<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Secure Today</title>
	<atom:link href="http://www.securetoday.net/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securetoday.net</link>
	<description>Protecting your own for the future</description>
	<lastBuildDate>Wed, 22 Dec 2010 17:10:38 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Tips for creating strong password</title>
		<link>http://www.securetoday.net/2010/12/tips-for-creating-strong-password/</link>
		<comments>http://www.securetoday.net/2010/12/tips-for-creating-strong-password/#comments</comments>
		<pubDate>Wed, 22 Dec 2010 17:10:38 +0000</pubDate>
		<dc:creator>SecureToday.net Admin</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=208</guid>
		<description><![CDATA[This post is from Help Net Security, a great resource for News, Articles and information on Security. Visit Help Net Security and subscribe or follow their tweets. This post is located here.
To ensure consumers stay safe online and enjoy this holiday season, Check Point outlines practical tips for creating a strong password.


Choose a password that [...]]]></description>
			<content:encoded><![CDATA[<p><em>This post is from Help Net Security, a great resource for News, Articles and information on Security. Visit <strong><a href="http://www.net-security.org/">Help Net Security</a></strong> and subscribe or follow their tweets. This post is located <a href="http://www.net-security.org/secworld.php?id=10356" target="_blank">here</a>.</em></p>
<p>To ensure consumers stay safe online and enjoy this holiday season, Check Point outlines practical tips for creating a strong password.</p>
<p><img class="alignleft" title="Password" src="http://www.net-security.org/images/articles/password2.jpg" alt="" width="398" height="142" /></p>
<ul>
<li>Choose a password that is at least 8 to 10 characters long. This should be long enough to prevent brute force attacks, since brute force attacks consist of trying every possible code, combination, or password until the right one is found.</li>
<li>Make sure your password is difficult to guess. Do not use names of any kind, including your login name, a family member’s name or a pet’s name. Also avoid using personal information such as a phone number, birthday or place of birth.</li>
<li>Avoid words that can be found in the dictionary. With the availability of online dictionaries it is easy for someone to write a program to test all of the words until they find the right one.</li>
<li>Stay away from repeated characters or easy-to-guess sequences. For example: 77777, 12345, or abcde.</li>
<li>Choose a password that is a mixture of numbers, letters and special characters. The more complex and random it is, the harder it will be for a malicious person to crack.</li>
<li>Use fragments of words that will not be found in a dictionary. Break the word in half and put a special character in the middle.</li>
<li>Choose different and unique passwords for all of the important sites.</li>
<li>Change your passwords often. Even if someone cracks the system password file, the password they obtain is not likely to last long.</li>
<li>Use a reliable password protection solution.</li>
</ul>
<p>To get more insight on how people create poor passwords, take a look at this <a href="http://www.net-security.org/secworld.php?id=8742">analysis of 32 million breached passwords</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2010/12/tips-for-creating-strong-password/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to avoid rogue security software</title>
		<link>http://www.securetoday.net/2010/02/how-to-avoid-rogue-security-software/</link>
		<comments>http://www.securetoday.net/2010/02/how-to-avoid-rogue-security-software/#comments</comments>
		<pubDate>Thu, 25 Feb 2010 16:23:45 +0000</pubDate>
		<dc:creator>SecureToday.net Admin</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=199</guid>
		<description><![CDATA[What can you do to help prevent the spread of rogues and make sure that rogue  software vendors stop profiting from their unscrupulous business?  Follow these tips below to tell what&#8217;s real and what&#8217;s not when it comes  to security software – and share them with friends and family who may  [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><a href="http://www.securetoday.net/wp-content/uploads/2010/02/shield.jpg"><img class="alignleft size-full wp-image-200" title="shield" src="http://www.securetoday.net/wp-content/uploads/2010/02/shield.jpg" alt="" width="100" height="112" /></a>What can you do to help prevent the spread of rogues and make sure that <a href="http://www.net-security.org/malware_news.php?id=1240">rogue  software</a> vendors stop profiting from their unscrupulous business?  Follow these tips below to tell what&#8217;s real and what&#8217;s not when it comes  to security software – and share them with friends and family who may  be vulnerable to rogue threats.</p>
<p style="text-align: justify;"><strong>1.</strong> Do not fall for scare tactics. While browsing sites, be  cautious of pop-ups warning you that your system is infected and  offering a product to clean it up. Never pay for a program that  installed itself to your computer. This is a hallmark of rogue software.</p>
<p style="text-align: justify;"><strong>2.</strong> Use security software with real-time protection and keep it up-to-date. If you know that you have anti-virus, anti-spyware, and a firewall on your PC, you can safely ignore security alerts you receive that do not come from your chosen security software provider. (Rogue security software will often try to lure computer users by using legitimate-looking pop-up messages that appear to be security alerts.) Also, most anti-malware programs will help keep you protected from rogues because they can detect and remove these programs.</p>
<p style="text-align: justify;"><strong>3.</strong> Access experts at security forums and ask about the software  you are considering before you decide to purchase it.</p>
