Where Have I Been?

I have been getting a few emails asking why I have been so quiet and where the podcast is.

The podcast has been delayed a bit, sorry for that. I am working on it. Maybe within a week or two I will have it ready and then can get an idea on how often we will do them.

In the meantime, I have been so quiet because I am working on a pretty major project. Stay tuned in the coming weeks for a large announcement from us about a very cool new software product we are about to release. I am very excited, and I think you will be too.

In the meantime, Neil and Troy have been carrying the blog traffic, and I have been continuing to write over at security.itworld.com. Check out my article this week for some insight into why I think IDS/IPS solutions are failing us.

Stay tuned, I promise it will be very interesting…

Dodge phishing attacks and spam

ANTI-SPAM

– Run a consolidated email filtering solution at your email gateway, and use a good AV product.
– If you don’t know who sent it, especially if you are not in the TO: or CC: part, delete it.
– If the subject looks mangled so it could get by perimeter spam sensors, delete it.
– Have a good email policy in your business or organization, and also for your family at home.
– Don’t open email attachments unless you are prepared to infect your computer with a virus.
– Never ever open unsolicited MS Word or MS Excel or any other MS Office document.
– Never make a purchase from an unsolicited email, or give out your credit card numbers.
– Use a disposable email address when signing up for websites to avoid unsolicited email.
– Don’t click the unsubscribe link, which can add your email address to more spam lists.
– Avoid using the preview functionality of your email client software to avoid inadvertent infection.
– Don’t post your email address on every single message board you visit like some people do.
– When mass mailing, use BCC (blind carbon copy) to conceal recipients from one another.

ANTI-PHISHING

– Phishers make a fake site that looks like the real website to collect private information.
– Never respond to emails that request personal financial information or identity information.
– Banks or e-commerce companies generally personalize emails, while phishers do not.
– Visit bank sites by typing https://www.bank.com to have a securely encrypted connection.
– No matter how well you think you know someone from the internet, you don’t know them at all.
– Vigilantly keep good track of your finances and credit report to check for suspicious activity.
– If you’re unsure of a link, search for the URL in a search engine to check its legitimacy.
– Use the latest version of your favorite Internet browser and allow script only on sites you trust.
– Keep your computer patched with all of the latest updates from your operating system vendor.
– If you think your bank has emailed you, call, don’t click, especially if it seems very urgent.
    Ask a customer service representative for help on the phone.
– If your financial institution calls you: hang up, call them back. Always initiate the call.
– Phishers often send false but sensational messages to socially engineer you:
      (“urgent – your account details may have been stolen”)

Following these steps cannot keep you 100% safe, but it will reduce your risk of attack.

Users: Greatest Asset or Weakest Link?

Recent events at very large and very important institutions, such as the Veterans Administration, have highlighted the importance of having an informed, security-minded user base. Many, if not all, organizations that electronically process client or customer information have begun to recognize the importance of having a comprehensive Information Security Policy in place. While every well-prepared Information Security Policy includes provisions that speak directly to the roles and responsibilities of the common user base, it is becoming apparent that few organizations actually provide the training and awareness programs that have proven effective in creating that sought-after, informed user base.


As cyber-criminals realize that organizations’ perimeter defenses have become increasingly difficult to circumvent, attackers have begun focusing their attention on the individual user as a means of compromise, instead of the organization as a whole. Attacks such as phishing and e-mail scams attempt to trick a user into providing some sort of personal or confidential information to an attacker without the user knowing it. With the slew of removable “Destructive Technology” devices (laptops, USB thumb drives, smart phones, PDAs, etc.) now available to the layperson, it is quite possible for a common user to contract some sort of malware while outside of the organization, only to inadvertently introduce it to the organization’s “squishy underbelly”: the internal network.


It is incredibly important, and often mandated by law, for an organization to have a comprehensive Information Security Policy in place. Even more important is the requirement that the Information Security Policy include provisions that explicitly detail the roles and responsibilities of the user base in the organization’s overall security posture. Every organization should include a comprehensive Information Security Awareness Program that speaks directly to how a user should handle the onslaught of cyber attacks that they are certainly going to encounter. It should be the ultimate responsibility of the user base to ensure that they are doing their part in defending their organization’s client/customer information. It should be the responsibility of the organization to ensure that the policies that detail the responsibilities of the user base are in place. But it ultimately comes down to the user to make sure that they are practicing due diligence and adhering to those guidelines.

Does your organization have a Security Awareness Program?  Better yet…do you follow it?

Hat trick of Excel vulnerabilities

Three vulnerabilities were identified in Microsoft Excel recently. The worst of them, in which a specially crafted Flash video can be inserted into a spreadsheet to remotely compromise a computer, doesn’t even require that the user click on anything. All they have to do is open the Excel file from an email attachment and their system is compromised. Excel spreadsheets can even be embedded into web pages, which allows for yet another attack vector.

The other two Excel vulnerabilities were found less than a week earlier. One exploited Excel’s apparent inability to successfully handle long URLs, and the other was a targeted attack that Microsoft has barely commented on. We expect all of these holes will be patched by Microsoft in their upcoming monthly security update. Until then, you should handle unknown Excel documents as if they could very well be infected with a virus.

Upcoming Podcast, MS Patches Push and a Request

Stay tuned for an upcoming podcast that reviews Unified Threat Management and gives some ideas on how it can help your organization. I also identify some things to look for in choosing a UTM solution and some of the changes we can expect in the UTM market. I am working on it now, and should have it posted next week.

In the meantime, keep working on getting the patches from MS yesterday applied. It looks like exploits are already making the rounds for some of these, so stay vigilant. WatchDog is yellow now due to the issues and exploits.

Also, I had a pretty good discussion yesterday with some Cisco folks. They had some good feedback and such on where they are going with the “Self Defending Network”. I would love to get some client feedback about how people view the Cisco mission and the products since they have embraced this idea.

Telnet Spike Seems Localized

For the last week or so, DShield and SANS have been showing a spike in Telnet (port 23) traffic for scans and attacks. However, the scans truly seem to be localized to specific ISPs. To date, none of the MSI honeypots or sensors have recorded any increase in Telnet traffic. On a couple of our consumer broadband connections, we have been watching for Telnet traffic for nearly a month without a SINGLE connection to any of our systems.

This may mean that some specific malware or scanning autorooter has been created that targets specific IP blocks that are known to belong to commercial operations. What they are seeking, at this point is still unknown.

This leaves us wondering if something else is coming, or if this is simply an anomaly or noise in the Net, so to speak. The smart idea is to do some additional monitoring around hosts that provide Internet-facing Telnet services. It might be a good idea to run some quick scans for open Telnet connections and begin to round up whether they are needed or not. Some perimeter firewall config changes may help hide the unneeded ones from whatever is out there crawling the net for them.
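One way to do the additional monitoring suggested above, as an added example that is not part of the original post: parse firewall log lines for inbound TCP/23 connection attempts, then group them by source network and by probed host so that a spike confined to a few source blocks, as the post describes, stands out. The iptables-style log format and the sample lines are constructed for this example.

```python
"""Flag inbound Telnet (TCP/23) connection attempts in firewall logs.

Added example, not from the original post. Assumes iptables-style LOG
lines; the sample lines below are constructed, not real captures.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log lines resembling iptables LOG output.
SAMPLE_LOGS = """\
May 22 03:14:01 fw kernel: IN=eth0 SRC=203.0.113.17 DST=198.51.100.5 PROTO=TCP SPT=4431 DPT=23 SYN
May 22 03:14:02 fw kernel: IN=eth0 SRC=203.0.113.44 DST=198.51.100.5 PROTO=TCP SPT=4432 DPT=23 SYN
May 22 03:14:03 fw kernel: IN=eth0 SRC=203.0.113.90 DST=198.51.100.9 PROTO=TCP SPT=4433 DPT=23 SYN
May 22 03:14:04 fw kernel: IN=eth0 SRC=192.0.2.8 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 SYN
May 22 03:14:05 fw kernel: IN=eth0 SRC=192.0.2.8 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=22 SYN
May 22 03:14:06 fw kernel: IN=eth0 SRC=203.0.113.17 DST=198.51.100.7 PROTO=TCP SPT=4434 DPT=23 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def telnet_attempts(log_text):
    """Return (src, dst) pairs for every TCP connection attempt to port 23."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == 23:
            attempts.append((m.group("src"), m.group("dst")))
    return attempts


def summarize(attempts, prefix_len=24):
    """Group attempts by source network (default /24) and by probed local host.

    A spike that comes from only one or two source networks shows up as a
    short, top-heavy source list; a broad scan spreads across many networks.
    """
    by_source_net = Counter()
    probed_hosts = defaultdict(set)
    for src, dst in attempts:
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        by_source_net[str(net)] += 1
        probed_hosts[dst].add(src)
    return by_source_net, {h: sorted(s) for h, s in probed_hosts.items()}


if __name__ == "__main__":
    nets, hosts = summarize(telnet_attempts(SAMPLE_LOGS))
    for net, count in nets.most_common():
        print(f"{net}: {count} Telnet attempt(s)")
    for host, sources in hosts.items():
        print(f"{host} probed by {len(sources)} distinct source(s)")
```

Hosts that appear in the probed list but have no business offering Telnet are the candidates for the firewall changes the post mentions.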

If you see any unusual traffic on Telnet, please submit logs, packet captures or let us know using email or the “Talk to ISOC” function of WatchDog.

Veteran’s Administration loses 26.5 million records

A recent report from the Veteran’s Administration (VA) indicates that a data analyst illegally removed the personal records of over 26.5 million former service members from the VA, and that the records were subsequently stolen from the analyst’s residence. Fortunately, the records, which cover every service member who has served in this country’s armed forces since 1975, did not contain any medical or financial information. However, names, dates of birth, and Social Security Numbers were among the information stolen. The authorities do not believe that the information was specifically targeted, as there has been a string of burglaries in the analyst’s area of residence. They also believe that the thief (or thieves) may not even know that they have this particular information. How the data analyst got the data out of the building is unclear, whether it was on a laptop, USB drive, CD/DVD or some other type of destructive, transportable media. However, the incident does pose several questions, for me, about the organization’s Information Security policies and procedures, especially when you consider that my name, date of birth, and Social Security Number are included among the 26.5 million affected veterans.

My first question about this incident is, naturally, what were the motivating factors that allowed this series of events to take place? If you recall from my previous blog entry, my research for the State of the Threat presentation indicated that there is a growing market for our personal information to be used in identity theft schemes. With organized crime groups doing all they can to get the SSNs of innocent people to be used to steal their identities for monetary gain, I have to wonder (pure speculation!) if there was some sort of cooperation between the data analyst and an external entity to have this information removed from the Veteran’s Administration. With all the talk about the illegal immigration issue, we all know that many of those immigrants are using stolen identities in order to be able to work. There is a debate going on in the Senate that may end up allowing those same illegal immigrants to keep the Social Security benefits that they paid into by using the stolen identities. Could the underground market for names and SSNs (and the finder’s fees for those numbers) be a motivating factor?

More important than the motivators is the question of what security policies were in place that were supposed to safeguard against this type of thing occurring. By now, most companies or agencies are being regulated by some sort of legislation, whether it be GLBA, HIPAA, SOX, or NCUA 748, that mandates certain controls be implemented to prevent just this very thing from happening. Were these safeguards implemented at the Veteran’s Administration? If they were implemented, were they being followed? Was there an awareness program in place to inform the employees of their roles and responsibilities in the organization’s Information Security posture? Has a third party ever performed a risk assessment of the VA’s security posture, to include security policies and business processes? What was the VA’s policy about USB drives or other transportable media? Is there unmitigated access to this type of data once access is gained to the internal network?

For years, security professionals have been screaming, at the top of their lungs, that the user will always be the weakest link in an organization’s security posture. Could this incident have been avoided with a comprehensive, standards-based Risk Assessment and follow-on Awareness Program? Or will the theoretical disgruntled employee (I don’t know if that’s the case in this incident) always be the worst fear of any organization?

This incident, or one of the dozen or so incidents that have been reported from some of the largest companies in the world, should put the need for a comprehensive, repeatable, standards-based, third-party risk assessment at the top of every security professional’s list. If the thought of being the company or organization responsible for the identity theft and ruined credit of anywhere from one person to millions of people doesn’t get the job done, maybe the fines and lawsuits that could ensue if an incident of this nature occurs at your organization will be the motivator that enables your organization to realize that information security is not just a new buzzword. It’s a reality… and a necessity.

As for me, I can be found at the nearest credit bureau trying to order my credit report.  OUT OF MY POCKET….NO LESS!!!

Word Attacks Overblown

The press is spending some attention on the Word attacks that took place recently, but we feel much of this is overblown. Sure, two forms of the attack are said to be in use, but there is little public info about them, and certainly no evidence of widespread attacks as of yet.

On WatchDog we have placed the suggestion of using the “winword /safe” command to better protect your organization, but it is likely a patch for the issue is coming in June, and until widespread exploits are available, it is pretty unlikely that most organizations will see any attacks from this.

In the meantime, we suggest treating it like the myriad of unpatched holes in Internet Explorer that occur so often, and use some caution, alert users and help desk folks to be aware of the symptoms. Then, apply the patch when it is released.

Most of all, please do not panic. The risks are not all that high compared to many of the other vulnerabilities common in most enterprises today.

Where is the Malware?

We are left wondering about the Exchange vulnerability. To date, we have seen no malware exploiting this vulnerability on a mass scale, and not even public exploit code has appeared. So, the question is: why?

Are attackers holding this back for integration into a multi-exploit attack, or did the recent VNC development distract them from the Exchange problem? Only time will tell.

We will keep our eyes open for development on this situation and let you know what we see. In the meantime, make sure you are applying the patch for Exchange and upgrading your VNC servers to the new version. We are seeing wide scans for the VNC problem, and SANS is reporting much attacker activity from this exploit.