Wednesday, March 27, 2013

WindowSecurity.com - Monthly Newsletter - March 2013

Hi Security World,

=========================================================================

******* EDITOR'S CORNER

* The Problem With Our Security Models

“You can haz better security, you can haz worse security. But you cannot haz
“security”. There is no security, Deal [with it].” - Richard Steven Hack

I thought I would start with this quote from Rich Hack, as it describes the issue
in a nutshell. The reason for this article is a post from Bruce Schneier in which he
states: “Our security models will never work - no matter what we do”.

I’m quoting his first few paragraphs here: "A core, not side, effect of technology
is its ability to magnify power and multiply force - for both attackers and defenders.
One side creates ceramic handguns, laser-guided missiles, and new-identity theft
techniques, while the other side creates anti-missile defense systems, fingerprint
databases, and automatic facial recognition systems."

"The problem is that it’s not balanced: Attackers generally benefit from new
security technologies before defenders do. They have a first-mover advantage.
They’re more nimble and adaptable than defensive institutions like police
forces. They’re not limited by bureaucracy, laws, or ethics. They can evolve
faster. And entropy is on their side - it’s easier to destroy something than it
is to prevent, defend against, or recover from that destruction."

“For the most part, though, society still wins. The bad guys simply can’t do
enough damage to destroy the underlying social system. The question for us is:
can society still maintain security as technology becomes more advanced? I don’t
think it can.”

Of course he refers to the ultimate example of a terrorist with a nuclear bomb
that everyone is terrified of, but even that is something survivable for a
society. Japan resurfaced from two detonations in a relatively short time.
Of course he is right in the sense that an attacker only needs to succeed once,
and the defender needs to succeed 100% of the time. That is why we need to
design with failure in mind, and fail with the least amount of (collateral)
damage.

Schneier notes that traditional security largely works “after the fact”, and
that is where some of the problems lie. On planet earth, we tend to invent
weapons but neglect to invent the protection against those weapons at the same time.
The Manhattan Project developed the atom bomb and completely neglected to also
develop, at the same time, a force field that would stop an atomic blast.
Wouldn’t having both technologies have been a much more powerful solution?

He continues: “Because sooner or later, the technology will exist for a
hobbyist to explode a nuclear weapon, print a lethal virus from a bio-printer,
or turn our electronic infrastructure into a vehicle for large-scale murder.
We’ll have the technology eventually to annihilate ourselves in great numbers,
and sometime after, that technology will become cheap enough to be easy.”
He then states: “If security won’t work in the end, what is the solution?
Resilience - building systems able to survive unexpected and devastating
attacks - is the best answer we have right now.”

At this point I’d have to say his answer is incomplete. Schneier takes for
granted that human nature cannot be changed, and that someone will inevitably
get the tools in hand to create major damage. That event could be prevented
by a change in mankind’s worldwide respect for the United Nations’ Human
Rights, a change in all world governments’ priorities regarding education,
and the realization that planet earth is on a downward spiral until we wake
up and -do- something about it.
------------------------

* Security Defined

Did you know that the root of the word 'security' is the Latin
'securus': se + cura, "care", so literally feeling no care; safe, certain.
The thought also comes to mind that there might be a diametrically opposed
way to look at this, as in: "security is something that results when you
-do- care."
-----------------------------------

Sun Tzu Quotes of the Month:

"Agents are a ruler's treasure. They are called the hidden network of
mastery over the enemy." - Sun Tzu

"Victory is achieved by means of predicting and then handling that
which is predicted." - Sun Tzu

Warm regards,

Stu Sjouwerman
Editor, WindowSecurity News
Email me at feedback@windowsecurity.com
==================================================================

**** SECURITY DETAIL

* Need Real-time And Personally Relevant Cyber Intelligence?

If so, check out Swan Island Networks.

Their Cybero(TM) service helps you navigate today’s dynamic cyber threat
environment, by delivering a steady stream of up-to-date, personally
relevant cyber intelligence. It addresses your critical cyber risks NOT
prevented by next-generation firewalls, anti-virus software or stronger
encryption. Cybero addresses the human side of cyber security, with the
goal of helping your workforce become a new human firewall. Cybero includes
Kevin Mitnick Security Awareness Training but gives you much, much more.

You get the latest cyber threat environment alerts - in understandable,
actionable form - filtered precisely for you. When part of a company-wide
cyber awareness campaign, you can produce quantifiable reductions in
workforce cyber risk, with positive, measurable ROI.

Cybero is powered by Swan Island Networks’ proven TIES® platform, which is
currently used by more than 300 enterprises, including 20% of the Fortune
100, and is very easy to use. Cybero provides you and your staff with knowledge
that can prevent data loss, stop system intrusion and reduce overall cyber
vulnerability. Cybero delivers:

• Relevant information feeds from US Federal agencies, leading security
vendors and authentic cyber security experts, filtered just for you.