<p style="text-align: justify;"><strong>4.</strong> Read the software reviews at reputable sites like  Download.com. Do not blindly trust individual sites offering security  products.</p>
<p style="text-align: justify;"><strong>5.</strong> Ask knowledgeable friends and family members about quality  software they use. Keep in mind that when you search for trustworthy  security software online, rogue products can, and often do, appear in  the search results list.</p>
<p style="text-align: justify;"><strong>6.</strong> Practice online skepticism. Be aware that rogue security  software does exist on the Web, and be vigilant about avoiding it. These  programs are designed to appear genuine &#8211; meaning they may mimic  legitimate programs, use false awards and reviews to rope you in, or  employ other deceptive tactics. It’s also a good idea to familiarize  yourself with common phishing scams, and to be cautious of links in  e-mail messages and on social networking sites.</p>
<p><em>Author: Erin Earley, editor of Lavasoft News.</em></p>
<p><em>&#8212;</em></p>
<p><em>NOTE: Original article is posted on Help Net Security website: <a href="http://www.net-security.org/malware_news.php?id=1245" target="_blank">http://www.net-security.org/malware_news.php?id=1245</a>. You can subscribe to their news for up-to-date security news and articles. </em><br />
<em>Follow us on Twitter: @<a href="http://twitter.com/securetoday">securetoday</a>.<br />
</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2010/02/how-to-avoid-rogue-security-software/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Running outdated OS and applications? You are inviting risk!</title>
		<link>http://www.securetoday.net/2010/02/running-outdated-os-and-applications-you-are-inviting-risk/</link>
		<comments>http://www.securetoday.net/2010/02/running-outdated-os-and-applications-you-are-inviting-risk/#comments</comments>
		<pubDate>Fri, 05 Feb 2010 20:02:57 +0000</pubDate>
		<dc:creator>Anand Harikrishnan, CEH</dc:creator>
				<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=194</guid>
		<description><![CDATA[Most organizations have spent enormous effort and money to bring up the defenses against external attacks. Equally important is how we secure our internal assets from various threats on an ongoing basis. The presence of unsupported operating systems &#38; applications within the enterprise is one such great threat which is often neglected or missed out. [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><span style="font-family: Calibri;"><strong>M</strong>ost organizations have spent enormous effort and money to bring up the defenses against external attacks. Equally important is how we secure</span><span style="font-family: Calibri;"> our internal assets from various threats on an ongoing basis. The presence of unsupported operating systems &amp; applications within the enterprise is one such great threat which is often</span><span style="font-family: Calibri;"> neglected or missed out. </span></p>
<p style="text-align: justify;"><span style="font-family: Calibri;">In the recent global Conficker outbreak, many customers had infections on unsupported OS, which were impossible to patch as Microsoft patches </span><span style="font-family: Calibri;">were not available. The reason is that those operating systems had already completed <a href="http://support.microsoft.com/gp/lifesupsps" target="_blank">5 year Microsoft support</a>, crossed extended support and come into the category of &#8220;retired&#8221; OS. The </span><span style="font-family: Calibri;">presence of such unpatched, unsupported systems is not limited to Microsoft environments but applies equally to other flavors like Linux, Mac etc. These are safe homes for viruses, Trojans and </span><span style="font-family: Calibri;">bots and pose a significant risk by themselves. Quite interestingly, most of these legacy or old systems won&#8217;t be seen in DNS. Such systems by themselves pose a significant risk to the organization. Continuous measures need to be taken to identify such systems or applications and get them decommissioned!</span></p>
<p><a href="http://www.securetoday.net/wp-content/uploads/2010/02/virus.3.gif"><img class="alignleft size-medium wp-image-195" src="http://www.securetoday.net/wp-content/uploads/2010/02/virus.3-281x300.gif" alt="" width="281" height="300" /></a></p>
<p><span style="font-family: Calibri;"> These systems or applications are present in most organizations for various reasons:<br />
</span></p>
<ol>
<li><span style="font-family: Calibri;"><strong>LEGACY:</strong> A good number of them were used to run legacy applications and are now forgotten or abandoned, or interest in upgrading them has been lost. </span></li>
<li><span style="font-family: Calibri;"><strong>BUNDLED DEVICES:</strong> Others are still being used for embedded applications/controllers like security cameras, printers etc. It&#8217;s quite possible that individual risk assessment of these components gets left out. </span></li>
<li><span style="font-family: Calibri;"><strong>BUSINESS REQUIREMENT:</strong> There might be a business need for such systems to support a specific application. It&#8217;s an unseen risk until the organization analyzes the threat it can bring in.</span></li>
</ol>
<p style="text-align: justify;"><span style="font-family: Calibri;">The situation is a little scary if they are found in critically risky environments (like thermonuclear plants, hydroelectric plants, real-time systems, defense, medical systems, government establishments) where the risk associated with such bundled products is enormously high.</span></p>
<p style="text-align: justify;"><span style="font-family: Calibri;"><span id="more-194"></span>Management should take the initiative to ensure that these systems are identified and tackled. This should be an ongoing activity. Asset management can help in this to a great extent if it&#8217;s well planned and designed. Good asset management keeps track of unused desktops/servers, hosts assigned to employees who are no longer with the organization, etc. This also helps in building a formal end of life (EOL) strategy for proper disposal of unsupported OS and applications. </span></p>
