Blog

  • Google to offer secure WiFi VPN

    I could access the page, then it went away… Google Secure Access is a downloadable client application that allows users to establish a more secure WiFi connection. By using Google Secure Access, your internet traffic will be encrypted, preventing others from viewing the information you transmit.

  • Hotel Access Cards Contain Credit Card Information

    What's scary is how easy it is for even a novice to steal this information. He says he bought a $39 card reader at a local retail store and plugged it into his laptop's USB port. Now when he scans a card, the device inputs the data directly into an open Excel or Word document.

  • Hardening Windows XP

    A short, but good, tutorial on Hardening Windows XP Professional.

  • Home-made HoneyMonkey: HoneySpider

    In my quest to find more viruses, trojans, and worms (which I find fascinating) I started building my own HoneyMonkey server which I call a “HoneySpider.”

    What the hell is a HoneyMonkey?

    You've heard of HoneyPots, right? A server that is set up to trick and track potential malicious hackers who think they have found the goods but have in fact been seduced by a decoy. Brilliant defense, however it is very passive, as you must wait for the bastard hackers to come to your decoy system. The HoneyMonkey is active in that it actively locates sites, pages and weblinks that seek to exploit systems. Microsoft's Strider HoneyMonkey Exploit Detection system is a great evolutionary step toward a proactive method of Internet security (something I've been waiting for a while). It actually crawls the web to locate these evil boxes and maps out their location on the Web.

    I thought the concept seemed pretty self-explanatory: set up a server that crawls the web specifically looking for offending sites. This can be done with an old box you happen to have lying around and a web crawler like Zeus.

    I'm still working on it. I'll keep you posted.

  • Why Corporations Need to Worry About Phishing

    Phishing is a relatively new form of online fraud that focuses on fooling the victim into providing sensitive financial or personal information to a bogus website that bears a significant resemblance to a tried and true online brand. Typically, the victim provides information into a form on the imposter site, which then relays the information to the fraudster.

    To view examples of phishing emails go to:

    * Citibank: www.ciphertrust.com/images/example_citibank.gif
    * US Bank: www.ciphertrust.com/images/example_usbank.gif

    Although this form of fraud is relatively new, its prevalence is exploding. From November 2003 to May 2004, Phishing attacks increased by 4000%. Compounding the issue of increasing volume, response rates for phishing attacks are disturbingly high, sometimes as high as 5%, and are most effective against new internet users who are less sophisticated about spotting potential fraud in their inbox.

    Corporations should be concerned with the following four issues:

    * Protecting employees from fraud
    * Reassuring and educating customers
    * Protecting their brand
    * Preventing network intrusions and dissemination of trade secrets

    A failure to succeed in any of these areas could be catastrophic to a company’s ability to function in the marketplace. If employees are not protected, the company could be held accountable for not putting protections in place to prevent fraud. If a hacker impersonates a company, then the company’s reputation and brand may be tarnished or ruined because customers feel that they can no longer trust the organization with their sensitive information. And finally, the latest trend in phishing has been to socially engineer employees or business partners to divulge sensitive trade secrets to hackers. The implications of employee login information getting into the wrong hands could result in grave consequences once hackers are able to “log in” to an employee’s network account using VPN or PC Anywhere software.

    Protecting Employees from Phishing

    One of the best ways to protect employees from Phishing is to prevent spam from ever getting to the user’s inbox. Since most phishing attacks proliferate through unsolicited e-mail, spam filtering technologies can be very effective at preventing the majority of phishing attempts.

    New technologies are also available to help prevent phishing. One such technology offered as a standard by Microsoft and supported by CipherTrust is the Sender ID Framework (SIDF), which prevents spammers from obfuscating their IP address by verifying the source of each email.

    Of course, spam filtering and SIDF cannot solve the problem entirely. Many phishing attacks are actually sent on an individual basis to users not protected by cutting edge spam detection technologies. Other attacks are distributed through online email accounts such as Yahoo! Mail, Gmail, MSN, and others. In short, technology alone cannot solve the phishing problem. Employees must be educated about phishing and how to spot fraudulent emails and websites.
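    As an added illustration of the source-verification idea behind SIDF (example code written for this page, not CipherTrust's or Microsoft's implementation), the following Python evaluator derives the Purported Responsible Address from the message headers, prefers a spf2.0/pra record and falls back to v=spf1, and checks the connecting IP against ip4 and include mechanisms. The zone data, domains, headers and IP addresses are all constructed; a real checker would query DNS and implement the full RFC 4406/4407 mechanism set (a, mx, exists, macros), which this one reports as permerror.

```python
import ipaddress
import re
from email.utils import parseaddr

# Constructed TXT records standing in for DNS lookups (not real domains or policies).
ZONE_TXT = {
    "bank.example": ["spf2.0/pra,mfrom ip4:192.0.2.0/24 include:mail.example -all"],
    "mail.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "shop.example": ["v=spf1 +all"],  # authorises every sender: a worthless policy
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def purported_responsible_address(headers):
    """Sender ID's PRA: the first populated header in this priority order
    (simplified from RFC 4407, which also handles multiple Resent-* blocks)."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if headers.get(name):
            return parseaddr(headers[name])[1]
    return None


def lookup_policy(domain, scope="pra"):
    """Prefer a spf2.0 record whose scope list covers `scope`; fall back to v=spf1."""
    records = ZONE_TXT.get(domain, [])
    for rec in records:
        m = re.match(r"spf2\.0/([a-z,]+)", rec)
        if m and scope in m.group(1).split(","):
            return rec
    for rec in records:
        if rec.startswith("v=spf1"):
            return rec
    return None


def evaluate(domain, sender_ip, depth=0):
    """Check whether sender_ip is authorised by `domain`'s published policy.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:
        return "permerror"  # runaway include: chain
    policy = lookup_policy(domain)
    if policy is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in policy.split()[1:]:  # skip the version/scope token
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            inner = evaluate(term[len("include:"):], sender_ip, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner == "permerror":
                return "permerror"
        else:
            return "permerror"  # a, mx, exists and macros are not implemented here
    return "neutral"


def check_message(headers, connecting_ip):
    """Return (pra_domain, result) for a received message."""
    addr = purported_responsible_address(headers)
    if not addr or "@" not in addr:
        return (None, "none")
    domain = addr.rpartition("@")[2].lower()
    return (domain, evaluate(domain, connecting_ip))


if __name__ == "__main__":
    # Constructed message: From: claims the bank, but it arrived from an unrelated address.
    suspect = {"From": '"Bank Alerts" <alerts@bank.example>', "Reply-To": "help@mail.example"}
    print(check_message(suspect, "203.0.113.7"))
```

    A message whose PRA domain publishes "-all" and whose connecting IP is not listed evaluates to fail, which is what a gateway acts on; the "+all" case shows why a published record is only as useful as the policy it expresses, and the Sender header case shows that PRA follows the responsible header rather than the displayed From.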

    Reassuring and Educating Customers

    Once a consumer receives a fraudulent email that appears to come from a trusted company, he or she may never trust that company’s email communications again. That is damage that is not easily undone. It is essential that organizations communicate openly and frequently about how customers can identify legitimate email communications, and the need to report fraudulent ones. For those organizations that frequently process consumer credit card transactions, it is recommended that a special section of the site be devoted to helping customers avoid fraud.

    Companies that make efforts to educate their customers about phishing are much less attractive targets than those who make no efforts at all. Some examples of organizations that have developed extensive policies around this issue are:

    * USBank
    * Wells Fargo Bank
    * Ebay and PayPal
    * Citibank

    Protecting the Company Brand

    Each time a phishing attack is launched, a legitimate company’s trademark is tarnished and brand equity is eroded. The more attacks a company suffers, the less consumers feel they can trust the company’s legitimate email communications or websites. The value of this trust is difficult to quantify – at least until a company begins to lose customers. When customers no longer trust the company’s ability to protect their personal information, they often defect to competitors or opt to use more expensive commercial options such as telesales or retail locations.

    Clearly, the goal is to convince the fraudsters that your customers will not fall for the scam. This is why having an obvious anti-phishing program that is public for all to see can be very effective. The fraudsters tend to follow the path of least resistance. Seeing that customers are well informed of how to avoid phishing attacks, the perpetrators simply turn their attention to other “softer” targets.

    Preventing Network Intrusions and Dissemination of Trade Secrets

    Employees must be educated not only about phishing generally, but also about how fraudsters might use social engineering and other methods to entice employees to divulge sensitive information to hackers outside the organization.

    With little knowledge of an organization’s business methods, hackers can easily distribute hundreds or even thousands of spoofed messages to an organization’s employees. The messages may ask for network passwords and usernames, or may attempt to fool employees into providing sensitive information to competitors.

    It is important to properly train employees about what information is appropriate to share through email, and specifically what steps employees should take if they are unsure about the authenticity of a request for information.

    Information gleaned by fraudsters from corporate networks can be used in a variety of nefarious ways. In the financial services industry, criminals can use credit cards to deduct money straight from accounts of unsuspecting victims. Many other organizations hold private healthcare information, or personal financial information that could be used by criminals to extort payoffs from corporations wishing to avoid the bad publicity of a security breach becoming public knowledge.

    Though deflecting this attack does involve a significant amount of education, content filtering on outbound e-mail traffic can flag suspicious communications. Matching regular expressions for patterns such as social security numbers and account numbers can prevent a simple deception from becoming a major liability issue.
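    As an added example of the outbound check just described (written for this page, not CipherTrust's IronMail or any code from the article), the Python below scans constructed outbound messages for US social security numbers and payment card numbers. Card candidates are confirmed with the Luhn mod-10 check so that invoice and order numbers of similar length are not flagged, and findings are returned masked so the filter's own log does not become a second copy of the data. The message names and contents are constructed sample input.

```python
import re

# Constructed outbound messages for the demo (not real data).
SAMPLE_OUTBOUND = {
    "reply-to-vendor.eml": (
        "Hi, per your request my SSN is 123-45-6789 and the corporate card "
        "is 4111 1111 1111 1111, exp 09/07. Thanks!"
    ),
    "invoice.eml": "Invoice 4111 1111 1111 1112 attached; PO 2005-09-1234 approved.",
    "newsletter.eml": "Quarterly update: revenue up 12%, headcount 450.",
}

# US SSN in AAA-GG-SSSS form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn mod-10 check: drops long numbers that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_message(body):
    """Return (kind, masked_value) for every SSN and Luhn-valid card number in body."""
    findings = []
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def filter_outbound(messages):
    """Map message name -> findings for every message that should be held for review."""
    held = {}
    for name, body in messages.items():
        findings = scan_message(body)
        if findings:
            held[name] = findings
    return held


if __name__ == "__main__":
    for name, findings in filter_outbound(SAMPLE_OUTBOUND).items():
        print(name, findings)
```

    The Luhn check removes most accidental matches but not all of them: roughly one in ten random digit strings of the right length passes it, so a production filter would also weight on context words (“card”, “SSN”, “account”) and route hits to a reviewer rather than silently dropping mail.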

    What to Do If You Are the Victim of a Phishing Scam

    If you become aware of fraudsters imitating your organization to commit phishing fraud, you should:

    * Immediately educate your customers on how they can correctly identify the phish

    * Notify the authorities of your situation. Phishing Fraudsters may have violated all or some of the following Federal Laws:

    — 18 U.S.C. 1028(a)(7) – Identity Theft
    — 18 U.S.C. 1343 – Wire Fraud
    — 18 U.S.C. 1029 – Credit-card Fraud
    — 18 U.S.C. 1344 – Bank Fraud
    — 18 U.S.C. 1030 (a)(4) – Computer Fraud
    — 18 U.S.C. 1037 – CAN-SPAM Act
    — 18 U.S.C. 1028(a)(5) – Damage to computer systems and files

    * Prosecute the criminals – when Spammers use your trademarks to commit fraud, they are violating U.S. Trademark laws as well as anti-fraud laws. Your organization has the right to defend its mark in court.

    If you find that you are personally the victim of a phishing scam, then you should identify what information was compromised and then:

    * If the fraudster obtained your Bank Account, Credit, ATM or Debit Card information:

    — Report the theft to your card issuer, and cancel the account

    — Check your statements for any unauthorized charges and follow up with your financial institution regarding their procedures for minimizing your liability to the charges

    * If the fraudster has obtained your personal identification information:

    — Contact the credit reporting agencies (Experian, Equifax and Trans Union)

    — Request that a fraud alert be placed on your record

    — Request a copy of your credit report and follow up on any unauthorized credit inquiries

    — Request that unauthorized credit inquiries be erased from your record

    — Notify your bank of potential fraud

    — File a police report with your local police department

    — File a report with the Social Security Administration

    — Notify the Department of Motor Vehicles and determine if an unauthorized driver’s license number has been issued in your name

    — Notify the Federal Trade Commission (www.ftc.gov)

    — File a complaint with the Internet Fraud Complaint Center (www.ifccfbi.gov/index.asp)

    Additional Internet Fraud Sites:

    * www.cybercrime.gov

    * www.consumer.gov/idtheft/

    * www.identity-theft-help.us/

    * www.identitytheft.org/

    * www.usdoj.gov/criminal/fraud/idtheft.html

    * www.usdoj.gov/criminal/fraud/idquiz.html

    * www.ifccfbi.gov/index.asp

    Dr. Paul Judge is a noted scholar and entrepreneur. He is Chief Technology Officer at CipherTrust, the industry's largest provider of enterprise email security. The company’s flagship product, IronMail, provides a best-of-breed defense against phishing attacks and other email-based threats. Learn more by visiting http://www.ciphertrust.com today.

  • Browser Security Test

    Scanit's Browser Security Test automatically checks your browser for various security problems. When the test is finished you get a complete report explaining the discovered vulnerabilities, their impact and how to eliminate them.

  • Multiple Linksys WRT54G Vulnerabilities

    Several severe flaws have been recently discovered with Linksys WRT54G wireless routers. If you have one, patch it up now.

  • List of Common and Bad Passwords

    Huge list of commonly used, bad passwords. If you use any of these passwords, it may be a good idea to change it ASAP. Dictionary words make bad passwords!

  • Hacking Threats and Protective Security

    Written by Michael Hart

    The 1998 Data Protection Act was not an extension to, but rather a replacement which retains the existing provisions of the data protection system established by the 1984 legislation. The Act was to come into force from 24 October 1998 but was delayed until 1st March 2000.

    In addition to data, manual records were to be brought within the terms of the new data protection system, thus allowing subject access rights to such records.

    Due to the allowances made for existing institutions to be brought into compliance with the new legislation, manual data processing that began before 24 October 1998 was to comply with the new subject access accommodations of the Act until 2001.

    Now, 4 years later, there are still unresolved issues such as the security threats presented by computerisation; these can be broadly divided into 3 categories:

    Incompatible usage:
    Where the problem is caused by an incompatible combination of hardware and software designed to do two unconnected but useful things, which creates weak links between them that can be compromised into doing things which they should not be able to.

    Physical:
    Where the potential problem is caused by giving unauthorised persons physical access to the machine, which might allow a user to perform actions that they should not be able to.

    Software:
    Where the problem is caused by badly written items of “privileged” software which can be compromised into doing things which they should not be able to.

    Security philosophy:
    A system's security implementations (software, protected hardware, and compatible) can be rendered essentially worthless without appropriate administrative procedures for computer system use.

    The following details the results of the threat analysis. If a computer system was set up to mimic the current running of the health practice, the following considerations should be understood:

    Assets To Be Protected:
    That due to the nature of the institution, stable arrangements would need to be made to protect the:

    Data: Programs and data held in primary (random access and read only memory) and secondary (magnetic) storage media.

    Hardware: Microprocessors, communications links, routers, and primary / secondary storage media.

    Security Threats:
    The following details the relevant security threats to the institution and the more common causes of security compromise.

    Disclosure:
    Due to the sensitive nature of the information to be stored and processed, and the more stringent requirements of the new data protection legislation, all reasonable precautions must be taken to insure against this threat.

    Attackers:
    Although the vast majority of unauthorized access is committed by hackers to learn more about the way computer systems work, cracker activities could have serious consequences that may jeopardize an organisation due to the subsequent violation of the seventh data protection principle, i.e. that personal data shall be surrounded by proper security.

    The staff:
    It is widely believed that unauthorized access comes from the outside; however, 80% of security compromises are committed by hackers and crackers internal to the organisation.

    Operators:
    The people responsible for the installation and configuration of a system are of critical risk to security, inasmuch as they may:

    [1] Have unlimited access to the system thus the data.

    [2] Be able to bypass the system protection mechanisms.

    [3] Commit their passwords for your system to a book, or loose notes.

    [4] Tend to use common passwords on all systems they create, so that a breach on one system may extend to others.

    The data subject:
    The data subject invoking the right to access personal data creates a breach in security by definition. To comply with such a request the data must be ‘unlocked’ to provide access to it, thus creating additional risks to security, inasmuch as:

    [1] If copies have to be made, this will normally be by clerical staff who would not normally have such rights themselves.

    [2] The copies may go astray whilst being made available.

    [3] Verification of the identity of the data subject becomes very important.

    Software:
    Many businesses have database applications that are typically designed to allow one or two staff to handle a greater workload. Therefore such software does not allow validation (confirming that data entries are sensible) of the details the staff enter.

    This is a critical security risk as it allows basic acts of fraud to be committed, such as bogus data entry (entering additional unauthorised information).

    Importance Of Good Security:
    Data is valuable in terms of time and money spent on gathering and processing it. Poor or inadequate system protection mechanisms can lead to malicious computer system attacks (illegal penetration and use of computer equipment).

    One or more devious, vandalising crackers may damage a computer system and/or data; such damage could have serious consequences, other than the subsequent violation of the seventh data protection principle, that may jeopardize the organisation. For example:

    Loss of information:
    Which can cost money to recreate.

    False information:
    With possible legal action taken.

    Bad management:
    Due to incorrect information.

    Principles Of Computer Security:
    The publication and exploration of inefficiencies and bugs in security programs that exist in all complex computer programs (including operating systems), methods of entry and ease of access to such technical information has meant that a system is only as secure as the people who have access to it, and that good system security cannot be guaranteed by the application of a device or operating system.

    Computerisation:
    Media reports that draw public attention to the security threats inherent in the nature of programmable technology and the safety of individuals' information have given rise to situations where institutions entrusted with sensitive information need to spend as much time and energy gaining public trust in such systems as they do in providing services.

    Although this scenario does not yet apply to the health industry, inasmuch as the public are not yet the end users of the system, such social impressions must be considered:

    This leads us to the question: if life with computers is so wondrous, how do you leave it? Simply flip a switch and everything will shut down, and you can explore the marvels of the outside world. Computers are only tools and, just like an electric screwdriver, computers can save time and effort without taking anything away from you. All you have to decide is when you want to use a computer and when you don't; you're still in complete control of your life.

    Principles Of Inference:
    One of the new concepts introduced by the data protection legislation is ‘inference’, and data is now regarded as itself sensitive if sensitive data can be inferred from it. For example, if an estate agent displays complete details about one terraced house, you can infer what the neighbouring house is like. In a medical practice, full patient details about three members of a family could probably allow you to construct the details of a fourth.

    This must be linked to the proposition that, in the last 10 years or so, more information has been stored about individuals than in all of previous history, and, because of computerisation, all of that information is capable of being pulled together from the different organisations (banks, stores, state, etc.) which hold it.

    Right To Privacy:
    It can be seen that the statement ‘The processing of personal computerised data represents a threat to the individual’s right to privacy’ is well founded. Unfortunately, until now, there has been no statutory right in English law to personal privacy.

    For this reason, a right to privacy of that information has been set into the data protection legislation, and it is only such legislation that prevents complete dossiers from being compiled on any given individual.

    Health professionals are exempted from the need for prior approval before processing personal information, for example, as it is clear the health of the individual overrides the individual’s right to privacy, and the consent can be taken for granted.

    This does not prevent health professionals from having the full burden of protecting that information from unauthorised access, specifically due to the higher obligations placed on them by the Hippocratic oath, which states that a member of the medical profession should respect the secrets which are confided to them, even after the patient has died.

    However, as can be seen from the exemptions and exceptions, a difficult balance has to be achieved between the right to privacy and the needs of the individual (and/or the organisation).

    In the case of any entity or practice, the data subject’s rights to the protection of the data that relates to them creates a conflict of interests between them and the practice, inasmuch as the complex security system needed for this requires extra administration, and the navigation of a complex system every time data is needed may place extra stress on the staff, both things the management may wish to avoid.

    © I am the website administrator of the Wandle industrial museum (http://www.wandle.org), established in 1983 by local people to ensure that the history of the valley was no longer neglected, and to enhance awareness of its heritage for the use and benefit of the community.

  • NR-KPP stands for Net Ready Key Performance Parameters

    NR-KPP stands for Net Ready Key Performance Parameters.
    Net Ready is the ability to have immediate access to mission or business essential information. Like the term Netcentric, Net Readiness is the full exploitation of the Internet and/or Intranet whether the organization's primary mission is business, volunteerism or warfare.

    So Net Ready Key Performance Parameters refers to evaluating the “net readiness” of a given information system or organization.

    Formal Definition:
    NR-KPP was developed to assess net-ready attributes required for both the technical exchange of information and the end-to-end operational effectiveness of that exchange. The NR-KPP replaces the Interoperability KPP, and incorporates net-centric concepts for achieving Information Technology (IT) and National Security System (NSS) interoperability and supportability.

    What are the elements within the Net Ready Key Performance Parameters?

    Net Centric Operations and Warfare Reference Model (NCOW RM) Compliance Statement

    Information Assurance (IA) Accreditation Compliance Statement

    Your guide on creating the NR-KPP will be the CJCSI 6212, Interoperability and Supportability on National Security Systems:

    Net-Ready Key Performance Parameter. All Information Support Plans (ISP) for systems that exchange information with other systems will contain a Net-Ready KPP. For all ISPs with an associated approved JCIDS CDD or CPD capabilities document, the ISP can refer to the associated CDD/CPD. ISPs for CRDs, ORDs, non-ACAT and fielded systems will include the NR-KPP in the ISP.

    The NR-KPP will consist of the following:
    a. AV-1, OV-2, OV-4, OV-5, OV-6C
    b. SV-4, SV-5, SV-6
    c. TV-1 generated from DISR online
    d. Applicable CRD crosswalk (See Table D-3)
    e. Initial LISI Profile (Interface Requirements Profile) See Enclosure K
    f. NR-KPP statement. (Table I-1)
    g. IA Statement of Compliance
    h. Key Interface Profile (KIP) Declaration (list of the KIPs that apply to the system)

    Key Interface Profiles (KIPs) Compliance Statement

    Reference:
    CJCSI 6212, Interoperability and Supportability on National Security Systems
    -> http://www.teao.saic.com/cbrtraining/docs/CJCSI_6212_01.pdf

    Net Ready -> http://del.icio.us/tag/%22net%2Bready%22
    More on NR-KPP -> http://del.icio.us/tag/%22nr%2Bkpp%22

    http://del.icio.us/rss/tag/netcentric