Information Security News
In matters of food and wine, the Europeans have this concept of "AOC", based on the originally French "Appellation d'origine contrôlée". It means that, say, Bordeaux wine actually comes from there, and is not re-bottled Malbec from Patagonia. The point I'm trying to make, albeit poorly, is that it is sometimes important to know where things are coming from, which implies traceability to the source.
In matters of IT, we are currently losing this AOC. Only three years ago, we likely knew exactly, down to the server room cabinet and shelf, where our mail server was located. These days, with "cloud" services proliferating rapidly, we might know who *sold* us the service, but we only have a vague idea of its real origin or location.
The question recently came to light again when Codespaces (http://www.codespaces.com/) went down after a hacking attack back in June. As they say on their web page, "In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted". I wonder how many (if any) of Codespaces' customers had actually done the due diligence, while signing up, to determine that all of Codespaces' services were hosted at Amazon AWS, *including* the backups. That's AOC! You might know from whom you buy your SVN or GIT hosting, but - unless you negotiate hard, forbid any sub-subcontracting, and ruthlessly enforce your right to audit - you might never learn where your SVN/GIT hoster actually hosts the service. And, not even with your right to audit, will you ever find out where *that* hoster draws their services from. Because you don't have a contract relationship with the hoster (only with the SVN service on top), and if the hoster, at their discretion, decides that they can operate more cheaply by re-selling Virtual Machines from Patagonia instead of running their own ... that's what's going to happen.
If you like this concept, I have a stellar 1961 Bordeaux that I'm willing to part with for a good price. Please don't worry about the penguins and the Spanish language on the label :).
In all seriousness though - it is overdue that "cloud" providers provide a bit less cloud, and a bit more sunlight. It might hurt their bottom line a little, but the kind of "AOC" end-to-end transparency, with traceability to the source, is vital and paramount for the customer to assess and mitigate any resulting risk.
If you have any stories on how you determine the "AOC" of your penguin wine (or not), please share below.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The US Secret Service is warning hotel operators to be on the lookout for malware that steals passwords and other sensitive data from guests using PCs in business centers, according to a published report.
The non-public advisory was issued last Thursday, KrebsOnSecurity reporter Brian Krebs reported Monday. Krebs said the notice warned that authorities recently arrested suspects who infected computers at several major hotel business centers around Dallas. In that case, crooks using stolen credit card data to register as hotel guests used business center computers to access Gmail accounts. From there, they downloaded and installed keylogging software. The malware then surreptitiously captured login credentials for banking and other online services accessed by guests who later used the compromised PCs.
The report is a poignant reminder why it's rarely a good idea to use public PCs for anything more than casual browsing of websites. Even when PCs are within eyesight of a business center employee, librarian, or other supervisor, and even when they are locked down with limited "guest" privileges, there are usually a host of ways attackers can compromise machines running either Windows or Mac OS X. Krebs wrote:
Over the last couple of days, we have been seeing a number of quite credible-looking phishing emails that impersonate toll-road providers in the US. The agency affected by the current wave is E-ZPass, a toll charging system used mainly in the Northeast. Adapting the template to match the colors and fonts of other organizations, like Florida's SunPass, would be easy for the scammers to accomplish, though, so chances are that we will see more of this.
Since toll road agencies can impose stiff fines for violations or if road and bridge charges are not paid in time, people might fall for it and click on the link just to make sure. In the samples at hand, the link was pointing to www . ruckon . pl (spaces added to de-fang), and returned a ZIP with an EXE or directly an EXE. Hat tip to ISC reader Wayne for providing the latest sample.
If you receive similar emails that impersonate other toll road providers, please let us know.
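The two tells in the samples above, a link whose host has nothing to do with the impersonated agency and a download that turns out to be a ZIP or EXE, are easy to check automatically on inbound mail. The following triage script is an added example and is not code from the ISC diary or from E-ZPass; the sample message, the `BRAND_DOMAINS` list and the hostnames in it are constructed placeholders, and the de-fanging format mirrors the diary's "spaces around dots" convention.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message. It is not the ISC sample and the hosts are placeholders.
SAMPLE_EMAIL = """From: "E-ZPass Service" <notice@ezpass-billing.example>
To: driver@example.org
Subject: Indebtedness for driving on toll road #71345

Dear driver,
You have not paid for driving on a toll road. Please review the notice:
http://toll-notice.example/invoice_71345.zip
Regards, E-ZPass Service
"""

# A benign counterpart: link and sender both sit under the brand's own domain.
BENIGN_EMAIL = """From: "E-ZPass Service" <statements@ezpass.example>
To: driver@example.org
Subject: Your monthly statement is available

Your statement can be viewed at https://account.ezpass.example/statements/2014-07
"""

# Domains the impersonated brand legitimately uses (assumed placeholder list;
# a real filter would maintain one per brand it protects).
BRAND_DOMAINS = {"ezpass.example", "e-zpass.example"}

# A "review your invoice" link should never end in one of these.
EXECUTABLE_SUFFIXES = (".exe", ".zip", ".scr", ".js")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    """Return every http(s) URL found in a plain-text body."""
    return URL_RE.findall(body)


def host_matches_brand(host, brand_domains):
    """True if host is one of the brand domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def defang(url):
    """Make a URL safe to paste into a report, in the diary's 'www . host . tld' style."""
    url = url.replace("http://", "hxxp://").replace("https://", "hxxps://")
    return url.replace(".", " . ")


def triage(raw_message, brand_domains=BRAND_DOMAINS):
    """Flag a brand-impersonation mail whose sender or links fall outside the brand."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    reasons = []
    if not host_matches_brand(sender_domain, brand_domains):
        reasons.append("sender domain outside brand domains")

    findings = []
    for url in extract_urls(msg.get_payload()):
        parsed = urlparse(url)
        url_reasons = []
        if not host_matches_brand(parsed.hostname, brand_domains):
            url_reasons.append("link host outside brand domains")
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            url_reasons.append("link points at executable/archive")
        findings.append({"url": defang(url), "host": parsed.hostname, "reasons": url_reasons})

    suspicious = bool(reasons) or any(f["reasons"] for f in findings)
    return {"suspicious": suspicious, "sender_reasons": reasons, "findings": findings}


if __name__ == "__main__":
    for name, mail in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(mail))
```

The host comparison deliberately accepts only exact brand domains and their subdomains, so look-alikes such as `ezpass-billing.example` are flagged rather than matched by substring; the defanged URL is what would go into a report or a reader submission.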
For almost two years, Ars has advised readers to use a software-based password manager to ease the password fatigue that comes from choosing and securing dozens of hard-to-guess passcodes that are unique to each site or service. A research paper scheduled to be presented at a security conference next month underscores the hidden dangers of selecting the wrong products.
The researchers examined LastPass and four other Web-based managers and found critical defects in all of them. The worst of the bugs allowed an attacker to remotely siphon plaintext passcodes out of users' wallets with no outward sign that anything was amiss. LastPass and three of the four other developers have since fixed the flaws, but the findings should serve as a wakeup call. If academic researchers from the University of California at Berkeley can devise these sorts of crippling attacks, so too can crooks who regularly case people's online bank accounts and other digital assets.
"Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the Web authentication ecosystem," the researchers wrote in their paper, titled The Emperor's New Password Manager: Security Analysis of Web-based Password Managers (PDF). "After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop. Given the increasing popularity of password managers, the possibility of vulnerable password managers is disconcerting and motivates our work."
Oracle has released a preview of the patches to be released on Tuesday, July 15, 2014 (seen here); the update includes fixes for business-critical systems such as Oracle Database, WebLogic Server, and Fusion. The most concerning aspect of the majority of vulnerabilities discussed is the one phrase "may be exploited over a network without the need for a username and password". The most critical update, imho, that is being released Tuesday is the set of Java fixes (20 security fixes!), which give the vulnerability a pristine CVSS Base Score of 10!! Woohoo, way to go Oracle and Team Java!
But please don't take my word for all of this, go take a look for yourself, and see what the week ahead has in store.
tony d0t carothers --gmail
Posted by InfoSec News on Jul 14: http://www.dailymail.co.uk/news/article-2690798/Top-FBI-cybercrime-expert-discount-furniture-salesman-joining-thwarting-online-theft-fraud-worldwide.html
Certified pre-pw0ned devices are nothing new. We talked years ago about USB picture frames that came with malware pre-installed. But for the most part, the malware was added to the device accidentally, or for example by customers who later returned the device just to have it resold without adequately resetting/wiping the device.
But more recently, more evidence emerged that everything from network gear to inventory scanners may be infected deliberately in order to penetrate otherwise hard-to-reach networks. Typically, there is little a customer can do to verify that a device is not infected. Standard practices, like malware scanners and verifying installed software, don't always work if you don't have "shell access" or the ability to install software on the device.
This leaves careful network monitoring as one option to detect and disrupt command and control channels used by these devices. However, in order to do so accurately, it is important to characterize "normal" network traffic from the device, which can be challenging in particular if the device connects to cloud services for updates or intentional data exchange.
The large number of these devices entering our networks calls for a scalable solution. We can't add security devices and personnel proportional to the number of devices deployed. The security features included in these devices (host-based firewalls, encryption technologies, ability to manage and limit installed software/"apps") vary widely, and frequently there are no enterprise configuration tools available.
What kind of network segmentation and on-boarding procedure do you apply to new devices introduced into the network?
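To make the "characterize normal, then alert on deviation" approach from the diary concrete, here is an added example (not code from the ISC diary or from any device vendor) that learns each device's set of destinations from a baseline window of flow records and then reports two things against live flows: destinations the device never contacted during baselining, and connections to one destination at suspiciously regular intervals, the pattern a command-and-control check-in tends to show. The flow records, device names and hosts are constructed; the interval-regularity threshold is an assumption to tune per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, device, dst_host, dst_port, bytes).
# The baseline window is the on-boarding period in which the device is observed
# under controlled conditions; it already includes the vendor's cloud update host,
# so that legitimate cloud traffic is not flagged later.
BASELINE_FLOWS = [
    (1000, "scanner-01", "update.vendor.example", 443, 5200),
    (1600, "scanner-01", "inventory.corp.example", 8443, 900),
    (2200, "scanner-01", "update.vendor.example", 443, 5100),
    (2800, "scanner-01", "inventory.corp.example", 8443, 880),
    (3000, "scanner-02", "inventory.corp.example", 8443, 910),
    (3600, "scanner-02", "update.vendor.example", 443, 5150),
]

# Live window: scanner-01 keeps talking to the inventory server, but also starts
# contacting a host never seen in baselining, every 300 seconds like clockwork.
LIVE_FLOWS = [
    (9000, "scanner-01", "inventory.corp.example", 8443, 870),
    (9100, "scanner-01", "203.0.113.7", 443, 310),
    (9400, "scanner-01", "203.0.113.7", 443, 305),
    (9700, "scanner-01", "203.0.113.7", 443, 312),
    (10000, "scanner-01", "203.0.113.7", 443, 308),
    (10300, "scanner-01", "203.0.113.7", 443, 300),
    (10500, "scanner-02", "update.vendor.example", 443, 5120),
]


def build_baseline(flows):
    """Map each device to the set of (dst_host, dst_port) pairs it used while learning."""
    baseline = defaultdict(set)
    for _, device, dst, port, _ in flows:
        baseline[device].add((dst, port))
    return baseline


def detect(live_flows, baseline, min_hits=4, max_cv=0.1):
    """Return (kind, device, detail) alerts for new destinations and regular beacons.

    min_hits: minimum connections to one destination before beacon analysis runs.
    max_cv:   assumed threshold on the coefficient of variation of the gaps between
              connections; 0 means perfectly regular, human/browser traffic is far higher.
    """
    alerts = []
    reported_new = set()
    timestamps = defaultdict(list)
    for ts, device, dst, port, _ in live_flows:
        key = (device, dst, port)
        if (dst, port) not in baseline.get(device, set()) and key not in reported_new:
            reported_new.add(key)
            alerts.append(("new-destination", device, f"{dst}:{port}"))
        timestamps[key].append(ts)

    for (device, dst, port), stamps in timestamps.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            alerts.append(("beacon", device, f"{dst}:{port} every ~{avg:.0f}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(*alert)
```

The baseline here is a plain set of destination pairs, which is enough to show the idea; in production you would age the baseline, count bytes and volumes per pair, and expect cloud-connected devices to need a longer learning window and an explicit allow-list of vendor update hosts, which is exactly why the diary calls this characterization the hard part.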
Posted by InfoSec News on Jul 14: http://www.bnd.com/2014/07/12/3299436/scott-air-force-base-poised-for.html
Posted by InfoSec News on Jul 14: http://www.computerworld.com/s/article/9249690/Oracle_to_release_115_security_patches
Posted by InfoSec News on Jul 14: http://www.infosecnews.org/former-uic-accounting-students-alerted-to-2002-personal-security-breach/
Posted by InfoSec News on Jul 14: http://www.reuters.com/article/2014/07/14/insurance-cybersecurity-idUSL6N0PI3M820140714
Infosec still a concern for state's Auditor-General
Information security remains an area of concern for Queensland's Auditor-General, with the number of "significant control weaknesses" identified ...