InfoSec News

A serious bug that led to a series of fast-spreading worms on Twitter's website Tuesday had been fixed in August but was accidentally re-introduced.
 
Cloud computing, especially public cloud infrastructure-as-a-service, is not yet a reality for the vast majority of companies. Recent announcements from VMware, Citrix and Oracle, however, clearly show that enterprise cloud computing is gaining momentum.
 
Google has trotted out an interactive tool that it says shows government-induced blocks and disruptions of the search company's services.
 
In the last 14 months, the U.S. Department of Health and Human Services has awarded Verizon Business a string of network deals that will bring in more than $600 million to the carrier over the next seven years.
 
Videoconferencing has gone mobile. Anyone who has seen the recent iPhone commercials can attest that you no longer need "an app for that" – it's built in. But while individual consumers now have videoconferencing at their fingertips, many small and midsize businesses (SMBs) are still relying on different modes of communication.
 
A key Oracle executive declines to comment on the effort driven by Java founder James Gosling.
 
Verizon Wireless took more steps Tuesday to open its network for location-based applications by releasing a software developer kit.
 
Two U.S. lawmakers have asked the U.S. Federal Communications Commission to allow Internet-connected, electricity-monitoring devices to access unused television spectrum.
 
Verizon said that it will begin pushing updates to Droid X smartphones from Motorola on Wednesday.
 
AT&T is finally selling its satellite-3G smartphone, the TerreStar Genus, which can be switched from AT&T's network to a satellite for coverage all over the U.S.
 
A cross-site scripting Twitter attack could have been exploited to spread dangerous malware and steal user data, experts said.

 
Advanced Micro Devices on Tuesday announced inexpensive desktop microprocessors with up to six cores to put pricing pressure on rival Intel.
 
Nokia has delayed shipment of the N8, the first mobile phone to run the latest version of Symbian software and a device meant to turn around the company's slump.
 
SAP has migrated its online service for reporting carbon emissions over to an Amazon cloud platform.
 
Most PC makers gained ground in the latest edition of a major customer satisfaction survey because customers like Windows 7 a lot more than they did its predecessor. Apple continues to lead overall, however.
 
The European Commission has adopted a plan to limit third-country access to travelers’ data and intends to use the plan in negotiations with the U.S., Australia and Canada.
 
Xerox added remote printing capabilities to its enterprise print services portfolio, bringing a new way for smartphone users to print documents while on the go.
 
While many large financial services firms recognize the intrinsic benefits of cloud computing, security and regulatory concerns still prevent its widespread use on Wall Street.
 
EMC announced today that it is embarking on a three-year project to digitize the National Baseball Hall of Fame and Museum's photos and video and audio content for online viewing.
 
Users downloaded more than two million copies of its Internet Explorer 9 (IE9) beta in the two days after its Sept. 15 launch, Microsoft said.
 
In response to a recent Hassle-Free PC that described quickly determining which version of Windows you have, a reader asked the following question about his system:
 
Microsoft issued an update to its security advisory after discovering limited, active attacks against .NET Web applications with flawed encryption implementations.

 
I am teaching our Defending Web Applications [1] class this week, and yesterday, one of the students pointed me to a news release about Google implementing two factor authentication for its applications [2].
First of all, the mandatory primer on two factor authentication: two factors means two different groups of authentication methods. There are typically three groups: something you know (a password), something you have (a token), and something you are (a biometric). If you have, for example, a laptop login set up via fingerprint, you are still using a single factor unless you also have to enter a password. And of course, two different passwords are not two factors. There is also the problem of users collapsing the factors, for example by writing the password on the back of the smart card: now something you know has become something you have.
Typically, implementing two factor authentication means buying tokens or smart cards for all of your users. This can be expensive (from what I have seen $50/user is typical in smaller deployments) and it is only manageable for users with whom you have an existing relationship (employees, in some cases customers).
So how do you implement two factor authentication for cheap? Here are a few methods I have seen used:
Smart phone application as token, or other soft tokens
This is the route Google picked. The first time I saw a system like that was OTP (one time password) tokens on old Palm PDAs. Of course, if you can turn the token into software, you could have a desktop application as well. Google appears to offer the smart phone version only. The advantage is of course cost and ease of deployment: once the application is written, it is pretty easy to deploy and there is no incremental per-user cost, which makes it ideal for a large deployment like Google's. The disadvantage is the fact that it is software. It could be compromised by malware: it is very much possible for malware to pull tokens from the software and send them to an attacker, and an attacker may even be able to clone the token (copy its seed) without the user knowing. Verisign offers a free OpenID based system using phone based one time password tokens [4].
SMS Messages
It is pretty much free to send SMS messages via e-mail, in particular in moderate volume. SMS can be used to send a one time password to a phone. The advantage is again that you are using a phone the user already has and that the message travels out of band, at least for the last step to the user. The cell phone becomes something you have. The main disadvantage I have seen is that SMS is not totally reliable: messages may be delayed, or if you don't have reception you don't get the message at all. One could potentially implement a similar system using voice calls, for example with an Asterisk server. This is still pretty cheap but probably not as easy to implement (PhoneFactor offers a commercial solution like this [3]). Another problem may be the cost the user has to pay for incoming SMS messages. These days of course one could use a Google Voice account to receive the SMS messages, which removes the out-of-band advantage.
Paper based tokens
Print a sheet of paper with one time passwords. This works pretty well. I once had a bank in Germany back in the 80s that used just such a system, and I believe it still does. Very cheap to implement even on a larger scale, and hard to attack by malware. However, it is easy to attack with a copy machine, and you wouldn't even know that you lost it.
Any other methods I missed?
[1] http://www.sans.org/security-training/defending-web-applications-security-essentials-1442-mid

[2] http://threatpost.com/en_us/blogs/google-adds-two-factor-authentication-apps-accounts-092010

[3] http://www.phonefactor.com

[4] https://pip.verisignlabs.com
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The 451 Group Appoints Wendy Nather as Senior Analyst in the Enterprise ...
PR Web (press release)
She is tremendously respected [and leveraged] in the InfoSec thought leadership community. I'm excited to both give her grounded wisdom a broader platform ...

 
