Thursday, December 30, 2010

Trojan Targeting Android Phones

Geinimi malware displaying botnet characteristics can compromise a significant amount of information on a user's smartphone.

A new Android Trojan that displays some botnet characteristics has emerged from China, Lookout Mobile Security warned on Wednesday.


Called Geinimi, the malware can compromise a significant amount of information on a user's Android smartphone and send it to remote servers, the security developer said in a blog. Once installed on the phone, it potentially could allow the server's owner to control the mobile device, said Lookout. If you are concerned you may have this virus, Razorpoint can help you with mobile security!


"Geinimi is effectively being 'grafted' onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. The affected applications request extensive permissions over and above the set that is requested by their legitimate original versions," Lookout said in its blog. "Though the intent of this Trojan isn't entirely clear, the possibilities for intent range from a malicious ad-network to an attempt to create an Android botnet."
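The permission mismatch Lookout describes is something a reviewer can check mechanically: take the manifest of the known-good app and the manifest of the suspect repackaged copy, and list what the copy asks for that the original never did. The script below is an added example, not Lookout's tooling or anything from the Geinimi report; the two manifests are constructed, the package name is made up, and the high-risk watch list is a hypothetical choice that matches the symptoms the article lists (SMS sent, calls placed, data pulled off the phone). It assumes the manifests have already been decoded to text, since an APK carries its manifest in binary form.

```python
import re

# Matches one <uses-permission android:name="..."/> element in a decoded AndroidManifest.xml.
PERMISSION_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')

# Constructed sample: the manifest of a legitimate puzzle game (hypothetical package name).
ORIGINAL_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Constructed sample: a repackaged copy of the same game that asks for far more.
REPACKAGED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Hypothetical watch list: permissions a single-player game has no reason to hold and
# that would enable the behaviour the article describes (SMS, calls, data exfiltration).
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def permissions(manifest_xml):
    """Set of permission names requested by a decoded manifest."""
    return set(PERMISSION_RE.findall(manifest_xml))


def extra_permissions(original_xml, suspect_xml):
    """Permissions the suspect copy requests that the original never did."""
    return permissions(suspect_xml) - permissions(original_xml)


def assess(original_xml, suspect_xml):
    """Summarise the delta and give a verdict: 'suspicious' if any added permission is on the watch list."""
    extra = extra_permissions(original_xml, suspect_xml)
    risky = sorted(extra & HIGH_RISK)
    return {
        "added": sorted(extra),
        "high_risk": risky,
        "verdict": "suspicious" if risky else "ok",
    }


if __name__ == "__main__":
    report = assess(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST)
    print(f"verdict: {report['verdict']}")
    for name in report["added"]:
        flag = "HIGH RISK" if name in HIGH_RISK else ""
        print(f"  + {name} {flag}")
```

The comparison is only as good as the reference copy: the original has to come from the developer's own distribution channel, which is the same "trusted sources" point Lookout makes. A delta with no watch-listed entries is not proof of anything; it just removes one cheap signal.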


Lookout has written and delivered an automated update to protect existing free and premium users from the Trojan, the company said.


Consumers can protect themselves from this -- and the anticipated surge in future Trojans targeting mobile apps -- by only downloading apps from trusted sources such as reputable developers, said Lookout. Likewise, users should use common sense when reading the permissions for each app, it recommended.


If a phone starts acting unusually, this could be a sign it has become infected: Some odd actions include unknown applications being downloaded without approval, SMS messages sent without approval to unknown recipients, and uninitiated phone calls being placed, for example. And, of course, Lookout recommends that all smartphone users download a security app.


In fact, smartphones make many CIOs nervous since they are highly portable and give the owner so much access to often sensitive information. In one Ovum study, 80% of IT executives said they think these devices increase the business' vulnerability to attack.


By Alison Diana, InformationWeek
December 30, 2010 10:45 AM

Wednesday, December 22, 2010

The Oldest Hack in the Book

Illustration by Robert Neubecker.

As a political statement, a distributed denial-of-service attack ranks somewhere between running naked across your college campus and throwing a brick through a shop window. It's juvenile, not very pretty, and not especially articulate. On the plus side, anyone can do it, it's usually not too damaging, and you do get your point across—the point being that you want the world to start taking you seriously already.

The DDoS, as it's known, has hit the news this week because it's the main tool of the online flash mob that calls itself Anonymous. In the last couple of days they've launched DDoSes on the Web sites of Visa, MasterCard, and various other entities who they believe have hurt or maligned WikiLeaks and its founder Julian Assange. Early on Thursday morning, @Op_Payback, one of the Twitter accounts that seems to be associated with the group, gave out instructions to begin attacking Amazon.com. The plan, though, was quickly abandoned—Amazon, the group determined, was too big to be affected by a DDoS attack, and it was better to stick to smaller, less tech-savvy victims.

The distributed denial-of-service is one of the oldest hacks on the Internet. It's been around for more than a decade, and it first hit the mainstream in 2000, when a Canadian teenager who went by the handle Mafiaboy used a DDoS to take down Amazon, eBay, Yahoo, and other big sites. A DDoS attack is sort of akin to the Mean Girls-esque trick of having your friends prank-call your loser enemy all night long to tie up her phone line. The Internet equivalent of this is getting all your friends—or even strangers, whose computers you've wrangled into a "botnet" via a contagious computer worm—together and directing a bunch of bogus requests at a single Web server all at once. The target machine gets overwhelmed by the requests, knocking it offline for all legitimate users.

It's striking that DDoS attacks can still happen at all anymore. The Internet is very different from the anarchic place it was in the 1990s, and we've conquered many of the earliest threats—spam, e-mail viruses, Nigerian scams—to a peaceful life online. But DDoSes persist. According to a survey (PDF) of network operators conducted by Arbor Networks—which makes tools for systems administrators to detect and fight denial-of-service attacks—just about every network operator working on a large site sees at least one DDoS attack every month, and some see dozens. The attacks are getting larger, too. In 2002, a big DDoS attack might consume only around 400 megabits per second of network bandwidth; today's big attacks, which are usually the product of enormous botnets created by worms like last year's Conficker, consume 100 times more bandwidth, up to 49 gigabits per second. Why have DDoS attacks persisted? And why, after all this time, haven't we found a way to quash them?

It's because the means of attack have been baked into the architecture of the Internet. A Web server's main job is to respond to incoming requests, to serve up Web sites based on public demand. Web servers were originally designed not to discriminate—they didn't look to see where a request originated from, or what it asked for, or whether lots of other machines had been asking for the same thing many thousands of times during the last few minutes. All the server knew how to do was respond—that was its reason for being, its only purpose in life. And that's precisely the weakness that a DDoS exploits.

Jose Nazario, a security researcher at Arbor Networks, says that network operators have tried to build more intelligence into Web servers. A lot of major Web sites use anti-DDoS systems that look for deviations from normal traffic—if requests are spiking beyond the baseline, that's a sign the site could be under attack. Security software also analyzes the kinds of requests that outside machines are making, how often they're asking, where they're located on the network, and what software they're using to connect to your server. Through this analysis, the server can determine which computers on the Web are sending malicious requests and blacklist them. "These tools have been remarkably successful at keeping the net up and running," Nazario says. "Considering the number of attempted attacks that we see and the scale, you don't hear about them very often."
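The baseline-deviation check Nazario describes is simple to state: know what a normal minute of traffic looks like, then alert when a window is several times busier than that, and single out the sources responsible for the excess. The script below is an added example, not Arbor's product or anything from the article. It reads web-server lines in the common "combined" log format, buckets them into fixed windows, and produces a blocklist of sources that exceed a per-source limit plus the list of windows whose total volume spikes past the baseline. All log lines are constructed inside the script, and the window size, per-source limit, baseline and spike factor are assumptions a real deployment would tune from its own history.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source ip, timestamp, request line, user agent), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"], m["ua"]


def window_start(ts, window):
    """Floor a timestamp to the start of its fixed window (window in seconds), as epoch seconds."""
    epoch = int(ts.timestamp())
    return epoch - epoch % window


def detect(lines, window=10, per_source_limit=20, baseline_total=15, spike_factor=5):
    """Baseline-deviation check (assumed thresholds): flag sources that send more than
    per_source_limit requests in any window, and windows whose total request count is at
    least spike_factor times the normal baseline_total."""
    counts = defaultdict(Counter)  # window start -> Counter of requests per source ip
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line; a real deployment would count and review these too
        ip, ts, _req, _ua = parsed
        counts[window_start(ts, window)][ip] += 1

    offenders, spikes = set(), []
    for start, per_ip in sorted(counts.items()):
        if sum(per_ip.values()) >= spike_factor * baseline_total:
            spikes.append(start)
        offenders.update(ip for ip, n in per_ip.items() if n > per_source_limit)
    return {"blocklist": sorted(offenders), "spike_windows": spikes}


def make_sample_log():
    """Constructed traffic: three ordinary visitors for one minute, plus five sources that
    each fire ten requests a second at one page during seconds 30-39."""
    base = datetime(2010, 12, 8, 14, 0, 0, tzinfo=timezone.utc)

    def line(ip, sec, path, ua):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

    lines = []
    for sec in range(0, 60, 2):  # one request every two seconds per visitor
        for ip in ("203.0.113.5", "203.0.113.9", "198.51.100.20"):
            lines.append(line(ip, sec, "/index.html", "Mozilla/5.0 (constructed)"))
    for sec in range(30, 40):  # the flood: 5 sources x 10 req/s x 10 s
        for n in range(1, 6):
            for _ in range(10):
                lines.append(line(f"192.0.2.{n}", sec, "/search?q=x", "Mozilla/4.0 (constructed)"))
    return lines


if __name__ == "__main__":
    result = detect(make_sample_log())
    print("blocklist:", result["blocklist"])
    print("spike windows (epoch):", result["spike_windows"])
```

Rate alone is the crudest of the signals Nazario lists; the same loop can also key on request path, user agent or network prefix, which is how a floods of "a handful of requests on this page" aimed at an expensive endpoint gets caught even when no single source crosses the per-source limit.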


But DDoS-defense tools aren't perfect, and Nazario says they never will be. That's because attackers are getting smarter, too. The savviest hackers have begun to analyze their targets for weaknesses. If they find a page on a site that generates a lot of internal processing, or makes a lot of database calls, then they craft their attack to take advantage of that resource-hogging feature. "We've seen them do a lot of reconnaissance to find out the best place on the site to attack—if they find that a handful of requests on this page, say, will bring down the whole site, they'll attack that," Nazario says. What's more, the tools to launch an attack are now much more easily available than in the past. Twitter and Facebook also make it simpler for attackers to recruit and organize their efforts. Anonymous, the group behind the pro-WikiLeaks attacks, has been launching its DDOS efforts using a program called LOIC, which stands for "Low Orbit Ion Cannon." Followers can download LOIC and instantly join a hive whose target is set by a central administrator.

The denial-of-service attacks that make the news are often ones that are launched for some ideological purpose. The most famous such example occurred in 2007, when hackers brought down the sites of banks, newspapers and other public institutions in Estonia. Although the attackers were never formally charged, many experts blame the attack on a group of Russian hackers who used DDoSes as a kind of cyber warfare, possibly with the blessing of the Russian government. Smaller, ideologically motivated attacks pop up all the time. In September, the meme-inspiring, prank-obsessed message board 4Chan took down the site of the Motion Picture Association of America. Last month, 4Chan set its sights on Tumblr, the blogging platform that 4Chan folks believe is overrun with lazy hipsters. That attack doesn't seem to have worked.

But ideological attacks, Nazario says, are the minority—most DDoSes are launched for much more pedestrian reasons. The main one is business competition; a shady company might hire the operators of a botnet to take down its rivals' site. Extortion is also a big thing, with hackers threatening to take companies offline unless they pay up. "Believe it or not," Nazario adds, "one of the big growth areas we see is people building small botnets to get an upper hand in online gaming. You've identified someone who's better at the game than you, but maybe you can knock his computer offline with an attack and then win the game."


This week's attacks didn't result in that sort of direct kill. While parts of the Visa, MasterCard, PostFinance (a Swiss bank that closed Assange's account), and PayPal Web sites went down for a brief while on Wednesday, the attacks don't seem to have done any serious damage to these companies. In particular, none of their primary operations were down—the attacks did nothing to prevent people from using their Visa and MasterCard accounts, or from paying with PayPal. It's unlikely that the DDoS can achieve much more than that. Still, for no money and very little time, the attackers made headlines around the world. That's not a bad return on their investment.


By Farhad Manjoo

Monday, December 20, 2010

Geek to Live: Choose (and remember) great passwords

A secure, memorable password is easy for you to remember, and hard for others to guess.

Everywhere you turn you've got to come up with a password to register for something or another. Whether it's the dozens of web sites that require you log in to use them, or your ATM card PIN, or your wireless network login, how do you decide on a new password? More importantly, how do you remember it?

Don't use the same password for everything.

The problem with using the same password for everything you do is that if it's compromised and someone finds it, the rest of your identity is at risk. If your mutual fund company, for example, has a security breach that exposes usernames and passwords, and you use the same login details there as your online banking and at Amazon.com, potentially thieves could not only compromise your mutual fund account, but your online banking account and credit card details stored in your Amazon.com account as well.

Remember 100 different passwords with 1 rule set.

You don't need to remember 100 passwords if you have 1 rule set for generating them. One way to generate unique passwords is to choose a base password and then apply a rule that mashes in some form of the service name with it. For example, you may use your base password with the first two consonants and the first two vowels of the service name. Say your base password is "asdf." (See how easy those keys are to type?). Then your password for Yahoo would be ASDFYHAO, and your password for eBay would be ASDFBYEA.

Something simpler - but along the same lines - might involve the same letters to start (say, your initials and a favorite number) plus the first 3 letters of a service name. In that case, my password for Amazon would be GMLT10AMA and for Lifehacker.com GMLT10LIF. (Include obscure middle initials - like your mother's maiden name or a childhood nickname - that not many people know about for extra security.)

Before you decide on your single password generation rule, keep in mind that while password requirements are different for each service in terms of length and characters allowed and required, a good guideline is a password at least 8 characters long that includes both letters and numbers. To make a password even more secure - or applicable for services that require special characters - add them around it, like #GMLT10LIF#.

Choose your base password

Some options for choosing your base password:

  • The first letter of a phrase or song refrain. For example, if you wanted to use the famous Jackson 5 song "I Want You Back", your base password might be "IWUB." Remembering the password is a matter of singing yourself the song.
  • Use a pre-established keyboard pattern, like "yui" or "zxcv." Just look at your keyboard to remember it.
  • Use your spouse's initials and your anniversary, like "TFB0602." This one guarantees you won't forget an anniversary card, either.
  • For extra security, choose an easy to remember base, like your spouse's initials, or the word "cat" and then shift your fingers up one row on the keyboard when you type it. In the case of "cat," you'd get "dq5."

Then combine this base with some extra information unique to the service.
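The two generation rules above (base password plus consonant/vowel suffix, and initials plus the first three letters of the service), the "shift your fingers up one row" base trick and the special-character wrapper are all deterministic, so they can be written down exactly. The script below is an added example, not Lifehacker's or Gina Trapani's code; it reproduces the page's own worked values (ASDFYHAO, ASDFBYEA, GMLT10AMA, GMLT10LIF, "cat" to "dq5", #GMLT10LIF#). The keyboard map assumes a US QWERTY layout and maps each key to the key above-left of it, which is what the page's "cat" example implies. One caveat worth seeing in code: the service-derived part is public knowledge, so anyone who obtains one of these passwords and knows which site it was for can strip the suffix and is left with the base, which is exactly the reuse problem the "How I'd Hack Your Weak Passwords" post on this page describes.

```python
VOWELS = set("aeiou")

# US QWERTY rows, top to bottom (assumption); used for the "shift up one row" trick.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFT_UP = {}
for upper_row, lower_row in zip(QWERTY_ROWS, QWERTY_ROWS[1:]):
    for i, key in enumerate(lower_row):
        SHIFT_UP[key] = upper_row[i]  # each key maps to the key above-left of it


def service_suffix(service):
    """First two consonants, then first two vowels, of the service name.
    'y' counts as a consonant, which is what turns Yahoo into 'yhao' on the page."""
    letters = [c for c in service.lower() if c.isalpha()]
    consonants = [c for c in letters if c not in VOWELS][:2]
    vowels = [c for c in letters if c in VOWELS][:2]
    return "".join(consonants + vowels)


def consonant_vowel_password(base, service):
    """Rule 1 from the page: base password + consonant/vowel suffix, upper-cased."""
    return (base + service_suffix(service)).upper()


def initials_password(prefix, service):
    """Rule 2 from the page: fixed prefix (initials and a number) + first three letters of the service."""
    return prefix + service[:3].upper()


def shift_up(text):
    """Type the text one keyboard row higher; characters outside the mapped rows are left alone."""
    return "".join(SHIFT_UP.get(c, c) for c in text.lower())


def wrap_special(password, char="#"):
    """Surround a password with a special character for sites that require one."""
    return f"{char}{password}{char}"


def recoverable_base(password, service):
    """Shows the weakness: given one rule-1 password and its service, the base is just what is
    left after removing the (publicly computable) suffix. Returns None if the suffix does not match."""
    suffix = service_suffix(service).upper()
    if password.endswith(suffix):
        return password[: -len(suffix)]
    return None


if __name__ == "__main__":
    for service in ("Yahoo", "eBay"):
        print(service, "->", consonant_vowel_password("asdf", service))
    for service in ("Amazon", "Lifehacker.com"):
        print(service, "->", initials_password("GMLT10", service))
    print("cat shifted up a row ->", shift_up("cat"))
    print("base recovered from one leak:", recoverable_base("ASDFYHAO", "Yahoo"))
```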

A clever password generator bookmarklet creates a password based on a web site URL and autofills it when you visit that site with a click. Another option is to simply use Firefox to manage your web site logins.

One problem with rules-based passwords is that some sites have their own password requirements that conflict with your established password, such as "no special characters" or "at least 12 characters in length" or "all numbers/numbers and letters/just alphabetical." In those cases, somehow you have to document or remember the exception to your rule for those services.

How do you choose your passwords? Let us know in the comments or visit us at Razorpoint.com!

by Gina Trapani, the editor of Lifehacker

Thursday, December 16, 2010

How You Too Can Hack Weak Passwords

How I’d Hack Your Weak Passwords

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?


Let's see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I'll probably get into all of them.


  1. Your partner, child, or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. "password"
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner's or your child's.
  7. "god"
  8. "letmein"
  9. "money"
  10. "love"

Statistically speaking that should probably cover about 20% of you. But don't worry. If I didn't get it yet it will probably only take a few more minutes before I do…


Hackers, and I'm not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)


One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.


So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I'm not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we've got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser's cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker's computer, and the speed of the hacker's Internet connection.


Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it's just a matter of time before the computer runs through all the possibilities – or gets shut down trying.


Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.


[Table image not recoverable: estimated time to generate every possible password, by password length and character set.]


Remember, these are just for an average computer, and these assume you aren't using any word in the dictionary. If Google put their computer to work on it they'd finish about 1,000 times faster.
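The table the post refers to is an image that did not survive here, but its two quoted cells are enough to rebuild it. An 8-character password drawn only from 26 lowercase letters has 26^8 candidates; drawn from all 95 printable ASCII characters it has 95^8. The only rate at which the first takes the post's "2.4 days" is about one million guesses per second, and at that same rate the second takes about 2.1 centuries, so the post's numbers are internally consistent. The calculator below is an added example, not the post's own table; the one-million-guesses-per-second figure is an assumption calibrated to the quoted 2.4 days, and the bucket rules (any special character means the attacker must assume the full 95-character set) are a reading of the post's "lowercase only" versus "all possible characters" comparison.

```python
import string

# Character sets behind the table; "all_printable" is the 95 printable ASCII characters (space included).
CHARSETS = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "mixed_case": string.ascii_letters,
    "alphanumeric": string.ascii_letters + string.digits,
    "all_printable": string.ascii_letters + string.digits + string.punctuation + " ",
}

# Assumption: about one million guesses per second, the rate that makes an 8-character
# lowercase password take the 2.4 days the post quotes for "an average computer".
GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` characters over `charset_size` symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate; on average the hit comes at half this."""
    return keyspace(charset_size, length) / rate


def humanize(seconds):
    """Round to the largest sensible unit, e.g. '2.4 days' or '2.1 centuries'."""
    units = [("centuries", 100 * SECONDS_PER_YEAR), ("years", SECONDS_PER_YEAR),
             ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def charset_for(password):
    """Which table bucket an attacker has to search if they know which character classes you used."""
    if any(c in string.punctuation or c == " " for c in password):
        return "all_printable"
    if any(c.isdigit() for c in password):
        return "alphanumeric" if any(c.isalpha() for c in password) else "digits"
    return "mixed_case" if any(c.isupper() for c in password) else "lowercase"


def estimate(password):
    """(bucket, worst-case search time) for a password, ignoring dictionary shortcuts."""
    bucket = charset_for(password)
    return bucket, humanize(seconds_to_exhaust(len(CHARSETS[bucket]), len(password)))


def dictionary_seconds(wordlist_size, rate=GUESSES_PER_SECOND):
    """The post's caveat in numbers: a password that is a dictionary word falls in one pass over the list."""
    return wordlist_size / rate


def brute_force_table(lengths=range(4, 13)):
    """Rebuild the post's table: worst-case time per password length and character set."""
    return {n: {name: humanize(seconds_to_exhaust(len(chars), n))
                for name, chars in CHARSETS.items()}
            for n in lengths}


if __name__ == "__main__":
    for n, row in brute_force_table().items():
        print(n, row)
    print("password  ->", estimate("password"))
    print("Passw*rd  ->", estimate("Passw*rd"))
    print("200,000-word list:", dictionary_seconds(200_000), "seconds")
```

The table is a worst case for a single machine guessing blindly; the post's "1,000 times faster" remark is just a larger value of the rate, and the dictionary caveat is the reason a long word scores so much worse than the table suggests.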


Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?


Believe me, I understand the need to choose passwords that are memorable. But if you're going to do that how about using something that no one is ever going to guess AND doesn't contain any common word or phrase in it.


Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter 'o' becomes the number '0', or even better an '@' or '*'. (i.e. – m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON'T CHOOSE A PERSON'S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn't work if you don't use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you'd like to download it without having to navigate their web site here is the direct download link. (Ed. note: Lifehacker readers love the free, open-source KeePass for this duty, while others swear by the cross-platform, browser-based LastPass.)
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you've thought of a password, try Microsoft's password strength tester to find out how secure it is.

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn't important because "I don't get anything sensitive there." Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank's Web site and tell it I've forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?


Often times people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they've never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network — after which time they will own you!


Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven't even mentioned.


I also realize that most people just don't care about all this until it's too late and they've learned a very hard lesson. But why don't you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn't completely in vain.


Please, be safe. It's a jungle out there.


From iFusion Labs, and John Pozadzides.


Note: This isn't intended as a guide to hacking *other people's* weak passwords. Instead, the aim is to help you better understand the security of your own passwords and how to bolster that security. We originally published this piece back in March, but in light of our recent security breach, it seemed more applicable than ever.

Monday, December 13, 2010

The Internet knows what Poppy Harlow keeps private

Two simple pieces of data -- your name and e-mail address -- can unlock a shocking number of details about you, even if you consider yourself to be a very private person who carefully guards your online identity.


Just ask CNNMoney anchor Poppy Harlow. She doesn't have a personal Facebook profile. She doesn't have a LinkedIn account. She is on Twitter, but she typically limits her tweets to links for CNNMoney stories and videos. Yet starting with only those two bits of information, Poppy's e-mail and name, a privacy researcher's searches across multiple online databases turned up information she found startlingly personal: Her father died of cancer at a young age. She has a half-brother. She's Episcopalian. She's not married. She and her father both went to Columbia University. She rents her apartment. Poppy is a nickname. Then, there was the more private stuff. Her birthday. Years-old photos with friends. Her shopping habits. And some guesstimates about her salary and her family's financial background -- inaccurate ones, it turned out.


That's a lot of information about someone who values her privacy so much. Imagine what the Internet knows about people who aren't as careful. ReputationDefender, an online privacy company, compiled the dossier on Poppy at CNNMoney's request to illustrate just how much information is lurking around online -- hidden, but accessible to those motivated to go hunt it down. ReputationDefender does not create or sell these dossiers on people; instead, its business is selling consumers tools to control their online personal data.


But other companies are gathering up those personal details and creating similar dossiers for commercial gain. Called "data miners" or "aggregators," they crawl the Web scooping up tidbits. Much of what they collect is public information from things like voter registration records and telephone books, but the real treasure trove comes from social networks, which provide photos, interests, activities and a list of your friends. The most advanced aggregators can even tie your Web browsing behavior to your online profile.


One individual source of information may not be all that revealing -- but when you tie multiple sources together, you can paint a pretty detailed picture. Your Amazon.com wish list, public Facebook profile, Pandora playlists and Picasa albums individually may not say much about you, but your name, shopping habits, list of friends, musical tastes and photographs combined say a lot about who you are. Companies like Acxiom, Rapleaf, Spokeo, Intelius, Merlin Information Services and PeopleFinders have built businesses around compiling and selling that information.


Rapleaf and Klout even score your ability to influence others on the Web. (Poppy rates a 42 out of 100 on Klout's influence scale. One of Klout's top influencers, President Obama, scores an 86.) Right now, those profiles and scores are sold primarily to direct marketers and political campaigns, but insurance companies and prospective employers are starting to use the technology too. Privacy experts say the market for information will keep expanding -- as will the amount of data that can be collected about you.


"Dossiers will be built on each of us in the future in a much more intimate way," said Michael Fertik, ReputationDefender's CEO. "This will be used for much more far reaching and invasive things than advertising." So if hiring, firing, insurance or even dating decisions are going to be made about us based on our online profiles, what's especially scary is that a lot of the information collected about us is incorrect. The address ReputationDefender found for Poppy was five years old, her phone number was completely wrong, and her salary information was way off (though Poppy says she'd love to make as much as the search results thought she did).


But even more disturbing are some of the conclusions an automated algorithm could make about Poppy based on online associations with her name. Bankruptcy, prescription drug abuse, Wall Street and Detroit were some of the most frequent words associated with her name – all because she reports on those subjects daily. "No one looks underneath your credit score to find out why it is what it is," Fertik said. "Accurate or inaccurate, life decisions are being based on your online personal information. It's going to define you forever."


If you are concerned about your online privacy, Razorpoint's world-class security experts help companies repel potentially lethal cyber threats that often elude mainstream network security providers.




By David Goldman, staff writer, and Poppy Harlow, CNNMoney.com

Friday, December 10, 2010

Malware incidents drive up IT costs, survey finds

The main driver of IT operating expenses is the increasing costs of malware incidents, according to a recent survey of IT personnel conducted by the Ponemon Institute.

A full 59% of the 782 IT practitioners surveyed said that malware was a significant factor for increasing operating expenses.


Over a third of organizations experienced at least 50 malware incidents per month, or more than one intrusion per day, the State of the Endpoint 2011 survey found. Forty-three percent of respondents noted a dramatic increase in malware attacks in 2010.


“What we are seeing is that malware incidents are increasing, and those incidents are causing an impact to organizations. Malware generates help desk calls, re-imaging costs, and lost productivity”, said C. Edward Brice, senior vice president for worldwide marketing at Lumension, which sponsored the survey.


“IT is getting a much better handle on what their costs are, and what they are seeing is that there is a hard cost associated with malware”, he told Infosecurity.


In addition, about one-third of organizations put no restrictions on which applications run on their network, while another one-third employ application policies but do not actively enforce them, according to the survey.


Despite this lax security, a majority of those surveyed said that preventing applications from being installed or executed is a top challenge for IT security managers.


According to the survey, mobile/remote workers (50%), PC desktop/laptop vulnerabilities (48%), and the introduction of third-party applications onto the network (39%) are the greatest areas of end point risk currently. This is a shift from last year, where end point security concerns were mainly focused on removable media and data center risks.


“Most companies have more mobile and remote workers who are working from mobile platforms that are becoming smarter and able to house more sensitive data. We are definitely seeing application risk shift away from servers and operating system to mobile platforms like laptops and third-party applications”, Brice said.


The top five applications that concern IT managers the most when it comes to security are: third-party applications outside of Microsoft (58%), Adobe (54%), Google Docs (46%), Microsoft operating system/applications (44%), and Oracle applications (39%).


Despite increasing application risks, organizations are sticking with older technologies, even though there are newer technologies better able to reduce end point risk, the survey found. This issue was most notable with the following technologies: vulnerability assessment (used by 51% but considered effective by 70%); application whitelisting (used by only 29% but considered effective by 44%); device control (used by 26% but considered effective by 57%); and end point management and security suites platform (used by 40% but considered effective by 61%).


For 2011, respondents said that the top three security threats are expected to be increasing volumes of cyber attacks and malware incidents (61%), negligent insiders (50%), and cloud computing (49%).


Larry Ponemon, chairman and founder of the Ponemon Institute, commented on the survey: “There is a real need to put the appropriate technologies and personnel in place to best-position organizations of all sizes and in all industries for success in the ongoing battle to ward off cyberthreats as we head into 2011.”


If you find your company spending too much time and money on malware, you are in need of an application vulnerability assessment from Razorpoint Security. Give us a call, 212.744.6900.



Monday, December 6, 2010

Congresswoman says chance of cyber attack against electric grid is 100%

Rep. Yvette Clarke (D-NY) delivered the evening keynote during the SC Congress in mid-town Manhattan yesterday, as the member of the House Committee on Homeland Security told the audience that the US electric grid remains vulnerable to a near-certain cyber attack.

The Congresswoman from New York’s 11th legislative district, which encompasses parts of Brooklyn, said that our electrical grid is “what distinguishes our nation as an advanced, modern civil society”. She subsequently warned of the all-too-familiar dangers that could potentially devastate the nation’s power supply.

“As many of you in this room are aware, the grid remains vulnerable” to advanced viruses that are designed specifically to target industrial control systems. Clarke cited Russia, Iran, China, and North Korea as nations that are known to regularly use “offensive cyber attack capabilities, while terrorist organizations continue to work to develop these capabilities”.

“We must do everything in our power to ensure that our grid is protected”, Clarke implored during her on-floor keynote. She reminded the crowd of what happens when the grid goes beyond capacity and breaks, like it did during the Northeast blackout in the summer of 2003, which interrupted service for more than 55 million people in the US and Canada.

“While our citizens remained relatively calm throughout the ordeal, it still caused 11 deaths and roughly $6 billion in damages”, Clarke said. “Imagine what those damages would be for a nationwide blackout lasting a few weeks.”

Clarke continued that, based on current scientific research, if we faced a long-term power outage lasting weeks or even months, our society as we know it would be “irreparably destroyed”.

She stressed that this characterization was hardly an overstatement of the research: “A 2009 National Academy of Sciences report warned that a severe geomagnetic storm is inevitable” and would cause $1–2 trillion in damage and could take anywhere from five to 10 years to recover from.

Next Clarke boldly proclaimed that “the likelihood of a cyberattack that could bring down our grid is also 100%. Our networks are already being penetrated as we stand here. We are already under attack. We must stop asking ourselves ‘could this happen to us’ and move to a default posture that acknowledges this fact and instead asks ‘what can we do to protect ourselves’?”

The representative said the good news is that Congress has begun to take steps to address the vulnerabilities in our electric grid, or at least acknowledge there is a problem. The subcommittee she chairs on Emerging Threats, Cybersecurity, Science, and Technology held a hearing in July 2009 to examine the issue, where, in Clarke’s words, “members of the committee were appalled to learn about the vulnerabilities that affect the electric grid and the lack of robust protection against cyber attacks”.

The solution, said Clarke, “will require efforts from both the government and the private sector. That partnership is something that must be held in high regard. The government cannot do this alone, and we don’t expect to do this alone. We must have partnership. It will take a joint effort between government and the private sector to result in the most robust, effective security practices.”

Congress has already begun to take action as well, according to Clarke, with the unanimous House passage of the GRID Act, which would grant the Federal Energy Regulatory Commission authority to require that expanded cybersecurity protections be put in place as part of a broader bill on cybersecurity now being considered by the Senate.

“From what we’re hearing, there is interest in passing the bill”, Clarke said. However, the congresswoman said she was concerned that the current approach, which combines the GRID Act as part of a broader bill on cybersecurity, might be doomed to failure. “This approach”, she lamented, “will stall the potential passage of the bill, and the GRID Act may not come to pass in the end.”

She said the US should look toward its British allies, which recently pledged a nearly £1bn investment to strengthen cybersecurity defenses. “We cannot afford to fail”, Clarke concluded. “The private sector, the administration, the Congress have all made progress, but we lack the sense of urgency that is necessary. We must move on this forcefully.”

Razorpoint can help organizations configure, deploy, and troubleshoot existing technology to eliminate security vulnerabilities that would otherwise go undetected. A critical component of every security program is the process for security monitoring, escalation, and follow-up procedures that give your organization preventative and adaptive security capabilities. Razorpoint works with organizations to define a rules-based escalation procedure for effective security incident response. The Razorpoint team conducts network and host security testing, then relies on the results to assess the inventory of current security technology and processes in the organization, to evaluate the critical information assets, and to analyze the security roles related to the infrastructure.

Friday, December 3, 2010

GAO finds gaps in federal wireless network cybersecurity

The Government Accountability Office (GAO) has uncovered gaps in security for wireless networks at federal agencies – gaps that hackers could exploit.

The GAO reviewed wireless network security at 24 federal agencies, concluding that the application of measures to improve security and limit vulnerability to attack “was inconsistent among agencies”.

Among other things, the government watchdog found “gaps” in security measures for “dual-connected laptops and mobile devices taken on international travel”.

“Several agency officials stated that they were aware of the risks posed to mobile devices during international travel, but that agencies had not yet developed policies to address these risks….By not having documented policies, agencies may be at increased risk that sensitive information could be compromised while a device is in another country, or that malware obtained during an international trip could be inadvertently introduced onto agency networks, placing sensitive data and systems at risk”, the GAO warned.

The GAO reached a number of conclusions about federal agencies’ wireless network security: “gaps exist in policies, network management was not always centralized, and numerous weaknesses existed in configurations of laptops and smartphones….[Until] agencies take steps to fully implement leading security practices, federal wireless networks will remain at increased vulnerability to attack, and information on these networks is subject to unauthorized access, use, disclosure, or modification.”

To beef up wireless security, the GAO offered recommendations to the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST). For OMB, the government watchdog recommended that it include metrics related to wireless security as part of the Federal Information Security Management Act reporting process and develop the “scope and time frames for additional activities that address wireless security as part of their reviews of agency cybersecurity programs”.

For NIST, the watchdog recommended that it develop and issue guidelines in the following areas: technical steps agencies can take to mitigate the risk of dual-connected laptops; government-wide secure configurations for wireless functionality on laptops and for smartphones; ways agencies can centralize their management of wireless technologies; and criteria for selection of tools and recommendations on appropriate frequencies of wireless security assessments and monitoring of wireless networks.

If you feel that your company is in need of improving security of your wireless networks, contact Razorpoint today, we are the experts you’ve been waiting for.

This article was reposted from http://www.infosecurity-us.com/

Monday, November 29, 2010

11 Tips for Safe Online Shopping

Razorpoint believes in protecting you from online identity theft and let's face it, there's every reason in the world to shop online. The bargains are there. The selection is mind-boggling. The shopping is secure. Shipping is fast. Even returns are pretty easy, with the right e-tailers. It's a golden age for not going to the store, yet buying more than ever.

But since the average person will spend almost $700 this season (according to the National Retail Federation, or NRF), and the number of phishing scam sites that resemble e-commerce companies has more than tripled from just July to September of 2010 according to IID's Third Quarter Phishing Trends Report, there are many more chances you could accidentally hand over data to the wrong guy. A busy holiday season is only going to mean even more attempts at stealing your money and your identity.

You're already a step up in safety by shopping online—there's no way for you to leave behind a credit card or wallet that way—but you could still run into trouble. However, with some common sense and basic guidelines in place, your online shopping should never be troubling. Here are 11 tips for staying safe online while knocking out that holiday shopping list.

1. Use Familiar Web Sites
Start at a trusted site rather than shopping with a search engine. Search results can get rigged to lead you astray, especially when you drift past the first few pages of links. If you know the site, chances are it's less likely to be a rip-off. We all know Amazon.com and that it carries everything under the sun; likewise, just about every major retail outlet has an online store, from Target to Best Buy to Home Depot. Beware misspellings or sites using a different top-level domain (a .net instead of a .com, for example)—those are the oldest tricks in the book. Yes, the sales on these sites might look enticing... that's how they get you into giving up your info.

2. Look for the Lock
Never ever, ever buy anything online using your credit card from a site that doesn't have SSL (secure sockets layer) encryption installed—at the very least. You'll know if it has it because the URL for the site will start with HTTPS:// (instead of just HTTP://) and an icon of a locked padlock will appear, typically in the status bar at the bottom of your Web browser. Never give anyone your credit card over e-mail. PayPal, however, is still a good, safe way to make a payment.

3. Don't Tell All
No online shopping store is going to need your social security number or your birthday to do business. But if a bad-guy gets them, combined with your credit card number for purchases, they can do a lot of damage. When you can, default to giving up the least amount of information.

4. Check Statements
Don't wait for your bill to come at the end of the month. Go online regularly during the holiday season and look at electronic statements for your credit card, debit card, and checking accounts. Make sure you don't see any fraudulent charges, even originating from sites like PayPal (after all, there's more than one way to get to your money). If you do see something wrong, jump on the phone to address the matter quickly. In the case of credit cards, don't pay the bill until you know all your charges are accurate. You have 30 days to notify the bank or card issuer of problems, however; after that, you might be liable for the charges anyway!

5. Inoculate Your PC
Bad-guys don't just sit around waiting for you to give them data; sometimes they give you a little something extra to help things along. You need to protect against such Trojan horse malware with regular updates to your anti-virus program.

6. Use Strong Passwords
We like to beat this dead horse about making sure to utilize uncrackable passwords, but it's never more important than when banking and shopping. Our tips for making a unique password for each site can come in handy during a time of year when shopping around probably means creating new accounts on all sorts of shopping sites.

7. Think Mobile
The NRF did a survey that also predicts that 25 percent of adults will do their online shopping via their smartphones, but mostly as a way of finding gifts, not purchasing them. You can buck that trend; just follow the advice above. Better yet, download store-specific apps like those for Amazon, Target, etc. and use them to find what you want and make the purchase without going to the store or the Web site.

8. Stay at Home
Do we really have to tell you it's a bad idea to use a public computer to make purchases? Hopefully not. If you do, just remember to log out every time you use a public terminal, even if you were just checking e-mail. But what about using your own laptop to shop while you're out? It's one thing to hand over a credit card to get swiped at the checkout, but when you have to enter the number and expiration date on a Web site while sitting in a public cafe, you're giving an over-the-shoulder snooper plenty of time to see the goods. At the very least, think like a gangster: sit in the back, facing the door.

9. Privatize Your Wi-Fi
If you do decide to go out with the laptop to shop, you'll be on a Wi-Fi connection. Only use the wireless if you access the Web over a virtual private network (VPN) connection. If you don't get one from your employer, you can set up a free one with AnchorFree Hotspot Shield, if you're willing to put up with the ads. By the way, now is not a good time to try out a hotspot you're unfamiliar with. Stick to known networks, even if they're free, like those found at Starbucks.

10. Count the Cards
Gift Cards are the most requested holiday gift every year, and this year will be no exception. Stick to the source when you buy one; scammers like to auction off gift cards on sites like eBay with little or no funds on them upon arrival.

11. Know What's Too Good to Be True
McAfee compiled a list of scams to look for and one of them is the offer of a free product with purchase, in particular the iPad (a very coveted gadget this holiday) or even holiday job offers. Many of these "offers" will come in via social media. Beware even of your friends, who might innocently forward such a thing. Skepticism in these cases can go a long way toward saving you from a stolen card number.

Reposted from Eric Griffith of PCMag.com

Published November 29, 2010

Tuesday, November 23, 2010

Security needs drive cyberforensics industry

This is a great article out of USA Today about Cyberforensics, a field and service that Razorpoint Security is very familiar with and often is asked to help consult with clients on.



Cyberforensics, the science of finding and securing digital evidence buried deep within company networks, is fast emerging as a global industry.

Three major players are in the vanguard. PricewaterhouseCoopers has recently hired several former law enforcement agents and prosecutors to supplement its cyberforensic services, which already have 3,000 employees and 55 labs in 37 countries.


Verizon Business — supplier of communications, networking and security technologies to large organizations — has pumped more than $50 million into cyberforensics-related services in the past two years. That includes setting up a state-of-the-art hygienic lab to examine computer circuit boards.

[Photo caption: The National Cybersecurity and Communications Integration Center in Arlington, Va.]


And Stroz Friedberg, a private CSI-like company founded by an ex-FBI agent and an ex-U.S. Attorney, recently received a $115 million investment from private equity firm New Mountain Capital to open new offices across the U.S., Europe and Asia.


Demand for cyberforensics is being driven by "the proliferation and complexity of security issues companies are facing," says Alok Singh, New Mountain's managing director. "Issues of data security and integrity are critical for all companies around the world."


Large organizations increasingly need expert guidance preserving and extracting digital records, such as e-mail and copies of sensitive documents, for civil lawsuits and regulatory audits. They also increasingly need help getting to the bottom of security breaches.


U.S. Internet crime losses reached $560 million in 2009, up from $265 million in 2008, says the Federal Deposit Insurance Corp. Research firm Market Research Media estimates that the federal government will spend $55 billion from now through 2015 on cybersecurity.


Globally, a recent study by the Computing Technology Industry Association, a non-profit trade group, found that 63% of large organizations surveyed in 10 nations experienced at least one security incident in the past 12 months, with 45% of those incidents classified as serious.


Much like the CSI investigators portrayed on TV, cyberforensics sleuths preserve the crime scene and use their training, experience and intuition to ferret out crucial evidence. But instead of looking for fingerprints, DNA and ballistics, they hunt for "subtle data attributes inside company networks that have been changed or altered," says Ed Stroz, ex-FBI agent and co-founder of Stroz Friedberg.


PricewaterhouseCoopers forensics director Kim Peretti, a former Justice Department litigator, says the hunt can become intricate. "Looking for breach indicators is really more of an art than a science," Peretti says. "The more you do these types of investigations, the more you know where to look and what to look for."

By Byron Acohido, USA TODAY

Tuesday, November 16, 2010

128 Bit What? Razorpoint on SlideShare!

Razorpoint launched its new website a few months ago, and one of our great new features is our whitepapers, which show our commitment to our clients and dedication to the highest level of service in information security!

This is the first in our series, 128 bit what?!

Your data is encrypted. So what? Are you using SSL, AES, 3DES, or something else? Can your data be compromised with a cryptographic attack? What key length are you using? This paper attempts to shed a bit of light on the myths and misconceptions when dealing with encryption.

Wednesday, November 3, 2010

Is Free WiFi really Ever Free?

Razorpoint came across the article below and finds it astounding that, as strange as it may seem, people still don't get it. I have been in situations where internet access was "really needed," and an open "linksys" or "tmobile" or "default" network seemed like kismet (no pun intended). But, alas, malicious hackers have taken this all-too-common scenario and used it to exploit uneducated (read: most) wireless users. If remote wireless access is becoming more and more of a "must," try getting a MiFi box that allows a private WiFi connection to the box and then relays your connection over a 3G or 4G cellular network.


This way, as long as you have a cell signal, you have your own WiFi connection, even in a moving car or train. Of course, if your cellular phone supports "tethering" you could also use your cell phone as a MiFi box. (The pun: Kismet is also the name of a wireless network analysis/hacking tool.)

Razorpoint Security will help you and your company prevent intrusions and keep hackers out!


(Newser) – You're stuck in an airport and don't feel like paying $9.95 for Internet access ... but wait! You stumble upon a network called "Free Public WiFi." The heavens are smiling, right? Wrong. Available in thousands of locations across America, "Free Public WiFi" is an "ad hoc" network that connects you to another computer in the vicinity instead of the Internet, wireless security expert Joshua Wright tells NPR. The "zombie network" appears to have spread via a bug in old versions of Windows XP—and it provides an easy access point for hackers. As NPR explains, when a computer running the older version of XP can't find one of its "favorite" wireless networks, it creates an "ad hoc" one named after the last network joined ... and the "Free Public WiFi" name then becomes available to nearby computers, enticing their unsuspecting owners to join, explains Wright. He compares its spread to how "a zombie takes a hold of one person, bites them, and they become infected by this zombie virus." He believes it may originally have been created by somebody trying to trick a friend into connecting "so he would get a Web page with some kind of a gross image or childish prank." Other "zombie" networks to steer clear of include "linksys," "hpsetup," "tmobile," and "default."


Original article:

http://www.newser.com/story/102722/beware-free-public-wifi.html

Monday, October 18, 2010

ZEUS Malware Infects a Million PCs Globally

Just when security companies have developed new ways of dealing with the infamous Zeus Trojan, a variant characterized as the "Son of Zeus" has arisen. Worse yet, the variant has the trait of being virtually undetectable by conventional antivirus applications.

About the Zeus Trojan and MS Windows

The Zeus Trojan made headlines back in 2009 as a "highly customizable" tool for hackers. Its main mission is to sniff out financial information and break into online bank accounts. Security experts estimate that the Zeus Trojan has been used to infiltrate tens of thousands of PCs around the world. Owners of infected PCs are unaware their computers are even infected, with the majority (if not all) of infections targeting MS Windows PCs.



Zeus a Persistent Threat, Continues to Morph

The Zeus Trojan continues to be a persistent threat and was responsible for stealing 3 Million US Dollars (as of October 1st, 2010) and a reported 6 Million British Sterling from UK bank accounts (Source: itnews.com.au).


The latest revision of the Trojan ("Son of Zeus") is codenamed "TSPY_ZBOT.BYZ," according to security experts. The reason it is able to slip by conventional antivirus programs is that it imports a large number of application programming interfaces (APIs), making it difficult to know (or even predict) where it will strike next. (Source: itpro.co.uk)


New Variant More Efficient Than Original

As is the case with most malware variants, the newer version is somewhat different from (and much more efficient than) its predecessor. It also differs in its compression and can foil a detection system based on calculable entropy. In a nutshell, calculable entropy pertains to finding where in the viral code certain trigger routines might be hidden, and evading it gives TSPY_ZBOT.BYZ its "undetectable" status.


With most forms of malware, security companies are able to isolate the virus in a virtual "sandbox" and track how the code was executed, what system changes it made and any network traffic it generated. Zeus (in all of its forms), however, refuses to "play in the sandbox". (Source: itnews.com.au)
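The entropy-based detection the article says this variant evades works on a simple idea: compressed or encrypted code looks like random bytes, so a scanner flags file regions whose byte entropy approaches 8 bits per byte. The following is an added example written for this post, not code from the article or from any vendor product; the 7.0 bits/byte threshold, the window size and the sample buffer (plain text glued to seeded pseudo-random bytes standing in for a packed payload) are all constructed assumptions.

```python
"""Sliding-window Shannon entropy scan (added example, not vendor code).

Packed or encrypted regions of a binary have near-maximal byte entropy,
so scoring fixed-size windows and flagging the high ones is one of the
classic heuristics for spotting packers and crypters.
"""
import math
import random
from collections import Counter
from typing import List, Tuple

# Assumed threshold for this example: packers and crypters typically push a
# region above ~7.0 bits/byte, while plain code, text and tables sit well below.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_regions(data: bytes, window: int = 1024,
                 threshold: float = PACKED_THRESHOLD) -> List[Tuple[int, int, float]]:
    """Split `data` into fixed windows and return (offset, length, entropy)
    for every window whose entropy meets `threshold`."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        h = shannon_entropy(chunk)
        if h >= threshold:
            hits.append((off, len(chunk), round(h, 3)))
    return hits


def build_sample() -> bytes:
    """Constructed sample: 4 KiB of repeated English text followed by 4 KiB of
    seeded pseudo-random bytes that play the role of a packed/encrypted payload."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
    rng = random.Random(2010)  # fixed seed so the scan is reproducible
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return text + packed


if __name__ == "__main__":
    sample = build_sample()
    for off, length, h in scan_regions(sample):
        print(f"offset {off:#07x} len {length}: {h:.3f} bits/byte (suspicious)")
```

Only the second half of the sample is flagged; the trade-off the article hints at is that a variant whose compression keeps entropy below the threshold, or that spreads its payload across otherwise ordinary-looking sections, will slip past this heuristic and needs behavioral or API-level detection instead.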

Conventional Antivirus Not Sufficient

This spells disaster for most security companies whose primary focus is to keep their customers safe. As Trend Micro research engineer Julius Dizon expressed, "To properly guard against this threat, conventional antivirus is not sufficient. Only improved detection techniques and proactive blocking of the websites, working together, can protect users."


Razorpoint Services Can Protect You
Mainstream network security providers are fine for organizations looking to "check the box." Most can neutralize the average hacker and help organizations comply with a security checklist. They apply their technologies and processes and fix the obvious problems. But these organizations usually are not suited to keep pace with the world's most sophisticated cyber criminals. Razorpoint is.

Friday, June 11, 2010

Passwords: To Secure or Not to Secure

Passwords have been in use since ancient times but it seems like the periodic controversy over whether or not to use them really gained momentum with computing. The latest view turned up in the SmartPlanet blog. There you’ll find Joe McKendrik waxing poetic about a Microsoft study that basically says the cost of passwords outweighs the risks. Wrong!

There is a perception that coming up with unique, strong passwords is a burden. Adding to this perceived difficulty, requirements like creating a new password on a regular basis that can never be the same as a previously used one are seen as an insurmountable task.

Reading that above blog posting made me feel as if I had taken a time machine to work that morning. Really? Passwords are always hard to remember? Really? So, let's see, users (the de facto weakest link in any security chain) should just be allowed to do whatever they like because, as soon as the enormous burden of password creation and retention is removed from their hectic schedules, productivity skyrockets. Really? Facebook, YouTube, and MySpace anyone? Oh, and finally, a "top security researcher from Microsoft?" Don't get me started.

Flux-capacitor and time circuits set back to 2010, cybercrime is about to surpass illegal drug trafficking as a moneymaker for criminals. Yes, you read that correctly. Cybercriminals can make more money than drug dealers. Hello? Things are getting worse, not better. While end user failure enables a large part of the rise in cybercrime, corporate ineptitude still plays a key role. Training and basic understanding of network and cybersecurity (strong passwords included) is pitifully low. On regular security engagements, my team and I are routinely stunned at what we find. Whether it is a small, medium, or even a large global firm, undoubtedly we achieve a mind-blowing, head-shaking dose of "I cannot believe what I'm seeing." Dated or non-existent security policies, unmonitored and out-of-date security technologies (firewalls, VPN, IDS, etc.), understaffed and undertrained IT departments tasked with a security role, and a common company-wide malaise regarding proper network security. Routinely, we're able to obtain identity information, bank account access, transaction histories, internal pricing lists, etc. Billions spent on network security, and we're going backwards.

I agree that users get bombarded with different, often unclear and untrue, messages about security and how to handle certain situations (phishing emails and web sites, spoofed SSL certificates, even social engineering). A big reason for this is the wrong people get tasked with designing and disseminating a company's security policy. Security personnel should be doing this, not IT personnel. Perhaps a topic for another article, but Security is not an IT issue, it is a management issue.

Growing cybercrime profitability shows us that current and past security practices are severely flawed. But stopping the use of one of them (passwords) isn't a solution. They should be enhanced. Yes, use a credentialed mechanism for secure access to data, sites, services, etc. But perhaps instead of forcing the average user to produce and remember cryptic passwords constantly, teach them to use patterns on a standard QWERTY keyboard. Examine this password: 0ok9ij)OK(IJ - It has all the password characteristics of a security manager's dream. But how on earth is someone going to remember that? Look at your keyboard and notice that those characters are in a pattern. Start with the zero and then move down and to the left; you get the "o" and the "k". Then move from the zero to the 9 and go down again for the "i" and "j". Then do the same two downward patterns while holding the Shift key. Dream password? Solved. Want another password? Pick a new starting point and a new directional pattern. Want to make it unique to a particular site? Add a letter before or after that password ("E" for email, "I" for the company intranet, "A" for Amazon.com, etc.). You now have a strong password with nothing to remember but a keyboard pattern.

Strong passwords aside, however, two-factor authentication is another technology that can help with the ongoing battle of user password management. Two-factor authentication is something you have, and something you know. You can "have" a random password generator token on your key chain, and you can "know" a sufficiently strong password that goes with it. These and other technologies are available today in an attempt to curb cybercrime's expanse.

If it’s your business you’re securing, you can ignore the reports that say passwords are not cost effective. Instead, invest in employee education. Truly relevant, informative, actionable, employee security education. A good investment always yields solid returns. If you want to keep your support costs down while keeping your company secure, teach your employees the importance of good password habits along with an overarching mindset of reality-based security awareness.

While companies have consistently failed at these things, the future is now and big differences can be made. I believe we can only go up from here.

Gary Morse is President and Founder of Razorpoint Security Technologies.

Tuesday, May 25, 2010

Tabnabbing: A new type of phishing

Check out this page at azarask.in. They demonstrate a new method of phishing. A page you are looking at can auto-switch to a page that resembles a page of a trusted website such as Gmail, Facebook, PayPal, or online banking. Part of the attack involves changing the favicon of the page and monitoring for page inactivity.

A New Type of Phishing Attack from Aza Raskin on Vimeo.

Tuesday, May 18, 2010

Widespread attacks continue against WordPress sites

Owners of self-hosted WordPress-based websites should make sure that their FTP and WordPress passwords are secure. Also review your WordPress installation to make sure that it is up to date. The current version is 2.9.2. Sites hosted on WordPress.com are not affected.

Intruders in recent weeks have hacked a large number of websites created through the WordPress blogging platform to spread malware, with another major campaign launched on Thursday, security researchers said.

In addition to WordPress blogs, websites created with other PHP-based platforms, including the Zen Cart eCommerce solution, were affected by the attacks, Regina Smola, co-founder of WPSecurityLock, a provider of WordPress security services, told SCMagazineUS.com on Tuesday.

Attackers injected malicious JavaScript into the sites, causing visitors to be redirected to scareware domains that attempted to trick users into installing a virus, she said.



Monday, April 26, 2010

1.5 million stolen Facebook IDs up for sale

A hacker named Kirllos is offering to sell the accounts in an underground forum for 2.5 cents per account.

A hacker named Kirllos has a rare deal for anyone who wants to spam, steal or scam on Facebook: an unprecedented number of user accounts offered at rock-bottom prices.


Researchers at VeriSign's iDefense group recently spotted Kirllos selling Facebook user names and passwords in an underground hacker forum, but what really caught their attention was the volume of credentials he had for sale: 1.5 million accounts.

iDefense doesn't know if Kirllos' accounts are legitimate, and Facebook didn't respond to messages Thursday seeking comment. If they are legitimate, he has the account information of about one in every 300 Facebook users. His asking price varies from US$25 to $45 per 1,000 accounts, depending on the number of contacts each user has.

To date, Kirllos seems to have sold close to 700,000 accounts, according to VeriSign Director of Cyber Intelligence Rick Howard.

Hackers have been selling stolen social-networking credentials for a while -- VeriSign has seen a brisk trade in names and passwords for Russia's VKontakte, for example. But now the trend is to go after global targets such as Facebook, Howard said.

Facebook has more than 400 million users worldwide, many of whom fall victim to scams each day. In one such scam, criminals send out messages from a compromised account, telling friends that the account's owner is trapped in a foreign country and needs money to get home.

In another, they send Web links that lead to malicious software, telling friends that it's a hilarious or sensationalistic video.

"People will follow it because they believe it was a friend that told them to go to this link," said Randy Abrams, director of technical education with security vendor Eset. Once the malware gets installed, criminals can steal more passwords, break into bank accounts, or simply use the computers to send spam or launch distributed denial of service attacks. "There's just a plethora of things that people can do if they can trick people into installing their software," he said.


Kirllos' Facebook prices are extremely cheap compared to what others are charging. In its most recent Internet Security Threat Report, Symantec found that e-mail usernames and passwords typically went for between $1 to $20 per account -- Kirllos wants as little as $0.025 per Facebook account. More coveted credit card or bank account details can go for much more, ranging between $0.85 to $30 for credit card numbers to $15 to $850 for top-quality online bank accounts.


Reposted from IT World.

Monday, March 22, 2010

Is your company social networking?

At the RSA Security conference during the week of March 1st, one of the topics of discussion was securing networks in a web 2.0 world (http://www.itworld.com/security/98911/tweet-social-network-security-risky-business?page=0%2C0&source=ITWNLE_nlt_today_2010-03-04).

Facebook, Twitter, LinkedIn and other social networking sites were until recently considered to be productivity killers. Most companies blocked access to these websites for their employees to make sure their staff members were not using company resources on frivolous time-wasters.

It is a good idea to block access to these sites for another reason. Social networking sites are just another point of exposure to malware, phishing attempts, and viruses. Everyone agreed that it was just best to keep your employees away from social networking.

However, last year marked a turning point in social networking. Employees in sales, HR, customer service and marketing need to use social networking sites to do their jobs. Corporations are now looking to open their doors to social networking, but how do you protect your company from malicious attacks?

Our take on the situation? It's not time to open the floodgates. Social networking is still potentially dangerous.

Your company should continue to block access to Facebook, Twitter and LinkedIn for most employees. Access should be granted on an individual or departmental basis, and only sparingly using monitored firewall, IPS or Application Security Gateway rules. Check Point and Tipping Point offer good solutions in these areas.

Cybercriminals love social networks because there is a false sense of being in a trusted, safe zone. Employees who do have access to social networking need to be educated that:

  • There is no privacy anywhere on the web. They should assume that anything posted on a social network may somehow become public. Trade secrets are at risk as well as your corporate brand.
  • All links should be treated suspiciously. Social networks use link shortening services like bit.ly and tinyURL. It's impossible to know where such a link will take you. It could be a phishing site that will enable someone to take over your account, steal your information or install a virus or malicious code on your computer.
  • All third party applications should be treated suspiciously. Twitter and Facebook offer thousands of applications that they do not take responsibility for. Be wary when installing one, or giving access to your account.
  • Finally, consider heavily what information you add to your public or semi-public social networking profiles. Remember that things like "High School attended," "Birth Date," "Pet Names," "Sibling Names," etc. are all things used by banks and credit institutions to validate your identity. You wouldn't hand out this information to strangers on the street, would you? Why, then, do people gleefully post this online? I'm actually surprised Facebook doesn't have a "Mother's Maiden Name" field.
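The second bullet says a shortened link gives no hint of its destination. The following is an added example (not code from the original post or from Razorpoint) showing how a defender can expand such a link safely: it sends HEAD requests and reads each Location header by hand, so no redirect is followed automatically, the number of hops is capped, loops are detected, and the final destination gets a few cheap red-flag checks. It uses only the Python standard library; the `fetch` parameter exists so the chain-following logic can be exercised offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses on its own."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx instead


def http_location(url):
    """HEAD the URL once; return its Location header, or None if it does not redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.headers.get("Location") if 300 <= e.code < 400 else None


def expand_short_url(url, max_hops=5, fetch=http_location):
    """Walk the redirect chain one hop at a time.

    Returns (chain, status); status is 'resolved', 'loop' or 'too_many_hops'.
    `fetch` maps a URL to its Location header (or None); injectable for tests.
    """
    chain = [url]
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            return chain, "resolved"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            return chain + [nxt], "loop"
        chain.append(nxt)
    return chain, "too_many_hops"


def destination_warnings(url):
    """Cheap red flags on a final destination: a judgement aid, not a verdict."""
    p = urlparse(url)
    warnings = []
    if p.scheme != "https":
        warnings.append("not https")
    if (p.hostname or "").replace(".", "").isdigit():
        warnings.append("bare IP address instead of a domain")
    if "@" in p.netloc:
        warnings.append("credentials embedded in URL")
    return warnings
```

Call `expand_short_url("https://bit.ly/...")` with a real short link to see the chain and status; pass the last element of the chain to `destination_warnings` before deciding whether to visit it.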

Thursday, March 18, 2010

There is No Security Patch for Stupidity

At Razorpoint, we spend a lot of time trying to stay ahead of malicious attackers and cybercriminals. We track the newest, most advanced techniques so that we can work with our customers to repel attacks. That's why we were floored by this article:

http://www.businessweek.com/news/2010-02-18/global-hackers-breached-2-400-companies-security-firm-says.html


According to Bloomberg News, "hackers infiltrated the computer networks of more than 2,400 companies in almost 200 countries over an 18-month period." When we took a closer look at these attacks we noticed something very interesting:

"The attack uses a piece of software called ZeuS, designed in Eastern Europe, that takes control of large numbers of computers. These so-called botnets of computers are deployed to extract login and personal information related to e-mail, financial and social-networking Web sites."



ZeuS (aka Kneber) is a bot that steals information by keystroke logging. This method of infiltration is over 10 years old and it should not work anymore. Yet it does, because users continue to fall for the same dumb tricks. They open email attachments that they shouldn't. They respond to phishing emails.

ZeuS and other bots now control more than 100 million computers worldwide. ZeuS targets login credentials for online social networks, e-mail accounts, and banking. Anti-virus software may not offer protection. The primary way to prevent infection is to offer training and security awareness to prevent your employees from clicking on hostile or suspicious links in email and in social networks.

Razorpoint knows that the Internet is still a target-rich environment. While there isn't a security patch for stupidity you can help protect your company by employing our endpoint client protection service (Rz.Endpoint). Additionally, companies should have regular comprehensive security assessments conducted in an effort to stay ahead of attacks like this.

Monday, March 8, 2010

PleaseRobMe.com

Foursquare is an increasingly popular location-based social network that is based on a game-like premise. Players use smart phones or laptops to "check in" to a location, recording their position on a map for friends using the service to see. The more often you check in, the better your chances of being declared the mayor of a particular location, be it a restaurant, bar, office or even your own home. Foursquare updates can be connected to Twitter and Facebook, keeping the world up to date about your progress.


Is this a good idea? No, and the new site http://www.pleaserobme.com/ shows exactly why. The site is a simple stream of Foursquare updates posted on Twitter.


Please Rob Me consists exclusively of an aggregation of public Twitter messages that have been pushed through fast-growing location-based networking site Foursquare, one of a handful of services that encourages people to share their whereabouts with their friends. You can filter by geographic location, too.


You wouldn't post a sign for all the world to see advertising the fact that you are not home. But people who connect Foursquare to publicly viewable sites like Twitter not only let the world know that they are not home, but also how far away they are.


Security is not just about installing alarms, locks or guard dogs. It's about exercising common sense. Be secure online and in the real world, and keep your whereabouts private.

Thursday, March 4, 2010

Razorpoint Security Begins 10th Year

Razorpoint Security Technologies specializes in comprehensive security assessments that provide business leaders and corporate clients the certainty and stability required for survival in today's business climate.

On March 1, 2010, Razorpoint Security Technologies celebrated the beginning of their 10th year in business – great, and slightly hard to believe, at the same time. Our tremendously talented staff and faithful clients have kept us going the entire way. We've done quite a bit to help secure cyberspace in that time. However, we have also realized there is an astonishing amount still to be done. The good news is, we're not tired. There is much more to come.

Seemingly every day another security breach is reported. Bank accounts, identities, corporate data and intellectual property are just some of the valuable assets targeted by attackers. The danger and risk posed to corporate environments grows daily.

If you think your company's network is at risk then call us today for a full risk assessment!