Russell Tice (the NSA whistleblower) has gone into more detail about the activities of the NSA domestic wiretapping scandal. It seems that the good folks at the NSA have been doing a bit more than they said they were. I could be mistaken but aren’t they supposed to be the good guys?
Friday, January 30, 2009
Friday, January 23, 2009
Friday, January 16, 2009
In the IDS market there are two different disciplines. The first uses signatures to determine if an attack is happening. The second uses network behavior to determine if an attack is happening. I am a firm believer that you have to at least have a signature-based IDS to detect known attacks, viruses and malware. Having a behavior-based IDS is definitely useful but only after you have stopped everything that is known about in the wild.
A researcher at the University of California at Davis has been working on a very interesting way to use behavior-based IDS to stop zero-day worms.
Friday, January 16, 2009
Well, before you do your taxes maybe you should be aware how readily accessible your data is. The Government Accountability Office has called out the IRS for some pretty big security issues.
Fixing 49 of 115 big issues is pretty decent admittedly but when user IDs and passwords are “readily” available to any user on their network I think you need to reprioritize what you have fixed that was more important than that.
I don’t know if I am more offended by the lack of a good password policy or that the data isn’t always encrypted. “For example, the IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said.”
There has to be a better and faster way to get people to think about security because it is obvious that what we are doing isn’t working.
Wednesday, January 14, 2009
Tuesday, January 13, 2009
This makes me laugh because you deserve to get a trojan if you go to (don’t go here because there is a trojan on it) parishilton.com.
Monday, January 12, 2009
Having a strong password policy is one of the first things you should work on, whether personal or corporate. If you need an example of poor password policy then just look at all of the articles and blogs referencing Twitter’s recent hack.
A hacker was able to get admin access into Twitter and take over accounts from the likes of President-elect Obama, Britney Spears and many others. The hacker was able to do this because a certain Twitter employee had the password “happiness” and Twitter has no policy for locking an account after multiple failed login attempts.
This is just one of the epic fails in this case but quite possibly the biggest. Have a strong password policy because if you don’t, it will cost you.
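The two gaps named above (a dictionary-word password and no lockout after repeated failed logins) sketched as controls. This is an added example, not Twitter's code or anything from the original post; the deny-list, the 12-character minimum, the thresholds and the `LoginGuard` class are assumptions for illustration.

```python
import hashlib, hmac, os

# Constructed deny-list; a real deployment would load a large common-password list.
COMMON_PASSWORDS = {"happiness", "password", "123456", "letmein", "qwerty"}

def password_acceptable(pw, min_len=12):
    """Reject short passwords and deny-listed words (min_len is an assumed policy)."""
    return len(pw) >= min_len and pw.lower() not in COMMON_PASSWORDS

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class LoginGuard:
    """Locks an account after max_failures bad logins inside `window` seconds."""
    def __init__(self, max_failures=5, window=900, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.users = {}          # user -> (salt, password hash)
        self.failures = {}       # user -> timestamps of recent failed logins
        self.locked_until = {}   # user -> time at which the lock expires

    def register(self, user, pw):
        if not password_acceptable(pw):
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(pw, salt))

    def login(self, user, pw, now):
        # Refuse while locked, before the password is even checked, so a
        # guesser learns nothing during the lockout period.
        if now < self.locked_until.get(user, 0):
            return "locked"
        # Unknown users get a dummy salt and an empty hash that never matches.
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        if hmac.compare_digest(_hash(pw, salt), stored):
            self.failures.pop(user, None)
            return "ok"
        # Keep only failures inside the sliding window, then record this one.
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = []
        return "denied"
```

With a lock in place, a dictionary run against one account gets only `max_failures` guesses per lockout period, and the correct password is refused too until the lock expires.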
Friday, January 9, 2009
What is the greatest risk to your network? It may not be the teenage hacker sitting in his room trying to figure out how to get into your network. It might just be your administrative assistant and the websites she visits, maybe even from home on her work laptop.
Case in point. A fellow Security Engineer arrived on site at a potential customer’s site to do an evaluation with them but was quickly moved down the priority ladder because earlier in the day a person had come in and infected the entire network with the GAObot.AO worm. It took most of the day and all of the customer’s IT resources to get the worm under wraps, and even then they had to recover for days.
So instead of working with a vendor to evaluate software that may have stopped this from happening in the first place, they had to spend resources and time fixing an issue that never should have happened.
When I hear people talk about insider threats it often seems that they picture someone sitting at their desk stealing company secrets and then selling them off. Or they see a sysadmin as a possible risk because he may have built backdoors into all of their systems. I believe that the true insider threat comes from your users who don’t know any better and are unaware of all the risks they present to the company.
Friday, January 9, 2009
This year was a very interesting one from my perspective. Many (including just yesterday’s CCC MD5 hack) big vulnerabilities were discovered (Kaminsky DNS) or proven this year. The funny thing is that these vulnerabilities and attacks were not against new systems or systems that we thought were secure. I think the big lesson from 2008 is that it isn’t the new thing that will kill you, it is not securing the old and heavily used protocols, applications, etc.