If you haven’t already, I highly suggest you upgrade.

Tags: Information Security

Author: Christopher

Top 5 attacks used by U.S. hackers

1. Internet Explorer 6 Buffer Overflow
2. Generic File Inclusion
3. Mambo register_globals Emulation Layer Overwrite
4. Microsoft Windows COM Object Handling Vulnerability
5. Internet Explorer HTML Help Remote Code Execution

Top 5 Attacks used by Foreign hackers

1. HTTP overflow attack
2. Generic File Inclusion
3. WebDAV Overflow Attempt
4. Mambo register_globals Emulation Layer Overwrite
5. phpBB Activity Module File Inclusion

Tags: CyberCrime, hackers, Information Security

Author: Christopher

It’s a shocking but true statement.

But then if the vulnerabilities and misconfigurations are known, why are steps not taken to correct them?

Well, the answer lies in the question itself. The vulnerabilities are known but which ones exist in your system’s network need to be identified.  The first step towards protection against security breaches is identification of these vulnerabilities. This is achieved through security audits and vulnerability scans.

A number of people question the need for security audits and few people even dismiss them as unnecessary. Some people believe that their anti-virus software can take care of all such security concerns. And it’s astonishing to know that a lot of people either have obsolete anti-viruses that are not updated as frequently as they should be or their anti-virus software has poor virus detection rate.

The need for protection varies from business to business. Though a powerful anti-virus software might suffice one business’ security needs; other businesses might require a more sophisticated security solution that comprises protection against malware of all types (malware is the short for “malicious software” and includes viruses, Trojans, worms, spyware, and adware).

Security audits involve a thorough analysis of the systems/network and security practices in order to determine the security solution that would best suit the organization. Security audits involve a lot of tests to identify misconfigurations, firewall vulnerability (e.g. due to exposed workstations), password policy, suitability of current anti-virus software, network component (modems, dial pools etc) vulnerability, vulnerability of web services, mail databases, etc. You must ensure that your security auditors perform all the relevant security tests and give you a complete and comprehensive security solution

Tags: Information Security, Security Breach, Web Vulnerability

Author: Christopher

“Dave gets into work after a good night’s sleep. A few hellos later, he is at his workstation. He is the top finance guy and recently got a high speed computer that he uses to conduct various high value financial transactions every day. He also holds critical and confidential information about company’s financial position on his computer. He is generally quite energetic and is known to be very efficient. But today, he seems dull and has missed his status report deadline, which is very unlike him. Missing a deadline annoys him and he appears unusually temperamental and over-stressed today. He screams at his computer. As the day progresses, similar behavior is observed across the office. Some people are even popping pills to beat their headaches.”

This is a typical scenario at an office that is hit by a computer virus which has not been detected yet. And that shows that computer viruses infect humans too (in a way)….Just check what happens next…

“Dave tries to open a couple of files on his computer. But he cannot access them. His computer is too slow. It’s been 7 hours since he got into office and no work has been done yet. IT department has been informed but nothing has been found wrong. There are no back-ups for his file either”

No backups, low detection rate and slow response to virus outbreak. This is a complete lapse of information security and protection.

“The losses are mounting by the minute and it sends a shiver down your spine. You regret the compromise you made in selecting a proper information security solution “

Lesson Learned: ‘Treating Information security as a secondary thing can cost you your business’

Tags: Anti-Virus, Backup and Recovery, Information Security, Malware

Author: Christopher

The University of California recently has been hit with a proposed $3 Million fine by the U.S. Department of Energy for their alleged failures to protect classified information in a data breach back in October 2006. I am quite confident that the fine is only a portion of the financial responsibility as a result to this breach, quite likely not even the largest.

We tell our clients that protecting your grand moma’s apple pie recipe is only a single goal of Information & Data Security. Liability, reputation, and compliance are other good reasons to be concerned and pro-active with security. Pro-active Security is a time consuming and expensive task, but is yet considerably cheaper than the alternative; a security breach.

Tags: Events, Information Security, Security Breach

Author: Christopher