admini – Page 168 – CyberSecurity Institute

New Service Detects Backdoors in Software

Posted on December 18, 2007December 30, 2021 by admini

“People doing manual code review look for vulnerabilities, but not typically for backdoors,” says Chris Wysopal, CTO and co-founder of Veracode. “We built a metal detector for this.” Wysopal says several of Veracode’s financial services customers had approached the company with concerns about this potential threat in the third-party software products they purchase and that their developers write.

In a recent report by the Defense Science Board on the risks of the Department of Defense’s dependence on software manufactured outside of the U.S., the DSB discusses the need for assuring the software purchased by the DOD isn’t sabotaged in any way. He found that 23 software packages that government employees might download for tools or for developing apps for their agencies, had backdoors within them.

Special credential backdoors are when a developer or attacker hard-codes passwords or keys into the program code, including username and password, for instance. Hidden functionality backdoors are special commands inserted into the code that lets an attacker issue commands or authenticate without going through the app’s standard application procedure. Still, that’s a dangerous practice, Wysopal says: “I don’t care if a feature was put in on purpose by the developer for debugging, or maliciously by an attacker. “The big tell-tale sign of a rootkit is the software is doing something it’s not supposed to do,” Wyospal says.

http://www.darkreading.com/document.asp?doc_id=141487&WT.svl=news2_4

Companies are Thinking of Information Security as a Strategic Asset

Posted on December 14, 2007December 30, 2021 by admini

I think this trend can also be examined from the angle of compliance with PCI standards— payment card industry data security standards (PCI DSS). Visa certainly didn’t like this behavior and was at the forefront of levying fines against offending merchants for not passing their PCI audits. The council is adopting more stringent standards and requirements around keeping card data safe for all those involved in the payments chain—banks included.

It’s encouraging to see that information security is taking on greater importance at organizations, even beyond compliance requirements.

Getting back to the E&Y study, the firm found that companies are better integrating their information security and risk management initiatives (82 percent of respondents). More than two-thirds (69 percent) of respondents felt that information security improves IT and operational efficiencies.

This finding sharply contrasts to previous years, according to the firm, when information security was viewed as a barrier to IT and operational efficiency.

Nearly a third of respondents said they never meet with their board or audit committee.

Although E&Y didn’t specify the kinds of companies involved in the study, it’s not too difficult to draw parallels to the financial services industry.

http://www.banktech.com/blog/archives/2007/12/companies_are_t.html;jsessionid=CESVIN0SMPC0UQSNDLPSKH0CJUNN2JVN

Mashups, SAAS Present Security Risks

Posted on December 4, 2007December 30, 2021 by admini

Web services are typically XML-based, and HTML is the language needed to design Web pages, upon which mashups reside. “You have to explicitly design that in,” he said. “And by explicit, that means you have to design authentication and authorization into the way that the service responds to consumers. Mashups, by their nature as a composition of services, don’t introduce new security issues, Schmelzer said.

“The security issue in composition is the problem of security context in which you have to deal with the fact that composing different systems might mean trying to span different identity domains, which is a significant problem for companies that have not made a prior investment in identity management systems,” he said. That said, the security issue is not a fatal flaw for SAAS, mashups and SOA, Schmelzer said.

Douglas Crockford, a senior JavaScript architect at Yahoo who is know for discovering the JavaScript Object Notation, said there’s been nothing really new done to HTML since 1999, which has led to security problems and security risks down the line for technologies such as mashups. “We’ve been so distracted by XML that HTML has not gotten the attention it needs,” said Crockford, who was on the panel at the show..

Michael Day, founder of YesLogic and the architect of the Prince formatter, said XML does have a future on the Web, if only as a server technology. XML seems to have gone the way of other technologies, such as Java, that started out as client-side technologies and ended up in the server realm, Day said.

http://www.eweek.com/article2/0,1759,2227704,00.asp?kc=EWRSS03119TX1K0000594

Study Reveals Overlooked Sources of Leaks

Posted on December 4, 2007December 30, 2021 by admini

Lost laptops, emails sent to the wrong address, sensitive documents left on photocopiers, employees walking out of the building with confidential papers or storage media — these are not new sources of leaks, but they remain the most common, the study finds. “Most of these are accidental, not malicious,” Seth says.

Some employees repeat sensitive information on social networking sites such as MySpace or Facebook, while others may be overheard in a restaurant or on an airplane. An employee might be shoulder-surfed at a coffee shop or on a train, or lose an unencrypted storage device in a public place, the study observes.

The study also found some methods of leakage that may not be anticipated, such as “print screen” capabilities or photographing of screens on mobile devices. “I know it’s a tired phrase, but we’re talking about human behavior here, and the only way to correct the problem is to correct the behavior.”

http://www.darkreading.com/document.asp?doc_id=140412&f_src=darkreading_section_296

Amount of malware grew by 100% during 2007

Posted on December 4, 2007December 30, 2021 by admini

Other increasing data security phenomena during 2007 included parasitic behavior, like the Zlob DNSChanger, and increasing security exploit activity for Apple products, including both Mac’s, iTunes and the iPhone.

The increased popularity of social networking services carries similar risks.

On the mobile security front Symbian S60 as the most popular smartphone platform has done a good job of curbing malware with its 3rd edition software.

http://www.net-security.org/malware_news.php?id=886

Cybercrime agency faces cuts as computer raid threats grow

Posted on December 4, 2007December 30, 2021 by admini

In particular, Finjan investigated an attack that used zero-day exploits – malicious software for which there are no security patches – that was designed to steal confidential information.

On Saturday, The Times disclosed that the Director-General of MI5 had written to businessmen with a warning that they were being attacked by Chinese cyberspies. Ian Brown, of Oxford University, a cyber-espionage expert, said that British businesses were more vulnerable than they need to be because of the merger and planned job cuts. Critics say that leaves cybercrime and web-based industrial espionage too far down the agenda.

http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article2994807.ece