InfoSec Philippines

Information Security, Technology News and Opinions

Archive for November, 2008

Global InfoSec Surveys and Adobe Reader Vulnerabilities

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 8, 2008

Ernst & Young’s 2008 Information Security Survey

EY released their Global Information Security Survey 2008 a few weeks ago. The survey was conducted from June 6 – August 1, 2008, in more than 50 countries and with nearly 1,400 participating organizations.

Some of the key findings were:

  • Protecting reputation and brand has become a significant driver for InfoSec
  • People remain the weakest link
  • International InfoSec standards are gaining greater acceptance
  • Growing third-party risk are not being addressed
  • Business continuity still bound to IT
  • Another notable finding is that despite of the current period of economic pressures and of slowed growth, only 5% of respondents indicated a planned reduction in InfoSec expenditures, while 50% were planning to increase their investment in InfoSec. This is supported by similar numbers from CIO Magazine, CSO Magazine and PWC’s Global state of information security survey 2008 (pdf, 2.79 MB). Key highlights are stated here, and another summary can be found in a article.

    For more information about the survey, click here. If you want a pdf copy of Ernst & Young’s 2008 Global Information Security Survey (1.42 MB) click here. For other informative pdfs from Ernst & Young regarding InfoSec, check out their Technology and Security Risk Services page.

    Adobe Reader vulns remind us why updating ASAP matters

    What I mean by ASAP here is after the correct patch management or change management procedures have been done. Patching/updating with no concern for proper procedures can easily lead to downtime and possibly even more vulnerabilities.

    I’m saying this after the SANS Internet Storm Center came across pdf files that exploited the recently found Javascript buffer overflow vulnerability. They also took note that at the time of writing (Nov 7, 2008) NO ANTI VIRUS could detect the malicious pdf.

    However, had you updated your Adobe Reader to version 9 (Windows systems) a few weeks back, you wouldn’t even need to think of the problem.

    Posted in ISMS, News, vulnerability | Tagged: , , , , , , , , , , , , | Leave a Comment »

    Getting funding for Security Initiatives by ENISA

    Posted by Jaime Raphael Licauco, CISSP, GSEC on November 8, 2008

    In my last seminar for ISACA Manila on Introduction to ISMS, I was asked a question on how to get approval for funding for security projects. I answered that Awareness was key. Upper level management have to have an idea what the risks are to their organization, and the possible consequences. Because coming up with the solution would not matter if there doesn’t seem to be a problem. I then said that a report by ENISA (European Network and Information Security Agency) might help. The report I was talking about was, “Obtaining support and funding from senior management.”

    The report talks about five areas identified as being crucial in obtaining corporate security investments:

    1. Define the investment rationale and the stakeholders.
    2. Build a persuasive business case to make senior management better understand the value of the investment.
    3. Estimation of costs: allows organisations to identify the most common expenses which they may incur and make rough estimates.
    4. Linking business benefits to information security initiative, define and calculate performance metrics.
    5. Detail a typical path to face a corporate executive in a senior management briefing. Effective communication is critical: the right information should be delivered at the right time, in the right manner, preferably 6-12 months ahead the project.

    For more information and where you can download the report, click here. And since we’re talking about awareness and awareness is the best control for social engineering, ENISA also has a whitepaper on “How to avoid on-line manipulation.”

    Another good article that talks about different approaches that can help influence management for their approval is, ISMS Implementation – The bottom-Up approach.

    Updated Links

    I updated the Security Awareness and Training Links to include Microsoft’s Technet on Security Awareness. The free 120 MB zip file includes, Security Awareness Program Development Guidance, Sample Awareness Materials, Sample Training Materials, and the following sample templates:
    * Brochure Templates
    * E-Mail Invite Template
    * Fact Sheet Templates
    * FAQs
    * Newsletter Template
    * Poster Templates
    * PowerPoint Templates
    * Quick Reference Card

    I also added a Philippine Tech Blogs links page.

    Posted in Awareness, ISMS, Whitepapers | Tagged: , , , , , , , | 1 Comment »

    Wireless Hacking part 2

    Posted by Jaime Raphael Licauco, CISSP, GSEC on November 7, 2008

    Yesterday, I had a post on Using Nmap to detect Rouge Wireless Access Points. With that post were various links to tools on hacking wireless networks that are freely available on the net. This is of course to help inform the public on the perils of wireless network computing. However, I also posted a link on the advantages on wireless and how to secure it. As is often the case, one must seek a balance or prioritize among that OTHER security triad of COST vs SECURITY vs CONVENIENCE.

    For the history buffs, there is a A Brief History of Wireless Security from CSOonline, back in May 2008, also published a very informative article on Wireless Security: The Basics.

