cissp CISSP training Certified Information Systems Security Professional

Insecure Magazine issue 27 has been released

Posted by cdupuis — 2010-09-01T20:13:58-04:00

(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics.

DOWNLOAD ISSUE 27 HERE (September 2010)

Issue 27 has just been released. Download it from:
http://www.insecuremag.com

The covered topics include:

- Review: BlockMaster SafeStick secure USB flash drive
- The devil is in the details: Securing the enterprise against the cloud
- Cybercrime may be on the rise, but authentication evolves to defeat it
- Learning from bruteforcers
- PCI DSS v1.3: Vital to the emerging demand for virtualization and cloud security
- Security testing - the key to software quality
- A brief history of security and the mobile enterprise
- Payment card security: Risk and control assessments
- Security as a process: Does your security team fuzz?
- Book review: Designing Network Security, 2nd Edition
- Intelligent security: Countering sophisticated fraud
____________________________________________________

(IN)SECURE Magazine is supporting the following industry events:

SOURCE Barcelona 2010
Barcelona, Spain, 21-22 September 2010.
Use discount code SOURCEHN10 to get 15% off your ticket price.
http://www.sourceconference.com

Brucon 2010
Brussels, Belgium. 24-25 September 2010.
http://www.brucon.org

InfoSecurity Russia 2010
Moscow, Russia. 17-19 November 2010.
http://www.infosecurityrussia.ru

RSA Conference Europe 2010
London, United Kingdom. 12-14 October 2010.
http://bit.ly/rsa2010eu

__________________________________________________

Visit the (IN)SECURE Magazine web site at:
http://www.insecuremag.com

Subscribe to our RSS feed at:
http://feeds2.feedburner.com/insecuremagazine

Daily security news RSS feed:
http://feeds2.feedburner.com/HelpNetSecurity

Help Net Security on Twitter:
http://twitter.com/helpnetsecurity

Contact:

- For information on contributing to (IN)SECURE Magazine, please contact Chief Editor Mirko Zorz at editor( at )insecuremag.com
- For marketing inquiries do contact Marketing Director Berislav Kucan at marketing( at )insecuremag.com

September issue of Hakin9 magazine: Mobile Malware � the new cyber threat

Posted by cdupuis — 2010-08-31T09:40:26-04:00

September issue of Hakin9 magazine:
Mobile Malware – the new cyber threat

New issue of Hakin9 magazine already available!

Inside:

Mobile Malware – the new cyber threat
Botnet: The Six Laws And Immerging Command & Control Vectors
Hacking Trust Relationships – Part 2
Web Malware – Part 2
Defeating Layer-2 – A ttacks in VoIP
Armoring Malware: Hiding Data within Data
Is Anti-virus Dead? The answer is YES. Here’s why…

Download your copy NOW -- Click HERE

Mobile Malware – the new cyber threat
Julian Evans
Mobile phone malware first appeared in June 2004 and it was called Cabir. The mobile-phone features at most risk are text messaging (using social engineering), contacts list, video and buffer overflows. GSM, GPS, Bluetooth, MMS and SMS will indeed be some of the attack vector to expect this year and beyond.

Botnet: The Six Laws And Immerging Command & Control Vectors
Richard C. Batka
New BotNet communication vectors are emerging. The industry is not prepared. For the next 20 years, BotNets will be what viruses were for the last 20.

Hacking Trust Relationships – Part 2
Thomas Wilhelm
This is the second article in a series of six that covers the topic of hacking trust relationships. This article focuses specifically on Vulnerability Identification against a target system, in order to identify and exploit potential trust relationships.

Web Malware – Part 2
Rajdeep Chakraborty
In the previous section of the article Web Malwares (Part 1) we discussed various statistics that showed us the increase of Web Malware activity in recent years and why the focus of Malware authors has changed from creating havoc in the infrastructure to infecting the endpoints for various other henious purpose, we have seen it all. Once we are aware of these facts and figures, in the next section we will look into the technical Details of Web Malwares (Part 2).

Defeating Layer-2 – A ttacks in VoIP
Abhijeet Hatekar
ARP Poisoning and other Layer 2 attacks are present since many decades now and one may think that they are absolute. However, we still see them quite often on the network. The biggest advantage is easy access to sensitive information like passwords, credit card details, phone conversations etc.

Armoring Malware: Hiding Data within Data
Israel Torres
We are receiving malware daily via hundreds of facets that the Internet enables with various services; most common are via e-mail and web surfing. At any one time you can be sitting idly on the ‘net when you are presented with something that could be malicious either overtly or covertly. We’ll play through the scenario of where you’ve discovered a binary on your network and unsure of it’s purpose... and then reveal how it was done.

