CyberSecurity Institute

Security News Curated from across the world

Month: March 2009

New Rootkit Attack Hard To Kill

Posted on March 27, 2009 / December 30, 2021 by admini

This more “persistent” rootkit is more dangerous than a regular rootkit because it could use the BIOS-located network stack to attack other machines, as well as “using normal exploits, without any access to the disk or memory in the operating system,” the researchers said.

What’s the best defense against such an attack? The researchers say it’s tough to prevent any attack from an advanced rootkit like this.

The best options, they say, are to prevent the flashing of the BIOS by enabling “write” protection on the motherboard, or deploying digitally signed BIOSes, for instance.

http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml;jsessionid=EHDXVE1URKONSQSNDLPCKH0CJUNN2JVN?articleID=216401170&subSection=Vulnerabilities+and+threats

Securely booting from strangest of places

Posted on March 12, 2009 / December 30, 2021 by admini

BeCrypt (Booth 2231) offers a USB key with a complete operating environment as a way to run a secure session on an unmanaged PC. Insert the drive in a USB port and configure the laptop to boot from the USB, and the hard drive is bypassed altogether in favor of the software on the USB stick. The USB drive, called the BeCrypt Trusted Client, contains a stripped-down version of Linux, along with any applications you want to run. This setup would allow a government worker to run a secure session from anywhere by using the basic secure OS along with downloadable applications provided by Citrix software or some other client. The material on the drive is encrypted with either 128-bit or 256-bit Advanced Encryption Standard (AES). The drive itself has a shock rating of 300 Gs operating and 900 Gs when not in use, and it can work in temperatures ranging from 20 degrees below zero to 75 degrees centigrade.

What makes this drive bootable is that it comes with backup and recovery software called BounceBack. When the hard drive fails, plug this portable drive into the USB port and you can boot directly into the backup. If you don’t need rugged, you could just buy the BounceBack software and back everything up to your own USB key or portable hard drive.

For the security-conscious, MXI Security (booth 2223) does these offerings one better with a couple of bootable USB drives that use Common Access Card-level user authentication out of the box. The Access CAC is a USB drive with a fingerprint reader, as well as the ability to hold CAC public key infrastructure credentials. The user can set up the device to allow access to its files only by a combination of a fingerprint biometric and a password. Or, if that drive is attached to a computer with a CAC reader on a Defense Department network, access can be granted through CAC authentication. A worker who wants to sign onto a Defense Department network from a public machine would just insert a USB drive and attach a smart card reader to another USB port.

Booting from CD is another option, and increasingly we are seeing what are known as live CDs: CDs that contain an entire OS that can be loaded into working memory without touching the hard drive at all. With one of these live CDs, you simply insert the disk and set the computer BIOS to boot from the optical disk player, and the entire Linux desktop environment comes up.

http://gcn.com/Articles/2009/03/12/FOSE-bootable.aspx

Worldwide Cybercrime Police Network Grows (PC World)

Posted on March 12, 2009 / December 30, 2021 by admini

Becoming part of the network is required under the Convention on Cybercrime, an international treaty that sets a legal model for other countries to follow when writing anticybercrime legislation.

Of 47 countries that are part of the Council of Europe, 24 have ratified the treaty, and 23 others have signed it but are waiting for their national legislatures to ratify it.

The 24/7 Network is intended to improve coordination between law enforcement, as Internet scams and frauds are often executed using networks of hacked computers located around the world. That poses much difficulty for law enforcement, as potential evidence could be quickly erased or lost, making prosecutions difficult.

On Wednesday, law enforcement, government officials and security professionals held a closed-door meeting at the International Conference on Cybercrime in Strasbourg, France, to discuss its status.

http://tech.yahoo.com/news/pcworld/20090312/tc_pcworld/worldwidecybercrimepolicenetworkgrows

Better metrics needed for security, says expert

Posted on March 12, 2009 / December 30, 2021 by admini

Amit Yoran, CEO of security firm NetWitness and the former director of the National Cyber Security Directorate at the DHS, criticized today’s risk management practices.

