The Office of Cyber Security (OCS), dedicated to protecting Britain’s IT infrastructure, will be created in line with a model proposed — and in part practised by the US.

The government will develop information systems to allow it to launch denial-of-service attacks and to spy on chosen targets…

At the same time Defense Secretary Robert Gates ordered the establishment of a U.S. Cyber Command to protect military networks and organize digital security efforts underway at the Pentagon.

The command also is charged with “synchronizing warfighting effects across the global security environment, as well as providing support to civil authorities and international partners,” according to a memo issued Tuesday by Gates to senior military officials.

BackTrack 4 released

June 25th, 2009

BackTrack is the top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes.
For more information visit: http://remote-exploit.org/backtrack.html

CNN on credit card theft

February 23rd, 2009

I already wrote about this topic. It cannot be stressed enough that credit card theft is not identity theft. However, an interesting video from CNN:

On Tuesday, January 13, I will be talking about Identity theft at ISSA DC Chapter monthly meeting. Come and join us. Everyone is welcome.

This is a good opportunity to learn something about an issue that impacts all of us today and collect a few CPEs.

The aim of this presentation is to help security professionals to better understand identity theft, and to differentiate it from other related crimes. The presentation begins by describing the history of identity theft and explains how the process takes place. It introduces the notion of identity theft enablers, and identifies those that make the United States the most seriously affected country by this crime. We will see how legislation deals with the problem and how official statistics fail to properly account for the magnitude of the crime. Finally, we will learn about the real costs and recovery of the crime; both tangible and intangible.

According to Google: “This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.”

The document is available here.

On November 24, 2008, Symantec released a report on the activity of underground servers.

Symantec estimates the value of total advertised goods on underground economy servers was over $276 million between July 1, 2007 and June 30, 2008. The most frequently traded products were credit card details, followed by financial accounts and spam. Interestingly, almost half of all of the underground servers were based in North America.

Dilbert on infosec

December 9th, 2008

Dilbert.com

WPA Hack or not?

November 24th, 2008

Recently, there was a lot of commotion in the media about WPA being hacked. Steve Gibson did a great job dissecting this ‘hack’ and explaining what exactly it is about. The audio version of Security Now episode 170 with Leo Laporte is available in high quality and low quality, and transcripts are available in txt, html, and pdf.

This is a great example of how the media can blow things out of proportion. As security professionals, we have to remember that simulating a security event under laboratory conditions is far from a security danger in the real world.

Bottom line - it is only WPA(2)-TKIP that is vulnerable, and TKIP was a temporary fix for WEP's weaknesses that has been replaced by WPA2-AES anyway. If someone still needs TKIP for legacy hardware support, simply disabling the quality-of-service (WMM) feature on the router will eliminate this vulnerability. And finally, even if exploited, this vulnerability could only enable an attacker to replay certain packets, an event that would most likely lead to denial of service.

For a long time, when asked for advice on using wireless networks, my answer has been: “If you don’t know how to set up and use WPA2-AES - DO NOT USE wireless at all.” Simple as that. This is a good time to check friends’ and neighbors’ wireless routers, upgrade the firmware, and make sure WPA2-AES is enabled.
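To turn the bottom line above into a quick audit check, here is an added example (not from the original post) that parses hostapd-style access point configuration and classifies it the way the post does: TKIP plus WMM/QoS is exposed, TKIP with WMM off is mitigated, and CCMP (WPA2-AES) only is fine. The two configuration fragments are constructed samples; the key names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wmm_enabled`) are standard hostapd keys, but the verdict labels and the conservative treatment of a missing `wmm_enabled` as "on" are this example's own assumptions.

```python
# Constructed hostapd.conf fragments (sample input, not taken from any real device).
WEAK_CONF = """\
interface=wlan0
ssid=example
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
wmm_enabled=1
"""

HARDENED_CONF = """\
interface=wlan0
ssid=example
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wmm_enabled=1
"""


def parse_hostapd(text):
    """Parse hostapd's key=value format, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def assess_tkip(conf):
    """Classify an AP config per the post: only TKIP is affected, and the
    replay attack needs the QoS (WMM) feature. Returns (verdict, findings)."""
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bit 1 = WPA, bit 2 = WPA2/RSN
    ciphers = set()
    for bit, key in ((1, "wpa_pairwise"), (2, "rsn_pairwise")):
        if wpa & bit:
            if key in conf:
                ciphers |= set(conf[key].upper().split())
            else:
                findings.append(f"{key} not set; cipher falls back to hostapd default")
    # Assumption: when wmm_enabled is absent, treat it as on (conservative reading).
    wmm_on = conf.get("wmm_enabled", "1") != "0"
    if "TKIP" not in ciphers:
        return "ok", findings  # CCMP (WPA2-AES) only, as the post recommends
    findings.append("TKIP is an accepted pairwise cipher")
    if wmm_on:
        findings.append("WMM/QoS is enabled; disable it or drop TKIP")
        return "exposed", findings
    findings.append("WMM/QoS is off, which removes the known attack path")
    return "mitigated", findings
```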

A worldwide survey of information security for 2008 is out. A Joint Research Project of CIO and CSO in partnership with PricewaterhouseCoopers is available here.

Interestingly, this year, investment emphasis was placed on security technologies. This probably explains why more than 30% of respondents didn’t have a clue about the security risks their companies were facing. Only 59% have an information security strategy. South American and Asian companies plan the biggest infosec budget increases, while US and European companies are at the bottom of the list.

Dilbert on Infosec

October 16th, 2008

Dilbert.com