The UNIX and Linux Forums - IT Security RSS

The UNIX and Linux Forums - IT Security RSS http://www.unix.com/ en Sat, 21 Nov 2009 00:35:39 GMT vBulletin 5 http://solaris.unix.com/images/misc/rss.jpg The UNIX and Linux Forums - IT Security RSS http://www.unix.com/ They call it Cyber Monday (but Tuesday’s just as bad)* http://www.unix.com/security-rss/124208-they-call-cyber-monday-but-tuesday-s-just-bad-new-post.html Fri, 20 Nov 2009 00:00:04 GMT In the US, the holiday season is approaching fast, with Thanksgiving a week away on 26th November. I guess most of us outside the US are aware of Thanksgiving if we work with Americans, since almost the entire country closes down on the 4th Thursday in November. (Apologies to the Canadians in the audience, who had their own Thanksgiving celebration back in October.)

However, fewer people outside the US will be aware of Black Friday (the day after Thanksgiving) and Cyber Monday (the following Monday – that’s the 30th November this year) unless they’re in global retail. Black Friday isn’t officially a holiday, but it’s taken to be the start of the Christmas shopping season because many people do get given the day off, and many big retail organizations go the extra mile with extended opening hours, in order to give customers the incentive to start spending.

Cyber Monday is, reputedly, the best day on which to get good deals for on-line customers. In fact, the identification of single days over this period with peaks in sales is flawed, and a recent article by Josh Smith suggests that “the deals are better” on Black Friday.

Nonetheless, retailers on- and offline make a big deal of Cyber Monday with one day sales and specials, as innumerable “Cyber Monday” retail sites bear witness – just try googling the term and see how many hits you get! Rather like the January sales in the UK, I guess, so it does represent an opportunity for bargains, as well as for retailers to unload substandard or obsolete goods. However, it also offers scammers of all persuasions the opportunity for some social engineering.

There is usually a spike in emails using social engineering to lure around public holidays like July 4th, “Hallmark holidays” like St. Valentine’s Day, topical events like disasters, anniversaries, and incidents related to celebrities, and even sheer works of fiction like “Paris Hilton strangled my budgie” or “Martians land in Manhattan”. For example, ESET saw an amazing spike in the numbers of malware samples received on the 4th and 5th July this year: 43% and 25% more respectively than the average for June. (The figures may even be skewed slightly by the fact that some July 4th malware was sent out prematurely because anti-malware companies spotted social engineering trends ahead of time: otherwise, there might have been more infections.)

Cyber Monday isn’t qualitatively very similar to 4th July (I’m pretty sure most people won’t exchange greetings cards on 30th November, and it certainly doesn’t have the emotional and patriotic pull of Independence Day), so we haven’t seen noticeable spikes in malware around Black Friday and Cyber Monday in previous years.

However, cybercriminals are not fussy about what hook they hang their social engineering on, and even a retail event provides extra leverage for psychological manipulation based on the victim’s urge to get a bargain. So my colleague Randy Abrams has listed some generic safety tips on the ESET blog,while I notice that Josh Smith has also followed up on his earlier post with some safety tips.

*Apologies to the late, great T-Bone Walker: http://en.wikipedia.org/wiki/Call_It...Is_Just_as_Bad)

David Harley CISSP FBCS CITP
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://avien.net/blog
httph://blogs.securiteam.corm
http://dharley.wordpress.com/

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/124208-they-call-cyber-monday-but-tuesday-s-just-bad.html SecLists Archive http://www.unix.com/security-rss/124207-seclists-archive-new-post.html Fri, 20 Nov 2009 00:00:04 GMT The SecLists.Org Security Mailing List Archive collects and archives a number of security related mailing lists, although it concentrates on those dealing with networking and exploits. It also provides a portal to the lists themselves, so it's a valuable resource for those looking for lists. (Check out Funsec and RISKS.)

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/124207-seclists-archive.html Data sanitization http://www.unix.com/security-rss/124029-data-sanitization-new-post.html Wed, 18 Nov 2009 09:00:05 GMT This article is originally from the IEEE Security and Privacy magazine, circa 2003. As such, some of the programs noted are out of date or obsolete. However, a number are still available and in use, and the basic concepts outlined are still valuable.

