Dangerous Internet Celebrities

While the title of this week’s blog may have you thinking about some of the antics seen on reality TV or a recent episode of Jersey Shore, the real purpose of this post is to highlight the danger of some web searches.


McAfee has just released its fourth annual report of the most dangerous celebrities for Internet searches.  Number one on the list is Cameron Diaz; she replaced last year’s #1 choice, Jessica Biel.  In some searches, there can be a 10% or greater chance of clicking on a malicious site.

Such reports highlight the importance of practicing some discretion when doing searches and always making sure your computer is fully patched and your antivirus is up to date.   You might also consider using an alternative browser such as Google Chrome.  While these items may not offer 100 percent protection, they can reduce your chance of becoming infected.

From Michael Gregg

image from user dlritter on rgbstock.com

Standards for Network Access Control

2010 is shaping up to be a year that continues to emphasize the need for security.  One potential solution that has been promoted for several years is network access control (NAC).  NAC has come about as a response to the increased need for security by large and small organizations.  If you’ve been considering NAC, there are several ways to deploy this security solution.  These include infrastructure-based NAC, endpoint-based NAC, and hardware-based NAC.


One key issue that has held back NAC has been multi-vendor interoperability and standards. Regardless of which implementation you’re considering, you’ll want to note the new IETF standards for NAC known as Network Endpoint Assessment (NEA). The NEA working group is setting standards at the three layers of the architecture: the Posture Attribute protocol (PA), the Posture Broker protocol (PB), and the Posture Transport protocol (PT).

These standards will allow different vendors to approach NAC while maintaining interoperability. Standardization is also a good move for the industry as it will help provide tools for network professionals to use as they guard their critical assets.  You can read more about the standards here.

From Michael Gregg

Image from Abyla at rgbstock.com

Identity Theft a Serious Problem

While the victims of identity theft continue to see the loss of their identity as a serious problem, a report from the Office of the Inspector has found that the government is falling short. Despite a few high-profile prosecutions, the report found that while the number of victims of identity theft has risen, the total number of prosecutions has actually fallen.
Although an Identity Theft Task Force was created back in 2007, the report found that “DOJ did not assign any person or office with the responsibility to coordinate DOJ’s efforts to combat identity theft.”

We can only hope that the government takes a much harder look at identity theft and the rising wave of Internet-based crime.  Identity theft is one of the fastest growing crimes and is a serious problem for everyone.  Until the government steps up its response to the crimes, the real work is on the end-user to do everything they can to protect their personal identity. Identity theft can net criminals thousands of dollars in a very short period, and the lure of quick cash means this problem will continue to grow until addressed.


From Michael Gregg

ATM Hacking

While the prospect of free money would get anyone excited, the demonstration at BlackHat on how to hack ATM machines may have many feeling overdrawn.  The presentation demonstrated how simple software designed to exploit a security hole in the authentication mechanism used to update the firmware on automated teller machines (ATMs) could make an ATM dispense cash on demand.

This particular attack requires physical access and the ability to load code onto the ATM. While this may sound daunting, many ATMs are protected by a master key that can be easily purchased on the web.  The key gives an attacker access to USB slots.  The presenter, Barnaby Jack, stated that ATM makers offer upgrade options on physical locks or a unique key for each ATM.

What such demonstrations prove is that all code is vulnerable. While security professionals spend most of their time securing common operating systems such as those from Microsoft, there are other threats on the horizon.  ATMs, SCADA infrastructure, and other types of automated equipment can also be targeted for attack.

From Michael Gregg


Quotable: City of Los Angeles

“Further, the Los Angeles Police Department indicated that several security issues have yet to be resolved, and that a pilot of its technical support staff must be successfully completed before it can be expanded to the rest of the LAPD.”

Source: Inter-departmental correspondence from the City of Los Angeles on results of a pilot program with Google’s email and collaboration system. They hoped to replace their current system with the cloud-based service from Google. Read ChannelWeb’s analysis of the issue here.


CompTIA Continuing Education Policy

For those who don’t know, CompTIA will retire their “lifetime certification” policy at the end of this year. For everyone who is certified before December 31, 2010, the credential is good for life. Starting January 1, 2011, however, any new certification holders will have to renew their credentials every three years.

CompTIA has now posted information on how new members (those certified after 1/1/11) can renew their credentials. Certification holders will enroll in a continuing education program that provides CEU credits, with the following credits required in every three-year period:

CompTIA A+: 20 CEUs in three years

CompTIA Network+: 30 CEUs in three years

CompTIA Security+: 30 CEUs in three years

Credits can be earned through myriad activities including lecturing or presenting, attending industry events, publishing relevant content, and taking a training course that uses CompTIA CAQC-approved material.

I believe some of this information is still in the “proposal” stage, so it may change before the policy changes begin. You can read more on the CompTIA web site here, where they’ve posted a Q&A resource center.

If I were contemplating getting certified in A+, Network+, or Security+, I would want to do so before the end of the year so that I wouldn’t have to worry about expiration dates or CEU fulfillment. But that’s just my humble opinion.

How do you feel about CompTIA’s new policy?

CompTIA logo is a registered trademark of CompTIA.


NPR Report Warns of Cyberdefense Shortage

One of my favorite radio stations, NPR, had a discussion this morning on a topic very near and dear to this blog. It centered on this country’s vulnerability to cyberattacks and lack of an adequate defense system.

Partly to blame is a shortage of computer security specialists and engineers who have the skills and knowledge needed to defend against “cyberwarriors.” James Gosler, who worked at the CIA, the National Security Agency and the Energy Department, estimates that there are only 1,000 or so people in the United States who have the skills necessary to meet our computer security needs. To put that number into perspective, Gosler estimates we need around 20,000-30,000 of these workers.

Quite a deficit, no?

According to the Center for Strategic and International Studies, there is a shortage of people who can “design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.”

A country that is not having this problem is China. In China, according to the NPR story, training computer experts is a national priority. In fact, at the most recent International Collegiate Programming Contest, 4 of the top 10 places were held by Chinese universities. American universities took none.

In response, a group of congress members is pushing a project to find up to 10,000 potential cyberdefense experts via a national talent search that starts at the high school level.

What do you think? Are we really leaving ourselves that vulnerable to attack? Could we ever have enough manpower to effectively defend ourselves from hackers and other cybercriminals?

Read the article here, or you can listen to the podcast.

Logo: National Public Radio; npr.org

Cyber Espionage Event

Join us tomorrow at the SC World Virtual Symposium on Cyberespionage.  This free event features speakers from the Council on Foreign Relations, Team Cymru, and Novell. Be sure to stop by our booth on the exhibitor floor, along with Blue Coat, Cisco, McAfee, and many others!

The conference starts at 2, and you can join right from your computer! Click here to register.

The agenda for the day is as follows (all times are set in ET):

2:00 p.m. – 2:10 p.m.
Explore the floor: Chat with top IT security vendors

2:10 p.m. – 2:35 p.m.
Counter Cyber Espionage: A Strategic Approach to Defend Your Organization

2:35 p.m. – 2:45 p.m.
Explore the floor: Chat with top IT security vendors

2:45 p.m. – 3:10 p.m.
Redefining the IT Enterprise: Cyber Espionage on Physical, Virtual & Cloud Computing

3:10 p.m. – 3:20 p.m.
Explore the floor: Chat with top IT security vendors

3:20 p.m. – 4:00 p.m.
Malware: The Next Wave The need for layered security to protect against threats

4:00 p.m. – 4:10 p.m.
Explore the floor: Chat with top IT security vendors

4:10 p.m. – 4:55 p.m.
Keynote address

4:55 p.m. – 5:30 p.m.
Explore the floor: Chat with top IT security vendors

Can You Crack the Code?

The logo for the new US Cyber Command contains more than meets the eye. At first glance, it looks just like any other logo might, but further inspection reveals a secret code. (No, this is not the plot for a new Dan Brown novel.)

The gold band in the middle holds a series of numbers and letters that the Command acknowledges is a code of some sort, but no one seems to know what it means. The sequence is 9ec4c12949a4f31474f299058ce2b22a. Notes that explain the logo say it is a “computer code that ties the command back to the early days of computer networking; USCYBERCOM’s mission statement is encrypted within this code.”

The Command spokesman believes the code is the output of a cryptographic algorithm called an MD5 hash, which converts all or part of the Command’s mission statement into a string of characters.

Wired’s Danger Room blog is offering a free T-shirt or a ticket to the International Spy Museum to the first person who cracks the code. Anyone care to give it a shot?
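
A hash is one-way, so "cracking" a code like this means guessing the exact input bytes and comparing digests. The following added example (not part of the original post and not from the Command) checks a candidate text against a 32-character MD5 digest under common whitespace, case, and line-ending variants; the sample sentence and the function names are constructed for illustration.

```python
import hashlib
import re

# Digest quoted on the page from the USCYBERCOM logo.
LOGO_DIGEST = "9ec4c12949a4f31474f299058ce2b22a"

def variants(text):
    """Yield (label, bytes) forms of a candidate that differ only in
    whitespace, case, or line ending. Each one hashes to a different value."""
    collapsed = re.sub(r"\s+", " ", text).strip()
    forms = {
        "as given": text,
        "whitespace collapsed": collapsed,
        "collapsed, no final period": collapsed.rstrip("."),
        "collapsed, lower case": collapsed.lower(),
        "collapsed, upper case": collapsed.upper(),
    }
    for label, form in forms.items():
        for suffix, ending in (("", ""), (" + LF", "\n"), (" + CRLF", "\r\n")):
            yield label + suffix, (form + ending).encode("utf-8")

def find_match(candidate, target_hex):
    """Return the label of the first variant whose MD5 equals target_hex, else None."""
    target = target_hex.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", target):
        raise ValueError("an MD5 digest is 32 hexadecimal characters (128 bits)")
    for label, data in variants(candidate):
        if hashlib.md5(data).hexdigest() == target:
            return label
    return None

# Constructed sample: a made-up sentence, NOT the Command's mission statement.
SAMPLE = "Example Command  plans and\ncoordinates network defense."
# Its digest is computed here from the normalized form a publisher might have hashed.
SAMPLE_DIGEST = hashlib.md5(
    b"Example Command plans and coordinates network defense.\n"
).hexdigest()

if __name__ == "__main__":
    # The raw text does not match, but one normalized variant does.
    print(find_match(SAMPLE, SAMPLE_DIGEST))
    # The constructed sentence is not the text behind the logo digest.
    print(find_match(SAMPLE, LOGO_DIGEST))
```

A single extra space or a missing trailing newline changes every character of the digest, which is why a candidate has to be tried in several byte-exact forms before it can be ruled out.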

From the editor


Feds: US at High Risk for Computer Attack

Federal IT pros say the US is at high risk for computer attack.

With all the talk of the cyber security bill that wound its way through Congress, it is interesting to note the findings of the recent Federal Cyber Security Outlook for 2010 survey. This poll found that 74 percent of respondents believe that a network attack on the government’s IT infrastructure is expected in the next year. While there is much to debate with regard to these findings, I think we can agree that there is a need for greater network security in the government realm and in the private sector.


The real question is…where do we start?  With limited funds and budgets tight, every penny spent on IT security must be justified.  One area where good returns can be gained despite limited funds is training and end-user awareness.  Many attacks are now targeting end-users.  Web 2.0 sites and social sites such as Twitter and Facebook have become much bigger targets in the same way that email used to be (not that it isn’t a target anymore).

Here’s where training can reap big returns. Something as simple as a periodic email, newsletter, or a lunchtime event that occurs once a month can be used to inform users of these current threats and the types of attacks to be aware of. This type of training can help users spot trends and techniques used by hackers, which can reduce the effectiveness of social engineering and phishing techniques. Like it or not, security has to become a much bigger part of everyone’s computing experience.  Much like most states require seatbelts while driving in automobiles, safe computing is going to require increased awareness.

Do you provide security training to your end-users?

From Michael Gregg
