Fixing the DNS Flaw Yourself at Home

Here's a brief howto from Preston Gralla on how to fix the DNS cache poisoning flaw for home users.

Actually, it's pretty simple. He just explains, with screen shots, how to configure your computer to use the DNS servers at OpenDNS, which, of course, have already been patched.

Report on Banking Web Sites is Flawed

In a recent blog post, I cited a study by researchers at the University of Michigan, saying 75% of banking web sites had design flaws, making them vulnerable to hackers.

In a recent article by Larry Seltzer of eWeek, he said the findings from the study, which came out in 2006, are outdated. He said the results were either not relevant any more -- such as insecure login pages not using https -- or not real threats -- non-https Contact Us pages.

He goes through the rest of the report point-by-point and makes some interesting points.

The DNS Flaw and You

Not to make light of the DNS flaw uncovered by Dan Kaminsky, but the bulk of the issue rests with your ISP. It's not something you can fix on the client side.

Kaminsky was quoted on NPR with advice on testing your ISPs DNS servers. Here are some other thoughts on what to do from Computer World.

Odds and Ends: iPhone Phishing and Gmail Encryption

Security researcher Aviv Raff has uncovered URL spoofing vulnerability in the iPhone's mail and Safari applications that could be used for phishing attacks against iPhone users.

Raff is withholding technical details, pending a fix by Apple, but the issue was also reported by Finextra.

In other web security news, Google has added encryption to its Gmail program. It basically adds https to the e-mail program. Why didn't they just add https for all their e-mail? It would make Gmail too slow, according to the Google Gmail blog.

Your Guide to the Latest on the DNS Flaw

There's already been a lot of ink on the infamous DNS flaw uncovered recently by researcher Dan Kaminsky. So, rather than rehash what everybody else has written, I've assembled links to some of the more interesting items I've seen in both the mainstream and trade media on the subject.

Think of this as a guide, or chronology, if you will, to the latest developments in the DNS crisis:

July 22
This is a story from eWeek about the exploit being accidently released. Here's a recommendation from Chris Pirillo the same day with a video from Dan himself:

July 23
CSO Online had this news item warning that hackers are gearing up to develop attack code based on the exploit, and Bill Brenner agreed, saying this isn't the usual FUD from the security community, but something of real concern. Greg Hughes chimed in on Lockergnome.

July 24
Heise Security reports that attack code for two exploits has already been released, and Computer World mentions that the exploits were developed by HD Moore.

July 25
The BBC reports that attacks have already begun.

In between, DNS-OARC reports about the issue on its site and has a graphical tool to check for it.

Biometrics Security School on TechTarget

My Biometrics Security School came out this week on SearchFinancialSecurity.com, one of TechTarget's newer newsletters.

There are four parts to the series, including a tip, a webcast, a podcast and a quiz:

1) Integrating biometric authentication with Active Directory
2) Biometrics: Taking authentication to the next level
3) Demystifying biometrics: What's real, what's right and what's next?
4) Fact or fiction: Biometrics myths and mantras

Ask The Expert on Identity and Access Management

Here's the answers to a bunch of new questions posed to me by TechTarget as their IAM Ask The Expert:

How to prevent hack attacks against smart card systems.

For a small office, what are the best, least expensive office servers with secure access?

What are the pros and cons of using stand-alone authentication that is not Active Directory-based?

Should users set up password expiries in Active Directory?

How to conduct an efficient and thorough employee access review.

Enjoy!

Insider Threats, Rogue Admins and San Francisco

There's been a lot of press about the recent arrest of a sys admin from the City of San Francisco locking up the network and refusing initially to release the passwords.

But, the core issue, as others have said, as well, is the question of insider threats. Though we don't have all the details, it seems there was too much access given to one person and it was unchecked and unsupervised. There were violations of the Principle of Least Privilege, inadequate separation of duties, inadequate change control procedures and no back up admin to take over.

The issue boiled down to inadequate access controls. Computer World and eWeek offered some tips. M. E. Kabay, in his Security Strategies Alert newsletter on Network World, cited a survey from Cyber-Ark, a vendor specializing in privileged access management tools.

Banking Web Sites Still Insecure

This should, of course, come as no surprise to anybody in IT security, particularly those specializing in protecting web sites. But a study released by researchers at the University of Michigan says 75% of banking web sites have design flaws that open online customers to cybercriminals, according to Finextra and CNET.

