NCompass Live: IT Security for Libraries
Most any library can be a target, so join Blake Carver, the Owner of LISHost.org, and get some ideas on how to make your library and your home more secure. Carver covers privacy, as it is closely related to security, and should be taken seriously. He shares many ways to stay safe online, how to secure your browser, PC, and other devices you and your patrons use every day. He also tackles some common security myths, talks about secure passwords and network security, as well as hardware and PC security. Carver discusses security issues that you’ll find in your library as well as tricks sysadmins can do with servers to make things safer for you, and that you’ll never see as an end user.
NCompass Live - June 6, 2012.

Usage Rights

CC Attribution-NonCommercial-ShareAlike License

  • This slide will just sit before I am introduced
  • Here’s where I explain where I’ve worked, and highlight (quickly) security failures at each place
  • They are different, you can feel secure if you’re not, and you can be secure even if you don’t feel it.
  • I’m going to make you feel insecure, even if you’re not. My goal today is not to make you leave here screaming. But, you should leave here and make some changes.
  • It boils down to 3 types of bad guys.
  • They are everywhere. They are where you are.
  • So what are we talking about here? Viruses? Worms? Trojans? Backdoors? Scareware? Rootkits? Malware? Exploits? We are talking about malicious code that takes advantage of software vulnerabilities to infect, disrupt or take control of a computer without consent, and usually, without knowledge. These exploits target vulnerabilities in the OS, the web browser, various applications or anything else installed on a computer. These exploits are almost always targeted against known vulnerabilities that have already been patched by the maker of the software. They frequently target Java, Adobe Flash and PDF Reader, and the Windows OS. Many of these exploits are now spread through infected websites, mail, and social media.
    All these pieces add up—a great lesson to teach people who don’t tend to think outside of their little niche in the organisation. “When you’re thinking with a hacker mindset, the takeaway you get is there’s a little issue here, and there, and over there, and that a+b+c adds up,” Cheyne said.
    “Most computer users are all too aware of the threat of viruses and worms infecting their machines, but according to security research firm BitDefender different types of malware may now be infecting each other to create a new breed of security risk. Dubbed "Frankenmalware," the hybrids are created when a virus infects a machine that has already been compromised by a worm. The virus attaches itself to executable files on the host system — including the worm — and when the latter spreads it carries the virus along with it. BitDefender claims it analyzed a sample of 10 million pieces of malware and discovered 40,000 different examples of the new breed. Code from the Virtob virus, for example, was found inside both the OnlineGames and Mydoom worms.”
    Finding attacks will only get harder.
    Smarter, Stealthier, Sneakier Malware: Stuxnet. Duqu. Advanced persistent threats. Ever-evolving versions of Zeus and other malware. Malware is not only spreading, it's getting smarter. And sneakier. For most enterprises, it's difficult just to keep up with the newest and most sophisticated attacks, let alone stop them.
    As more and more tools are introduced they are perfected, and this makes it easier for all bad guys to get more victims.
  • But the threat model is evolving and ever changing, based on where the juiciest targets are, and what makes more sense for cybercriminals to use.
    Before, we used to see email as the primary vector for infection. Whether it was phishing emails trying to get people to click on a link, or simply a message carrying a payload like embedded JavaScript, or even a Word or PDF document trying to exploit a vulnerability in software. But now, email isn’t such a target anymore. Email clients have become much better at protecting users, and so have gateways and spam-scanning services. Today, the web is the main vector of attack, but perhaps not for long. With the increasing activity of hacktivists, the advent of cloud services of all types, and of course the mobile landscape, newer threats are emerging, and so the IT community must adapt.
    The report also underlined the growing threat posed by the malware-as-a-service industry, where crooks hire out networks of infected computers. “What's happening is a segregation of the malware market, where someone else will invest in infecting machines, and someone else will look to rent this for whatever means they see as most profitable,” James Todd, European technical head at FireEye told V3.
    They go out of their way to avoid detection and maybe more importantly, to cover their tracks. These things have help desks, user groups, social networking platforms; users can report and fix programming bugs, suggest and vote on new features, and generally guide future development of the botnet malware. The writers use CRMs. They are programmed to work against each other, or with each other. They have Affiliate Partners, and Recruiters, they do Advertising, and everything else any other business does.
    A peek into the underground economy and the market for stolen credit cards
    Posted on February 17, 2012 by Linda Musthaler
    There’s a great article from Bloomberg (Stolen credit cards for $3.50 online) in which author Michael Riley explores the depths of the underground market for stolen credit card data. Reading this is enough to make you want to stuff all your money in a mattress for safe keeping.
    By some estimates, the underground digital economy has now surpassed the estimated value of the international cocaine market. Oddly enough, this underground market actually functions like a legitimate economy in many ways. Not only do hackers sell their malware as if it were commercial software – complete with upgrades from time to time – but novice cyber criminals also can obtain training on how to get into the business. Black hat entrepreneurs offer translation services so those phishing scams can reach target victims in their native languages. What’s next, hacker support hot lines? (Maybe not hotlines, but there are chat rooms for sharing tips and “best practices.”)
    “The problem is getting worse faster than we’re getting better,” according to Tony Sager, the chief operating officer of the Information Assurance Directorate at the National Security Agency, which includes some of the U.S. government’s best cyber experts. “We’re not keeping pace.”
    2009 was a turning point year for the malware industry. In 2009, Symantec cataloged 2.8 million new viruses infecting computers. A year later that number had jumped to 286 million. This is the time frame when Zeus and its stepchild SpyEye came onto the scene, changing the illicit business model from “write your own code” to “buy the malware starter kit.” It allowed countless criminals with no technical knowledge to enter the market.
    Riley’s article does offer some hope for the white hats. The FBI and its international counterparts have learned some lessons from big take-downs in the past year. And as we’ve seen with the dramatic drop in spam when just one or two botnets were dismantled, all it takes is one good crime bust to put a dent in the underground market, at least for a while.
    This entry was posted in Security Threats and tagged SpyEye, stolen credit card data, underground digital economy, Zeus.
  • At Sophos Labs, we see 95,000 unique individual pieces of malicious code every single day. What’s happened is the bad guys have brought professionalism to their trade. They’ve developed a black market economy. They are adopting the latest and greatest technology. And they are garnering more resource than most vendors and most public sector organizations, and governments can put towards this issue. That’s principally because they are not bound by law, they are able to steal these resources. It is easy for them to go out to the Internet, click their fingers and get 80,000 computers. They are using tools like polymorphism which enable them to create new pieces of malicious code at high speed.
    The tools look good, and use mostly old holes, not really 0Days very often. Many go after PDFs, Java, and Office. They know we are all terrible at patching, and go after the easy targets.
    http://images.infoworld.com/d/security/business-booming-malware-service-merchants-185503?page=0,0&source=rss_security
    Business is booming for 'malware as a service' merchants
    By Taylor Armerding
    Created 2012-02-01 09:22AM
    They are well organized. They pay close attention to product quality, working hard to make it effective and scalable. They are all about customer service, providing after-sales support. They even solicit the help of their customers in product development. All admirable qualities. But all in the service of theft [1].
    [ Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive [2]" PDF expert guide, only from InfoWorld. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. [3] ]
    They are malware merchants; in the business of helping others steal from legitimate businesses and innocent consumers. And they have evolved to the point where they operate much like the legitimate software industry. It is possible to buy malware from what amounts to an app store, or to contract for malware as a service (MaaS) [4].
    "The life cycle of [malware] products is the most amazing aspect," writes Pierluigi Paganini, a certified ethical hacker and founder of Security Affairs in Italy, in an article posted this past week on Infosec Island [5]. "From design to release to after-sales support, each stage is implemented in every detail with care and attention."
    One of the most famous examples is the Zeus Trojan [6], designed to steal banking information, which can be customized with new features demanded by its customers. There are an estimated 3.6 million computers in the U.S. that have been compromised by Zeus botnets.
    In early January, the Israel-based security firm Trusteer reported on a new version of the SpyEye Trojan [7] that, somewhat like a security camera hack, swaps out banking web pages to prevent account holders from noticing that their money is gone.
    Not that the botnet market is new. But it is maturing, and is more diversified and dangerous than ever.
    Kevin McAleavey, cofounder and chief architect of the KNOS Project outside Albany, N.Y., who has spent more than a decade in antimalware product development and research, says this is a logical progression. "Today's 'professionals' were once amateurs, and by that I mean the authors of the malware itself," he says. "It should come as no surprise that what may have once been done 'for fun' can readily be monetized by criminal and government elements for their own purposes."
    The modern malware developer and distributor, he says, is selling not just the malware itself, but "the means to keep it hidden and from being detected."
    But, if these merchants of malware are operating like businesses, can't authorities just track them down and shut them down? Not so easily, it turns out. Most use the so-called "Onion Router [8]," which lets users conduct business anonymously. "The only time one has a chance to track down individuals is when they rat each other out," says McAleavey.
    It is not only the Onion Router, but the fact that they operate in countries where they are hard to reach -- Latvia, Lithuania, Ukraine, Brazil and others -- where McAleavey says enforcement is lax. "Generally, these 'kids' are smart and don't leave much in the way of tracking data," McAleavey says. "They know how to layer proxies to cause the trail to go cold. Some people working for antivirus companies have successfully managed to audit the trails only to find the perps pull up stakes and move elsewhere by the time the authorities actually show up."
    The "app store" element of the business amounts to a detection test service, "where a site accepts uploads of packaged malware and tests it against every known antivirus engine with the latest updates and spits out who detected it and as what. So the kids go back, change the code and keep changing it until nobody detects it whereupon, it goes out."
    Paganini reports that Zeus offshoot Citadel offers a basic bot builder and botnet administration panel for $2,399 plus a $125 monthly "rent." It also offers what McAleavey noted -- a module for $395 that "allows botmasters [9] to sign up for a service that automatically updates bot malware to evade the latest antivirus signatures."
    What should enterprises and consumers do? All of the usual things -- don't open odd attachments, even from those you know. Stay away from sketchy websites. Keep your antivirus up to date.
    Paganini recommends public awareness and alert networks spread through social media. He would also like to see task forces composed of members from various sectors like government, industry, health and the military, "since we are facing cross-sector threats."
    But neither Paganini nor McAleavey is optimistic in the short run. "As long as there's ways to get into Windows, and money to be made doing so, there will be no shortage of malware authors and those willing to make money servicing them -- until the means of hijacking machines themselves is solved," McAleavey says.
    Paganini says there are no products on the market now that are able to block an enemy that "grows day by day." "We are completely unprepared," he says, to fight a "perfect business machine that moves an amount of money equal to the economies of several nations."
    Read more about malware/cybercrime [10] in CSOonline's Malware/Cybercrime section.
    Source URL (retrieved on 2012-02-06 06:07AM): http://images.infoworld.com/d/security/business-booming-malware-service-merchants-185503
    Links:
    [1] http://www.csoonline.com/topic/43404/identity-theft-prevention
    [2] http://www.infoworld.com/t/data-loss-prevention/download-the-data-loss-prevention-deep-dive-168044?source=itself_fssr
    [3] http://www.infoworld.com/newsletters/subscribe?showlist=infoworld_sec_rpt&source=ifwelg_fssr
    [4] http://www.csoonline.com/article/678366/cybercriminals-selling-exploit-as-a-service-kit
    [5] http://www.infosecisland.com/blogview/19615-The-Implications-of-Malware-as-a-Service.html
    [6] http://www.csoonline.com/article/682326/zeus-leaks-give-tools-to-researchers-attackers
    [7] http://www.csoonline.com/article/691821/spyeye-malware-continues-to-plague-computers
    [8] http://www.csoonline.com/article/216352/researchers-show-how-attackers-can-crack-onion-router
    [9] http://www.csoonline.com/article/507936/the-botnet-hunters-
    [10] http://www.csoonline.com/topic/43400/malware-cybercrime
  • http://blog.eset.com/2012/03/06/changing-perceptions-of-malware-threat-images-make-a-difference
    Examples:
    IncognitoRat, first known Java-based, cross-platform botnet builder. It can infect Java virtual machines on MacOS and Windows systems.
    Crimepack, an exploit kit.
    Xxsed, a source for sites vulnerable to cross-site attacks.
    Spamdot.biz, a forum for spammers.
    Close-up shows high quality of data on offer.
    An example of SEO poisoning [leads to fake pharmacy].
    More poisoning [leads to cookie stuffing survey scam].
    The Crimepack login.
    SpyEye, the point-and-click botnet builder with plugins for everything from DDoS to Bank of America credential grabbing.
  • They are after most of the things you’d expect, and some you might not...
  • You might say to yourself you’re not a target because you’re only on The Facebook or The Twitter...
  • Personal information is the currency of the underground economy. It's literally what cybercriminals trade in. Hackers who obtain this data can sell it to a variety of buyers, including identity thieves, organized crime rings, spammers and botnet operators, who use the data to make even more money.
    A name or email address is worth anywhere from fractions of a cent to $1 per record, depending on the quality and freshness of the data, information security experts say.
    That may not sound like a windfall, but when you multiply it by millions of records, it quickly adds up. Take the Zappos breach as an example: If hackers in fact obtained data on 24 million customers, even if they sell only 5 million email addresses at five cents a pop—cha-ching—they've just made $250,000 off of one hack.
    Botnet operators make even more money. Say you own a botnet that consists of 100,000 computers. You may rent it out to spammers for $1,000 per hour, says Stu Sjouwerman, founder and CEO of KnowB4, a provider of Internet security awareness training based in Clearwater, Fla. If you rent or buy the 24 million records from Zappos so that you can then send malware to those email addresses, even if only 20 percent of recipients get infected with your malware that takes control of their computer, you've still grown your botnet by about 5 million computers with very little work, he adds.
    "Now you can charge $5,000 an hour instead of $1,000 per hour for 5 million bots that start sending spam," says Sjouwerman. "These guys make money hand over fist." Of course, their illegal activity also means criminal charges, jail time and financial restitution.
    Are You at Risk? What Cybercriminals Do With Your Personal Data – Meridith Levinson, CIO (www.cio.com)
    http://www.cio.com/article/698820/Are_You_at_Risk_What_Cybercriminals_Do_With_Your_Personal_Data_
  • It's also important to know that, ultimately, there is no such thing as a secure computer. Nothing we do can make things 100% safe. We can just make things safer than they were before. All of the security work we do is about reducing risk. It's about knowing what we're up against. We want to reduce the possible frequency of loss (by securing things as much as possible, given our resources) AND we want to reduce the potential magnitude of loss (by limiting what can be lost as much as possible).
    To help set the stage for success we should keep in mind 2 things: "Any lock can be picked", and people are the weakest link in the security chain. First, people:
    People choose bad passwords; we write them down, we share them, we reuse them.
    People email things we shouldn't.
    People post things on Twitter or Facebook.
    People click on links without knowing what's behind them.
    People don't update our computers and programs.
    People plug in USB drives without knowing where they came from.
    Of course, we all want our computers to work. We don't want to worry about all this security. We just want things to be safe. We have better things to do. We do insecure things because we're tired and busy. We write down passwords because our brains are full. We have better things to do than update our computers and programs. It's not (only) because people are lazy. It's because every layer of security we add causes more work for them. Much of this advice, many of these things we want them to do, just costs too much in terms of a daily burden when so few of them will really be harmed by evil doers. There is generally low motivation and poor understanding of why this could be important. People choose the easiest and quickest way to get things and hope for the best. So even though we have better security than ever before, there are also more ways to defeat it than ever before.
    To make matters worse, we are now in the era of "steal everything." We all have something a hacker is interested in stealing. And to make things even worse, barriers to this particular type of theft are lower than ever. Frequently, hacking requires little training or knowledge or investment of time. Hackers have moved beyond banks and are now stealing more mundane things that you have. These are all worth money, or can be used to cause trouble and spread malware. There are bad guys who will pay for email passwords, Facebook logins, trojaned PCs, game logins, nearly anything you have.
    Our libraries are no exception. They become targets because of what we have inside our ILSs, our public access machines, the OPAC, the databases and more.
  • ANY lock can be picked!
  • Outline of the awesomeness to come...
  • A comment on an LISNews post from last week asked me about passwords. It seems like such a simple, obvious topic, but when you stop and think about it, passwords are difficult, and a good answer does indeed take 1,399 words. Do you always use unique passwords? Are those passwords always "strong"? Does your library's web presence require strong passwords for all users? Do you have password recommendations clearly posted on your web resources for your users? What makes a good password? Are complex passwords the most secure? Is it uniqueness? Is length the most important thing in a password?
    I'll start by saying the single most important thing is uniqueness: never reuse one password for everything. Using the same password for everything is THE WORST thing you can do. If you learn just one thing from this post make sure it's that password reuse is dangerous. Doing this will allow anyone who gets your password from an insecure site (and the chances of this happening are probably higher than you'd think) to use it elsewhere. Your password could have been taken from any number of large data breaches and you'd never know it. When these big hacks happen the only thing saving you from becoming an easy target is having a unique password. It's easy for a hacker to use your email address and password taken from a site like Gawker and use it as a starting point to cause some serious trouble.
    New School Approaches to Passwords, from The New School of Information Security by adam
    Adam Montville left a comment on my post, “Paper: The Security of Password Expiration“, and I wanted to expand on his question:
    Passwords suck when they’re not properly cared for. We know this. Any other known form of authentication we have is difficult because of the infrastructure required to pull it off. That sucks too. Does this leave us at a stalemate where we need to get people to care about their passwords?
    I think the answer is “almost.” We need to agree that passwords suck when they’re not properly cared for, and that caring for them is hard. So we need to assume that passwords will tend to be poor, reused, etc, and develop methods to deal with that. Most of our mechanisms today punish users. We tell them to memorize 100 or more unique passwords, and then “security experts” abuse them for re-use or using a password management tool. Cormac Herley has claimed that the password has a set of properties including being subject to memorization that make it impossible to replace, and we should accept that and start engineering for it. (“A Research Agenda Acknowledging the Persistence of Passwords” and “Passwords: If We’re So Smart Why Are We Still Using Them?“)
    Similarly, Nate Lawson posted “On the evolving security of password schemes” which closes “most admins focus too much on increasing entropy of user choices and not enough on decreasing the attacker’s guess rate and implementing responses to limit their access when they do get a hit.” Indeed.
    We need to observe the world, and ask how we can work within the constraints it presents regardless of whether those constraints are economic, sociological or evolutionary.
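The post quoted above ends with Nate Lawson's point that admins should spend less effort on the entropy of user choices and more on cutting the attacker's guess rate and responding when they get a hit. As an added illustration, not code from the talk or from either quoted post, here is a per-account login throttle with exponential backoff, together with a simulation of how many online guesses it leaves an attacker in an hour. The class name, the one-second base delay and the five-minute cap are my own assumptions.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account throttle for a login endpoint (hypothetical helper).

    Every consecutive failed attempt on an account doubles the wait before
    the next attempt on that account is accepted, up to max_delay seconds.
    A successful login clears the counter. The point is to cut the guess
    rate an online attacker gets, independent of how strong the password is.
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock                        # injectable for simulation
        self._failures = defaultdict(int)         # account -> consecutive failures
        self._locked_until = defaultdict(float)   # account -> earliest next attempt

    def delay_for(self, failures):
        """Seconds to wait after `failures` consecutive failures."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def attempt_allowed(self, account):
        """True if the account's current wait has expired."""
        return self.clock() >= self._locked_until[account]

    def record_result(self, account, success):
        """Update state after a verified attempt; returns the wait imposed."""
        if success:
            self._failures[account] = 0
            self._locked_until[account] = 0.0
            return 0.0
        self._failures[account] += 1
        wait = self.delay_for(self._failures[account])
        self._locked_until[account] = self.clock() + wait
        return wait

    def failures(self, account):
        return self._failures[account]


def guesses_in_window(window_seconds, base_delay=1.0, max_delay=300.0):
    """Simulate an online guesser who is wrong every time and retries the
    instant each wait expires. Returns how many guesses fit in the window;
    without the throttle the same guesser would get one per request."""
    now = [0.0]
    throttle = LoginThrottle(base_delay, max_delay, clock=lambda: now[0])
    guesses = 0
    while now[0] < window_seconds:
        if not throttle.attempt_allowed("victim"):
            raise RuntimeError("simulation should only attempt when allowed")
        guesses += 1
        now[0] += throttle.record_result("victim", success=False)
    return guesses


if __name__ == "__main__":
    print("guesses possible in one hour with backoff:", guesses_in_window(3600))
```

With the defaults the simulated attacker gets 20 guesses in an hour against one account, versus one guess per request without the throttle; because the state is keyed by account rather than by source address, an attacker who spreads attempts over many addresses gains nothing, though a legitimate user who is being targeted will also see delays, which is the trade-off such a response makes.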
  • The report identifies the most commonly used passwords:
    1. 123456
    2. 12345
    3. 123456789
    4. Password
    5. iloveyou
    6. princess
    7. rockyou
    8. 1234567
    9. 12345678
    10. abc123
    None of this is overly surprising, although it remains alarming. We know passwords are too short, too simple, too predictable and too much like the other ones the individual has created in other locations. The bit which did take me back a bit was the extent to which passwords conformed to very predictable patterns, namely only using alphanumeric characters, being 10 characters or less and having a much better than average chance of being the same as other passwords the user has created on totally independent systems.
    http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
  • What Makes A Good Password?
    So what makes a good password? In short, length and complexity. If you think about it, a password is really weak security. If you're in charge of setting the password policy for your library, you have decisions to make. Should you force people to use complex and unique passwords? Anytime you change up security policies people will look for ways around it. Enforcing strong passwords is no exception. Even when your users are forced to use "good" passwords, they'll do something like choose all the characters on the left side of the keyboard. They will turn the seemingly secure restrictions into EASY passwords and make your network even LESS secure. Somehow your new security policy just made everyone's password easier to guess. Those passwords are not strong and can be easily bruteforced/rainbowed/dictionaried because they are commonly used and will be guessed first in an automated attack. A truly strong password is darn hard to remember, and that's the problem for all of us with more than a few passwords.
  • http://blogs.securiteam.com/index.php/archives/1597
    There is no way any reasonable person can choose a password that fits this policy AND can be remembered (note how they are telling you that you CANNOT use special characters. So users now have to bend according to the lowest common denominator of their bad back-end database routine and their bad password policy).
    I’m sure some high-paid consultant convinced the T-MO CSO that stricter password policy is the answer to all their security problems. Reminds me of a story about an air-force security chief that claimed 25% increase in security by making mandatory password length 10 characters instead of 8, but I digress.
    Yes, I know my habitat. No security executive ever got fired for making the user’s life difficult. All in the name of security. Except it’s both bad security and bad usability (which, incidentally, correlate more often than not, despite what lazy security ‘experts’ might let you believe).
  • The world’s greatest password
    This evergreen advice often gets interpreted to mean that passwords should be obscure, or a term no one would ever think you’d pick if they had a million years. Yes, obscure can work—and it’s a darn sight better than picking an obvious password. However, an obscure password only protects you from people who know something about you. Odds are, most people trying to crack your passwords don’t know you.
  • Choosing A Good Password
    So, it turns out a key to a strong password isn’t its obscurity but its complexity — things that make it less likely to be guessed by an automated password cracker. However, making a good complex password means knowing a bit about how passwords get broken. Passwords don't necessarily need to be hard. Pick a good memorization strategy, pick a good password, and you'll be on your way to being more secure.
    Choose NON obvious, NON dictionary passwords. If we assume someone has time to just sit and guess your password on a system, they will check common passwords first, then they check a dictionary. Since they don't know your password, they look for the easiest guesses first. Given enough time, and if they are persistent enough, they will just start throwing every possible combination of letters, and then numbers, and then letters and numbers, and so on. So after avoiding things that are common, the most important thing is length. There's no difference between a simple long password and a complex long one as far as guessing goes. So start with an easy to remember password, then pad it with something else easy to remember. But don't just use Password1 as this is easily guessed, and don't pad with easily guessed numbers. The password plus padding shouldn't be easily guessed or obvious. E.g. the most common (therefore easily guessed) padding is adding a 1, 2, 3 or 4 at the end of some word. This increase in length and complexity defends against brute forcing. We get protection by adding more characters because they need to guess every possible combination of everything up to that length; each extra character adds A LOT of time required. If you use special characters and upper/lower case you add even more time, because they know most passwords are all lower-case letters and numbers. Some places will allow the use of spaces in your password, which gives you the opportunity to use a pass phrase, e.g. Correct Horse Battery Staple.
    Simple Things Make a Good Strong Password
    At least 1 Uppercase
    At least 1 Lowercase
    At least 1 Number (And don't put those numbers on the end)
    At least 1 Something else (*%$@!-+=)
    Make it as long as you can
    Are complex passwords better? Well, maybe. Longer passwords are better, no doubt. If we knew exactly what each password was defending against, we would know what kind of password to choose. You have no idea how your passwords are stored or shared. Given enough time any captured password can be broken. Remember, we don't know HOW people are going to get your password. Given enough time and resources any password can be guessed. BUT, that is no excuse to not use a good password, because chances are good no one will have the time and resources to crack a good password.
    One more random piece of password changing advice: if you break up with someone who knew your passwords, change them all.
  • Instead, what's important is that the password be unique. Most sites are like StratFor and have poor cybersecurity. (StratFor wasn't even close to good cybersecurity; they were horrible on almost any measure.) Any information you give them, such as your password, will eventually get stolen by hackers. If you use the same password for all websites, then eventually hackers will break into one of those sites, then gain access to all your other accounts.
    There are essentially three tiers of websites. At the first tier is your e-mail account. Since a hack of your e-mail account means hackers can reset passwords on all your other accounts, it would be terrible if that password were lost. This should both be very complex, as well as wholly unrelated to any other accounts.
    At the second tier are important e-commerce sites, like Amazon.com, NewEgg.com, Apple.com, and so on. The major sites are unlikely to be hacked. You could probably share the same password for all these accounts.
    At the third tier are the unimportant accounts, like StratFor, where it wouldn't be catastrophic if your password were lost. Again, you could choose a third, simple password, like "passwd1234" for all these accounts. It'll probably get stolen within a year, but who really cares?
    Thus, you really only need three passwords, one for each tier, so it's not too much trouble. However, even then, you might consider adding uniqueness. For example, on the last tier, you might use the domain name as your password, like "passwdStratfor1". When a hacker breaks in and runs an automated script to see if your password is unique, the script will fail to find a match on any other site. Sure, a hacker looking at the password individually will figure out your scheme, but in a huge hack like the 800,000 StratFor accounts, hackers are unlikely to manually check every password.
    In conclusion, your first password policy shouldn't be complexity, but uniqueness. When hackers break into a site like StratFor and discover your password is "password1", you shouldn't be embarrassed. You should instead say you don't care about your free StratFor account, or that hackers break into it, and that knowing this password doesn't help break into any account you do care about.
  • The general idea is to make your password hard to guess. So from easy to guess to hard (in order):
* monday
* Monday (adds a capital where expected)
* mondaY (adds a capital where not expected)
* m0ndaY (substitutes a zero for “o”)
* m0n daY (adds a space where not expected)
* m0n daY! (adds punctuation where expected)
* m0n! day (adds punctuation where not expected)
http://rdist.root.org/2012/01/10/on-the-evolving-security-of-password-schemes/

What makes a bad password?
We have interesting stats on passwords thanks to some major hacks. In short, people choose bad passwords. They choose passwords that are short, all lower case, not random, in the dictionary, with no special characters, found in password dictionaries, and worst of all, they reuse the same password again and again across sites. That stats link has 3 interesting conclusions:
1. Passwords are inspired by words of personal significance or other memorable patterns.
2. Attempts to obfuscate or strengthen passwords usually follow predictable patterns.
3. Truly random passwords are all but non-existent; they’re less than 1% of the data set.
Don't use any part of your username in your password. Don't use the names of any members of your family. Avoid keyboard sequences, any real words, any real words with just a number tacked on either end, or any real word just reversed.
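To make the rules above concrete, here is an added example in Python (not code from the talk or from the rdist post): a checker that reports which of the slide's rules a password misses and recognises the predictable mangling from the monday list by undoing leet substitutions, plus a naive entropy estimate and a Correct-Horse-Battery-Staple style generator. The word list is a constructed handful for illustration; a real check would load a large dictionary and a leaked-password list.

```python
"""Added example: check a password against the rules above and estimate its strength.

Assumptions: the rules are the ones on this slide (upper, lower, digit not only
at the end, symbol, length) and the 'predictable mangling' patterns from the
monday list. COMMON_WORDS is a constructed toy list; use a real dictionary plus
a leaked-password list in practice.
"""
import math
import re
import secrets

COMMON_WORDS = {"monday", "password", "passwd", "library", "welcome", "summer",
                "correct", "horse", "battery", "staple"}   # constructed toy list

# Substitutions a cracker's rule set undoes first.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def base_word(pw):
    """Strip the predictable tricks: leet digits, case, spaces, punctuation, trailing digits."""
    return re.sub(r"[^a-z]", "", pw.translate(LEET).lower())


def policy_findings(pw):
    """Return the list of rules the password fails (empty list = passes)."""
    findings = []
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    if not re.search(r"[A-Z]", pw):
        findings.append("no uppercase")
    if not re.search(r"[a-z]", pw):
        findings.append("no lowercase")
    if not re.search(r"\d", pw):
        findings.append("no digit")
    elif re.fullmatch(r"\D+\d+", pw):
        findings.append("digits only at the end")
    if not re.search(r"[^A-Za-z0-9]", pw):
        findings.append("no symbol")
    base = base_word(pw)
    if base in COMMON_WORDS or base[::-1] in COMMON_WORDS:
        findings.append("dictionary word '%s' with predictable mangling" % base)
    if re.search(r"qwerty|asdf|12345|abcde", pw.lower()):
        findings.append("keyboard or sequence pattern")
    return findings


def charset_entropy_bits(pw):
    """Naive strength: length * log2(alphabet size).

    Only meaningful for truly random passwords: 'm0n! daY' scores about 52 bits
    here but is really one dictionary word plus a handful of mangling rules.
    """
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33   # printable ASCII punctuation including space
    return len(pw) * math.log2(size) if size else 0.0


def passphrase_entropy_bits(n_words, dictionary_size):
    """Passphrase strength: each randomly chosen word adds log2(dictionary size) bits."""
    return n_words * math.log2(dictionary_size)


def make_passphrase(n_words=4, words=None):
    """Pick words with the secrets module (CSPRNG), never random.choice."""
    words = sorted(words or COMMON_WORDS)   # the toy list is only for the demo
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ["monday", "m0n! daY", "passwdStratfor1", "correct horse battery staple"]:
        print(repr(pw), policy_findings(pw), round(charset_entropy_bits(pw)), "bits (naive)")
    print("4 random words from a 7776-word list:",
          round(passphrase_entropy_bits(4, 7776)), "bits")
```

Two things the run shows that the rules alone do not: the checkbox rules flag "correct horse battery staple" (no uppercase, no digit) even though four words drawn at random from a 7776-word list give about 52 bits, the same naive figure the rules award "m0n! daY", whose real strength is far lower because base_word() reduces it straight back to "monday". Length and randomness, not the checkboxes, are what the cracker feels.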
  • Only do it if you think it’s necessary. Should you as an administrator force users to change passwords? Maybe. If you already have good policies in place, it may not be needed. That is, don’t define complexity; force long passwords and maybe little else.
Should You Change All Your Passwords Every 3 Months?
Before I cover some recommendations, I'll ask: how often do you change your password? Is changing your passwords every 3 months a good idea? Is forcing your users to change their password every so often a good idea? I'll stick my neck out and say, in general, no, changing your passwords every so often isn't going to help things, with one exception: network or server logins. Network and server passwords should probably be changed every so often. I'll explain why by first explaining why other things probably won't matter. Say for example your bank. Your money is gone if anyone gets your password, and you'll notice that right away; you'll only need to change that one if it's taken along with all your money. Your email? Chances are good that if someone gets your email password they'll start causing trouble right away. Hopefully you'll be able to change it back and lock them out. In general: you don't need to regularly change the passwords you use, UNLESS it's to something like a network or a web server. The bad guys can just sit and wait once they've gotten into your network or your web server. They don't need to do anything that will be instantly obvious like an empty bank account. It may be good practice to change those types of passwords on a regular basis. Whatever the schedule, change a password immediately when you have reason to think it leaked: a site you use was breached, or someone who knew it shouldn't any more.
  • Since most identity theft occurs en masse, to the entire user base of a site that has its database hacked, Walker says the burden ought to be more on system administrators to enhance security of passwords. "For example, authentication sessions could be managed with timed lockouts, IP addresses could be tracked and more advanced password complexity analysis at the time of creation would actually improve security for the end user," he says. Part of the problem, according to Rees, is that users may expect more of passwords than they can deliver. "They should be part of a layered security defense," he says.
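As an added illustration of the server-side measures Walker describes (timed lockouts and tracking of source IPs), not code from the talk or the article quoted: a small Python login throttle. It counts failures per account and per source IP over a sliding window, locks for a fixed time, and refuses to even test the password while locked, so a guesser learns nothing during the lockout. The login events and thresholds are constructed for the demo; timestamps are seconds.

```python
"""Added example: timed lockouts per account and per source IP for a login endpoint.

Assumptions: events are (timestamp_seconds, source_ip, username, password_ok);
password_ok stands in for the real credential check. Thresholds are illustrative.
"""
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter with timed (not permanent) lockouts."""

    def __init__(self, user_limit=5, ip_limit=20, window=300, lockout=900):
        self.user_limit = user_limit    # failures per account inside the window
        self.ip_limit = ip_limit        # failures per source IP inside the window
        self.window = window            # seconds over which failures are counted
        self.lockout = lockout          # seconds a lock lasts; it expires on its own
        self.failures = defaultdict(deque)   # ("user", name) / ("ip", addr) -> failure times
        self.locked_until = {}               # same keys -> time the lock expires

    def is_locked(self, key, now):
        return now < self.locked_until.get(key, 0)

    def attempt(self, now, ip, user, password_ok):
        """Handle one login attempt; returns 'locked', 'ok' or 'fail'.

        The credential check (password_ok) is only consulted when nothing is
        locked, so a guesser cannot tell a right guess from a wrong one while
        the lock is in force.
        """
        keys = (("user", user), ("ip", ip))
        if any(self.is_locked(k, now) for k in keys):
            return "locked"
        if password_ok:
            self.failures.pop(("user", user), None)   # a good login clears the account's count
            return "ok"
        for key, limit in zip(keys, (self.user_limit, self.ip_limit)):
            times = self.failures[key]
            times.append(now)
            while times and now - times[0] > self.window:   # forget failures outside the window
                times.popleft()
            if len(times) >= limit:
                self.locked_until[key] = now + self.lockout
                times.clear()
        return "fail"


def replay(events, **thresholds):
    """Run a list of (now, ip, user, password_ok) events through a fresh throttle."""
    throttle = LoginThrottle(**thresholds)
    return [throttle.attempt(*event) for event in events]


# Constructed sample: an attacker at 203.0.113.7 guesses at 'alice', then alice logs in herself.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "alice", False),
    (10, "203.0.113.7", "alice", False),
    (20, "203.0.113.7", "alice", False),
    (30, "203.0.113.7", "alice", False),
    (40, "203.0.113.7", "alice", False),     # fifth failure: account locked until t=940
    (50, "203.0.113.7", "alice", True),      # attacker hits the right password: still 'locked'
    (100, "198.51.100.4", "alice", True),    # alice herself during the lock: also 'locked'
    (1000, "198.51.100.4", "alice", True),   # lock expired: 'ok'
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

The event at t=100 is the known trade-off of account lockouts: anyone can lock alice out by failing on purpose. That is why the lock is timed and short rather than permanent, why the per-IP counter exists alongside the per-account one, and why every "locked" and "fail" outcome should be logged with its source IP, which is the tracking Walker refers to.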
  • This website lets you enter a username or email address and see whether it shows up in a known breach dump from some site that's been hacked.
  • Tl;dr Keep everything updated, don’t trust anything, and use good passwords
  • A very brief discussion on which OS might be safest, or at least how using Apple or Linux makes you MORE safe... NOT safe.
  • Here’s a big list of:
Common computer troubles
Common symptoms of malware infections
You don’t know which one it is!
  • Symantec reports they have seen the technique in malicious Android apps hosted on Russian websites. Polymorphism has long been used to evade signature-based detection on PCs, with no little success. Server-side polymorphic techniques create a new version of the malware each time it is downloaded. The combination of these mechanisms, sophisticated obfuscation and the sheer volume of unique malware samples (tens of millions annually) has rendered client-based antimalware far less effective than it was just a few years ago.
  • On your computer:
  - Keep that OS patched and updated. Related: don’t use Windows XP.
  - Show file extensions (turn off "hide extensions for known file types"), so a file called invoice.pdf.exe can't pass for a PDF.
  - Make sure ALL those programs are updated. Especially don’t miss anything made by Adobe (e.g. Flash & Acrobat).
  - Never install things you’re not sure are safe. Especially don’t trust anything from Torrents or P2P sites. Avoid downloading programs from unknown sources.
  - If you're not using something, just remove it. Every program installed on your computer opens a potential new hole.
  - Make sure your firewall is turned on.
  - Make sure file sharing is turned off.
  - Use a reputable virus & malware protection program, keep it up to date and run it often.
  - Make sure that the Macro Virus Protection feature is enabled in all Microsoft applications.
  - Never trust any links, attachments, short links, or anything else from anywhere or anyone unless you are SURE what’s inside.
  - Have a recovery plan. Is your stuff backed up?
  - If it's a laptop, use something like Prey Project.
  - Advanced: consider changing up your hosts file and/or using something like OpenDNS.
  • Your Email:
  - Never open email attachments unless you know for sure what that file contains.
  - Never click a link unless you know for sure that where it leads is safe.
  - Check your mail filters and forwards for things you didn’t add (someone who gets in quietly adds a forward so they keep reading your mail after you change the password).
  - Use good passwords.
  - Sign out when you're done.
  - Use two-factor authentication when possible (e.g. Google Authenticator for Gmail).
  - Be sure to use https when on public Wi-Fi.
  - Consider using 2 separate email accounts to keep important things separate from everyday stuff.
  - Watch out for short links; it's hard to know where they'll lead you.
  • Examples of really common email threats we’re seeing now.Blended threats mean they are combining email with attachments or hacked websites to trick you into installing something bad.
  • Here's a curiosity that's developing in modern browser security: the security of a given browser is dominated by how much effort it puts into other peoples' problems.
This may sound absurd at first, but we're heading towards a world where the main browsers will have (with a few notable exceptions):
- Rapid autoupdate to fix security issues.
- Some form of sandboxing.
- A long history of fuzzing and security research.
These factors, combined with an ever more balanced distribution of browser usage, are making it uneconomical for mass malware to go after the browsers themselves.

Enter plug-ins
Plug-ins are an attractive target because some of them have drastically more market share than even the most popular browser. And a lot of plug-ins haven't received the same security attention that browsers have over the past years.
The traditional view in security is to look after your own house and let others look after theirs. But is this conscionable in a world where -- as a browser vendor -- you have the power to defend users from other peoples' bugs?
As a robust illustrative point, a lot of security professionals recently noticed some interesting exploit kit data, showing a big difference in exploitation success between Chrome (~0%) and IE / Firefox (~15%). The particular exploits successfully targeted are largely old, fixed plug-in bugs in Java, Flash and Reader. So why the big difference between browsers?
The answer is largely the investment Chrome's security team has made in defending against other peoples' problems, with initiatives such as:
- Blocking out-of-date plug-ins by default and encouraging the user to update.
- Blocking lesser-used plug-ins (such as Java, RealPlayer, Shockwave etc.) by default.
- Having the Flash plug-in bundled such that it is autoupdated using Chrome's fast autoupdate strategy (this is why Chrome probably has the best Flash security story).
- The inclusion of a lightweight and reasonably sandboxed default PDF viewer (not all sandboxes are created equal!).
- The Open Type Sanitizer, which defends against a subset of Windows kernel bugs and Freetype bugs. Chrome often autoupdates OTS faster than e.g. Microsoft / Apple / Linux vendors fix the underlying bug.
- Certificate public key pinning. This new technology defends against the generally gnarly SSL Certificate Authority problem, and caught a serious CA compromise being abused in Iran last year.
In conclusion, some of the biggest browser security wins over the past couple of years have come from browser vendors defending against other peoples' problems. So I repeat the hypothesis: the security of a given browser is dominated by how much effort it puts into other peoples' problems.
Funny world we live in.
  • The one thing ALL those browsers have in common is plugins, especially anything from Adobe. That’s why the bad guys target Flash and Acrobat Reader: they are ubiquitous, notoriously easy to exploit, and notorious for 0-days.
  • "In 2011, advertisers submitted billions of ads to Google, and of those, we disabled more than 130 million ads. And our systems continue to improve—in fact, in 2011 we reduced the percentage of bad ads by more than 50% compared with 2010. That means that our methods are working. We’re also catching the vast majority of these scam ads before they ever appear on Google or on any of our partner networks. For example, in 2011, we shut down approximately 150,000 accounts for attempting to advertise counterfeit goods, and more than 95% of these accounts were discovered through our own detection efforts and risk models."Your Browser:Keep your browsers updated to the latest secure releasesKeep ALL Plugins updated to the latest secure releases, especially anything from AdobeDon’t install things from sources you don't trustBlock cookies, flash, and JavaScript (use with caution, will cause you trouble)Use a password manager to store all your many passwordsWatch out for short links
  • "In 2011, advertisers submitted billions of ads to Google, and of those, we disabled more than 130 million ads. And our systems continue to improve—in fact, in 2011 we reduced the percentage of bad ads by more than 50% compared with 2010. That means that our methods are working. We’re also catching the vast majority of these scam ads before they ever appear on Google or on any of our partner networks. For example, in 2011, we shut down approximately 150,000 accounts for attempting to advertise counterfeit goods, and more than 95% of these accounts were discovered through our own detection efforts and risk models."Your Browser:Keep your browsers updated to the latest secure releasesKeep ALL Plugins updated to the latest secure releases, especially anything from AdobeDon’t install things from sources you don't trustBlock cookies, flash, and JavaScript (use with caution, will cause you trouble)Use a password manager to store all your many passwordsWatch out for short links
  • This is a plugin that tracks where all your cookies come from .
  • Yet Another Reason to Secure Your Wi-Fi Network: Child Porn Charges
Published by Jay Rivera on April 28, 2011 in Criminal Law.
By now we all know that privacy and the internet mix just about as well as water and BP. Previously we have blogged about privacy concerns and technology, specifically how police need a warrant to search e-mails. But did you know that you could get accused of internet activity that you didn’t even do, or weren’t even aware of?
That’s exactly what happened in a recent New York case regarding unsecured wi-fi internet connections and privacy rights.
In Buffalo, New York, police raided the house of a man because they suspected he was downloading child pornography. After viewing the man’s wi-fi internet activity, they believed that he might be responsible for the downloads, which were traceable to the user screen name “Doldrum”.
It turns out he wasn’t “Doldrum” at all. After further investigation, the police discovered that Doldrum was actually a neighbor who had been mooching download time off of the man’s unsecured wireless wi-fi. In this case, the man was found to be innocent. However, the police stated that the unfortunate situation might have been avoided if he had protected his internet connection with a password (which of course he didn’t).
On a much broader note, the Buffalo case does raise some very relevant issues regarding wi-fi usage and citizens’ privacy rights. That is, do the police have the right to obtain information from unsecured wi-fi internet activities? If you are using a neighbor’s unsecured internet connection (which is completely commonplace nowadays), who is responsible for activities such as illegal downloads? As this case illustrates, it can initially be difficult to tell who is responsible for what when it comes to openly shared and unsecured wireless wi-fi connections.

Copyright lawsuit targets owners of non-secure wireless networks
Failure to secure routers may let others download copyrighted content, Liberty Media contends
By Jaikumar Vijayan, Computerworld, February 06, 2012
A federal lawsuit filed in Massachusetts could test the question of whether individuals who leave their wireless networks unsecured can be held liable if someone uses the network to illegally download copyrighted content. The lawsuit was filed by Liberty Media Holdings LLC, a San Diego producer of adult content. The company has accused more than 50 Massachusetts people, both named and unnamed, of using BitTorrent file-sharing technology to illegally download and share a gay porn movie. According to the complaint, the illegal downloads and sharing were traced to IP addresses belonging to the individuals named in the complaint and to several John Does. The complaint alleges that each of the defendants either was directly responsible for downloading and sharing the movie or contributed to the piracy through their negligence.
Your Wi-Fi At Home:
  - Set a good password and use WPA2 (WPA only if the router can't do WPA2; never WEP, which is broken and recoverable in minutes).
  - Be sure to change the default administrator password (and username).
  - Change the default SSID. You can also disable SSID broadcast, but treat that as a speed bump: the network name is still visible to anyone running a wireless sniffer.
  - Turn off DHCP and set a fixed IP address range instead (again, a minor obstacle, not a security control).
  - Use MAC address filtering if you like, knowing that a MAC address is trivially cloned; none of these extras replace WPA2 with a strong passphrase.
  - When you're not using it, just turn it off.
  - Be sure to keep the firmware upgraded.
  - Change your passwords every so often.
  • Some tips on social media
  • Spreading the attack
One of the benefits of Facebook is the inherent trust of a network of friends. This trust also benefits cybercriminals, who can use one Facebook user as a starting point to reach out to multiple friends in order to ensure the spread of an attack. Here too, there are several common methods used:
1) Tricking users into sharing. This is pure social engineering: users are aware that they are liking or sharing a page, but are probably doing so under false pretenses. Users fall for scams promising free gift cards in exchange for a like or share. Alternatively they may post a hoax that they believe to be true, warning other users about a (nonexistent) virus or telling them the sad tale of a (nonexistent) abused child. In the Costco scam shown below, users must first click on “share” and then on “like” to get their “free gift card”.
2) Likejacking. In most likejacking attacks, Facebook users will be shown a video player after following some sensationalist link. The player may be functional, but the page will include scripts that use any mouse click to generate a like that will lead more friends to the video page. Users are therefore unaware that they have liked a page. Users clicking on a post about girls in bikinis would arrive at the video player shown below. Clicking on the play button starts a video but also results in a like being generated to their friends that will drive more users to the site.
3) Rogue applications. These apps are added by users who believe they will be providing worthwhile functionality, most often the ability to know who has viewed a user’s content. As part of the process of adding an app, users will give that app permission to access parts of their profile and, of course, post on their wall. This ability to post allows the rogue app to spread itself further within Facebook. The rogue app below is supposed to reveal who has been viewing your profile; as shown, users who click on “allow” will be giving the app permission to access their information and post on their wall.
Figures (source: Commtouch): a rogue app asking for permission to post on a user's wall; a site with a clickjacking script, where clicking the play button of the video player generates unwanted likes and shares while the advertising around the player generates revenue.
4) Malware and “self-XSS”. In these cases the user has unwittingly installed malware on their PC. This malware can then hijack their Facebook session for posts or any other activity. Traditional cross-site scripting (XSS) attacks rely on some hidden script within a webpage that hijacks a Facebook session. Self-XSS means that a malicious script was activated by the user (the “self”), giving another site access to the Facebook session. In these attacks, users are asked to enter a line of text directly into their browser address bars in order to see some “exciting” content. When users paste the text provided into their browser they are effectively telling their browser to act on their behalf and do whatever the script says; in most cases it will visit an external site (the “cross-site” of “cross-site scripting”) and then be told to post a wall post or an event invite. This perpetuates the attack as friends see the posts and follow them.

The attack goal
The user has been tricked with social engineering, the attack has been further spread using one of the techniques listed above, and now the cybercriminal must reap whatever reward they set out for. These may be divided into the following categories:
1) Fraudulent marketing affiliate/survey sites. Users are led to believe that completion of a questionnaire or a form will result in a free gift (iPhone, gift card, cap, etc.). Cybercriminals receive affiliate payments for driving these users to the sites with these offers. Users may be tricked into signing up for unwanted products or may simply be providing personal information that will later be used for identity theft. Legitimate businesses are often defrauded of their affiliate marketing budget by having them included in these pages.
2) Chain posts and hoaxes. Fake stories that did the email rounds many years ago are receiving a second life in the world of Facebook. Users like or share stories of abused children or devastating computer viruses without bothering to verify whether there is a shred of truth in the story. The aim here is the same as it was 10 years ago: pranksters having a laugh at the expense of unaware Internet users.
3) Other. A small percentage of attacks with very different goals, including:
a. Defacement, particularly the November attack that spread pornographic and violent images on many user walls. The aim of the attack seems to have been embarrassing Facebook.
b. Spreading malware, where the aim of the malware may not be exclusively limited to Facebook posts, i.e. malware that steals passwords or sends spam.
c. Collecting likes: attacks that resulted in enormous numbers of likes of a page (several hundred thousand in some cases) but with no clear further malicious purpose.
The vast majority (nearly 74%) of Facebook attacks in 2011 were designed to lead users to fraudulent marketing affiliate/survey sites. Surprisingly, chain posts and hoaxes accounted for nearly 20%.
  • 0.5% of Facebook users is 4 million people! Still a lot of people!
  • Transparency is lacking: far too often apps take more than you want them to. Right now the bad guys pay relatively little attention to mobile devices, but that is changing: a newly discovered malicious application circulating on third-party Android markets in China has created a botnet that contains more than 100,000 compromised devices, researchers report.
  • You might say to yourself, oh, we’re just a library, no one will come after us, we have nothing worth taking.
  • http://blog.lumension.com/4675/the-year-i-started-being-afraid/
The Year I Started Being Afraid
February 21st, 2012
I’ve been in IT since I was a kid. I was a real, stereotypical nerd. While other computer nerds were learning to program games, I turned up my nose at their childish efforts and learned database programming because at 12 I actually wanted to write accounting software. I know, I know, weird. Anyway, I say this to underline the fact that I’ve been in technology since PCs first came out, and business technology at that. When the Internet and Windows NT got big in the nineties I switched from development to security, so I’ve been there. But except for a brief period when I got my first constant connection to the Internet, I haven’t been afraid. I’ve respected the risks of the Internet and the danger from the bad guys on it, but I’ve never been paranoid like many of my other colleagues in infosec. I’ve always taken sensible measures, ran AV most of the time, kept my attack surface small and monitored my logs. And I’ve only had 2 security incidents over that time. I got the “Ethan Frome” Word virus, which was harmless, and after that my Windows 2000 based IIS web site suffered SQL injection once, which broke some drop down lists on the site.

Then Things Started to Change
So, I’ve always felt pretty safe with my informed, common sense approach. But last year that started to change. Part of it is because my business is growing. More people are on my network. More endpoints connect to my network. There’s more to protect. Part of it is the accelerating sophistication of bad guy technology. Malware is getting more sophisticated and beginning to outpace signature based detection. The bad guys’ work in content related vulnerabilities is outflanking us by going beyond the OS and penetrating us via PDFs, JPGs, Flash files, ad nauseam. But the biggest part, I think, is that the bad guy of the last few years is a new and different bad guy.
It used to be loosely organized nihilistic antisocial kids defacing web sites, sometimes for ostensibly social causes but sometimes for the pure nihilism of it. Or, in other instances, it was “security researchers” trying to make a name for themselves or their companies. And the scenarios I would describe in my security and audit classes were just that: theoretical scenarios about what could happen in theory. But when pressed for real examples and anecdotes, I usually came up short. It was more like “this is what could happen if we were in the middle of a Mission Impossible movie.”
But today, Mission Impossible scenarios are happening all the time. The biggest, most respected name in strong 2-factor authentication gets hacked. Then a major defense contractor apparently gets hacked as the fruits of the first attack. The bad guys are now financially and politically driven. What are more powerful motivators than that? What can gather greater resources and stimulus than money and power? Religion is the only thing I can think of. But money and power are more than enough for now.
So I’m now taking information security more seriously for my business than I ever have before. And while it’s tempting to think about my little datacenters out there exposed to the Internet 24/7 or the data in the few cloud services we use, what keeps me awake at night (well, I’m not really at the point of losing sleep, but let’s say if I did wake up at night and start thinking about the security of my business) is endpoints.

Time to Worry About Your Endpoints
Endpoints worry me. There are so many. They are so exposed. Endpoints process so much content directly from the Internet. And so intimately: a file server or a SharePoint site may store files from the Internet, but it’s on the endpoint where they are actually parsed and rendered. (To be accurate, and while not extremely common, SharePoint servers are getting pretty intimate with content today given how Visio, Access and Excel are actually parsed, rendered and manipulated by SharePoint, within SharePoint itself.) And the bad guys know this. The endpoint is the initial target of APTs.
At least I realize this. Too many folks in management, IT, infosec and Internal Audit still have the mainframe philosophy superimposed on servers: “all my data is on my server so I need to protect my server. Endpoints aren’t that important because that isn’t where the data resides.”
I’m preaching to the converted when I say “Wrong”, right? Let’s just put aside the reality that there is confidential, sensitive data out there on nearly every laptop, workstation and smartphone. Let’s just assume for a minute that no important data is on a given endpoint. Doesn’t matter. That laptop or other endpoint is still part of your trusted computing base and if it gets compromised, you’re in trouble. After all, I don’t think anyone believes the seed codes for SecurID tokens or anything else proprietary about SecurID technology was on the endpoint initially hacked at RSA when that poor employee opened the intriguing email about next year’s recruiting plan. But that’s where it started and we all know where it ended.
The security of your endpoints, of all our endpoints, is more than important: it’s critical. And I’m going to put some real effort into endpoint security this year. I hope you do too.
  • Libraries Are Targets

Chances are your library is now, or will be at some point, a target. Don't think you're safe just because you're a small library; when it comes to getting hacked, size doesn't matter. The average web-based application (small or large) is hit by some type of attack once every two minutes (says security firm Imperva, but anyone with access to web server logs will agree). Automated tools make it easy for bad guys to target everything and anything, regardless of what might be inside. These tools can easily scan thousands of sites looking for anything with a security hole (and we all have them). There's a seemingly infinite number of things they're after. They may want to host cracked software. They may want to send spam. They may be doing blackhat SEO. They may want your patrons' personal information. They may want to use your site as a way to get elsewhere. This is just a small fraction of what they can do with little time or effort.
  • A conclusion reinforced by evidence accrued in the aforementioned Verizon report and the following summation by Marc Spitler, a Verizon security analyst: "Very often, the companies breached had no firewalls, had ports open to the Internet or used default or easily guessable passwords." In other words, easy-to-find, easy-to-learn and easy-to-exploit weak passwords. Victims were not ‘chosen’ because they were large, important or had financial data. They were simply the easiest targets.

“Every year that we study threat actions leading to data breaches, the story is the same; most victims aren’t overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them.”

And here’s the same thing in different wording:

“The latest round of evidence leads us to the same conclusion as before: your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old.”

And of course, I like this one because it highlights Automated Vulnerability Assessment:

“SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion. It is no secret that attackers are moving up the stack and targeting the application layer. Why don’t our defenses follow suit? As with everything else, put out the fires first: even lightweight web application scanning and testing would have found many of the problems that led to major breaches in the past year.”

Basically, your organization already has the security solution that it needs; you’re just not using it.
  • As you’ve now seen, it takes very, very little skill to be a bad guy these days.
  • Why Security Is Hard

Though it is easy (that is, so many of the holes we miss are easy to fill), it’s hard to get it all right. IT security isn't always easy. When it comes to securing your IT resources it's very easy to make a mistake, or overlook something small. In every library it feels like there are a million things to worry about. It's NOT only the fools who are getting hacked, it's everyone and anyone. The best of us miss things and make mistakes that can lead to security breaches. Most libraries don't have the money, time, or people to secure even the small number of resources they have. Larger libraries may be able to afford to spend more time/money on security, but then they also have more things to secure. Unfortunately, security doesn't scale up very easily. This doesn't mean you should give up and hope for the best! Everyone in your library has some small part to play in keeping things secure. We can talk all day about how we should integrate security into our daily routine more, and how vendors need to simplify, consolidate, and improve functionality. But in the end those problems are every bit as hard as everything else I'm talking about and won't be solved anytime soon. Especially since the economics of security aren't overly favorable: the costs are very low for the bad guys, and very high for those of us trying to make things more secure.

The malware your computers are subject to now is very sophisticated. It's highly evolved and many times will be able to run totally undetected. It has automated installers, updaters, and a sophisticated command and control center that puts every infected machine to good use. It's easy for the writers of these tools to stay one step ahead of those who work to keep us safe. It's very easy for your computers to spy on your users, or become part of a botnet used to cause trouble anywhere in the world.
  • Force Attacker Perfection

I will fully admit that I sometimes find myself parroting standard industry tropes. For example, I can’t recall how many times I’ve said in presentations and interviews:

The defender needs to be perfect all the time. The attacker only needs to succeed once.

And yes, it’s totally true. But we spend so much time harping on it that we forget how we can turn that same dynamic to our advantage.

If all the attacker cares about is getting in once, that’s true. If we only focus on stopping that first attack, it’s still true. But what if we shift our goal to detection and containment? Then we open up some opportunities.

As defenders, the more barriers and monitors we put in place, the more we demand perfection from attackers. Look at all those great heist movies like Ocean’s 11 – the thieves have to pass all sorts of hurdles on the way in, while inside, and on the way out to get away with the loot.

We can do the same thing with compartmentalization and extensive alert-based monitoring. More monitored internal barriers are more things an attacker needs to slip past to win. Technically it’s defense in depth, but we all know that term has turned into an excuse to buy more useless crap, mostly on the perimeter, as opposed to increasing internal barriers.

I am not saying it’s easy. Especially since you need alert-based monitors so you aren’t looking at everything by hand. And let’s be honest – although a SIEM is supposed to fill this role (at least the alerting one) almost no one can get SIEM to work that way without spending more than they wasted on their 7-year ERP project. But I’m an analyst so I get to spout out general philosophical stuff from time to time in hopes of inspiring new ideas. (Or annoy you with my mendacity).

Stop wishing for new black boxes. Just drop more barriers, with more monitoring, creating more places for attackers to trip up.

—Rich
  • If firewalls worked, that list of major data breaches wouldn’t exist.
  • http://www.wired.com/wiredenterprise/2012/03/antivirus/

Jeremiah Grossman is the kind of guy you’d expect to be super paranoid when it comes to computer security. He was on the front lines at Yahoo more than a decade ago when a hacker named MafiaBoy was abusing the site with DDoS attacks. Now Chief Technology Officer at security consultancy White Hat Security, Grossman spends his time fighting web intruders for his company’s clients.

When it comes to computer security, he’s paranoid — and for good reason. He’s seen what the bad guys can do. But when he met with Wired at the RSA Conference in San Francisco this week, he said something surprising: He doesn’t use antivirus software.

As it turns out, many of his security-minded peers don’t use it either. The reason: If someone is going to try and attack them, they’re likely to use a new technique, one that most antivirus products will miss. “If you asked the average security expert whether they use antivirus or not,” Grossman says, “a significant proportion of them do not.”

Dan Guido, the CEO of security startup Trail of Bits, also doesn’t use AV. Some security pros use it because they’re in regulated industries, or because they work with customers who require it. “If it weren’t for that,” he says, “almost nobody in the security industry would run it.”

It’s a story we heard again and again at RSA this week. The pros are generally smart enough to avoid the things that will get them hacked — visiting malicious websites or opening documents from untrusted sources. But even if they get fooled, the odds of their antivirus software catching it are pretty low. But many of these pros also believe that antivirus isn’t always that useful to the average business either. “Ten years ago if you were to ask someone the question, ‘Do you need antivirus?’ the overwhelming response would be, ‘Absolutely, my entire security strategy is based on endpoint antivirus,’” says Paul Carugati, a security architect with Motorola Solutions.
“Today … I don’t want to downplay the need for it, but it has certainly lost its effectiveness.”

The problem is that most criminals are smart enough to test their attacks against popular antivirus products. There’s even a free website called Virus Total that lets you see whether any of the most popular malware scanning engines will spot your Trojan program or virus. So when new attacks pop up on the internet, it’s common for them to completely evade antivirus detection.

Consumers and small businesses can get good antivirus software for free, but do businesses even need antivirus software?

You Do and You Don’t

The short answer is: yes they do. Most companies can’t just drop AV. First of all, it’s a line of defense protecting employees who do the stupid things that the security experts tell us to avoid: clicking on dubious attachments, visiting untrustworthy websites. Second, companies often must have desktop security software to meet industry regulations, such as the Payment Card Industry (PCI) Data Security Standard. Those folks simply have no choice but to pay the Symantecs and McAfees of the world.

But according to some, businesses should probably spend less on antivirus and other security software. Much of the money they’re spending is better spent somewhere else, such as analyzing the mountains of data logged by software on computer networks for signs of attack. “Save that money,” says Andy Ellis, Chief Security Officer with Akamai, a company that helps websites deliver content on the internet. “Do your own log analysis because that is what’s going to catch the problems.”

White Hat’s Grossman agrees. “I think we overspend on the wrong security products,” he says. “Particularly antivirus. I think we overspend on firewalls and antivirus.”

Corporations do spend a lot of money on antivirus and firewalls. Research firm Gartner pegs the corporate desktop security software market at $3.4 billion worldwide.
Consumers will spend even more — nearly $5 billion — on antivirus this year. Biggest of all, though, is the $6.5 billion firewall market.

Gartner analyst Ruggero Contu doesn’t quite buy the argument that companies are spending too much money on antivirus. According to him, the antivirus vendors have been doing a good job lately of beefing up their products and delivering new features beyond basic malware protection, adding features to encrypt files on disk and prevent data from leaking out. “Not to have malware protection would be foolish,” he says.

But spending money on learning how attackers are working, and changing your business to thwart common attack techniques, may be a better investment. “We need to be smart, we need to be more agile,” says Motorola’s Carugati. “My biggest concern right now and one of the things we’re focusing on is information sharing.” That means figuring out from his peers what attacks are really happening, and working out ways to stop them. Dan Guido describes it as going “offensive on security.” Figure out who is likely to attack you — hacktivists, online banking thieves, so-called advanced persistent threat groups — and make sure that you can stop the known attacks that these people use. “You need to attack the system that they have developed to take advantage of your flaws,” he says. “That’s the name of the game.”

Mark Patterson learned that lesson the hard way back in 2009. That’s when hackers managed to install a variant of the widely used Zeus Trojan horse program on his construction company’s computers and steal the username and password to his corporate bank account. Over the next eight days, the criminals moved more than half a million dollars out of his account. Some of that cash was recovered, but at the end of the day, about $345,000 went overseas and is gone forever. To make matters worse, Patterson’s bank, Ocean Bank, says he’s responsible for the theft.
(Patterson sued; last year, a court sided with the bank, but the case is being appealed.)

Patterson said his company, Patco, had “good AV” at the time of the attack, but nevertheless it missed the password-stealing Trojan. Now, two years later, he’s taken an inexpensive step that every small business should take to prevent his company from becoming victim to this type of fraud: He’s told his bank to give him a call before it authorizes any big money transfers.

Patco still uses antivirus, but as Patterson puts it: “I think an AV is worth the investment,” he says. “I just would not rely on it as my protection for those transactions.”
  • Don’t worry about Anonymous or APT Agents, worry about bots and scanners, automated tools that look for easy targets. By doing SOMETHING, by doing ANYTHING you’ll be ahead of the game. Make sure you pull down all the low hanging fruit those automated scans are looking for.
  • Your website and OPAC

A web environment has four layers that need protection: the Network level, the Application level, the Operating System level and the Database level. Most people think of these layers as being one within the other, like concentric circles. They reason that if they protect the outermost level, the inner levels are automatically protected.

    • Enforce good passwords
    • Keep things patched
    • Use a good IDS
  • PACs give me the same feeling I get when I go into a hospital. I assume they are covered with flesh-eating bacteria or MRSA or something awful.
  • There are ways around ANYTHING and EVERYTHING you have installed on your PACs
  • All these pieces add up—a great lesson to teach people who don’t tend to think outside of their little niche in the organisation. “When you’re thinking with a hacker mindset, the takeaway you get is there’s a little issue here, and there, and over there, and that a+b+c adds up,” Cheyne said.
  • Parents look at things differently. I have a three year old at home. A simple wall outlet looks like an electric chair to me.
  • http://h30565.www3.hp.com/t5/UK-Articles/Teaching-Security-to-the-Ungeeky-Instilling-a-Hacker-s-Mindset/ba-p/3279

There’s a combination lock on the PowerPoint slide. That’s it: no words, just the picture of a Master Lock brand padlock.

Most nontechnical people in a security training class see such a sturdy-seeming lock and assume it’ll safeguard their stuff. If they lose the combination to one of these locks, most nontechnical people also assume they’ll have to resort to bolt cutters and buy a new lock.

How otherwise? Theoretically, there should be 64,000 potential combinations for each lock. But as security-minded people may know, there are in fact only 100, due to a simple mechanical weakness. Those who are familiar with techniques to crack a Master Lock can do so in minutes.

It’s a simple, real-world analogy. Nontechnical people don’t recognise streams of code that allow SQL injection, but most do recognise this lock. And with this type of simple, easy-to-grasp analogy of an information security flaw, Rob Cheyne begins to teach the nontechnical how to think like a hacker.
  • Funny thing happened on the way to that last slide: I caught a virus searching for pictures of battle axes!
  • This was my welcome email from a professional organization I joined last year. They assigned all new members a sequential number and set their password to their last name. I was able to log in to the next 10 new members' accounts.
  • There is simply too much malware out there to be strictly focused on keeping your users infection free. They would become the modern corporate equivalent of “bubble people” whereby they can only interact with the world from a sterile environment. It’s impractical, and frankly impossible when you look at how business operates. Instead, you provide them with hand-washing education, the basics of how infection works, and rounds of anti-viral and antibiotic remedies when they do catch the common cold. Assume your users will get infected, but don’t assume infection means loss.

Integrating Security For Patrons

Information literacy!

Your patrons don't care much for security. They just want to get some work done. Or worse, they are actively trying to break it. This is why it's important to build security in, make it a part of everything from the start. Security needs to be an integrated process in everything your library does, and everyone needs to play a part. Sometimes your security policies will get in the way. Of course this will make people angry. Your users don’t want to be saved. They want to do what they want to do, when they want to do it. Somehow you'll need to define a set of acceptable behaviors and then put the hammer down on everything else. Do you allow everyone to install anything on their workstations? Companies are essentially split on whether to allow users to install applications -- 51 percent yes, 49 percent no, according to a survey of 765 professionals by security vendor Bit9. Do you block access to Flash and PDFs (frequently attacked programs)? Probably not, even though they are both a very common attack vector. Do you switch to a different PDF reader with fewer features that may be more secure? Perhaps. This is just one decision, among many, that should be made at the policy level to help make things safer. Look for ways to make things safer that interfere with people's everyday tasks as little as possible.
People will always find a way around policies if those policies get in the way.
  • Can you use something like this in your library?
  • Things to watch for on a webserver.
  • May 2, 2012, 1:59PM

Nine Percent of Websites May be Malicious

by Brian Donohue

Just fewer than 10 percent of websites serve some sort of malicious purpose, with an additional nine percent of sites being characterized as “suspicious” by Zscaler in a new research report.

Zscaler ran 27,000 website URLs through a tool they developed to assess the security of websites and give them a score from zero to 100. Nearly 81 percent of sites scored between zero and 49 (benign). 9.5 percent scored between 50 and 74 percent (suspicious) and another 9.5 percent scored somewhere between 75 and 100 (malicious), according to the company's State of the Web Report.

The report also indicates that outdated plug-ins and the users that refuse to update them continue to be a serious but improving problem in the enterprise. Zscaler cites the Flashback outbreak, which exploited known Java vulnerabilities, as anecdotal evidence of this. The report shows that more than 60 percent of Adobe Reader users are running an outdated version of that software. Adobe Shockwave came in second, with 35 percent of users running an outdated version. Java came in fourth, with only five percent of users running an outdated version.

It appears also that enterprises are increasing their efforts to block employees from visiting social networking sites.
When the quarter opened, social networks only accounted for 2.5 percent of policy blocks; by the end of the quarter, that statistic had increased to four percent.

Some other interesting info-morsels include Zscaler’s findings that Apple devices are becoming more prevalent in the work place as Android and BlackBerry devices become less prevalent. Facebook’s share of Web 2.0 traffic is down slightly from 43 percent in Q4 2011 to 41 percent in Q1 2012. On the other side, Twitter saw its share of such traffic increase over the same period from five percent to seven percent. Zscaler claims that the drop in Facebook’s traffic share is due to corporate policies that are increasingly blocking employee access to that social network while remaining noticeably less concerned about employee access to Twitter. Zscaler also believes that Twitter’s traffic-share increase may suggest that the service is being more widely adopted for use in the enterprise.

Sports and gambling sites generally see a spike in traffic in Q1 that can very likely be attributed to events like the NFL playoffs, Super Bowl, and March Madness in America and the International Cricket Council's Cricket World Cup in places like India and Australia. This year, those sites’ traffic increased a dramatic 74 percent.
  • Keep those things updated!!!

Does this mean WP and Drupal are insecure? NO. They really set the standard for how they respond to security troubles. They have a team to work on security, and ways to announce fixes. They are attacked frequently because they are so popular. So the point here is: WP and Drupal ARE INSECURE IF YOU DON'T KEEP THEM PATCHED.

Security Depends on Your Paying Attention
  • So WHY are those bad guys coming after your web site? It’s Easy!

    • Using Google, et al. to find you
    • SEO
    • Malware
    • Phishing
    • DDoS
    • Spam
  • Common attack vectors.
  • The story of how I found out one of my hosted sites was hacked.
  • Mod_sec is a great idea to run!
  • Also tied into my firewall with CSF.
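The "watch your webserver" and "mod_security tied into CSF" notes above describe one piece of log analysis: count the ModSecurity denials Apache writes to its error log per client, and hand repeat offenders to the firewall. This is an added example (not the talk's, ModSecurity's or CSF's code) of that counting in Python; the log lines, rule ids, threshold and the Apache 2.2 error_log layout are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not a real capture) in the Apache 2.2 error_log
# layout that ModSecurity 2.x uses; Apache 2.4 prefixes lines differently.
# Client IPs are documentation ranges; rule ids and messages are illustrative.
LOG_LINES = [
    '[Wed Jun 06 13:01:02 2012] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union select" at ARGS:q. [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "opac.example.org"] [uri "/catalog.php"]',
    '[Wed Jun 06 13:01:03 2012] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "../" at REQUEST_URI. [id "950103"] [msg "Path Traversal Attack"] [severity "CRITICAL"] [hostname "opac.example.org"] [uri "/catalog.php"]',
    '[Wed Jun 06 13:01:05 2012] [error] [client 198.51.100.9] File does not exist: /var/www/html/favicon.ico',
    '[Wed Jun 06 13:01:06 2012] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union select" at ARGS:q. [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "opac.example.org"] [uri "/catalog.php"]',
    '[Wed Jun 06 13:01:08 2012] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "wget " at ARGS:cmd. [id "950907"] [msg "System Command Injection"] [severity "CRITICAL"] [hostname "opac.example.org"] [uri "/search.php"]',
    '[Wed Jun 06 13:01:09 2012] [error] [client 203.0.113.7] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "opac.example.org"] [uri "/"]',
    '[Wed Jun 06 13:02:31 2012] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "wget " at ARGS:cmd. [id "950907"] [msg "System Command Injection"] [severity "CRITICAL"] [hostname "opac.example.org"] [uri "/search.php"]',
    '[Wed Jun 06 13:03:00 2012] [error] [client 192.0.2.44] ModSecurity: Access denied with code 403 (phase 2). Pattern match "../" at REQUEST_URI. [id "950103"] [msg "Path Traversal Attack"] [severity "CRITICAL"] [hostname "www.example.org"] [uri "/wp-content/"]',
]

# Prefix of an Apache 2.2 error line followed by the ModSecurity verdict.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] '
    r'ModSecurity: (?P<action>Access denied|Warning)\b(?P<rest>.*)$'
)
# ModSecurity appends [key "value"] tags; these are the ones worth keeping.
TAG_RE = re.compile(r'\[(?P<key>id|msg|severity|hostname|uri) "(?P<val>[^"]*)"\]')


def parse_modsec_events(lines):
    """Return one dict per ModSecurity line; ordinary Apache errors are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # e.g. "File does not exist" is not a ModSecurity event
        event = {
            "time": m.group("ts"),
            "client": m.group("ip"),
            # "Warning" means the rule matched but the request was allowed through
            "denied": m.group("action") == "Access denied",
        }
        event.update(dict(TAG_RE.findall(m.group("rest"))))
        events.append(event)
    return events


def denied_counts(events):
    """Blocked requests per client; warnings do not count toward a ban."""
    return Counter(ev["client"] for ev in events if ev["denied"])


def clients_to_block(events, threshold):
    """Clients with at least `threshold` denials: the hand-off point to the
    firewall, which is what tying mod_security into CSF automates."""
    return sorted(ip for ip, n in denied_counts(events).items() if n >= threshold)


def rules_triggered(events):
    """Map rule id -> (msg, hit count); a single rule dominating the counts
    usually means either one determined scanner or a rule that needs tuning."""
    out = {}
    for ev in events:
        rid = ev.get("id", "unknown")
        msg, n = out.get(rid, (ev.get("msg", ""), 0))
        out[rid] = (msg, n + 1)
    return out


if __name__ == "__main__":
    evs = parse_modsec_events(LOG_LINES)
    print("denials per client:", dict(denied_counts(evs)))
    print("block candidates at threshold 4:", clients_to_block(evs, 4))
    for rid, (msg, n) in sorted(rules_triggered(evs).items()):
        print(f"rule {rid} ({msg}): {n} hit(s)")
```

On a live server the same functions would read the rotating error_log rather than the constructed list; the threshold is a local policy choice, not a value taken from CSF or ModSecurity.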
  • Security myths (and the articles that answer them)
    • You have nothing important to steal – 'Steal everything' era of hacking
    • Having antivirus software makes you completely safe – Online security doesn't exist and/or No Software Is 100% Fault Free And That Includes Antivirus Programs; “Your antivirus software is a seat belt – not a force field.” - Alfred Huger
    • Using Mac/Linux makes you safe – OSX Security Myths
    • Patches and updates make things worse and break them – Test shows how vulnerable unpatched Windows is
    • You can look at a site and know it's safe and not serving bad stuff – Put that website down, you don’t know where it’s been! also, How To Check If A Site Is Safe
    • Using a firewall makes you safe – The Three Myths of Firewalls
    • Complex, frequently changed passwords make you safe – How are passwords stolen?
    • Avoiding IE makes me safe – Internet Explorer is most secure browser for malware
    • If an email comes from a familiar face it's ok – What Is Spearfishing?
    • If a link comes from a friend on Facebook/Twitter it's safe – Facebook Worm Refuses to Die
    • If I just click a link it's ok
    • Only porn, gambling, and other “sketchy” sites are dangerous – Mass Infection Of WP Sites
    • Only naive users get infected with malware and viruses
    • You can only get infected if you download files – Drive By Download
    • If I'm compromised I will know it – How We Interpret Antivirus Lab Tests; also... Opening the email that was used to hack RSA
    • Infections come from email
    • P2P and torrents are safe
    • Hardware can't spread or come preinfected with malware – Pre-infected hardware and software ships to the US
    • If I never log off / restart I can't get infected
    • And finally... I'm too smart to get infected... Yes, you and me both!
  • Published on InfoWorld (http://www.infoworld.com)

5 big security mistakes you're probably making
By Roger A. Grimes
Created 2012-03-13 03:00AM

How vulnerable are most companies to hacking? So vulnerable that hackers claim they can point their systems at pretty much any target and be guaranteed of breaking in fairly quickly. Most run-of-the-mill vulnerability testers I know can break into a company in a few hours or less. It must be child's play for professional criminals.

It doesn't have to be this way. The problem is that most IT admins are making the same huge mistakes over and over.

Security mistake No. 1: Assuming that patching is good enough

Every company I've ever audited tells me it has patching under control. What the company means is that the operating systems running on most of its computers have been patched. The most popular and most attacked applications? Not so much.

For example, when I find an Apache Web server running [4], it's never fully patched. If the computer has Adobe Acrobat Reader, Adobe Flash, or Java [5], the same is true. They're almost never patched. It's not a coincidence that they're also the most successfully exploited applications. This huge disconnect has been true for years.

IT admins think they have patching under control because they bought a comprehensive patching program, assigned someone to oversee it, got better patching than before, and checked it off their to-do list.
Never mind that the patching was never perfect, never patched all computers, and didn't patch every piece of vulnerable software. Somehow all that was glossed over and quickly forgotten.

On top of that, many departments won't patch many of the applications they want to patch because of real (or perceived) application compatibility problems. For example, they update Java one day, hear that it caused some random error to appear in one department's application, and by default are forbidden to update Java -- forever. Or they have to keep a bazillion versions of Java around because updating it could possibly cause problems.

Years pass while most computers aren't fully patched. Management goes along happily thinking that the patching problem is solved, whereas it's just as bad as ever. Hackers have a field day.

Security mistake No. 2: Failing to understand what apps are running

Most IT departments have no clue about the programs running on their computers. New computers come preloaded with dozens of utilities and programs the user doesn't need, then users routinely add more. It's not unusual for a normal PC to be running hundreds of programs and utilities at startup.

How can you manage what you don't even know you have? Lots of these programs have huge, known vulnerabilities or vendor-implemented backdoors that anyone can take advantage of. If you want to secure your environment, you have to inventory what programs are running, get rid of what you don't need, and secure the rest.

Security mistake No. 3: Overlooking the anomalies

Although hackers can break in without being detected, it's hard for them to hack away without doing something anomalous. Hackers need to explore the network, connecting from one computer to other computers that never talk to each other. Basically, hackers perform tasks that regular end-users would almost never do.

Most IT admins do not have good baselines about what activities and activity levels are expected and normal.
If you don't define what is normal, how can you detect the abnormal and send an alert? The Verizon Data Breach Investigations Report [6] says year after year that almost every data breach would have been detected or prevented if the victims had implemented the controls they should have had in place all along.

Security mistake No. 4: Neglecting to ride herd on password policy

We all know that passwords should be strong (long and complex) and changed frequently. Every admin I talk to says their passwords are strong. But whenever I check, they aren't. Well, they might be strong in some areas, but in the places they really count, like enterprisewide service accounts, domain-wide accounts, and other super-user accounts, they are weak.

I've got an axiom: The more powerful the account, the weaker the password will be [7] and the less likely it will ever be to be changed. Wanna find out how strong your password policy really is? Run a query to see how many days it's been since the last password change. I guarantee you'll find accounts that have gone without a password change for thousands of days.

Security mistake No. 5: Failing to educate users about the latest threats

This one befuddles me the most. We say end-users are our weakest links [8], but then we don't educate them about the latest threats. Regarding latest threats, I mean the big majority of attacks for the last five years. Most end-users are incredibly educated about email file attachment attacks -- you know, the attacks that used to be popular 10 years ago.

But ask end-users if they realize they are most likely to be infected by a website that they know, trust, and visit every day -- and you'll hear crickets. Most end-users have no idea about malicious ads on their favorite website or the fact that popular Internet search engines may get them infected. They don't know that the cute little app being pushed their way by a friend in Facebook is most likely malicious.
They don't know the difference between their antivirus software and the fake one that just popped up a window on the screen. They don't know because we don't teach them.

These five weaknesses are far from new. They've been around for over two decades. What I'm constantly surprised by is the complacency. They have checked off the item and are moving on to bigger tasks -- when in fact, their environment may be very broken. All they would have to do is ask a few questions or run a few queries.

To all those IT admins who realize this stuff is broken, I salute you. At least you know. That's the first step. You're ahead of the game.

This story, "5 big security mistakes you're probably making [9]," was originally published at InfoWorld.com [10]. Keep up on the latest developments in network security [11] and read more of Roger Grimes's Security Adviser blog [12] at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter [13].

Source URL (retrieved on 2012-03-13 11:19AM): http://www.infoworld.com/d/security/5-big-security-mistakes-youre-probably-making-188517

Links:
[1] http://www.infoworld.com/d/security/download-infoworlds-malware-deep-dive-report-186438?source=ifwelg_fssr
[2] http://www.infoworld.com/d/security-central/watch-the-shop-talk-video-fighting-todays-malware-923?source=ifwelg_fssr
[3] http://www.infoworld.com/newsletters/subscribe?showlist=infoworld_sec_rpt&source=ifwelg_fssr
[4] http://www.infoworld.com/d/security/lesson-apache-flaw-test-everything-175566
[5] http://www.infoworld.com/d/security/old-java-versions-breed-new-security-exploits-178980
[6] http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
[7] http://www.infoworld.com/d/security/doomed-default-passwords-180214
[8] http://www.infoworld.com/d/security-central/putting-limits-users-privileges-290
[9]
http://www.infoworld.com/d/security/5-big-security-mistakes-youre-probably-making-188517?source=footer
[10] http://www.infoworld.com/?source=footer
[11] http://www.infoworld.com/d/security?source=footer
[12] http://www.infoworld.com/d/security/d/security/blogs?source=footer
[13] http://twitter.com/infoworld

NCompass Live: IT Security for Libraries - Presentation Transcript

  • However, there is one kind of crime which may exist in the future - computer crime. Instead of mugging people in the streets or robbing houses, tomorrow's criminal may try to steal money from banks and other organizations by using a computer. … it is very difficult to carry out a successful robbery by computer. Many computers have secret codes to prevent anyone but their owners from operating them. As computers are used more and more, it is likely that computer crime will become increasingly difficult to carry out.

From the 1981 book, School, Work and Play (World of Tomorrow)
  • IT Security For Libraries. Blake Carver – blake@lishost.org, http://lisnews.org/security/ (Intro)
  • "Security is two different things: it's a feeling, it's a reality." Bruce Schneier – TEDxPSU
  • Criminals • Activists • Government Agents
  • Where Are They Working? • Social Networks • Web Sites • Search Engines • Web Servers • Advertising • Home Computers • Mobile Devices • Email
  • What Are They Doing? Man In The Middle Attacks, Trojans, Privilege Escalations, DNS Changes, Arbitrary File Downloads, Cross Site Request Forgery, Heap Overflows, Remote Stack Buffer Overflow, Worms, Blended Threats, Malvertising, Arbitrary Command Execution, Address Bar Spoofing, Crimevertising, File Overwrite, Keyloggers, Format Strings, Malware, Shell Uploads, Spyware, Local Stack Buffer Overflow, Advanced Persistent Threats, Data Exfiltration, Data Aggregation Attacks, Code Injections, Remote Code Execution, Scareware, Information Disclosures, SQL Injections, Denial Of Service, Array / Integer Overflows, Stack Pointer Underflow, Null Byte Injection, Backdoors, Trojan-Downloaders, Cross Site Scripting, HTTP Parameter Pollution, Viruses, Cookie Disclosures, Forced Tweet, Local File Inclusions, Rootkits, Man In The Browser Attacks, Adware, Remote Code Injection, DNS Poisoning, Buffer Overflows, Directory Traversals, Open Redirection, Remote Command Executions, Frankenmalware
  • What Are They Using? lethic, s_torpig, darkmailer, FakeCheck, Dofoil, Phoenix, Sefnit, Rimecud, Incognito, SpyEye, CoinMiner, ClickPotato, Zwangi, FakeRean, Bleeding Life, Hotbar, RedKit, Citadel, Siberia, fivetoone, Ramnit, Conedex, Cycbot, Eleonore, Alureon, IRCBot, ZeuS, Blacole, Camec, GameVance, Sirefef, SEO Sploit, SpyZeus, Poison, Intoxicated, Onescan, FineTop, Taterf, MSIL, bobax, Conficker, grum, OpenCandy, Sality, SideTab, CrimePack, PlayBryte, cutwail, Pdfjsc, sendsafe, gheg, maazben
  • Malware Incorporated • Matured, diversified and dangerous • Hard to reach • They conduct business anonymously
  • Examples (thanks to Brian Krebs for sharing screenshots: krebsonsecurity.com, and to Dr. Mark Vriesenga, BAE Systems)
  • What Are They After? • PINs • Usernames • Passwords • Contact Lists • Credit Cards • Emails • Bank Accounts • Phone Numbers • Computers
  • Personal information is the currency of the underground economy
  • The Era Of Steal Everything
  • There is no such thing as a secure computer
  • Passwords • Staying Safe – Desktops & Laptops – Email – Browsers – Wi-Fi – Social Media – Mobile Devices • Security In Libraries – Biggest Mistakes – Practical Policies • Server Side Security (Next: Passwords)
  • Passwords: Reuse • Weak Passwords
  • Passwords Are Like Bubblegum... • Best when fresh • Should be used once • Should not be shared • Make a mess when left lying around • Easy to steal (NativeIntelligence.com)
  • What Have We Learned From Breaches? 1. Passwords are reused 2. Passwords are weak
  • What Makes a Good Password? 1. Uniqueness 2. Complexity 3. Length 4. Strength 5. Memorableness
  • World's Best Password Policy! Passwords must:
    – Be at least 32 characters in length
    – Contain all of the following 4 character types: uppercase letters (ABCDEFGHIJKLMNOPQRSTUVWXYZ), lowercase letters (abcdefghijklmnopqrstuvwxyz), symbols (,./'~<?;:"[]{}|!@#$%^&*()_=-+), numbers (0123456789)
    – Not be similar to or contain any portion of your name or login name
    – Not contain English words that are longer than 4 letters
    – Not begin or end with a number
    – Not be the same as any of the previous 78 passwords in the password history
    – Be changed at least once every 12 days
    – NOT use a sequence of keys on the keyboard, such as QWERTY or 12345
    – NOT use information about yourself, family members, friends or pets. This includes (in whole or in part) names, birthdates, nicknames, addresses, phone numbers
    – NOT use words associated with your occupation or hobbies
    – NOT use words associated with popular culture, such as song titles, names of sports teams, etc.
    – NOT be reused for multiple accounts
  • O9q[#*FjJ9kds7HJ&^4&!@&$#s(6@G
  • Simple Things Make a Strong Password • Some letters – UPPER and lower case • Maybe some numbers • Maybe something else (*%$@!-+=) 1. DO make it as l o n g as you can 2. Do NOT reuse it on multiple sites
  • Assume Your Password Will Be Stolen
  • What Makes a Bad Password • Default passwords • Dictionary and common words • Predictable patterns • Passwords from password lists • Obvious personal details
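A small checker, added here as an illustration and not part of Carver's slides, that puts numbers on the "make it as long as you can" advice and flags the five kinds of bad password just listed. The word lists and the personal details it uses are constructed stand-ins for this example; a real checker would load a vendor-default list and a breach list. The entropy figure assumes every character was picked uniformly from its alphabet, which is an upper bound, so a high number is not by itself a clean bill of health.

```python
import math
import re

# Constructed stand-ins for the lists a real checker would load from disk:
# vendor default passwords, words harvested from breach dumps, and common words.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "letmein", "welcome", "changeme"}
PASSWORD_LIST = {"qwerty123", "iloveyou", "trustno1", "baseball", "football"}
COMMON_WORDS = {"library", "summer", "monkey", "dragon", "password", "welcome"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "98765", "abcdef")
SYMBOLS = 33  # printable ASCII characters that are neither letters nor digits


def charset_size(pw):
    """Size of the smallest obvious alphabet the password draws from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += SYMBOLS
    return size


def entropy_bits(pw):
    """Guessing entropy if every character were chosen uniformly from the alphabet.
    This is an upper bound: human-chosen passwords are far more predictable."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def problems(pw, personal=()):
    """Return the reasons a password is bad, following the slide's five categories."""
    low = pw.lower()
    core = re.sub(r"[^a-z]", "", low)  # letters only, so 'Library2012!' is still 'library'
    found = []
    if low in DEFAULT_PASSWORDS:
        found.append("default password")
    if low in PASSWORD_LIST:
        found.append("appears in a password list")
    if core in COMMON_WORDS:
        found.append("built on a dictionary/common word")
    if any(run in low for run in KEYBOARD_RUNS):
        found.append("keyboard sequence")
    if re.fullmatch(r"[A-Za-z]+\d{1,4}[^A-Za-z0-9]?", pw):
        found.append("predictable pattern: word + digits (+ symbol)")
    if re.fullmatch(r"(.)\1*", pw):
        found.append("single repeated character")
    for detail in personal:
        if detail and detail.lower() in low:
            found.append("contains personal detail: " + detail)
    if len(pw) < 12:
        found.append("shorter than 12 characters")
    return found


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "Library2012!", "admin", "correct horse battery staple"):
        print(f"{pw!r:34} {entropy_bits(pw):6.1f} bits  {problems(pw, personal=('Carver',))}")
```

Note that `Library2012!` satisfies every "complexity" rule and scores about 79 bits under the uniform assumption, yet it is flagged three ways, while the 28-character lowercase passphrase scores higher and is flagged for nothing. Length is doing the work.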
  • Should You Change Your Passwords Every X Months? • Email? • Bank account? • Network? • Server? • Router? • Facebook & Twitter? • Library web site? • LISNews?
  • What Can Sysadmins Do? • Don't allow brute-forcing (throttle or lock out repeated failures) • Salt and hash passwords with a slow hash (hash, not reversible encryption) • Allow long passwords • Allow large character sets
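What those four bullets look like in code. This is an added example, not code from the presentation or from LISHost: each password is salted and hashed with PBKDF2-HMAC-SHA256, verified with a constant-time comparison, accepted at any length and in any character set, and an account is locked after repeated failures so an online brute-force attempt gets cut off. The iteration count, failure threshold and window are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Assumptions for this example: PBKDF2-HMAC-SHA256, a 16-byte random salt per user,
# and a lockout after MAX_FAILURES failed logins within WINDOW_SECONDS.
ITERATIONS = 200_000
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60


def hash_password(password, salt=None):
    """Salt and hash. Nothing reversible is stored, so a dumped table yields no passwords.
    Any length and any Unicode character is accepted (UTF-8 encoded before hashing)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# A record for a user that does not exist, so unknown names cost the same time as real ones.
DUMMY_RECORD = hash_password("not a real account")


class LoginGuard:
    """Counts recent failures per account and refuses further tries once the limit is hit."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so a test can move time forward
        self.failures = {}          # username -> timestamps of recent failures

    def locked(self, user):
        now = self.clock()
        recent = [t for t in self.failures.get(user, []) if now - t < WINDOW_SECONDS]
        self.failures[user] = recent
        return len(recent) >= MAX_FAILURES

    def attempt(self, user, password, records):
        """Return 'ok', 'denied' or 'locked'. `records` maps username -> stored record."""
        if self.locked(user):
            return "locked"          # no hash computed: the attacker gets no oracle
        record = records.get(user, DUMMY_RECORD)
        ok = verify_password(password, record) and user in records
        if ok:
            self.failures.pop(user, None)
            return "ok"
        self.failures.setdefault(user, []).append(self.clock())
        return "denied"


if __name__ == "__main__":
    users = {"blake": hash_password("correct horse battery staple")}
    guard = LoginGuard()
    for guess in ["password", "123456", "letmein", "qwerty", "welcome",
                  "correct horse battery staple"]:
        print(guess, "->", guard.attempt("blake", guess, users))
```

In the demo the sixth try is the right password and still comes back `locked`: once the threshold is reached the guard stops even checking until the window passes, which is the point of the first bullet.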
  • Nobody – nobody – is immune from getting hacked
  • Have your accounts been compromised? https://www.pwnedlist.com/ (Next: Staying Safe Online)
  • Staying Safe Online: Patches • Trust • Passwords
  • How Do You Know If You Are Infected? You don't. Possible signs: • Sudden slowness • Fans spinning wildly • Change in behavior • Programs start unexpectedly • Your firewall yells at you • Odd sounds or beeps • Random popups • Odd emails FROM you • Freezes • Unwelcome images • Disappearing files • Your browser behaves funny • Random error messages
  • "Your antivirus software is a seat belt – not a force field." – Alfred Huger
  • Desktops & Laptops • Keep everything patched / updated • Don't trust anything – links / downloads / emails • Back up your stuff!
  • Only 1% of all cyber attacks are from previously unknown threats (Microsoft report)
  • If I took your laptop/iPad right now... what would I have access to?
  • Laptops • Prey / LoJack • Passwords • Sign out & do NOT save form data
  • Carry A Safe, Not A Suitcase
  • Email • Don't trust anything • Don't leave yourself logged in • 2-factor authentication • Passwords
  • Email Blended Threats (example subject lines): • 新任经理全面管理技能提升 (Chinese: "Comprehensive management skills improvement for newly appointed managers") • Fwd: Scan from a Hewlett-Packard ScanJet 38061 • Airline itineraries • Temporarily suspended your account • Your intuit.com order. • Better Business Bureau complaints (BBB) • UPS / FedEx delivery notifications
  • Browsers • Use two • Keep everything updated
  • Browsers • Know your settings – Phishing & malware detection: turned ON – Software security & auto / silent patching: turned ON • A few recommended plugins: – Something to limit JavaScript – Something to force HTTPS – Something to block ads
  • Collusion (the Mozilla add-on that visualizes which third-party trackers follow you between sites)
  • Wi-Fi • Passworded & encrypted • MAC & DHCP • Firmware updates • Off • Never trust public Wi-Fi
  • Social Media • Understand and adjust your privacy settings • Use HTTPS • Be skeptical of everything – especially ANYONE asking you for money
  • Social Media Common Threats • YOU HAVE TO SEE THIS • Free iPhone 5! • SOMEONE IS LYING ABOUT YOU • Celebrity / current event • Twitter @s hidden behind URL shorteners
  • Social Media • Facebook: <4% of all posts were spam • Twitter: 1.5% of all Tweets were spam • Evil hits less than 0.5% of Facebook users
  • Four Million People
  • 600,000 times a day, someone tries to log into a stolen account (out of 1.2 billion logins)
  • Mobile Devices
  • Mobile Devices - Threats • Trojans, viruses & malware • Lost and/or stolen • Opaque apps - data access • Open Wi-Fi networks and public hotspots
  • Carry A Safe, Not A Suitcase (Next: Libraries)
  • Security In Libraries
  • But We're Just A Library
  • You Should Worry
  • We Are All Targets
  • 83% of victims were targets of opportunity • 92% of attacks were easy • 85% of hacks were found by a 3rd party (Verizon Data Breach Investigations Report – Fall 2011)
  • Only 16% of the companies managed to detect the breach on their own • They had an average of 173.5 days within the victims' environment before detection occurred (Trustwave 2012 Global Security Report)
  • It's Easy Being Bad
  • Security Is Hard
  • The attacker only needs to succeed once... (securosis.com/blog/)
  • Staying safe takes more than just a firewall...
  • Your firewall is a seat belt – not a force field.
  • What are the biggest mistakes you can make in your library? • Ignoring it and thinking you're safe • Not preparing • Not training
  • Ignoring it and thinking you're safe: 83% of victims are targets of opportunity • 92% of attacks are easy • 96% of hacks were avoidable. Do something.... Do anything!
  • What Does A Library Need To Protect? • OPAC / ILS • Staff computers • Network thingys • Databases • Printers / copiers / thingys • Website • Servers • Laptops • Backups • Cell phones • Wi-Fi routers • Routers • iPads • Your employees' homes / phones / etc...?
  • Public Access Computers
  • Public Access Computers • Staying safe on this computer: – Make sure you log out – Don't access sensitive sites – Beware of the "remember me" option – Don't send personal or financial information via email – Don't send personal or financial information over unsecure websites
  • Your security software is a seat belt – not a force field.
  • Preparation - Practical Policies • Patching and updates of the OS and applications on a regular basis • Regular automated checks of public PCs & network • Check the internets for usernames/passwords for your library (e.g. pastebin) • Dedicated staff? Someone needs to stay current • Lost USB drives? • Is your domain name going to expire?
  • Preparation - Practical Resources • SANS 20 Critical Security Controls http://www.sans.org/critical-security-controls/ (Inventory • Secure Hardware & Network • Audits • Wireless • Malware • Training) • Securing Library Technology: A How-To-Do-It Manual, Earp & Wright
  • Not Training
  • Training • Train the security mindset • Train the hacker's mindset
  • Member Name: Carver, Blake • Member ID Number: 123456 • Online User ID: 00123456 • Online Password: carver • Termination Date: 05/01/2012
  • Training • Phishing • Privacy • Passwords • Email attachments • Virus alerts • How to practice safe social networking • Keeping things updated
  • Training: What About Patrons? • Your patrons don't care much for security • Their habits are inviting malware • Look for ways to make things safer that interfere with people's everyday tasks as little as possible • Principle of least privilege
  • Library Security Mantra: Security • Privacy • Confidentiality • Integrity • Availability • Access (based on Net Sec 101, Ayre and Lawthers 2001)
  • Server Side Security
  • Server Security • Keep things updated • Passwords • Limit logins • Logs • Watch for file changes (IDS) • Firewall • Kill unneeded processes
  • Any Good Web Site Can Go Bad At Any Time
  • Why?
  • How Good Sites Go Bad • SQL injection • Local & remote file inclusion • Cross site scripting (XSS) • Directory traversal
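Two of the items on that list shown as the vulnerable code beside the fix. This is an added example, not code from the slides; the patron table and the document-root layout it builds are constructed for the demonstration. The SQL injection payload is the classic `x' OR '1'='1`, and the traversal payload is a plain `../`; the same `realpath` check also stops an absolute path, which `os.path.join` would otherwise accept wholesale.

```python
import os
import sqlite3
import tempfile


# ---- SQL injection -----------------------------------------------------------
def make_db():
    """Constructed patron table standing in for an ILS database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patrons (id INTEGER, name TEXT, card TEXT)")
    db.executemany("INSERT INTO patrons VALUES (?, ?, ?)",
                   [(1, "Carver, Blake", "123456"), (2, "Doe, Jane", "654321")])
    return db


def find_patron_vulnerable(db, name):
    # Attacker text is spliced into the SQL grammar: a quote ends the literal
    # and the rest of the payload becomes part of the WHERE clause.
    sql = "SELECT name FROM patrons WHERE name = '%s'" % name
    return [row[0] for row in db.execute(sql)]


def find_patron_safe(db, name):
    # Bound parameter: the driver passes the value as data, never as SQL.
    rows = db.execute("SELECT name FROM patrons WHERE name = ?", (name,))
    return [row[0] for row in rows]


# ---- Directory traversal / local file inclusion ------------------------------
def read_page_vulnerable(root, page):
    # '..' walks out of root, and an absolute page makes os.path.join drop root entirely.
    with open(os.path.join(root, page)) as f:
        return f.read()


def read_page_safe(root, page):
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, page))  # resolves '..' and symlinks
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("request escapes the document root: %r" % page)
    with open(target) as f:
        return f.read()


def make_docroot():
    """Constructed layout: <tmp>/secret.txt beside <tmp>/pages/about.html; pages/ is the root."""
    base = tempfile.mkdtemp(prefix="site-")
    os.mkdir(os.path.join(base, "pages"))
    with open(os.path.join(base, "pages", "about.html"), "w") as f:
        f.write("About the library\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("db_password=hunter2\n")
    return os.path.join(base, "pages")


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_patron_vulnerable(db, payload))  # every patron
    print("safe:      ", find_patron_safe(db, payload))        # nothing matches
    root = make_docroot()
    print("vulnerable:", read_page_vulnerable(root, "../secret.txt").strip())
    try:
        read_page_safe(root, "../secret.txt")
    except PermissionError as e:
        print("safe:      ", e)
```

The injection fix is not escaping quotes by hand; it is never building the query from strings at all. The traversal fix compares resolved paths rather than filtering `..` out of the input, because `....//` and URL-encoded variants get past string filters.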
  • ModSecurity (mod_security) rules that refuse requests carrying comment/link-spam keywords in the request body or arguments:
    SecRule REQUEST_BODY|ARGS "mortgage|autoloan|prequalify|refinance|tramadol|ultram" "deny,log,auditlog,status:403,msg:'General Link Spammers Must Die',id:6010"
    SecRule REQUEST_BODY|ARGS "free-codec|rolex|tolltech|anime|batteries" "deny,log,auditlog,status:403,msg:'Misc Spammers Must Die',id:61206"
    These are plain substring regexes, so a legitimate catalog search for "anime" or "mortgage" would be blocked too; scope rules like this to the comment or contact forms they protect.
  • ConfigServer Security & Firewall (csf) http://www.configserver.com/cp/csf.html • A Stateful Packet Inspection (SPI) firewall, login/intrusion detection and security application for Linux servers. • This suite of scripts provides: – A straightforward SPI iptables firewall script – A daemon process (lfd) that checks for login authentication failures for: Courier imap, Dovecot, uw-imap, Kerio; OpenSSH; cPanel, WHM, Webmail (cPanel servers only); Pure-ftpd, vsftpd, ProFTPD; password-protected web pages (htpasswd); mod_security failures (v1 and v2); Suhosin failures
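The kind of check csf's login-failure daemon performs, written out as an added example over constructed sshd log lines; this is not csf's code. An address with five failures inside any ten-minute span is an offender, and the block is expressed as the iptables rule such a daemon would add. The threshold, window, log year and chain name are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in classic syslog format (no year in the timestamp).
SAMPLE_AUTH_LOG = """\
Jun  6 10:01:02 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun  6 10:01:04 web1 sshd[2233]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Jun  6 10:01:05 web1 sshd[2235]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jun  6 10:01:07 web1 sshd[2237]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jun  6 10:01:09 web1 sshd[2239]: Failed password for root from 203.0.113.5 port 51242 ssh2
Jun  6 10:03:40 web1 sshd[2301]: Failed password for blake from 198.51.100.7 port 40001 ssh2
Jun  6 10:03:55 web1 sshd[2303]: Accepted publickey for blake from 198.51.100.7 port 40002 ssh2
Jun  6 10:40:00 web1 sshd[2400]: Failed password for root from 203.0.113.9 port 60000 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2012):
    """Yield (timestamp, username, source ip) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padding in 'Jun  6'
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield when, m["user"], m["ip"]


def offenders(text, threshold=5, window_seconds=600):
    """Source IPs with at least `threshold` failures inside any `window_seconds` span,
    mapped to the largest such count (a sliding window over sorted timestamps)."""
    by_ip = defaultdict(list)
    for when, _user, ip in parse_failures(text):
        by_ip[ip].append(when)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def block_commands(hits, chain="INPUT"):
    """The iptables rules a csf/lfd-style daemon would apply (chain name assumed)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(hits)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_AUTH_LOG)
    for ip, count in hits.items():
        print(f"{ip}: {count} failures inside the window")
    print("\n".join(block_commands(hits)))
```

The single failure from `198.51.100.7` followed by a successful key login is a staff member mistyping, and it never reaches the threshold; the lone failure from `203.0.113.9` at 10:40 is outside every window. Only the five-in-seven-seconds burst from `203.0.113.5` gets a rule, which is the distinction a blunt "any failure blocks" policy gets wrong.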
  • Trustwave - Monthly Web Honeypot Status Report, February 2012
  • Staying Current • Schneier on Security: http://www.schneier.com/blog/ • Naked Security – Sophos: http://nakedsecurity.sophos.com/ • Security FAQs: http://www.security-faqs.com/ • SANS Reading Room: http://www.sans.org/reading_room/ • Security Now Podcast: http://grc.com/securitynow.htm (Conclusions)
  • Done! • Use good passwords • Be paranoid • Keep everything updated
  • IT Security For Libraries – Blake Carver – blake@lishost.org http://lisnews.org/security
  • 10 Tips 1. Use a password manager 2. Turn on GMail two-step verification 3. Switch to Google Chrome and install KB SSL Enforcer 4. Use a VPN everywhere 5. Full disk encryption 6. Routine backups 7. Kill Java 8. Upgrade to Adobe Reader X 9. Common sense on social networks 10. Don't forget the basics
  • Common Security Myths 1. You have nothing important to steal 2. Using Mac/Linux makes you safe 3. Patches and updates make things worse and break them 4. You can look at a site and know it's safe and not serving bad stuff 5. Avoiding IE makes me safe 6. If an email comes from a familiar face it's OK 7. If I'm compromised I will know it 8. P2P and torrents are safe 9. I have a firewall 10. I'm too smart to get infected... Yes, you and me both!
  • Top security excuses 1. It's okay, it's behind the firewall. 2. Won't antivirus catch that? 3. No, we don't have confidential data on our system, just these Social Security numbers of our employees. 4. But nobody would do that [exploit of a vulnerability]. 5. I can't remember all these passwords. 6. My application won't work with a firewall in the way. 7. They won't be able to see that; it's hidden. 8. It's safe because you have to log in first. 9. No, we don't have credit cards on our system, just on this one PC here. 10. We didn't HAVE any security issues until YOU came to work here. (by Wendy Nather)
  • Six ways to be a model cyber citizen 1. Be cyber security aware, use security best practices and report cyber crime 2. Use an antivirus product, as it helps not only to protect you but prevents your computer from hosting malware that affects others 3. Be a good cyber parent: educate your child on the dangers, ethics and safety measures to be used online 4. Stay away from using pirated products 5. Encourage your government to invest in raising the national standard of cyber security in curriculum, law and customer protection 6. Be responsible for your online habits and tweets, as what you do online affects your reputation, family, colleagues, religion, nation and company
  • 5 big security mistakes 1. Assuming that patching is good enough 2. Failing to understand what apps are running 3. Overlooking the anomalies 4. Neglecting to ride herd on password policy 5. Failing to educate users about the latest threats
  • MY ExcuseTH TIP