<div>
<p style="text-align: justify;"><span style="font-family: Calibri;">Enterprises should have a migration plan for moving unsupported OS or applications six months prior to support expiry. If the business demands their presence after EOL, specific measures should be taken to mitigate the associated risk. These include isolation of the system from the rest of the network and third-party support, provided that the support addresses vulnerability assessment and security patch development. For bundled products (printers, security cameras, etc.) under support, vendors should be held responsible for addressing issues. If open source software products are used in a production environment, special care should be taken to identify the threats they may bring in. It is the project management team&#8217;s responsibility to ensure that these open source products are free from any critical vulnerabilities. Legacy systems found running an unsupported operating system or application should be analyzed quarterly for the business justification for their use. Hardware and software support contracts should be reviewed to ensure they are within EOL. </span></p>
</div>
<p style="text-align: justify;"><span style="font-family: Calibri;"> Identifying unsupported systems on the network will continue to be a challenging task until such measures are taken. Nessus has come out with a few plugins to detect unsupported operating systems, which cover <a href="http://www.nessus.org/plugins/index.php?view=single&amp;id=19699" target="_blank">Windows NT 4.0</a>, <a href="http://www.nessus.org/plugins/index.php?view=single&amp;id=21626" target="_blank">Windows 95/98/ME</a>, <a href="http://www.nessus.org/plugins/index.php?view=single&amp;id=22313" target="_blank">Microsoft Exchange Server Unsupported version</a>, <a href="http://www.nessus.org/plugins/index.php?view=single&amp;id=12521" target="_blank">Mac OSX</a> and <a href="http://www.nessus.org/plugins/index.php?view=single&amp;id=33850" target="_blank">Unsupported Unix and Linux</a>. With good asset management and proper management support this risk can be addressed to a greater extent.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2010/02/running-outdated-os-and-applications-you-are-inviting-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>MS Patch released: MS10-002 IE 0-day</title>
		<link>http://www.securetoday.net/2010/01/ms-patch-released-aurora-ms100-02/</link>
		<comments>http://www.securetoday.net/2010/01/ms-patch-released-aurora-ms100-02/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 21:13:11 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[Hacking Exposed]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[aurora]]></category>
		<category><![CDATA[IE 0-day]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[MS10-002]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=178</guid>
		<description><![CDATA[Just finished attending McAfee&#8217;s monthly Hacking Exposed Live Special Edition to cover &#8220;Operation Aurora&#8221;, which I talked about in yesterday&#8217;s post. As always, Stuart McClure demonstrated a simple and quick exploit to show how easy it is for this exploit to be executed on a vulnerable system.
In McClure&#8217;s demo, he accessed his customized [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securetoday.net/wp-content/uploads/2010/01/hack_exposed.jpg"><img class="alignleft size-full wp-image-180" title="hack_exposed" src="http://www.securetoday.net/wp-content/uploads/2010/01/hack_exposed.jpg" alt="" width="375" height="340" /></a><strong>J</strong>ust finished attending McAfee&#8217;s monthly <a href="http://grc.mcafee.com/content/HackingExposed" target="_blank">Hacking Exposed</a> Live Special Edition to cover &#8220;Operation Aurora&#8221;, which I talked about in yesterday&#8217;s <a href="http://www.securetoday.net/2010/01/aurora-ie-0-day-vulnerability/" target="_self">post</a>. As always, Stuart McClure demonstrated a simple and quick exploit to show how easy it is for this exploit to be executed on a vulnerable system.</p>
<p>In McClure&#8217;s demo, he accessed his customized website using IE-6, which is vulnerable to the attack, and showed how the exploit is downloaded to the machine, saved, decoded, and run. Exploits like these make it really scary for everyone because they do not even require the end user to do anything, such as clicking or downloading something.</p>
<p>To make things worse, the downloaded file was a jpg (or could be gif, png). To some, it could be an image file. But it is actually an executable file. The process is automatic. The jpg file is downloaded, repackaged, and then the binary is executed. The payload could be anything, such as installing a backdoor Trojan that sits in your computer to steal information, or it could be a nasty virus that wipes out your entire data.</p>
<p>While I&#8217;ve been stressing enough to everyone to be very aware about clicking links from emails or visiting suspicious websites, sometimes at the end of the day, it boils down to your system protection. What are your protections, walls, or shields from these evildoers? Do you have your system locked down, or updated, or patched?</p>
<p><span style="text-decoration: underline;"><strong>PATCH</strong></span>. The best thing to do really is to patch your system so you are not vulnerable. Today, Microsoft released an out-of-band security patch to address this 0-day vulnerability. I highly recommend that you install this patch as your first line of defense. Here is the link: <strong><a href="http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx" target="_blank">http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx</a></strong>. Again, do not install any third-party patches. Trust only the one that comes from Microsoft. Currently, I am attending Microsoft&#8217;s Out-of-Band Security Release bulletin webcast, in which they covered what is included in this patch.</p>