Is Anti-virus Dead? The answer is YES. Here’s why…
Gary Miliefsky
There have been billions of dollars in damages caused by exploiters on the Internet. These exploiters are intelligent cyber terrorists, criminals and hackers who have a plethora of tools available in their war chest – ranging from spyware, rootkits, trojans, viruses, worms, zombies and botnets to various other blended threats. From old viruses to these new botnets, we can categorize them all as malware.

Hakin9 magazine is also available in German.
Download here

Contacts Us

editors@hakin9.org
Editor-in-Chief
Karolina Lesińska
karolina.lesinska@hakin9.org

£2.28 million fine for Zurich Insurance's data loss

Posted by cdupuis — 2010-08-30T06:03:38-04:00

Zurich Insurance's UK branch has been fined £2.27 million by the Financial Services Authority (FSA) as punishment for losing the details of 46,000 customers.

Zurich lost an unencrypted backup tape which contained the data while it was being transferred to a South African data storage centre in 2008. The records included customer identities, bank account, credit card and other financial information.

The company did not become aware of the loss until a year later. The fine is, to date, the largest company fine for a single data loss although HSBC were fined £3 million in 2009 for a number of separate losses of customer data.

Because the company agreed to settle early on in the investigation by the FSA, the fine was reduced by 30%.

Without that cooperation the fine would have been £3.25 million. Margaret Cole, the FSA's director of enforcement and financial crime said the company had "let it's customers down badly" noting that the company failed to effectively oversee its outsourcing and lacked full control of the data being processed in South Africa.

"Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made" added Cole. The FSA say that, according to Zurich UK, there is no evidence that the lost data has been misused.

Bank fined 9.7 Millions over poor Governance

Posted by cdupuis — 2010-08-29T23:41:56-04:00

Note from Clement:

This shows clearly that IT security is NOT only a technical issue. If management fail to exercise due care and due diligence and play the role they are supposed to, they will be find guilty and will pay the price dearly. In this case it is the law that caught them but the next time it might be a large scale compromise. You have to implement proper security and that include audit, enforcement, and constant review. See the article below:

Bank fined $9.7m over poor IT governance

Liam Tung | Aug 5, 2010 9:22 AM

RBS' IT systems could have let fraud go unmonitored.

UK financial services regulator the Financial Services Authority [FSA] has fined the Royal Bank of Scotland (RBS) £5.6 million (A$9.7 million) for implementing shoddy IT systems which left it in breach of the country’s money laundering laws.

The bank had implemented its treasury IT system in 2006, which was meant to screen incoming and outgoing cross-border payments.

According to the FSA, RBS neglected to check the accuracy of the systems since its implementation.

“After the initial set up, the results produced by the screening filters were not routinely reviewed or monitored by RBSG to ensure that they were appropriate.

"This meant that over time the ‘fuzzy matching’ parameters initially set by RBSG became significantly less effective at identifying potential matches,” the authority said in its decision notice this week.

For two years the bank failed to screen a single incoming payment from a foreign source. It also missed the bulk of outgoing payments by its customers, except those destined for the US.

“RBSG’s automated screening failed to screen the majority of trade finance SWIFT messages generated in the international trade transactions that it carried out,” said the FSA.

Under UK laws financial institutions are meant to match customer transactions to the government’s treasury list, known as Her Majesty’s Treasury. The Treasury’s Asset Freezing Unit (AFU) maintains a list of people identified by the United Nations, the European Union and the UK. If the financial institution identifies a transaction that may correlate to a person on that list, it must stall the payment until it determines whether it is an exact match. If it is the bank should alert the AFU.

The FSA said it could have fined RBS $13.8 million, but offered RBA a 30 percent discount for not challenging its decision.

Hackers blind quantum cryptographers

Posted by cdupuis — 2010-08-29T21:45:08-04:00

As seen on the NatureNews web site at:

http://www.nature.com/news/2010/100829/full/news.2010.436.html

Hackers blind quantum cryptographers

Lasers crack commercial encryption systems, leaving no trace.

Zeeya Merali

A way to intercept photons of light to create a security leak has been discovered.

Quantum hackers have performed the first 'invisible' attack on two commercial quantum cryptographic systems. By using lasers on the systems — which use quantum states of light to encrypt information for transmission — they have fully cracked their encryption keys, yet left no trace of the hack.

Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it. So, in theory, it is impossible for an eavesdropper to intercept a quantum encryption key without disrupting it in a noticeable way, triggering alarm bells.

Vadim Makarov at the Norwegian University of Science and Technology in Trondheim and his colleagues have now cracked it. "Our hack gave 100% knowledge of the key, with zero disturbance to the system," he says.

In standard quantum cryptographic techniques, the sender — called 'Alice' for convenience — generates a secret key by encoding classical bit values of 0 and 1 using two different quantum states of photons, or particles of light. The receiver, 'Bob', reads off these bit values using a detector that measures the quantum state of incoming photons. In theory, an eavesdropper, 'Eve', will disturb the properties of these photons before they reach Bob, so that if Alice and Bob compare parts of their key, they will notice a mismatch.

In Makarov and colleagues' hack, Eve gets round this constraint by 'blinding' Bob's detector — shining a continuous, 1-milliwatt laser at it. While Bob's detector is thus disabled, Eve can then intercept Alice's signal. The research is published online in Nature Phototonics today1.

Breaking the rules

The cunning part is that while blinded, Bob's detector cannot function as a 'quantum detector' that distinguishes between different quantum states of incoming light. However, it does still work as a 'classical detector' — recording a bit value of 1 if it is hit by an additional bright light pulse, regardless of the quantum properties of that pulse.

That means that every time Eve intercepts a bit value of 1 from Alice, she can send a bright pulse to Bob, so that he also receives the correct signal, and is entirely unaware that his detector has been sabotaged. There is no mismatch between Eve and Bob's readings because Eve sends Bob a classical signal, not a quantum one. As quantum cryptographic rules no longer apply, no alarm bells are triggered, says Makarov.

"We have exploited a purely technological loophole that turns a quantum cryptographic system into a classical system, without anyone noticing," says Makarov.

Makarov and his team have demonstrated that the hack works on two commercially available systems: one sold by ID Quantique (IDQ), based in Geneva, Switzerland, and one by MagiQ Technologies, based in Boston, Massachusetts. "Once I had the systems in the lab, it took only about two months to develop a working hack," says Makarov.

This is the latest in a line of quantum hacks. Earlier this year, a group led by Hoi-Kwong Lo at the University of Toronto in Ontario, Canada, also showed that an IDQ commercial system could be fully hacked. However, in that case, the eavesdropper did introduce some noticeable errors in the quantum key2.

Grégoire Ribordy, chief executive of IDQ, says that the hack of Makarov and his group is "far more practical to implement and goes further than anything that has gone before".

Both IDQ and MagiQ welcome the hack for exposing potential vulnerabilities in their systems. Makorov informed both companies of the details of the hack before publishing, so that patches could made, avoiding any possible security risk.

"We provide open systems for researchers to play with and we are glad they are doing it," says Anton Zavriyev, director of research and development at MagiQ.

Ribordy and Zavriyev stress that the open versions of their systems that are sold to university researchers are not the same as those sold for security purposes, which contain extra layers of protection. For instance, the fully commercial versions of IDQ's system also use classical cryptographic techniques as a safety net, says Ribordy.

Makarov agrees that the hack should not make people lose confidence in quantum cryptography. "Our work will ultimately make these systems stronger," he says. "If you want state-of-the-art security, quantum cryptography is still the best place to go."

References
1. Lydersen, L. et al. Nature Photonics advance online publication doi:10.1038/NPHOTON.2010.214 (2010).
2. Xu, F., Qi, B. & Lo, H.-K. Preprint at http://arxiv.org/abs/1005.2376v1 (2010).

Microsoft's Security Development Lifecycle (SDLC) under Creative Commons Li

Posted by cdupuis — 2010-08-29T21:30:18-04:00

As seen on the great H-Online web site at http://www.h-online.com/:

Microsoft's Security Development Lifecycle under Creative Commons License

Microsoft is to change the license for its process for developing secure software. In future, the company's Security Development Lifecycle (SDL) will be available under a Creative Commons license (Attribution-NonCommercial-ShareAlike 3.0 Unported). This should make it easier for others to use and distribute the principles behind SDL and for programmers to integrate SDL components into their own development processes. This has not previously been possible, as documentation and other SDL materials were under an exclusive Microsoft license which precluded such use.

The company hopes that the change will lead to more developers utilising the Microsoft process for developing software more securely across the entire product lifecycle. SDL can trace its origins back to a 2002 Bill Gates memo on "trustworthy computing". The resulting programme was intended to make security an integral part of the company's software development process and make its products more persistently secure. All Microsoft software since Windows Vista has been developed in accordance with SDL.

