June 22, 2009

CLLB Information Security Newsletter

Volume 2 Number 6 June 2009.

From the Desk of David Badertscher

All This Functionality in One Device!

Mobile communication devices (including BlackBerrys, iPhones and smart phones in general) have become indispensable tools for today's highly mobile society. Small and relatively inexpensive, these multifunction devices can be used not only for voice calls but also for text messages, email and Internet access, along with stand-alone applications similar to those run on a desktop computer. A significant amount of personal, private and/or sensitive information may accumulate on or be accessed via these devices. Additionally, some of these devices may allow you to access your home computer or your corporate network.

What Risks Do They Present?

While the devices offer many benefits and conveniences, they also pose risks to you and/or your organization’s security. As these devices continue to take on the characteristics of personal computers, they also inherit the same potential risks. Some of the primary risks include the following:

The portability of the device leads to a higher likelihood of loss of the device. Millions of mobile communication devices are lost each year.

When Bluetooth and/or wireless (not cellular) communications are enabled, these devices are subject to the risk of eavesdropping and "hijacking".

"Malware" is available that, if installed on your device, can allow a perpetrator remote access to your device: to listen to and record all of your calls, send the perpetrator a text message whenever you make or receive a call, read all of your messages, make calls on your behalf from your phone, access all of the information on your phone, trace your location, and enable the speaker functionality on the phone to listen in on conversations even when the phone is not in use.

Sites purporting to offer "free games or ring tones" are major vectors for distributing malware.

While reports of worms and viruses impacting these devices are relatively few, this is expected to increase in the future.

Despite the risks outlined above, many users do not understand how vulnerable their mobile device is or how to deploy important security settings and controls.

What Can I Do to Secure My Mobile Communication Device?

The following outlines steps you can take to protect your mobile communication device. Some of the steps are dependent upon the functionality of your device.


Use a password to access your device. If the device is used for work purposes, you should follow the password policy issued by your organization.

If the Bluetooth functionality is not used, check to be sure this setting is disabled. Some devices have Bluetooth enabled by default. If the Bluetooth functionality is used, be sure to change the default password (PIN) used for pairing with another Bluetooth-enabled device.

Do not open attachments from untrusted sources. Similar to the risk when using your desktop, you risk being exposed to malware when opening unexpected attachments.

Do not follow links to untrusted sources, especially from unsolicited email or text messages. Again, as with your desktop, you risk being infected with malware.

If your device is lost, report it immediately to your carrier or organization. Some devices allow the data to be erased remotely.

Review the security settings on your device to ensure appropriate protection. Be sure to encrypt data transmissions whenever possible.


Enable storage encryption. This will help protect the data stored on your device in the event it is lost or stolen, assuming you have it password protected!

Beware of downloading any software to your device. If the device is used for work, follow your organization’s policy on downloading software.

Before disposing of the device, be sure to wipe all data from it and/or follow your organization's policy for disposing of computer equipment.


For more information on securing mobile communication devices, please visit:

National Cyber Alert System - Cyber Security Tip ST06-007, Defending Cell Phones and PDAs Against Attack
http://www.us-cert.gov/cas/tips/ST06-007.html

NIST Special Publication 800-124, Guidelines on Cell Phone and PDA Security
http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf

FTC Consumer Alert – The 411 on Disposing of Your Old Cell Phone
http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt044.shtm

WTHR News story on "Tapping Your Cell Phone"
http://www.wthr.com/Global/story.asp?s=9346833

McAfee – The Web's Most Dangerous Search Terms
http://us.mcafee.com/en-us/local/docs/most_dangerous_searchterm_us.pdf


*The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

OTHER NEWS:

DON'T FALL FOR JURY DUTY SCAM.
The phone rings, you pick it up, and the caller identifies himself as an officer of the court. He says you failed to report for jury duty and that a warrant is out for your arrest.

You say you never received a notice. To clear it up, the caller says he'll need some information for "verification purposes": your birth date, social security number, maybe even a credit card number.

This is when you should hang up the phone. It's a scam!

Jury scams have been around for years, but have seen a resurgence in recent months.