<p><span style="text-decoration: underline;"><strong>BROWSE</strong></span>. It has also been discovered that other versions of IE, not only IE-6, could be vulnerable to this attack. So, it is not a bad idea to use an alternate browser like Firefox, Opera, or Chrome. I might also add that your favorite email clients, such as Outlook, can easily launch the attack too, since email is displayed in HTML. So be aware of all the doors where this attack can get in.</p>
<p><span style="text-decoration: underline;"><strong>DEFENSE</strong></span>. For home users it is essential that you have antivirus software and up-to-date virus definitions. Having a host firewall or IPS also adds another layer of protection. In the corporate world, taking advantage of the powerful features of your Firewall, Proxy, nIPS, hIPS, and your Antivirus is very crucial.</p>
<p>Inline proxies can block those file downloads that are suspicious or deemed infected, thereby protecting the corporate users behind the proxies. With a good signature and inline IDS, you can also block or drop these attacks or traffic. And an updated Antivirus can catch this before it can wreak havoc. Multiple lines of defense implemented correctly give you and your company better protection.</p>
<p>So again, download and install the patch now, it is available from the link above; update your antivirus &#8211; protect yourself!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2010/01/ms-patch-released-aurora-ms100-02/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Haiti Earthquake and Scam emails</title>
		<link>http://www.securetoday.net/2010/01/haiti-earthquake-and-scam-emails/</link>
		<comments>http://www.securetoday.net/2010/01/haiti-earthquake-and-scam-emails/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 17:28:21 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[Hacking Exposed]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[haiti]]></category>
		<category><![CDATA[haiti earthquake]]></category>
		<category><![CDATA[scam]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=167</guid>
		<description><![CDATA[

The recent earthquake disaster that struck Haiti is sometimes unbearable to watch. The death toll is estimated at 80,000 and rising, or 200,000 according to the Haitian government. The damages sum up to billions of dollars. It is indeed a disaster that melts your heart in pity.
More than 5 years ago, a colossal disaster hit Indonesia and [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">
<div id="attachment_168" class="wp-caption aligncenter" style="width: 618px"><img class="size-full wp-image-168  " title="haiti-quake" src="http://www.securetoday.net/wp-content/uploads/2010/01/haiti-quake.jpg" alt="" width="608" height="403" /><p class="wp-caption-text">Haiti Earthquake Landslide</p></div>
<p style="text-align: left;"><strong>T</strong>he recent earthquake disaster that struck Haiti is sometimes unbearable to watch. The death toll is estimated at 80,000 and rising, or 200,000 according to the Haitian government. The damages sum up to billions of dollars. It is indeed a disaster that melts your heart in pity.</p>
<p style="text-align: left;">More than 5 years ago, a colossal disaster hit Indonesia and other parts of the world with an earthquake in the Indian Ocean that caused huge and deadly tsunamis in Indonesia, Sri Lanka, Africa, and other countries. All of these sad stories spread easily across the Internet, including heart-touching pictures.</p>
<p style="text-align: left;">These stories always touch the heart of many. And this is exactly what bad guys take advantage of. In a previous post about <a href="http://www.securetoday.net/2008/12/protection-against-phishing/">Phishing</a>, we&#8217;ve uncovered how it works. This is what these scammers are going to use again to exploit vulnerable people. So again, BEWARE of these scam emails asking for donations to help Haiti Earthquake victims. They can appear legitimate but always ensure that you do not click on any link they provide.</p>
<p style="text-align: left;">The example below is a capture from <a href="http://www.avertlabs.com/research/blog/" target="_blank">McAfee&#8217;s blog</a> of what could be a similar scam email to lure people into donating money to them. This one is of French origin.</p>
<div id="attachment_173" class="wp-caption aligncenter" style="width: 462px"><a href="http://www.securetoday.net/wp-content/uploads/2010/01/email-scam-haiti.jpg"><img class="size-full wp-image-173" title="email-scam-haiti" src="http://www.securetoday.net/wp-content/uploads/2010/01/email-scam-haiti.jpg" alt="" width="452" height="660" /></a><p class="wp-caption-text">Haiti Scam email</p></div>
<p style="text-align: left;">Last week the United States FBI released an immediate <a href="http://www.fbi.gov/pressrel/pressrel10/earthquake011310.htm" target="_blank">warning</a> and reminder to Internet users to be very diligent and apply critical eyes in responding to emails asking for donations in the aftermath of the Haiti earthquake. I&#8217;ve outlined their guidelines below:</p>
<p style="text-align: left;"><span id="more-167"></span></p>
<p>&#8220;Before making a donation of any kind, consumers should adhere to certain  guidelines, to include the following:</p>
<div>
<ul>
<li>Do  not respond to any unsolicited (spam) incoming e-mails, including clicking  links contained within those messages.</li>
<li>Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.</li>
<li>Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its nonprofit status rather than following a purported link to the site.</li>
<li>Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.</li>
<li>Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes.</li>
<li>Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft.</li>
</ul>
</div>
<p>Anyone who has received an e-mail referencing the above information or anyone who may have been a victim of this or a similar incident should notify the IC3 via <a href="http://www.ic3.gov/" target="_blank">www.ic3.gov</a>.&#8221;</p>
