InfoSec Philippines

Information Security, Technology News and Opinions

Archive for February, 2009

GMA Fake Site and Tricks Scammers Use

Posted by Jaime Raphael Licauco, CISSP, GSEC on February 25, 2009

GMA News warned the public last week regarding a fake site that reports fake news, which has fortunately been taken down as of press time. This reminds me of the recent fake news item about Megan Fox being a man. If anyone actually checked that site’s menu, they’d see links to a “Mutants” section and an “Aliens” section, which should readily warn anyone about the veracity of news on that site. Unfortunately some educated people believed that piece of news, which is really quite sad.

CSOOnline came out with an article detailing the Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines, which are divided as Social Networking Scams, Office Offenses and Phishing Lures:

    Social Networking Scams
    “I’m traveling in London and I’ve lost my wallet. Can you wire some money?”
    “Someone has a secret crush on you! Download this application to find who it is!”
    “Did you see this video of you? Check out this link!”
    Office Offenses
    “Hi, I’m from the rep from Cisco and I’m here to see Nancy.”
    “This is Chris from tech services. I’ve been notified of an infection on your computer.”
    “Can you hold the door for me? I don’t have my key/access card on me.”
    Phishing Lures
    “You have not paid for the item you recently won on eBay. Please click here to pay.”
    “You’ve been let go. Click here to register for severance pay. “

Check out the site link above for more details.

The same author, Joan Goodchild, also wrote about Social Engineering:8 Common Tactics, and 3 Ways a Twitter Hack can Hurt You, which might interest you if you want to learn more about Social Engineering.


Tips
If in case you aren’t using encryption yet and want an easy and free encryption solution, you may want to check out TrueCrypt. Tom’s Hardware has published a how to and review to start you out.


Auditing
A consortium of US agencies and organizations released a draft of the Consensus Audit Guidelines that define the 20 most critical security controls to protect federal and contractor information systems.
The press release states that: “The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies in Washington DC to advance key recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.”


Other Security News
(The Register) New OS X research warns of stealthier Mac attacks
(The Register) Banking app vuln surfaces 18 months after discovery
(The Register) Hacker pokes new hole in secure sockets layer
(PCWorld) New Attacks Target IE7 Flaw
(PCWorld) IE8 Focuses on Improved Security and Privacy
(PCWorld) Microsoft Adds Clickjacking Protection to IE8 RC1
(PCWorld) Downloads for Hard Economic Times

Posted in Awareness, News, Philippines, social engineering, Social Networking | Tagged: , , , , , , , | Leave a Comment »

Info Sec News, Feb 5, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on February 5, 2009

Seminars
ECCInternational will be giving a Certified BCMS (ISO 25999:2007) course from Feb 9-11. They will also be giving an ITIL Practitioner Program – Configuration Management on Feb 10-11, you can check out their Training Schedule here. ISO 9001:2008 IRCA Certified Lead Auditor Seminar will also be given either on Feb 9-13 or Feb 16-20. For details and specific dates, please contact Rose, Faith or Ness at 7505671 to 73 or email training@ccinternational.com.


Webcasts
CSO Online has published a podcast interview of Jim Routh who is the CISO of the Depository Trust and Clearing Corporation (DTCC). He is a veteran technology and security executive, having held positions at American Express and American Express Financial Advisors before joining DTCC.

(Simply Continuous) How To Keep Your Business Running in the Event of a Disaster


Whitepapers
There’s a recent (Winter 2009) presentation published by the Standford Applied Crypto group by John Mitchell on Phishing and Malicious JavaScript. Aside from Phishing, the presentation talks about how JavaScript is used to obtain information from your browser. John Mitchell teaches CS 142, Web Programming and Security, at Stanford University.

(SonicWall) Bottom-line benefits of telecommuting & secure remote access
(Quest Software) Finding Complete Identity Lifecycle Management that Fits


Insider Threat
I either gotta love this… or get paranoid about this: Within 90 minutes of getting fired, a former contract worker for Fannie Mae allegedly added a malicious script hidden within a legitimate script that ran each morning on the network, which was designed to disable monitoring alerts and all log-ins, delete the root passwords to the 4,000 Fannie Mae servers, erase all data and backup data, power off all the servers and then disable the ability to remotely switch on the machines. This was fortunately found by another employee within days of the firing.