• A consolidated, edited view of the latest cyber developments in order to
help you perform your professional responsibilities (in the form of
personalized dashboards and alerts).

• A rich library of personal cyber security training and best practices.
Open source data feeds: top cyber blogs and news.

• The ability to automatically report critical cyber incidents to the right
corporate groups or government agency.

• Ability to integrate with corporate compliance and governance initiatives
to help ensure incidents are appropriately managed and documented.

• And much, much more. Register here if you want a product demo:
http://swanisland.net/cybero-referral
----------------------------

* Acunetix Web Vulnerability Scanner Voted Readers' Choice

Acunetix Web Vulnerability Scanner was selected the winner in the Web
Application Security category of the WindowSecurity.com Readers' Choice
Awards. N-Stalker Web Application Security Scanner and Syhunt Suite were
runner-up and second runner-up respectively. More:
http://www.acunetix.com/vulnerability-scanner/
---------------------------

* Who Loses Their Data And How?

The Harvard Business Review has a fascinating blog post based on data from
auditing firm KPMG. Sarah Green spoke with Greg Bell, their information
protection lead. The article talks about how they are getting this data,
how the threats are evolving, which industries are most at risk, which
countries lose the most data and a whole host of other interesting things.
Read the full blog post here, lots of interesting graphs:
http://blogs.hbr.org/hbr/hbreditors/2013/03/the_companies_and_countries_lo.html

======================================================================

***** SECURETOOL BOX

Free Service: Email Exposure Check. Find out which addresses of your
organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/

Frustrated with gullible end-users causing malware infections? Find out
who the culprits are in 10 minutes. Do this Free Phishing Security Test
on your users:
http://www.knowbe4.com/phishing-security-test/

======================================================================

****** VIEWPOINT - YOUR TAKE

Write me! This is the spot for your take on things. Let me know what you think
about Security, tools, and things that need to be improved.
Email me at feedback@windowsecurity.com

======================================================================

****** SECOPS: WHAT YOU NEED TO KNOW

* Scam Of The Week: Army CID

The Army Criminal Investigation Command warns that if you get an email
that appears to come from “US-Army-Criminal-Investigation-Command@usa.com,”
it’s a phishing scam. The real Army Criminal Investigation Command, also
known as CID (made famous by the Jack Reacher movie and books), is warning
the public that criminals are posing as Army law enforcement officials in
an email that is making the rounds. WHAT TO DO:

CID is asking that recipients of emails claiming to be from “Office of the
Division of Criminal Investigation” take the following steps:
• Do not respond to the email.
• If you have responded to the email, stop all contact.
• Report the email to Army CID.

“By reporting this crime one can assist CID and other law enforcement
officials across the United States in their investigations and help bring
those responsible to justice,” said Christopher Grey, CID’s chief of
public affairs. More at the Army Times website:
http://www.armytimes.com/news/2013/03/army-cid-warns-of-email-phishing-scam-030713/
------------------------

* Georgia Tech Researchers Try To Stop Spear-phishing

Georgia Tech has correctly identified that the most challenging threat
facing corporate networks today is “spear phishing.”

“Spear phishing is the most popular way to get into a corporate network
these days,” said Andrew Howard, a GTRI research scientist who heads up
the organization’s malware unit. “Because the malware authors now have
some information about the people they are sending these to, they are
more likely to get a response. When they know something about you, they
can dramatically increase their odds.”

Trying to stop spear phishing with software is not that simple. Dozens
of antivirus companies have spam modules in their software, and they
all try to do this as well. The big problem is false positives: legitimate
messages that get blocked. The underlying issue is that the attacker is
human and the victim is human. Until we can create expert systems that
are smart enough to, for instance, identify a scam that works by making
the target try to avoid a negative consequence, we should follow the
Georgia Tech advice: “users are the front line defense. We need every
user to have a little paranoia about email.”
---------------------------------

* How Phishing Attacks Are Evolving

Tracy Kitten at bankinfosecurity reported: Phishing attacks are up, and
the methods are changing. Paul Ferguson of the Anti-Phishing Working Group
explains how phishers are fine-tuning their schemes and exploiting
cross-platform technologies.

From PCs and Macs to mobile devices, cybercriminals no longer have to be
selective about the operating systems they target, says Ferguson, vice
president of threat intelligence for online security company IID (Internet
Identity) and a member of the Anti-Phishing Working Group.

“What we have seen lately are attacks on cross-platform software,” he
says. “They only care about plug-ins or the browser. They don’t care
about the operating systems.”

Increases in cross-platform technologies have made phishing attacks more
fruitful, Ferguson explains, because they’ve made it easier for attackers
to compromise desktops, laptops, mobile devices, websites and servers,
all from a single campaign. “The cross-platform technologies are suffering
from what I call ‘the tragedy of the masses,’ and criminals are taking
advantage.” Here is the article:
http://www.bankinfosecurity.com/interviews/how-phishing-attacks-are-evolving-i-1849

======================================================================

****** HACKERS’ HAVEN

* "Hugo Chavez Murdered By U.S."