<p>Protect yourself against scammers!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2010/01/haiti-earthquake-and-scam-emails/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Aurora &#8211; IE 0-day vulnerability</title>
		<link>http://www.securetoday.net/2010/01/aurora-ie-0-day-vulnerability/</link>
		<comments>http://www.securetoday.net/2010/01/aurora-ie-0-day-vulnerability/#comments</comments>
		<pubDate>Wed, 20 Jan 2010 21:20:53 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[aurora]]></category>
		<category><![CDATA[hydraq]]></category>
		<category><![CDATA[IE 0-day]]></category>
		<category><![CDATA[mcafee]]></category>
		<category><![CDATA[symatec]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=155</guid>
		<description><![CDATA[
Aurora Borealis or the Northern Light is a jaw-dropping awe vista to witness. I have not witnessed one but it&#8217;s one of my dreams. While we know the beauty of it, there is another and different aurora (not borealis) that is not to be messed with.
The Operation Aurora dubbed by McAfee to describe the very [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-medium wp-image-156  alignleft" title="alaska-aurora-borealis" src="http://www.securetoday.net/wp-content/uploads/2010/01/alaska-aurora-borealis-300x240.jpg" alt="Aurora" width="300" height="240" /></p>
<p><strong>A</strong>urora Borealis or the Northern Light is a jaw-dropping awe vista to witness. I have not witnessed one but it&#8217;s one of my dreams. While we know the beauty of it, there is another and different aurora (not borealis) that is not to be messed with.</p>
<p><a title="Operation Aurora" href="http://www.mcafee.com/operationaurora" target="_blank">Operation Aurora</a>, the name McAfee uses to describe the very recent Microsoft Internet Explorer zero-day vulnerability, is a &#8220;coordinated attack which included a piece of computer code that exploits a vulnerability in Internet Explorer to gain access to computer systems.&#8221; It was used to exploit Google and 30 other companies, as previously reported. Last Friday, George Kurtz, McAfee&#8217;s CTO, wrote in his <a href="http://siblog.mcafee.com/cto/%E2%80%9Caurora%E2%80%9D-exploit-in-google-attack-now-public/" target="_blank">Security blog</a> that the Aurora exploit that was used to attack Google in December is now public.</p>
<p>Any zero-day vulnerability is always a bad thing. Two weeks ago, one of my older computers crashed and for all I know it could have been caused by this same exploit. While this vulnerability was discovered a while ago now, Microsoft has yet to release an official patch.</p>
<p>The bad thing is, there are third-party patches out there that provide a temporary fix for this vulnerability. I would not really recommend installing these third-party patches since we don&#8217;t know what the ill effects will be in the long run. The good news is, Microsoft is going to release a patch tomorrow, January 21st. Read <a href="http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx" target="_blank">Microsoft&#8217;s Bulletin</a>.</p>
<p>To learn more about Operation Aurora from McAfee, watch the video from George Kurtz and the McAfee team <strong><a href="http://www.mcafee.com/us/threat_center/aurora_video.html?bcpid=62129012001&amp;bclid=61857746001&amp;bctid=62307287001">here</a></strong>.</p>
<p><span id="more-155"></span>On the other side, I believe this same vulnerability is what Symantec calls <a href="http://www.symantec.com/outbreak/index.jsp?id=trojan-hydraq" target="_blank">Hydraq</a>.</p>
<blockquote><p>Hydraq is a targeted attack. Through the exploitation of a vulnerability, it attempts to install a trojan on a specific computer that steals information from that machine. The trojan attempts to make contact with command and control servers in order to receive instructions and to upload any information that it may have collected. This type of attack is often called an <em>advanced persistent threat</em> because of the sophistication and persistence of the attack within a business.</p></blockquote>
<p>What I like about reading the page that Symantec provides is they outlined 3 important things to protect yourself, which is what really I wanted to convey to everyone, not only to home users, but also even helpdesk support, or even any security professionals in their workplace.</p>
<ul></ul>
<ul>
<li><strong>Stay up-to-date with security patches</strong>. Zero-day vulnerability like this can wreak havoc and even worst, loss of your important data. So make sure that your OS, applications, antivirus are all up-to-date. It&#8217;s a must.</li>
<li><strong>Complete security solution</strong>. Having antivirus, firewall, and even host intrusion detection software will spot these from the very beginning. Again, an updated definitions or dat files is as important as the software. Even if you have antivirus installed if the signature definitions are outdated, it is useless. Get them updated.</li>
<li><strong>User awareness</strong>. This is one of the keys. Understand even the basics of security and how important it is will give you an advantage. I like saying this a lot:  &#8220;security is nothing until your computer is hacked and you lost all your data, then security is everything&#8221;.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2010/01/aurora-ie-0-day-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2010: SecureToday</title>
		<link>http://www.securetoday.net/2010/01/2010-securetoday/</link>
		<comments>http://www.securetoday.net/2010/01/2010-securetoday/#comments</comments>
		<pubDate>Tue, 19 Jan 2010 21:53:52 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[Just SecureToday]]></category>
		<category><![CDATA[secure today]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=148</guid>
