Aurora – IE 0-day vulnerability

by: Zarex dela Cruz, CISSP, CISA on Wednesday, January 20, 2010 1:20 PM


Aurora Borealis or the Northern Light is a jaw-dropping awe vista to witness. I have not witnessed one but it’s one of my dreams. While we know the beauty of it, there is another and different aurora (not borealis) that is not to be messed with.

The Operation Aurora dubbed by McAfee to describe the very recent Microsoft’s Internet Explorer Zero-Day vulnerability is a “coordinated attack which included a piece of computer code that exploits a vulnerability in Internet Explorer to gain access to computer systems.” It was used to exploit Google and other 30 more companies as previously reported. Last Friday, George Kurtz, McAfee’s CTO talked in his Security blog about the Aurora exploit that is used to attack Google in December is now in public.

Any zero-day vulnerability is always a bad thing. Two weeks ago, one of my older computers crashed and for what I know it could be caused by this same exploit. While the discovery of this vulnerability has been a while now, Microsoft has yet to release an official patch.

The bad thing is, there are third-party patches out there that have gone out to provide temporary fix for this vulnerability. I would not really recommend installing these third-party patches since we don’t know what the ill-effects in the long run. The good news is, Microsoft is going to release a patch tomorrow, January 21st. Read Microsoft’s Bulletin.

To learn more about Operation Aurora from McAfee, watch the video from George Kurtz and the McAfee team here.

Read the rest of this article »



2010: SecureToday

by: Zarex dela Cruz, CISSP, CISA on Tuesday, January 19, 2010 1:53 PM

So one of the many challenges about our website/blog is the time to catch up with all the many interesting articles and topics happening around the world. There are those great topics that we have drafted but never got a chance to publish them here. There are also those experiences that we are so dying to share here but never managed to get them on.

So there are always the challenges and trials that we have to go through. Once we pass the first, another comes, and the life cycle just go on and on and on.

And although many obstacles are there as may seem, we still have the passion to continue pressing on sharing and writing interesting security articles here on our blog. The old drafts that we have started will be rewritten and posted as we move forward. We still hope and believe it will help in small ways or another in your daily duty in securing today.

One thing that we have started doing is redesigning the site into a different look and add some features. It is part of the project team to do something different for this new year. And yeah, SecureToday is using Twitter. Follow us http://twitter.com/securetoday.

So this year 2010, we look forward in starting to provide you more helpful, relevant and interesting articles in securing your own today! Cheers!



CISSP – Free trainings

by: Zarex dela Cruz, CISSP, CISA on Monday, July 13, 2009 4:04 PM

cisspStudying to get your Certified Information System Security (CISSP) from ISC2 is not a walk in the park. It requires that you have many years of experience in the world of Information Security.

It’s prerequisites includes a possession of minimum five years of professional experience in the information security field or four years plus a college degree. Or, an Advanced Degree in Information Security from a National Center of Excellence or the regional equivalent can substitute for one year towards the five-year requirement. Then after passing the 250-item exam in six hours and complying with ISC2 Code of Ethics, you still have to be Endorsed. Please visit ISC2 website for more information.

I posted this because I want to share some useful links for you professionals out there, who are thinking or studying for CISSP. SearchSecurity with Shon Harris go over the ten Common Body of Knowledge (CBK) domains for the CISSP in the following webcasts. Be sure to read through all the useful information and try their 10-free quizzes.

Domain 1: Security Management Practices
Domain 2: Access Control
Domain 3: Cryptography
Domain 4: Security Models and Architecture
Domain 5: Telecommunications and Networking
Domain 6: Application and System Development
Domain 7: Business Continuity & Disaster Recovery
Domain 8: Law, Investigations and Ethics
Domain 9: Physical Security
Domain 10: Operations Security

Good luck!



The Art of Steganography

by: Zarex dela Cruz, CISSP, CISA on Saturday, June 27, 2009 7:33 PM

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity [Wikipedia].

Few months ago, I was drafting an article about Cryptography. In my draft I wanted to expand the use of Cryptography not only to cover Confidentiality but likewise Integrity. I began to write along the lines about Public Key Infrastructure; the use of digital signature to encrypt as well as to sign messages. In my search for an email from a friend, I came across an unsent email from my Drafts folder. An old email dated more than four years ago titled Steganography. In my email were two images. One original and one was stego file. I recall, I had planned to send it to my classmate for our Steganography research. So about less than five years later, here I am talking about the same “art” – the art and science of steganography.

Earlier this year, I attended a Product Advisory Council meeting from McAfee. One of the future product integration they are adding to their suite of Security products is the Data Leakage Protection, from the acquisition of Reconnix.

The DLP, be it a Host- or Network-based addresses the detection of file that could potentially leaked out from a confidentiality standpoint within the company. One of the concerns I have brought up was the detection of steganography. As you will see, even sophisticated technology fall short in the ability to decrypt or guess the algorithm used in the steganography.

It is not the scope of this article to cover how steganography works or ways to accomplish it. Further, this article is not going to list down available steganographic tools to perform this. In searching the Internet, you could probably find many articles about this and the tools available as well as countermeasures.

Read the rest of this article »



CPTED – Physical Security

by: Zarex dela Cruz, CISSP, CISA on Sunday, May 10, 2009 4:49 PM

This month, I’d like to discuss a topic that is somewhat being set aside when talking about security – Physical Security. We all know and agree that the physical aspect of security is as important as any facets of security, be it technical or logical, and administrative.

As a security professional, we should be very aware and concerned that the security we protect, such as critcal data and confidential information through the technology like firewall, DLP, IDP, and the like can as easily be compromised as someone stealing the physical server, damaged by natural or environmental calamities, or broken by infrastructure faults. So, physical security must not be ignored and should also be incorporated in the security policies as well as included in any security discussions.

Physical security must be implemented based on the model of a layered defense. The idea is, before unauthorized entity can access the valuable asset, they should go through layers of layers of physical barriers before reaching the spot. If one of the layers fails, the others will protect the asset. So layers of defense should move from the perimeter towards the asset.

I am a firm believer that security should not be a patched-approach, rather, it should be part of the architecture. Similar to software applications, I believe that one of the best ways to stay secure is to develop the program as error-, flaw-free. This way, we don’t have to worry about patching it and afraid of getting compromised by its vulnerabilities. Of course, it is not a perfect world, and that is why as much as we can, security should begin at the very start of the design.

Physical security is not exempted. The CPTED (Crime Prevention Through Environmental Design) is a discipline that structures the proper architectural design of a physical environment to reduce crime by directly affecting human behaviors and activities. The CPTED concept has been around since the 1960s. It provides guidance in loss and crime prevention through proper construction of buildings and the arrangement of environmental components.

CPTED elements

CPTED Key Concepts

So the idea of CPTED is before even the construction of a facility, it then address the landscaping, entrances, exits, neighborhood layouts, access roads and freeways, lightnings, and traffic patterns. It also puts into consideration the placement of offices, lobby, restrooms, campuses surrounding, and even up to the scale of the wider scope of the city. As you can imagine, before a facility is built, the security is already put in consideration. Putting the proper landscaping should deter intruders, or building the right height of fence or correct placement of lightnings should stop unauthorized people. Another good example is to architect the built of a data center to be located at the center of the facility so that the walls will protect it from any damages from outside.

Read the rest of this article »