15 Countries most affected by security honeypots

Written by Carl E. Reid on December 18, 2008 – 5:25 pm

The Swiss Security Blog (SSB) published results of research performed from honeypots implemented on their network. This is a small example of the benefits of honeypots, while exposing the potential damage new Trojans accomplish every day. Security honeypots are closely monitored network decoys serving several purposes:

- distract adversaries from more valuable machines on a network

- act as an early warning system for new attack and exploitation trends

- allow in-depth examination of adversaries during and after the exploitation of a honeypot.

Read more »


Blackberry Full of Sensitive Emails Sold for $20

Written by Sue Walsh on December 17, 2008 – 5:59 pm

Throughout the presidential campaign, John McCain made no secret that he was computer illiterate. Apparently he wasn’t the only one. A reporter from Fox 5 in Washington D.C. attended a sale of items from the former presidential candidate’s campaign headquarters. Among the items for sale were Blackberrys. The reporter bought one for $20, charged it up, and got quite a surprise. The device contained hundreds of emails and over 50 phone numbers, some of which were the private numbers of politicians and journalists! An excerpt from ZDNet’s report:

Many security researchers choose to prognosticate about malware as being the next big threat vector for mobile devices. Until data retention policies become ubiquitous and can guarantee 100% enforceability, data leakage along these lines will be the primary information security threat centered for mobile systems.

Obviously the McCain campaign is clueless when it comes to compliance and data security!


Email Security Measures

Written by Mike Rede on December 9, 2008 – 4:13 pm

Running an email server requires attention to security procedures and policies. How do you prevent unauthorized access? How do you protect your users? How do you ensure the safety of your system?

There are security measures you can take to protect your users and your system from unauthorized use and potentially harmful miscommunications.

One of the first areas to address is application-level security. Data that enters the system can be protected at the application layer before it is passed down the protocol stack. This means that the email text is protected (encrypted) before the email packets are delivered to the intended recipient. This also means that the rest of the email packet (data link header, internet header, transport header and application header) is unprotected. Only the email text is protected.

Read more »


Stop the devils you know first, then the devils you don’t know

Written by Dan Blacharski on December 3, 2008 – 6:06 pm

The Federal government is taking the next step in security with a new set of guidelines. The new guidelines, which will be issued in the next six months as part of the “Consensus Audit Guidelines”, will represent a change of focus that makes a lot of sense. The new policy will be to first focus on fixing vulnerabilities that are most often exploited.

In the government sector, there is a lot of low-hanging fruit. Easy exploits that are easily prevented are very common, and addressing this unfortunate fact will actually result in a very large difference in frequency of attacks. The fact is, lots of people want to hack or attack the US government’s computers, but very few of those attackers are savvy enough to come up with something completely new. Attackers tend to be opportunistic, and the first thing they do is look for an obvious flaw or vulnerability, such as a server that still has the default password, or an email account with a password that is the account owner’s first name. Fixing the large, gaping holes in security first, and then focusing energy on the hypotheticals, will shut the door on most attacks.

Read more »


Missent Email Results in $25,000 Payout

Written by Sue Walsh on December 2, 2008 – 5:08 pm

The LISNews blog has an interesting article about a man who won a wrongful arrest lawsuit against the city of New York. The arrest resulted after his boss claimed she got a lewd email from him. Here’s more:

“The city has agreed to a $25,000 payout for an ex-librarian at the Riverdale Country School in the Bronx who was busted last year for sending bizarre e-mails to his boss. The city agreed to settle Billy Hallowell’s wrongful arrest lawsuit rather than go to trial. Hallowell was detained for 30 hours in April last year after cops were told Hallowell had sent a lewd e-mail to his former boss.”

“We could do it in the library,” the e-mail said. “I could spank you with a vintage copy of Finigan’s (sic) wake.”

