Thursday, December 30, 2010

Trojan Targeting Android Phones

Geinimi malware displaying botnet characteristics can compromise a significant amount of information on a user's smartphone.

A new Android Trojan that displays some botnet characteristics has emerged from China, Lookout Mobile Security warned on Wednesday.


Called Geinimi, the malware can compromise a significant amount of information on a user's Android smartphone and send it to remote servers, the security developer said in a blog. Once installed on the phone, it potentially could allow the server's owner to control the mobile device, said Lookout. If you are concerned you may have this virus, Razorpoint can help you with mobile security!


"Geinimi is effectively being 'grafted' onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. The affected applications request extensive permissions over and above the set that is requested by their legitimate original versions," Lookout said in its blog. "Though the intent of this Trojan isn't entirely clear, the possibilities for intent range from a malicious ad-network to an attempt to create an Android botnet."
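The permission delta Lookout describes is something a defender can check mechanically. The following Python snippet is an added example written for this post, not Lookout's tooling or code from the original article: it parses two constructed AndroidManifest.xml fragments (a legitimate game and a repackaged copy) and reports which permissions the repackaged build requests over and above the original. The sample manifests, the package name and the list of permissions treated as high risk are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed sample manifests (not real app data): a legitimate game and a
# repackaged copy of it that asks for far more than a game needs.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Permissions that reach into data or actions a game has no business with.
# Which ones count as high risk is a judgement call, so this set is an
# assumption made for the example.
HIGH_RISK = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
}

def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}

def extra_permissions(original_xml, suspect_xml):
    """Permissions the suspect build requests that the original does not."""
    return requested_permissions(suspect_xml) - requested_permissions(original_xml)

def assess(original_xml, suspect_xml):
    """Summarise the delta: what is new, and which of it is high risk."""
    extra = extra_permissions(original_xml, suspect_xml)
    return {
        "extra": sorted(extra),
        "high_risk": sorted(extra & HIGH_RISK),
        "suspicious": bool(extra & HIGH_RISK),
    }

if __name__ == "__main__":
    result = assess(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST)
    for perm in result["extra"]:
        flag = "HIGH RISK" if perm in result["high_risk"] else "extra"
        print(f"{flag:9s} {perm}")
    print("suspicious:", result["suspicious"])
```

The same comparison works against a known-good manifest pulled from the developer's official release, which is the baseline a third-party market listing should be measured against.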


Lookout has written and delivered an automated update to protect existing free and premium users from the Trojan, the company said.


Consumers can protect themselves from this -- and the anticipated surge in future Trojans targeting mobile apps -- by only downloading apps from trusted sources such as reputable developers, said Lookout. Likewise, users should use common sense when reading the permissions for each app, it recommended.


If a phone starts acting unusually, this could be a sign it has become infected: Some odd actions include unknown applications being downloaded without approval, SMS messages sent without approval to unknown recipients, and uninitiated phone calls being placed, for example. And, of course, Lookout recommends that all smartphone users download a security app.


In fact, smartphones make many CIOs nervous since they are highly portable and give the owner so much access to often sensitive information. In one Ovum study, 80% of IT executives said they think these devices increase the business' vulnerability to attack.


By Alison Diana, InformationWeek
December 30, 2010 10:45 AM

Wednesday, December 22, 2010

The Oldest Hack in the Book

Illustration by Robert Neubecker.

As a political statement, a distributed denial-of-service attack ranks somewhere between running naked across your college campus and throwing a brick through a shop window. It's juvenile, not very pretty, and not especially articulate. On the plus side, anyone can do it, it's usually not too damaging, and you do get your point across—the point being that you want the world to start taking you seriously already.

The DDoS, as it's known, has hit the news this week because it's the main tool of the online flash mob that calls itself Anonymous. In the last couple of days they've launched DDoSes on the Web sites of Visa, MasterCard, and various other entities who they believe have hurt or maligned WikiLeaks and its founder Julian Assange. Early on Thursday morning, @Op_Payback, one of the Twitter accounts that seems to be associated with the group, gave out instructions to begin attacking Amazon.com. The plan, though, was quickly abandoned—Amazon, the group determined, was too big to be affected by a DDoS attack, and it was better to stick to smaller, less tech-savvy victims.

The distributed denial-of-service is one of the oldest hacks on the Internet. It's been around for more than a decade, and it first hit the mainstream in 2000, when a Canadian teenager who went by the handle Mafiaboy used a DDoS to take down Amazon, eBay, Yahoo, and other big sites. A DDoS attack is sort of akin to the Mean Girls-esque trick of having your friends prank-call your loser enemy all night long to tie up her phone line. The Internet equivalent of this is getting all your friends—or even strangers, whose computers you've wrangled into a "botnet" via a contagious computer worm—together and directing a bunch of bogus requests at a single Web server all at once. The target machine gets overwhelmed by the requests, knocking it offline for all legitimate users.

It's striking that DDoS attacks can still happen at all anymore. The Internet is very different from the anarchic place it was in the 1990s, and we've conquered many of the earliest threats—spam, e-mail viruses, Nigerian scams—to a peaceful life online. But DDoSes persist. According to a survey (PDF) of network operators conducted by Arbor Networks—which makes tools for systems administrators to detect and fight denial-of-service attacks—just about every network operator working on a large site sees at least one DDoS attack every month, and some see dozens. The attacks are getting larger, too. In 2002, a big DDoS attack might consume only around 400 megabits per second of network bandwidth; today's big attacks, which are usually the product of enormous botnets created by worms like last year's Conficker, consume 100 times more bandwidth, up to 49 gigabits per second. Why have DDoS attacks persisted? And why, after all this time, haven't we found a way to quash them?

It's because the means of attack have been baked into the architecture of the Internet. A Web server's main job is to respond to incoming requests, to serve up Web sites based on public demand. Web servers were originally designed not to discriminate—they didn't look to see where a request originated from, or what it asked for, or whether lots of other machines had been asking for the same thing many thousands of times during the last few minutes. All the server knew how to do was respond—that was its reason for being, its only purpose in life. And that's precisely the weakness that a DDoS exploits.

Jose Nazario, a security researcher at Arbor Networks, says that network operators have tried to build more intelligence into Web servers. A lot of major Web sites use anti-DDoS systems that look for deviations from normal traffic—if requests are spiking beyond the baseline, that's a sign the site could be under attack. Security software also analyzes the kinds of requests that outside machines are making, how often they're asking, where they're located on the network, and what software they're using to connect to your server. Through this analysis, the server can determine which computers on the Web are sending malicious requests and blacklist them. "These tools have been remarkably successful at keeping the net up and running," Nazario says. "Considering the number of attempted attacks that we see and the scale, you don't hear about them very often."


But DDoS-defense tools aren't perfect, and Nazario says they never will be. That's because attackers are getting smarter, too. The savviest hackers have begun to analyze their targets for weaknesses. If they find a page on a site that generates a lot of internal processing, or makes a lot of database calls, then they craft their attack to take advantage of that resource-hogging feature. "We've seen them do a lot of reconnaissance to find out the best place on the site to attack—if they find that a handful of requests on this page, say, will bring down the whole site, they'll attack that," Nazario says. What's more, the tools to launch an attack are now much more easily available than in the past. Twitter and Facebook also make it simpler for attackers to recruit and organize their efforts. Anonymous, the group behind the pro-WikiLeaks attacks, has been launching its DDoS efforts using a program called LOIC, which stands for "Low Orbit Ion Cannon." Followers can download LOIC and instantly join a hive whose target is set by a central administrator.
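To make the two defensive ideas in this article concrete (the baseline and per-source rate analysis Nazario describes, and the fact that a few requests to an expensive page can cost more than many requests to a cheap one), here is an added Python example that is not part of the original article and not Arbor's software. It runs a per-source sliding-window budget over a constructed request log, weights each request by how expensive the page is to serve, and adds a site-wide spike check against the first window's volume. The traffic, the path costs, the window length and the budget are assumptions chosen for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0      # sliding window length (assumed)
BUDGET_PER_WINDOW = 60     # cost units one source may spend per window (assumed)
DEFAULT_COST = 2           # cost for any path not listed below (assumed)
# Per-path cost weights (assumed): a database-backed search page is far
# more expensive to serve than a static page, so it consumes more budget.
PATH_COST = {"/": 1, "/about": 1, "/static/logo.png": 1, "/search": 10}

def build_sample_requests():
    """Constructed request log as (timestamp, source_ip, path) tuples:
    three clients browsing normally, plus one source flooding /search."""
    reqs = []
    normal = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]
    paths = ["/", "/about", "/static/logo.png", "/search"]
    for i in range(60):                      # one normal request every 0.5 s
        reqs.append((i * 0.5, normal[i % 3], paths[i % 4]))
    for i in range(40):                      # four /search hits a second from t=20
        reqs.append((20.0 + i * 0.25, "203.0.113.9", "/search"))
    return sorted(reqs)

class SourceBudget:
    """Per-source sliding window of (timestamp, cost); a source that spends
    more than the budget inside one window is blacklisted."""

    def __init__(self, window=WINDOW_SECONDS, budget=BUDGET_PER_WINDOW):
        self.window = window
        self.budget = budget
        self.history = defaultdict(deque)
        self.blocked = set()

    def observe(self, ts, source, path):
        """Record one request; return True if served, False if dropped."""
        if source in self.blocked:
            return False
        q = self.history[source]
        q.append((ts, PATH_COST.get(path, DEFAULT_COST)))
        while q and q[0][0] < ts - self.window:   # expire entries outside the window
            q.popleft()
        if sum(cost for _, cost in q) > self.budget:
            self.blocked.add(source)
            return False
        return True

def spike_windows(requests, window=WINDOW_SECONDS, factor=2.0):
    """Site-wide baseline check: return the indexes of windows whose request
    count exceeds factor x the count in the first window (the baseline)."""
    counts = defaultdict(int)
    for ts, _, _ in requests:
        counts[int(ts // window)] += 1
    baseline = counts[0]
    return sorted(w for w, c in counts.items() if c > factor * baseline)

def run(requests):
    """Feed the log through the per-source filter; return (blocked, dropped)."""
    filt = SourceBudget()
    dropped = sum(0 if filt.observe(ts, src, path) else 1
                  for ts, src, path in requests)
    return sorted(filt.blocked), dropped

if __name__ == "__main__":
    log = build_sample_requests()
    blocked, dropped = run(log)
    print("blacklisted sources:", blocked)
    print("requests dropped:", dropped)
    print("spike windows:", spike_windows(log))
```

With these numbers the three normal clients never come close to the budget even though they also use the search page, while the flooding source is blacklisted on its seventh search request and every later request from it is dropped; the site-wide check flags the window in which the flood starts. In production the baseline would come from a longer quiet period rather than a single window, and the path costs from measured server time.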

The denial-of-service attacks that make the news are often ones that are launched for some ideological purpose. The most famous such example occurred in 2007, when hackers brought down the sites of banks, newspapers and other public institutions in Estonia. Although the attackers were never formally charged, many experts blame the attack on a group of Russian hackers who used DDoSes as a kind of cyber warfare, possibly with the blessing of the Russian government. Smaller, ideologically motivated attacks pop up all the time. In September, the meme-inspiring, prank-obsessed message board 4Chan took down the site of the Motion Picture Association of America. Last month, 4Chan set its sights on Tumblr, the blogging platform that 4Chan folks believe is overrun with lazy hipsters. That attack doesn't seem to have worked.

But ideological attacks, Nazario says, are the minority—most DDoSes are launched for much more pedestrian reasons. The main one is business competition; a shady company might hire the operators of a botnet to take down its rivals' site. Extortion is also a big thing, with hackers threatening to take companies offline unless they pay up. "Believe it or not," Nazario adds, "one of the big growth areas we see is people building small botnets to get an upper hand in online gaming. You've identified someone who's better at the game than you, but maybe you can knock his computer offline with an attack and then win the game."


This week's attacks didn't result in that sort of direct kill. While parts of the Visa, MasterCard, PostFinance (a Swiss bank that closed Assange's account), and PayPal Web sites went down for a brief while on Wednesday, the attacks don't seem to have done any serious damage to these companies. In particular, none of their primary operations were down—the attacks did nothing to prevent people from using their Visa and MasterCard accounts, or from paying with PayPal. It's unlikely that the DDoS can achieve much more than that. Still, for no money and very little time, the attackers made headlines around the world. That's not a bad return on their investment.


By Farhad Manjoo

Monday, December 20, 2010

Geek to Live: Choose (and remember) great passwords

A secure, memorable password is easy for you to remember, and hard for others to guess.

Everywhere you turn you've got to come up with a password to register for something or another. Whether it's the dozens of web sites that require you log in to use them, or your ATM card PIN, or your wireless network login, how do you decide on a new password? More importantly, how do you remember it?

Don't use the same password for everything.

The problem with using the same password for everything you do is that if it's compromised and someone finds it, the rest of your identity is at risk. If your mutual fund company, for example, has a security breach that exposes usernames and passwords, and you use the same login details there as your online banking and at Amazon.com, potentially thieves could not only compromise your mutual fund account, but your online banking account and credit card details stored in your Amazon.com account as well.

Remember 100 different passwords with 1 rule set.

You don't need to remember 100 passwords if you have 1 rule set for generating them. One way to generate unique passwords is to choose a base password and then apply a rule that mashes in some form of the service name with it. For example, you may use your base password with the first two consonants and the first two vowels of the service name. Say your base password is "asdf." (See how easy those keys are to type?). Then your password for Yahoo would be ASDFYHAO, and your password for eBay would be ASDFBYEA.

Something simpler - but along the same lines - might involve the same letters to start (say, your initials and a favorite number) plus the first 3 letters of a service name. In that case, my password for Amazon would be GMLT10AMA and for Lifehacker.com GMLT10LIF. (Include obscure middle initials - like your mother's maiden name or a childhood nickname - that not many people know about for extra security.)

Before you decide on your single password generation rule, keep in mind that while password requirements are different for each service in terms of length and characters allowed and required, a good guideline is a password at least 8 characters long that includes both letters and numbers. To make a password even more secure - or applicable for services that require special characters - add them around it, like #GMLT10LIF#.
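The two rules above are simple enough to write down as code. The following Python example is added here and is not from the original article; it implements the consonant-and-vowel rule and the initials-plus-prefix rule exactly as described, wraps a result in special characters, and checks each result against the 8-character letters-and-digits guideline. The function names are assumptions.

```python
VOWELS = set("aeiou")   # 'y' counts as a consonant, matching the Yahoo/eBay examples

def consonant_vowel_rule(base, service):
    """Base password + first two consonants + first two vowels of the service
    name, upper-cased: ("asdf", "Yahoo") -> "ASDFYHAO"."""
    letters = [c for c in service.lower() if c.isalpha()]
    consonants = [c for c in letters if c not in VOWELS][:2]
    vowels = [c for c in letters if c in VOWELS][:2]
    return (base + "".join(consonants) + "".join(vowels)).upper()

def prefix_rule(prefix, service, n=3):
    """Fixed prefix (initials plus a number) + first n letters of the service
    name, upper-cased: ("GMLT10", "Amazon") -> "GMLT10AMA"."""
    letters = [c for c in service if c.isalpha()][:n]
    return (prefix + "".join(letters)).upper()

def with_special_chars(password, char="#"):
    """Wrap a password in a special character for sites that demand one."""
    return f"{char}{password}{char}"

def meets_guideline(password):
    """The article's guideline: at least 8 characters, with letters and digits."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

def derive_all(base, services, rule=consonant_vowel_rule):
    """Apply one rule to every service; report each result and whether it
    satisfies the guideline."""
    return {s: (rule(base, s), meets_guideline(rule(base, s))) for s in services}

if __name__ == "__main__":
    for service, (pw, ok) in derive_all("asdf", ["Yahoo", "eBay", "Amazon"]).items():
        print(f"{service:15s} {pw:14s} guideline: {'pass' if ok else 'fail'}")
    for service, (pw, ok) in derive_all("GMLT10", ["Amazon", "Lifehacker.com"],
                                        prefix_rule).items():
        print(f"{service:15s} {pw:14s} guideline: {'pass' if ok else 'fail'}")
    print(with_special_chars(prefix_rule("GMLT10", "Lifehacker.com")))
```

Running it shows that ASDFYHAO, the first example in the article, fails the article's own guideline because it contains no digit, while GMLT10AMA passes; a base that already contains a number satisfies both rules at once.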

Choose your base password

Some options for choosing your base password:

  • The first letter of a phrase or song refrain. For example, if you wanted to use the famous Jackson 5 song "I Want You Back", your base password might be "IWUB." Remembering the password is a matter of singing yourself the song.
  • Use a pre-established keyboard pattern, like "yui" or "zxcv." Just look at your keyboard to remember it.
  • Use your spouse's initials and your anniversary, like "TFB0602." This one guarantees you won't forget an anniversary card, either.
  • For extra security, choose an easy to remember base, like your spouse's initials, or the word "cat" and then shift your fingers up one row on the keyboard when you type it. In the case of "cat," you'd get "dq5."

Then combine this base with some extra information unique to the service.

A clever password generator bookmarklet creates a password based on a web site URL and autofills it when you visit that site with a click. Another option is to simply use Firefox to manage your web site logins.

One problem with rules-based passwords is that some sites have their own password requirements that conflict with your established password, such as "no special characters" or "at least 12 characters in length" or "all numbers/numbers and letters/just alphabetical." In those cases, somehow you have to document or remember the exception to your rule for those services.

How do you choose your passwords? Let us know in the comments or visit us at Razorpoint.com!

by Gina Trapani, the editor of Lifehacker

Thursday, December 16, 2010

How You Too Can Hack Weak Passwords

How I’d Hack Your Weak Passwords

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?


Let's see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I'll probably get into all of them.


  1. Your partner, child, or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. "password"
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner's or your child's.
  7. "god"
  8. "letmein"
  9. "money"
  10. "love"

Statistically speaking that should probably cover about 20% of you. But don't worry. If I didn't get it yet it will probably only take a few more minutes before I do…


Hackers, and I'm not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)


One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.


So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I'm not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we've got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser's cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker's computer, and the speed of the hacker's Internet connection.


Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it's just a matter of time before the computer runs through all the possibilities – or gets shut down trying.


Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.


[Image: table of estimated times to try every possible password, by password length and character set]


Remember, these are just for an average computer, and these assume you aren't using any word in the dictionary. If Google put their computer to work on it they'd finish about 1,000 times faster.
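The figures quoted above (2.4 days versus 2.1 centuries for eight characters) correspond to a search rate of about one million guesses per second; that rate is an assumption made for this example rather than a number from the original article. The Python below is an added example, not code from the original post: it computes keyspace sizes and exhaustion times for several character sets and password lengths at that rate, and formats them as the kind of table the image showed. The character-set names and the 1,000-times-faster comparison are likewise assumptions.

```python
SECONDS_PER_YEAR = 365.25 * 86400
GUESSES_PER_SECOND = 1_000_000   # assumed rate; reproduces the article's figures

# Alphabet sizes for the character sets compared in the article.
CHARSETS = {
    "lowercase letters":   26,
    "lowercase + digits":  36,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}

def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password of this length at the given rate."""
    return keyspace(alphabet_size, length) / rate

def human_duration(seconds):
    """Render a duration in the largest sensible unit, to one decimal place."""
    units = [
        ("centuries", 100 * SECONDS_PER_YEAR),
        ("years", SECONDS_PER_YEAR),
        ("days", 86400.0),
        ("hours", 3600.0),
        ("minutes", 60.0),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"

def time_table(lengths=range(6, 13), rate=GUESSES_PER_SECOND):
    """Rows of (length, {charset_name: duration string}) for the comparison."""
    return [(n, {name: human_duration(seconds_to_exhaust(size, n, rate))
                 for name, size in CHARSETS.items()})
            for n in lengths]

if __name__ == "__main__":
    names = list(CHARSETS)
    print(f"{'len':>3}  " + "  ".join(f"{n:>20}" for n in names))
    for length, row in time_table():
        print(f"{length:>3}  " + "  ".join(f"{row[length and n]:>20}" if False else f"{row[n]:>20}" for n in names))
    # The article's "1,000 times faster" remark, at a thousand times the rate:
    print("8 lowercase chars at 1e9 guesses/s:",
          human_duration(seconds_to_exhaust(26, 8, rate=1_000_000_000)))
```

Because the keyspace grows as alphabet size to the power of length, each extra character multiplies the work by the alphabet size, and widening the alphabet from 26 to 95 symbols multiplies the eight-character keyspace by roughly 30,000; that is why the two columns in the article's table are so far apart.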


Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?


Believe me, I understand the need to choose passwords that are memorable. But if you're going to do that how about using something that no one is ever going to guess AND doesn't contain any common word or phrase in it.


Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter 'o' becomes the number '0', or even better an '@' or '*'. (i.e. – m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON'T CHOOSE A PERSON'S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn't work if you don't use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you'd like to download it without having to navigate their web site here is the direct download link. (Ed. note: Lifehacker readers love the free, open-source KeePass for this duty, while others swear by the cross-platform, browser-based LastPass.)
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you've thought of a password, try Microsoft's password strength tester to find out how secure it is.

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn't important because "I don't get anything sensitive there." Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank's Web site and tell it I've forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?


Often times people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they've never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network — after which time they will own you!


Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven't even mentioned.


I also realize that most people just don't care about all this until it's too late and they've learned a very hard lesson. But why don't you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn't completely in vain.


Please, be safe. It's a jungle out there.


From iFusion Labs, and John Pozadzides.


Note: This isn't intended as a guide to hacking *other people's* weak passwords. Instead, the aim is to help you better understand the security of your own passwords and how to bolster that security. We originally published this piece back in March, but in light of our recent security breach, it seemed more applicable than ever.

Monday, December 13, 2010

The Internet knows what Poppy Harlow keeps private

Two simple pieces of data -- your name and e-mail address -- can unlock a shocking number of details about you, even if you consider yourself to be a very private person who carefully guards your online identity.


Just ask CNNMoney anchor Poppy Harlow. She doesn't have a personal Facebook profile. She doesn't have a LinkedIn account.  She is on Twitter, but she typically limits her tweets to links for CNNMoney stories and videos. Yet starting with only those two bits of information, Poppy's e-mail and name, a privacy researcher's searches across multiple online databases turned up information she found startlingly personal: Her father died of cancer at a young age. She has a half-brother. She's Episcopalian. She's not married. She and her father both went to Columbia University. She rents her apartment. Poppy is a nickname. Then, there was the more private stuff. Her birthday. Years-old photos with friends. Her shopping habits. And some guesstimates about her salary and her family's financial background -- inaccurate ones, it turned out.


That's a lot of information about someone who values her privacy so much. Imagine what the Internet knows about people who aren't as careful. ReputationDefender, an online privacy company, compiled the dossier on Poppy at CNNMoney's request to illustrate just how much information is lurking around online -- hidden, but accessible to those motivated to go hunt it down. ReputationDefender does not create or sell these dossiers on people; instead, its business is selling consumers tools to control their online personal data.


But other companies are gathering up those personal details and creating similar dossiers for commercial gain. Called "data miners" or "aggregators," they crawl the Web scooping up tidbits. Much of what they collect is public information from things like voter registration records and telephone books, but the real treasure trove comes from social networks, which provide photos, interests, activities and a list of your friends. The most advanced aggregators can even tie your Web browsing behavior to your online profile.


One individual source of information may not be all that revealing -- but when you tie multiple sources together, you can paint a pretty detailed picture. Your Amazon.com wish list, public Facebook profile, Pandora playlists and Picasa albums individually may not say much about you, but your name, shopping habits, list of friends, musical tastes and photographs combined say a lot about who you are. Companies like Acxiom, Rapleaf, Spokeo, Intelius, Merlin Information Services and PeopleFinders have built businesses around compiling and selling that information.


Rapleaf and Klout even score your ability to influence others on the Web. (Poppy rates a 42 out of 100 on Klout's influence scale.  One of Klout's top influencers, President Obama, scores an 86.) Right now, those profiles and scores are sold primarily to direct marketers and political campaigns, but insurance companies and prospective employers are starting to use the technology too. Privacy experts say the market for information will keep expanding -- as will the amount of data that can be collected about you.


"Dossiers will be built on each of us in the future in a much more intimate way," said Michael Fertik, ReputationDefender's CEO. "This will be used for much more far reaching and invasive things than advertising." So if hiring, firing, insurance or even dating decisions are going to be made about us based on our online profiles, what's especially scary is that a lot of the information collected about us is incorrect. The address ReputationDefender found for Poppy was five years old, her phone number was completely wrong, and her salary information was way off (though Poppy says she'd love to make as much as the search results thought she did).


But even more disturbing are some of the conclusions an automated algorithm could make about Poppy based on online associations with her name. Bankruptcy, prescription drug abuse, Wall Street and Detroit were some of the most frequent words associated with her name – all because she reports on those subjects daily. "No one looks underneath your credit score to find out why it is what it is," Fertik said. "Accurate or inaccurate, life decisions are being based on your online personal information. It's going to define you forever."


If you are concerned about your online privacy, Razorpoint's world-class security experts help companies repel potentially lethal cyber threats that often elude mainstream network security providers.




By David Goldman, staff writer, and Poppy Harlow, CNNMoney.com

Friday, December 10, 2010

Malware incidents drive up IT costs, survey finds

The main driver of IT operating expenses is the increasing costs of malware incidents, according to a recent survey of IT personnel conducted by the Ponemon Institute.

A full 59% of the 782 IT practitioners surveyed said that malware was a significant factor for increasing operating expenses.


Over a third of organizations experienced at least 50 malware incidents per month, or more than one intrusion per day, the State of the Endpoint 2011 survey found. Forty-three percent of respondents noted a dramatic increase in malware attacks in 2010.


“What we are seeing is that malware incidents are increasing, and those incidents are causing an impact to organizations. Malware generates help desk calls, re-imaging costs, and lost productivity”, said C. Edward Brice, senior vice president for worldwide marketing at Lumension, which sponsored the survey.


“IT is getting a much better handle on what their costs are, and what they are seeing is that there is a hard cost associated with malware”, he told Infosecurity.


In addition, about one-third of organizations put no restrictions on which applications run on their network, while another one-third employ application policies but do not actively enforce them, according to the survey.


Despite this lax security, a majority of those surveyed said that preventing applications from being installed or executed is a top challenge for IT security managers.


According to the survey, mobile/remote workers (50%), PC desktop/laptop vulnerabilities (48%), and the introduction of third-party applications onto the network (39%) are the greatest areas of end point risk currently. This is a shift from last year, where end point security concerns were mainly focused on removable media and data center risks.


“Most companies have more mobile and remote workers who are working from mobile platforms that are becoming smarter and able to house more sensitive data. We are definitely seeing application risk shift away from servers and operating system to mobile platforms like laptops and third-party applications”, Brice said.


The top five applications that concern IT managers the most when it comes to security are: third-party applications outside of Microsoft (58%), Adobe (54%), Google Docs (46%), Microsoft operating system/applications (44%), and Oracle applications (39%).


Despite increasing application risks, organizations are sticking with older technologies, even though there are newer technologies better able to reduce end point risk, the survey found. This issue was most notable with the following technologies: vulnerability assessment (used by 51% but considered effective by 70%); application whitelisting (used by only 29% but considered effective by 44%); device control (used by 26% but considered effective by 57%); and end point management and security suites platform (used by 40% but considered effective by 61%).


For 2011, respondents said that the top three security threats are expected to be increasing volumes of cyber attacks and malware incidents (61%), negligent insiders (50%), and cloud computing (49%).


Larry Ponemon, chairman and founder of the Ponemon Institute, commented on the survey: “There is a real need to put the appropriate technologies and personnel in place to best-position organizations of all sizes and in all industries for success in the ongoing battle to ward off cyberthreats as we head into 2011.”


If you find your company spending too much time and money on malware, you are in need of an application vulnerability assessment from Razorpoint Security. Give us a call: 212.744.6900.



Monday, December 6, 2010

Congresswoman says chance of cyber attack against electric grid is 100%

Rep. Yvette Clarke (D-NY) delivered the evening keynote during the SC Congress in mid-town Manhattan yesterday, as the member of the House Committee on Homeland Security told the audience that the US electric grid remains vulnerable to a near-certain cyber attack.

The Congresswoman from New York’s 11th legislative district, which encompasses parts of Brooklyn, said that our electrical grid is “what distinguishes our nation as an advanced, modern civil society”. She subsequently warned of the all-too-familiar dangers that could potentially devastate the nation’s power supply.

“As many of you in this room are aware, the grid remains vulnerable” to advanced viruses that are designed specifically to target industrial control systems. Clarke cited Russia, Iran, China, and North Korea as nations that are known to regularly use “offensive cyber attack capabilities, while terrorist organizations continue to work to develop these capabilities”.

“We must do everything in our power to ensure that our grid is protected”, Clarke implored during her on-floor keynote. She reminded the crowd of what happens when the grid goes beyond capacity and breaks, like it did during the Northeast blackout in the summer of 2003, which interrupted service for more than 55 million people in the US and Canada.

“While our citizens remained relatively calm throughout the ordeal, it still caused 11 deaths and roughly $6 billion in damages”, Clarke said. “Imagine what those damages would be for a nationwide blackout lasting a few weeks.”

Clarke continued that, based on current scientific research, if we faced a long-term power outage lasting weeks or even months, our society as we know it would be “irreparably destroyed”.

She stressed that this characterization was hardly an overstatement of the research: “A 2009 National Academy of Sciences report warned that a severe geomagnetic storm is inevitable” and would cause $1–2 trillion in damage and could take anywhere from five to 10 years to recover from.

Next Clarke boldly proclaimed that “the likelihood of a cyberattack that could bring down our grid is also 100%. Our networks are already being penetrated as we stand here. We are already under attack. We must stop asking ourselves ‘could this happen to us’ and move to a default posture that acknowledges this fact and instead asks ‘what can we do to protect ourselves’?”

The representative said the good news is that Congress has begun to take steps to address the vulnerabilities in our electric grid, or at least acknowledge there is a problem. The subcommittee she chairs on Emerging Threats, Cybersecurity, Science, and Technology held a hearing in July 2009 to examine the issue, where, in Clarke’s words, “members of the committee were appalled to learn about the vulnerabilities that affect the electric grid and the lack of robust protection against cyber attacks”.

The solution, said Clarke, “will require efforts from both the government and the private sector. That partnership is something that must be held in high regard. The government cannot do this alone, and we don’t expect to do this alone. We must have partnership. It will take a joint effort between government and the private sector to result in the most robust, effective security practices.”

Congress has already begun to act as well, according to Clarke: the House unanimously passed the GRID Act, which would grant the Federal Energy Regulatory Commission authority to require that expanded cybersecurity protections be put in place for the grid. The Senate is now considering it as part of a broader bill on cybersecurity.

“From what we’re hearing, there is interest in passing the bill”, Clarke said. However, the congresswoman said she was concerned that the current approach, which combines the GRID Act as part of a broader bill on cybersecurity, might be doomed to failure. “This approach”, she lamented, “will stall the potential passage of the bill, and the GRID Act may not come to pass in the end.”

She said the US should look toward its British allies, who recently pledged a nearly £1bn investment to strengthen cybersecurity defenses. “We cannot afford to fail”, Clarke concluded. “The private sector, the administration, the Congress have all made progress, but we lack the sense of urgency that is necessary. We must move on this forcefully.”

Razorpoint can help organizations configure, deploy, and troubleshoot existing technology to eliminate security vulnerabilities that go undetected. A critical component of every security program is the process for addressing security monitoring, escalation, and follow-up procedures that provide your organization with preventative and adaptive security capabilities. Razorpoint works with organizations to define a rules-based escalation procedure for effective security incident response. The Razorpoint team conducts network and host security testing, and then relies on the results to assess the inventory of current security technology and processes in the organization, to evaluate the critical information assets, and to analyze the security roles related to the infrastructure.

Friday, December 3, 2010

GAO finds gaps in federal wireless network cybersecurity

The Government Accountability Office (GAO) has uncovered gaps in security for wireless networks at federal agencies – gaps that hackers could exploit.

The GAO reviewed wireless network security at 24 federal agencies, concluding that the application of measures to improve security and limit vulnerability to attack “was inconsistent among agencies”.

Among other things, the government watchdog found “gaps” in security measures for “dual-connected laptops and mobile devices taken on international travel”.

“Several agency officials stated that they were aware of the risks posed to mobile devices during international travel, but that agencies had not yet developed policies to address these risks….By not having documented policies, agencies may be at increased risk that sensitive information could be compromised while a device is in another country, or that malware obtained during an international trip could be inadvertently introduced onto agency networks, placing sensitive data and systems at risk”, the GAO warned.

The GAO reached a number of conclusions about federal agencies’ wireless network security: “gaps exist in policies, network management was not always centralized, and numerous weaknesses existed in configurations of laptops and smartphones….[Until] agencies take steps to fully implement leading security practices, federal wireless networks will remain at increased vulnerability to attack, and information on these networks is subject to unauthorized access, use, disclosure, or modification.”

To beef up wireless security, the GAO offered recommendations to the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST). For OMB, the government watchdog recommended that it include metrics related to wireless security as part of the Federal Information Security Management Act reporting process and develop the “scope and time frames for additional activities that address wireless security as part of their reviews of agency cybersecurity programs”.

For NIST, the watchdog recommended that it develop and issue guidelines in the following areas: technical steps agencies can take to mitigate the risk of dual-connected laptops; government-wide secure configurations for wireless functionality on laptops and for smartphones; ways agencies can centralize their management of wireless technologies; and criteria for selection of tools and recommendations on appropriate frequencies of wireless security assessments and monitoring of wireless networks.
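The GAO's concern about dual-connected laptops is that a machine holding a live wired link into the agency network and, at the same time, a live wireless association to an outside network becomes a bridge between the two. The check below is added here as an illustration; it is not part of the GAO report or of any agency tooling. It parses a listing in the shape of `ip -o -4 addr show` output (both samples are constructed, not real inventories) and flags a host that holds a routable address on both a wired and a wireless interface, while ignoring loopback and self-assigned 169.254/16 addresses that do not indicate a real attachment. The interface-name prefixes used to tell wired from wireless are an assumption based on Linux naming conventions.

```python
"""Flag dual-connected hosts: a laptop that holds a live wired link and a
live wireless link at the same time can bridge an untrusted network into
the wired one.  Added example; the sample listings are constructed."""
import ipaddress
import re
from collections import defaultdict

# Assumption: Linux interface naming.  Wireless NICs are named wl*/ath*,
# wired ones eth*/en*/em*.  Adjust for the fleet being inventoried.
WIRELESS_PREFIXES = ("wl", "ath")
WIRED_PREFIXES = ("eth", "en", "em")

# One address line of `ip -o -4 addr show`: "<idx>: <ifname>    inet <addr/prefix> ..."
ADDR_LINE = re.compile(r"^\d+:\s+(?P<name>\S+)\s+inet\s+(?P<cidr>\S+)")

# Constructed sample: laptop A is docked on the wired LAN and also joined to
# a Wi-Fi network; laptop B's Wi-Fi only got an APIPA address (no real link).
HOST_A = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.20.30.41/24 brd 10.20.30.255 scope global dynamic eth0\\       valid_lft 85942sec preferred_lft 85942sec
3: wlp3s0    inet 192.168.1.57/24 brd 192.168.1.255 scope global dynamic wlp3s0\\       valid_lft 3542sec preferred_lft 3542sec
"""
HOST_B = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.20.30.42/24 brd 10.20.30.255 scope global dynamic eth0\\       valid_lft 85942sec preferred_lft 85942sec
3: wlp3s0    inet 169.254.12.7/16 brd 169.254.255.255 scope link wlp3s0\\       valid_lft forever preferred_lft forever
"""


def classify(ifname: str) -> str:
    """Classify an interface as wired, wireless or other by its name prefix."""
    if ifname.startswith(WIRELESS_PREFIXES):
        return "wireless"
    if ifname.startswith(WIRED_PREFIXES):
        return "wired"
    return "other"


def attached(cidr: str) -> bool:
    """True if the address implies a real network attachment.  Loopback and
    link-local/APIPA (169.254/16, self-assigned when DHCP fails) do not."""
    addr = ipaddress.ip_interface(cidr).ip
    return not (addr.is_loopback or addr.is_link_local)


def active_links(listing: str) -> dict:
    """Map link kind -> set of interface names holding an attached address."""
    links = defaultdict(set)
    for line in listing.splitlines():
        m = ADDR_LINE.match(line)
        if m and attached(m["cidr"]):
            links[classify(m["name"])].add(m["name"])
    return links


def is_dual_connected(listing: str) -> bool:
    """A host with an attached wired link and an attached wireless link."""
    links = active_links(listing)
    return bool(links["wired"]) and bool(links["wireless"])


def interfaces_to_disable(listing: str) -> list:
    """Remediation: keep the wired link, drop the wireless ones, so the host
    cannot forward between the agency LAN and the outside network."""
    if not is_dual_connected(listing):
        return []
    return sorted(active_links(listing)["wireless"])


if __name__ == "__main__":
    for label, listing in (("laptop-A", HOST_A), ("laptop-B", HOST_B)):
        verdict = "DUAL-CONNECTED" if is_dual_connected(listing) else "ok"
        print(f"{label}: {verdict} {interfaces_to_disable(listing)}")
```

Run against real hosts, the listing would come from `ip -o -4 addr show` collected by the endpoint agent or over SSH; the same rule is what a configuration baseline enforces automatically by bringing the wireless link down whenever a wired link carries an address. On Windows the equivalent control is the Group Policy setting under Windows Connection Manager that limits simultaneous domain and non-domain connections.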

If you feel that your company needs to improve the security of its wireless networks, contact Razorpoint today; we are the experts you’ve been waiting for.

This article was reposted from http://www.infosecurity-us.com/