The less known side of identity theft: What every InfoSec professional should know about identity theft
January 9th, 2009
On Tuesday, January 13, I will be talking about Identity theft at ISSA DC Chapter monthly meeting. Come and join us. Everyone is welcome.
This is a good opportunity to learn something about an issue that impacts all of us today and collect a few CPEs.
The aim of this presentation is to help security professionals to better understand identity theft, and to differentiate it from other related crimes. The presentation begins by describing the history of identity theft and explains how the process takes place. It introduces the notion of identity theft enablers, and identifies those that make the United States the most seriously affected country by this crime. We will see how legislation deals with the problem and how official statistics fail to properly account for the magnitude of the crime. Finally, we will learn about the real costs and recovery of the crime; both tangible and intangible.
Google releases Browser Security Handbook
January 2nd, 2009
According to Google: “This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.”
The document is available here.
Symantec Underground Economy Report
December 9th, 2008
On November 24, 2008, Symantec released a report on the activity of underground economy servers.
Symantec estimates the value of total advertised goods on underground economy servers was over $276 million between July 1, 2007 and June 30, 2008. The most frequently traded products were credit card details, followed by financial accounts and spam. Interestingly, almost half of all of the underground servers were based in North America.
Dilbert on infosec
December 9th, 2008
WPA Hack or not?
November 24th, 2008
Recently, there was a lot of commotion in the media about WPA being hacked. Steve Gibson did a great job dissecting this ‘hack’ and explaining what exactly it is about. The audio version of Security Now episode 170 with Leo Laporte is available in high quality and low quality, and transcripts are available in txt, html, and pdf.
This is a great example of how the media can blow things out of proportion. As security professionals, we have to remember that simulating a security event under laboratory conditions is far from a security danger in the real world.
Bottom line - it is only WPA(2)-TKIP that is vulnerable, and TKIP was only ever a temporary fix for the WEP vulnerability, replaced by WPA2-AES anyway. If someone still needs TKIP for legacy hardware support, simply disabling the quality of service (WMM) feature on the router will eliminate this vulnerability. And finally, even if exploited, this vulnerability could only enable an attacker to replay certain packets, an event that would most likely lead to denial of service.
For a long time, when asked for advice on using wireless networks, my answer has been: “If you don’t know how to set up and use WPA2-AES - DO NOT USE wireless at all.” Simple as that. This is a good time to check friends’ and neighbors’ wireless routers, upgrade the firmware, and make sure WPA2-AES is enabled.
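As an added example (not part of the original post), here is a small checker for the two points above: a hostapd access-point configuration is flagged when it offers TKIP with WMM enabled, and is considered mitigated when WMM is off or CCMP (AES) is used instead. It assumes the standard hostapd option names (wpa_pairwise, rsn_pairwise, wmm_enabled) and treats a missing wmm_enabled as disabled; the two sample configs are constructed.

```python
# Added example, not from the original post: lint a hostapd.conf for the
# WPA-TKIP exposure described above. Assumes standard hostapd option names
# and treats an absent wmm_enabled as 0 (an assumption, check your build).

# Constructed sample: WPA2 with TKIP offered and QoS (WMM) enabled.
WEAK_CONF = """\
interface=wlan0
ssid=home
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
wmm_enabled=1
"""

# Constructed sample: WPA2-AES only, the recommended configuration.
SAFE_CONF = """\
interface=wlan0
ssid=home
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wmm_enabled=1
"""


def parse_hostapd(text):
    """Parse key=value lines, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def assess_tkip_exposure(text):
    """Return findings about TKIP use and whether the WMM mitigation applies."""
    conf = parse_hostapd(text)
    ciphers = set()
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers.update(conf.get(key, "").split())
    findings = []
    if "TKIP" in ciphers:
        # The QoS (WMM) feature is what the TKIP replay attack relies on.
        if conf.get("wmm_enabled", "0") == "1":
            findings.append("TKIP offered with WMM on: vulnerable; set wmm_enabled=0 or drop TKIP")
        else:
            findings.append("TKIP offered but WMM off: mitigated; still migrate to CCMP (AES)")
    if "CCMP" not in ciphers:
        findings.append("CCMP (AES) not offered: enable WPA2-AES")
    return findings
```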
PricewaterhouseCoopers Global State of Information Security Survey 2008
October 17th, 2008
A worldwide survey of information security for 2008 is out. The report, a joint research project of CIO and CSO in partnership with PricewaterhouseCoopers, is available here.
Interestingly, this year investment emphasis was placed on security technologies. This probably explains why more than 30% of respondents didn’t have a clue about the security risks their companies were facing. Only 59% have an information security strategy. South American and Asian companies plan the biggest infosec budget increases, while US and European companies are at the bottom of the list.
Dilbert on Infosec
October 16th, 2008
(ISC)² CyberExchange is an online community that allows members to share security awareness tools with the general public.
Materials are available in a variety of formats (posters, brochures, presentations, etc.), and address topics like networking security, identity theft, Internet privacy, disaster recovery, emerging security threats, mobile security, software development and secure website design.
7 Things Every CEO Should Know About Security
August 27th, 2008
A short booklet with excellent ideas for presenting security to the boardroom. It is only 16 pages/slides and covers the following mission-critical information security issues:
- Security is a Boardroom Issue
- Cost of Ignoring Security
- Well-Organized and Focused Cybercriminals
- Increasing Insider Threats
- Borderless Enterprise
- Emergence of the Borderless Enterprise
- Traditional Security No Longer Works
- Policy and Process Reign Supreme
- The Security Role of the CEO
7 Things Every CEO Should Know About Security by Lumension Security
Guide to handling personal information security breaches
August 25th, 2008
The Australian Government’s Office of the Privacy Commissioner has just released the Guide to handling personal information security breaches.
The aim of this voluntary guide is to provide general guidance on key steps and factors for agencies and organisations to consider when responding to a personal information security breach.
Such a document is a must in any security specialist’s toolbox.