Archive for the ‘Security Matters’ Category

Company loses data on criminals

Thursday, August 21st, 2008


From the BBC

A contractor working for the Home Office has lost a computer memory stick containing personal details about tens of thousands of criminals.

The Home Office was first told by private firm PA Consulting on Monday that the data might be missing.

The lost data includes details about 10,000 prolific offenders as well as information on all 84,000 prisoners in England and Wales.

The Home Office said a full investigation was being conducted.

Again, from our perspective there are only two ways memory sticks or USB drives should be used: either encrypted or not at all. Our endpoint security can’t prevent your employees from losing USB drives, but it can prevent company data from being copied to them or falling into the wrong hands.

Microsoft Patent Application Shows Security Features

Thursday, August 21st, 2008


According to Australian blogger Long Zheng, it appears Microsoft is looking to patent a security feature similar to what Apple uses in its Safari browser.

Web browsers store history and cookies that can be used to track where users have been.  This information can be read by web sites a user visits to provide some information about who they are.  Microsoft is looking to provide easier ways for this information to be deleted or prevent its collection.

Look for this feature in Internet Explorer 8.0 which will probably be released sometime in 2009.

Google Outs Chinese Gymnast

Wednesday, August 20th, 2008


I found this post on a blog this AM.  This demonstrates the power and danger of Google.

http://strydehax.blogspot.com/2008/08/hack-olympics.html

Just remember, if you are going to store something online or share a folder in a way that makes it accessible through a web query, realize Google probably will find it and make it accessible to the world. 

Want a good scare? Visit Johnny Long’s web site here and see what he found on Google.

Encyclopedia of Internal Threats

Tuesday, August 19th, 2008


Most of the media coverage and corporate focus related to digital threats is geared towards high-profile, externally oriented ones. Vulnerabilities, exploits, worms, etc. are the main drivers for vendor solutions. However, internal threats pose an equal and arguably greater threat because of low awareness.

Recently, insider threats, which have always been there, have been more widely reported, most recently with Countrywide’s disclosure related to the millions of stolen and compromised mortgage applicant records. 

In response to this, PromiSEC, a leader in clientless solutions to enforce the security, compliance and integrity of endpoints and servers, has introduced a publicly available Internal Threat Encyclopedia. 

This is a great idea! 

Now there is a place to get reliable and up-to-date information on the many commonly used programs that create holes in your security or compliance environment.

What I like most about the PromiSEC product is that it is so easy to use and configure. Since it’s clientless, there are no installs on PCs. I’ve seen this product scan, identify and lock down hundreds of computers in less than 10 minutes. The ease with which it does this is amazing.

For more information about PromiSEC visit our web site www.gnscon.com

Splunk-ing

Friday, August 15th, 2008


No, I am not talking about visiting caves. Splunking is the process of using a product called Splunk. It’s a security search engine that allows you to view log information from various sources such as firewalls, servers, and other network devices and report on them. Think of it as Google for IT stuff. Beyond the functionality, which is excellent, the really nice thing about this product is that it’s open source, meaning it’s essentially free to use if you don’t want any professional advice or support and you are not pumping tons of data into it.

This 2-minute video gives you all the information you need to get started.

 

How does it work?

Splunk, like Google, needs data to work. Google’s strength is that it can not only search through tons of data but also correlate it, making some assumptions about what should be displayed and in what order. Splunk works much the same way. It uses data generated by virtually any networked computer device and then allows you to search for things that are important, such as signs of potential or known problems. By default it can automatically gather information from Event Logs, syslogs and file shares, and with a growing list of plug-ins it can read data from other sources.

So how does it benefit the average company?

Splunk is a framework that can make sense of data. In its simplest form, it can show you on one page the condition of a system, security information, change controls, web page stats, etc.

If you’re looking for a way to easily report on the IT log data you already have, you should look at Splunk.

Managing Access to Social Network Sites

Wednesday, August 13th, 2008


Info Security Magazine recently sponsored a great online presentation on Web 2.0 and the issues surrounding social network sites such as MySpace, Facebook and LinkedIn.

If you are interested in learning about the issues surrounding Web 2.0, Generation V and Social Networking, this is a great place to start.

I work with Chris Pruetz who does the technical presentation.

You can register for it here. It’s archived, so you can attend at a time that best fits your schedule.

Very informative.  Highly recommended.

If you are interested in learning more about the solution they recommend from Marshal Inc, please visit our website at www.gnscon.com

DNS Vulnerability - Issue or Hype

Monday, August 11th, 2008


If you haven’t already heard, the big IT security news over the last few weeks has been the DNS Vulnerability that was outed by Dan Kaminsky, a security researcher at IOActive in Seattle.  It’s appeared in most major publications and it was certainly one of the top talks at Black Hat last week in Las Vegas.

For more information on this, see the NY Times article here

What’s it all about and why is this so important?

The issue is that it affects the heart of the Internet. DNS or Domain Name Service is what makes everything work. It is the thing that makes browsers work and email flow. In very simple terms, DNS converts named domains to IP addresses. It is the human factor of Internet routing.

The issue that Dan Kaminsky exposed, which has actually been known for years, is that with certain DNS servers (BIND), carefully crafted code could be used to “poison” the server and divert legitimate DNS requests to unauthorized servers.  What this means is that if you wanted to go to your online banking site and typed in “www.whateveryoursitenameis.com”, a compromised DNS server might take you to another site or even an official looking replica of your banking site that could be used for fraudulent purposes.  Essentially requests to go to a specific site are “hijacked”. 

The issue potentially affects everyone but it’s up to ISPs to fix it. Why haven’t they fixed it? Well, there are really two main reasons. First, there is no real fix. There’s a patch but it supposedly slows everything down. In the consumer’s mind, ISPs are measured by speed, not security. To most businesses, slowness is worse than having a potential security issue. The second reason is that some ISPs don’t see the risk as being that high. Their argument is that if it’s known and there have been no exploits, why worry? To most ISPs’ credit, they have taken either direct or indirect steps to protect their customers. However, some have not.

Dan’s talk at Black Hat has pretty much eliminated both the above arguments.  In fact it’s been reported that several exploits have now been published and there have been a few actual attacks.  This week will prove to be a defining week.

What do you do?  Well Dan Kaminsky has a great resource on his web site that will allow you to determine if your ISP’s DNS is vulnerable.  You can find it here.  If it is, you can contact your provider and ask what they are doing to protect you. 
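One property a resolver check like this can measure, shown as an added example (not code from the original post or from Kaminsky's tool): whether the resolver's outgoing queries use unpredictable UDP source ports, since a forged answer has to match the port as well as the 16-bit transaction ID. The sample port lists, the 12-bit cut-off and the function names are constructed for illustration, and predictable ports are simply counted as adding zero bits.

```python
import math
import statistics

# Constructed samples: UDP source ports of successive queries from four
# hypothetical resolvers, as seen at an authoritative server you operate.
FIXED = [32771] * 8
STEPPED = [1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031]
POOL = [40000, 40007, 40003, 40001, 40006, 40002, 40005, 40004]
RANDOM = [50213, 1893, 33410, 61002, 12877, 45120, 7719, 27654, 58341, 20466]

TXID_BITS = 16  # the DNS transaction ID field is 16 bits wide


def port_bits(ports):
    """Estimate bits of unpredictability in the observed source ports."""
    # A uniform spread over range R has stdev R/sqrt(12), so R ~ stdev*sqrt(12);
    # the result is capped at the 16-bit port space.
    if len(set(ports)) < 2:
        return 0.0
    est_range = statistics.pstdev(ports) * math.sqrt(12)
    return min(16.0, math.log2(max(est_range, 1.0)))


def is_stepped(ports, max_step=16):
    """True when each port is the previous one plus a small step (predictable)."""
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    return bool(deltas) and all(0 < d <= max_step for d in deltas)


def assess(ports, good_bits=12):
    """Classify a resolver's port behaviour; good_bits is an illustrative cut-off."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    if len(set(ports)) == 1:
        return "fixed"
    if is_stepped(ports):
        return "sequential"
    return "randomized" if port_bits(ports) >= good_bits else "narrow"


def guess_space_bits(ports):
    """Bits a forged reply must match blind: transaction ID plus port spread."""
    predictable = assess(ports) in ("fixed", "sequential")
    return TXID_BITS + (0.0 if predictable else port_bits(ports))


if __name__ == "__main__":
    for sample in (FIXED, STEPPED, POOL, RANDOM):
        print(assess(sample), round(guess_space_bits(sample), 1))
```

A "fixed" or "sequential" result is the case worth raising with a provider; "narrow" can also appear when a NAT device in front of the resolver rewrites ports into a small pool.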

Why your anti-virus software may soon be worthless

Sunday, August 10th, 2008


The controversial Race to Zero contest being held during Defcon in Las Vegas rendered several common computer viruses undetectable by most popular anti-virus products. The issue was not the fact that it was accomplished, but the speed with which it was done. Teams of security researchers took common computer viruses and obfuscated them in just a few hours.

What this means is that it is possible TODAY to render many destructive worms and viruses undetectable.

This exercise demonstrates how the now 20+ year old technology of signature-based detection is no longer a reliable way to detect and prevent viral and worm infections on a network.

Simon Howard, the New Zealand-based security researcher who sponsored the contest said, "Behavioral recognition is the way forward, but it’s only in some of the desktop anti-virus software and not in any of the server software."

One of the true behavior-based products out there is Norman Virus Control. We have found that our Norman customers have fared better than users of other AV products, the main reason being the Norman Sandbox.

The Norman Sandbox is a real behavioral-based AV system for servers and desktops.  For more information, see our Norman page here.

We have customers who have gone years without infections with Norman.  Contact us about trying Norman Virus Control.  sales AT gnscon.com or +1 814-620-2006

Finally Some More Good News From Microsoft

Friday, August 8th, 2008


Anyone with a Microsoft Server knows about Patch Tuesday. It’s the day Microsoft announces vulnerabilities and security patches for its products. Sadly, Exploit Wednesday is becoming more frequent. The growing number of day-zero exploits has led Microsoft to begin sharing security information ahead of time with key software partners.

Yesterday, Microsoft announced a plan to share information in advance with key partners to ensure customer data is better protected. This is a major shift for the normally secretive software giant.

See the press release here

From my vantage point this is a good thing. The key in all of this now is how the software partners respond. Will they be able to reduce or eliminate the threat of Exploit Wednesday? If the program works, we should see the effects quickly, probably within a few months.

FaceBook Reveals Private Information

Friday, August 8th, 2008


Sophos demonstrated the other day how someone could find out the date of birth of a FaceBook subscriber even if it was made private.

Again the moral of the story is to never give anyone any information you wouldn’t want to be made public.

Last year, Sophos published results of an identity theft probe into Facebook which uncovered that 41% of users would divulge personal information - such as email address, date of birth and phone number - to a complete stranger.