30. September 2010 · Inside Facebook security, and how to better protect your account | Graham Cluley’s blog · Categories: Security-Compliance

Inside Facebook security, and how to better protect your account | Graham Cluley’s blog.

Improve your Facebook account security by changing the default setting under “Account Security” for “Would you like to receive notifications for logins from new devices?”

The default is no. Change it to yes.

If I understand this correctly, you will get notified when any third party application logs in to post a message.

There is a caveat though:

Of course, one thing to beware is that it would be easy for hackers to fake an email to appear as though it were one of the messages from Facebook, warning you that your account had been accessed. And if in a blind panic you clicked on a link in that bogus email, you might be taken to a phishing site.

Or worse.

25. September 2010 · How to Configure Mozilla Firefox for Secure Surfing · Categories: Security-Compliance

Via Threatpost: How to Configure Mozilla Firefox for Secure Surfing

Excellent recommendations for configuring Firefox. One exception: take note of one of the comments about the downside of clearing site preferences, as this will blow away the cookies containing all of the choices you made when setting preferences on your favorite sites.

In addition, I recommend the Adblock Plus plug-in. It’s had 94 million downloads and over 2,000 reviews averaging the maximum 5 star rating.

25. September 2010 · HTML5 security concerns · Categories: Security-Compliance

Via ThreatPost: Security a Concern as HTML5 Gains Traction

This article and an earlier blog post from Veracode, HTML5 Security in a Nutshell, itemize some of the new HTML5 features that can be seen as new threat vectors, including (1) local database and session storage, (2) sandboxing, and (3) postMessage().

Every new technology increases risk, at the very least because people misunderstand how to use it and bad actors know this. Therefore, as a new technology, in this case HTML5, gains traction, cyber criminals are drawn to it as well. We’ve seen the same thing happen with Web 2.0 applications, social networking, and virtualization.

If the major security vendors don’t respond to the new threats, you can be sure that new security vendors will.

19. September 2010 · How risky is the ‘Padding Oracle’ Crypto Attack? · Categories: Security-Compliance, Vulnerabilities

ThreatPost reported that a pair of security researchers have announced an implementation of an attack that exploits the way ASP.NET Web applications handle encrypted session cookies: ‘Padding Oracle’ Crypto Attack Affects Millions of ASP.NET Apps | threatpost.

Microsoft acknowledged the vulnerability in Microsoft Security Advisory 2416728.

The question is, how likely is this vulnerability to be exploited across the millions of ASP.NET web sites? According to a post on Slashdot.org:

…this attack requires fairly verbose error messages be sent back to the user of a web application. While I’m sure there do exist some ASP sites where this is the case, I don’t think it has been in any of the non-intranet sites I’ve seen in my career.

It just is not standard in any exposed web site, especially the kind of web site where you would care about customer information getting out, to allow useful error messages to reach the end user. It is by far the standard to catch the exceptions, log them on the server, and show the end user a generic error message which would not be helpful in the case of this exploit.

So it appears that the risk of exploitation of this vulnerability depends on the coding practices of the web site developers. Good coding practices, not so risky.
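To make the Slashdot commenter’s point concrete, here is an added example (not code from the ThreatPost article, the advisory, or the researchers) of the two coding practices being contrasted: a handler whose error responses reveal whether padding or decoding failed, beside one that authenticates the ciphertext first and returns a single generic response for every failure. The cipher is a constructed keystream stand-in rather than real AES, and the handler names, keys, and sample plaintext are assumptions.

```python
import hashlib, hmac

BLOCK = 16
KEY = b"constructed-demo-key"          # constructed, not a real secret
MAC_KEY = b"constructed-demo-mac-key"  # constructed, not a real secret

def keystream(n):
    # Toy keystream standing in for the real block cipher; not secure.
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("padding")
    return data[:-n]

def encrypt(plaintext):
    pad = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([pad]) * pad
    ct = bytes(a ^ b for a, b in zip(padded, keystream(len(padded))))
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()  # ct || tag

def decrypt_unauthenticated(blob):
    ct = blob[:-32]
    padded = bytes(a ^ b for a, b in zip(ct, keystream(len(ct))))
    return pkcs7_unpad(padded).decode("utf-8")

def leaky_handler(blob):
    # Verbose errors: the response reveals which decryption stage failed.
    try:
        return "200 " + decrypt_unauthenticated(blob)
    except UnicodeDecodeError:  # listed first: it is a ValueError subclass
        return "500 Invalid UTF-8 in decrypted data."
    except ValueError:
        return "500 Padding is invalid and cannot be removed."

def hardened_handler(blob):
    # MAC check before decrypting, then one generic response for any failure.
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if len(blob) < BLOCK + 32 or not hmac.compare_digest(tag, expected):
        return "400 Invalid request."
    try:
        return "200 " + decrypt_unauthenticated(blob)
    except ValueError:  # covers UnicodeDecodeError as well
        return "400 Invalid request."
```

Feeding the same two tampered cookies to both handlers shows the difference: the leaky one answers with two distinguishable error messages, the hardened one with the same message for both.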

05. September 2010 · Mitre releases log standards architecture – Common Event Expression (CEE) · Categories: Log Management, Security-Compliance

Finally, on August 27, 2010, Mitre released its log standard document, the Common Event Expression Architecture Overview. The goal of CEE is to standardize event logs to simplify collection, correlation, and reporting, which will drive down the costs of implementing and operating Log Management controls and improve audit and event analysis.

At present there are no accepted log standards. Each commercial application and security product implements logs in a proprietary way. In addition, the most commonly used log transport protocol, syslog, is unreliable since it’s usually implemented on UDP. The custom application environment is even worse as there are no accepted standards to guide application developers’ implementation of logs for audit and event management.

Why after ten years of log management efforts are there still no standards? In my opinion, it’s because government agencies and enterprises have not recognized that they are indirectly bearing the costs of the lack of standardization. Now that log management has become mandatory for compliance and strongly recommended for effective cyber defense, organizations will realize the need for log standardization. Initially, it’s going to be up to the Federal Government and large enterprises to force CEE compatibility as a requirement of purchase in order to get product manufacturers to adhere to CEE. The log management vendors will embrace CEE once they see product manufacturers using it.

Here is the Common Event Expression Architecture Overview (CEE AO) Abstract:

This Common Event Expression (CEE) Architecture defines the structure and components that comprise the CEE event log standard. This architecture was developed by MITRE, in collaboration with industry and government, and builds upon the Common Event Expression Whitepaper [1]. This document defines the CEE Architecture for an open, practical, and industry-accepted event log standard. This document provides a high-level overview of CEE along with details on the overall architecture and introduces each of the CEE components including the data dictionary, syntax encodings, event taxonomies, and profiles. The CEE Architecture is the first in a collection of documents and specifications, whose combination provides the necessary pieces to create the complete CEE event log standard.
KEYWORDS: CEE, Logs, Event Logs, Audit Logs, Log Analysis, Log Management, SIEM

There are four components of the CEE Architecture – CEE Dictionary and Taxonomy (CDET), Common Log Syntax (CLS), Common Log Transport (CLT), and Common Event Log Recommendations (CELR). CDET is described below as its two parts, the Dictionary and the Taxonomy.
  • Common Log Syntax (CLS) – how the event and event data is represented. The event syntax is what an event producer writes and what an event consumer processes.
  • CEE Dictionary – defines a collection of event fields and value types that can be used within event records to specify the values of an event property associated with a specific event instance.
  • CEE Taxonomy – defines a collection of “tags” that can be used to categorize events. Its goal is to provide a common vocabulary, through sets of tags, to help classify and relate records that pertain to similar types of events.
  • Common Event Log Recommendations (CELR) – provides recommendations to developers and implementers of applications or systems as to which events and fields should be recorded in certain situations and what log messages should be recorded for various circumstances. CELR provides this guidance in the form of a machine-readable profile. The CELR also defines a function – a group of event structures that comprise a certain capability. For example, a “firewall” function can be defined consisting of “connection allow” and “connection block” event structures. Similarly, an “authentication management” function can be composed of “account logon,” “account logoff,” “session started,” and “session stopped.”
  • Common Log Transport (CLT) – provides the technical support necessary for an improved log transport framework. A good framework requires more than just standardized event records, support is needed for international string encodings, standardized event record interfaces, and reliable, verifiable log trails. In addition to the application support, the CLT event streams supplement the CLS event record encodings to allow systems to share event records securely and reliably.
The CEE Architecture Overview document also defines the CEE “product” approval management process and four levels of CEE conformance.

CEE holds the promise of driving down the costs of implementing Log Management systems and improving the quality of audit and event analysis. However, there is still much work to be done for example in defining Taxonomies and defining and testing interoperability at the Transport and Syntax levels.

Mitre has had mixed results over the years in its efforts to standardize security processes. CVE (Common Vulnerabilities and Exposures) has been its biggest success, as virtually all vulnerability publishers use CVE numbers. CEE is much more ambitious though, and will require more money and resources than Mitre is accustomed to having at its disposal.

02. August 2010 · Is SSL safe? · Categories: Security-Compliance, Vulnerabilities

Via DarkReading: even if you are using the latest version of SSL and it is configured properly, the answer may still be no, based on two presentations at BlackHat last week.

First, according to Ivan Ristic, the Director of Engineering at Qualys, the main problems with SSL are running old versions of SSL and poor configuration management. Ivan said that half the sites running SSL are still using SSLv2 which has known vulnerabilities. In addition, a statistically large number have invalid certificates.

On the other hand, Robert “RSnake” Hansen and Josh Sokol believe that SSL is broken. They presented some 24 HTTPS/SSL exploitation techniques. Their assessment is that “HTTPS simply cannot guarantee confidentiality and integrity in the browser.”

Ristic countered: “While the state of SSL websites is ‘average’ in terms of security, SSL is rarely targeted by attackers today. I have a disclaimer: SSL is not a common attack vector today because there’s so much low-hanging fruit out there. I think it’s the time to start fixing things, and they can be fixed.”

02. August 2010 · Details of 100 million Facebook users published – lazy consumer marketers love it · Categories: Privacy, Security-Compliance

ITPRO reported that Ron Bowes, a hacker/security consultant from Skull Security, gathered the personal details of 100 million Facebook users from Facebook’s user directory using Facebook’s standard APIs, and published them in a downloadable file on Pirate Bay.

I suppose the fact that Ron only got 20% of the Facebook population is a reflection of how most people have set their privacy settings. This jibes (via Ars Technica) with a study conducted by researchers at Northeastern and Harvard and published in First Monday showing that college students do in fact care about their privacy on Facebook.

Or maybe Facebook does not really have 500 million users.

What’s even more interesting are the lazy, consumer-oriented companies that downloaded the file! I say lazy because they could have done the same thing themselves. Gizmodo published the list of companies!

01. August 2010 · Google Malware double that of Bing, Yahoo, and Twitter combined · Categories: Malware, Security-Compliance

Via Help Net Security: Barracuda recently released its Barracuda Labs 2010 Midyear Security Report, which includes the results of a study it did on search engine and Twitter malware. It focused on 25,000 trending topics over a two-month period. The somewhat surprising finding was that the percentage of malware-laden links on Google (69%) exceeded Yahoo! (18%), Bing (12%), and Twitter (1%) combined. The “Searching for Malware, A Comparative Study” section starts on page 56 of the report.

It would have been interesting if the study had broken down the results by page, in other words, the percentage of malware found on the first page of the search results, and so on. Most people only review the first few pages of a search result.

This provides additional proof of the need for a web-based anti-malware solution. You surely cannot depend on the search engines themselves to do the job.

Full disclosure. Cymbel does partner with Barracuda, but for Web Application Firewalls. For web-based anti-malware, we recommend Zscaler.

01. August 2010 · The attack of the Cookie monsters · Categories: Privacy, Security-Compliance

This past Friday, the Wall Street Journal wrote an extensive article on the “nefarious” techniques web content sites use to help monetize their mostly free content. The WSJ calls it “spying.” It implies that users are unaware that it’s happening and are helpless to do anything about it.

First, if you read the WSJ or this blog, you are no longer unaware. Second, most browsers provide tools to protect your privacy while you are browsing and to delete the “cookies.” Third, since most people are unwilling to pay anything for content, the content providers have little choice but to monetize via advertising. In order to achieve reasonable rates, advertisers want to be able to target their ads. Fourth, I believe that most people are OK with the trade-off – free content in exchange for giving up their privacy. If you are not OK with the exchange, see the second point above.

For the most part, I agree with Jeff Jarvis, who takes the Wall St. Journal to task in his post, Cookie Madness.

On the other hand, Wired reported earlier in the week that a lawsuit was filed against Quantcast, a subsidiary of MTV, which allegedly “violated federal computer intrusion law by secretly using storage in Adobe’s Flash player to re-create cookies deleted by users.”

The Wired article goes on to say,

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

Quantcast claims it stopped using this technique in August 2009, after Wired first brought it to light.


25. July 2010 · Fraud related to virtual goods sales increases to 1.9% · Categories: Fraud, Security-Compliance

The Wall St. Journal is reporting that fraud related to the sale of virtual goods, primarily in online games, increased to 1.9% in 2009. This compares to 1.1% for physical goods. These numbers are coming from CyberSource Corp., a subsidiary of Visa, which provides payment management services including fraud detection related to the sale of digital goods. (We at Cymbel have no relationship with CyberSource or the other vendors like PayPal mentioned in the article.)

While interesting, these numbers are not surprising. As the article states, many of the precautions that can be used in the physical world, like checking the shipping address against the address on the credit card, are not available in the world of purely digital goods.

So for those selling digital goods, selecting a payment processing provider should be just as much about its fraud detection capabilities as processing fees.