November 21, 2008

Worm Drives Military to Ban Removable Storage

“The Defense Department’s geeks are spooked by a rapidly spreading worm crawling across their networks. So they’ve suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further.

“The ban comes from the commander of U.S. Strategic Command, according to an internal Army e-mail. It applies to both the secret SIPR and unclassified NIPR nets. The suspension, which includes everything from external hard drives to ‘floppy disks,’ is supposed to take effect ‘immediately.’ Similar notices went out to the other military services.

“In some organizations, the ban would be only a minor inconvenience. But the military relies heavily on such drives to store information. Bandwidth is often scarce out in the field. Networks are often considered unreliable. Takeaway storage is used constantly as a substitute.”

I had the pleasure of serving as an Information Systems Security NCO (ISSNCO) while I was stationed at Ft. Bragg. The only thing surprising about this particular article to me is that it’s happening now. The amount of crap people drug back and forth between their laptops and their home computers was astounding.

On the other hand, back when I was worrying about what people were up to on their laptops, echelons below battalion were seldom even allowed to have a live Internet connection of any sort. When the CO wanted a networked printer, we ended up buying some bizarre $89 collection of parallel port dongles that connected to each other with telephone wire and “networked” with a printer by sending each other little “I’m using the printer!” signals.

(Link)

Posted by mhall at 4:50 PM

November 19, 2008

Free OneCare: Killer Generosity from Microsoft?

“Microsoft said Wednesday it will discontinue sales of its subscription PC security service and instead offer free software to help protect computers from viruses, spyware and other threats.

“With the move, the software giant appears to be taking aim at McAfee and Symantec, its chief rivals in the PC security market.

“Microsoft (NASDAQ: MSFT) plans to halt sales of its Windows Live OneCare service on June 30. The service being discontinued costs $49.95 a year and covers up to three PCs.

“The new security program, which the company has code-named ‘Morro,’ will be available as a free download in the second half of next year.”

I like the “appears to be taking aim at McAfee and Symantec” bit. Microsoft appeared to be taking aim at McAfee and Symantec three years ago when it started giving away its anti-spyware software and bought Sybari to start working on more comprehensive client-side security software.

McAfee and Symantec started running for cover in 2005 through increased pushes into the enterprise, and they haven’t really looked back, even though OneCare was pretty anemic and got off to a horrible start.

I’d say this is less about “taking aim” at anybody than it is giving its putative rivals the finger on its way out of a market it wasn’t doing so well in.

(Link)

Posted by mhall at 4:41 PM

November 13, 2008

New Safari Intros Anti-Phishing Measures

Apple released Safari 3.2 today. The big news is that it includes phishing protection similar to that offered by other browsers, but it also includes a number of security fixes (most of which seem to apply to the Windows version of Safari).

The phishing protection takes the form of a bit of text in the upper right corner of a Safari window. When visiting a site with an Extended Validation (EV) SSL certificate, Safari shows the site’s name in that spot, as in this screen shot from a visit to PayPal:

[Screenshot: Safari's antiphishing indicator]

In February, PayPal’s CISO advised users to avoid Safari because of its lack of EV SSL support, which had the predictable effect of upsetting a lot of people who promptly argued that it didn’t matter anyhow.

Now everybody wins. Even though at least one study shows that 70 percent of us ignore the presence (or lack thereof) of EV SSL indicators when our browsers provide them.

Posted by mhall at 6:33 PM

November 11, 2008

Kaminsky Vulnerability Still Present in 10 Percent of DNS Servers

“More than 10 percent of the Internet’s DNS (Domain Name System) servers are still vulnerable to cache-poisoning attacks, according to a worldwide survey of public-facing Internet nameservers.

“‘We estimate there’s 11.9 million nameservers out there, and over 40 percent allow open recursion, so they accept queries from anyone. Of those, a quarter are not patched. So there’s 1.3 million nameservers that are trivially vulnerable,’ said Liu, who is Infoblox’s vice president of architecture.

“Other DNS servers may well allow recursion, but are not open to everyone, so they were not picked up by the survey, he said.”

