Tuesday, January 23, 2007

New Web Site for ID Application Developers

A new web site for open source developers interested in working on identity and access management applications recently cropped up.

The site is called openLiberty and has links to other similar projects.

Cybercriminals to Target Mobile Banking

There was an interesting story on Vnunet yesterday that has been circulating in the trade press today about how cybercriminals are expected to set their evil sights on mobile banking applications.

This isn't a brilliant insight or a surprise. Mobile banking from cell phones and PDAs is hot. These systems are just starting to be rolled out around the world and, of course, they're being rolled out without security in mind.

Eventually, the designers of these systems will figure out that two basics of information security apply here as anywhere else: access control (knowing who, and which device, is on the other end of the session) and encryption (protecting that session over the air and across the carrier's network). But that's just a start for mobile banking. Stay tuned; this is a developing story.

Two More University Data Breaches

The University of Idaho in Moscow and the University of Arizona in Tucson join the honor roll of universities with data breaches, according to an article in Computer World. Not to pick on these two universities in particular as being any worse than any other, but there have been a lot of breaches at colleges in the past year.

Universities are a gold mine of personal data for identity thieves, just as banks and financial institutions are a perpetual bull's eye for hackers. The Privacy Rights Clearinghouse web site has a data breach chronology that puts it in perspective; financial and educational institutions both feature prominently on it.

The University of Arizona set up a nice site about computer security for the student masses. It's mostly links to other well-known security web sites, but it's still a decent source of general information for beginners.

Art of Software Security Assessment New Book

Addison-Wesley has a new book out about security reviews for software. It's getting a lot of play and some good reviews and might be worth a glance.

The Art of Software Security Assessment also has an interesting companion web site and blog.

Addison-Wesley has a number of classic texts on all aspects of computers and programming.

Java Vulnerability on CERT

Now, here's something you don't see too often on CERT: a Java vulnerability. That doesn't mean they're not there; they just don't get headlines from CERT.

The vulnerability lets an attacker execute arbitrary code on the victim's machine by way of a malicious Java applet. Victims fall prey simply by visiting a web site that serves the specially crafted applet. Sun has already released updates to the Java Runtime Environment (JRE) that fix the issue, so the defense is to update the JRE.

The Hacking Exposed series has a book on Java hacking, available from Amazon, with a companion web site. Sun also has information on secure Java coding on its Java web site.

It's a common myth that Java is somehow immune to security problems. Sure, it bounds-checks arrays, manages memory for you and runs applets in a sandbox, which rules out whole classes of bugs that plague C. But the runtime itself is code, the application on top of it is code, and code can be broken, no matter the language.

Monday, January 22, 2007

New Hacking Exposed Book on VoIP

The Hacking Exposed series came out recently with a new book on VoIP security. The book is available from Amazon. The Hacking Exposed books are encyclopedic references to attack techniques: each attack is listed with a rating of how hard it is to carry out and how much risk it poses.

VoIP security is a hot issue right now, but since VoIP signaling and media ride over the same IP networks as everything else, the attacks are the familiar ones used against any other IP service, aimed at the call setup and the voice streams. The new Hacking Exposed book makes that point. The book also has a companion web site.

I wrote an article in November about VoIP security for SearchSMB, and the Voice over IP Security Alliance (VOIPSA) also has its own web site dedicated to VoIP security.

Digital Travel Security Tips

A colleague passed along an interesting article from Signal Connections newsletter about securing laptops and other mobile devices when traveling.

Like everything else in information security, most of it is common sense. But, unfortunately, even common sense goes out the window, especially when it comes to security, as soon as it becomes a hassle.

Air travel these days can be a challenge, and it's easier than most people think to have a laptop hacked or stolen. The article quoted Robert Bagnall, CEO of Maverick-Security. The company's web site has a nifty cheat sheet with tips for digital travel safety.

I wrote an article about mobile device security for SearchSMB last July.

Friday, January 19, 2007

4th Edition, Security in Computing

I happened to see a copy of the 4th edition of Security in Computing on a colleague's desk this week and was amazed at how much it had changed from the third edition. The new edition of this classic came out in October and is available from Amazon.

The cover has the same graphics, now green instead of maroon, but the contents are completely different. Charles and Shari Lawrence Pfleeger have rewritten the book from scratch.

They've expanded it from 746 to 880 pages and added all kinds of up-to-date topics not in the third edition:

  • Phishing
  • Wireless Security
  • RFID
  • Risk Analysis

It also looks a lot more readable and down-to-earth. The third edition was excellent but was sometimes hard to wade through.

I picked up the third edition from Computer Books Direct, a computer book club. It was listed as one of their bestsellers three years ago when I bought it.

Back on WIIT

I was on WIIT again last night talking about spam, the recent explosion in spam and the botnets that are driving it.

It looks like this will be a regular gig, about every two to three weeks.

My next appearance will be on Thursday night, February 1. I'll be talking about hacking techniques, old and new.

You can hear the program live by streaming media.

Thursday, January 18, 2007

Oracle Patches and Database Security

Oracle has had its share of security issues, to say the least, and came out this week with an astounding 51 security fixes in its quarterly Critical Patch Update.

In honor of the occasion, I've added several links to my web site about database security.

These are two outstanding sites about Oracle security, in particular:

The Finnigan site has a blog with current issues and vulnerabilities, tools, articles and just tons and tons of material devoted entirely to Oracle security. The O'Reilly site is badly dated -- it's a sample chapter from their out-of-print classic -- but it still has some general information about Oracle security that might be of interest.

There are also two books about database security, one currently available from Amazon and the other scheduled for release by the end of this month.

And, of course, to state the obvious, besides all the database-specific technical controls above, a database server should be hardened like any other server: restrict who can reach it and log in to it, keep patches up to date, turn off unneeded services and close unused ports, put a firewall in front of it, and run anti-malware protection.
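Of those hardening items, unneeded services and ports is the one that's easiest to check mechanically, and on a database box the thing that matters most isn't only which ports are open but which interfaces the listener is bound to. What follows is an added example in Python, not code from the original post or from the sites linked above, that parses the output of `ss -tulpn` and compares it against a per-host policy. The host, its internal address 10.0.5.12, the sample output and the policy are all constructed for illustration.

```python
"""Listening-socket audit for a hardened database host.  Added example, not from
the original post or the sites it links; the host, the allowed-services policy
and the `ss -tulpn` sample below are constructed for illustration."""
import re
import sys
from dataclasses import dataclass

# Constructed sample of `ss -tulpn` output from a hypothetical Oracle host
# with one internal NIC at 10.0.5.12 (assumed address).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128         0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128         0.0.0.0:1521      0.0.0.0:*     users:(("tnslsnr",pid=1420,fd=8))
tcp   LISTEN 0      128       127.0.0.1:5500      0.0.0.0:*     users:(("java",pid=1502,fd=44))
tcp   LISTEN 0      5           0.0.0.0:23        0.0.0.0:*     users:(("telnetd",pid=700,fd=3))
udp   UNCONN 0      0           0.0.0.0:111       0.0.0.0:*     users:(("rpcbind",pid=600,fd=5))
"""

# Policy for this host: (proto, port) -> addresses it may bind to. "any" means
# binding to all interfaces is acceptable; otherwise the bind address must match.
ALLOWED = {
    ("tcp", 22): {"any"},            # SSH for administrators
    ("tcp", 1521): {"10.0.5.12"},    # DB listener: internal NIC only, never 0.0.0.0
    ("tcp", 5500): {"127.0.0.1"},    # web admin console: loopback only
}

# proto, state, recv-q, send-q, local addr:port, peer, users:(("name",...
LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(text: str):
    """Parse `ss -tulpn` lines into Listener records; the header and any line
    without a process name are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return found


def audit(listeners, allowed=ALLOWED):
    """One finding per listener that is either absent from the policy (an
    unneeded service to disable) or bound more widely than the policy allows."""
    findings = []
    for lsn in listeners:
        policy = allowed.get((lsn.proto, lsn.port))
        if policy is None:
            findings.append(f"unexpected service: {lsn.process} on "
                            f"{lsn.proto}/{lsn.port} ({lsn.addr})")
        elif "any" not in policy and lsn.addr not in policy:
            findings.append(f"over-exposed: {lsn.process} on {lsn.proto}/{lsn.port} "
                            f"bound to {lsn.addr}, policy allows {sorted(policy)}")
    return findings


if __name__ == "__main__":
    # Live use:  ss -tulpn | python3 audit.py --stdin
    text = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_SS_OUTPUT
    for finding in audit(parse_ss(text)):
        print(finding)
```

Against the constructed sample it reports three findings: telnetd and rpcbind as services the policy never sanctioned, and the Oracle listener as over-exposed because it's bound to 0.0.0.0 rather than the internal interface. SSH and the loopback-only console pass. The column layout is that of `ss`; `netstat -tulpn` prints a similar but not identical table, so the regular expression would need adjusting for it.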

Wednesday, January 17, 2007

New OWASP Testing Guide Available

The Open Web Application Security Project (OWASP) came out with version 2 of its testing guide last week.

OWASP is a leader in providing information about web application security. This is very timely, since the bulk of attacks against applications now come through their web front ends.

This is one of the fastest growing areas of interest in computer security at the moment. That doesn't appear to be changing any time soon.

Instructions for commenting on the latest OWASP testing guide are on their web site.

There is a list of other web and application security resources on my site, as well. Click on Programming in the left-hand navigation for the list.

Monday, January 15, 2007

Encryption Tools and Resources

I've come across some interesting encryption tools, some free, and resources that I'd like to share:

Tools
  1. TrueCrypt
  2. AxCrypt
  3. Cypherix
Resources
  1. CryptoDox Free Encyclopedia of Cryptography
  2. PwdHash Web Password Hashing
  3. Illustrated Guide to Cryptographic Hashes
These have also all been added to my web site. Click on Tools and then Tools II in the footer.

Sunday, January 14, 2007

Real Time MITM for OTPs is Now Real

This had been predicted for a long time, but it's finally become an automated attack rather than a lab simulation. There was an article in Finextra this week about Man-In-The-Middle (MITM) phishing kits for sale on the web.

Authentication credentials are stolen through a phishing site, usually reached from a link in a spam e-mail. The kit sets up a phony site that sits between the user and the real bank's web site and talks to both. As with other phishing attacks, the user is asked to enter their login credentials, whatever they may be: user ID, password and even the current One-Time Password (OTP) token value.

The difference is that the kit immediately and automatically logs on to the real web site with the credentials as they are typed, so the OTP is still valid when the attacker uses it, and the attacker (the man in the middle) ends up with a live session on the user's account from which to move funds out. Earlier phishing sites just gathered static credentials for later use by criminals, which is exactly what a one-time password defeats; relaying in real time is how the kit gets around it.

The other danger is that the kit is generic yet customizable, so a crook has a base to work with but can tailor it to any target financial institution. It can also be customized to gather whatever authentication credentials that institution asks for, not just a user ID and password.
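To make the difference concrete, here is an added example, not code from the original post, the Finextra article or any real kit, that simulates the three situations in Python: a harvested one-time password replayed later, the same password relayed to the bank in real time, and the relay tried against a bank that requires the customer's token to sign the transaction details. The bank, the customer alice, her password and seed, the attacker account mallory and the amounts are constructed; the OTP is RFC 4226 HOTP, extended with a transaction-data input as a simplified stand-in for a transaction-signing token.

```python
"""Real-time MITM phishing kit against a one-time-password login, and the
transaction-signing countermeasure.  Added example, not code from the Finextra
article or the kits it describes; bank, users, seed and amounts are constructed."""
import hashlib
import hmac
import secrets


def hotp(seed: bytes, counter: int, extra: bytes = b"", digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1 over an 8-byte counter, dynamic truncation).
    Non-empty `extra` binds the code to transaction data: a simplified signing token."""
    mac = hmac.new(seed, counter.to_bytes(8, "big") + extra, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Token:                      # the customer's OTP token; shares seed/counter with the bank
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def login_code(self) -> str:
        self.counter += 1
        return hotp(self.seed, self.counter - 1)

    def sign(self, dest: str, amount: int) -> str:   # code bound to the intended payee/amount
        self.counter += 1
        return hotp(self.seed, self.counter - 1, f"{dest}:{amount}".encode())


class Bank:
    def __init__(self, require_txn_signing: bool):
        self.require_txn_signing = require_txn_signing
        self.accounts = {"alice": 1000, "bob": 0, "mallory": 0}
        self.creds = {"alice": ("hunter2", b"alice-seed")}   # (password, OTP seed)
        self.counters = {"alice": 0}
        self.sessions = {}

    def _check_code(self, user: str, code: str, extra: bytes = b"") -> bool:
        """Accept the next code in a small look-ahead window, never an old one."""
        seed = self.creds[user][1]
        for c in range(self.counters[user], self.counters[user] + 3):
            if hmac.compare_digest(hotp(seed, c, extra), code):
                self.counters[user] = c + 1     # consumed; a replay will fail
                return True
        return False

    def login(self, user: str, password: str, code: str):
        if user not in self.creds or self.creds[user][0] != password:
            return None
        if not self._check_code(user, code):
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid

    def transfer(self, sid: str, dest: str, amount: int, txn_code: str = "") -> bool:
        user = self.sessions.get(sid)
        if user is None or dest not in self.accounts or self.accounts[user] < amount:
            return False
        if self.require_txn_signing and not self._check_code(user, txn_code, f"{dest}:{amount}".encode()):
            return False
        self.accounts[user] -= amount
        self.accounts[dest] += amount
        return True


class MitmKit:
    """The phishing page: relays whatever the victim types to the real bank at once."""
    def __init__(self, bank: Bank, payout: str = "mallory", amount: int = 500):
        self.bank, self.payout, self.amount = bank, payout, amount

    def harvest(self, user: str, password: str, code: str, txn_code: str = "") -> bool:
        sid = self.bank.login(user, password, code)      # the OTP is still fresh
        if sid is None:
            return False
        # The victim believed she was paying "bob"; the kit swaps in its own payee.
        return self.bank.transfer(sid, self.payout, self.amount, txn_code)


def scenario(require_txn_signing: bool) -> dict:
    bank = Bank(require_txn_signing)
    token, kit = Token(b"alice-seed"), MitmKit(bank)
    # 1. Old-style phishing: harvest now, use later; the victim's own login consumes it first.
    stale = token.login_code()
    bank.login("alice", "hunter2", stale)
    stale_ok = bank.login("alice", "hunter2", stale) is not None
    # 2. Real-time relay: the kit uses the fresh code the moment it is typed.
    fresh = token.login_code()
    txn = token.sign("bob", 500) if require_txn_signing else ""
    relay_ok = kit.harvest("alice", "hunter2", fresh, txn)
    return {"stale_replay_works": stale_ok, "realtime_relay_works": relay_ok,
            "mallory_balance": bank.accounts["mallory"]}


if __name__ == "__main__":
    print("login-only OTP     :", scenario(False))
    print("transaction signing:", scenario(True))
```

With the login-only bank the stale replay fails but the real-time relay succeeds and 500 lands in mallory's account. With transaction signing required, the relay still logs in (the login OTP is genuinely valid) but the transfer is rejected, because the code the victim generated was bound to "bob:500" and the kit substituted its own payee. That is the design lesson for the token vendors and banks: a login OTP proves the user is present, not that they approve what the session then does, and only binding the code to the payee and amount (or an out-of-band confirmation that shows them) stops a live man in the middle.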

I wrote an article for TechTarget about OTP best practices in September of last year. I mentioned a recent MITM attack against tokens but also cautioned that this was an isolated instance. I said the real danger was when these things become both real time and automated. That time has now arrived.

Bruce Schneier first warned about MITM attacks against OTPs in his now famous post in 2005 and then again last year after an attack.

Up-To-Date PHP Security Sites

A friend of mine who is an IT professor and developer mentioned to me that the PHP Security site on my personal web page was dated. When I took a look, I noticed that it hadn't been updated since last October.

Then he forwarded two other more recent PHP security sites that I'd like to share:
  1. PHP Security Blog
  2. Hardened-PHP Project
I'm keeping the old PHP Security link on my site. I still like it since it has some useful information about PHP security and good overall security tips.

PHP gets criticized a lot for its security, but it's a programming language like any other: every language has its holes, and an application written in PHP can be made secure if it's coded with care (validating input, escaping output and keeping the interpreter patched).

Winter 2600 Now on Newstands

The Winter 2006-07 issue of 2600 just came out this week. It's about two weeks early, but who's complaining?

It's also a little thicker, I noticed, with a glued binding instead of the old stapled binding they've had for centuries. They also increased the price -- no big deal either -- and apologized profusely in a long explanation in the introduction. In my mind, the price increase is small, especially for information you can't get anywhere else.

Here's a sampling of the goodies in this issue:

  • Wi-Fi hunting
  • Bypassing DoD's SmartFilter
  • Red boxing
  • Getting around cable/DSL lockdowns
  • Novell exploits
  • Circumventing Chinese Internet censorship
  • Hacking a North Korean web site

Another winning issue with great stuff. Hats off to 2600 again!

Thursday, January 11, 2007

More on Passwords from Fred Langa

Fred Langa recently merged his outstanding computer tip newsletter, Langa's List, with Windows Secrets.

He recently had two interesting articles on passwords:

An explosion of info on passwords

How to ease your password hassles

Schneier on Choosing Passwords

Bruce Schneier had an interesting post on his blog today about choosing passwords. Schneier has always challenged the conventional wisdom about how passwords are used. He has also, in some of his posts, sided with the critics of things like two-factor authentication.

What I like about Schneier's view of the security world is that he really understands the people side of the equation. He came from a hardcore techie background as a cryptographer but has gone beyond that to see the non-technical aspects of both IT and physical security.

A lot of his stuff too is just plain common sense about security.

Tuesday, January 09, 2007

My SearchSMB Article on Two-Factor Authentication

My article on two-factor authentication best practices for SMBs came out in SearchSMB yesterday.

It was in their Weekly Tech Advice newsletter.

Friday, January 05, 2007

Real Life ID Theft Story

Baseline magazine had an interesting article last month about the loss of data on 365,000 patients at Providence Health. The story was very detailed about how the hospital handled the breach and was still sued by affected patients.

Those involved in the suit set up a web site to keep track of the case. I added a link on my personal web site. Click on Scams in the left hand navigation and then Providence on the list that appears.

Baseline had some related stories about medical ID theft in the same issue. Medical ID theft is a growing problem with the potential for victims to lose insurance benefits.

TechTarget's Eight Top Security Events for 2006

My piece about the top eight information security events of 2006 came out yesterday on TechTarget's Threat Monitor newsletter.

Wednesday, January 03, 2007

Article and Sites on Protecting Kids Online

There was an interesting article in yesterday's New York Times about young people using sites other than YouTube for posting less than savory videos. YouTube has strict rules prohibiting, for example, nudity and violence.

But the real focus of the article was child safety on the Internet, and it mentioned an organization, Enough is Enough, that runs two interesting web sites: its own and ProtectKids. Both have a lot of good tips for protecting kids online and are good resources on Internet safety in general.

Technology is only part of information security. A good chunk of it is still a people problem.

Monday, January 01, 2007

Microsoft MVP for 2007

I got a pleasant surprise this morning when I checked my e-mail. My status as a Microsoft Most Valuable Professional (MVP) was renewed for 2007.

I became an MVP last year in developer security.

What a great way to start out the New Year!

A Happy New Year to all.