David Ladd, Principal Security Program Manager at Microsoft, has announced that the first two documents to be placed under the new license will be a white paper entitled "Simplified Implementation of the Microsoft SDL" and "Microsoft Security Development Lifecycle (SDL) – Version 5.0", a guide to how the company uses SDL in its product development. These can be expected within the next few weeks. According to Ladd, the company will also be going through other content on the SDL portal and relicensing it as appropriate. SDL tools are not affected by the licensing change, but will continue to use Microsoft licenses.

FREE Cisco CCNP TSHOOT Webcast

Posted by cdupuis — 2010-08-29T09:37:00-04:00

FREE Cisco CCNP TSHOOT Webcast August 31st, 2010 with expert trainer and best-selling Cisco Press author Kevin Wallace, see more info about Kevin and register now at:

http://promo.pearsonitcertification.com/pages/start/plp-webcast-home/index.html?Campaign_Id=262&Activity_Id=212

Kevin Wallace, expert trainer and best-selling author of the CCNP TSHOOT 642-832 Official Certification Guide and Network Troubleshooting Video Mentor, takes you on a tour of a troubleshooting scenario that is typical of what you might see on the CCNP TSHOOT exam. Kevin walks you through an HSRP trouble ticket. You will review the theory of HSRP followed by a live troubleshooting demonstration and concluding with a Q&A session.

Join us for this Free Pearson IT Certification / Cisco Press Webcast to gain unique insight into what you can expect on the CCNP TSHOOT exam! Register Now. Hope you can attend!

~Jamie

Jamie Adams, Senior Publicist

Representing technical brands of Pearson in networking technologies (IP Com, network security, storage), and all certifications including Cisco®, Microsoft and CompTIA.

Office: 317-428-3012

Twitter: @ciscopress, @pearsonitcert, and @jamieadams76

Facebook: facebook.com/ciscopress and other Pearson brands at informit.com/socialconnect.

LinkedIn: www.linkedin.com/in/msjamieadams.

A new advanced security certification from CompTIA -- Fill the survey

Posted by — 2010-08-27T22:15:40-04:00

A New Advanced Security Certification is on the way!

To Security Professionals – Important Request:

In case you did not know, I am a Founding Member of the CompTIA Security+ Cornerstone Committee. I am writing this blog to ask if you would complete an important survey because of your expertise in information security. CompTIA is developing a new advanced security certification exam to follow CompTIA Security+ (or equivalent experience) and we are seeking your input on the exam objectives. We hope you’ll appreciate how important your input is to the development of this certification, and ultimately to those who follow you in their security careers. Personally, I am excited by the cutting-edge objective set of the intended certification: It is up-to-date and pragmatic. It includes (speak of the devil) objectives related to:

Security and Social Media
Virtualized Desktops (VDI)
Insider Threat
802.1x
Fuzzing
And a plethora of deep, technical, scary stuff!

To begin this approximately ten-minute survey, please go here: https://s-xut5m-345723.sgizmo.com
In appreciation for your time and participation, CompTIA is giving away a CompTIA T-shirt to every 10th person who completes the survey.

CompTIA values your privacy. Results are completely anonymous and the data will only be viewed in the aggregate. Please complete by September 8, 2010.
Thank you very much for your participation.

Please contact research_at_comptia.org if you experience any technical difficulties with the survey.

Go ahead: support the community and get a free T-Shirt!

Barry Kaufman, CISSP, CEH, MCSE, ITILv3

Malware Contributed To Plane Crash

Posted by cdupuis — 2010-08-24T09:25:03-04:00

Investigation into Spanair flight 5022 finds that monitoring server had been disabled by Trojan application.

By Mathew J. Schwartz, InformationWeek
--> Aug. 23, 2010
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=226900089

Spanish authorities investigating the crash of Spanair flight 5022 in Madrid have found that malware may have contributed to the accident, which occurred two years ago, killing 154 people on board. Only 18 survived the crash and subsequent fire.

The Spanish agency charged with investigating the accident has listed the official cause as pilot error, because the pilots failed to extend the MD-80 airplane's takeoff flaps and slats, which would have helped the airplane to rise. Instead, the plane stalled just seconds after takeoff.

But the agency also found that a warning alarm meant to ensure that the pilots didn't leave the flaps and slats retracted failed to sound, and that the warning had failed to sound on two previous occasions.