(Link)

Posted by mhall at 3:47 PM

November 7, 2008

"Foreign Entities" Hacked McCain and Obama Campaign Computers

The best part of elections might be getting to read all the campaign post-mortems. Newsweek released a great seven-parter over the course of this week that provided all sorts of detail thanks to an agreement its reporters made to keep what they learned to themselves until the election ended.

You can start on the highlight page and then check the “Secrets of the 2008 Campaign” navbar for links to parts one through seven. If you haven’t already, this is a good reason to set up an Instapaper account and save the print versions of each installment there. A few of the installments run close to 8,000 words.

Anyhow, one of the details offered in the series is that the FBI and Secret Service warned that computers from each campaign had been compromised by “foreign entities”:

“The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyberattack by an unknown ‘foreign entity,’ prompting a federal investigation, NEWSWEEK reports today.

“At the Obama headquarters in midsummer, technology experts detected what they initially thought was a computer virus—a case of ‘phishing,’ a form of hacking often employed to steal passwords or credit-card numbers. But by the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: ‘You have a problem way bigger than what you understand,’ an agent told Obama’s team. ‘You have been compromised, and a serious amount of files have been loaded off your system.’ The following day, Obama campaign chief David Plouffe heard from White House chief of staff Josh Bolten, to the same effect: ‘You have a real problem … and you have to deal with it.’ The Feds told Obama’s aides in late August that the McCain campaign’s computer system had been similarly compromised. A top McCain official confirmed to NEWSWEEK that the campaign’s computer system had been hacked and that the FBI had become involved.

“Officials at the FBI and the White House told the Obama campaign that they believed a foreign entity or organization sought to gather information on the evolution of both camps’ policy positions—information that might be useful in negotiations with a future administration. The Feds assured the Obama team that it had not been hacked by its political opponents. (Obama technical experts later speculated that the hackers were Russian or Chinese.) A security firm retained by the Obama campaign took steps to secure its computer system and end the intrusion. White House and FBI officials had no comment earlier this week.”

(Link)

Posted by mhall at 8:13 PM

November 6, 2008

Had to Happen Eventually: WPA Vulnerability Exposed

A researcher says he’s exposed a vulnerability in WPA security:

“Cryptographic expert Erik Tews will appear at PacSec security conference in Tokyo next week with his presentation, ‘Gone in 900 seconds: Some Crypto issues with WPA.’ There, Tews is expected to show off his discoveries in TKIP (Temporal Key Integrity Protocol) cracking, that allow WPA to be broken in a brief 12-15 minute window.

“TKIP itself is not really crackable, since it is a Per-Packet Key, but once it is initialized, the Pairwise Master Key (PMK) can be obtained. From there, the conventional method of breaking in involved a brute force dictionary attack, or a long process of elimination by trying millions of options.”

(Link)

Posted by mhall at 8:02 PM

November 3, 2008

Microsoft Says Malware Is Routing Around Its OS

Microsoft’s latest security report says:

“… there was a 43 percent rise in malware and ‘potentially unwanted software’ during the first half of 2008. Potentially unwanted software is generally a program, similar to adware, that may not prey on a vulnerability or exhibit the classic characteristics of malware but can nonetheless expose a user’s data or activity history to a third party.

“It may not seem like it given the recent high-profile, off-schedule patch, but the company has observed that malware coders are targeting applications, increasingly foregoing the operating system. According to the company’s data, only 10 percent of disclosed vulnerabilities belonged to an operating system. The rest, 90 percent, affected applications.

“In addition to the apparent reprieve operating systems are getting, Microsoft is reporting an improvement in its own efforts to button up the company’s software. Compared to the latter half of 2007, the number of vulnerabilities attributable to Microsoft during the first half of the year plunged 33.6 percent.”

(Link)

Posted by mhall at 7:08 PM

October 31, 2008

Does the Global Network Initiative Have Any Teeth?

The Global Network Initiative is a broad coalition of tech companies and assorted human rights stakeholders designed to “provide high-level guidance to the ICT industry on how to respect, protect and advance user rights to freedom of expression and privacy, including when faced with government demands for censorship and disclosure of users’ personal information.”

