
Monday, November 12, 2012

(I) Sophos wins VB100 award for best Anti-Malware contest - Yeah right



I saw this article today on how Sophos Anti-Virus won the "Virus-Bulletin 100 title by detecting 100% of the viruses in Virus Bulletin's "in-the-wild" collection and not having any false alarms."
After I stopped laughing, since it was for Windows Server 2003.... Yes it is 2012, 8 years later; but that's not the funny part.
I was just up in Dallas describing how malware we had been collecting had a whopping 3% detection rate on VirusTotal and that the industry generally accepts Anti-Malware is roughly 60% effective.
Then I saw this from Symantec...

8,000,000 users CAN be and are wrong... Detecting 25% more of 60% or even better 25% more of our 3% which equates to.. Wait for it... 3.75% is still pathetic.
The reality is Anti-Malware does nothing for the real malware that is being targeted towards users and enterprises. The nefarious ne'er-do-wellers craft real malware to evade AV and even know what AV you are running as a part of their payload delivery.
We need a new way to detect malware and we happen to have the tool!
The Sniper Forensics Toolkit
Check it out
Article from Naked Security
Sorry Chet ;-)
#InfoSec #SniperForensicsToolkit

Thursday, September 20, 2012

(W)(I) WTF Microsoft.. really? I mean SERIOUSLY????




I was sitting next to Rafal Los at ConSec 2012 and he showed me the official statement from Microsoft on their latest IE 0-Day.


Microsoft's recommendation? Make sure you keep your Anti-Virus updated.

Seriously?

With ANY flaw like this one that affects all IE versions, the ONLY prudent action to take is DO NOT USE THAT BROWSER UNTIL IT IS FIXED!!!!

The proper response from Microsoft should be "Microsoft is working diligently on the issue and will push out an update as soon as one is available, in the meantime use an alternative browser like FireFox, Chrome or Safari."

Get real Microsoft.. Anti-Virus/Anti-Malware does NOTHING for a flaw in your browser design.

Stoooopid

#InfoSec #Microsoft

Tuesday, July 24, 2012

(W)(I)(E) Why any and all Security Tools WILL fail you




If you are one of the people who believes that implementing one or more security tools will prevent or help protect you from being hacked, think again. First off, an apology to all my colleagues that work for vendors, many of whom I respect, trust and admire.

IPS, IDS, File Integrity, Anti-Malware, Patching solutions, Logging solutions, VPN's, Vulnerability scanners, Pen Testing tools, Code scanners, Mobile Device Management, the list is endless.

All of us in Information Security budget serious dollars to buy all the fancy gizmos, widgets and InfoSec gadgets we are about to see at BlackHat, DefCon and BSides in Las Vegas this week. Not to mention the budget we ask for head count.

So why do security tools fail us? Because we fail to implement them to the best of the tool's total ability, and because of the new owner/user/admin's lack of knowledge of the tool and what it can and CAN'T do. Some tools just can't do what we want.. it's reality.

Most importantly it is the failure of the vendor or person implementing the solution to understand how to apply the "real world of the organization" to the product and tweak it if you will to the unique things the owner will need it for.

Ask the vendors you are considering purchasing a solution from, or more importantly the person that will be implementing your next security solution, this question: "What security incident did you implement this tool for, and what tweaks did you have to make over the default implementation to detect, deter, monitor and alert on the incident so a similar incident would not go undetected?" I think you will be shocked by the response.

I worked for HP for many years and implemented many products and yet I was also guilty of the "it's an engagement, installed, working, doing stuff... I'm done, bill the client, next" mentality of a vendor and consultant. Some engagements went on long enough we did some real good, most I left wondering what would happen with the solution or effort we put forth, would it last or is it just to pass compliance at that moment? cough cough.. PCI.. cough.. SOX... cough....

What is lacking in every single security tool is critical thinking and practical real world application of the tool to a real world incident or event specific to YOUR environment.

The default installation of a File Integrity solution will NOT catch a piece of malware being placed on your systems in many directories. Why? Because many directories like Windows and their sub-directories are noisy and would generate alerts up the wazoo, making the tool noisy and worthless to many. You may find it in the forensics folder, but how does one review hundreds or thousands of forensic folders? How can you tell a patch from malware when they are named the same? Where would a hacker place their Malware anyway? Windows? System32? SysWOW64? ProgramData? Local? LocalLow? Temp? bin? etc?
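One way to watch the noisy directories without drowning in alerts, as an added example that is not from the original post or any File Integrity product: hash only file types that can carry code, compare against a baseline, and mark a change as approved only when its hash matches a patch payload you hashed before rollout. The extension list, directory names and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Assumed watch list for this example: extensions that can carry code on
# Windows. Filtering on them keeps log and temp churn out of the report.
WATCHED_EXTS = {".exe", ".dll", ".sys", ".scr", ".bat", ".ps1", ".vbs"}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(roots, exts=WATCHED_EXTS):
    """Map every watched file under the given roots to its SHA-256."""
    state = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() in exts:
                    full = os.path.join(dirpath, name)
                    state[full] = sha256_file(full)
    return state


def compare(baseline, current, approved_hashes=frozenset()):
    """Return (kind, path) findings.

    A file that kept its name but changed content is CHANGED. It is only
    CHANGED-APPROVED when the new hash is one recorded from a known patch,
    which is how a same-named replacement is told apart from a patch.
    """
    findings = []
    for path in sorted(current):
        if path not in baseline:
            kind = "NEW"
        elif baseline[path] != current[path]:
            kind = "CHANGED"
        else:
            continue
        if current[path] in approved_hashes:
            kind += "-APPROVED"
        findings.append((kind, path))
    findings += [("REMOVED", p) for p in sorted(set(baseline) - set(current))]
    return findings


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed tree standing in for System32 and Temp."""
    with tempfile.TemporaryDirectory() as top:
        sys32 = os.path.join(top, "System32")
        temp = os.path.join(top, "Temp")
        os.makedirs(sys32)
        os.makedirs(temp)
        _write(os.path.join(sys32, "service.exe"), b"original build")
        _write(os.path.join(sys32, "helper.dll"), b"original helper")
        _write(os.path.join(temp, "install.log"), b"noise")
        baseline = snapshot([sys32, temp])

        # Patch day: the payload was hashed before it was deployed.
        patch_payload = b"vendor patched helper"
        approved = {hashlib.sha256(patch_payload).hexdigest()}
        _write(os.path.join(sys32, "helper.dll"), patch_payload)
        # Same name, content that matches no approved patch.
        _write(os.path.join(sys32, "service.exe"), b"not the vendor build")
        # New executable in Temp, plus ordinary log churn (not watched).
        _write(os.path.join(temp, "update.exe"), b"dropped file")
        _write(os.path.join(temp, "install.log"), b"more noise")

        current = snapshot([sys32, temp])
        return [(kind, os.path.relpath(path, top))
                for kind, path in compare(baseline, current, approved)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
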

Have you tweaked your IPS and the alerts to detect real SA, Admin, root failures that differ from the pattern of an Administrator or does your solution just log it as an event? What about your logging solution? If you do not have a logging solution today, you should! In fact it should be the #1 item in your budget !!! Send your syslogs, Event logs and YES, even workstation logs to a central log server. If you have a log solution have you created reports and alerts to known conditions that are bad? Do you know what is normal behavior of administrators so you even know what is suspicious activity? If you are not a log management fan.. talk to me and I will change your mind, or at least make you think seriously about the subject.
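The kind of report-and-alert logic asked for above, as an added example that is not from the original post or any logging product: learn what normal looks like for each admin account from past successful logins, then alert only on admin events that break that pattern. The log format, account names, addresses and thresholds are all constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for this example: which accounts count as privileged, and
# what counts as a burst of failures.
ADMIN_ACCOUNTS = {"administrator", "root", "sa", "admin_jane"}
BURST_COUNT = 3
BURST_WINDOW = timedelta(minutes=5)

# Constructed sample: last week's central log (learning window).
BASELINE_LOG = [
    "2012-07-16T08:55:02 host=dc01 user=admin_jane src=10.1.1.20 result=success",
    "2012-07-17T09:10:40 host=dc01 user=admin_jane src=10.1.1.20 result=success",
    "2012-07-18T14:05:13 host=db01 user=sa src=10.1.2.5 result=success",
]

# Constructed sample: today's events, in time order.
TODAY_LOG = [
    "2012-07-23T02:14:05 host=dc01 user=Administrator src=10.9.8.7 result=failure",
    "2012-07-23T02:14:09 host=dc01 user=Administrator src=10.9.8.7 result=failure",
    "2012-07-23T02:14:15 host=dc01 user=Administrator src=10.9.8.7 result=failure",
    "2012-07-23T02:14:31 host=dc01 user=Administrator src=10.9.8.7 result=success",
    "2012-07-23T09:02:11 host=dc01 user=admin_jane src=10.1.1.20 result=failure",
    "2012-07-23T09:02:30 host=dc01 user=admin_jane src=10.1.1.20 result=success",
    "2012-07-23T09:30:00 host=ws17 user=bob src=10.1.3.3 result=failure",
    "2012-07-23T14:20:00 host=db01 user=sa src=10.1.1.77 result=success",
]


def parse(line):
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    event["user"] = event["user"].lower()
    return event


def build_baseline(lines):
    """Per admin account: sources and hours seen on successful logins."""
    normal = defaultdict(lambda: {"src": set(), "hours": set()})
    for event in map(parse, lines):
        if event["user"] in ADMIN_ACCOUNTS and event["result"] == "success":
            normal[event["user"]]["src"].add(event["src"])
            normal[event["user"]]["hours"].add(event["ts"].hour)
    return normal


def detect(lines, normal):
    """Return alerts for admin events that differ from the learned pattern."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> recent failure times
    for event in map(parse, lines):
        user = event["user"]
        if user not in ADMIN_ACCOUNTS:
            continue
        known = normal.get(user, {"src": set(), "hours": set()})
        reasons = []
        if event["src"] not in known["src"]:
            reasons.append("new-source")
        if event["ts"].hour not in known["hours"]:
            reasons.append("unusual-hour")
        failures = recent_failures[user]
        while failures and event["ts"] - failures[0] > BURST_WINDOW:
            failures.popleft()
        if event["result"] == "failure":
            failures.append(event["ts"])
            if len(failures) >= BURST_COUNT:
                reasons.append("failure-burst")
        else:
            # A success right after a burst deserves more attention than
            # the failures themselves.
            if len(failures) >= BURST_COUNT:
                reasons.append("success-after-burst")
            failures.clear()
        if reasons:
            alerts.append((event["ts"].isoformat(), user, event["src"],
                           event["result"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(TODAY_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

The administrator's own mistyped password at 09:02 from the usual workstation stays a plain logged event; the 02:14 sequence and the `sa` login from a workstation never seen before are what get alerted.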

Everyone has Anti-Malware, does it work ? Sure it goes off for stuff it knows about, but what does it do for REAL PITA (Pain In The Ass) Malware, not the annoying crap that your users catch surfing and opening emails, but the 0-Day, Duqu, Stuxnet, Flame type malware that there are NO signatures for? Does it even have a feature/option to detect nefarious activity by a ne'er-do-weller? What I would ask an Anti-Malware vendor would totally vary from your questions.. trust me.

This is where head count and budget come into play. Do you have people that have experienced, lived or recovered from one or more of the REAL PITA Events that all of the above would have missed in a default installed configuration and had to recover from a PITA event? If not... seek out and hire one or more of us to tweak your security tools to do everything they are capable of that product training and the vendor that installed it unfortunately do not know enough about, nor can they. I left consulting 4 years ago to get more personal ownership and live in the trenches... boy what a learning experience that has been, but I am better for it for sure.

It is these truly experienced folks that were/are on the front lines that have critical thinking skills you want and are after.. they are the only thing that will keep your security tools from failing you when the poop hits the fan. They are not taboo because they were involved with the major incident at XYZ Corp... they are seasoned at a real world incident. If a candidate can convey what they learned and how they could help you improve your security posture, you have struck pay dirt and maybe your security tools won't suck any longer...

Assuming management will budget for the head count and cares ;-)

Find me at BSidesLV or DefCon to discuss.

#InfoSec

Friday, June 29, 2012

(I) Skype Supernodes are dead...Long live thousands of Linux servers hosted by M$




Yup, Microsoft updated Skype in May to do away with the Supernodes concept which had hijacked many a computer to relay Skype info.

Even more interesting is Microsoft is using LINUX servers to be the Supernode servers. Hosted in their many data centers around the world, yes Linux, not Windows.... Have no fear, I am sure Microsoft will port the code to the next version of Windows server.. Just guessing...

The importance of this change means all those people who had their computer hijacked by the Skype Supernode formula and thus suffered performance issues can now fix and avoid the issue by upgrading Skype to the latest version.

In addition corporate users and administrators can relax a bit knowing Supernodes will stop consuming computer CPU when Skype is installed and meets the Skype Supernode criteria and not freak out us InfoSec folks seeing all this traffic on a user's system.

arsTechnica article on the new Skype Supernodes

#InfoSec #Skype

Thursday, June 7, 2012

(I) How you can mitigate the LinkedIn and e-not-so-Harmony breaches -LastPass





Be aware that hackers create scripts to use compromised credentials to attempt logging in to other websites, it is easy to do... Presidential candidate Mitt Romney had his Email account hacked and the hackers tried the same credentials on his Dropbox account and lo and behold they were the same... 2 birds with one stone... Popped and pwned... And WHY password reuse is a bad, VERY bad idea! This occurred with the Gawker hack as well in late 2010.

Use the LastPass LinkedIn tool to see if your account is within the hacked credentials:

LastPass LinkedIn hacked account tool website

While checking my own LastPass vault for any threat due to the LinkedIn breach, I stumbled upon 2 bugs that I worked with LastPass to verify (one that is due to FireFox ver 13 (don't upgrade), the other with their Security Challenge); but I also found a way to use LastPass to check and remediate your credentials when a cloud provider is breached.

First off I am assuming like most users that you indeed use the same 'name@email.com' username and 'password' for multiple websites. It goes without saying you should never use the same password for multiple websites since most usernames these days are your email address, but many people do, so we will roll with it for this example.

I was curious in my own LastPass vault of 170+ logins if I had any username/password combos that matched my LinkedIn credentials or if any were in fact duplicates...

I recalled the LastPass Security Challenge I have blogged about before (found here)

LastPass Security Challenge website

And recalled it showed you sites that had the same password grouped by similar password and it nicely shows you the username for each within a grouping.

So how do you use this to check and remediate?

First: Install and use LastPass of course
Second: Run the LastPass Security Challenge by either selecting the "LastPass icon-Tool-Security Check" or by using this URL:

Third: Once the Challenge completes, scroll down to the 'Sites with similar passwords' area, and there will probably be several since you reuse passwords and you will see all sites with the same password grouped together (the password is NOT visible unless you select 'Show').

Review the list(s) to see if a username (your email) from a site (LinkedIn, eHarmony, Zappos, Gawker, etc.) that was compromised matches other sites where you are using the same password. If you are... Visit the site, change your password (use the LastPass unique generator) and update your vault!

You can quickly go through all similar credentials and change them to hopefully something unique so you don't have this issue in the future when another service you use gets popped, and they will, bet on it!

* NOTE: LastPass ignores case and spaces in the challenge evaluation so some passwords may be grouped as similar when they could be very different. They do this since some sites convert to one case and strip spaces.
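The same check done by hand on an exported login list, as an added example that is not LastPass code or from the original post: group entries by password, then list every site that shares a group with a breached site. The `fold` switch imitates the case-and-space folding described in the note so the difference between "similar" and identical is visible. The vault entries and `.example` sites are constructed.

```python
from collections import defaultdict

# Constructed sample vault; field names are assumptions for this example.
VAULT = [
    {"site": "linkedin.com", "username": "name@email.com", "password": "Summer 2012"},
    {"site": "bank.example", "username": "name@email.com", "password": "Summer 2012"},
    {"site": "dropbox.example", "username": "name@email.com", "password": "summer2012"},
    {"site": "forum.example", "username": "othername", "password": "Summer 2012"},
    {"site": "mail.example", "username": "name@email.com", "password": "x7#Qp!vR2mLz"},
]


def normalize(password):
    """Ignore case and spaces, as the note says the challenge does."""
    return password.replace(" ", "").lower()


def group_by_password(vault, fold=True):
    """Group entries by (optionally folded) password, singletons included."""
    groups = defaultdict(list)
    for entry in vault:
        key = normalize(entry["password"]) if fold else entry["password"]
        groups[key].append(entry)
    return list(groups.values())


def exposed_by_breach(vault, breached_sites, fold=True):
    """Return sorted (site, priority) pairs that need a new password.

    breached          the compromised site itself
    same-credentials  same username and password as at the breached site
    same-password     same password under a different username
    """
    breached = {site.lower() for site in breached_sites}
    to_change = []
    for group in group_by_password(vault, fold):
        hit_users = {e["username"].lower() for e in group
                     if e["site"].lower() in breached}
        if not hit_users:
            continue  # nothing in this group came from a breached site
        for entry in group:
            if entry["site"].lower() in breached:
                priority = "breached"
            elif entry["username"].lower() in hit_users:
                priority = "same-credentials"
            else:
                priority = "same-password"
            to_change.append((entry["site"], priority))
    return sorted(to_change)


if __name__ == "__main__":
    print("folded:", exposed_by_breach(VAULT, ["linkedin.com"], fold=True))
    print("exact: ", exposed_by_breach(VAULT, ["linkedin.com"], fold=False))
```

With folding on, `dropbox.example` lands in the LinkedIn group even though its password differs in case and spacing; with folding off it does not.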

Again, LastPass rocks ! And allows you to quickly remediate any username/password issues you might have after a breach of a Cloud provider you might use!

Want to know if an email address you use has a known password from one of the many breaches? Check it using the following website:

Pwned List website

Put in your email(s) and see if it shows up.. If so, you have a LOT of passwords that need changing.

#InfoSec #LastPass

Wednesday, June 6, 2012

(W) Chase banking users beware !!!



I recently received the following email and informed my Brother-In-Law NOT to take action as banks like Chase would NEVER send a generic email with links that are cryptic... Or would they?


I had my Bro-In-Law go into a local Chase Bank Branch and ask the manager about it and verify it. Turns out the Bank manager also had never seen such an email.
It was a notification from Adeptra Fraud prevention service used by Chase informing my Bro-In-Law that his Debit account (yup.. debit) was used to purchase computer equipment in Honduras of all places and to approve the purchase or report it as fraud.

Really Chase and Adeptra, I mean REALLY ??? WTF !

He did call Chase after my warning and indeed it was fraud and thus a victim of Card Skimming as Brian Krebs writes so much about. His debit card number was skimmed somewhere and thusly used for nefarious charges by Honduran ne'er-do-wellers. He cancelled his card and got a refund very quickly. Remember Debit unlike Credit Cards are linked directly to your Checking account! If you get skimmed you might have an issue paying your mortgage and car payment before your case is resolved and you only have a few days to detect the fraud or the bank might not believe you.

Banks should NEVER send this type of email with links or telephone numbers. Rather they should tell you to call or visit your local branch (a number you should know) and ask to be transferred to the Fraud department, no email, no telephone, just URGENT - CONTACT US!!!

There are lawsuits over Wire Transfer Fraud where affected bank users felt their bank communication methods conditioned them to click on links in emails. This IS and always WILL BE a very BAD practice. Financial and Health organizations should never do this in emails.

Remember these Tips when using your Debit/ATM card.

1. When you use your Debit Card on a device that is outside, a portable ATM or in a bad part of town... bad things can happen.
2. Be careful when you use your Debit Card and NEVER let it leave your sight when used, preferably never let it leave your hand.
3. If you need cash.. Go to a WalMart or Grocery store and buy a pack of gum and get Cash Back. These units are less likely (not impossible) to be modified with skimmers.
4. Contact your financial institution if you ever get an email with links to verify it is REAL.

Brian Krebs BLOG on Skimmers

#InfoSec #Fraud #Skimming

(I) Funny video on what people think about Computer Security




I laughed my pASSword off watching this. Describe Computer Security in one word...

Hilarious... maybe not so much after the LinkedIn breach.

YouTube video on describing Computer Security

#InfoSec

(W) Warning - LinkedIn Hacked ! Change your password NOW




Well, yet another large Cloud service provider has fallen and 6.5 million usernames and passwords have been popped as we say.

If you use the email address and password for your LinkedIn account for other websites... you may be in for some compromised accounts in the near future... Change all web logins you have that are the same email and password as LinkedIn immediately !!!

Graham Cluley from Naked Security gave a nice summary of how to change your LinkedIn password:

Naked Security Blog on Changing LinkedIn password

Why is this a problem ?

Most users of Internet Cloud Services reuse the same password for multiple websites, if not most or all websites. In late 2010 Gawker was popped and their user credential database taken. Providers like Facebook, Twitter, Hotmail, Yahoo, Google, LinkedIn and others locked/reset their users' accounts that were found in the Gawker breached data. Because they know like we do in InfoSec that people reuse passwords across the InterWebbings and these providers did not want a massive user accounts compromise to deal with, so the accounts were locked and/or passwords reset.

Time will tell if the LinkedIn breach results in the same account lockout across the net, it should as those of us with LinkedIn accounts, CLEARLY use all the InterWebbings has to offer.

Want to protect yourself from this type of breach? Use a password manager solution like LastPass. Let LastPass remember your logins and use the Password Generator LastPass offers to create ridiculously good passwords. You now need only remember your master password to gain access to your vault and thus all your logins... and don't forget to add Google Authenticator or YubiKey for 2 factor authentication to further protect your vault from nefarious ne'er-do-wellers. Both solutions are FREE !

LastPass website

More on the LinkedIn breach HERE

More details about the LinkedIn hashes

#InfoSec #LinkedIn #Breach

Thursday, May 24, 2012

(W) House Key in your Smartphone Yikes !!!!







Ever wish your smartphone could open the door to your house? I just watched Shark Tank and this was one of the products. A lock for your home that has the technology (via Bluetooth) when in close proximity can unlock your door when you press a button on the door lock.

We all love gadgets and using your iPhone, Droid or Crackberry to open your house seems like a cool idea.... Or is it?

First question... How many of you have your home address in your phone for a contact card to be used with Bump for example on the iPhone?

Second question... If I steal your phone will you be worried I can unlock your house?

Know this first before you answer... By looking at the lock on your front door, I know you have this type of lock because it has two buttons to lock and unlock the door.

Afraid yet?

Smartphone, DumbApps as Dan Cornell says in one of his many entertaining InfoSec presentations. This application must send a command sequence via Bluetooth to your door lock in a secure manner... What if the developers don't consider that us Security researchers know how to sniff BT traffic? What if they use just a PIN or code to open the lock? Or send it in the clear versus encrypting it, as that adds $$$ to the lock and needs a processor and battery to decrypt it all in the lock? What if they forget to do this?

Afraid yet?

I reviewed a solution similar to this years ago for a large customer service entity looking to add features to their service to break into the home market. The solution is now available by Schlage at Home Depot. What I found with the first gen of this solution was that each code sent to each home over the service, in this case the Internet, was the same code for each house, so I was able to turn on and off the lights that were in the pilot users home... They were not happy this could be done and killed the project... Let's hope Schlage corrected the issues I found...

Now would you use UniKey?

The potential of what could go wrong with this solution is scary, VERY scary!

The reason keyless entry for cars works is the ring of keys doesn't have the license plate and location of the car if you were to find or steal the keys. Your smartphone has your home address in most cases so you know exactly what the key belongs to and where the key fits or works.

Knowing all I would need to gain entry into your home is to steal your phone, or reverse engineer the solution, as we did with the Key Card exploit, there is not much you could do. Worse.. People leave their phones in their cars often to run into a store, go to a movie, hospital and various other businesses or situations like the beach, volleyball, softball, etc. where we leave our phones in our cars so we don't lose them.

And what about kids? How many have lost their phones?

I will be contacting them to share my thoughts and warn the sharks about their investment risk...

Stay tuned.

UniKey website

#InfoSec

Thursday, May 3, 2012

BSidesAustin is over, but BSidesDFW coming Nov 2012




Well, BSidesAustin 2012 is over and it was GREAT! We had 2 days of talks, presentations, discussions and panels. Lots was learned and even a gr33nh0rn elevated to beginner by winning the CTF Badge challenge.

As we collect speaker preso's, pictures and video we will post them on the BSidesTexas website so watch for them.

It was a blast and we look forward to 2013! Watch for announcements in the next few months!!!!

BSidesTexas website

#InfoSec

Thursday, March 22, 2012

(I) 5 more things you probably aren't doing... OK now 11




I just read Roger Grimes' latest InfoWorld Security Advisor blog entry and couldn't agree more with the "5 big security mistakes you're probably making" article. Here are a few more, and I expand on his 5.

1. Security mistake No. 1: Assuming that patching is good enough
2. Security mistake No. 2: Failing to understand what apps are running
3. Security mistake No. 3: Overlooking the anomalies
4. Security mistake No. 4: Neglecting to ride herd on password policy
5. Security mistake No. 5: Failing to educate users about the latest threats

I like where he went with this thread, many organizations still miss the basics, like basic training in the military or practice in sports, the basics must still be done, done well and done well always!

To expand on Roger's post...

1. Patching - Do you really even know what is installed and needs patching ? Start with priorities, if it's Internet facing or a user has Internet access, make these apps a priority to patch. More importantly, make an approved list of software so you can track what you have so you know what to patch, assuming you get or follow alerts and notifications. Can you say 'Google Alerts'...

2. What Apps are running - In the old days we called this baselining. When you build a system, dump what users and applications, services, daemons are on the system so you can compare it to the baseline list when you troubleshoot. Also keep track of which services, apps and daemons need credentials and where these creds are stored so #4 can be maintained. If your system is already deployed, then start with that and identify all the components and get a build document created. Then you have a chance to do #1. Same priority applies, Internet facing systems first and systems with users that access the Internet, high risk, etc.

3. Anomalies - You may be lean and mean in staffing and unless you have a good forensic team, re-imaging systems with anomalies might be your best bet. You WILL get compromised at some point so how fast can you recover, re-image or revert a VM snapshot is key.

4. Passwords - If you don't know where all your user repositories are, you can't enforce policy. Local accounts, services, daemons, apps that attach to other systems, etc. Learn where you have accounts, document them in a matrix and make those passwords long and complex if rotation is not an option or the risk is low and monitor for misuse of these service type accts and please disable login if all they need is to authenticate. And NEVER use the default accounts as these make great nefarious activity detectors.

5. Regular and ongoing education or exposure to real threats that users face needs to be enforced or reminded, often. When you get a good phishing email, print and post it in a public area, rotate them quarterly and fill up a 2x3 Poster Board with real examples. Discuss using Browser plug-ins to help protect the user from themselves. Remind them how Microsoft says being an Admin is bad by posting the studies everyone puts out these days. This is real world info to remind people the Internet IS a scary thing to use with protection. Don't forget to post Brian Krebs research on ATM skimmers and Credit Card fraud with images of the units and screen shots... These are powerful educators.



Now for my $.02 worth...

6. If you couldn't guess, administrative access is my next one. Remove it and do everything you can to get your users into the Standard User model with VM's to run admin tasks or do development, or issue separate systems on a test/lab/Dev network that does not allow email clients or open surfing.

7. Implement re-imaging of user systems on a malware alert or every 2 years. This will accomplish a couple things, one, it will curb user behavior of visiting sites with malware, they know where they were when the AV triggered. Two, reduce the applications that developers and users install at any given time that they 'think' they need (see #6). Reducing your installed application list reduces patching requirements and software inventory lists. And we all know re-imaging is the only real way to clean an infected system. Create a process of when to re-image user systems. Applies to servers too, but only ones that have VM snapshots, but develop DR for the others too. Remember.. You WILL get Pwned at some point.

8. Don't install Java, Adobe, browsers or mail clients on servers, if you must, use plug-ins and only allow security minded admins to use the browser to update the system. NO open surfing on servers, there is no reason, instead surf on a workstation, download what you need, expand the archive so AV can do its thing and copy over to the server. Yeah I know.. "iiiiiiitssss haaarrrrrd"...

9. Apply the same internal processes to cloud apps and servers. Studies have shown that the processes we follow for internal firewalls for example, are not applied to cloud firewalls or security policies leaving cloud systems open to hacking or exploitation attempts. Lack of process I feel is the #1 Cloud risk.

10. Prepare for the BIG ONE, it will happen to you at some point, so how fast can you recover? Or will you be like Stratfor, Sony, Zappos, Gawker, Amazon and Azure and suffer untold reputational damage. Prepare to recover as a part of BCP and DR and yes... Incident Response...DR/BCP lives!

11. And last but not least.. ENCRYPT your user credentials, laptops, desktops and removable drives so you don't end up like the people mentioned in #10.

Roger Grimes Blog Post

#InfoSec #RogerGrimes

(I) Aussie police in Brisbane to War Drive and tell you to secure your WiFi




Yeah... The cops down-unduh will achieve what InfoSec and Geeks have been unable to do.. Tell you to secure your Home or business WiFi..

Good luck with that.

Register article on OZ WiFi cops

#InfoSec #WiFi




Friday, March 2, 2012

(I) Feds crack Colorado woman's password avoiding 5th Amendment fight




The Feds managed to finally crack the pass-phrase of a Colorado woman's laptop that contained potential evidence of her and her husband's involvement in real estate fraud.

For now this puts to rest, delays really, the battle over whether a person can be forced to give up their password to encrypted data that can, may or will lead to self incrimination.

For now, your 5th Amendment rights are intact and your encrypted info safe. This, along with this week's 11th District Appeals court ruling that a user does NOT have to provide their TrueCrypt password, seems to indicate we own our passwords and pass-phrases.

It should be pointed out that the use of poor passwords and pass-phrases WILL lead to discovery given enough time. I guess Ramona should have used a MUCH stronger and longer pass-phrase!


The Register article

#InfoSec #5thAmendment #Encryption

Thursday, February 9, 2012

(C) BSides Austin 2012 - April 12th & 13th

Year 3 of BSides Austin will be taking place in downtown Austin April 12th & 13th at the Hideout Theatre, 617 Congress. It's looking to continue the Eclectic, Weird and Quirky Information Security Con we have come to enjoy... Complete with 'Hackers on a Duck' and 'U can't shut us down Fire Marshall Talks' on Thursday evening with the After Party on Friday night down the street.

 

A FUN and educational time for all InfoSec, Nerds, Developers and geeks of any kind.

Security BSides Austin Wiki page

 

#InfoSec #BSidesTexas #BSidesAustin #SecurityBSides

 

Tuesday, January 24, 2012

(W) Ahhhhhhhhhh ! Your 5th Amendment personal password rights just died




Many of us have been watching the Colorado Court Case where a woman used encryption to protect files on her laptop. She was arrested for bank fraud and as a part of the investigation she refused to give up her password that would produce more evidence of her guilt - thus self incrimination and a violation of her 5th Amendment rights...

US District Judge Robert Blackburn ruled against the defendant.

She is appealing the ruling...

I hope she wins !!! The authorities should build a case without this data or obtain it from a witness or whistleblower, not by being ordered!

Article on CO Judge ruling




#InfoSec #Password #5thAmendment

(I) Expanding on people's passwords - InformationWeek article




Kevin Casey of InformationWeek magazine wrote a bit on "9 Password Security Policies For SMBs" and though mostly OK in the 9, I would add the following to each of the 9 password items mentioned:

1. Password complexity - Should or must be set by GPO or via the OS, Application and Database where available to force policy compliance

2. Password reuse - Can you say LastPass... but really, you can't force users to use unique passwords for each website, but for LastPass users, the LastPass password challenge web page helps to educate the user on the impact. Now you just need to test everyone in your organization once they use it to convince them to change the passwords to be unique wherever possible.

LastPass User Security Challenge

3. Change Passwords regularly - 30 days ? uhh.. if you force a long complex (meaning 12 characters or more, all 4 char sets aA1!) password via GPO, OS, App or DB level... rotation is not necessary.. 90 days is plenty internally and two (2) times per year for Internet accessible Apps (Expense Watch, SalesForce and Marketo do this now). Logging and monitoring Internet facing systems further mitigates this risk as hopefully failed and successful login attempts with some alerting is being performed.

4. Email accounts - If your email is not tied to AD or some forced policy... Use 2-Factor authentication like Google Authenticator for Cloud based Email

5. Restrict App settings - Anything Internet facing should or must have strict password policies enforced or p0wnage will occur. For Mobile devices in the enterprise, use Mobile Device Management to enforce policy on iDevices, Droid and BBerrys.

6. Password wallet - LastPass again - Yeah !! - You CAN have different passwords for each login.. a GREAT thing. Remembers the URL, username and password of your Web based Apps. You can share logins too and create secure notes. Also sync to mobile devices. The only wallet you will ever want or need. Don't forget to use 2-Factor authentication with the FREE Google Authenticator app on your smart device or a YubiKey. I use both !

7. Device Locking - Who doesn't use a ScreenSaver? On all PC's and laptops enable a 5 minute screensaver... OK.. 10 mins at most. Autolock on handhelds and smartphones to 5 mins... seriously! Use GPO or the OS and App settings and a Mobile Device Manager for your phones and smart devices like BoxTone.

8. Jailbreak or rooted devices - I agree, block them from corporate use, too bad for you... get a personal device if you want to do this, but it is not acceptable for corporate devices - period!

9. Exit Apps - It has been shown that not timing out Web/Browser based apps can be tab nabbed or XSS from the user surfing on other sites and thus steal session and cookie info... Short timeouts for Web based user interfaces is a good thing... annoying to login, but a good thing. Don't save username or password info on Mobile Apps... and time them out to 15 mins. A pain I know, but if all I have to guess is your password... bummer for you. Browsers will sandbox this in the future. Look at the way HootSuite terminates your session for an example. I blogged about this app's session timeout here:

Session TimeOut Post

Just some education and things to ponder as you develop and administer your enterprise, SMB or even home systems.

InfoWeek article

#InfoSec #KevinCasey

Friday, January 20, 2012

(I) RSA 2012 Social Security Bloggers Awards nominees - great list




If you are looking for Security Blogs to follow, consider this list of nominees for the RSA 2012 Blogger awards.

Add them to your reader and sync them to your mobile device. I use Early Edition on my iPad synchronized with my Google Reader account for lunch time and evening reading... Simple and educational for you N3wbs, Gr33nhorns or seasoned InfoSec professionals.

RSA 2012 Security Blogger Awards

#InfoSec #RSA2012

Thursday, January 12, 2012

(W) Warning home WiFi users - your router may allow strangers to surf your connection




There has been recent press about the flaw in WiFi Protected Setup (WPS) and the possibility that someone using the newly released tool 'Reaver' and the scanner 'Walsh' can scan your home network, attach to your wireless network and begin having fun and mayhem...

Look up your Wireless Router on the following list to see if you are vulnerable. This list is a work in progress and will be updated as routers are tested.







If you have a vulnerable router, you will need to disable WPS. If you have a vulnerable Linksys router, Cisco has confirmed WPS can NOT be disabled, so you might consider using one of the OpenSource firmware options listed below to replace the vulnerable version. There are more links to other OpenSource firmware at the bottom of the Tomato firmware website.




If you want to play with the tools to validate if your system is vulnerable, here are links to the 'Reaver' tool and LifeHacker website on How-To use the tools.
















#InfoSec

Friday, January 6, 2012

(W) Warning Will Robinson.. Damnit Ramnit steals Facebook passwords

This is yet another reason your Facebook password and any other social password should be unique. The Ramnit worm, when you click on a link to it in a Facebook post, will install and steal your Facebook password; so far it has stolen 45,000 of them.

The password would then be tried against your other accounts on the InterWebbings.. Say your $$$$ Bank...

Like I continue to say, you should have a different unique password for every website you use on the Internet, and so you don't have to remember them, use a password manager like LastPass to remember them for you... It's free unless you want to access your password vault on your mobile device, which will cost you $12 USD per year for a subscription.. Well worth it when you realize someone you know has already had their password or an Internet account compromised.

And DON'T Click on links in Facebook unless you use the WOT plugin for Chrome and FireFox!!!! And for security's sake... Remove administrator rights from your Windows user!!!!





Thursday, January 5, 2012

(I) My Preso on "The BIG ONE" from HouSecCon and BSides DFW - Incident Response




For those interested in Tips on how to prepare yourself and your management for the BIG ONE... Read and watch my presentation on Incident Management preparation from HouSecCon and BSides DFW 2011.

#InfoSec #BSidesDFW #IncidentResponse #HouSecCon

Tuesday, January 3, 2012

Humor that Astronomers and physicists had hanging up...



(W) Warning Android users... Don't install Apps with this right

If you are one of the many Android users, you see the permission screen when installing Apps...

You should really pay attention to it as Android Apps can come from anyone, written anywhere, contain and do anything if you just install it and don't pay attention to what you are allowing...

So what's wrong with these permissions?


(W) Subway POS hacked and card numbers stolen


Subway and the Feds found an elaborate hacking scheme that stole the credit and debit card numbers of customers between 2008 and possibly thru 2011. 80,000 card numbers were compromised at over 150 Subway shops.

Why? Because clearly Subway did not understand putting a Point of Sale (POS) on the InterWebbings is a bad thing... A REALLY bad and Stooopid thing. They should have scanned the IPs of the stores to verify things were properly configured. Like my Cardkey system split, anything Internet facing needs to be thoroughly scanned and checked for vulnerabilities.

A Romanian hacker ring ran up over $3 million USD in fraudulent charges on the stolen cards.

So check your statements if you frequent Subway...