InfoSec Philippines

Information Security, Technology News and Opinions

Archive for the ‘Social Networking’ Category

Password Tips for Websites

Posted by Jaime Raphael Licauco, CISSP, GSEC on June 19, 2009

Revised 06/22/2009 (V1.1)

I’ve been thinking about passwords lately due to recent cybercrime that involved default passwords, and phishing attacks on Facebook which stole passwords from users.

Stronger passwords have been repeatedly talked about by InfoSec personnel since time immemorial.  We have repeatedly asked users to make stronger passwords, to the point that users are probably sick and tired of hearing the same thing. However, recent incidents show that we haven’t been effective enough since people still use simple or default passwords, probably because it’s thought to be inconvenient to make one — It isn’t — All it takes is a few extra minutes of your time and creativity.

Lockdown.co.uk** gives the following example of how long it takes to crack the following passwords using a dual processor PC:
darren = 30 seconds
Land3rz = 4 days
B33r&Mug = 23 years

Until two-factor authentication costs become less prohibitive — hopefully sooner than later (i.e. PhoneFactor is a new service which unfortunately charges $.14 per transaction for the Philippines) — we will have to rely on passwords for authentication.

I try not to rely on password programs which reside on my computer (i.e. Password Safe), but instead try to have strong passwords for each site.

Since the number one site in the Philippines is a Social Networking site, this will have a Social Networking slant (specifically Facebook).

Here are a couple of Tips:

First of all, DO NOT SHARE YOUR PASSWORDS, PUT IT ON A STICKY NOTE ON YOUR MONITOR (UNDER YOUR KEYBOARD, SEAT, ETC)

Now that the common sense ones are out of the way, on with the tips…

Use EV-SSL (Extended Validation SSL)

How: Mozilla Firefox address bar turns green on the left side. For IE, the whole address bar turns green.

Reason: Users who just click through warnings can actually be on a fake https site. EV-SSL makes it more difficult for phishers to fake a site. Also, the strongest passwords are useless if you’re already on a fake site.

EV-SSL

Bookmark your favorite site, and use the keyword feature (for Firefox) or equivalent.

How: On your bookmark, right click on it and then left click on “Properties”. Type a few letters or a word in the “Keyword” category. For this example I used “fb” so that all I need type on the address bar are the letters “f” and “b” to access https://www.facebook.com.

Reason: This mitigates your risk of user error and saves you time. The 2nd reason stated for EV-SSL, also applies here.

Bookmark and keyword

Change some Browser Settings to not remember what are in forms, and not remember passwords for sites.

How: Mozilla Firefox: Go to Tools, Options, Privacy then uncheck, “Remember what I enter in forms and the search bar”; Go to Tools, Options, Security and uncheck, “Remember passwords for sites”. Additionally you might want to click on “Saved Passwords” in case there are already saved passwords in your browser that you may wish to delete.

Reason: Not showing your “Username” to any user on a particular computer is another layer of defense. There have also been some hacks in the past (though already mitigated) on how browsers store passwords.

Uncheck Save Password for Sites

Use Best Password Practice, which is typically composed of the following:

– Must be at least 8 characters.

– Must not be a dictionary word.

– Must be complex – (thank Microsoft for making this popular) at least 3 of 4 of the following: Uppercase character, lowercase character, number, special character)… my take is that use all 4.

– Change your password at least every 60 days.

– Do not re-use any of your passwords for at least a year.

– Do not have the same word or character/number order in your subsequent passwords.

– Use different passwords for different applications and different sites.

All of the above “Best Practices” can be a pain. Security Professionals are human and we also get annoyed by some or all of the above. So I’ll break this down on how this could be easier.

Must be at least 8 characters, Must not be a dictionary word*, Must be complex:

How: You can deliberately misspell words, or use a phrase then shortcut that phrase. For example, the sentence, “Jekyll is a big lying bastard with no integrity whatsoever” can become “jIaBlBwNiW”. Yes, I do realize that this is not complex, but bear with me. As you can see, uppercase and lowercase takes turns here so that it makes it easier for me to remember.

To include numbers, I will change “B” to “8” therefore making it, “jIa8l8wNiW”. You can also change numbers to letters (e.g. 06/19/2009 can be Og/Ip/Zoop) but of course you will have to come up with your own formula on what numbers and letters you can interchange.