It launched on Wednesday. Here’s Rebecca MacKinnon’s take:

“Organizations like Human Rights Watch, Human Rights in China, Human Rights First, and the Committee to Protect Journalists would not be putting their reputations behind this thing if they didn’t think it was meaningful.

“That said, the initiative must prove its value in the next couple of years by implementing a meaningful and sufficiently tough process by which companies’ adherence to the principles will be evaluated and benchmarked. If there is a rigorous process that rates the companies’ behavior, then investors who care about social responsibility, and users who want to know how trustworthy a given company is compared to others, can make more informed choices.

“The initiative is based on the reality that there is pretty much no country on earth - including the United States - where governments aren’t pressuring telecoms and Internet companies to do things that potentially violate users’ rights to privacy and free expression. Companies must consider the right to free expression and privacy of users in all markets to be part and parcel of what it means to be socially responsible. Part of the problem is that many telecoms and Internet companies just have not been thinking through these issues as they roll out products and services around the globe, resulting in all kinds of unintended consequences - the TOM-Skype fiasco in which Skype’s Chinese business partner was found to have allowed a huge security breach being the latest example. The Initiative is about getting companies to think ahead and incorporate human rights assessments into new product plans or plans to enter new markets. It’s also about being more transparent and honest with your users about what’s being censored, why and how, and informing them about how and with whom their personal data is being stored and shared. That way, users can make informed choices about how and when it is safe or reliable to use these services - or not.”

(Link)

Posted by mhall at 8:05 PM

October 29, 2008

More Home Wi-Fi Users Encrypting

Encouraging news on Wi-Fi security:

“The RSA study also found that 97 percent of New York City’s corporate access points featured some level of encryption — an increase of 21 percent over last year and the greatest growth spike in the seven years of the study. In Paris, 94 percent of businesses’ Wi-Fi access points had some form of security, while only 80 percent of London’s business access points were secured.

“In many cases, home networks appear to be more security-savvy. According to the report, 97 percent of New York City’s at-home Wi-Fi access points use encryption, with 61 percent of those networks using advanced encryption.

“In Paris, 98 percent of the City of Lights’ at-home Wi-Fi installations were protected by encryption standards, while in London, more than 90 percent of consumers had set up security for their in-home Wi-Fi access points.

“‘This is good news for businesses and consumers alike,’ the study said.

“Another positive security trend is that enterprises and consumers are moving away from basic Wired Equivalent Privacy (WEP) encryption standard, adopting more secure technologies instead, the survey found. As a result, a growing number of businesses and consumers are dropping WEP in favor of Wi-Fi Protected Access (WPA) or a more advanced edition of the protocol, WPA2.

“The report said that New York City-based WPA use reached 49 percent during the year, with 50 percent of all businesses having adopted WPA or stronger security.”

(Link)

Posted by mhall at 3:11 PM

October 27, 2008

Tweeting for Terror

When experts warned that Second Life and World of Warcraft were potential hotbeds of terrorist recruitment and planning, I shrugged them off. But Twitter?

That fun tool can also be put to nefarious uses, according to an addendum to the 304th Military Intelligence Battalion periodic newsletter, available on the Federation of American Scientists’ (FAS) Web site.

“The paper tracked some of the latest tactics terrorist groups use to organize and described some techniques that are emerging.

“‘The ‘Twitter’ member can send Tweets (messages) near real time to Twitter cell phone groups and to their online Twitter social networking page,’ the author said, adding that ‘there are multiple pro- and anti-Hezbollah Tweets.’

“Twitter members ‘can also mashup their Tweets with a variety of other tools including geo-coordinates and Google Maps or other electronic files/artifacts. Members can direct and re-direct audience members to other Web sites and locations from ‘Tweets’ and can engage in rapid-fire group social interaction,’ the writer said.

“The author outlined three scenarios where Twitter could be used by terrorists, and pointed out that terrorists have also talked about using other technologies, including cell phones, Skype and other internet telephony services.”

If I were a member of a crack terrorist team, I think Twitter is the last thing I’d use to carry out an operation. Who needs the x-eyed Fail-Whale just as they’re about to find out where the Stingers are cached?

(Link)

Posted by mhall at 7:37 PM

 