    News from SC Magazine US, and Heise Security just came out that WPA can now be cracked in around 15 minutes.

    The news item above talks about Recovering a WEP key in less than a minute using the aircrack-ptw tool that is used with the aircrack-ng toolsuite.

    I remember a few months ago Risky Business podcasts interviewed the maker of Metasploit framework, HD Moore, regarding his evil Eee PC. It’s about the new KARMA+Metasploit 3 framework which is a set of tools that listens to all client probe requests and can then become a fake wireless AP for any requested network. The scary thing here is that you can possibly get owned as long as your wireless is enabled and its automatically looking for a wireless access point, without the user even knowing it. The older Karma framework is available here.

    If the Risky Business podcast didn’t get you a wee bit paranoid, an interview by Network World on, Wireless security foiled by new exploits, just might do the trick. They interviewed Joshua Wright who writes the security blog and is also the author of the six-day SANS Institute course, Assessing and Securing Wireless Networks.

    I wonder what tools were used for the “Wall of Sheep” at the Defcon conferences, which was also at the BlackHat, this year. In case you’ve never heard of the “Wall of Sheep”, its a wall with a projection of Usernames and part of the passwords for the users foolish enough to not have enough security on their wireless connections. MySpace and Gmail accounts have also shown up (in spite of Gmail using the default https, but just for log-on) through the use of replay attacks. Apple iPhones and Window’s mobile phones have also shown up.

    Since you’ll want to save some of the information from the KARMA+Metaploit 3 framework, I’m guessing newer mini-notebooks like the Acer Aspire One which retails for around $350, and Lenovo Ideapad S10 which retails for around $400, would both be great for this.

    Since its related, there’s an On Demand Webcast sponsored by Nokia on, Corporate Mobility Policy and Device Management. In case your organization is PCI compliant or is looking forward (or dreading) compliance in the future, Network World will be having a webcast next month on PCI Wireless Compliance Demystified.

    Posted in ISMS, News, Philippines, vulnerability, Wireless | Tagged: , , , , , , , , , , , , , , , , , | 1 Comment »

    Obama and McCain Campaign Computers Hacked

    Posted by Jaime Raphael Licauco, CISSP, GSEC on November 7, 2008

    Newsweek reports that both the Obama and McCain camps had computers that were hacked. This is apparently also around the time Gov. Palin’s Yahoo account got hacked (details of how the hacker got into Palin’s account are here). SecurityFocus reports on the hack here.

    On a related topic, SCMagazineUS reports that hackers began spreading malware soon after Obama got elected. In the typical bait-and-switch method of social engineering, spam e-mails that were supposed to contain a link to Obama’s “amazing speech” were actually links to trojans.

    New critical vulnerabilities were found for the popular VLC media player. However the Window’s version has not been updated to close the said vulnerabilities. Workarounds can be found in a Heise Security report.

    Heise Security also reports that the BotHunter tool has been updated with the new features listed here. The tool helps network administrators find out if their network has zombie computers.

    There are now more worms that exploit the MS08-67 Critical vulnerability that was reported last month. So if your Windows system uses the “Server” service, you’ll hopefully have it patched soon. For home users that do not need this dis-service, they can easily disable it, by going to services.msc while using their Admin account.

    Posted in News, vulnerability | Tagged: , , , , , , , , , , , , , , , , | Leave a Comment »

    Recent Whitepapers on the Net

    Posted by Jaime Raphael Licauco, CISSP, GSEC on November 6, 2008

    Secure Mobile Computing Using Two-Factor Authentication with VPNs and Disk Encryption – sponsored by Alladin

    This paper highlights the risks that organizations run in allowing mobile users full access to the enterprise network, data, and applications through VPN. It takes a detailed look at how making sensitive corporate data available in this manner, creates security gaps with passwords and encryption keys stored on the hard drive. Aladdin focuses on successfully addressing these issues with strong two-factor authentication, reviewing the broad range of easy to deploy, easy to use, and low cost two-factor authentication devices available that meet the needs of organizations today.

    Web Application Security: Too Costly to Ignore sponsored by HP

    Posted: 24 Sep 2008
    Published: 24 Sep 2008
    Format: PDF
    Length: 8 Page(s)

    Web application security is crucial to mitigating the risks of attack and attaining regulatory compliance. The number of web attacks is on the rise and is exponentially more cost effective to remedy those flaws early in the development process. There is an enormous chasm between where application security should be and the sad shape of application security today. Download this free whitepaper from HP Software to learn about the gaps in most application security programs and how to incorporate application security across the lifecycle.