		<description><![CDATA[So one of the many challenges about our website/blog is the time to catch up with all the many interesting articles and topics happening around the world. There are those great topics that we have drafted but never got a chance to publish them here. There are also those experiences that we are so dying [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-8" title="wall3d" src="http://www.securetoday.net/wp-content/uploads/2009/06/wall3d.png" alt="" width="241" height="167" /><span style="color: #888888;"><strong>S</strong></span>o one of the many challenges about our website/blog is finding the time to catch up with all the many interesting articles and topics happening around the world. There are those great topics that we have drafted but never got a chance to publish here. There are also those experiences that we are dying to share here but never managed to get on.</p>
<p>So there are always challenges and trials that we have to go through. Once we pass the first, another comes, and the life cycle just goes on and on and on.</p>
<p>And although there may seem to be many obstacles, we still have the passion to keep sharing and writing interesting security articles here on our blog. The old drafts that we have started will be rewritten and posted as we move forward. We still hope and believe they will help in one small way or another in your daily duty of securing today.</p>
<p>One thing that we have started doing is redesigning the site with a different look and adding some features. It is part of the project team&#8217;s effort to do something different for this new year. And yeah, SecureToday is using Twitter. Follow us <a href="http://twitter.com/securetoday" target="_blank">http://twitter.com/securetoday</a>.</p>
<p>So this year, 2010, we look forward to providing you with more helpful, relevant and interesting articles on securing your own today! Cheers!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2010/01/2010-securetoday/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISSP &#8211; Free trainings</title>
		<link>http://www.securetoday.net/2009/07/cissp-free-trainings/</link>
		<comments>http://www.securetoday.net/2009/07/cissp-free-trainings/#comments</comments>
		<pubDate>Tue, 14 Jul 2009 00:04:07 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[CISSP]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=139</guid>
		<description><![CDATA[Studying to get your Certified Information Systems Security Professional (CISSP) from ISC2 is not a walk in the park. It requires that you have many years of experience in the world of Information Security.
Its prerequisites include a minimum of five years of professional experience in the information security field or four years plus a [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-thumbnail wp-image-140" title="cissp" src="http://www.securetoday.net/wp-content/uploads/2009/11/cissp-150x150.jpg" alt="cissp" width="150" height="150" /><strong>S</strong>tudying to get your Certified Information Systems Security Professional (CISSP) from <a href="http://www.isc2.org">ISC2</a> is not a walk in the park. It requires that you have many years of experience in the world of Information Security. </p>
<p>Its prerequisites include a minimum of five years of professional experience in the information security field, or four years plus a college degree. Alternatively, an Advanced Degree in Information Security from a National Center of Excellence or the regional equivalent can substitute for one year towards the five-year requirement. Then, after passing the 250-item exam in six hours and complying with the ISC2 Code of Ethics, you still have to be endorsed. Please visit the ISC2 website for more information.</p>
<p>I posted this because I want to share some useful links for you professionals out there who are thinking about or studying for the CISSP. SearchSecurity with Shon Harris goes over the ten Common Body of Knowledge (CBK) domains for the CISSP in the following webcasts. Be sure to read through all the useful information and try their 10 free quizzes.</p>
<p><a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1328285_mem1,00.html" target="_blank">Domain 1: Security Management Practices</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1323052,00.html" target="_blank">Domain 2: Access Control</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1328960,00.html" target="_blank">Domain 3: Cryptography</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1328985,00.html" target="_blank">Domain 4: Security Models and Architecture</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1329221_mem1,00.html" target="_blank">Domain 5: Telecommunications and Networking</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1329573,00.html" target="_blank">Domain 6: Application and System Development</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1329596,00.html" target="_blank">Domain 7: Business Continuity &#038; Disaster Recovery</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1329632,00.html" target="_blank">Domain 8: Law, Investigations and Ethics</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1057452,00.html" target="_blank">Domain 9: Physical Security</a><br />
<a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1064650,00.html" target="_blank">Domain 10: Operations Security</a></p>
<p>Good luck!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/07/cissp-free-trainings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Art of Steganography</title>
		<link>http://www.securetoday.net/2009/06/the-art-of-steganography/</link>
		<comments>http://www.securetoday.net/2009/06/the-art-of-steganography/#comments</comments>
		<pubDate>Sun, 28 Jun 2009 03:33:25 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[AIC Triad]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[cryptology]]></category>
		<category><![CDATA[digital certificate]]></category>
		<category><![CDATA[hash]]></category>
		<category><![CDATA[integrity]]></category>
		<category><![CDATA[md5]]></category>
		<category><![CDATA[PKI]]></category>
		<category><![CDATA[steganography]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=125</guid>
		<description><![CDATA[Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity [Wikipedia].



