Archive for January, 2013


In case anyone is interested, I’ll be doing three presentations at the upcoming InfoSec World 2013 conference in Orlando, FL, April 15-17.

This will be the 8th year that I’ve presented at the conference dating all the way back to my first appearance in 1999. The folks at MIS Training Institute that run this event always do a great job so I’m looking forward to yet another interesting event where I’ll, hopefully, get to meet some of you and hear about the latest hacking techniques from the other presenters.

I’ll be presenting the following topics, which you can read about in the conference brochure.

  • “Creating an End-to-End Identity Management Architecture”
  • “Federated Identity Management”
  • “How Secure Are We? Identity Management and Social Networking Threats”

By the way, the brochure lists different speakers for the first session above, but I’ve been asked to fill in for the original cast.

Hope to see you there!


If you’re a security geek, chances are you’ve already heard plenty about the latest “hair on fire” scenario involving Java 7. If not, here’s a very brief discussion of what all the fuss is about…

First of all, Java is a programming language that was designed to allow for execution on a wide variety of platforms without recompiling. Its “write once, run anywhere” value proposition has been compelling in an age where we want to connect all sorts of operating systems and hardware platforms into a unified experience over a worldwide Internet. As a result it has proliferated to the point where it runs on everything from large servers to medium-sized desktops/laptops to small handheld phones.

However, like all software, Java has bugs and, not surprisingly, some of them are security-related. The current fuss involves a type of vulnerability called a “zero day” because it is a previously unknown weakness for which there was no readily available patch. This means that an attacker could potentially exploit this hole and systems would be defenseless until a fix was developed (in this case, by Oracle, who owns Java) and applied to all vulnerable systems. Sounds scary, right?

Well, it is, but there are some things you can do to lessen the odds you will be victimized, and since some security experts are claiming it could take two years to develop a “real fix” to the problem (as opposed to more stopgap measures), we had probably better think about this problem strategically and settle in for the long haul.

In addition to applying the newly available patch, many are advising that Java be disabled in web browsers to lessen the risk. The well-respected US Computer Emergency Response Team (US-CERT) put it this way in their recent alert:

“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.”

So, what can you do after applying the latest patch(es)?

  • Disable Java in the browser: You can see instructions on how to do this in the US-CERT alert or in this ZDNet article.
  • Remove Java entirely: Some advocate the more drastic option of removing Java entirely from your system. I’m not a fan of this approach, though, because, at least in my experience, there are too many things I need to do that require Java, so this really isn’t practical.
  • Selectively enable Java in the browser: My personal preference is to use Firefox as your browser along with the NoScript extension. This option allows you to turn off client-side functions such as Java, JavaScript, Flash and others by default and then select which trusted sites you’d like to enable these capabilities on. It won’t guarantee safety, but it also won’t cripple your system in the interest of security.

Oh, and if you’re responsible for securing your organization against these types of vulnerabilities, it would be worth considering a more holistic, end-to-end approach that would allow you to push patches out automatically to all systems as well as tweak settings to disable Java (or similar capabilities) temporarily in a way that requires no intervention by end users. IBM Endpoint Manager is one such tool that allows for this sort of centralized management.
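As an added illustration (not code from the original post), here is what the “disable Java in the browser, centrally and without user intervention” idea looks like at the file level: a small auditor for Java’s deployment.properties that reports whether browser content is on and writes the hardened setting. It assumes the Java 7 Update 10+ key deployment.webjava.enabled (the “Enable Java content in the browser” checkbox) and its .locked form, which I assume keeps end users from flipping it back on; the sample file is constructed.

```python
# Added example: audit/harden a Java deployment.properties file so the browser
# plug-in is disabled. Assumes the 7u10+ key deployment.webjava.enabled and its
# ".locked" marker line; the sample file below is constructed, not captured.
KEY = "deployment.webjava.enabled"
LOCK = KEY + ".locked"

# Constructed sample of a user-level deployment.properties with Java enabled.
SAMPLE = """#deployment.properties
#Tue Jan 15 09:12:44 EST 2013
deployment.version=7.21
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""

def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                k, v = line.split(sep, 1)
                props[k.strip()] = v.strip()
                break
        else:
            props[line] = ""          # bare key such as a ".locked" marker
    return props

def browser_java_enabled(text):
    """True unless the key is present and explicitly 'false' (absent means enabled)."""
    return parse_properties(text).get(KEY, "true").lower() != "false"

def harden(text):
    """Return the file with browser Java disabled and the setting locked."""
    out = [l for l in text.splitlines()
           if not l.strip().startswith((KEY + "=", LOCK))]
    out += [KEY + "=false", LOCK]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("browser Java enabled before:", browser_java_enabled(SAMPLE))
    fixed = harden(SAMPLE)
    print("browser Java enabled after: ", browser_java_enabled(fixed))
    print(fixed)
```

An endpoint-management job would run harden() over each user’s and the system-wide deployment.properties and report the “before” value as its audit finding.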

Of course, the usual advice regarding avoidance of sketchy web sites and not clicking indiscriminately on links in emails and SMS text messages applies, as even the best security tools will eventually be vulnerable to the next zero-day exploit. So rather than looking for a quick fix, think of this as the “new normal” going forward because there will be plenty more similar situations to come…

I’ve never been a huge fan of New Year’s resolutions, mostly because it seems that they rarely make it much past mid-February for most folks. So why kid ourselves, right? For that matter, why wait until January 1 to start doing something you already knew you should have been doing?

Nevertheless, New Year’s resolutions are a part of the culture, and over the past few years the writers that have run the “Stump the Geeks” column at the Raleigh News & Observer have asked me to contribute a few.

Here’s a link to this year’s edition …

http://www.newsobserver.com/2013/01/06/2583495/new-year-is-ideal-time-to-protect.html#storylink=misearch

A couple of them are somewhat of the “set it and forget it” variety so, hopefully, you’ll have a better chance of actually following through on them than, say, that commitment to lose 20 lbs, exercise more, stop smoking, etc.

Good luck and Happy New Year!

If my last post regarding Android devices being marshaled into zombie armies sounded a little over the top, maybe this one will resonate a little better.

According to forensic blog, which focuses on mobile phone forensics and malware, as of December 26, 2012, there are 115 unique Android malware families known to exist. That number would be significantly higher if you counted all the variations on these that might be circulating.

115 doesn’t sound like a lot compared to the tens of thousands of Windows viruses in existence, but it’s a far cry from zero and should serve as a wake-up call regarding the need for malware protection on mobile devices. If that still doesn’t convince you, then maybe the analysis of the threat that these present might:

  Families that steal personal information          51.3%
  Families that send premium-rated SMS messages     30.1%
  Families with characteristics of a botnet         23.5%
  Families that contain root exploits               18.3%
  Families downloaded from the Google Play market   11.3%
  Families that install additional applications     10.4%
  Families that steal location-related data          8.7%
  Potentially unwanted applications                  7.8%
  Online-banking Trojans                             3.5%

Source: forensic blog, http://forensics.spreitzenbarth.de/

And don’t get too smug because your phone or tablet runs iOS. We had this debate years ago when people claimed that Mac OS was immune, and then again with UNIX/Linux. Granted, the relative risk might be lower over the entire population of these install bases, but the fact remains that any functional OS can be exploited because none are perfect.

Put more succinctly: all software (of any significant complexity) has bugs, and some percentage of those bugs will be security-related; therefore, all software carries with it a set of security risks.