And to put special characters in our shortened phrase, you can put a comma or a period somewhere there and you can make the big letter “I” to “!” to make it “j!a8l8,wNiW”. As with the above opinion on numbers and letters, you have to come up with your own formula for what special characters can be interchanged for letters and numbers (e.g. 06/19/2009 can be )^/!(/@))( which really looks nuts but that’s how it can look like).

I would personally not use the above examples since I don’t know a person named Jekyll, nor would I recommend leaving one finger pressed on the Shift key as one types what is essentially an all special character password that a shoulder surfer might easily be able to see — I have only given the above and below examples to show the thought process on how to make strong passwords.

Reasons: The unrelenting increases in processing power, also means it’s becoming faster and faster to break passwords. A PC Mag list from back in 2007 of the most common passwords are all woefully lacking in complexity. Aside from having a password that takes longer to break, being able to type complex passwords fast, with your fingers in the correct typing position and having to use the Shift key once every few characters, can actually mitigate the threat of shoulder surfing.

Change your password at least every 60 days, Do not re-use any of your passwords for at least a year, Do not have the same word or character/number order in your subsequent passwords:

How: Now this is definitely a bone-of-contention. To mitigate risk some Security Professionals would rather use long passphrases instead of passwords, than have to change their passwords every 60 days. I however, would rather change it. This totally depends on you because this is a much bigger pain that the one above. I would actually suggest writing down your password then putting it in a secure physical space, or if not, put a part of it in your phone or in your wallet. Emphasize on “a part” since if someone steals your phone or wallet, and knows your username, then bye bye to privacy in your account.

Use different passwords for different applications and different sites:

How: What some InfoSec people do, is use something site specific built into their password. For example one can use a complex iteration of their birthday (I’ll use Jose Rizal’s) “June 19, 1861” to “dYun!9,eS1”; and then append it to what one may change the word “Facebook” to, “p@c3sbuks” — to have the really long password of “dYun!9,eS1p@c3sbuks”. You could also of course put “p@c3sbuks” in the middle or in front of your password.

Reason: I included this because a Sophos report states that about 33 percent of people in their survey use one password for everything they have. A Gartner survey done in September 2008 says that 2/3 (66%) of their survey respondents use only 1 or 2 passwords for all the websites they use.

Other things NOT TO DO:

– Don’t use your name or part of your username in your password.

– Don’t use multiple spaces, multiple repeating characters or numbers that are beside each other

– Don’t use any information that is readily identifiable (i.e. name of kids, spouse, girlfriend, etc)

– Don’t use letters or numbers beside or near each other on the keyboard

So that does it for Passwords.

A note on Security Questions:

Deliberately give something false that you can always remember. One wouldn’t want to be the victim of a Sarah Palin like attack wherein the attacker just searched for publicly available information about her to answer the security question that enabled him to access her e-mail. An example would be, “What is your Mother’s Maiden Name?” Your answer could be, “Sorry but I don’t talk to strangers” or some other phrase or sentence that doesn’t make sense but you won’t easily forget.

So those are my tips. I’ll be the first to admit that I don’t know everything, so if you would happen to know any great password tips that I have failed to mention, please do share in the comments section or write me an e-mail if you would like to remain anonymous. Thanks in advance.

* Most Filipinos know at least two different languages/dialects (English-Tagalog, English-Bisaya, English-Waray, etc) so I won’t even tackle that here, just put a (your other language here)-English word together or if you’re Conyo, go put your complex iteration of the the word, “Pare” or “Tol” before, in the middle or after your English word, or put your iteration of “Dude” or “Bro” before, in the middle or after your Tagalog word. Peace to the Conyos out there 🙂

** Many many thanks to a Security Mentor of mine (who may wish to remain anonymous) for sending this link on passwords.

Posted in Opinion, Philippines, Social Networking | Tagged: , , | 9 Comments »

Add Us Up on Facebook

Posted by Jaime Raphael Licauco, CISSP, GSEC on June 3, 2009

InfoSec Philippines's Facebook Page

I typically put a lot of news links for every post. In InfoSec as with IT, nobody should be expected to know everything, but should know where to find it. I will be posting “Tweets” and links in our Facebook wall for faster turnaround (better availability of recent news items). This will also enable readers to individually comment on the multiple news links I expect to post each week. Group members are allowed to post comments and links so they can post upcoming events and conferences.