Now, make a note. The study talked about design flaws, not necessarily coding flaws. Of course, these design flaws are coded into the web sites, but they're not really coding flaws in the way OWASP would see them. They're flaws in the flow and layout of the sites that can lead to exploitation.

They include things like putting logins and contact information on insecure -- meaning non-SSL -- pages, allowing weak user IDs and passwords and weak authentication (an OWASP biggie), and redirection of sites to domains outside the bank without warning.

The fully study can be found here.

Free Tool for Vulnerable DNS Servers

The DNS tool web site, DNSstuff, released a tool last week for checking DNS servers for the infamous protocol flaw uncovered about two weeks, according eWeek.

DNSstuff offers a bunch of nifty free tools for checking DNS servers, including the DNS Vulnerability Checker. There are also tools on steroids for a fee.

Cybercrime Mafia Structure Revealed

Online crime is becoming a highly structured into Mafia-like organizations, according to this tidbit from CSO Online, reporting on new report from Finjan.

The article notes that criminal hackers are becoming less independent and coalescing around structured organizations. But these organizations are tight-knit with small groups. What is happening is that there are now a lot of these gangs.

And, of course, in line with the times, they're fluid and less hierarchical but still structured, of course, just with clear divisions of labor.

Tracking Stolen Laptops: New Open Source Tool

Here's a brand new tool for tracking stolen laptops. The software is called Adeona and works with the OpenDHT distributed storage service connected to a client the user downloads to their laptop. It updates the location of the laptop on servers on the Internet by sending anonymous encrypted notes.

But, best of all, it's open source, which means free. And, free, as we all is know, is always in the budget.

It was also the subject of an article in CSO.

Mitnick's Five Lessons About Computer Security

Kevin Mitnick, one of the most famous hackers of all time, in an interview with CIO magazine, gave five things he has learned about computer security:

1) Hacking wasn't always illegal.
2) Learn the rules before you play the game.
3) Not everyone takes security seriously.
4) Use your powers for good, not evil.
5) Even hackers get hacked.

What struck me was number 3 about not everyone taking security seriously. Mitnick, who now runs his own IT security consulting outfit, said he has done security assessments for one client over the past several years, and he's still able to get in their systems the same way over and over again. Some people never learn, I guess.

Watch For Trojan Deliveries by UPS

This is a textbook example of social engineering using a phishing site. It starts as ane e-mail from UPS about a package delivery and has an attachment with a supposed "invoice."

The invoice, of course, is a Word document with a password-stealing Trojan.

Details are in this SC Magazine article, which says the Trojan runs undetected in the background by replacing an operating system file.

IT Security Tips When Going Global

Here's a nice little piece in SC Magazine with some IT security tips for companies working globally. The piece, by Rob Pfrogner, security services product manager at Virtela Communications, breaks down the issues into physical, logical and personal.

He just doesn't focus on technical fixes but on the whole picture. Physical security might be strong, and technical controls in place, but if the users don't respect access controls, or are compromised, the show is over.

Security on Tight Budgets in Lean Times

CIO magazine had this interesting article on their web site last week about running an IT security department when times are tough -- like now -- on thin budgets.

The article pointed out, among other things, that security professionals shouldn't get complacent about their jobs. Even though their function is important, when cuts come, they can be axed too. This is counterintuitive to the fact security spending should actually be increased in lean times, when desperate people are more likely to try hanky panky.

But the key message of the article was that if staff is light, then make everybody a security professional, so to speak, through security awareness training and education. Make the rest of the staff your security eyes and ears.

Though a bit unrelated, it reminded me of the human side of security, which Bruce Schneier emphasized again in a recent interview for CSO online. He clearly explains his evolution from hardcore techie to security generalist, applying social sciences to security behavior. Interesting stuff.

ATM Vulnerabilities Plague Citibank

Citibank's ATMs are in the news again, but this time -- though details are still scarce -- for some basic security issues.

So far, the speculation is that there could have been, at least, among others, two security issues. Unencrypted PINs transmitted from the ATMs to back end servers, and insecure servers themselves.

What makes this interesting, if its due to these two causes, is that the ATM machines themselves weren't tampered with, as has happened in the past.

Citibank's ATMs were also the subject of a recent Wired article.

