Friday, May 29, 2009

US to set out cyber security plan -Baha to the rescue

Why did it takes us over 2 decades to really approach the cybersecurity topic. When I started in informatio security in in 1994, it was the wild west. People were creating processes, developing security frameworks and growing a whole new industry. I like to think I played some part in being on the early team at PriceWaterhouse and we had the first ever corporate "Hacking Lab" in NJ to test our clients security weaknesses. Those were Good time. Now we are just in Regular times.

So what can we expect from the Czar?

The White House must take the cybersecurity lead. The current approach to cybersecurity is untenable, said Hathaway at RSA in April.

Well that was obvious. When you have hackers runing around American corporations and in and out of government agencies, I would agree that is "untenable".

Here is my plan for cybersecurity:
1) Put ME in charge of the whole thing.

Good plan right?

My point is you have to have someone with a practical approach. You to address this both straategically and tactically. Tactically in the short term and strategic in the long term.

We know government cant get out of its own way, so let the private sector have more say in how this is done. Simple way to start:
1) Have a time line, say 2 year to have every government and quasi government computer defined in a risk classification scheme.
2) Conduct continuous vulnerability assessment of the High and Medium risk systems.
3) MUSt have Patch management for all systems.
4) Encrypt any data leaving a secure internal system
5) Figure out what Data Loss Prevention means!
6) FUND Cybersecurity like its part of the Defense Budget.

Baha - new Cybersecurity Czar
baha@kraasecurity.com
www.kraasecurity.com
http://blog.kraasecurity.com
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

+++++++++++++++++++++++++++++++++++
BBC
US President Barack Obama is to set out plans for securing American computer networks against cyber attacks.

In a speech that follows a 60-day review, Mr Obama is expected to announce the creation of a cyber security office in the White House.

Both US government and military bodies have reported repeated interference from hackers in recent years.

In a separate development, the Pentagon is to create a new military command for cyber space, the New York Times said.

Mr Obama will not discuss the Pentagon plan during Friday's announcement, the newspaper said.

But he is expected to sign a classified order to establish the military command in coming weeks, it reported, citing officials.

'Serious threats'

The 60-day review was carried out by Melissa Hathaway, who has been serving as interim White House cyber security adviser.

The new office is expected to co-ordinate a multi-billion dollar effort designed to restrict access to government computers and to protect systems - such as those that run the stock exchange and air traffic control - that keep the country going, reports BBC defence and security correspondent Rob Watson.

Friday, May 22, 2009

Buying Malware rather than getting it for free

This kind of incident (see article below) seems to be happening every few months. So you purchase a product (netbook) and it comes infected. No longer do you just have to worry about it working, or if the OS will behave nicely or the drivers will work with your printer. If the manufacturer can not control malware, what hope is there?

I am pretty puzzled about how the malware actually got on the machine. The article doesnt delve into too much detail, but looks like maybe a driver was infected that got placed on the machine. This seems to say the manufacturer does not use any kind of antivirus, or antimalware to test the security of the system before shipping it out. It also calls into question the security processes in place around managing software and development. A bit scary.

So what are some things you can do to protect against malware (i hope you know most of these already)

1) Use a firewall - A good personal firewall will help defend your system, especially if it has the capability to monitor outbound traffic or stop unknow programs from being run or installed. Try Zonealarm, free version.

2) Run anti-virus - This is obvious. while many antivirus programs will miss a lot of malware, you need a defense in depth strategy. Try AVG or Avast.

3) Install patches - A must do. Keep your systems patched because many worms, virus, and malware take advantage of unpatched system vulnerabilities

4) Use antispyware - This is a bit different from antivirus. It can stop malicious code from running and warn you of registry changes. A good start for the beginner is SpywareGuard and Spybot S & D.

5) Protect the browser - Browser protection software can stop activex controls from running, protect you from tracking cookies and known malware. Two examples are SpywareBlaster and IE-SpyAd

6) Stop Surfing Porn!

Baha

baha@kraasecurity.com

www.kraasecurity.com

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test


++++++++++++++++++++++++++++++++++++++++++++++++++++

Netbook comes with factory-sealed malware
Chuck MillerMay 20, 2009
SC Magazine
In a rare occurrence, a brand-new factory-sealed netbook has been found to contain malware, according to researchers at Kaspersky Lab.

The factory-infected device, an M&A Technology Touch netbook, came with trojans on the disk image, found during a routine compatibility test.