Posted in News, Philippines, Social Networking | Leave a Comment »

Black Hat Presentations, Flash App Tools, Free AV and News

Posted by Jaime Raphael Licauco, CISSP, GSEC on May 5, 2009

The next BlackHat.com webcast will be about Mobility and Security on May 21 1pm PDT (Friday, May 22, 2009 at 4 AM in Manila, according to The World Clock).

Black Hat Webcast 9 (34MB audio, around 79 mins running time; WebSync version is here) is a preview of the Black Hat Conference in Amsterdam that was held from April 16-17, 2009 (see link to presentations below).
The following people and their presentation topic were in this webcast:

Enno Ray – Attacking Backbone Technologies
Charlie Miller and Vincenzo Iozzo – Fun and Games with Mac OS X and iPhone Payloads
Stefano Zanero – Web App Firewall Based on Anomaly Detection
Roberto Gassira’ and Roberto Piccirillo – Hijacking Mobile Data Connections

Past Black Hat Conferences:
Video of Charlie Miller and Vincenzo Iozzo’s presentation on Mac and iPhone payloads (152 MB)
Black Hat Europe 2009 (Amsterdam) Media Archives
Black Hat USA 2008 Archives


Flash App Vulnerability Tools

Exposing Flash Application Vulnerabilities with SWFScan
Flare
SWFIntruder


Free Anti-Virus

F-Secure Online Scanner Beta Program


InfoSec News

(Inquirer.net) Has your e-mail address won in a lottery?
(Computerworld PH) Report: Web continues to rise as security threat

(Inquirer.net) RP gov’t websites vulnerable to hacking
(Inquirer.net) Cyber spies hack into DFA computers
(Inquirer.net) RP needs cybersecurity program–CICT
(Inquirer.net) PNP experts tell how to catch a hacker

(Inquirer.net) Purge 2-M ‘flying’ voters, Comelec told
(Manila Times) Lawmaker to hack Comelec electronic counting machines
(Inquirer.net) Hack poll machines and win P100M
(Inquirer.net) P100M hack reward ‘dishonors’ poll automation
(Inquirer.net) Hacking poll results to take lots of time
(Inquirer.net) Comelec to tap DOST on poll machine testing
(Inquirer.net) Comelec mulls inclusion of more provinces in poll automation

(Inquirer.net) Comelec eyes YouTube stardom to lure voters

(PhilStar) Is quitting Twitter more popular than re-tweeting?
(IT Matters.com) Twitter — a rising marketing channel?

(PhilStar) Globe backs ICT Awards

(Inquirer.net) RP seeks removal from USTR watch list
(Inquirer.net) Twitter, Facebook abuzz over Pacquiao win

(Computerworld) Facebook’s privacy options
(Computerworld) How Facebook mucks up office life
(Wired) PIN Crackers Nab Holy Grail of Bank Card Security

(SecurityFocus) Researcher argues for CERTs with teeth
(Inquirer.net) Cyberspies hack into US fighter project
(H Security) Linux cache poisoning attacks easier than on Windows?
(Computerworld) 20 kick-ass network research projects

(Computerworld) Leaked copies of Windows 7 RC contain Trojan
(Computerworld) Botnet probe turns up 70GB of personal, financial data
(Computerworld) Heartland earns back spot on PCI-approved list

(The Register) Security researchers fret over Adobe PDF flaw
(H Security) Demo exploits for new vulnerabilities in Adobe Reader
(SecurityFocus) Companies slowest to fix Office, Acrobat flaws
(SecurityFocus) JavaScript flaw reported in Adobe Reader

(The Register) US Congress wants hack teams for self-penetration
(Boston.com) US looks to hackers to protect cyber networks
(NY Times) ‘Hackers wanted’ ad fed security misconception

(The Register) Botnet hijacking reveals 70GB of stolen data
(The Register) Twitter breach gives behind-the-scenes Obama peek

(The Register) Firefox finds more pesky bugs
(H Security) Firefox 3.0.10 fixes critical vulnerability

(The Register) Hacker behind P2P botnet gets no jail time
(The Register) US military’s cyberwar rules ‘ill-formed,’ says panel
(NY Times) Panel Advises Clarifying U.S. Plans on Cyberwar
(The Register) Adobe users imperiled by critical Reader flaw

(H Security) Lost+found: Worms, Exploits, Online Scanners
(NY Times) H.P. Labs Pulls Out the Measuring Stick

Posted in News, Social Networking, tools, vulnerability assessment, Webinars | Tagged: , , , , , , , , , , , , | Leave a Comment »

More on Poll Automation and some Tools

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 24, 2009

Readers of this blog may be getting bored about poll automation, however there are news articles that are pertinent and give good arguments that I believe ought to be posted here.

