
Archive for January, 2006

Security Catalyst 15 (Cell Phone Records, Anonym.OS, Biometrics at School)

After a hectic travel week, we present Security Catalyst 15. Join Michael as he examines the issues around cell phone numbers and records being offered for sale, the newly announced Anonym.OS operating system, and how a NJ school is using biometrics — plus the 4 questions you need to ask if your organization is thinking about using biometrics.


Episode 15 [21:56m]

Posted in Information Protection

Rootkits to target BIOS soon?

At the recent Black Hat Federal Briefings, a presentation proposed that rootkits may soon attack the BIOS of a compromised system via the ACPI subsystem, whose intended purpose is to give the operating system a degree of hardware control for power savings. This would give a rootkit several advantages over the current approach.

First, since the BIOS loads before the system actually boots from the hard drive, a BIOS rootkit has the potential to infect multiple operating systems on the same hardware.

Next, a well-written rootkit that has been installed, undetected, in your BIOS has an extremely high likelihood of remaining effective, and most likely of recompromising your system even after a complete format and reinstallation of your operating system.

Finally, a good implementation is likely to be very difficult to detect, at least initially, if the attacker is diligent about covering the tracks of their presence.

A PDF of the slides from the presentation at BlackHat can be found here: http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf
The PDF includes a starting point for people wishing to mitigate this particular type of potential attack vector. Recommendations include “write protecting” the flash memory of your BIOS, if your motherboard supports it, and disabling ACPI support, both in the BIOS and in the operating system.

Thanks to SecurityFocus and Slashdot for the story.

Posted in Information Protection

How to protect your social security number, and your privacy.

This is a great article on steps to take to protect your social security number and, thus, your identity. Especially useful is the discussion of which numbers to use if a company refuses to respect your privacy and you need to give them some 9-digit number to satisfy their request.

Posted in Information Protection

Catalyst to address Cornell Entrepreneur Network

Michael Santarcangelo, CISSP, host of the Security Catalyst, will be addressing the Cornell Entrepreneur Network (CEN) in NYC on Wednesday, January 25, 2006. He will be presenting an interactive program called “Security in an Unsecured World.” Hopefully you can attend.

Here is a brief program overview:

Security in an Unsecured World
Are you worried about your children using the Internet? Are you afraid to bank online? Do you know whom to trust for answers?

We read and hear stories about security breaches affecting our privacy and threatening our shopping, children and Internet experiences on a daily basis. The media has done an excellent job of convincing us something is wrong - but what can we do about it?

Join Michael for an engaging and energetic conversation where he will share the insights he has gained in the trenches. He will explain the top issues we face today in a language everyone can understand and provide you with simple steps you can follow to protect your family and yourself.

I’m excited to offer this program and expect a candid and thoughtful conversation that helps improve the way we all think about and handle security issues.

Here is the link: http://cen.cornell.edu/article.php?sid=261

Posted in Information Protection

Kama Sutra - Not fun at work - Worm is spreading fast

A new worm is said to be infecting thousands of machines every hour. Although it is described by different names, the “Kama Sutra” label looks likely to stick most strongly. Spreading via e-mail, it is programmed to do three basic things. First, it replicates itself and attempts to spread further out from the infected machine. Second, it works to disable security and antivirus software from multiple vendors on the infected machine.

Finally, and most destructively, on the third of any given month, it destroys all files it can access with a number of default “document” extensions. This includes the major Microsoft Office document formats, Adobe PDF files, and, strangely enough, files with the .DMP extension, which is how Microsoft stores the dump of memory information when a Windows-based computer crashes. I can only assume this is intended to make chasing this virus more difficult, as it eliminates one of Microsoft’s primary troubleshooting methods.

The Kama Sutra worm, we feel, falls pretty firmly into the category of a Trojan Horse. It cloaks itself in an executable file that appears to be something of a pornographic nature. It doesn’t exploit any particular e-mail software vulnerability. Instead, it convinces the user that it is something they might like to see and, when executed, installs all of its nefarious functionality instead.

A more detailed examination of the worm, its payload and its methodologies can be found at F-Secure’s virus site:
http://www.f-secure.com/v-descs/nyxem_e.shtml

As always, with a significantly expanding worm, we recommend the following major actions:

1) Make sure to update the virus scanning engines at all levels of your organization. For example, I’ve just confirmed that the latest virus engines are downloaded on the mail-scanning software that runs on my Exchange systems, and updated the signatures for my desktop virus scanning software.

2) Take this opportunity to remind your organization about your policies and recommendations regarding attachments in e-mail from unknown sources.

3) If your environment allows executable files as e-mail attachments, consider modifying your policy and settings such that executables are stripped from inbound e-mail.

For more information, the NIST special publications we’ve been discussing lately on the podcast provide an excellent guidance document on the subject. It can be found here, in PDF form: Guidelines on Electronic Mail Security. If you haven’t yet examined your e-mail environment closely for these kinds of issues, this document is a great starting point for a rigorous examination.
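Recommendation 3 above, as an added example that is not code from the original post or from any product the post names: a small Python gateway filter that rebuilds an inbound message without its executable attachments, using only the standard library's email package. It goes one step beyond the post by also checking for the 'MZ' header, so an executable renamed to a document extension is caught as well; the extension list and the sample message are constructed assumptions, not real captures.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a gateway commonly refuses (a constructed list for this example, not any vendor's policy).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "hta"}

def is_executable(filename, data):
    """Return why an attachment looks executable, or None if it looks safe."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return f"blocked extension .{ext}"
    # A renamed Windows executable still begins with the 'MZ' DOS header, so inspect bytes as well as name.
    if data[:2] == b"MZ":
        return "MZ header (Windows executable) under a non-executable name"
    return None

def strip_executables(raw_message):
    """Parse a raw RFC 822 message; rebuild it without executable attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    cleaned = EmailMessage(policy=policy.default)
    for header in ("From", "To", "Subject"):
        if msg[header] is not None:
            cleaned[header] = str(msg[header])
    body = msg.get_body(preferencelist=("plain",))
    cleaned.set_content(body.get_content() if body is not None else "")
    stripped = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_content()
        data = data.encode("utf-8") if isinstance(data, str) else data  # text parts arrive as str
        reason = is_executable(name, data)
        if reason:
            stripped.append(f"{name}: {reason}")
            continue
        maintype, subtype = part.get_content_type().split("/", 1)
        cleaned.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    if stripped:  # leave an audit trail for the recipient and for the security team
        cleaned["X-Attachments-Stripped"] = "; ".join(stripped)
    return cleaned, stripped

def build_sample_message():
    """Construct a sample inbound message (constructed data, not a real capture)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.org", "Files"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 fake", maintype="application", subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(b"MZ\x90\x00 fake", maintype="application", subtype="octet-stream", filename="photo.jpg")
    return msg.as_bytes()
```

Running `strip_executables(build_sample_message())` keeps report.pdf and records both invoice.exe and the renamed photo.jpg in the X-Attachments-Stripped header.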

Posted in Information Protection | Comments (1)

Security Catalyst 14 (Rundown with Matt Yoder #1)

Join us as Matt Yoder, formerly just a text contributor to the blog, finally puts his money where his mouth is (or vice versa) and joins Michael in co-hosting the Security Catalyst Rundown #1!

On this episode, we dive into the industry lingo and what is really meant by “rootkit,” “trojan,” and “backdoor,” and how those terms relate to some of the topics in the news lately. We also discuss patch management for a home user as it compares to the corporate world, and analyze some of the difficulties both sides have to contend with. We then wrap up with an introductory look at Risk Assessment, and are reminded that NIST has recently updated their excellent guidance document, SP 800-40, with a second version (November 2005).

The links from the show are here:
Creating a Patch and Vulnerability Management Program (NIST SP 800-40V2)

We developed this weekend show based on feedback and a desire to introduce some new ideas into the security dialogue. Send feedback, ideas, suggestions and questions to securitycatalyst@gmail.com. Thanks for listening!

The following track from the podsafe music collection of podshow was used during the introduction of SC14.
BAJA TAXI

Please remember to rate this podcast on iTunes and Yahoo! Thanks!!

Episode 14 [30:50m]

Posted in Uncategorized | Comments (1)

Public Speaking Engagement in Albany, NY

I will be speaking at the Association of Information Technology Professionals (AITP) in Albany on Tuesday evening. I will be presenting my “Security Without Wires” program. If you are in the area, I hope you are able to attend!

Click here for more information or to register for this event.

For more information on my speaking, please visit: The Bald Security Expert

If you can’t make this one, I’ll be speaking in other parts of the country this year, as well as offering some teleseminars and opportunities to network to my podcast family!

Posted in Information Protection

Security Catalyst 13 (Home User Security Basics)

Join us as Michael interviews Bill, a former (reformed) “black hat” hacker, about the 3 basic steps we advise our friends and families to take when it comes to protecting their home computers. While there are many things you can do to protect yourself and your family when connecting a computer to the Internet, we cover the three things you absolutely must do!

Join us as we discuss why these steps are important and gain the knowledge you need to be a bit safer!

The links from the show are here:
We are in the process of building a collection of consumer/home computer security links. Click here to check the current list and get information about updating your system, firewalls, anti-virus, anti-spyware and some good general advice.

The following track from the podsafe music collection of podshow was used during the introduction of SC13.
BAJA TAXI

Please remember to rate this podcast on iTunes and Yahoo! Thanks!!

Episode 13 [27:26m]

Posted in Uncategorized

Security Catalyst 12 (Symantec Rootkit, More Microsoft, Military Accounts)

The recent Symantec vulnerability that affects 63 (!) of its products was announced at the end of December, but flew under the radar. Symantec was back in the news this week with discussions about a rootkit — we examine both issues and help you take steps to be protected. We also briefly look at the new security concerns for Exchange/Outlook and then focus on dormant user accounts and the large security risk they pose. We talk specifically about key actions you can take to reduce your risk.

The following track from the podsafe music collection of podshow was used during the introduction of SC12.
BAJA TAXI

Episode 12 [31:33m]

Posted in Uncategorized

Macromedia Flash Security Panel

So, I was chatting with a friend who mentioned that he was a little frightened that Pandora, the service that points out music similar to what you already like, still knew who he was after he had not logged in for a month, even though he did not allow cookies.

I pointed out to him that Macromedia Flash has an entirely separate set of security controls. Despite his more than two decades in the IT industry, this was news to him. Given that he didn’t know about it, I had to assume that there were other people out there who were unaware that Flash stores a separate set of security settings.

Thus, here’s a minor piece of news, possibly just a reminder for some people:

The Macromedia Flash Player Control Panel

Note that, as the web page says, it contains a Flash object that connects to your local Flash settings in order to edit them.

Thanks to jkarp for making me aware of this topic.

Posted in Information Protection
