InfoSec Philippines

Information Security, Technology News and Opinions

Archive for the ‘News’ Category

Comelec challenges hackers

Posted by Daniel Tumalad on March 17, 2009

Taken from The Philippine Star (www.philstar.com), 17 March 2009:

Try to hack into automation machines, Comelec challenges hackers
By Sheila Crisostomo

MANILA, Philippines – The Commission on Elections (Comelec) yesterday challenged hackers to try to hack into the voting and counting machines that will be used in next year’s elections, but expressed confidence that they would fail.

Comelec executive director Jose Tolentino said they are very confident the security features of the precinct count optical scan (PCOS) machines would be able to thwart hackers.

“Even in the first level, we can already detect any tampering,” noted Tolentino, who is also the project manager of poll automation.

Read full article:

http://www.philstar.com/Article.aspx?articleId=449326&publicationSubCategoryId=63

[ In any aspect of Security, giving out this sort of challenge is usually unwise and inappropriate as it may prove to be dangerous but nevertheless, it’s entertaining. ]

Posted in News, Philippines | Tagged: , , , , , | 6 Comments »

Seminars and Conventions

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 16, 2009

The Center for Global Best Practices will be giving a one day seminar on “Best Practices in IT Audit” on Apr 24, 2009 at the Edsa-Shangrila Hotel, Mandaluyong City. It will be conducted by Patrick Dailey, CFE, GCFA, CISSP, EnCE, who is the founder and managing director of DigiThreat Solutions. Early bird offer is until Mar 24, 2009. Seminar cost is P7,800.00. For more info call (+63-2) 842-7148 or 59, email:jessica@cgbp.org, or check out their website.


Microsoft Philippines will be giving a two hour seminar on the “Advantages of Microsoft Certification”. The next dates are on Mar 20 and 26 to be held at the dB Wizards Office, 28/F 88 Corporate center Sedeno cor Valero Streets, Salcedo Village, Makati City. Check out the Microsoft Events Philippines site for more details.


ECCI will be giving a staggered three day seminar on “Accelerated Six Sigma Greenbelt – Striving for Quality Excellence and Transformation” on Apr 16-17 & 20, 2009. ECCI will also be giving a one day seminar on “Enterprise Risk Management (ISO 31000)” on Mar 26, 2009. For more info call (63-2) 750-5671 to 73 or email:faith@eccinternational.com.


There are a lot of presentations that are available from the APRICOT Manila Convention late last month. Most focus on IPv6, while there are others on malware, rogue dns’ and general security. Check out the presentations here.


Site News
The site may not get updated much this week since I will be conducting an Introduction to ISMS Seminar (ISO 27001:2005) and will be focusing on that.

Posted in News, Philippines, seminars | Tagged: , , , , , , , , , , | 1 Comment »

InfoSec News, March 11, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 11, 2009

Browser Security
(SC Magazine US) Firefox 3.07 update addresses multiple security issues
(H-online) Firefox: most vulnerabilities, but quickly patched
(Security Focus) Mozilla, Opera plug security holes


Malware
(SC Magazine US) Conficker worm variant kills security processes
(H-online) Conficker modified for more mayhem


Cyberwarfare
(ZDNet.com) Russia kinda-sorta owns up to Estonia cyberwar
(The Register) Russian politician: ‘My assistant started Estonian cyberwar’


Patches
(The Register) Critical kernel fix stars in Patch Tuesday updates
(Computerworld) Microsoft patches ‘evil’ Windows kernel bug
(Computerworld) Microsoft patches Windows DNS, kernel flaws
(The Register) The long road to Adobe Reader and Flash security Nirvana
(Computerworld) Adobe patches zero-day PDF bug, mum on details
(Computerworld) Bad Symantec update leads to trouble
(H-online) Norton causes alarm and despondency


Social Networking
(H-online) Twitter closes SMS spoofing hole – Updated
(H-online) Spam from compromised Twitter accounts


Other InfoSec News
(SC Magazine US) Gartner: Data breaches hit 7.5 percent of all U.S. adults
(H-online) Version 3 of Microsoft’s Threat Modeling Tool released
(Computerworld) Gmail down; outage could last 36 hours for some
(H-online) Windows Defender: False alarm triggered by hosts file
(The Register) Court rules airline secret security list is stupid
(Techworld) Security needs to be ‘baked in’ say experts
(GCN) Securing cyberspace requires a new attitude
(Stuff.co.nz) Student wiped data worth thousands
(The Register) Feds file new felonies against alleged Palin hacker


