30. September 2010 · Comments Off on Inside Facebook security, and how to better protect your account | Graham Cluley’s blog · Categories: Security-Compliance

Inside Facebook security, and how to better protect your account | Graham Cluley’s blog.

Improve your Facebook account security by changing the default setting under “Account Security” for “Would you like to receive notifications for logins from new devices?”

The default is no. Change it to yes.

If I understand this correctly, you will get notified when any third-party application logs in to post a message.

There is a caveat though:

Of course, one thing to beware is that it would be easy for hackers to fake an email to appear as though it were one of the messages from Facebook, warning you that your account had been accessed. And if in a blind panic you clicked on a link in that bogus email, you might be taken to a phishing site.

Or worse.

29. September 2010 · Comments Off on Steve Bellovin on Stuxnet: The First Weaponized Software? · Categories: Malware

Steve Bellovin has posted a comprehensive analysis of Stuxnet in a post entitled Stuxnet: The First Weaponized Software? His post also summarizes what is publicly known so far about Stuxnet. Well worth reading in its entirety.

29. September 2010 · Comments Off on Help to combat the Social Engineering Threat · Categories: blog

If you are not familiar with www.social-engineer.org, I strongly recommend it as a great source of information regarding all aspects of social engineering. Why is this important? In their own words:

Social engineering is a real and dangerous threat to Corporate America. In the simplest of terms, social engineering is manipulating a target to take an action that may or may not be in their best interest. As companies devote more resources to technical security, technical attacks become more expensive. Social engineering is a popular alternative for cyber criminals interested in operating on the cheap. After all, these attackers seek the same high return on investment as business owners.

If you don’t believe that social engineering is a major issue, read an overview about the social engineering contest that was held this past August at Defcon 18 in Las Vegas.

One of the most alarming findings was that it doesn’t take a seasoned expert in social engineering to successfully penetrate a company. Inexperienced attackers have easy access to free resources including Facebook, LinkedIn, Twitter, Google Search, and Google Street. These resources, coupled with call centers and customer service departments that are focused on customer satisfaction, were enough to gather valuable information from most targeted companies. For the more resistant targets, there were plenty of believable pretexts to choose from (e.g., employee satisfaction survey, helpless customer, recruitment agency interviewing a former employee who just posted a resume on a job-seeking website, etc.). As a last resort, any resistance encountered was easily overcome by simply hanging up and calling again until a more cooperative employee could be reached.

The full PDF version of the report is available for download from Social-Engineer.Org here.

26. September 2010 · Comments Off on Who’s Behind Stuxnet? The Americans? The Israelis? – Security Watch · Categories: Malware, Zero-day

Who’s Behind Stuxnet? The Americans? The Israelis? – Security Watch.

The security research community continues to marvel at the sophistication of Stuxnet. In fact, there is a growing body of opinion that Stuxnet must have been developed with government sponsorship. Since 58% of identified infections seem to have occurred in Iran, the two obvious countries attracting speculation are the United States and Israel.

Previously, I’ve written about Stuxnet on August 14, September 15, and September 17.

Aside from the extremely precise, targeted nature of Stuxnet, what is striking is that it took advantage of four different 0-day (previously unknown) vulnerabilities.

If this is not a wake-up call for the need for specialized 0-day malware defenses, I don’t know what is.

26. September 2010 · Comments Off on OAuth 2.0 security used by Facebook, others called weak · Categories: Authentication

OAuth 2.0 security used by Facebook, others called weak.

OAuth 2.0 is sweeping through the industry, becoming the standard method of authentication across multiple web applications/sites. Other methods such as SAML and WS-Security are losing out because they are too difficult for web developers to learn and use.

Unfortunately, there is a growing opinion that in an effort to make OAuth 2.0 simple for developers to use, security was compromised.

The main concern is that rather than using digital signatures to assure that the “tokens” transmitted between sites are not tampered with, the sites simply connect to each other via SSL, which is susceptible to man-in-the-middle attacks.

Eran Hammer-Lahav, Yahoo’s director of standards development and one of the creators of OAuth, said:

“It is clear that once discovery is used, clients will be manipulated to send their tokens to the wrong place, just like people are phished. Any solution based solely on a policy enforced by the client is doomed.”