Communities in more than a dozen states have issued public warnings about cold calls from people claiming to be court officials seeking personal information. As a rule, court officers never ask for confidential information over the phone; they generally correspond with prospective jurors via mail.

The scam's bold simplicity may be what makes it so effective. Facing the unexpected threat of arrest, victims are caught off guard and may be quick to part with some information to defuse the situation.

In recent months, communities in Florida, New York, Minnesota, Illinois, Colorado, Oregon, California, Virginia, Oklahoma, Arizona and New Hampshire reported scams or posted warnings or press releases on their local websites.

The jury scam is a simple variation of the identity-theft ploys that have proliferated in recent years as personal information and good credit have become thieves' preferred prey, particularly on the Internet.

Scammers might tap your information to make a purchase on your credit card, but could just as easily sell your information to the highest bidder on the Internet's black market.

Protecting yourself is the key: Never give out personal information when you receive an unsolicited phone call.


May 18, 2009

CLLB Information Security Newsletter

Volume 2 Number 5 May 2009.

Rogue (Fake) Anti-Virus Software: How to Spot It & Avoid It!*

From the Desk of David Badertscher


Your PC May Be Infected! Click here to clean it!

Have you seen this advertisement or similar pop-up messages? A free PC scan or an offer to clean your computer of supposedly infected files is often an attempt by malevolent persons or organizations to install malicious software (malware) such as a Trojan horse, keylogger, or spyware. Such software is referred to as rogue (fake) anti-virus malware.

How can my system get infected?

The primary way rogue anti-virus software gets onto your system is that you click on a malicious link in an advertisement or similar pop-up message. The wording in the advertisement is usually alarming, designed to get your attention and convince you to scan or clean your PC immediately with the offered tool. The names of the fake programs sound legitimate, and often, in a further attempt to appear legitimate, the programs prompt you to pay for an annual subscription to the service.

Any kind of website could host ads for rogue anti-virus: news sites, sports pages, and social networking sites as well as “riskier” sites such as hacker blogs. Some varieties of rogue anti-virus programs will also get installed on your machine just by you visiting a website with a malicious ad or code, and you might never know you’ve been impacted.

Won’t my valid anti-virus and anti-spyware program protect my computer?

Though good anti-virus and anti-spyware programs will protect against many threats, they cannot protect against all malware threats, especially the newest ones. There are millions of different versions of malware, with hundreds more being created and used every day. It may take a day, a week, or even longer for anti-virus companies to develop and distribute an update to detect and clean the newest malware.

What can rogue anti-virus software do to my computer?

Just about anything, especially if you are using administrative-level access when using your computer. Rogue anti-virus software might perform many activities, including installing files to monitor your computer use or steal credentials, installing backdoor programs, or adding your computer to a botnet. The malware might even use your computer as a vehicle for compromising other systems in your home or workplace network.

Rogue anti-virus software can also modify system files and registry entries so that even when you clean off some infected files or registry keys, others remain, or the infection is restored and active again after your system is rebooted. For example, one recent rogue anti-virus program reportedly installed several malicious Trojan files and also made over two dozen different changes to ensure that the malware stayed on the system and kept running. This type of malware also often blocks access to valid security sites (anti-virus and anti-spyware companies, and operating system and application update sites) so that you cannot patch or clean your system by visiting those sites.

What can I do to protect my computer?

1. Don’t click on pop-up ads that advertise anti-virus or anti-spyware programs. Even though pop-up ads are used for valid advertising they can also be used for malicious purposes, like getting you to install fake security programs. If you are interested in a security product, search for it and visit its homepage, don’t get to it through a pop-up ad.

2. Use and regularly update firewalls, anti-virus, and anti-spyware programs. It is very important to use and keep these programs updated regularly so they can protect your computer against the most recent threats. If possible, update them automatically and at least daily.

3. Properly configure and patch operating systems, browsers, and other software programs. Keep your system and programs updated and patched so that your computer will not be exposed to known vulnerabilities and attacks.