Dennis Posadas, the Deputy Executive Director of the Philippine Congressional Commission on Science, Technology and Engineering, wrote an article entitled, “Computers can be hacked, so what?” The article details that we take a lot of technology based risks everyday, but it doesn’t mean that we shouldn’t use them. In other words, we make dozens of cost-benefit analyses each day but in the end we mostly benefit.

I am all for the automation of elections, there’s a possibility of it being a game changer and we may actually have a lot less fraud at the polls… something unheard of in my generation. However, I believe that it should be correctly implemented to minimize fraud, because if not, all those billions of pesos in taxpayer money might not go to the pockets of our corrupt officials… oops I mean, all that money will be for nought, and we’ll have the same or even more problems than we do with the un-automated version. The length of time for implementation and the logistical challenges full poll automation presents just strenghthens the case that maybe partial automation may be better.

Technology is an enabler, it can enable poll fraud to be harder, or it can actually make it easier. It all depends on the process.

Intelligent, competent and honest people should run the show (poll automation in this case). Leaders that put too much confidence and give statements that a yet implemented system cannot be hacked, borderline on ignorance, and shouldn’t be there at all… unless of course they have technical advisors that are the best the country can offer.


Re-post of earlier Comments

I am re-posting an earlier comment by dts, made by Patrick Dailey since its in the comments section and may not be seen by people who don’t check the comments.

dts said
March 21, 2009 at 10:14 am e

Comments made by
Patrick Dailey CISSP, GCFA, IT Audit and Security Consultant – Managing Director at DigiThreat Solutions
[http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=29343049&gid=1851931]

From an IT project management point of view, 80,000 machines with source code, voter information data, vote data, and other information will be installed throughout the country. Additionally, the provision of transmission of data to a centralized location (presumably via Internet) will have to be procured from each location where the machines are installed. Supplies of ballot paper, training, technical support, and warehousing are all part of this project, and all aspects of this project need to be completed by May 10th, 2010 (417 days from now). The winning bidder is announced on April 27th, 2009, giving the bidder 378 days to complete all tasks.

To say that this project is ambitious would be an understatement – let’s do the math. It will require that the winning bidder install the machines, the software, and (hopefully) test an average of over 200 machines a day, travel not included. This does not account for machines that are dead on arrival. Internet access will need to be procured at locations throughout the country. Ever tried to get an Internet connection procured in a remote province? It can take months to get a reliable connection even in Metro Manila. What about remote islands that offer no Internet service whatsoever?

Logistics will also play a major role – while slightly less than 2000 mothballed counting machines from the 2004 election are sitting in four floors of storage (costing taxpayers P30 million a year), how much storage will 80,000 counting machines require? If the same size of machines and stacking capability is utilized as is the current storage, it will require 160 floors, or roughly 40 hectares, of storage space. Phasing the storage of equipment in warehouses will add to the complexity of the project, and delivery of machines and other materials to the end location to install (and coordinating with the installers) would almost require a Ph.D. in logistics, if there was such a degree. Add training and technical support to the equation, and you have an extremely difficult project. I have no reason to doubt Mr. Tolentino when he has confidence in the bidders capabilities, but this type of project would stretch many large multi-national companies. Simply put, whoever wins this project has their hands very full, and I do wish them the best of luck.

Assuming the bidder can survive the project demands and logistics, they will then have to contend with the security risks that are involved with this undertaking. While “hackers” are the “in” thing to talk about, they are a very small subset of the overall security risks. Here are some very basic IT security questions the winning bidder should be asking before even bidding on the project:

-Are there a defined information security policies and procedures for this project?
-What is the overall network architecture of this project, including systems, ports, data transmission, data locations, and other pertinent information? Where are its weak points?
-Will firewalls be a part of the architecture? What is blocked? What is allowed? What is needed?
-Are wireless technologies utilized? If so, is it secured, or can someone sit outside the precinct offices and modify the votes?
-Is SMS an option being considered, and if so, what is being done to secure SMS?
-How does the transmission of data occur? Is it encrypted? If so, how?
-Is data transmission from one location to another vulnerable to man-in-the-middle or other attacks? If you do not know what a man-in-the-middle attack is, it is probably recommended that you not bid on this project.
-What happens if there is no electricity, or there is an outage during the middle of the election? What happens if there is an Internet/telco outage? Is there a detailed continuity and/or recovery program? If so, does the introduction of people handling the data provide added risk?
-How is the centralized data secured? Is it centralized on a SQL database? If so, how secure is your SA password and how vulnerable are you to SQL injection attacks?
-What if there are discrepencies between the vote tallies at the precinct, and the vote tallies that ends up being stored at the centralized location? What happens?

