Here’s good news for you if you’re a cybersecurity guru or aspire to be one. The U.S. House of Representatives recently passed a piece of legislation, the Cybersecurity Enhancement Act of 2009 (HR 4061), that will shovel millions of dollars in funding into the National Science Foundation (NSF) for the purpose of developing cybersecurity programs, constructing cybersecurity research facilities and offering scholarships and training programs in cybersecurity at colleges and universities. The bill was passed by an overwhelming majority of the House – 422 to 6. Not everyone in the industry supports the bill, however. Read more about it here:
http://www.computerworld.com/s/article/9152299/Cyb...praise
Safe surfing is getting harder to do and if your users access the Internet with a web browser, they could be putting their machines and the entire network at risk. During the fourth quarter of 2009, a malware analysis tool made by Dasient found that over 560,000 web sites were “infected” with malicious code. More bad news: the attacks are becoming more efficient, more sophisticated and more difficult to detect. And it’s not just dynamic web pages that are being infected; about 40 percent of the compromised pages were static pages.
http://www.darkreading.com/database_security/secur...eaches
Apple has touted the iPhone’s “sandboxing” technology that is supposed to prevent iPhone apps from accessing operating system resources – but security expert Nicolas Seriot says the permissions that are set in the deny/allow rules are way too loose and some apps may be able to access data from other apps, including contacts, email addresses and phone numbers. The iPhone is immensely popular and many businesses are now allowing them to access the corporate network. Unfortunately, that popularity also makes the platform a favorite target of hackers, just as Windows is the favorite target in the desktop operating system space because of its market share. “Jailbroken” iPhones are especially attractive targets because the malware authors don’t have to go through the App Store, but some apps of this nature have made it into the App Store before their true nature was discovered and they were delisted.
http://www.pcadvisor.co.uk/news/index.cfm?RSS&...212022
What with all the anti-phishing technologies built into the latest versions of popular web browsers, some folks might have thought the phishing threat was over. Unfortunately, it’s not that easy. The Anti-Phishing Working Group (APWG), an organization that tracks and analyzes online phishing attacks, recently released their Phishing Activity Trends Report for the third quarter of 2009, and the news isn’t good. The numbers are up, with August setting new records. Especially worrying is the fact that phishers are getting more sophisticated at defeating authentication technologies, and at the same time are targeting more corporate bank accounts held by larger companies, apparently having learned – like bank robbers before them – that “that’s where the money is.” The report is available in PDF format here:
http://www.antiphishing.org/reports/apwg_report_Q3...09.pdf
DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)
dshinder@isaserver.org
A gloomy global economy put a damper on IT spending of all kinds in 2009, and businesses may be moving out of it slowly, but according to a recent report by Forrester Research, a significant portion of companies are planning to increase spending on IT security technologies in the coming year: 42 percent of enterprise-level organizations and 37 percent of small and medium-size companies. This is due at least in some part to the rapidly increasing “consumerization” of IT, as more and more employees connect smart phones and other devices of their own to the corporate network and engage in social networking and other consumer-oriented web activities. Read more here:
http://www.securitypronews.com/insiderreports/insi...e.html
Regardless of which web browser your users use, there are bound to be security issues. That’s the nature of the beast. Amidst all the hoopla about an IE exploit being used in the December attacks on Google and other companies, Google itself has obviously recognized that its own browser needed some beefing up in the security department, too. This week they released a new version, Chrome 4, that includes three new security features: XSS protection, strict transport security and postMessage cross-origin communication. Find out more about these features here:
http://www.eweek.com/c/a/Security/Google-Chrome-4-...84240/
Last November, the code for Microsoft’s COFEE (Computer Online Forensic Evidence Extractor) forensics tool was leaked to the Internet. COFEE is distributed free to law enforcement agencies all over the world and used to gather digital evidence from computers that are seized in connection with criminal activity. Microsoft does not make it available to those outside the law enforcement community.
http://www.crunchgear.com/2009/11/06/siren-gif-mic...ernet/
Then in December, several sites reported on the release of software called DECAF that could detect the presence of COFEE and delete its files and processes as well as clearing its log files. You can read more about DECAF here:
http://www.theregister.co.uk/2009/12/14/microsoft_...decaf/
On December 18, that first version was pulled by its makers and it was labeled as fake. Now a new version, DECAF 2, is out there. The new version doesn’t limit itself to COFEE, but also detects other forensics software including EnCase, Helix, Forensic Toolkit and more. DECAF developers say the first version did work and was removed because of legal concerns, and that they were trying to raise awareness for “better security and more privacy tools.”
http://www.thetechherald.com/article.php/200953/50...unched
Do you use social networking sites? Is one of them Facebook? Do you log onto your Facebook page from your mobile phone? Is your cell phone provider AT&T? Recently a “glitch” was discovered whereby a woman in Georgia signed on to what she thought was her account, only to see a group of “friends” she’d never heard of. A bit more investigation showed that she was actually accessing someone else’s account – and when she told others about it, they tried their own accounts and the same thing happened. All of them were going through the AT&T mobile network.
http://www.phoneplusmag.com/hotnews/att-routing-pr...s.html
Now both AT&T and Facebook say they have fixed the problem on their respective ends. AT&T spokespeople say they repaired a “server software glitch” and installed new security measures, and Facebook changed the web site’s privacy settings to prevent it from happening again. But this raises serious concerns about the level of protection your information has on a social networking site, and reinforces the idea that you should never put anything on the site that you wouldn’t want to become public knowledge – even if you think only your friends will be able to see it.
Have you ever wondered about the delegation flags in Active Directory, and how you can use them to determine which accounts are trusted for full delegation? That’s not really clear from some of the Microsoft documentation, but Microsoft security MVP Jesper Johansson, who is also author of the Windows Server 2008 Security Resource Kit, explained it in a blog post back in October, in a way that’s clear and easy to understand. Now you can find out how those flags are set and what they really mean.
http://msinfluentials.com/blogs/jesper/archive/200...y.aspx
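If you’d like to check those flags on your own accounts, here is an added Python example (it is not code from this newsletter or from Jesper Johansson’s post) that classifies accounts from their userAccountControl value together with the msDS-AllowedToDelegateTo attribute. The flag constants are the documented userAccountControl bit values; the account records are constructed sample data, and the helper names are my own.

```python
"""Classify Active Directory accounts by their Kerberos delegation settings.

Added example, not code from the newsletter or from the blog post it links to.
Flag constants are the documented userAccountControl (ADS_USER_FLAG) bit values;
the account records below are constructed sample data.
"""

# userAccountControl bits that control delegation.
TRUSTED_FOR_DELEGATION = 0x80000            # trust for delegation to any service (unconstrained)
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation using any authentication protocol
# Other bits that appear in the sample values, named only for readability.
NORMAL_ACCOUNT = 0x200
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account


def describe_delegation(uac, allowed_to_delegate_to=None):
    """Return how an account may delegate, and whether its own tickets are protected.

    uac -- integer userAccountControl attribute
    allowed_to_delegate_to -- SPNs from msDS-AllowedToDelegateTo, if any
    """
    targets = tuple(allowed_to_delegate_to or ())
    if uac & TRUSTED_FOR_DELEGATION:
        mode = "unconstrained"            # may impersonate its callers to any service
    elif targets:
        mode = ("constrained-any-protocol" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION
                else "constrained-kerberos")
    else:
        mode = "none"
    return {
        "mode": mode,
        "targets": targets,
        # NOT_DELEGATED protects this account's credentials from being delegated
        # by some other service; it is independent of the mode above.
        "sensitive": bool(uac & NOT_DELEGATED),
    }


# Constructed sample export: (sAMAccountName, userAccountControl, msDS-AllowedToDelegateTo)
SAMPLE_ACCOUNTS = [
    ("DC01$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, None),   # 532480, normal for a DC
    ("websvc", NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     ["MSSQLSvc/db01.example.test:1433"]),
    ("appsvc", NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION, None),        # a user account with full trust
    ("adminuser", NORMAL_ACCOUNT | NOT_DELEGATED, None),
    ("jsmith", NORMAL_ACCOUNT, None),
]


def unconstrained_non_dc(accounts):
    """Names of accounts trusted for unconstrained delegation that are not domain controllers.

    Domain controllers carry TRUSTED_FOR_DELEGATION by design; any other account
    that has it deserves a second look.
    """
    return [name for name, uac, targets in accounts
            if describe_delegation(uac, targets)["mode"] == "unconstrained"
            and not (uac & SERVER_TRUST_ACCOUNT)]


if __name__ == "__main__":
    for name, uac, targets in SAMPLE_ACCOUNTS:
        info = describe_delegation(uac, targets)
        print(f"{name:10} uac={uac:<9} mode={info['mode']:26} sensitive={info['sensitive']}")
    print("review:", unconstrained_non_dc(SAMPLE_ACCOUNTS))
```

To run it against a real domain, feed the loop an export of sAMAccountName, userAccountControl and msDS-AllowedToDelegateTo from your directory tool of choice in place of the sample list.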
It’s common sense: strong passwords (those that contain a larger number of characters made up of a combination of upper and lower case letters, numbers and symbols) are harder to crack than short, simple or common ones. Surely you can count on the users on your network to understand that and set their passwords accordingly, right? Maybe not. Imperva Inc. (a database security vendor) recently released a report wherein they analyzed 32 million passwords that were revealed in a database security breach. They found that almost half of those passwords were easy to guess, and the most common passwords of all were “123456” and other number sequences starting with 1, of varying lengths. Good grief!
http://www.computerworld.com/s/article/9147138/Use...swords
So no, you can’t trust users to create secure passwords on their own. That’s why you need to set password length and complexity policies and use software to enforce them. Luckily that’s easy to do in a Windows domain. A Windows Server 2008 domain comes with a default domain password policy already in place, and you can use fine-grained password policies to apply different password restrictions to different groups of users within the domain. That’s something you couldn’t do with previous versions of Windows Server. This step-by-step guide tells you how to use this feature:
http://technet.microsoft.com/en-us/library/cc77084...).aspx
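To show what length and complexity enforcement and group-specific policies look like in practice, here is an added Python example; it is not code from this newsletter, from Imperva’s report or from the Microsoft guide. It models the fine-grained policy rule that, when several policies apply to a user, the one with the lowest precedence value wins, and checks a candidate password the way the Windows complexity requirement does (at least three of four character classes, and no account name or full-name part longer than two characters). The policy names, precedence values and the short list of common passwords are constructed for the example.

```python
"""Resolve which password policy applies to a user and check a password against it.

Added example, not code from the newsletter or the sources it links to.
Policies, precedence values and the common-password list are constructed samples.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    complexity: bool                   # require 3 of 4 character classes and no name fragments
    precedence: int                    # fine-grained policies: the lowest value wins
    applies_to: frozenset = frozenset()  # group names; empty means the default domain policy


# Default domain policy: a high precedence value so any fine-grained policy beats it.
DEFAULT_DOMAIN_POLICY = PasswordPolicy("Default Domain Policy", 7, True, precedence=10**9)

# Constructed sample of fine-grained policies an administrator might define.
SAMPLE_PSOS = (
    PasswordPolicy("PSO-ServiceAccounts", 20, True, 10, frozenset({"Service Accounts"})),
    PasswordPolicy("PSO-Admins", 15, True, 20, frozenset({"Domain Admins"})),
    PasswordPolicy("PSO-Contractors", 12, True, 30, frozenset({"Contractors"})),
)

# Constructed sample blocklist; in production this would be a much larger breach-derived list.
COMMON_PASSWORDS = frozenset({
    "123456", "12345", "123456789", "1234567", "12345678",
    "password", "iloveyou", "abc123", "qwerty", "letmein",
})


def resolve_policy(user_groups, psos=SAMPLE_PSOS, default=DEFAULT_DOMAIN_POLICY):
    """Among the fine-grained policies for the user's groups, return the lowest-precedence one."""
    groups = set(user_groups)
    candidates = [p for p in psos if p.applies_to & groups]
    if not candidates:
        return default
    return min(candidates, key=lambda p: p.precedence)


def character_classes(password):
    """Count which of upper, lower, digit and symbol classes the password uses."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pat in patterns if re.search(pat, password))


def check_password(password, account_name, display_name, policy):
    """Return a list of violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if policy.complexity:
        if character_classes(password) < 3:
            problems.append("fewer than 3 of 4 character classes")
        lowered = password.lower()
        if account_name and account_name.lower() in lowered:
            problems.append("contains the account name")
        # Windows splits the full name on these separators and rejects any
        # part longer than two characters that appears in the password.
        for token in re.split(r"[ ,.\-_#\t]+", display_name):
            if len(token) > 2 and token.lower() in lowered:
                problems.append(f"contains part of the full name ({token!r})")
    return problems


if __name__ == "__main__":
    policy = resolve_policy({"Domain Users", "Contractors"})
    for candidate in ("123456", "Smith#2010x", "Correct-Horse-Battery-9"):
        print(policy.name, repr(candidate), check_password(candidate, "jsmith", "John Smith", policy))
```

The length and class checks are the part most tools get right; the name-fragment check is the one that is most often forgotten when a policy is re-implemented outside the domain, for example in a web application that syncs its own accounts.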