4. Turn off ActiveX and Scripting, or prompt for their use. ActiveX controls are small programs or animations that are downloaded or embedded in web pages, which will typically enhance functionality and user experience. Many types of malware can infect your computer when you simply visit a compromised site and allow anything to run from the website, such as ads. Turning off ActiveX and Scripting can help protect your computer if you inadvertently browse to or are unwillingly redirected to a malicious site. (You can limit the functionality of your Internet browser through its configuration choices, but be sure to look for a guide if you are unfamiliar with how to limit scripting and active content—see below for resources.)

5. Keep backups of important files. Sometimes cleaning infections can be very easy; sometimes they can be very difficult. You may find that an infection has affected your computer so much that the operating system and applications need to be reinstalled. In cases like this it is best to have your important data backed up already so you can restore your system without fear of losing your data.

6. Regularly scan and clean your computer. If your organization already has configured this on your computer, do not disable it. If you need to scan your computer yourself, schedule regular scans in your programs. Also, several trusted anti-virus and anti-spyware vendors offer free scans and cleaning. Access these types of services from reputable companies and from their webpage, not from an unexpected pop-up.

For more information, please visit:

Partial Listing of Rogue Security Software: http://en.wikipedia.org/wiki/Rogue_software

Free Security Checks: www.staysafeonline.info/content/free-security-check-ups

Pop-ups: www.msisac.org/awareness/news/2008-12.cfm

Web Browser Attacks: www.msisac.org/awareness/news/2008-07.cfm

Malware: www.onguardonline.gov/topics/malware.aspx

Spyware: www.onguardonline.gov/topics/spyware.aspx

Free Check for File Infection: www.virustotal.com/


*The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

OTHER NEWS:

U.S. Department of Defense Seeks E-Mail Security for Grid Network.
by Doug Beizer
Federal Computer Week May 15, 2009.

System would scan incoming e-mail messages

The Defense Department needs a security system to scan e-mail on its Global Information Grid (GIG) network, and it has asked industry to submit information on such a system, according to an announcement on the Federal Business Opportunities Web site.

http://fcw.com/articles/2009/05/15/dod-email-security.aspx?s=security_180509

Warrant Required to Use GPS to Track Suspects
New York Law Journal

A divided N.Y. Court of Appeals ordered a new trial for a man convicted of burglary in part with evidence from a GPS device. Chief Judge Jonathan Lippman wrote for the majority that "this dragnet use of the technology at the sole discretion of law enforcement authorities to pry into the details of people's daily lives is not consistent with the values at the core of our state Constitution's prohibition against unreasonable searches."


April 10, 2009

CLLB Information Security Newsletter

April 2009 Volume 2 Number 4.

From the Desk of David Badertscher

The use of credit cards to pay for goods and services is a common practice around the world. It enables business to be transacted in a convenient and cost-effective manner. However, more than 100 million personally identifiable customer records have been breached in the US over the past two years[1]. Many of these breaches involved credit card information. Continued use of credit cards requires confidence by consumers that their transaction and credit card information are secure. The following provides information on how the credit card industry has responded to security issues and steps you can take to protect your information.

Who regulates the security of credit card transactions?

The Payment Card Industry (PCI) Security Standards Council developed standards and policies that must be met by all vendors which accept credit card transactions. The Council’s members include American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International. The Council created an industry-wide, global framework that details how companies handle credit card data – specifically, banks, merchants and payment processors. The result was the Payment Card Industry (PCI) Data Security Standard (DSS)[2], a set of best practice requirements for protecting credit card data throughout the information lifecycle.

The PCI compliance security standards outline technical and operational requirements created to help organizations prevent credit card fraud, hacking and various other security vulnerabilities and threats.

The PCI DSS requirements are applicable if a credit card number is stored, processed, or transmitted. The major credit card companies require compliance with PCI DSS rules via contracts with merchants and their vendors that accept and process credit cards. Banks, merchants and payment processors must approach PCI DSS compliance as an ongoing effort. Compliance must be validated annually, and companies must be prepared to address new aspects of the standard as it evolves based on emerging technologies and threats.

How is my credit card information protected?