Tips
(Computerworld) Biometrics: three tips for success


Webcasts
(LogLogic) Unleashing your log power to do more with less
Date: Wednesday, March 18, 2009
Time: 2:00 p.m. EST/11:00 a.m. PST


Whitepapers
(HID) Username and Password: A Dying Security Model
(Computerworld) Social Elements of Security Policy and Messaging


Posted in Change Management, News, Security Policy, Social Networking, Webinars | Tagged: , , , , , , , , , , , , , , | Leave a Comment »

GMA Fake Site and Tricks Scammers Use

Posted by Jaime Raphael Licauco, CISSP, GSEC on February 25, 2009

GMA News warned the public last week regarding a fake site that reports fake news, which has fortunately been taken down as of press time. This reminds me of the recent fake news item about Megan Fox being a man. If anyone actually checked that site’s menu, they’d see links to a “Mutants” section and an “Aliens” section, which should readily warn anyone about the veracity of news on that site. Unfortunately some educated people believed that piece of news, which is really quite sad.

CSOOnline came out with an article detailing the Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines, which are divided as Social Networking Scams, Office Offenses and Phishing Lures:

    Social Networking Scams
    “I’m traveling in London and I’ve lost my wallet. Can you wire some money?”
    “Someone has a secret crush on you! Download this application to find who it is!”
    “Did you see this video of you? Check out this link!”
    Office Offenses
    “Hi, I’m from the rep from Cisco and I’m here to see Nancy.”
    “This is Chris from tech services. I’ve been notified of an infection on your computer.”
    “Can you hold the door for me? I don’t have my key/access card on me.”
    Phishing Lures
    “You have not paid for the item you recently won on eBay. Please click here to pay.”
    “You’ve been let go. Click here to register for severance pay. “

Check out the site link above for more details.

The same author, Joan Goodchild, also wrote about Social Engineering:8 Common Tactics, and 3 Ways a Twitter Hack can Hurt You, which might interest you if you want to learn more about Social Engineering.


Tips
If in case you aren’t using encryption yet and want an easy and free encryption solution, you may want to check out TrueCrypt. Tom’s Hardware has published a how to and review to start you out.


Auditing
A consortium of US agencies and organizations released a draft of the Consensus Audit Guidelines that define the 20 most critical security controls to protect federal and contractor information systems.
The press release states that: “The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies in Washington DC to advance key recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.”


Other Security News
(The Register) New OS X research warns of stealthier Mac attacks
(The Register) Banking app vuln surfaces 18 months after discovery
(The Register) Hacker pokes new hole in secure sockets layer
(PCWorld) New Attacks Target IE7 Flaw
(PCWorld) IE8 Focuses on Improved Security and Privacy
(PCWorld) Microsoft Adds Clickjacking Protection to IE8 RC1
(PCWorld) Downloads for Hard Economic Times

Posted in Awareness, News, Philippines, social engineering, Social Networking | Tagged: , , , , , , , | Leave a Comment »

Info Sec News, Jan 22, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 22, 2009

One of the reasons why I started this site is because there seems to be a paucity of Information Security News about the Philippines. Sometimes its even hard to find out about Conferences and Seminars in Metro Manila. Its refreshing to be able to find the following:

(YouTube, from GMANews.TV) IMBESTIGADOR – Friendster Hacker (Identity Theft, Cybercrime)
(GMANews.TV, Old News) Woman who hacked Friendster account faces estafa raps

(Computerworld Philippines) Surveys: Security risks impede business innovation
(Computerworld Philippines) Web Security Lifeline: In-the-Cloud Technology Beats Malware Pollution
(Computerworld Philippines) Survey: Banks need better communication methods
(Inquirer.net) Nasty worm hits millions of computers
(Inquirer.net) Kids’ shield vs porn on Net removed
(Manila Bulletin Online) EMC creates new company to address today’s growing personal information challenge
(Manila Bulletin Online) RP to benefit from Satyam scandal, lawmaker crows
(Manila Bulletin Online) Employees’ everyday behavior puts sensitive business information at risk – new threat study from EMC reveals
(Manila Bulletin Online) Sophos warns Twitter users of possible hacking


Just in case you need help in figuring out HijackThis, there’s this useful tutorial on PCHell.com. If you already use HijackThis and don’t understand parts of the log file, the tutorial points you to the HijackThis Logfile Analysis site.


