December 2007 – CyberSecurity Institute

VoIP vulnerabilities increasing, but not exploits

Posted on December 18, 2007December 30, 2021 by admini

Implementations of Session Initiation Protocol (SIP), an alternative VoIP protocol, can leave VoIP networks open to unauthorized transport of data.

The VoIPSA tools are intended to help businesses test and secure their networks, but these and other online tools can be used to probe for weaknesses as well.

Part of the reason may be that the largest VoIP vendors use proprietary protocols, such as Cisco’s Skinny, Nortel’s Unistim and Avaya’s variant of H.323, Orans says. SIP, which is gaining popularity, is a mixed bag, Orans says, because it is readily available to those who might want to exploit it. These options include firewalls and intrusion-prevention systems that support SIP (compare products).

Another reason for the lack of broad exploits is that there isnt enough ROI for attackers’ development time.

Hybrid PBX systems — which handle both VoIP and TDM voice — account for 64% of all PBX lines sold, according to a December 2007 Infonetics report.

http://www.networkworld.com/news/2007/121707-crystal-ball-voip-vulnerabilities.html

New Service Detects Backdoors in Software

Posted on December 18, 2007December 30, 2021 by admini

“People doing manual code review look for vulnerabilities, but not typically for backdoors,” says Chris Wysopal, CTO and co-founder of Veracode. “We built a metal detector for this.” Wysopal says several of Veracode’s financial services customers had approached the company with concerns about this potential threat in the third-party software products they purchase and that their developers write.

In a recent report by the Defense Science Board on the risks of the Department of Defense’s dependence on software manufactured outside of the U.S., the DSB discusses the need for assuring the software purchased by the DOD isn’t sabotaged in any way. He found that 23 software packages that government employees might download for tools or for developing apps for their agencies, had backdoors within them.

Special credential backdoors are when a developer or attacker hard-codes passwords or keys into the program code, including username and password, for instance. Hidden functionality backdoors are special commands inserted into the code that lets an attacker issue commands or authenticate without going through the app’s standard application procedure. Still, that’s a dangerous practice, Wysopal says: “I don’t care if a feature was put in on purpose by the developer for debugging, or maliciously by an attacker. “The big tell-tale sign of a rootkit is the software is doing something it’s not supposed to do,” Wyospal says.

http://www.darkreading.com/document.asp?doc_id=141487&WT.svl=news2_4

Companies are Thinking of Information Security as a Strategic Asset

Posted on December 14, 2007December 30, 2021 by admini

I think this trend can also be examined from the angle of compliance with PCI standards— payment card industry data security standards (PCI DSS). Visa certainly didn’t like this behavior and was at the forefront of levying fines against offending merchants for not passing their PCI audits. The council is adopting more stringent standards and requirements around keeping card data safe for all those involved in the payments chain—banks included.

It’s encouraging to see that information security is taking on greater importance at organizations, even beyond compliance requirements.

Getting back to the E&Y study, the firm found that companies are better integrating their information security and risk management initiatives (82 percent of respondents). More than two-thirds (69 percent) of respondents felt that information security improves IT and operational efficiencies.

This finding sharply contrasts to previous years, according to the firm, when information security was viewed as a barrier to IT and operational efficiency.

Nearly a third of respondents said they never meet with their board or audit committee.

Although E&Y didn’t specify the kinds of companies involved in the study, it’s not too difficult to draw parallels to the financial services industry.

http://www.banktech.com/blog/archives/2007/12/companies_are_t.html;jsessionid=CESVIN0SMPC0UQSNDLPSKH0CJUNN2JVN

Mashups, SAAS Present Security Risks

Posted on December 4, 2007December 30, 2021 by admini

Web services are typically XML-based, and HTML is the language needed to design Web pages, upon which mashups reside. “You have to explicitly design that in,” he said. “And by explicit, that means you have to design authentication and authorization into the way that the service responds to consumers. Mashups, by their nature as a composition of services, don’t introduce new security issues, Schmelzer said.

“The security issue in composition is the problem of security context in which you have to deal with the fact that composing different systems might mean trying to span different identity domains, which is a significant problem for companies that have not made a prior investment in identity management systems,” he said. That said, the security issue is not a fatal flaw for SAAS, mashups and SOA, Schmelzer said.

Douglas Crockford, a senior JavaScript architect at Yahoo who is know for discovering the JavaScript Object Notation, said there’s been nothing really new done to HTML since 1999, which has led to security problems and security risks down the line for technologies such as mashups. “We’ve been so distracted by XML that HTML has not gotten the attention it needs,” said Crockford, who was on the panel at the show..

Michael Day, founder of YesLogic and the architect of the Prince formatter, said XML does have a future on the Web, if only as a server technology. XML seems to have gone the way of other technologies, such as Java, that started out as client-side technologies and ended up in the server realm, Day said.

http://www.eweek.com/article2/0,1759,2227704,00.asp?kc=EWRSS03119TX1K0000594

Study Reveals Overlooked Sources of Leaks

Posted on December 4, 2007December 30, 2021 by admini

Lost laptops, emails sent to the wrong address, sensitive documents left on photocopiers, employees walking out of the building with confidential papers or storage media — these are not new sources of leaks, but they remain the most common, the study finds. “Most of these are accidental, not malicious,” Seth says.

Some employees repeat sensitive information on social networking sites such as MySpace or Facebook, while others may be overheard in a restaurant or on an airplane. An employee might be shoulder-surfed at a coffee shop or on a train, or lose an unencrypted storage device in a public place, the study observes.

The study also found some methods of leakage that may not be anticipated, such as “print screen” capabilities or photographing of screens on mobile devices. “I know it’s a tired phrase, but we’re talking about human behavior here, and the only way to correct the problem is to correct the behavior.”

http://www.darkreading.com/document.asp?doc_id=140412&f_src=darkreading_section_296

Amount of malware grew by 100% during 2007

Posted on December 4, 2007December 30, 2021 by admini

Other increasing data security phenomena during 2007 included parasitic behavior, like the Zlob DNSChanger, and increasing security exploit activity for Apple products, including both Mac’s, iTunes and the iPhone.

The increased popularity of social networking services carries similar risks.

On the mobile security front Symbian S60 as the most popular smartphone platform has done a good job of curbing malware with its 3rd edition software.

http://www.net-security.org/malware_news.php?id=886