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/124029-data-sanitization.html DataLossDB http://www.unix.com/security-rss/124028-datalossdb-new-post.html Wed, 18 Nov 2009 09:00:05 GMT The Open Security Foundation's (OSF) DataLossDB project is an interesting resource for information about data and confidentiality breaches. At a glance, it gives you news, latest breaches, a timeline of breach numbers, a "top ten" list, and other references you can use in security awareness materials, or for risk analysis.

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/124028-datalossdb.html Pig hackers http://www.unix.com/security-rss/123931-pig-hackers-new-post.html Tue, 17 Nov 2009 08:30:04 GMT Amusing video from the BBC. A report on pigs managing to figure out how to get more food from an automated control system. If even pigs can (accidentally) figure out how to defeat access controls, what do you have to do to prevent determined attackers?

(Actually, pigs are pretty clever critters ...)

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/123931-pig-hackers.html Botnets? Not a problem... http://www.unix.com/security-rss/123882-botnets-not-problem-new-post.html Mon, 16 Nov 2009 20:17:13 GMT An article in PC Pro by Asavin Wattanajantra quotes Dr Steve Marsh, who is deputy director at the Office of Cyber Security in the Cabinet Office, as saying (in respect of EU policy on protecting Europe from cyber attack, whatever you may understand by that term) that:

"the main focus of botnets would be to target and extort money from private companies, rather than bring down public sector networks [and] .... in a sense [it is] not in their interest to bring down infrastructure which is earning them money."

This isn't a million miles away from something I was saying early in 2009, when there was a great deal of speculation in the media about what would happen when and if the Conficker worm went active on April 1st. Much of that speculation centred around the possibility that the Conficker botnet would launch a major attack on the Internet infrastructure. The point I made several times in blogs at ESETand elsewhere at that time was that it wouldn't make sense for the botmasters to switch straight into such an attack, since it would make it harder in the longer term to make use of the kind of concerted attack that botnets do so well (click fraud, DDoS and so on).

Nevertheless, Dr. Marsh's statement, if quoted correctly, is, at least in the context of that article, somewhat misleading. (As Gadi Evron pointed out at some length in a typically insightful article at Dark Reading.) Assaults on the infrastructure of the Internet are one thing. (They're by no means out of the question, by the way: my point about Conficker was that most known criminal botnets are about commercial gain, and it wouldn't be in the interests of the botmaster to compromise the effectiveness of his network. However, the same is by no means necessarily true of other groups.)

Attacks on government infrastructures are another matter. I certainly don't wish to raise the spectre of (sigh...) cyberwarfare and all that FUD (Fear, Uncertainty, Doubt) unnecessarily, but I can think of many hypothetical scenarios where a concerted attack on a national infrastructure might be made by another government or a terrorist organization, with dramatic consequences. (In the UK, it's common to see refer ences to the Critical National Infrastructure, which I believe includes not only the Corridors of Power, but more peripheral areas such as parts of the National Health Service, and sectors like banking which many people wouldn't necessarily think of in a governmental context). The "Government Secure Internet" (GSI) is indeed a pretty effective layer of protection, but it does not, I think, cover all the sectors that might sustain serious impact from such an attack, and might in turn seriously damage the wellbeing of the nation as a whole.

I spend most of my working life saying "Don't panic!" in one context or another, and right now, we aren't seeing huge botnets used for (sigh...) cyberwarfare. Nevertheless, I don't believe that the UK government or the European Community (or anyone else) should be complacent about potential risks to national security from botnet-like activity, just because most of the bots we know of right now have a commercial agenda. Anyone with the resources and incentive can build, buy or rent a botnet (should I mention the BBC?), and it's not a good idea to make too many presumptions about what motivation might drive the individual or organization behind future botnet attacks.

David Harley FBCS CITP CISSP
Director of Malware Intelligence, ESET

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/123882-botnets-not-problem.html US cyber policy review http://www.unix.com/security-rss/123830-us-cyber-policy-review-new-post.html Mon, 16 Nov 2009 08:15:07 GMT This paper, directed from the US White House, may be the structure for US information, networking, and infrastructure policy over the next seven years. While vague, it does give some indication of directions.

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/123830-us-cyber-policy-review.html Social armour http://www.unix.com/security-rss/123801-social-armour-new-post.html Sun, 15 Nov 2009 20:00:07 GMT A blog posting from Eset outlining some basic tips for reducing the risks associated with social networking (http://www.eset.com/threat-center/blog/2009/09/08/armor-for-social-butterflies)/social media/Web 2.0 activities. Image: http://feeds.feedburner.com/~ff/isc2Blog?d=yIl2AUoC8zA ... A blog posting from Eset outlining some basic tips for reducing the risks associated with social networking/social media/Web 2.0 activities.