The recent Twitter hack shows that some Admin level personnel should follow Admin Password Best Practices. Apparently the Admin’s password was, ‘happiness’, as is discussed in this Wired blog.


Other Info Sec News:
(SecurityFocus) Payment processor warns of network breach
(HeiseSecurity) Over 100 million credit / debit cards compromised
(Washington Post) Payment Processor Breach May Be Largest Ever
(HeiseSecurity) QuickTime 7.6 update brings security fixes
(HeiseSecurity) Elcomsoft Wi-Fi auditor prompts security warnings

Posted in News, Philippines, Social Networking | Tagged: , , , , , , , | Leave a Comment »

Info Sec News, Jan 19, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 19, 2009

Secure Coding and Application Dev
What is probably the most significant security news item of the past week is the release of SANS and Mitre of their Top 25 errors and how to fix them. It’s been said that around 85% of criminal activities on the net stem from the current crop of Top 25 flaws. The Top 25 list is divided into three broad categories namely: Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses.

The PDF version of the Top 25 is available here.

The Software Assurance Forum for Excellence in Code (SAFECode) has made two publications available to help eliminate the Top 25 errors, its Guide to the Most Effective Secure Dev Practices in Use Today, and Software Assurance: An Overview of Current Industry Best Practices.


Social Engineering
A rehash of old tactics can be seen in an E-mail purportedly from Northwest Airlines (but actually carries a zipped trojan file), and malware spreading websites that claim US President elect Obama won’t be taking the oath of office on the 20th. This just strengthens the argument that your personnel and their security awareness training are now your first line of defense, and not your perimeter firewall.

This is related to the fake Christmas and holiday greetings that been sent every year for the past few years, which was seen again this past Christmas.


Malware
The Downadup (also known as Conficker) Worm versions A, B and C that exploits what Microsoft released an out of band patch for in late October ’08, and weak Admin passwords, is said to have infected an “amazing” 9 million PC’s according to F-Secure researchers. If you’re wondering how they got to this astonishing figure, check out F-Secure’s Blog.

(PC World) UK Ministry of Defence Stung by Rapidly Spreading Virus


Secure deletion, reuse or disposal
According to new research led by Craig Wright, it just takes one re-write to securely wipe the data from a hard drive. This talks about a complete sector by sector overwrite of a hard drive.

Articles on this can be found on Heise Security and SecurityFocus. The paper was presented at the Fourth International Conference on Information Systems Security (ICISS) in Hyderabad, India and can be purchased here.


Encryption
Heise Security has published an in depth article on how modern cryptological attacks are done in their article, “Cheap Cracks“.


Patches and Change Management
Oracle released fixes for 41 different flaws this month and Microsoft released a single patch that closed three flaws.

(Heise Security) Numerous security updates from Oracle
(Heise Security) Microsoft closes three holes in Windows
Microsoft issues patches for ‘nasty’ Windows bugs

A vulnerability in SAP GUI has also been found and a patch has been released and is available to registered SAP users.


Other InfoSec News:
In relation to the Anonymization article I wrote about a few days ago, the makers of Tor has announced that their software has zero known bugs.

(Computerworld) Two big, bad botnets gone, but replacements step up

(Computerworld) Critical security projects escape the budget ax

(Heise Security) Banking details can be stolen through a new JavaScript exploit

(Computerworld) Six Worst Internet Routing Attacks

(GO San Angelo.com) US Air Force planning to train hundreds yearly in cyber warfare skills

(Information Week) Thief Steals Sony Ericsson Prototypes

The Windows 7 Beta Team has removed the 2.5 million download limit as stated in the Windows 7 Blog. People can get the Beta until January 24.

Secunia Advisories


Tips:

(Computerworld) How to Secure your Vista PC in 10 easy steps

(Computerworld Blog) Removing malware from an infected PC

The Windows Security Blog has announced a new Beta called Sundance that could help secure Windows and Office 2007 installations.

In relation to what I wrote about around a month ago regarding wireless networks, the crack in the WPA protocol only affects the TKIP version and not AES, so the solution is to simply switch from TKIP to AES as is detailed in this article from Search Security.com, “Cracks in WPA? How to continue protecting Wi-Fi networks“.

(PC Magazine) The Top Tech Tips of 2008 Part 1

(PC Magazine) The Top Tech Tips of 2008 Part 2

Posted in ISMS, News, social engineering, Windows | Tagged: , , , , , , , , , , , , , , , | Leave a Comment »