Archive for the ‘security’ Category

Cyber-security and utilizing fake data

The Washington Post published an article on January 2nd discussing how many organizations are turning to a unique type of deception in an attempt to protect data and thwart cyber-criminals.

Minnesota based Brown Printing Co. began planting fake data in web servers to lure hackers into “rabbit holes.” The hope is that the hackers will expend a lot of energy and effort trying to steal fake data and eventually will go elsewhere when they are unsuccessful finding useful information. Within weeks of Brown Printing installing its deceptive tools, they detected over 375 suspicious probes against their website. It was the first time that they could detect these threats.

Organizations are looking to turn the tables on would-be hackers and highlight a growing trend that companies are looking to be more aggressive in their attempts to fight off intruders. According to Michael DuBose, a former chief of the Justice Department’s Computer Crime and Intellectual Property Section, theft of intellectual property and other sensitive documents may be the most significant cyber-threat the nation faces over the long-term and many organizations are no longer willing to stay on the defensive.  This new action is known as a type of “active defense.”

The FBI warns that the use of these types of deceptive maneuvers could backfire,  but nonetheless, remain legal as long as the fake data is planted within the company’s network and does not damage a third party’s system. The overall message is that organizations are beginning to take control of their cyber-security and are no longer willing to sit by passively.
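The value of planted fake data comes from the alerting around it: a decoy record or file that nothing legitimate links to turns every access into a high-confidence signal, which is how Brown Printing could suddenly count probes it had never seen before. The following is an added example for this post, not Brown Printing's tooling or anything from the Washington Post article; the decoy paths, the decoy identifiers and the access-log lines are all constructed for illustration.

```python
"""Detect access to planted decoy ("honeytoken") resources in web access logs.

Added example for this post; not Brown Printing's tooling. Decoy paths,
identifiers and log lines are constructed for illustration.
"""
import re
from collections import Counter

# Decoy resources that nothing legitimate links to; any hit is suspicious.
# Constructed for this example; a real deployment picks site-specific names.
DECOY_PATHS = {
    "/admin/backup/customers_2011.csv",
    "/api/v1/export/cardholders",
}
# Decoy identifiers seeded inside the fake records themselves (constructed).
DECOY_TOKENS = {"ACCT-7731-DECOY", "bait_4412@example.invalid"}

# Apache/nginx "combined" log format, parsed up to the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<request>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two ordinary visitors and one client pulling decoy data.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2013:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2013:10:01:15 +0000] "GET /products HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Jan/2013:10:02:01 +0000] "GET /admin/backup/customers_2011.csv HTTP/1.1" 200 40960 "-" "curl/7.21"
198.51.100.23 - - [02/Jan/2013:10:02:09 +0000] "GET /api/v1/export/cardholders?id=ACCT-7731-DECOY HTTP/1.1" 200 2048 "-" "curl/7.21"
192.0.2.44 - - [02/Jan/2013:10:03:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def detect_decoy_access(log_text):
    """Return one alert per log line that touches a decoy path or decoy token."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format; a real pipeline would count these too
        request = m.group("request")
        path = request.split("?", 1)[0]  # compare the path without its query string
        reasons = []
        if path in DECOY_PATHS:
            reasons.append(f"decoy path {path}")
        hits = [t for t in DECOY_TOKENS if t in request]
        if hits:
            reasons.append("decoy token " + ", ".join(sorted(hits)))
        if reasons:
            alerts.append({"ip": m.group("ip"), "time": m.group("ts"),
                           "request": request, "reasons": reasons})
    return alerts


def probes_by_source(alerts):
    """Aggregate alerts per source address, the way a probe count is built."""
    return dict(Counter(a["ip"] for a in alerts))


if __name__ == "__main__":
    found = detect_decoy_access(SAMPLE_LOG)
    for a in found:
        print(a["time"], a["ip"], a["request"], "->", "; ".join(a["reasons"]))
    print(probes_by_source(found))
```

Because the decoy paths are never advertised, the false-positive rate is essentially zero, so these alerts can be routed straight to an analyst rather than buried in the general web-log noise; the same idea extends to decoy database rows and decoy credentials, where the trigger is a query or a login attempt rather than an HTTP request.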

To read the full article click here



Why the password security problem is even worse than you thought it was: 2012

Dan Goodin from arstechnica.com did an outstanding piece showing how password cracking has gotten so easy, thanks to new hardware and software techniques, that the situation borders on intractable for the old ways. Time for multifactor authentication everywhere that information must be truly kept secure, I believe.

The full piece is here.  One of his charts is below.

But the upshot is this:

 

  • Bad: Anything shorter than 8-9 characters is breakable now with low-cost GPU equipment. 10 is more like it, more is even better, but truly random is where it is at.
  • Much Worse: Some of the large-scale hacks since 2007 have provided insight into the tricks people use to create harder-to-guess passwords, such as putting a punctuation mark at the beginning or end, or substituting the number zero for the letter O; as a result, cracking tools are now built to rapidly test for these patterns, so it is no longer necessary to try every combination in order to crack a password. This makes even very long passwords easy to break.
  • Worse Still: Users consistently reuse the same password on different sites, and if any one of those sites is cracked, then that user's access across all the sites is cracked.
  • The Absolute Worst: Security managers even at some very large firms have not put in place the procedures (like salting) needed to protect their password databases in consistently effective ways. And it only takes one weakest link if users don't apply site-unique passwords (which they rarely do).

 

Taken together, these factors make password security less effective at protecting information than ever.

Goodin concludes his piece by suggesting that “the easiest way to put this advice into practice is to use program such as 1Password or PasswordSafe.” While this is no doubt true, I fear that multifactor authentication (something you have, and something you know) has a place in all our futures.
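The “Absolute Worst” bullet deserves a concrete picture of what salting buys a site operator. The block below is an added example written for this post, not code from Goodin's article or from the password managers he names; it uses PBKDF2-HMAC-SHA256 from the Python standard library, and the iteration count, salt length and record format are assumptions chosen here. It stores each password as a self-describing record, verifies it in constant time, and contrasts that with an unsalted store, where two users who picked the same password end up with identical hashes, so one cracked hash, or one precomputed table, unlocks every account that shares it.

```python
"""Salted password storage with PBKDF2 (added example, not from the article)."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16        # assumed salt length; 16 random bytes per user


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a record of the form algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn for every call unless one is supplied, so
    two users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_digest(password):
    """What a database without salting stores: identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def shared_hash_groups(users):
    """For a {user: password} mapping, count groups of users who share a stored hash.

    Returns (unsalted_groups, salted_groups). With salting the second number is 0
    even when passwords are reused, so a cracked hash reveals only its own account.
    """
    unsalted, salted = {}, {}
    for user, pw in users.items():
        unsalted.setdefault(unsalted_digest(pw), []).append(user)
        salted.setdefault(hash_password(pw), []).append(user)
    count = lambda table: sum(1 for members in table.values() if len(members) > 1)
    return count(unsalted), count(salted)


if __name__ == "__main__":
    # Constructed sample users; alice and bob chose the same password.
    sample = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "correct horse battery"}
    print("shared-hash groups (unsalted, salted):", shared_hash_groups(sample))
    record = hash_password("correct horse battery")
    print(record)
    print("verify right password:", verify_password("correct horse battery", record))
    print("verify wrong password:", verify_password("Summer2012!", record))
```

Salting does not make a weak password strong; the cracking hardware Goodin describes still guesses it. What it removes is the bulk discount: the attacker has to attack each record separately, and the iteration count makes each of those guesses deliberately expensive.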

 

 

 



Apple Removes Some Windows Security Comparisons From Its Web Site (CRN)

Why market share and security issues sometimes go hand in hand. Recently from CRN, “Apple Removes Some Windows Security Comparisons From Its Web Site”:

 

Apple (NSDQ:AAPL) recently changed the wording in the “Why You’ll Love A Mac” section of its Web site, removing longstanding claims about Macs being more secure than Windows PCs.

For years, Apple’s marketing has centered on the notion that Mac users are immune to the malware that routinely causes headaches for PC users. Here is how Apple used to phrase this: “A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part.”

But sometime in the past few days, Apple changed this message to read: “Built-in defenses in OS X keep you safe from unknowingly downloading malicious software on your Mac.” Apple also changed its description of OS X from “It doesn’t get PC viruses” to “It’s built to be safe.”

 

Read the full piece from Kevin McLaughlin here.


The Last NASA Mainframe Gets Its Plug Pulled

 

From NASA’s CIO Linda Cureton:

“This month marks the end of an era in NASA computing. Marshall Space Flight Center powered down NASA’s last mainframe, the IBM Z9 Mainframe. For my millennial readers, I suppose that I should define what a mainframe is. Well, that’s easier said than done, but here goes — It’s a big computer that is known for being reliable, highly available, secure, and powerful. They are best suited for applications that are more transaction oriented and require a lot of input/output – that is, writing or reading from data storage devices.

They’re really not so bad honestly, and they have their place. Things like virtual machines, hypervisors, thin clients, and swapping are all old hat to the mainframe generation though they are new to the current generation of cyber youths…But all things must change.”

Insert her sigh here.

Read more at: http://blogs.nasa.gov/cm/blog/NASA-CIO-Blog/posts/post_1329017818806.html



Hyper-V3 may give VMWare a run for its money this year

 

VMware has the quality, market share, and price point of a high-end IT industry leader. It also sits between the hardware layer and the OS layer, a position that our friends in Redmond do not like to share with anyone if they can help it. It looks like 2012 may be the year that Microsoft gets serious about competition in this space with Hyper-V 3. Some good technical stuff from Julio Urquidi here. Also see this good piece from Beth Pariseau for some insight into the details below.

 

 

 

Virtualization 2012: Hyper-V 3 vs. vSphere 5 showdown looms

Beth Pariseau, Senior News Writer, SearchServerVirtualization.com

Microsoft’s Hyper-V has been making steady progress catching up to VMware for years, but as IT pros look ahead into 2012, they see the battle between these two virtualization vendors heating up like never before.

In one corner: VMware vSphere 5, made generally available in August, and capable of supporting up to 1 TB of RAM and 32 virtual CPUs per virtual machine (VM). Other new features include Auto Deploy, which can automatically provision hosts according to user-defined rules; overhauled High Availability (rechristened Fault Domain Manager); policy-driven storage provisioning; and Storage Distributed Resource Scheduler.

In the other corner: Microsoft Hyper-V 3.0, still at the developer preview stage. If released as planned before the end of 2012, however, it will contain several key features to bring it into closer competition with vSphere. Those features include a new extensible virtual switch (which has received Cisco’s pledge of support), true live storage migration, shared-nothing live migration, and new scalability with up to 32 virtual CPUs and 512 GB of memory — up from a limit of 4 vCPUs and 64 GB of RAM.

Read the full story here.


Why Implementing End-to-End PCI Security is a Good Idea: The Subway Franchise Caper

Three lessons jump out at me from this story:

  1. If you are dealing with credit card data, actually getting PCI done end-to-end seems like a very good idea. Don’t forget the field offices, Jared!
  2. No remote access software tools anywhere near servers that house credit card data (part of PCI).
  3. Using easy-to-guess passwords is still the #1 dumb thing to do in data security, and one of the easiest to fix (also in PCI, and see my recent post here as well).

Check out the excerpted story from Gallagher below, and read it in full at:  http://arstechnica.com/business/news/2011/12/how-hackers-gave-subway-a-30-million-lesson-in-point-of-sale-security.ars

——————

 

How hackers gave Subway a $3 million lesson in point-of-sale security

By Sean Gallagher | Ars Technica

… In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.

The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses’ generally poor security practices and reliance on common, inexpensive software packages to run their operations makes them easy pickings for large-scale scams like this one, Marcus said.

… the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems—which is why remote access software is banned from systems that handle payment cards by the PCI Security Standards Council, which governs credit card and debit card payment systems security.

“… the hackers gained access to the remote desktop software by guessing or “cracking” the passwords they were configured with. Fellmann isn’t surprised, based on his experience with retailers. Weak passwords, such as “password,” are one of the most common things he discovers during POS penetration testing, he said. “Some people, you tell them what’s required, and they’d rather not do it. They had the tools, and could have easily blocked [the attack]. If they were using a validated POS application, the vendor should provide an implementation plan, which would have included making sure you have a firewall in place. ” But, he said, “these people weren’t thinking about point of sale security—they were just thinking about making a sandwich…”

Read the full story here.

 



Some really poor password choices…

For better or worse, passwords are the basis of much of the security we use in the cloud.

SplashData put out its “Worst Passwords of 2011” report, based on a blind review of its database of common passwords. If you use any of these on any account you wish to protect, it is clearly a good idea to change them soon.

  • password
  • 123456
  • 12345678
  • qwerty
  • abc123
  • monkey
  • 1234567
  • letmein
  • trustno1
  • dragon
  • baseball
  • 111111
  • iloveyou
  • master
  • sunshine
  • ashley
  • bailey
  • passw0rd
  • shadow
  • 123123
  • 654321
  • superman
  • qazwsx
  • michael
  • football

A few simple guidelines for good passwords, from around the web:

  • Use at least eight characters
  • Use a random mixture of characters, upper and lower case, numbers, punctuation, spaces and symbols.
  • Don’t use a word found in any dictionary, English or foreign.

 

Stuff that just doesn’t work well, at least not anymore, because common hacker tools know them well:

  • Don’t merely add a single digit or symbol before or after a word, e.g. “password1”.
  • Don’t double a single word, e.g. “kittykitty”.
  • Don’t just reverse a word, e.g. “drowssap”, or just remove the vowels, e.g. “psswrd”.
  • Avoid keyboard sequences that can easily be repeated, e.g. “qwerty”, “zxcvf”, etc.
  • Don’t garble letters into numbers as the only thing between you and the dictionary, e.g. converting e to 3, L or i to 1, o to 0, as in “z3r0-10v3”.
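The two lists above are a policy; cracking tools implement the “doesn’t work anymore” half as mangling rules applied to a wordlist, so a site can apply the same rules in reverse at registration time and reject the password before it is ever stored. The following is an added example written for this post, not from the SplashData report; it encodes the guidelines and the anti-patterns as checks, uses the 25 worst passwords quoted above as a blocklist, and stands in a small constructed word set for the full dictionary a deployment would load.

```python
"""Password policy checker built from the guidelines in this post (added example)."""
import re

# The SplashData 2011 list quoted above, used as a hard blocklist.
WORST_2011 = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
}

# Constructed stand-in for a real wordlist; a deployment loads a full dictionary here.
DICTIONARY = {
    "password", "kitty", "dragon", "monkey", "zero", "love", "secret", "letmein",
    "baseball", "football", "sunshine", "master", "shadow", "superman", "michael",
    "ashley", "bailey", "trust", "welcome", "hello", "admin", "summer",
}

# Letter-to-number substitutions named in the post, plus a few common extras.
LEET = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "qazwsxedc"]
VOWELS = set("aeiou")


def _devowel(word):
    return "".join(c for c in word if c not in VOWELS)


# Dictionary words with their vowels stripped ("psswrd"), precomputed once.
DEVOWELED = {_devowel(w) for w in DICTIONARY if _devowel(w) != w}


def _is_dictionary_phrase(text):
    """True if text, split on non-letters, is made only of dictionary words."""
    parts = [p for p in re.split(r"[^a-z]+", text) if p]
    return bool(parts) and all(p in DICTIONARY for p in parts)


def _keyboard_run(low):
    """Return the keyboard row a 4+ character run (forward or reverse) comes from."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + 4] in low for i in range(len(seq) - 3)):
                return row
    return None


def check_password(pw):
    """Return the list of policy violations for pw; an empty list means accepted."""
    reasons = []
    low = pw.lower()
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("uses fewer than 3 character classes")
    if low in WORST_2011:
        reasons.append("on the SplashData 2011 worst-passwords list")
    if low in DICTIONARY:
        reasons.append("is a dictionary word")
    if len(low) > 1 and ((low[:-1] in DICTIONARY and not low[-1].isalpha())
                         or (low[1:] in DICTIONARY and not low[0].isalpha())):
        reasons.append("dictionary word with one digit/symbol added")
    half = len(low) // 2
    if len(low) % 2 == 0 and low[:half] == low[half:] and low[:half] in DICTIONARY:
        reasons.append("doubled dictionary word")
    if low[::-1] in DICTIONARY:
        reasons.append("reversed dictionary word")
    if low in DEVOWELED:
        reasons.append("dictionary word with vowels removed")
    deleeted = low.translate(LEET)
    if low not in DICTIONARY and deleeted != low and _is_dictionary_phrase(deleeted):
        reasons.append("dictionary word(s) with letter-to-number substitutions")
    row = _keyboard_run(low)
    if row:
        reasons.append(f"keyboard sequence from '{row}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("password1", "kittykitty", "drowssap", "psswrd", "zxcvf",
                      "z3r0-10v3", "passw0rd", "Tq7#vL9!mX2@kP4z"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Returning every violated rule rather than a bare yes/no lets the registration page tell the user what to change, and the same function can be run offline over an existing credential store during a PCI-style review to find accounts that need a forced reset.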

Read more about the Splashdata report in full here: http://splashdata.com/splashid/worst-passwords/index.htm



Cyber Security Gets the DOD Cloud Treatment

eWeek.com did a nice piece, quoting extensively from recent NSA public statements, on how both cloud and data security strategies in general are starting to move into extended pilot modes. Here is a link to the General’s presentation; below is an excerpt from the eWeek summary.

 

U.S. Counts on the Cloud to Boost Cyber-Security

By: Fahmida Y. Rashid, eWeek.com

Army Gen. Keith Alexander, head of the National Security Agency (NSA), discussed the cloud and how to defend against increasingly sophisticated cyber-threats at a recent Information Systems Security Association conference in Baltimore and in a follow-up interview with eWEEK. As commander of U.S. Cyber Command, he also discussed rules of engagement for the military in cyberspace.

The cloud is a key part of the intelligence community’s IT strategy, Alexander said, because cloud computing gives defense and intelligence agencies more visibility over hackers who are trying to breach government networks.

Within the NSA and Department of Defense (DoD), there are more than 7 million pieces of IT infrastructure and systems and 15,000 different network enclaves, according to numbers provided by the general. With each enclave protected by its own firewall, network administrators have little to no insight into what is happening in isolated and segmented networks, he said.

“Collapsing the enclaves” would provide administrators with a better end-to-end view of their networks and situational awareness, said Alexander. He added that it’s not a perfect solution, but “it is more defensible.”

In a pilot program, the NSA has reduced the number of applications it is running from 5,000 to 250 cloud applications and slashed the number of help desks from 900 to 450, according to Alexander. The agency plans to keep shrinking the infrastructure to just two help desks and 20 data centers, as well as adopt more open-source software, he said, noting that the military is already using Apache Hadoop and OpenStack.

Read the full piece here.



Small Businesses Are a Target for Hackers

Gerry Smith, the digital affairs reporter for HuffPo, wrote a nice piece on a new FCC tool out there to assist smaller businesses with security audits. Here is a small piece of it:

A growing number of cyberattacks are targeting small businesses, from construction companies to local grocery stores, presenting an emerging threat that government officials are trying to combat.

While attacks against large corporations like Sony and Citigroup have garnered attention this year, experts are increasingly worried about the digital vulnerabilities of small businesses, who often lack the resources to invest in cybersecurity. Forty percent of all targeted cyberattacks are aimed at companies with less than 500 employees, according to the security firm Symantec.

“With larger companies increasing their protections, small businesses are now the low hanging fruit for cybercriminals,” FCC Chairman Julius Genachowski said Monday at a cybersecurity forum at the U.S. Chamber of Commerce.

Now, government officials are offering help.

On Monday, the FCC announced a new online tool, the “Small Biz Cyber Planner,” that allows small businesses to create customized cybersecurity strategies by answering questions like whether they handle credit card data or host a public website.

Read the rest of the story here.



Google, Microsoft Suffer Cloud Computing Outages

Even the big guys have not got it down quite right yet at scale:

by Clint Boulton

Cloud Computing News

Google and Microsoft both watched their cloud computing systems choke this past week, with Google Docs going dark for an hour and Microsoft Hotmail, Office 365 and SkyDrive knocked offline for three hours.

Google Sept. 7 saw its Google Docs word collaboration application [act] up for one hour, shutting out millions of users from their document lists, documents, drawings and Apps Scripts. Microsoft, meanwhile, watched its online services, including Hotmail, SkyDrive and Office 365 software, go kaput for three hours Sept. 8.

Google’s outage was caused by a memory management bug software engineers triggered in a change designed to “improve real time collaboration within the document list,” the company explained in a corporate blog post.

Microsoft’s outage was more serious. Beginning around 9:30 PDT Sept. 8, the company’s Hotmail, SkyDrive and Office 365 services went down, owing to a Domain Name System (DNS) issue.

Read the rest at http://www.eweek.com/c/a/Cloud-Computing/Google-Microsoft-Weather-Cloud-Computing-Outages-779302

 

 