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/123801-social-armour.html Psych and sec http://www.unix.com/security-rss/123784-psych-sec-new-post.html Sun, 15 Nov 2009 07:45:10 GMT Ross Anderson has put together a great page of links about psychological factors in security. Quite a few resources and papers on deception and social engineering, usability, risk calculations, economics, and more.

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/123784-psych-sec.html California Shakeout http://www.unix.com/security-rss/123656-california-shakeout-new-post.html Fri, 13 Nov 2009 01:30:06 GMT Resources, instructions and tips from the government of California on earthquake preparedness. http://www.youtube.com/watch?v=o7eGZEY5wEM

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/123656-california-shakeout.html Security awareness video http://www.unix.com/security-rss/123495-security-awareness-video-new-post.html Wed, 11 Nov 2009 13:00:01 GMT If your organization relies on "proximity cards" or "swipe cards", or even good ol' fashioned staff passes, to restrict access to secure areas, I heartily recommend a BBC security awareness video featuring, um, pigs.

Whoever said security awareness sessions have to be boring? :-)

Gary

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/123495-security-awareness-video.html US online fraud http://www.unix.com/security-rss/123447-us-online-fraud-new-post.html Wed, 11 Nov 2009 00:45:06 GMT A collection of links to sites with information on online fraud. Reporting links for those in the US.

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/123447-us-online-fraud.html Avoiding a Project Ambush http://www.unix.com/security-rss/123277-avoiding-project-ambush-new-post.html Mon, 09 Nov 2009 12:15:03 GMT There was a story I read recently on the Times Online: French troops were killed after Italy hushed up ‘bribes’ to Taleban. What could this tragic event possibly have to do with IT security? Let me explain.

First,there were allegations that the Italian government had been payingbribes to the Taliban in exchange for save haven. But Italy vehemently denied it. Then, last year, ten French troops were killed in what they hadpreviously assessed to be a peaceful area of Afghanistan.

Before France went into this deadly area, they (of course) did a risk assessment. What factored considerably into France's conclusions was the fact that Italian troops were met by little aggression inthe same area. Unfortunately, France went in to the same area butended up in a deadly ambush, resulting in the tragic deaths.

Politicsaside, I think this example illustrates the importance ofconducting a thorough assessment during the requirements phase of anysecurity or software-related effort. If an observation is made during this phase, you should checkto see if there are any dependencies behind it. This way you canbetter identify any variables that could negatively impact thesoftware implementation. Trust but verify, in other words.

Some points to consider:

Resarchand look for any underpinnings to your conclusions. Make sure there'sno dependencies behind what is observed that are not guaranteed to bethere.
Interview and observe more than once. How you seethings one time may be completely different the following week. Over aseries of visits you should be able to aggregate and form a morereliable assessment.

In the book 97 Things Every Software Architect Should Know, Timothy Hugh has some good advice.

Bestpractices in software architecture state that you should document therationale behind each decision that is made, especially when thatdecision involves a tradeoff. In more formal approaches, it is commonto record along with each decision the context of that decision,including the "factors" that contributed to the final judgement.

As an analyst, you make certain assumptions after conductinginterviews. This is how we fill the gaps, not only out of time andbudget constraints, but also because this is just human nature. Recognizing and mitigating this behavior can help ensure what isperceived is indeed fact, and this can hopefully prevent ambushes,project-related or otherwise.

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/123277-avoiding-project-ambush.html Free licence http://www.unix.com/security-rss/123173-free-licence-new-post.html Sat, 07 Nov 2009 06:15:07 GMT Interesting piece by an author who explains why he is not upset by, and even wants people, "pirating" his book, which is published under the GNU Free Documentation License.

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/123173-free-licence.html OnguardOnline.Gov http://www.unix.com/security-rss/123083-onguardonline-gov-new-post.html Fri, 06 Nov 2009 06:00:04 GMT Latest online security awareness from the US feds. Limited and basic awareness tips (but a decent start), some cute games (for the easily amused), and a very few phishing videos.

More... ]]> IT Security RSS iBot http://www.unix.com/security-rss/123083-onguardonline-gov.html