Trends in Identity and Access Management

This must be my lucky day at TechTarget. My second article of the day came out, this one on trends in identity and access management.

It's part of a new newsletter they're launching about IAM.

Guide to SOA Security

Here's a piece I wrote for TechTarget's SearchFinancialSecurity site about securing service oriented architecture (SOA).

I basically broke it up into three pieces: the security of the components of the SOA system themselves, authenticating the components through the system and securing the connections between the components.

Enterprise Role Management Article

My article on enterprise role management (ERM) came out today on TechTarget's SearchSecurity web site.

I gave a brief explanation about ERM with some best practices and vendors.

IT Security Risk Assessments for Dummies

This is a piece I wrote that came out today in SearchCIO-Midmarket about cheap and simple security risk assessments for smaller companies.

Web Application Security Today is Inadequate

This is a real nice piece from CSO last week about the state of web application security. It was written by Jeremiah Grossman, founder and CTO of WhiteHat Security, a web vulnerability testing firm.

Basically, in a nutshell, Grossman says we're at the same place today with application security that we were at with network security ten years ago. Back then, firewalls were new, not widely used and patch management was an afterthought. Today, the world is different. It would be hard to find any company or organization without a firewall or patching program.

As a result, network attacks are pretty rare, while application attacks are all the rage. Grossman cites a Gartner study saying that 75 percent of breaches are due to application flaws, yet 90 percent of security spending is still on traditional perimeter security.

None of what Grossman is saying is news. Everybody in IT security has already heard this. But I liked his article because it did an outstanding job of summarizing the issue, highlighting application security threats, explaining how it's not being addressed fully and then offering some solutions.

Hot Items from Summer 2600 Magazine

The summer edition of the famed hacker quarterly, 2600, has already hit the newstands, even before being announced on the magazine's website.

There were four articles that caught my attention this time: two about wireless security -- an article about hacking wireless networks with Windows (page 10) and another about catching freeloaders trying to use your wireless network (page 24) -- an Hping tutorial (page 20) and a way to crack hashes with Google (page 48).

The magazine now also has an online respository for code from articles back to 2004.

Enjoy!

PCI to Include Unattended POS Devices

Have you ever wondered when you pump gas, if the card reader on the pump could be stealing your credit card number? Well, the Payment Card Industry (PCI) Security Standards Council sought to alleviate that fear this week with additional security guidelines for unattended payment devices, like those in kiosks, stores and gas stations.

Basically, according to a council press release, the devices will have to have the same level of protection for account numbers as POS devices manned at checkout counters in stores. These protections include not storing account numbers and PINs and encrypting them in transit.

Web App Firewalls the Rage for PCI 6.6 Compliance

The deadline for complying with Section 6.6 of the Payment Card Industry Data Security Standard (PCI DSS) passed this week. Before June 30, its two alternatives -- web application firewalls or code reviews -- were only a recommendation.

Making it an either-or proposition is sort of silly. It should really be based on a risk assessment and vulnerability testing of the web application. In some cases, securing the web application could be both alternatives together or, maybe, neither.

It seems that many companies are choosing the easier way out, rather than the right way out, and opting for web application firewalls.

Now, here's a nice companion guide from the PCI council itself, clarifying the two Section 6.6 alternatives. After reading this, it's not as scary as it seems. In some cases you can use web scanning tools, like AppScan and WebInspect, which are reasonably priced and easy to use.

Let's Get Physical: Social Engineering and Security

This is a real interesting item from Dark Reading about social engineering scams where fraudsters basically just walk into banks and steal data -- not from computers but paper right off people's desktops. Posing as consultants, they come in and take their pick of what may be lying around.

The article says too many banks are beefing up online and web security, which is still important, but are still vulnerable on the old fashioned physical security front.

Study Cites Risk Management as Key

Risk management is the key to information security, according to the 2008 Information Week Strategic Security Survey.

The idea is to "focus on the value of data and how likely it is to be compromised, rather than on how the compromise might occur." In other words, assess the risk first, then figure out the technical fix second.

Throwing on technical controls willy-nilly without regard to the level of risk doesn't make sense . It can be costly and hinder the business -- ultimately, turning them against the security they really need.

High risk data on laptops, for example, that might leave the office requires stronger controls than, say, an isolated desktop not connected to the Internet with little customer data.