The PCI standards detail what protective measures are required for the storage and transmission of credit card information. For electronic Point of Sale (POS) transactions, the information is encrypted and transmitted directly to the credit card processor. For an online transaction, the merchant is required to have a secure server and an encrypted connection to the customer. Access to credit card information is restricted on a business need-to-know basis. The standards include guidelines for developing and maintaining secure systems and applications. Recent focus includes heightened security requirements for wireless networks due to the jump in the use of wireless POS terminals.

What if a merchant does not follow the standards?

If a member, merchant, or service provider does not comply with the security requirements or fails to rectify a security issue, they may face fines up to $500,000 per incident or restrictions imposed by the credit card companies, including denying their ability to accept or process credit card transactions.

What can I do to secure my credit card information?

You can help secure your credit card information by adhering to the following guidelines:

Don't respond to email or pop-up messages. If you get an email or pop-up message while you're browsing, don't reply or click on the link in the message or any attachments, especially if personal or financial information is requested. Legitimate organizations don't ask for this information in these ways.

Guard the security of your transaction. When purchasing online, look for the "lock" icon on the browser's status bar and be sure "https" or "s-http" appears in the website's address bar. The "s" stands for "secure."

Use temporary account authorizations when available. Some credit card companies offer virtual or temporary credit card authorization numbers. This kind of service gives you use of a secure and unique account number for each online transaction. These numbers are often issued for a short period of time and cannot be used after that period. Contact your credit card company to see if they offer this service.

Limit your online shopping to merchants you know and trust. If you have questions about a merchant, verify it with the Better Business Bureau or the Federal Trade Commission.

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/



March 26, 2009

CLLB Information Security Newsletter

March 2009 Volume 2 Number 3.

Social Networking Sites: How To Stay Safe

From the Desk of David G. Badertscher

The popularity of social networking sites--such as MySpace, Facebook, Twitter and others--has exploded in recent years, with usage in the United States increasing 93% since 2006, according to Netpop Research. The sites are popular not only with teenagers but with adults as well: the number of adult Internet users having a social networking profile has more than quadrupled in the past four years, according to the Pew Internet & American Life Project.

While there are many positive aspects of using social networking sites, it is also important to understand the potential security risks and know what precautions to take to protect yourself and your information.

What are social networking sites?

Social networking sites are online communities of Internet users who want to communicate with other users about areas of mutual interest, whether from a personal, business or academic perspective. The specific functionality of the various sites may differ, but in general, the sites allow you to provide information about yourself and communicate with others through email, chat rooms and other forums.

What are the security concerns of social networking sites?

Social network sites are growing in popularity as attack vectors because of the volume of users and the amount of personal information that is posted. The nature of social networking sites encourages you to post personal information. Because of the perceived anonymity and false sense of security of the Internet, users may provide more information about themselves and their life online than they would to a stranger in person.

The information you post online could be used by those with malicious intent to conduct social engineering scams and attempt to steal your identity or access your financial data. In addition, the sites are increasingly sources of worms, viruses and other malicious code. You may be prompted to click on a video on someone’s page, which could bring you to a malicious website, for example. If you are accessing a site that has malicious code your machine could become infected. For examples of some common social networking scams, visit the Council of Better Business Bureaus.

It’s also important to realize that information you post can be viewed by a broad audience, and could have lasting implications. College admissions officers and school administrators, for example, do visit these sites and in some cases, admissions have been denied to applicants, or disciplinary actions have been taken because of information or photos posted online. Employers also review these sites for information about potential job applicants.

What can you do to protect yourself?

Make sure your computer is protected before visiting sites – make sure you have a firewall and anti-virus software on your computer and that it is up-to-date. Keep your operating system up-to-date as well.

Do not assume you are in a trusted environment – just because you are on someone’s page you know, it is still prudent to use caution when navigating pages and clicking on links or photos, because links, images or other content contained on the pages may include malicious code.

Be cautious in how much personal information you provide - remember that the more information you post, the easier it may be for an attacker to use that information to steal your identity or access your data.

Use common sense when communicating with users you DO know – confirm electronic requests for loans or donations from your social networking friends and associates. The communications could be from someone who has stolen the credentials of the person you know with the intent of scamming as many people as possible.