According to Spanish daily El Pais, those failures, which were non-trivial, should each have been immediately logged in a maintenance system, which would have spotted the recurring fault and triggered an alarm at the airline's headquarters in Palma de Mallorca, keeping the plane grounded until the issue was fixed.

But authorities say that the maintenance system had been infected by a Trojan application, rendering the monitor useless. In addition, two engineers currently under investigation for manslaughter apparently failed to log the device faults, even though under company policies they were required to do so immediately. When they did attempt to enter the faults, the plane had already crashed, at which point they found that the monitoring system apparently wasn't working.

The judge, Juan David Perez, has demanded that the airline turn over copies of all entries in the maintenance system from the days before and after the crash.

"I am not a pilot, so I cannot speak with authority on how to fly a passenger airliner, but it seems clear to me that this accident was caused by the failure of a number of controls leading to a disastrous outcome," wrote Rick Wanner of the SANS Internet Storm Center, on his blog. "Clearly the SpanAir diagnostic system (a detective control) designed to detect anomalies in the airliners system failed, possibly due to a Trojan. Also it appears the pilots bypassed part of their pre-takeoff checklist, leaving the flaps and slats in a position not recommended for takeoff."

"This one all boils down to inadequate training and a lack of professional behavior," said a responder to Wanner's post, citing 25 years of jet avionics experience. "They had to have had ample indications that certain systems were not working, they didn't follow the checklists and they didn't abort when they failed to reach certain speeds at certain points during the takeoff roll."

Security Professionals� Salaries Up 6 Percent in 2010

Posted by cdupuis — 2010-08-19T21:35:48-04:00

As seen on the Security Product website at: http://secprodonline.com/

Security Professionals’ Salaries Up 6 Percent in 2010

Aug 10, 2010

The median compensation for security professionals in the United States increased 6 percent from 2009 to $93,000, according to the 2010 ASIS International “U.S. Security Salary Survey.” In addition, respondents who had a Certified Protection Professional (CPP) certification earned a median salary of $118,000.

Average compensation (sum of dollars divided by the number of respondents) was $108,000, a 5.5 percent increase over last year. 2010 marks a continuation of a 5-year trend in which average compensation for salaried security professionals has risen 19 percent from $88,000 in 2006 to the current $108,000.

Other findings from the 2010 survey include:

Salaries of those at the bottom-rung of earners -- those in the 10th percentile --rose from $46,000 in 2009 to $52,000 in 2010, and those at the top of the scale -- the 90th percentile -- saw their compensation increase from $163,000 to $180,000.
The Mid-Atlantic region continues to offer the security jobs with the highest compensation ($105,000 median), up 5 percent from 2009. Conversely, the Mountain and East South Central regions offer the lowest rates of compensation, and unlike every other region in which compensation rose, these regions show stagnant or dropping wages.
Information and Natural Resources and Mining tied for the highest average compensation. However, the Information sector saw the greatest increase with an average salary of $142,000, up 30 percent from 2009. Natural Resources and Mining, with an average salary of $142,000, suffered a 10 percent drop from 2009 average compensation levels of $151,000.
Federal government and law enforcement employees report an average salary of $114,000, and the highest median of any sector at $101,000.
Thirty-nine percent of this year’s respondents are top-level security professionals at their organization; this group earns an average salary of $123,000 and a median of $100,000.
Holding a core industry certification correlates to compensation substantially higher than the salaries of peers with no certification. Those holding the Certified Protection Professional (CPP) certification, administered by ASIS, for example, report an average compensation of $118,000, 18 percent higher than 2009, and a median salary of $100,000. Those with no certification reported an average compensation of $100,000 and a median salary of $85,000.
Education also correlates with compensation. Thirty-one percent of respondents hold a master’s degree and report a median compensation of $122,000.

More than half (58 percent) of the survey respondents work for privately held companies, a sector reporting an average compensation of $104,000 and a median salary of $90,000. Those working for publicly held (stockholder-owned) companies (27 percent of respondents) report the highest average compensation at $124,000, with a median of $100,000.

The survey examines trends in both average and median salaries, because the two measurements can offer different perspectives; the average is a total of all items in the sector divided by the count in the sample, while the median is the precise midpoint of the range of all items reported. All ASIS members employed in the United States were eligible to participate. The results are based on 784 participants who completed the survey. The survey collected data from the current and preceding years and breaks out responses in 11 industries and 9 geographic regions. Each section drills down into 18 specific factors that affect compensation.

The “U.S. Security Salary Survey” will be available in October for $135 to ASIS members and $195 for nonmembers. For more information, visit www.asisonline.org/.