The security industry is awash in bad data, and companies that attempt to use the metrics could take the wrong actions, he said.
The process requires that executives work with their security group to find the right way to measure security for that specific company, he said.
“Set the expectations that a lack of due care is not going to be tolerated.”

http://www.securityfocus.com/brief/926?ref=rss

Massachusetts Data Protection Law Date Extended: What Your Business Needs to Know

Posted on March 10, 2009 / December 30, 2021 by admini

Agnes Bundy Scanlan, a lawyer at Boston’s Goodwin Procter, and a board member of the International Association of Privacy Professionals (IAPP), says that while in general the Massachusetts data protection law is “pretty complicated,” it has gone through revisions and extensions. “But as it stands today, businesses that have Massachusetts residents’ information will have to have a comprehensive written security program, and heightened security procedures, including encryption.”

“Even if there wasn’t a recession, this regulation still would be something that businesses would be reluctant to comply with,” Holland says.

The Massachusetts regulation was prompted by several high-profile data breaches that impacted residents, including the TJX case that first made headlines in 2007.

“Clearly, the Massachusetts government didn’t believe that data breach notification alone was sufficient to protect its citizens,” Bundy Scanlan says.

The Massachusetts law is breaking new ground in data protection requirements, just as the California state data breach notification law that was passed in 2003 did for state data breach notification laws. CA-1386 was passed by California state legislators after a 2002 data breach affected thousands of state workers, including some of the legislators themselves.

In the January public hearing held by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), the room was packed with businesses and representatives from other entities calling for more time. Representatives of the Greater Boston Chamber of Commerce, Massachusetts Business Coalition, various nonprofits, colleges and universities and others at the January meeting testified to the near impossibility of complying with the encryption standards, as well as the enormous investment of time, energy, and scarce cash required by this undertaking. By mid-February, the Massachusetts government made a decision to push back the date for compliance with the new regulations, says OCABR undersecretary Daniel Crane, because of the recession and to give entities more time to comply.

Still, the regulations require that companies limit the amount of data they collect, have and maintain written security policies and keep a detailed inventory of all personal data and where it is stored, whether on electronic media or on paper. The regulations require any business that handles sensitive personal information on citizens of the Commonwealth of Massachusetts to encrypt that data as it is transmitted over the Internet or stored on external mobile devices such as laptops, flash drives and other mobile storage equipment. “They should do as much as they possibly can; then if it is a systems problem with encryption, they will at least show they are doing their due diligence for the regulator.”

http://www.bankinfosecurity.com/articles.php?art_id=1261

Cyberattack mapping could yield blueprint for cyber defense

Posted on March 10, 2009 / December 30, 2021 by admini

Cyberattack maps developed by Sandia researchers were presented to the public during a seminar last week at Harvard University. Those measurements make up a complex computer simulation of a massive botnet attack against a large-scale network.

Goldsmith presented the Sandia research as part of the “Cyber Internal Relations” series sponsored by MIT and the Belfer Center for Science and International Affairs at the Harvard Kennedy School. The researchers chose to examine a root attack, a Byzantine attempt to gain control of a target system at its most basic level of operation.

Applications of such simulations aren’t academic at all; such large-scale IT infrastructures would of course include those of state and federal agencies or defense contractors. Goldsmith and other attendees at the lecture assert that the “Holy Grail” of cyberwarfare is to quickly and accurately map out the network of an attacker or defender. Such a map could produce a decisive advantage, just as understanding the local geography of a country is a crucial advantage in real-world warfare.

Goldsmith is the lead scientist on a project creating intelligent white hat software agents that enable networks to be self defending.

Enterprise intrusion detection software in the future may include network topography and intelligent agents in a collective to improve its effectiveness. The developers of high-level enterprise architecture policies, including service-oriented architectures, will need to consider where and how to build a level of autonomous intelligence into networks.

In an address Feb. 26 at an Armed Forces Communications and Electronics Association meeting in Baghdad, Sorenson called for greater information sharing on a single communications network.

http://gcn.com/Articles/2009/03/10/Cyberattack-mapping.aspx