Use common sense when communicating with users you DON’T know – be cautious about whom you allow to contact you or how much and what type of information you share with strangers online.

Understand what information is collected and shared – pay attention to the policies and terms of the sites; they may be sharing your email address or other details with other companies.

Make sure you know what sites your child is visiting - be involved in your child's activities and know with whom he/she is communicating and what information is being posted by them, or about them by others.

For more monthly cyber security newsletter tips visit:
www.msisac.org/awareness/news/

ADDITIONAL NEWS:

New York City Cyber Security Summit
May 4, 2009

"The City of New York is committed to providing a secure information technology environment and to the protection of private information collected from the public. People are part of that solution, and as a City employee, your understanding and commitment to good security practices go a long way to bolster a secure computing environment. Therefore, I invite you to participate in the second annual NYC Cybersecurity Summit, where we can explore ways to secure information used by the City as we provide municipal services."

- Dan Srebnick, Associate Commissioner, IT Security & Chief Information Security Officer, Department of Information Technology and Telecommunications (DoITT), City of New York
________________________________

Choosing the Right Hardware and Software for Data Protection Solution
Compliments of Infoworld and HP.

"The latest white paper from the Mesabi Group explores the challenge facing many businesses in deciding what combination of software-hardware best meets their needs for data protection, storage, and business needs. There are a number of good options available and, as data protection grows more complicated each day, businesses should review their data protection from the ground up."

To see the white paper click on the link below:

Commentary: Choosing the Right Hardware and Software for Data Protection Solutions


March 6, 2009

The Oxford Companion to International Criminal Justice

Book Review by David Badertscher*
March 6, 2009.

The Oxford Companion to International Criminal Justice
Antonio Cassese, Editor in Chief
Oxford University Press 2009


When Antonio Cassese, Professor of International Law at the University of Florence, was first approached some six years ago on behalf of Oxford University Press to edit an Oxford Companion devoted to international criminal justice, he refused for a number of understandable reasons, including the realization that this task would be truly titanic, and being uncertain of the availability of adequate staff support. However, when Professor Cassese was again approached some two years later he accepted, explaining that he ...”very much liked the idea of compiling for the first time a sort of encyclopaedia covering an area [international criminal justice] that, while in full bloom, had not yet been the object of a general exposition of all its ramifications and intricacies.” By this time he was also able to assemble a very impressive, world class group of contributors that reads like a veritable who’s who of the field to collaborate on this work under Professor Cassese’s direction. The final result is a significant work which treats its subject both broadly and in depth in an accessible manner.

The Oxford Companion to International Justice (Companion), is divided into three parts. Part A consists of 21 essays including a comprehensive survey of issues and debates surrounding international humanitarian law, international criminal law, and their enforcement. Part B is arranged alphabetically, containing 320 entries on doctrines, procedures, institutions and personalities. Part C contains over 400 case summaries of key trials from international and domestic courts dealing with war crimes, crimes against humanity, genocide, torture and terrorism.

With analysis and commentary on every aspect of international criminal justice, this Companion is designed to be an entry point for scholars, practitioners, and others interested in current developments in international justice. It addresses the various intricacies of international criminal justice, and to some extent other areas of international justice, in a manner that is both scholarly and accessible. This is in itself a considerable accomplishment. It attests to the high quality of collaboration among the contributors Professor Cassese assembled. Indeed, one of the special qualities of this work is the use of language throughout that enables those who are not familiar with criminal law but who have an active interest in matters related to international justice to find it useful.

If there is any weakness to this work, it relates to the arrangement of some of the material in the book and not to the quality of its content. Some readers may find that placing so many of the tables and lists in the front of the book, before Part A, creates a type of barrier or 'firewall' between the Foreword and Table of Contents and the substantive materials in Parts A, B, and C, unintentionally reducing the accessibility of the work for some users. A better approach might have been to leave all of this material in the back near the index so that all of this type of information would be consolidated in one place. A second, unrelated suggestion for any future edition would be to add some type of scope note at the beginning of each Part to further enhance accessibility.