(Computerworld) Ex-Fannie Mae engineer pleads innocent to server bomb charge
(CSO Online) Alleged Fannie Mae data bomb author working for Bank of America now?

Another recent example of an Insider Threat is of a former employee that still has access to the system, as this article reports, “Mysterious Text-Message Alert at U. of Florida Scares and Angers Students.


Psychology/Social Engineering
There’s good insight as to the psychology involved when it comes to Information Security in this article from (CSO Online) Are You Addicted to Information Insecurity?

And speaking of psychology, CSO Online’s Anatomy of a Hack is an in-depth article on how Social Engineering can be used. Also in connection to social engineering, the FBI also warns of Money Mule Scams.

A novel way of luring people to a website with malware was found in North Dakota. How? Stick a parking violation ticket on the windshield, with the supposed details of the infraction on a website.

Readers of this blog might also want to check out What the Web knows about you. Its a 6 page article on what attackers may be able to find out about you online. If you’re in the US and is considering searching your SS number, check out this article first on Search Engine Privacy Tips from the World Privacy Forum website.


Browser Security
CSO Online also did a an unscientific poll of security experts on browser security, and it turns out that IE isn’t viewed as being as insecure as it was just a few years back. In relation to browser security, Firefox just fixed a couple of vulnerabilities in their release of version 3.06 of their browser.

Also related, Browser secrets of secure connections talks about how browsers play a key part in determining the strength of cipher used between the client and the web server. The article references the Infoworld Test Center Guide to browser security.


New DNS Attack
(CSO Online) Porn Site Feud Spawns New DNS Attack – Botnet operators are adding code to launch a new type of distributed denial of service attack, security experts warn
(NetworkWorld.com) Porn Site Feud Spawns New DNS Attack – A scrap between two pornographic Web sites turned nasty when one figured out how to take down the other by exploiting a previously unknown quirk in the Internet’s DNS.
(NetworkWorld.com Slideshow) How DNS cache poisoning works – this also has tips at the end on how to defend this kind of attack.


Other Info Sec News
(CSO Online) SMB Security: Five Bright Ideas – Small businesses have to be crafty to handle security with fewer resources. Here are bright ideas for SMBs.

(Computerworld Blog) Security businesses move ahead in this economy

(Computerworld) Removing admin rights stymies 92% of Microsoft’s bugs

(Computerworld) Microsoft denies Windows 7 security feature contains bug

(Computerworld) Banks, customers feel the fallout of the Heartland breach

(Computerworld) Study: Data breaches continue to get more costly for businesses

(Computerworld) Obama health care plan said to boost security, privacy controls – Privacy advocates say $20B e-health proposal overcomes some HIPAA concerns

Posted in Change Management, conferences, Incident Management, ISMS, Presentations, Privacy, social engineering, Webinars, Whitepapers | Tagged: , , , , , , , , , , , , , , , , , | Leave a Comment »

Info Sec News, Feb 4, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on February 4, 2009

There seems to be confusion on a new draft bill by the NTC which is aimed at online content providers and VAS providers for mobile phones. Some have argued that the seemingly catch all bill may include people who blog and upload pics on Social Networking sites, although the spirit of the bill seems to be more for online applications.

(Business Mirror.com) NTC issues draft circular on content development…
(Blog) MikeAbundo.com
(Blog) Pinoy Pro Blogger


Don’t we all just wish that what happened in the US National Science Foundation can actually be audited and checked in the Philippines? The questions would be, are logs even activated? And secondly, does someone with the skill and competence actually take the time to consistently check those logs?

Speaking of Log Management, Prism Microsystems has a video series on 100 uses of Log Management which so far, is on #9 Email Trends.

#8 Windows disk space monitoring
#7 Windows lockout
#6 Password reset
#5 Outbound Firewall traffic
#4 Solaris BSM SU access failure
#3 Antivirus update
#2 Active Directory login failures
#1 Firewall blocks


9th e-Services Global Sourcing Exhibition will be held at the SMX Convention Center from from Feb 9-10, 2009
APNIC 27 will be held in Manila from Feb 23-27, 2009


Other News:
(CNN.com) Teens Face Porn Charges for “Sexting”

Posted in conferences, Philippines, Privacy, Social Networking | Tagged: , , , , , , , , , , | Leave a Comment »