Hoaxes as Threats

A few days ago I went to see the latest installment of the Harry Potter movies.  So it is timely that a new Internet hoax emerged today playing on the popularity of the film and its actors.  A hoax spread rapidly today via email and social networking sites such as Facebook and Twitter...

Malware Undetected

The recent massive attacks on web sites, dubbed Beladen and Gumblar, show that one of the primary weaknesses (if not the primary weakness) of information systems is the endpoint.  Attackers have been using malware to steal the FTP credentials of web site maintainers and uploading...

Reflections on a DDoS Attack

In the past few months, there has been a noticeable increase in the number of DDoS (distributed denial of service) attacks being launched against large and small targets on the Internet.  For example, during the last 120 days, GoGrid, Telefonica, Register.com and The Planet all suffered...

Airport Security Theater

Bruce Schneier has written extensively on the airport security practices that have been implemented since the 9/11 attacks and for the most part, he views them as “security theater”. This term is used to describe security countermeasures that provide the feeling of improved...

SEO Poisoning Techniques

Search engine optimization (SEO) has traditionally been the domain of web masters and Internet marketing specialists who understand the importance of high search engine ranking and how to influence sites’ ranking based on various search criteria.  It didn’t take long after...

Scam Soup

Lately I have been reading about a veritable alphabet soup of Internet scams.  Some are run-of-the-mill phishing or email scams, but some are rather innovative and utilize new attack vectors that I have not seen before.  In this post I will review some of these scams, including one...

Malicious Websites Target Internet Explorer

I have always been a fan of Mozilla’s Firefox browser. To tell the truth, I have been using it since its original incarnation when it was known as Netscape Navigator (and Mosaic before that). I always thought it was more intuitive, faster, and had more and better features than...

Security Vendors Lacking Good Security

In two separate incidents earlier this month, well known security companies had their web sites breached as a result of SQL injection vulnerabilities.  The first was Kaspersky Labs, an anti-virus vendor that reported the incident on February 9.  Two days later, it was reported that...

Heartland Payment Processor Breach

Another day, another major breach of credit card data. And this one is a doozy. The payment processor Heartland Payment Systems released a statement on January 20th that they had suffered a breach and an unknown number of credit card accounts had been compromised. Heartland is the 5th...

Data Breach Trends

Recently, several organizations have released data on security breaches for 2008. As you would expect, there were more reported breaches in 2008 than in 2007. Based on information from the Identity Theft Resource Center, the trend is summarized below: 2008 – 656 ...

Looking Into the Future

This is the time of year when information security professionals like to make prognostications about future trends in the industry.  The soothsayers who pen these prophecies rarely provide any information that could be considered earth shattering or even mildly prescient.  I am not...

My Latest Experience With Credit Card Fraud

Well, it has happened again.  One of my credit cards has been used to make unauthorized purchases.  I was contacted about a month ago by my issuing bank to inform me of suspicious purchases at a grocery store and restaurant in Arizona.  I presumed (incorrectly) that because I live in...

Mitigating SSH Brute Force Attacks

If you manage a system connected to the Internet that allows inbound SSH traffic, and you check your system logs periodically, no doubt you have noticed the failed login attempts from rogue systems trying to brute force your machine. These brute force attempts are typically generated...

Serving Up Spam for the Holidays

The holiday season is upon us and the scammers are taking advantage by sending out emails with bogus holiday cheer.  They attempt to take advantage of the holiday season by sending out emails with Christmas and New Year's greetings.  Many such emails that find their way into our...

PCI 1.2 and Anti-virus Software Requirements

Last month the PCI Security Standards Council released version 1.2 of the PCI DSS. There were a number of updates and changes to the standard, most of which I have already written about. I want to revisit Requirement 5 of the PCI DSS which relates to the use of anti-virus software on...

New Attacks on Wireless Encryption

Two graduate students in Germany have successfully demonstrated an attack against the WPA wireless encryption protocol. WPA was developed as a stop-gap measure when it was discovered that WEP, the original wireless encryption protocol, was deeply flawed and offered virtually no...

Protocol Fuzzing With the Mu-4000

I recently had a demonstration of the Mu-4000 Service Analyzer by Mu Dynamics. This device provides the type of security testing capabilities difficult to duplicate with any other single product (hardware or software). The Mu-4000 is an appliance that integrates the testing...

Managed Security Services Moving into the Cloud

There is a sea change underway in the managed security services marketplace.  This change is from a premises-based model to a cloud-based one.  The traditional managed security services model works like this.  An organization that does not have the resources or desire to manage its...

Hiding in Pictures

Take a look at the two images below. Can you tell which one has a message hidden within it? Even though it is impossible to notice, the image on the left has a hidden text file in it. The hidden message says: “This is a test file used in my steganographic encryption...

PCI DSS 1.2

Last week the Payment Card Industry Security Standards Council (PCI SSC) released the first update to the Data Security Standard (DSS) in more than two years. Version 1.2 of the DSS provides some much needed updates and clarifications to the 1.1 version of the document and is the...