Read more »


Securing email from smartphones

Written by Dan Blacharski on December 1, 2008 – 4:07 pm

An editorial in Processor tackles the issue of mobile phone security in the enterprise, and makes some excellent points that are highly relevant. With smartphones becoming standard-issue equipment in both business and social worlds, IT managers have to face up to the fact that they have to do something to keep control over them. Unfortunately, controlling smartphones is a little trickier than controlling laptops. While it’s common for employees to use company-issued laptops, it’s more likely that employees will be using their own smartphones, and will therefore have an attitude that they can use them as they please, download what they please, and email as they please.

One very good point is that smartphones do not need to have the same level of access to the intranet as a laptop, and firewall rules should be created to offer a more constrained approach to smartphone access. In most cases, employees (at least the ones that aren’t up to any good) will only want and need a very limited subset of services from their smartphones compared to what they might need from a remote laptop.

Read more »


Message to Mr. Obama: Keep the BlackBerry!

Written by Dan Blacharski on November 26, 2008 – 5:28 pm

Should Barack Obama have to give up his BlackBerry? To get right to the point, no.

Much of the buzz revolves around the security issue, which is valid. But as a tech-savvy president, Obama will understand the need for security, and the need to comply with policies and Open Records acts just like any other public official. I took Sarah Palin to task in a previous entry, but that was for an entirely different reason–using a private Yahoo email account for government business. Public officials should and must use official government email and email archives, and so long as the new President adheres to this simple rule, there is no reason in the world why he should not be allowed to use it. And to the point often made about Presidential archives, this is a non-issue. The BlackBerry is like any other electronic device, and emails sent from his BlackBerry could easily be archived and preserved appropriately.

Read more »


How to avoid online holiday shopping risks

Written by Dan Blacharski on November 20, 2008 – 4:03 pm

The Christmas shopping season is upon us, and despite the poor economy, people will still be shopping. And a lot of them will be doing so online. Even as retailers are crashing and burning around us, online shopping is still increasing. IT managers, CIOs and security officers must realize too, that much of this shopping is going to take place in the office, whether they like it or not. The urge to shop will invariably transcend company policy, and too often, common sense as well.

There are risks. According to a survey from ISACA, a non-profit association of IT professionals, employers are at risk because too many employees do not understand the risks involved–and the workplace is more vulnerable to spam and viruses as a result.

According to a recent ISACA survey, forty percent of Americans between the ages of 18 and 24 will spend up to five hours shopping online using a work computer this holiday season. Unfortunately, this same age group is the least worried about vulnerability to the work computer. Overall, 63 percent of people of all ages plan to shop online from work this holiday season. The younger audience tends to pay more attention to the security of their home computers, and is less concerned with workplace security. Clearly, it’s time to take some of these youngsters to school on the matter of security.

Read more »


Why You Need a DMZ

Written by Mike Rede on November 19, 2008 – 5:01 pm

Besides protecting your incoming email, authenticating your users and authorizing access, you will also worry about how to secure your servers. One of the ways of securing your servers is to build a moat around them, to make entry difficult or otherwise hinder access to your servers.

To do this you can build a Demilitarized Zone (DMZ) within your network. The first Demilitarized Zone created was the strip of land between North Korea and South Korea after the cease fire of July 17, 1953. 

In a computer environment, a DMZ is an area of your network that sits between your secured, protected internal LAN and the unprotected, unsecured internet.

Read more »


Obama May Have to Say Goodbye to Email

Written by Sue Walsh on November 18, 2008 – 2:44 pm

President-Elect Obama has made little secret of how much he loves his Blackberry. Staffers say that like many owners of the popular email device, Obama makes sure it’s at his side at all times. He receives emails from a large network of friends and supporters. However, due to the Presidential Records Act, which mandates that all presidential correspondence be entered into the official record and, if requested, be made available for public review, he may be forced to give it up. In fact, presidents are advised not to use email for communicating at all due to the risk of hackers accessing it.

“They could come up with some bulletproof way of protecting his e-mail and digital correspondence, but anything can be hacked,” said Diana Owen, head of the American Studies program at Georgetown University, who has studied how presidents communicate in the Internet era. “The nature of the president’s job is that others can use e-mail for him.”

Read more »