Many more IT questions could and will be asked, but the IT questions go well beyond the source code of the application. The source code could be absolutely fine, but if the underlying architecture has problems, then there are significant risks. It’s like building a mansion on an unstable slope – it might look good, but will crumble at the first sign of stress.

In a case such as elections, people pose an additional risk. Some questions to ask include:

-Will all programmers, installers, and other employees undergo background checks to help ensure that they cannot be compromised by third parties?
-How are devices physically secured from being compromised? Are guards watching them? If so, do they know what to look for? Or are they part of the problem?
-What if it weren’t typical “hackers”, but a foreign government trying to ensure that their preferred candidate gets elected? If you think that is far-fetched, then why were both the campaigns of John McCain and Barack Obama hacked by a foreign entity last year while leading up to the election? Why is the Chinese government repeatedly alleged to be hacking into foreign government systems?

The project scope, risks, and huge budget make this an extremely difficult endeavor. While Mr. Tolentino makes some pretty bold statements, it’s ultimately up to the winning bidder to follow through on the assertions he has made. Our company, as I am sure many other information security companies, would love to see the finished product. However, the source code is only a small component of the overall product and project, and will not give an overall picture of the security of the 2010 elections.


Seminars and Conventions

DEFCON Philippines BeerTalk II will be on April 24, 2009 7PM at Grilla, Paseo De Roxas Avenue Branch (near Greenbelt), Makati City, Philippines

THE 2ND SOCIAL NETWORKING AND E-BUSINESS CONFERENCE 2009 will be on April 23 – 24, 2009 at the Grand Ballroom, Hotel Intercontinental, Makati City, Philippines


Tools for Man in the Middle Attacks

Middler by Jay Beale
sslstrip by Moxie Marlinspike


Tips

(The H Security) The right way to handle encryption with Firefox 3


Other InfoSec News


(SC Magazine US) Internet Explorer 8 “critical” flaw in final version

(Computerworld Philippines) New IE8 still the slowest browser
(SearchSecurity) Internet Explorer 8 includes a bevy of security features
(Computerworld) IE8 best at blocking malware sites, says Microsoft sponsored study
(The Register) A grim day for browser security at hacker contest
(The H Security) Pwn2Own 2009 ends: Smartphones & Chrome unbroken

(The Register) Newfangled rootkits survive hard disk wiping
(Security Focus) Researchers aim low to root hardware

(SC Magazine US) OWASP Security Spending Benchmarks Report published
(Computerworld Philippines) Asia’s top infocomm event continues to chart region’s IT direction
(Security Focus) China more friend than foe, says white hat
(Computerworld) In poor economy, IT pros could turn to e-crime

(Security Focus) Cybercriminals optimize search for cash
(The Register) Scareware affiliates playing search engines
(Washington Post – Security Fix) Web Fraud 2.0: Data Search Tools for ID Thieves
(The Register) Cybercrime server exposed through Google cache

(The Register) Worm breeds botnet from home routers, modems
(The H Security) Botnet based on home network routers
(The H Security) An Analysis of Conficker-C
(Computerworld) Conficker’s next move a mystery to researchers

(The H Security) Twitter XSS vulnerability
(SecurityFocus) No more bugs for free, researchers say
(The H Security) HP publishes free security tool for Flash developers

(Computerworld) Start-up unveils hybrid cloud/on-site backup service

(SearchSecurity) Diebold ATMs in Russia targeted with malware
(The H Security) Windows Trojan on Diebold ATMs

(SearchSecurity) Firms muddle security breach response, expert says

(SearchSecurity) Microsoft Threat Management Gateway has some drawbacks

Posted in News, Opinion, Philippines, seminars, Social Networking, tools | Tagged: , , , , , , , | Leave a Comment »

InfoSec News, March 11, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 11, 2009

Browser Security
(SC Magazine US) Firefox 3.07 update addresses multiple security issues
(H-online) Firefox: most vulnerabilities, but quickly patched
(Security Focus) Mozilla, Opera plug security holes