    Oracle Advanced Security TDE (Encryption)

    Posted: 15 Jul 2008
    Published: 01 Jun 2007
    Format: PDF
    Length: 19 Page(s)

    Encryption is a key component of the defense-in-depth principle and Oracle continues to develop innovative solutions to help customers address increasingly stringent security requirements around the safeguarding of PII data. Retailers can use Oracle Advanced Security TDE to address PCI-DSS requirements while university and healthcare organizations can use TDE to safeguard social security numbers and other sensitive information. Encryption plays an especially important role in safeguarding data in transit. Oracle Advanced Security network encryption protects data in transit on the intranet from network sniffing and modification. Oracle Advanced Security TDE protects sensitive data on disk drives and backup media from unauthorized access, helping reduce the impact of lost or stolen media.

    Data Center TCO – A Comparison of High-density and Low-density Spaces sponsored by Intel

    Posted: 24 Jul 2008
    Published: 01 Jan 2007
    Format: PDF
    Length: 12 Page(s)

    One of the most common misconceptions in this period of growth is that the total cost of ownership (TCO) of a new data center is lower with a low-density design. In fact, the most efficient new data centers are those with high-density designs, which leverage virtualization to reduce TCO by millions.

    This white paper explains why and offers suggestions for successful operations in the high-density data center. Key considerations include:

    * Airflow distribution challenges
    * Server uniformity
    * Airflow velocities
    * Hot aisle temperature

    Posted in Whitepapers | Tagged: , , , , | Leave a Comment »

    Recent Whitepapers from Search

    Posted by Jaime Raphael Licauco, CISSP, GSEC on November 6, 2008

    All the abstracts are from the website.

    Accelerating PCI Compliance with Log Management and Intelligence.

    Posted: 19 Sep 2008
    Published: 19 Sep 2008
    Format: PDF
    Length: 6 Page(s)

    Today, all service providers and retailers that process, store or transmit cardholder data have a fiduciary responsibility to protect that data. As such, they must comply with a diverse range of regulations and industry mandates. One of the most important for the service provider and retailer is the Payment Card Industry Data Security Standard (PCI DSS), which sets forth 12 requirements for IT controls to ensure data security and protection. However, retailers both large and small face tremendous challenges in implementing policies and controls that enable PCI compliance, and the task of implementing best practices can be overwhelming.

    Executive Summary: How to Achieve Comprehensive Network Security.

    Posted: 16 Sep 2008
    Published: 16 Sep 2008
    Format: PDF
    Length: 14 Page(s)

    Security practitioners need to think about security management along three separate axes – operations, investigations, and compliance reporting. Each of these functions is distinct, and typically involves different organizational hierarchies, which dramatically complicates the challenge of security management. The good news is that all of these management functions ultimately can be driven by a common data set, and that is the opportunity for a security management platform to aggregate this data once and leverage it for a number of suitable purposes.

    Unauthorized Applications: Taking Back Control.

    Posted: 01 Jul 2008
    Published: 01 Dec 2007
    Format: PDF
    Length: 7 Page(s)

    This paper explains why it is important for businesses to control unauthorized applications such as instant Messaging, VoIP, games and peer-to-peer file-sharing and how malware protection is the simplest and most cost-effective solution.

    The rapid emergence of Web 2.0 is beginning to redefine how individuals interact with the internet, and the related technologies pose a range of new threats. While there are a number of solutions available that help IT administrators to manage the problem, many require additional investment and, for many organizations, they can be expensive, unwieldy and difficult to maintain. A better solution is one which completely integrates the blocking of unauthorized applications into the existing anti-malware detection and management infrastructure.

    Techniques for Transitioning to an IAM Suite.

    Posted: 14 Oct 2008
    Published: 14 Oct 2008
    Format: PDF
    Length: 5 Page(s)

    Organizations often fill their IAM needs with a variety of disparate techniques and applications, many of which are home grown or built by a variety of third parties. This tip will explain how an organization can ensure a successful transition from multiple products and tools to a single suite. It will look at:

    * How to successfully map functionality from old product/tool functions to new ones
    * How to evaluate and manage new and existing policy exceptions
    * Guidelines for implementing custom connectors with legacy applications

    Anonymous Proxy: A Growing Trend in Internet Abuse, and How to Defeat It.

    Posted: 09 Sep 2008
    Published: 09 Sep 2008
    Format: PDF
    Length: 5 Page(s)

    Anonymous proxies are an unseen threat-a student’s or employee’s backdoor to malicious or productivity-sapping sites on the Internet. If your URL filtering solution relies on the old-school URL database/keyword approach, your ship is leaking and you may not see the holes.

    With hundreds of new proxy sites created each day, traditional URL filtering just can’t keep up, even when supplemented by standard keyword analysis. What follows is a primer on the problems, the sizable costs and time drain for IT professionals, and a discussion of an effective third-generation solution that goes far beyond the traditional strategy.

    Posted in Whitepapers | Tagged: , , , , | Leave a Comment »