Few months ago, I was drafting an article about Cryptography. In my draft I wanted to expand the use [...]]]></description>
			<content:encoded><![CDATA[<p><strong>S</strong>teganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity [<a href="http://en.wikipedia.org/wiki/Steganography" target="_blank">Wikipedia</a>].<br />
<center><br />
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="550" height="350" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param value="http://www.securetoday.net/wp-content/uploads/2009/10/steg.swf" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.securetoday.net/wp-content/uploads/2009/10/steg.swf" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="550" height="350" src="http://www.securetoday.net/wp-content/uploads/2009/10/steg.swf" allowscriptaccess="always" allowfullscreen="true"></embed></object><br />
</center></p>
<p>A few months ago, I was drafting an article about cryptography. In my draft I wanted to expand the use of cryptography to cover not only confidentiality but also integrity. I began to write along the lines of Public Key Infrastructure: the use of digital signatures to encrypt as well as to sign messages. While searching for an email from a friend, I came across an unsent email in my Drafts folder. It was an old email, from more than four years ago, titled Steganography. In the email were two images: one original and one stego file. I recall I planned to send it to my classmate for our steganography research. So less than five years later, here I am talking about the same “art”. Ah, the art and science of steganography.</p>
<p>Earlier this year, I attended a Product Advisory Council meeting from McAfee. One of the future product integrations they are adding to their suite of security products is Data Leakage Protection, from the acquisition of Reconnex.</p>
<p>DLP, whether host- or network-based, addresses the detection of files that could be leaking out of the company, from a confidentiality standpoint. One of the concerns I brought up was the detection of steganography. As you can see, even sophisticated technology could lack the ability to decrypt or guess the algorithm used in the steganography.</p>
<p>It is not in the scope of this article to cover how steganography is performed or ways to accomplish it. Likewise, this article is not going to list the steganography tools available to perform it. Searching the Internet, you could probably find many articles about this and the tools available, as well as countermeasures.</p>
<p><span id="more-125"></span>This article only wishes to address the pros and cons of steganography. As with many tools and technologies, whose hands it is in determines the result. For a security professional, it should be used as yet another layer of defense or security. If we combine steganography with PKI, the result is a more secure document. Let’s take this simple approach:</p>
<p>I have a document. The document is hashed for message integrity. Together with the hash, I encrypt it with my private key. This is non-repudiation. The combined result is encrypted with the user’s public key. This is confidentiality, since only the receiver can decrypt it. The result is a cryptic, digitally signed message. This is the PKI part. This by itself is already super secure. What if I still want to embed this using steganography and the result is encrypted again with my private key? Maybe it is too much, but you see my point in combining them to add layers of security.</p>
<p>I’ll write a separate discussion on digital certificates next time, but for now, the use of steganography can be very beneficial. On the other hand, this tool can be used in bad ways as well. It was also suspected that terrorists have used this method for their communications, but there is no evidence to support it.</p>
<p>This is a very simple method to conceal your messages. In the result, it is almost impossible for the naked eye to spot the difference. Back to the two images in my email that I talked about earlier. Looking at them both now, it scares me to say that I cannot tell which one has the embedded document and which one does not. Both appear identical and the file size is the same.</p>
<p>In conclusion, when you see an image, for example the logo on this website, how easy is it for you to know that it is actually an image embedded with my secret recipe for my steak sauce for my sister to download? Scary, but it could be true. But it is not the end of the world; steganalysis, the science of detecting messages hidden using steganography, exists. Similar to cryptography, these are not impossible to crack. It is not a matter of if, it is a matter of when.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/06/the-art-of-steganography/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>CPTED &#8211; Physical Security</title>
		<link>http://www.securetoday.net/2009/05/cpted-physical-security/</link>
		<comments>http://www.securetoday.net/2009/05/cpted-physical-security/#comments</comments>
		<pubDate>Mon, 11 May 2009 00:49:53 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[CISSP]]></category>
		<category><![CDATA[General Security]]></category>
		<category><![CDATA[CPTED]]></category>
		<category><![CDATA[physical security]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=114</guid>
		<description><![CDATA[This month, I&#8217;d like to discuss a topic that is somewhat being set aside when talking about security &#8211; Physical Security. We all know and agree that the physical aspect of security is as important as any facets of security, be it technical or logical, and administrative.