Malware
(SC Magazine US) Conficker worm variant kills security processes
(H-online) Conficker modified for more mayhem


Cyberwarfare
(ZDNet.com) Russia kinda-sorta owns up to Estonia cyberwar
(The Register) Russian politician: ‘My assistant started Estonian cyberwar’


Patches
(The Register) Critical kernel fix stars in Patch Tuesday updates
(Computerworld) Microsoft patches ‘evil’ Windows kernel bug
(Computerworld) Microsoft patches Windows DNS, kernel flaws
(The Register) The long road to Adobe Reader and Flash security Nirvana
(Computerworld) Adobe patches zero-day PDF bug, mum on details
(Computerworld) Bad Symantec update leads to trouble
(H-online) Norton causes alarm and despondency


Social Networking
(H-online) Twitter closes SMS spoofing hole – Updated
(H-online) Spam from compromised Twitter accounts


Other InfoSec News
(SC Magazine US) Gartner: Data breaches hit 7.5 percent of all U.S. adults
(H-online) Version 3 of Microsoft’s Threat Modeling Tool released
(Computerworld) Gmail down; outage could last 36 hours for some
(H-online) Windows Defender: False alarm triggered by hosts file
(The Register) Court rules airline secret security list is stupid
(Techworld) Security needs to be ‘baked in’ say experts
(GCN) Securing cyberspace requires a new attitude
(Stuff.co.nz) Student wiped data worth thousands
(The Register) Feds file new felonies against alleged Palin hacker


Tips
(Computerworld) Biometrics: three tips for success


Webcasts
(LogLogic) Unleashing your log power to do more with less
Date: Wednesday, March 18, 2009
Time: 2:00 p.m. EST/11:00 a.m. PST


Whitepapers
(HID) Username and Password: A Dying Security Model
(Computerworld) Social Elements of Security Policy and Messaging


Posted in Change Management, News, Security Policy, Social Networking, Webinars | Tagged: , , , , , , , , , , , , , , | Leave a Comment »

GMA Fake Site and Tricks Scammers Use

Posted by Jaime Raphael Licauco, CISSP, GSEC on February 25, 2009

GMA News warned the public last week regarding a fake site that reports fake news, which has fortunately been taken down as of press time. This reminds me of the recent fake news item about Megan Fox being a man. If anyone actually checked that site’s menu, they’d see links to a “Mutants” section and an “Aliens” section, which should readily warn anyone about the veracity of news on that site. Unfortunately some educated people believed that piece of news, which is really quite sad.

CSOOnline came out with an article detailing the Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines, which are divided as Social Networking Scams, Office Offenses and Phishing Lures:

    Social Networking Scams
    “I’m traveling in London and I’ve lost my wallet. Can you wire some money?”
    “Someone has a secret crush on you! Download this application to find who it is!”
    “Did you see this video of you? Check out this link!”
    Office Offenses
    “Hi, I’m from the rep from Cisco and I’m here to see Nancy.”
    “This is Chris from tech services. I’ve been notified of an infection on your computer.”
    “Can you hold the door for me? I don’t have my key/access card on me.”
    Phishing Lures
    “You have not paid for the item you recently won on eBay. Please click here to pay.”
    “You’ve been let go. Click here to register for severance pay. “

Check out the site link above for more details.

The same author, Joan Goodchild, also wrote about Social Engineering:8 Common Tactics, and 3 Ways a Twitter Hack can Hurt You, which might interest you if you want to learn more about Social Engineering.


Tips
If in case you aren’t using encryption yet and want an easy and free encryption solution, you may want to check out TrueCrypt. Tom’s Hardware has published a how to and review to start you out.


Auditing
A consortium of US agencies and organizations released a draft of the Consensus Audit Guidelines that define the 20 most critical security controls to protect federal and contractor information systems.
The press release states that: “The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies in Washington DC to advance key recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.”


Other Security News
(The Register) New OS X research warns of stealthier Mac attacks
(The Register) Banking app vuln surfaces 18 months after discovery
(The Register) Hacker pokes new hole in secure sockets layer
(PCWorld) New Attacks Target IE7 Flaw
(PCWorld) IE8 Focuses on Improved Security and Privacy
(PCWorld) Microsoft Adds Clickjacking Protection to IE8 RC1
(PCWorld) Downloads for Hard Economic Times

Posted in Awareness, News, Philippines, social engineering, Social Networking | Tagged: , , , , , , , | Leave a Comment »