Whenever there's a big story in the news - a natural disaster, an anticipated
election, a celebrity death - you can be sure online scammers will try to
exploit it.

So it is with the death of Venezuelan President Hugo Chavez. Emails
are circulating that blame the U.S. for Chavez's fatal cancer - but
the most malignant things about the messages are the malicious links
embedded in the text. Warn your users not to open any emails with
a subject like that which might slip through the filters.
--------------------

* 28 Percent of Successful Hacks Lead to Fraud

New research says 28 percent of consumers hit by a data breach later
become victims of identity fraud - especially when payment card
information is exposed. But card issuers and consumers are taking
proactive steps to mitigate their risk of fraud in the wake of a data
breach, says Pascual, an analyst at Javelin Strategy & Research and
lead researcher for "2013 Identity Fraud Report: Data Breaches Becoming
a Treasure Trove for Fraudsters." The annual study has surveyed 48,200
respondents over the last 10 years and is the longest-running independent
analysis of U.S. identity fraud. This is an interesting article at the
BankInfoSecurity site:
http://www.bankinfosecurity.com/interviews/report-28-breaches-lead-to-fraud-i-1834
-----------------------

* Video: Akamai CSO Andy Ellis at RSA

This video was recorded by RSA Conference organizers. Here, Akamai CSO
Andy Ellis talks about managing risk with psychology instead of brute force.
This is an interesting talk and worth the 29 minutes; some good concepts
and new language. Make it your next 'lunch & learn'; Andy is a smart guy!
http://blogs.csoonline.com/social-engineering/2600/video-akamai-cso-andy-ellis-rsa

======================================================================

***** FAVE LINKS & COOL SITES

---
* This Week's Links We Like. Tips, Hints And Fun Stuff.

Dan Rice of Hadouken returns with ‘People Are Awesome 2013', a sequel
to his 2011 viral hit. Jawdropping stunts:
http://www.flixxy.com/people-are-awesome-2013.htm#.UUTQ7dash8E
---
I wish I had a wingsuit, but I don't know about doing THIS...
http://www.flixxy.com/urban-wingsuit-flying-rio-de-janeiro.htm
---
iRACER: The world’s first build at home electric racing car kit. I want one:
http://www.gizmag.com/iracer-kit-electric-race-vehicle-kit-development/26600/?
---
Magician Michael Carbonaro is a magic clerk at a convenience store - with
hidden cameras placed by the Jay Leno Show:
http://www.flixxy.com/michael-carbonaro-the-magic-clerk.htm
---
Watch this amazing new magic trick called 'The Grid' by Richard Wiseman:
http://www.flixxy.com/the-grid-magic-card-trick.htm
---
A group of young girls in black and white tights perform a trippy dance to the
popular tune of German folk-rock polka band Hiss:
http://www.flixxy.com/black-and-white-tights-dance.htm
---
Even though they are undoubtedly the Internet's favorite animal, cats can
be real jerks sometimes...
http://www.flixxy.com/cats-can-be-jerks-sometimes.htm
---
World Champion of Magic Greg Frewin at the French TV Show 'The Worlds Greatest
Cabaret'. This guy is not bad, wait till the very end!:
http://www.flixxy.com/world-champion-of-magic-greg-frewin.htm#.UUTLrNash8E
---
For the kids. Lion cub and dog are best friends:
http://www.flixxy.com/lion-and-dog-are-best-friends.htm#.UUTNLdash8E
---
"You Know You Have Been in Infosec Too Long When…"
http://www.tripwire.com/state-of-security/off-topic/you-know-you-have-been-in-infosec-too-long-when/


WindowSecurity.com Sections
-----------------------------------------------------------------
- Articles & Tutorials (http://www.windowsecurity.com/articles-tutorials/)
- Products (http://www.windowsecurity.com/software/)
- Reviews (http://www.windowsecurity.com/articles-tutorials/Product_Reviews/)
- Free Tools (http://www.windowsecurity.com/software/Free-Tools/)
- Blogs (http://www.windowsecurity.com/blogs/)
- Forums (http://forums.windowsecurity.com/)
- White Papers (http://www.windowsecurity.com/white-papers/)
- Contact Us (http://www.windowsecurity.com/pages/contact-us.html)



Techgenix Sites
-----------------------------------------------------------------
- MSExchange.org Home (http://www.msexchange.org/)
- WindowsNetworking.com Home (http://www.windowsnetworking.com/)
- VirtualizationAdmin.com Home (http://www.virtualizationadmin.com/)
- ISAserver.org Home (http://www.isaserver.org/)
- MSPanswers.com Home (http://www.mspanswers.com/)
- WServerNews.com Home (http://www.wservernews.com/)


--
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@WindowSecurity.com
Copyright WindowSecurity.com 2013. All rights reserved.