“This case shows once again that even brand new products can leave the factory infected,” wrote Roel Schouwenberg, senior anti-virus researcher with Kaspersky Lab, on the company's Viruslist blog. “Safeguarding against infected new devices is particularly difficult.”

The machine seems to have been infected while technicians were installing drivers for the machine, he said.

“Given the dates associated with the files, it was clear that the infection had to occur somewhere in the process of putting these things together, or while installing drivers,” Schouwenberg told SCMagazineUS.com on Tuesday. “So it's logical to assume that a whole batch of these machines is infected.”

The infections found were examples of a common malicious family that tries to steal the online passwords of gamers and to spread to USB devices. The nature of the malware seemed to indicate that it showed up on the computer purely by accident.

“Games are very graphics intensive," Schouwenberg said. "Netbooks are not necessarily the best platforms for games. That means the malware was probably not specifically targeted to these machines.”

Manufacturers should have proper security processes in place, he said. Some makers, for example, actually have metal detectors to be sure that nobody walks into the factory with a USB stick, which they may use to accidentally introduce malware into new hardware.
Individuals at M&A Technology, which makes products for education, government and corporate customers, were informed of the problem, but did not respond publicly other than to say that they would look into it, Schouwenberg said.

Sunday, May 17, 2009

iECon 2009 Conference - great companies you should know

The TieCon 2009 conference just concluded (www.tiecon.org). It was two days of meeting some very interesting entrepreneurs, hearing some good talks on everything from CleanTech to VC funding strategies.

What I thought was very interesting and different, was the TiE50. 50 companies were selected that were successful, interesting and hopefully on the road to making an impact. Several that I thought were worth a shot are:

1) Jajah (www.jajah.com) Global phone-to-phone. Make a JAJAH call anywhere - on your mobile or landline phone to save money and keep in touch with friends and family. JAJAH can save you up to 98% on your international phone calls. It connects you using your existing phone. No contract, no software, no headset, easy to use!
2) Kiva (www.kiva.org) Lets you make loans to entrepreneurs in developing nations. Microlending is really a way to change the world.

3) Splunk (www.splunk.com) Splunk is the IT Search company changing the way organizations manage, secure and audit their IT infrastructures. Splunk is software that lets you search and analyze all your IT infrastructure data from a single location in real time. With Splunk, now you can troubleshoot application outages, investigate security incidents, and demonstrate compliance in minutes, not hours or days.

4) Xobni (www.xobni.com) The Outlook plugin that finds people & email in your inbox.

5) Reqall (www.reqall.com) Remember what's important to you with reQall. reQall is a voice-enabled memory aid that seamlessly integrates your mobile phone, email, text messaging and IM into a powerful organizer, reminder system and productivity assistant. reQall lets you capture your ideas, tasks and commitments before you forget, and it proactively keeps you well-prepared and memory-strong.

Check them out,

Gary Bahadur

http://www.kraasecurity.com

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Healthcare Security- Identity Theft and Hacker ransom

I hope no one is actually shocked by this story. Records are stolen everyday. Typically, the hackers will sell the information in the underground somewhere is Eastern Europe or Asia. The fact that someone is asking for ransom, and so publicly it actually a good thing in my opinion. Why is it good you ask? (I assume you are asking that, vulcan mind meld and all that..) Maybe the industry (meaning all industries) need a sensational story to get real change in their IT Security environments.

When the Heartland data breach happened, it was interesting but the general public didnt find it sexy enough. A ransom note, publicly done makes for good drama. Equate it to the Somali pirates. They really broke in the news because of the weapons they captured. This might be the "weapons" story that gets the general public asking about security of the places they use on the Internet.

Identity theft is on the rise. Most companies never do a web application security assessment. They almost never do a database security review. If the hacker can break in through your web portal but your database of customer data is encrypted, well your last line of defense can save your hide.

So what are some things you can do to protect your website?

1) Conduct a web application security assessment. You should probably do this twice a year or anytime you make any significant changes to the application.

2) Conduct an architecture review. If your network architecture has holes in it, a hacker can find away around the application and perhaps get to the data through a different port.

3) Conduct a host security diagnostic review. If the hacker can get on the system and take advantage of an operating system weakness, you will still be compromised

4) Conduct a database security review. Your last line of defense, make sure the data in encrypted, access is completely authenticated and IDS on the database to flag and stop inappropriate access

5) Hire someone smart to do your security assessment.

