Category Archives: Security News

Static source code analysis turned on its head

Filed under Security News

If you’re into source code analysis and Web application security, then you know who Caleb Sima is. Sima, for the uninitiated, is cofounder of SPI Dynamics and the guy who helped build the popular static source code analyzer, DevInspect. SPI Dynamics was scooped up three years ago by HP, and until recently Sima had been busy handing off his pride and joy to the computing giant. He has since left HP and emerged as CEO of Taipei-based Armorize Technologies.

Armorize does source code analysis and Web application security, and is anxious to spread its influence beyond Asia into the U.S. Sima has known about Armorize for a while, meeting up annually with founders Wayne Huang and Matt Huang at the RSA Conference and learning more about their unique approach to source code analysis.

The company’s CodeSecure product turns static source code analysis on its head. Traditional tools compile and scan a whole project and then hand developers a to-do list of issues and vulnerabilities to remediate after the fact. CodeSecure instead performs real-time syntax analysis as the developer types, Sima said: like a spell-checker, it highlights problematic lines of code, and a right-click of the mouse offers suggested fixes.
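To make the spell-checker analogy concrete, here is a toy as-you-type checker for one bug class, SQL injection via string building. It is an added illustration, not CodeSecure or any Armorize code: it walks the Python syntax tree with the standard-library ast module, flags any call to a DB-API execute method whose query text is assembled at runtime, reports the line, and offers the parameterized-query fix. The two snippets it runs over are constructed for the example; the sink-method names and the suggested fix are the author’s choices, not the product’s.

```python
"""Toy 'spell-checker style' SQL-injection linter.

Added illustration, not CodeSecure or any Armorize code. It shows the shape
of an as-you-type checker: flag the vulnerable line, offer a fix. Stdlib only.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    source: str
    message: str
    suggestion: str


# Methods on DB-API cursors/connections that execute SQL text (assumed sink list).
SQL_SINKS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the expression builds a string at runtime from parts:
    concatenation, %-formatting, str.format, or an f-string."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):  # f"...{x}..."
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def check_source(src: str) -> list[Finding]:
    """Return one Finding per SQL sink whose query text is built dynamically."""
    tree = ast.parse(src)
    lines = src.splitlines()
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SQL_SINKS or not node.args:
            continue
        if _is_dynamic_string(node.args[0]):
            findings.append(Finding(
                line=node.lineno,
                source=lines[node.lineno - 1].strip(),
                message="SQL query text is assembled from runtime values (possible SQL injection)",
                suggestion='use a constant query with "?" placeholders and pass values as a '
                           'parameter tuple, e.g. cur.execute("... WHERE name = ?", (name,))',
            ))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: the kind of code a developer might be typing.
VULNERABLE_SNIPPET = '''
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchone()

def find_order(cur, order_id):
    cur.execute("SELECT * FROM orders WHERE id = %s" % order_id)
    return cur.fetchone()

def find_item(cur, sku):
    cur.execute(f"SELECT * FROM items WHERE sku = '{sku}'")
    return cur.fetchone()
'''

# The same functions after applying the suggested fix.
FIXED_SNIPPET = '''
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchone()

def find_order(cur, order_id):
    cur.execute("SELECT * FROM orders WHERE id = ?", (order_id,))
    return cur.fetchone()

def find_item(cur, sku):
    cur.execute("SELECT * FROM items WHERE sku = ?", (sku,))
    return cur.fetchone()
'''

if __name__ == "__main__":
    for f in check_source(VULNERABLE_SNIPPET):
        print(f"line {f.line}: {f.source}\n  -> {f.message}\n  fix: {f.suggestion}")
    print("findings in fixed snippet:", len(check_source(FIXED_SNIPPET)))
```

Run as a script it prints three findings (lines 3, 7 and 11 of the vulnerable snippet) and zero for the fixed one. A real checker adds taint tracking so that a dynamically built query made only of constants is not flagged; this one deliberately trades that precision for a dozen lines of logic.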

“That’s the way it should be,” Sima said. “We’re enabling developers to identify problems and give them the ability to have standards of remediation practices and standard code practices. It’s agile and that’s the way it should be. The goal is to be able to take the technology and for example, give it to a college kid with little or no experience and have him code a secure Web application.”

This runs contrary to what other security companies say about introducing security tools into the development lifecycle, Sima said.

“Security companies are shoving security into the development arena. In my viewpoint, developers shouldn’t learn anything about security. It’s not their job. Ultimately, security should be invisible to the developer; it’s the right way to get things done.”

RSA panel weighs PCI implications of cloud computing

Filed under Security News

Cloud computing takes PCI compliance into unfamiliar territory, but PCI auditors should make an effort to understand the technology, experts said during a panel discussion Wednesday at the RSA Conference 2010 in San Francisco.

“Auditors have to get used to it,” said Liam Lynch, chief security strategist at eBay. “They need to understand the technology.”

“It’s incumbent on you to avail yourself to understand the cloud environment,” Jim Reavis, executive director of the Cloud Security Alliance, told an attendee who identified himself as an auditor who wanted help in auditing an application in the cloud.

Reavis said CSA earlier this week pre-announced the availability of its Cloud Controls Matrix, a toolset of cloud security controls that map to industry regulations such as PCI and HIPAA. When the CSA releases the full toolkit, there will be 50 controls related to PCI, he said (a CSA press release said the release is scheduled for April).

“We’ll see education of QSAs [Qualified Security Assessors] regarding where standards apply to the cloud model,” he said.

Reavis also said the industry needs SAS 70 audit reports that “are scoped properly for cloud environments.”

eBay is both a consumer and producer of cloud services, and is a Tier 1 PCI compliant company, Lynch said. Regulations are important, he said, but added, “from an eBay perspective, I worry more about criminals than auditors.”

Ward Spangenberg, director of PCI and compliance at security-services firm IOActive, said one of the first things a company needs to do before moving into the cloud is to make sure the cloud provider understands its compliance requirements. A company also needs to know what data is important in their environment before moving to a cloud service, he said.

Shamir acknowledges chip-and-PIN attack as his favorite

Filed under Security News

Every year Adi Shamir, one of the inventors of the RSA algorithm, brings something new to the table at the annual RSA Conference Cryptographers’ Panel. This year he gave a shout-out to Ross Anderson, Steven J. Murdoch, Saar Drimer and Mike Bond for their work breaking chip-and-PIN authentication in payment cards. The Cambridge team released a paper in early February explaining how a man-in-the-middle device defeats the PIN check in the technology, which is widely used in Europe and Canada to authenticate both the card and the customer in a transaction.

Chip-and-PIN cards carry an embedded chip; when the card is inserted into a reader, the terminal asks the customer for a PIN. The PIN is checked by the chip itself, not by the bank’s back end, and the card authenticates itself to the terminal through a series of digital signatures and other cryptography before the transaction goes through.

Shamir said Anderson et al.’s research found that the card answers a successful PIN check with a single status word, 9000 (the “900” of Shamir’s shorthand), and that this answer is all the terminal looks at. “No matter what any other details might be, if it’s happy with the password, it sends back 900,” Shamir said. “All you have to do is replace a card with one that will always report 900 no matter what PIN is entered, and you’re done!”
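The exchange Shamir is describing, as an added simulation that is not the Cambridge team’s code: the terminal sends an EMV VERIFY command (CLA 00, INS 20, P1 00, P2 80, eight-byte plaintext PIN block) and treats the status word 9000 as “PIN verified.” An honest link forwards it to the chip; the attacker’s wedge answers 9000 itself and never lets the card see the PIN. The Card, Terminal and relay objects below are simplified stand-ins for the real devices, and the dictionary returned at the end includes the one cross-check, card record versus terminal record, whose absence the attack depends on.

```python
"""Simulation of the 'wedge' man-in-the-middle against EMV offline PIN verification.

Added example, not the Cambridge team's code. APDU framing follows the EMV
VERIFY command and status words (9000 = OK, 63Cx = wrong PIN, x tries left,
6983 = PIN blocked); the devices themselves are simplified models.
"""

SW_OK = bytes.fromhex("9000")
VERIFY_HEADER = bytes([0x00, 0x20, 0x00, 0x80])  # CLA INS P1 P2 for plaintext PIN


def pin_block(pin: str) -> bytes:
    """EMV plaintext offline PIN block: control nibble 2, PIN length, digits, F padding."""
    return bytes.fromhex(f"2{len(pin):X}{pin}".ljust(16, "F"))


def verify_apdu(pin: str) -> bytes:
    block = pin_block(pin)
    return VERIFY_HEADER + bytes([len(block)]) + block


class Card:
    """Chip side: checks the PIN and remembers whether a PIN check happened.
    That memory is what ends up in the card's own record of the transaction."""

    def __init__(self, real_pin: str, tries: int = 3):
        self.real_pin = real_pin
        self.tries = tries
        self.pin_verified = False
        self.log = []

    def process(self, apdu: bytes) -> bytes:
        self.log.append(apdu)
        if apdu[:4] == VERIFY_HEADER:
            if self.tries == 0:
                return bytes.fromhex("6983")
            if apdu[5:] == pin_block(self.real_pin):
                self.pin_verified = True
                return SW_OK
            self.tries -= 1
            return bytes([0x63, 0xC0 | self.tries])
        return SW_OK  # other commands are out of scope for this model


class Terminal:
    """Terminal side: decides 'PIN verified' purely from the status word it gets back."""

    def __init__(self, send):
        self.send = send  # function carrying an APDU towards the card
        self.cvm_result = "none"

    def verify_pin(self, entered_pin: str) -> bool:
        sw = self.send(verify_apdu(entered_pin))
        self.cvm_result = "PIN verified" if sw == SW_OK else "PIN failed"
        return sw == SW_OK


def honest_link(card: Card):
    return card.process


def wedge_link(card: Card):
    """Attacker's device between card and terminal: passes everything through
    except VERIFY, which it answers with 9000 without consulting the card."""
    def relay(apdu: bytes) -> bytes:
        if apdu[:4] == VERIFY_HEADER:
            return SW_OK
        return card.process(apdu)
    return relay


def run_transaction(real_pin: str, entered_pin: str, mitm: bool) -> dict:
    card = Card(real_pin)
    term = Terminal(wedge_link(card) if mitm else honest_link(card))
    accepted = term.verify_pin(entered_pin)
    return {
        "terminal_accepted": accepted,
        "terminal_cvm": term.cvm_result,
        "card_saw_verify": any(a[:4] == VERIFY_HEADER for a in card.log),
        "card_pin_verified": card.pin_verified,
        # The issuer-side comparison that would catch the wedge if it were made:
        "consistent": accepted == card.pin_verified,
    }


if __name__ == "__main__":
    for label, args in [("honest, right PIN", ("1234", "1234", False)),
                        ("honest, wrong PIN", ("1234", "0000", False)),
                        ("wedge, wrong PIN", ("1234", "0000", True))]:
        print(f"{label:18}", run_transaction(*args))
```

In the wedge case the terminal prints a receipt saying “PIN verified” while the card never processed a VERIFY at all, so its record says no PIN was checked; the two disagree and only a party that sees both records can notice.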

Secure cloud concept built on new Intel processor

Filed under Security News

At a press event here on the opening day of the RSA Conference in San Francisco, EMC’s security division, RSA, along with Intel and VMware unveiled a proof of concept for creating secure and compliant cloud services. An interesting aspect of this “vision” was its foundation: an upcoming server processor from Intel, code-named Westmere.

The processor features seven new instructions for accelerating encryption and decryption (the six AES-NI instructions plus PCLMULQDQ, a carry-less multiply that speeds up AES-GCM), an executive with Intel’s data center group said. It also features Intel’s Trusted Execution Technology to deliver “a new base root of trust,” he said. An RSA press release said the technology “authenticates each and every step of the boot sequence, from verifying hardware configurations and initializing the BIOS to launching the hypervisor.”
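What “authenticating each step of the boot sequence” means in practice is a chain of measurements folded into a TPM platform configuration register, which is the primitive a TXT measured launch rests on. The following is an added example, not Intel or RSA code, and it simplifies: it uses SHA-256 and a 32-byte register where a 2010-era TPM 1.2 used SHA-1 and 20 bytes, and the three boot stages and the “known good” value are constructed stand-ins for real binaries. It shows why a verifier holding one expected value catches a change to any stage, or to their order, and how the event log lets that verifier recompute the value independently.

```python
"""Measured boot in miniature: TPM-style PCR extend.

Added example; not Intel TXT or RSA code. Each boot stage is hashed and
folded into a platform configuration register as PCR = H(PCR || H(stage)).
"""
import hashlib
import hmac

PCR_RESET = bytes(32)  # PCRs start out all-zero on platform reset


def measure(stage: bytes) -> bytes:
    """Digest of one boot component (hardware config, BIOS, hypervisor, ...)."""
    return hashlib.sha256(stage).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = H(old || digest). One-way and order-dependent, so
    software that runs later cannot erase or rewrite an earlier measurement."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(stages: list[bytes]) -> tuple[bytes, list[bytes]]:
    """Run the chain; return the final PCR value plus the event log of per-stage digests."""
    pcr, log = PCR_RESET, []
    for stage in stages:
        d = measure(stage)
        log.append(d)
        pcr = extend(pcr, d)
    return pcr, log


def replay(log: list[bytes]) -> bytes:
    """What a remote verifier does with the event log: recompute the PCR from it."""
    pcr = PCR_RESET
    for d in log:
        pcr = extend(pcr, d)
    return pcr


def attest(reported_pcr: bytes, expected_pcr: bytes) -> bool:
    """Accept the platform only if its PCR equals the known-good value (constant-time compare)."""
    return hmac.compare_digest(reported_pcr, expected_pcr)


# Constructed boot chains standing in for the real components' bytes.
GOOD_CHAIN = [b"hw-config: 2 sockets, VT-x on", b"BIOS build 1.2", b"hypervisor 4.0"]
TAMPERED_CHAIN = [GOOD_CHAIN[0], GOOD_CHAIN[1], b"hypervisor 4.0 + rootkit"]

if __name__ == "__main__":
    good_pcr, log = measured_boot(GOOD_CHAIN)
    bad_pcr, _ = measured_boot(TAMPERED_CHAIN)
    print("good PCR :", good_pcr.hex())
    print("bad PCR  :", bad_pcr.hex())
    print("log replay matches good PCR:", replay(log) == good_pcr)
    print("tampered platform attests  :", attest(bad_pcr, good_pcr))
```

The value the verifier compares against is meaningful only because the first measurement is taken by something the attacker cannot modify, which is the role of the hardware root of trust the Intel executive referred to.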

Other components of the RSA/Intel/VMware concept, to be demonstrated at the conference, are security information and event management (RSA’s enVision technology) and GRC management software (from Archer Technologies, which EMC recently acquired). The idea is to give cloud services greater visibility, finer controls and streamlined compliance, the companies said.

Pat Gelsinger, president and chief operating officer, EMC Information Infrastructure Products, said the proof of concept “portends to a more secure, more compliant environment” and encompasses both public and private cloud services.

VMware is majority-owned by EMC.

FTC probes P2P corporate data leaks

Filed under Security News

An FTC investigation found financial records, driver’s license and Social Security numbers available for viewing on P2P networks. Monitor your network traffic, experts say.

The FTC this week notified nearly 100 organizations that personal information, including sensitive data on customers and employees, had leaked onto peer-to-peer (P2P) file-sharing networks.

File-sharing programs, popular first with music and now video enthusiasts, have long been treated as pariahs on corporate networks, but either weak security controls or poorly communicated security policy has evidently led to a resurgence of P2P applications on many endpoint machines. The problem, as the FTC puts it succinctly: “when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network.”

Our site security expert, Kevin Beaver, warned in a 2003 tip that P2P programs “introduce more vulnerabilities and open up more entry points to your network than many security managers ever thought possible.”

Beaver’s advice may be old, but it certainly isn’t outdated:

One of the best ways to keep up with P2P applications on your network is to know your traffic. A simple network analyzer sitting on a network hub on the public side of your firewall can show you what P2P traffic is going in and out of your network. There are P2P “air gap” and firewall products that can help control this. Some content filtering products are also now able to detect and stop P2P traffic.
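“Know your traffic” is easier said than done, so here is what the analyzer Beaver describes actually looks for. This is an added example, not Beaver’s or the FTC’s code: it classifies captured connection openings by the well-known first bytes of the BitTorrent peer handshake, tracker announce and DHT query and of the Gnutella connect line, then reports which internal hosts produced P2P traffic. The capture records are constructed (host, destination, port, first payload bytes) tuples using documentation address ranges; a real deployment would feed it from a sniffer or flow export.

```python
"""Signature-based P2P detection over captured payloads.

Added example, not Beaver's or the FTC's code. Records stand in for what a
network analyzer outside the firewall would capture; the signatures are the
documented opening bytes of each protocol.
"""
import re
from collections import defaultdict

SIGNATURES = [
    ("BitTorrent peer handshake", re.compile(rb"^\x13BitTorrent protocol")),
    ("BitTorrent tracker request", re.compile(rb"^GET /announce\?[^\r\n]*info_hash=")),
    ("BitTorrent DHT (KRPC)", re.compile(rb"^d1:ad2:id20:")),
    ("Gnutella connect", re.compile(rb"^GNUTELLA CONNECT/0\.6\r\n")),
]


def classify(payload: bytes):
    """Return the matching protocol name, or None for traffic we do not flag."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return None


def scan(records):
    """Map each internal host to the set of P2P protocols seen from it.
    Hosts with no P2P signature are omitted from the result."""
    hits = defaultdict(set)
    for host, _dst, _port, payload in records:
        name = classify(payload)
        if name:
            hits[host].add(name)
    return dict(hits)


INFO_HASH = bytes(range(20))          # constructed 20-byte torrent identifier
PEER_ID = b"-UT1850-" + b"0" * 12     # constructed client peer id

CAPTURE = [  # constructed; each payload is the first bytes of one stream
    ("10.0.0.12", "203.0.113.9", 6881,
     b"\x13BitTorrent protocol" + bytes(8) + INFO_HASH + PEER_ID),
    ("10.0.0.12", "203.0.113.80", 80,
     b"GET /announce?info_hash=%00%01%02&peer_id=" + PEER_ID
     + b"&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n"),
    ("10.0.0.31", "198.51.100.23", 6881,
     b"d1:ad2:id20:" + INFO_HASH + b"e1:q4:ping1:t2:aa1:y1:qe"),
    ("10.0.0.45", "198.51.100.77", 6346,
     b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/5.5\r\n\r\n"),
    ("10.0.0.50", "192.0.2.10", 80,
     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.50", "192.0.2.22", 22,
     b"SSH-2.0-OpenSSH_5.3\r\n"),
]

if __name__ == "__main__":
    for host, protocols in sorted(scan(CAPTURE).items()):
        print(host, "->", ", ".join(sorted(protocols)))
```

Two caveats a practitioner will already know: payload signatures miss encrypted peer connections (the tracker and DHT lookups usually still show), and the web traffic on port 80 shows why port numbers alone are not enough, since the tracker announce is ordinary HTTP.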

Businesses should take note of the FTC alert on the P2P breaches. FTC Chairman Jon Leibowitz said the FTC found health-related information, financial records, driver’s license and Social Security numbers available for viewing on P2P networks.

Leibowitz not only issued a warning to companies, but to the developers behind the file sharing programs themselves:

“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure. Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

The FTC said it was conducting an investigation into firms where customer or employee information has been exposed on P2P networks.

A webpage has also been established, Peer-to-Peer File Sharing: A Guide for Business, by the FTC to educate businesses about the problem.

How to turn off Google Buzz and avoid privacy issues

Filed under Security News

Google’s new Twitter-like tool in Gmail called Google Buzz has prompted some privacy advocates to cry foul. Here’s how to turn it off.

Google’s new Twitter-like tool, which it calls Google Buzz, was added this week to its popular Gmail webmail service. While many are praising its inclusion as an easy way to share updates with friends and family, privacy advocates are miffed over the way Google rolled out the new tool.

Gmail users were initially prompted to try Google Buzz, but even if you skip the trial, Google Buzz is turned on by default, and many of its features are enabled by default as well.

Then Google chose to have Google Buzz automatically follow certain friends and family members whom you supposedly “frequently” email in your contact list. While it seems like a helpful way to get started, the privacy issue stems from the fact that anyone you have emailed can view your followers and see who you communicate with frequently. All they need to do is visit your publicly available profile. I didn’t even realize my information was public until I learned that I was being followed by my wife and several others in my contact list.

Cnet video podcaster Molly Wood explains some of the other initial Google Buzz privacy issues in this blog post and explains why she’s turning off the feature. Wood says it immediately attempted to share some of the photos on her Android phone – photos which she had not uploaded. In addition, though it’s not turned on by default, Google Buzz has a feature that can broadcast your location to your followers.

While Gmail is used frequently for personal email, some small businesses and even midsize companies use the webmail service for primary business email to cut down on costs. I’m sure having contact lists automatically broadcast to others wouldn’t sit well with those users.

Here’s how to turn off Google Buzz:

  1. Log into Gmail
  2. Scroll down to the very bottom of the page.
  3. Click the link that says “Turn off Google Buzz.”

That’s it. It’s that easy. There are ways to turn off individual features, but Google hasn’t made those settings easy or intuitive for users to find and edit. The surest way to protect your privacy is to turn off the service.

Torrent phishing scheme trips up Twitter users

Filed under Security News

Attacker steals torrent site account passwords and attempts to access Twitter, other social networks.

If you signed up for an account on a torrent forum or website and use the same or similar passwords for other accounts, change your passwords now. A savvy attacker has been skimming passwords from users of a number of torrent sharing sites he created and using the credentials to try to break into Twitter and other third-party sites.

Torrent sites were made popular by people who wanted to share music files in the early 2000s. The BitTorrent protocol lets users “seed” files and exchange small pieces of large files among themselves. In the early days it was difficult for a non-technical user to tweak network settings and load a torrent file, but newer clients have automated that process. Today torrents are most popular for sharing movies and television shows, though the legality of this is in question.

Twitter said it detected anomalies in several Twitter accounts that showed a surge in follower activity. Further investigation led to the discovery of the phishing scheme. As a precaution, Twitter temporarily suspended anyone following the suspicious accounts until they reset their account credentials.

In a post on the Twitter Status Blog, Del Harvey, Twitter’s director of trust and safety, said the hacker is suspected of building a number of torrent sharing forums and torrent websites that require users to sign up for an account. The sites were sold to other people, but they were riddled with holes: malicious code and backdoors that let the hacker skim the account credentials of users who signed up for the sites he built.

This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up. Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information.

Harvey warned users to change their passwords if they signed up for a torrent forum or torrent site.

Torrent sites aren’t exactly ‘new’; however, this is one of the first times that we’ve seen an attack that came from this vector. … We felt that it was important to put this knowledge out there so that users would know of the possibility of compromise of their data by a third party unrelated to their Twitter account.

The scary part of all this is that it appears that the hacker had been using the scheme for “a number of years,” according to Harvey. So if you think you may have signed up for a torrent site a number of years ago, go back and address your passwords now.

Another ongoing issue is that people use the same email address and password across multiple sites, Harvey said. Security experts have long warned against this. A number of password management programs, including some smartphone applications, help users create a strong, unique password for each site and store it securely. They take some getting used to, but using one avoids exactly this kind of headache.
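From the receiving site’s side, stolen forum credentials being replayed against its own login leave a recognizable trace: one source trying many different usernames in a short window, most of them failing, with the occasional success where a user reused a password. The detector below is an added example, not Twitter’s logic (the post above only says Twitter noticed follower-activity anomalies). The log line format is the author’s, the log lines are constructed, and the addresses come from the RFC 5737 documentation ranges. For a flagged source it lists the accounts that source logged into successfully; those are the users to suspend until they reset, which is the action Twitter describes.

```python
"""Credential-stuffing detection over authentication logs.

Added example; not Twitter's detection logic. Log format and sample lines
are constructed; a flagged source's successful logins are the accounts
whose reused passwords should be reset.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(lines):
    """Yield one event dict per well-formed login line; ignore everything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag sources that, within any `window`, tried at least `min_users`
    distinct usernames with a failure ratio of at least `min_fail_ratio`."""
    by_src = defaultdict(list)
    for ev in parse_log(lines):
        by_src[ev["src"]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:  # slide the window start forward
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fail_ratio = sum(e["result"] == "fail" for e in win) / len(win)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                flagged[src] = {
                    "distinct_users": len({e["user"] for e in evs}),
                    "attempts": len(evs),
                    "force_reset": sorted({e["user"] for e in evs if e["result"] == "ok"}),
                }
                break  # one window is enough to flag this source
    return flagged


SAMPLE_LOG = """\
2010-02-03T10:00:00 login src=203.0.113.5 user=alice result=fail
2010-02-03T10:00:15 login src=203.0.113.5 user=bob result=ok
2010-02-03T10:00:30 login src=203.0.113.5 user=carol result=fail
2010-02-03T10:00:40 login src=198.51.100.7 user=alice result=fail
2010-02-03T10:00:45 login src=203.0.113.5 user=dave result=fail
2010-02-03T10:00:52 login src=198.51.100.7 user=alice result=ok
2010-02-03T10:01:00 login src=203.0.113.5 user=eve result=ok
2010-02-03T10:01:15 login src=203.0.113.5 user=frank result=fail
2010-02-03T10:01:30 login src=203.0.113.5 user=grace result=fail
2010-02-03T10:01:45 login src=203.0.113.5 user=heidi result=fail
2010-02-03T10:02:00 logout src=198.51.100.7 user=alice
2010-02-03T10:03:10 login src=198.51.100.9 user=ivan result=ok
""".splitlines()

if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

The legitimate user who mistypes once and then succeeds is not flagged because a single username never meets the distinct-user threshold; the thresholds themselves are tuning knobs, and attackers who spread attempts across many source addresses defeat a per-source rule, which is why production systems also key on user agent, ASN and per-account failure rates.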

Popular Password Management Programs:
Here are links to popular password management programs. I don’t advocate any one program. This is an area to be especially careful. Do a search for reviews to find the right one that meets your needs:

Sxipper: Firefox add-on.

RoboForm: Windows-based, but provides online access for Mac and Linux users.

1Password: Popular Mac-based password management.

KeePass: Open source light-weight password manager.

Aurora Password Manager: Windows-based with full encryption capabilities.

SplashID: iPhone and BlackBerry password manager.

eWallet: iPhone password manager.

Ascendo DataVault: Supports BlackBerry, iPhone and Windows desktops.

Cisco Releases Security Advisory for Unified MeetingPlace

Filed under Security News

Cisco has released a security advisory to address multiple vulnerabilities in Unified MeetingPlace. These vulnerabilities may allow a remote, unauthenticated attacker to obtain sensitive information, manipulate configuration data, create unauthorized accounts, operate with elevated privileges or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Cisco security advisory cisco-sa-20100127-mp and apply any necessary updates to help mitigate the risks.

Google Releases Chrome 4.0.249.78

Filed under Security News

Google has released Chrome 4.0.249.78 for Windows to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, bypass security restrictions, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and update to Chrome 4.0.249.78 for Windows to help mitigate the risks.