25. September 2010 · Comments Off on How to Configure Mozilla Firefox for Secure Surfing · Categories: Security-Compliance

Via Threatpost: How to Configure Mozilla Firefox for Secure Surfing

Excellent recommendations for configuring Firefox. One exception: take note of the comment about the downside of clearing site preferences, as this will blow away the cookies that store all of the preference choices you have made on your favorite sites.

In addition, I recommend the Adblock Plus plug-in. It’s had 94 million downloads and over 2,000 reviews averaging the maximum 5-star rating.

25. September 2010 · Comments Off on HTML5 security concerns · Categories: Security-Compliance

Via ThreatPost: Security a Concern as HTML5 Gains Traction

This article and an earlier blog post from Veracode entitled HTML5 Security in a Nutshell itemize some of the new HTML5 features that can be seen as new threat vectors, including (1) local database and session storage, (2) sandboxing, and (3) postMessage().

Every new technology increases risk, at the very least because people misunderstand how to use it and bad actors know this. Therefore, as a new technology such as HTML5 gains traction, cyber criminals are drawn to it as well. We’ve seen the same thing happen with Web 2.0 applications, social networking, and virtualization.

If the major security vendors don’t respond to the new threats, you can be sure that new security vendors will.

19. September 2010 · Comments Off on How risky is the ‘Padding Oracle’ Crypto Attack? · Categories: Security-Compliance, Vulnerabilities

ThreatPost reported that a pair of security researchers have announced an attack that exploits the way ASP.NET web applications handle encrypted session cookies: ‘Padding Oracle’ Crypto Attack Affects Millions of ASP.NET Apps | threatpost.

Microsoft acknowledged the vulnerability in Microsoft Security Advisory 2416728.

The question is, how likely is this vulnerability to be exploited across the millions of ASP.NET web sites? According to a post on Slashdot.org:

…this attack requires that fairly verbose error messages be sent back to the user of a web application. While I’m sure there do exist some ASP sites where this is the case, I don’t think it has been in any of the non-intranet sites I’ve seen in my career.

It just is not standard in any exposed web site, especially the kind of web site where you would care about customer information getting out, to allow useful error messages to reach the end user. It is by far the standard to catch the exceptions, log them on the server, and show the end user a generic error message which would not be helpful in the case of this exploit.

So it appears that the risk of exploitation of this vulnerability depends on the coding practices of the web site’s developers. Good coding practices, not so risky.

17. September 2010 · Comments Off on Errata Security: Adobe misses low hanging fruit in Reader · Categories: Malware

Errata Security: Adobe misses low hanging fruit in Reader.

It appears that one of the reasons Adobe has so many vulnerabilities is a lack of secure software development practices.

One of the most common features of “secure development” is the ability to avoid functions that are known to be dangerous, functions which have caused major vulnerabilities (such as Internet worms) in the past. These are functions developed in the 1970s, before their risks were understood. Now that we have suffered from these functions and understand the risks, we have come up with safer alternatives. Using these alternatives is cheap and easy, and they can save a development house endless embarrassment and remediation time. More importantly, while verifying that your code is “secure” is an essentially impossible task, verifying that your code contains no banned functions is easy. We call this the “low hanging fruit” of secure development.

The Errata article found a high-risk function, strcat, still in use in Adobe Reader, possibly related to a recent vulnerability, the SING Table Parsing Vulnerability (CVE-2010-2883).

In addition, Brian Krebs is reporting that Adobe published yet another security advisory earlier this week about a previously unknown vulnerability in Flash being actively exploited.

17. September 2010 · Comments Off on ‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought — Krebs on Security · Categories: Malware

‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought — Krebs on Security.

Brian Krebs has a detailed article on Stuxnet, including details of how it targets Siemens industrial control systems.

“The mechanism [the Stuxnet worm] used to install the Siemens payload came at the very end, which means this isn’t a Siemens problem and that they could have substituted [General Electric], Rockwell or any other PLCs as the target system,” Weiss said. “At least one aspect of what Stuxnet does is to take control of the process and to be able to do…whatever the author or programmer wants it to do. That may be opening or closing a plant valve, turning a pump on or off, or speeding up a motor or slowing one down. This has potentially devastating consequences, and there needs to be a lot more attention focused on it.”