Gary Bahadur

http://www.kraasecurity.com

o:888-KRAA-911

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test



+++++++++++++++++++++++++++++++++++++++++++++++

The Channel Wire
May 06, 2009
Hacker Holding Health Records Hostage Demands Ransom
A hacker wants $10 million for the return of nearly 8.3 million patient records stolen from a Virginia prescription database last week.When users logged into the Virginia Prescription Monitoring Program (PMP) site April 30, they found a ransom note that also was posted on Wikileaks, a site that posts untraceable documents. The PMP has since disabled the link.
"I have your [expletive]!" read the note on the Wikileaks site. "In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uh-oh :( For $10 million, I will gladly send along the password."

Virginia set up the database in November 2007 after a spate of serious crimes primarily involving OxyContin made headlines, including a segment on "60 Minutes." The PMP was designed so that pharmacists can cross-reference prescriptions to see if a patient is issued multiple scripts for narcotics by different physicians.

The PMP extortionist warns that, "If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this [expletive] is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name, age, address, social security #, driver's license #)."

This is not the first time and certainly won't be the last that hackers have broken into health information records and demanded money for the return of confidential records.

In November 2008, Express Scripts, one of the largest pharmacy benefit management companies in North America, fell victim to this practice that has been dubbed "cryptoviral extortion."

"A small number of its clients have received letters threatening to expose the personal information of its members," the company said in a letter on its Web site. "The threats are believed to be connected to an extortion threat the company made public last week."

Those letters included personal information such as Social Security numbers, dates of birth and, in some cases, prescription information, the company said.

Express Scripts said it first received a letter the previous month that threatened to publicly expose millions of the company's members' records if an extortion threat was not met. The original letter included the personal data of 75 Express Scripts members.

The company is working with the FBI, and has posted a $1 million reward for the arrest and conviction of whoever is responsible for the breach. Express Scripts also said it would offer its members free identity restoration services from Kroll, a New York-based risk-consulting and global data security firm, if they become victims of identity theft because of the hacker.

Express Scripts said that it is not aware of any actual misuse of its members' data.

Friday, May 1, 2009

Encrypt Your Laptops to Safeguard Information

With the advancement of technology come its disadvantages as well. As the technology is improving, the number of thefts and fraud activity is on the rise. To hear about stolen laptops has now become a normal news story. Companies usually store their data in their systems or laptops and forget to keep a backup copy of the same data or even to encrypt that data. This data includes all information regarding the employees of the company, business clients and the valued customers of the company. Recently, Oklahoma’s Department of Human Services (DHS) had reported that an unencrypted laptop containing information regarding millions of customers was stolen by an employee of the agency. The laptop contained their all important information regarding their complete background as well as their social security numbers, though the agency is somewhat sure about the safety of the data as the laptop was protected by a password.

The personal data stored on the laptop should be on an encrypted share or drive, i.e., it needs to be there in a way so that no one other than the assigned person can get access of this highly valuable data. You may have highly confidential details that should not be disclosed. The customers share their information on the basis of the fact that as per the guidelines of the company, the data would be safe within the company only.

There have been many laptop thefts reported by many reputable companies. The laptops containing sensitive information get stolen, posing a security threat to the company. Whether the amount of customer data on the laptop is for one or one hundred, it can have a very damaging affect on the company and the customers. IN most cases, the records number in the thousands or even millions. not like only one or hundred clients are associated with the company. But the client base encompasses a mass of millions of people and certainly involves huge risks if they face any security breach.

There are many ways to ensure safety of the data even if the laptop gets stolen. First of all, it should be encrypted with PGP Encryption system which helps in protecting all the data by offering various encryption applications. the chances of growth and profitability of any company. Automated patch management is another way of keeping your laptop's sensitive information safe. Firewall protection is also necessary for protecting your laptop against harmful attacks or when surfing suspicios sites. To keep it safer, you should also protect your hard disk with a password as it makes the cracking very tough for the fraudsters.

on increasing. Recently, Oklahoma’s Department of Human Services (DHS) had reported that an unencrypted laptop containing information regarding millions of customers was stolen by an employee of the agency. The laptop contained their all important information regarding their complete background as well as their social security numbers, though the agency is somewhat sure about the safety of the data as the laptop was protected by a password.

So, it is better to take some measure beforehand, rather than facing such risks in the future. These are easily available tools that need to be used by every organization so as to maintain their clients and growth.

An expert with the knowledge of Application Security Risk Assessment has written this article.