As a security professional, we should be very aware [...]]]></description>
			<content:encoded><![CDATA[<p><strong>T</strong>his month, I&#8217;d like to discuss a topic that is somewhat set aside when talking about security &#8211; Physical Security. We all know and agree that the physical aspect of security is as important as any other facet of security, be it technical or logical, or administrative.</p>
<p>As security professionals, we should be very aware and concerned that what we protect, such as critical data and confidential information, through technology like firewalls, DLP, IDP, and the like can just as easily be compromised by someone stealing the physical server, damaged by natural or environmental calamities, or broken by infrastructure faults. So, physical security must not be ignored and should also be incorporated in the security policies as well as included in any security discussions.</p>
<p>Physical security must be implemented based on the model of a <strong>layered defense</strong>. The idea is that, before an unauthorized entity can access the valuable asset, it should have to go through layer upon layer of physical barriers before reaching the spot. If one of the layers fails, the others will protect the asset. So layers of defense should move from the perimeter towards the asset.</p>
<p>I am a firm believer that security should not be a patched-on approach; rather, it should be part of the architecture. Similar to software applications, I believe that one of the best ways to stay secure is to develop the program to be error- and flaw-free. This way, we don&#8217;t have to worry about patching it or be afraid of it being compromised through its vulnerabilities. Of course, it is not a perfect world, and that is why, as much as we can, security should begin at the very start of the design.</p>
<p>Physical security is no exception. <strong>CPTED (Crime Prevention Through Environmental Design)</strong> is a discipline that structures the proper architectural design of a physical environment to reduce crime by directly affecting human behaviors and activities. The CPTED concept has been around since the 1960s. It provides guidance in loss and crime prevention through proper construction of buildings and the arrangement of environmental components.</p>
<p style="text-align: left;">
<div id="attachment_117" class="wp-caption aligncenter" style="width: 493px"><img class="size-full wp-image-117" title="CPTED" src="http://www.securetoday.net/wp-content/uploads/2009/10/CPTED.gif" alt="CPTED elements" width="483" height="536" /><p class="wp-caption-text">CPTED Key Concepts</p></div>
<p style="text-align: left;">The idea of CPTED is that, even before a facility is constructed, the design addresses the landscaping, entrances, exits, neighborhood layouts, access roads and freeways, lighting, and traffic patterns. It also takes into consideration the placement of offices, lobbies, restrooms, and campus surroundings, up to the wider scale of the city. As you can imagine, before a facility is built, security is already taken into consideration. Putting in the proper landscaping should deter intruders, and building the right height of fence or placing the lighting correctly should stop unauthorized people. Another good example is to design a data center to be located at the center of the facility so that the walls will protect it from any damage from outside.</p>
<p style="text-align: left;"><span id="more-114"></span></p>
<p style="text-align: left;">There are several components to consider when implementing CPTED, as shown in the figure above. The best approach is usually to build an environment from a CPTED approach and then apply these components on top of the design where they are needed. The following target-hardening components are derived from Moffat (1983, p.23):</p>
<ul>
<li>Access Control</li>
<li>Natural Surveillance</li>
<li>Territoriality</li>
<li>Defensible Space</li>
<li>Activity Programme</li>
<li>Formal Organized Surveillance</li>
</ul>
<p><strong>Access Control</strong> (Natural) &#8211; this guides the placement of fences, doors, lighting, and landscaping to direct the flow of people going in and out of a location.</p>
<p><strong>Surveillance</strong> (Natural and Formal) &#8211; these are the components that address the placement of CCTV, security guards, and natural strategies (such as line of sight, raised entrances, bollards, etc.).</p>
<p><strong>Territoriality</strong> &#8211; addresses the concept of security zones. It can be implemented through the use of physical barriers such as walls, dividers, fences, and flags to clearly mark your dedicated scope of coverage or jurisdiction.</p>
<p><strong>Defensible Space</strong> &#8211; this is similar to Territorial Reinforcement (above), in that the environment or community being designed incorporates a sense of ownership. Good examples are the physical fences or logical borders of jurisdiction where you defend what you own.</p>
<p><strong>Activity Programme</strong> &#8211; or activity support, involves the use of design to encourage intended patterns of usage of public space. This concept aims to protect the community by encouraging safe activities and practices in the surrounding environment to deter any unsafe activities from happening. This approach also includes access control, surveillance, and territoriality.</p>
<p>The CPTED discipline adds value in security as it starts where it needs to be. And although, as IT Security professionals, our involvement in the construction of facilities and implementation of CPTED is rare, it is good to know about and to know that it exists. CPTED is a security concept that, if implemented correctly, will benefit everybody.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/05/cpted-physical-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

