Archive for January, 2009

Beware Fake Obama Websites

Wednesday, January 21st, 2009

Microsoft has issued a warning that malware authors are taking advantage of Inauguration Day by creating fake Obama websites to host the Waledac Trojan.

Barack Obama’s name has been used by a growing number of malware authors and spammers since he began his run for the Presidency, and a whole new round of social engineering lures has appeared for Inauguration Day.

As the Microsoft Malware blog shows, these cybercriminals have set up fake sites that mimic the official Barack Obama website, barackobama.com.

As with any email from an unknown source, the simplest way to avoid ending up on a fake website is not to click the links. Instead, open your browser and type in the URL yourself. Legitimate websites can also be compromised to host malware, but typing the address sidesteps the social engineering that tries to catch you in your inbox.

Microsoft lists indicators to look for in these fake websites, including URLs that contain the words “direct”, “online” or “great”, along with screenshots of the fake pages.

For those of you who have been eagerly awaiting Obama’s Inauguration, I suggest you also take a look at the changes now visible on Whitehouse.gov. The nicest that website has ever looked! The transition was captured by CNet, along with the brief bugs that appeared during the transition process.

25 Most Dangerous Programming Errors

Monday, January 19th, 2009

The US National Security Agency (NSA), the Department of Homeland Security, Microsoft, Symantec and a group of more than 30 other cyber security organizations have formed a group to outline the most dangerous software programming errors.

The group has jointly released a consensus list of the 25 most dangerous programming errors, along with guidance on how to fix them. These errors are the root cause of security bugs that enable cyber espionage and cyber crime; according to the press release, most of them are not well understood, their avoidance is not taught in computer science programs, and organizations developing software for sale rarely test for them. The list is, therefore, a big step forward in making software more secure.

“There appears to be broad agreement on the programming errors. Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify.” – SANS Director, Mason Brown

According to the release, just two of these 25 programming errors led to more than 1.5 million website security breaches in 2008. The 25 errors represent the worst mistakes that can be made while software is being written, and they give a minimum set of coding errors that should be eradicated before software reaches the consumer.

The programming errors include sending sensitive information in clear text and hard-coding passwords into programs. They fall into three categories: insecure interaction between components, risky resource management, and porous defenses. You can read more here or here.
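To make the hard-coded password error concrete, here is an added example (not code from the Top 25 release or from this blog) showing the vulnerable pattern beside a hardened version. The hardened check reads a salted PBKDF2 hash from an environment variable (the variable name `ADMIN_PASSWORD_HASH`, the sample passwords and the iteration count are assumptions for the example), fails closed when the secret is missing or malformed, and compares in constant time.

```python
"""Added example: hard-coded credential vs. secret loaded from the environment.
Not code from the SANS/CWE Top 25 release or from the original post; the
environment variable name and all sample values are assumptions."""
import hashlib
import hmac
import os
from typing import Mapping, Optional

# --- Vulnerable form: the secret is baked into the program -------------------
# Anyone who can read the source, the binary, or a stack trace learns the
# password, and rotating it means shipping a new build.
HARDCODED_ADMIN_PASSWORD = "s3cret!"   # constructed sample value

def check_admin_vulnerable(supplied: str) -> bool:
    # Plain == also returns as soon as one character differs, which leaks
    # timing information about how much of the guess was correct.
    return supplied == HARDCODED_ADMIN_PASSWORD

# --- Hardened form: the secret lives outside the program ---------------------
# Stored as "<salt_hex>:<pbkdf2_sha256_hex>" so the program never contains the
# password itself. The variable name below is an assumption for the example.
SECRET_ENV_VAR = "ADMIN_PASSWORD_HASH"
PBKDF2_ITERATIONS = 100_000

def derive_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def make_stored_credential(password: str) -> str:
    """What an operator would generate once and place in the environment."""
    salt = os.urandom(16)
    return f"{salt.hex()}:{derive_hash(password, salt).hex()}"

def check_admin_hardened(supplied: str, env: Optional[Mapping[str, str]] = None) -> bool:
    """True only if `supplied` matches the hash in the environment."""
    env = os.environ if env is None else env
    stored = env.get(SECRET_ENV_VAR)
    if not stored or ":" not in stored:
        # Fail closed: a missing or malformed secret must never grant access.
        return False
    salt_hex, digest_hex = stored.split(":", 1)
    try:
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    # compare_digest runs in time independent of where the first mismatch is.
    return hmac.compare_digest(derive_hash(supplied, salt), expected)

if __name__ == "__main__":
    # Simulate a deployment where the operator set the hash out of band.
    fake_env = {SECRET_ENV_VAR: make_stored_credential("correct horse")}
    print(check_admin_hardened("correct horse", fake_env))  # True
    print(check_admin_hardened("wrong guess", fake_env))    # False
    print(check_admin_hardened("anything", {}))             # False: fail closed
```

The same structure applies to API keys and database passwords: keep the value out of the source tree, make the program refuse to run (or refuse access) when it is absent, and never compare secrets with `==`.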

Via PC World ; Clipart via Microsoft / Presentation Pro

Worm Spreads to Over 3M PCs

Friday, January 16th, 2009

According to F-Secure (via Computerworld), more than 3.5 million PCs have been infected within a matter of days by a new worm that exploits a months-old Windows bug. The “Downadup” or “Conficker” worm gives attackers full control of the infected machines, which could be used to build a large botnet, for example. Right now the worm tries to scam users into buying fake security software (ironic, right?) through pop-up messages.

The worm exploits a bug in the Windows Server service used on Windows 2000, XP, Vista, Server 2003 and Server 2008, which is fixed by this security update. The estimated number of infected computers, as of January 14th, was 3,521,230, up more than 1.1 million in the previous 24 hours alone.

Microsoft recommends installing the update and running its malicious software removal tool. That so many computers were infected even though the patch has been available since October shows just how few people keep their software updated. Keeping software patched is a basic tenet of security for both individuals and companies.

So, is your software up to date? Why not run a check?
If you’re a Computrace customer, run a report to make sure that your machines have the most up-to-date patches.

Also getting a lot of buzz: Paris Hilton’s nearly defunct website was hacked to host malware, probably for quite some time.

Image; wax115 @ morguefile

Whitehall Loses a Laptop a Day

Thursday, January 15th, 2009

The Liberal Democrats in the UK have publicized the results of their research into computer security across Whitehall. According to their results, around 3,000 computers have been lost or stolen across Whitehall in the past seven years, a staggering average of at least one computer lost per day. In 2008 alone, a further 238 laptops and 40 desktops went missing or were stolen, only a minor improvement in Government laptop security despite continued public breaches, promises of security upgrades, and even laptop bans.

The figures, which were released in Parliamentary answers, include:

  • Since 2002, 1,774 laptop computers and 1,035 desktop computers have been lost or stolen across Government, at a rate of nearly five a week and three a week respectively
  • In 2008 (as of December 29), 238 laptops and 40 desktops went missing
  • Since 2002, 676 mobile phones, 202 hard drives and 195 memory sticks have also been lost or stolen
  • The worst offenders are the Ministry of Defence (which handles very sensitive information), which has had 866 laptops stolen and has lost 178, as well as 157 desktops stolen and seven lost

Liberal Democrat Home Affairs Spokesman, Paul Holmes said:

“Everyone understands that things go astray but it is truly staggering that over the last seven years a laptop has been lost every working day across government.

It demonstrates a culture of carelessness across Whitehall that ministers have done nothing to curtail.”

It is clear that fundamental changes need to happen in the way Government handles data. This includes a change of culture, in attitudes and in knowledge of security practices, as well as upgrades to the technology that protects data-bearing devices (as Absolute’s Computrace does).

Also in troubling Government security news, the IRS in the US has failed to fix more than half of the cybersecurity problems identified in November: only 49 of the 115 issues found by the Government Accountability Office have been addressed. Read more here…

Via Daily Mail, ITV ; image: mconnors @morguefile

Absolute and Ponemon Study Shows Employees Undermine Security

Wednesday, January 14th, 2009

Absolute Software and the Ponemon Institute have announced the findings of a new study on the use of encryption on laptops in the corporate environment. The study found that 56% of US business managers disable laptop encryption, which increases the risk of data and identity theft. The study was also conducted for the UK and Canadian markets, with very similar results.

The study was conducted in order to understand employees’ perceptions of how information entrusted to their care should be managed. This includes using encryption, choosing strong passwords, and keeping their laptop physically safe when traveling. The study unearthed a number of troubling issues, including a perception among employees that encryption makes other security measures unnecessary. IT security professionals were the most careful in following precautionary steps to safeguard data on their laptops, but non-IT employees were not as careful (with 56% turning off encryption).

92% of IT security professionals indicate that a laptop has been lost or stolen in their organization, and 71% report that it resulted in a data breach. In the event of a theft, companies relying solely on encryption cannot be sure whether all stored data on a laptop was encrypted, whether it has been compromised, or which files have been accessed by thieves. To address the risks that encryption alone cannot cover, companies can employ a security solution that can locate a stolen or lost laptop, detect which data has been accessed, and remotely delete sensitive data. Such a solution, like Absolute’s Computrace, does not depend on the diligent behavior of corporate employees.

“The data suggests that, because of user behavior, encryption alone is not enough to protect mobile devices and the sensitive data stored on them. These statistics are especially disconcerting when combined with our recent studies demonstrating that lost or stolen laptops are the number one cause of data loss, with 3 out of 4 companies experiencing a data breach when a laptop has been lost or stolen.” - Dr. Larry Ponemon, chairman and founder of The Ponemon Institute

“The Human Factor in Laptop Encryption: U.S. Study” key findings:

  • 92% of IT security practitioners report that someone in their organization has had a laptop lost or stolen and 71% report that it resulted in a data breach;
  • 56% of business managers have disengaged their laptop’s encryption;
  • Only 45% of IT security practitioners report that their organization was able to prove the contents of missing laptops were encrypted;
  • Only 52% of business managers – employees most likely to have access to the most sensitive data (personally identifiable information and/or intellectual property) – have employer-provided encryption;
  • 57% of business managers either keep a written record of their encryption password, or share it with others in case they forget it;
  • 61% of business managers share their passwords, compared to only 4% of IT managers; and,
  • Business managers are much more likely than IT security practitioners to believe encryption makes it unnecessary to use other security measures for laptop protection.

The survey breaks down the types of encryption solutions used to protect data assets, from whole-disk encryption to thumb-drive encryption. The same questions were asked of IT professionals and non-IT professionals (business managers), who showed differing perceptions of security practices. A preview of one of the data segments from the survey appears as a chart in the original post.

To receive a full copy of the study on the Human Factor in Laptop Encryption, for the US, UK and Canadian markets, fill out this form.

2008 Data Breaches up 47%

Tuesday, January 13th, 2009

The Identity Theft Resource Center (ITRC) has released their 2008 breach report showing a 47% increase in data breaches over 2007.

2008 Data Breaches Reported – 656

2007 Data Breaches Reported – 446

Keep in mind the key word in this data: reported. More data breaches go unreported and/or undetected. Even so, the data shows a troubling increase in data security incidents.

Breaking down the data by sector, the proportions are approximately the same as in previous years. The Business sector accounted for 240 breaches, 36.6% of the total. Following behind in terms of incidence are Education (20%), Government (16.8%), Medical (14.8%) and Financial (11.9%). The Government sector was the only one to show a marked decrease in breach incidents over a two-year period, dropping nearly 50% since 2006.

According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. 8.5% used password protection.

Five categories of breach method are tracked: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Insider theft accounted for 15.7% of breaches, more than doubling between 2007 and 2008. Most breaches, 35.2%, were accidental, falling into the ‘data on the move’ and ‘accidental exposure’ categories.

Based on the data collected, 82.3% of breaches were electronic (vs. paper) and at least 35.7 million records were potentially exposed (based on notification letters and other information supplied). Given that one breach alone accounted for 25 million exposed records in 2007, it is likely that, although the number of breaches went up in 2008, the number of records exposed went down.

You can download the ITRC Stats & Reports here.

Fun read: Ever wonder what a month of spam looks like? Crazy, isn’t it, that one person can receive so much spam!

Twitter Faces Security Challenges

Monday, January 12th, 2009

Following the publicized hacks of ‘big’ accounts (Britney Spears, Barack Obama, Fox News) on the social networking site Twitter, Sophos is calling on Twitter to enforce stronger password security (though, really, every company should enforce strong password standards for its users).

An 18-year-old with a history of celebrity pranks has admitted to hacking several high-profile Twitter accounts. The hacker, known as GMZ, says he used an automated password guesser to run a “brute force” attack against one Twitter user’s password. Because Twitter allowed an unlimited number of login attempts, with no lockout or rate limiting, the attack was easy. The password turned out to be “happiness”, a dictionary word and a very weak password.
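The two failures described above, a guessable password and no limit on login attempts, are easy to reproduce and easy to fix. The following is an added example, not code from Twitter or from the original post: a toy login service that can run with unlimited attempts or with a per-account failure limit, and a guesser that walks a short word list against it. The account name, the passwords, the word list, the failure limit of three and the 900-second lockout are all constructed for the example.

```python
"""Added example: brute-force guessing against a login with unlimited attempts,
and the same guesser stopped by a per-account failure limit. Not Twitter's code;
all users, passwords, thresholds and the word list are constructed."""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

def _hash(password: str, salt: bytes) -> bytes:
    # Hashing is incidental here; the point of the example is attempt accounting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class LoginService:
    """Password check with an optional per-account failure limit.
    max_failures=None reproduces the 'unlimited attempts' behaviour."""

    def __init__(self, max_failures: Optional[int] = None, lockout_seconds: float = 900.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(password, salt))

    def login(self, name: str, password: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if self._locked_until.get(name, 0.0) > now:
            return "locked"
        record = self._users.get(name)
        if record is None:
            # Unknown account takes the same path as a bad password, so the
            # response does not reveal which usernames exist.
            return self._fail(name, now)
        salt, expected = record
        if hmac.compare_digest(_hash(password, salt), expected):
            self._failures.pop(name, None)
            return "ok"
        return self._fail(name, now)

    def _fail(self, name: str, now: float) -> str:
        self._failures[name] = self._failures.get(name, 0) + 1
        if self.max_failures is not None and self._failures[name] >= self.max_failures:
            # Lock the account for a while and reset the counter for the next window.
            self._locked_until[name] = now + self.lockout_seconds
            self._failures[name] = 0
        return "denied"

# Constructed word list. A real guesser uses millions of entries, which is
# exactly what an unlimited number of login attempts invites.
WORDLIST: List[str] = ["password", "letmein", "123456", "qwerty", "happiness", "twitter"]

def guess_password(svc: LoginService, user: str, words: List[str]) -> Optional[str]:
    """Tries each word once in order; gives up as soon as the account locks."""
    for word in words:
        result = svc.login(user, word)
        if result == "ok":
            return word
        if result == "locked":
            return None
    return None

if __name__ == "__main__":
    open_svc = LoginService(max_failures=None)          # unlimited attempts
    open_svc.add_user("staffer", "happiness")
    print(guess_password(open_svc, "staffer", WORDLIST))  # happiness

    limited = LoginService(max_failures=3)              # lock after 3 failures
    limited.add_user("staffer", "happiness")
    print(guess_password(limited, "staffer", WORDLIST))   # None: locked first
```

A lockout alone is not the whole answer, since an attacker can use it to lock legitimate users out, so production systems usually combine a per-account counter with per-source rate limiting and a CAPTCHA or second factor after a few failures. The weak password still matters: with a limit of three attempts, “happiness” survives only because it is not in the first three guesses.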

Although he didn’t realize it at first, the account belonged to a Twitter staffer, and that gave him the ability to reset the password on any Twitter account. For fun, he asked other hackers whether they wanted access to any Twitter account, and he posted a video of his hack.

GMZ then fulfilled requests for access to several high-profile accounts, including Barack Obama’s and Britney Spears’. Those accounts were hijacked and used to send fake messages, as demonstrated here. GMZ was inside Twitter for a couple of hours before his access was blocked.

Twitter says they are doing a full security review and are already at work to strengthen the sign-in process. This security issue came immediately on the heels of a Twitter phishing scam.

This piece of news has prompted Bruce Schneier to write a great article reminding us that technology is only part of the solution to security issues. The article talks mostly about the threats of impersonation, not web security, but it’s a great read.

BTW, if you are a Twitter user, you can follow Absolute Software news at: twitter.com/absolutecorp.

Absolute Software Success Stories

Wednesday, January 7th, 2009

Absolute Software has just revealed three behind-the-scenes laptop theft experiences by customers of LoJack for Laptops, its consumer laptop theft protection solution.

The three success stories include:

  1. The Yom Kippur Burglaries: Jeffrey’s Laptop Theft Story – A laptop, among other possessions, was discovered stolen after a weekend away. Jeffrey was a victim of a string of break-ins over the holidays. Jeffrey’s laptop was recovered and 4 arrests made!
  2. I Bought It From ‘Some Guy’: Niyonu’s Laptop Theft Story – LoJack helped trace a stolen computer to a computer repair store. Not only was the laptop recovered, but investigators now have more information in their burglary investigation.
  3. Dorm Room Rip-Off: Stefanie’s Laptop Theft Story – This story tells of a computer stolen from a dorm at Delaware State University and transported to New Jersey. Three arrests were made and the laptop recovered.

Here’s a quote from Jeffrey Alexander, the customer whose theft is featured in the first story:

“After thieves broke into my home and made off with my laptop, I really never expected to see it again, let alone catch the criminals who had it. I wasn’t aware at the time, but as soon as I reported the theft to my local police and Absolute’s Theft Recovery Team, an amazing investigation began. Not even four full days after I reported the theft, Absolute’s technology had led police to the home of an alleged thief where my laptop was recovered – along with four other laptops, a large quantity of drugs and cash. Not only did I get my laptop back, the investigation also resulted in four arrests! I can’t really imagine a better result.”

Learn, in each case, how the Absolute Theft Recovery team was able to work with investigators to recover the stolen laptops. In each story, the Recovery Team provides some commentary on the case and how Absolute Software can help you in similar situations.

You can read the rest of the details of these stories from the press release on Yahoo. Then head over to learn more about how LoJack for Laptops can work for you.

Also, if you’re going to be in San Francisco for MacWorld or Las Vegas for CES, come stop by the Absolute booths!!

Meet Absolute at MacWorld Expo

Location: Moscone Center, San Francisco
Booth: 325
Dates: Tuesday – Friday, January 6 – 9, 2009
Time: 10:00 am – 6:00 pm

Meet Absolute at CES

Location: Las Vegas Convention Center
Booth: 36808, South Hall
Dates: Thursday – Sunday, January

Security News Roundup

Friday, January 2nd, 2009

There have been a number of great news items in the security field in the past couple of weeks. So, this post will share some that I found particularly interesting or useful.

The Center for Strategic & International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency has released its final report, “Securing Cyberspace for the 44th Presidency.” The report stresses the importance of cybersecurity as a national security issue, that privacy and civil liberties should be reflected in cybersecurity policy, and that a national security strategy is necessary.

Control Risks has released its annual RiskMap report for 2009. The RiskMap provides an assessment of global and regional political and security risks that businesses are likely to face in the upcoming year. Read more about that here and here.

Roger Grimes at InfoWorld sets out the two primary things you need to know in order to secure your home computer (or home business computer). Although he talks about anti-virus programs, his two main pieces of advice involve being smart (don’t download it if you don’t trust it) and to patch your system regularly – he does recommend the commercial version of Secunia’s Software Inspector for this. Keep reading here.

There’s an interesting article by Tom Olzak at Tech Republic asking whether state and federal breach notification mandates are unreasonable. I’ve always been a huge proponent of national legislation as key; I believe consumers need to be informed of breaches in order to mitigate their risk and decide which companies to trust. Tom agrees with this, and argues against statements to the contrary made by Chris Wolf, an attorney and head of the privacy and security group at the Proskauer Rose law firm in Washington, D.C. You can read the article here.

Also an interesting read from InformIT: an article entitled “Software [In]security: Software Security Top 10 Surprises”.

Have you found any security reports or news to be an interesting read of late? If so, do share the link in the comments!

Image anitapatterson @morguefile

Intel Reviews Computrace

Friday, January 2nd, 2009

Chris Hubbard over at Intel posted a review of Computrace by Absolute Software earlier this month. The review came on the heels of the announcement that Absolute Software’s Computrace would be built in at the hardware level of select Lenovo ThinkPad T400 notebooks, the first notebooks to ship with support for Intel’s Anti-Theft PC Protection and Computrace built right in.

Chris’ review of the product is quite thorough, from the “quick and painless” installation to how the product works. As Chris describes:

“When using Computrace, once a day your laptop will use the available internet connection to phone home to the Computrace servers on the internet. Under normal circumstances, the laptop will receive an “all clear” signal from the servers and disconnect until the following day. All this happens silently in the background without user intervention.”

Chris goes on to describe the process that is initiated once a laptop is marked as lost or stolen. When that laptop next reports in, a sequence of pre-determined actions takes place. Depending on what the owner has chosen, that could include deleting sensitive data from the hard drive, tracking down the laptop, and/or preventing the laptop from booting at all.

“When paired with disk encryption, this is a powerful countermeasure to laptop theft. If the data is protected by encryption and the notebook is unusable because of the Intel Anti-theft technology, the laptop effectively has no value to anyone. With the LoJack capability, a stolen laptop actually becomes a liability since it could be telling the local authorities where the stolen laptop is.”

Chris continued to test the product using a variety of scenarios, such as reporting it stolen, having it phone home, and entering incorrect passwords. As Chris concludes, these strong countermeasures should make the Lenovo T400 laptop series quite unattractive to most thieves. You can read more about his review here and can sign up to view a demo of Computrace here.