It needs to be emphasized that the Oxford Companion to International Criminal Justice is more than a work designed to update scholars, practitioners, and others on current developments in international justice. An examination of the essays in Part A and the cases in Part C indicates that the materials contained therein are of sufficient scope and depth to be consulted as part of in-depth research by all readers. It is a significant work recommended for academic and specialized libraries, large public libraries, scholars and other specialists with an interest in the field, and for those general readers who need to keep up with developments in international justice.

Although the Oxford Companion to International Criminal Justice was published by Oxford University Press in the United Kingdom on January 22, 2009, it will only be available in the United States on March 23. That is because it takes about six weeks for stock to be shipped to the US warehouse of Oxford University Press and then a couple of weeks to get to further United States outlets.
___________________________________
*David Badertscher is the Principal Law Librarian at the New York Supreme Court Criminal Term, First Judicial District. New York, NY.

March 2, 2009

U.S. Supreme Court: United States v. Hayes (No. 07-608)

From the ABA Criminal Justice Section: http://www.abanet.org/crimjust

United States v. Hayes (No. 07-608)

"The court released an opinion regarding the prohibition on possession of a firearm by convicted felons to include persons convicted of a misdemeanor crime of domestic violence. Police officers discovered a rifle in respondent Hayes's home. Hayes was charged with possessing firearms after having been convicted of a misdemeanor crime of domestic violence. He was previously convicted for battery in 1994 against his then-wife. Hayes moved to dismiss the indictment on the ground that his past conviction did not qualify as a predicate offense because West Virginia's generic battery law did not designate a domestic relationship between aggressor and victim as an element of the offense. When the District Court denied the motion, Hayes entered a conditional guilty plea and appealed. The Fourth Circuit reversed, holding that a §922(g)(9) predicate offense must have as an element a domestic relationship between offender and victim."

"By extending the federal firearm prohibition to persons convicted of misdemeanor crimes of domestic violence, §922(g)(9)'s proponents sought to close a loophole: Existing felon-in-possession laws often failed to keep firearms out of the hands of domestic abusers, for such offenders generally were not charged with, or convicted of, felonies. Hayes argues that the measure that became §§922(g)(9) and 921(a)(33)(A), though it initially may have had a broadly remedial purpose, was revised and narrowed during the legislative process, but his argument is not corroborated by the revisions he identifies."

"Congress defined "misdemeanor crime of domestic violence" to include an offense "committed by" a person who had a specified domestic relationship with the victim, whether or not the misdemeanor statute itself designates the domestic relationship as an element of the crime."

"Justice Ginsburg delivered the opinion of the Court. Justice Roberts filed a dissenting opinion in which only Justice Scalia joined."

The full opinion can be accessed at http://www.law.cornell.edu/supct/html/07-608.ZS.html.

February 24, 2009

CLLB Information Security Newsletter

February 2009 Volume 2 Number 2.

Monthly Cyber Security Tips
NEWSLETTER


Cyber Security Trends for 2009

From the Desk of David Badertscher

The volume and complexity of cyber threats continue to increase. More of our activities—whether at home, school or work—involve computers and the Internet—in fact, in the not-too-distant future, your household appliances may be computerized and controlled remotely from your PDAs; simultaneously, the knowledge required to launch a successful attack continues to decrease. As we develop more defenses, the cyber criminals and hackers come up with new ways to attack our computers. These factors create an environment in which vigilance on a daily basis is required to help mitigate the risks. Threats such as identity theft, worms and viruses, loss of sensitive information and other malicious activity are part of an ever-evolving cyber security threat landscape.


Some of the key challenges we are facing in 2009 focus on application security. Application security is a crucial layer in a multi-tiered cyber security strategy. Building security in at the beginning of development is an important factor in minimizing potential vulnerabilities. We’ve seen the results when vulnerabilities in web applications are exploited, leading to SQL injection attacks, cross-site scripting and other malicious activity.


Cyber criminals take advantage of commercial web sites that have poor security to add code to the web site without the knowledge of the web hosting company. That code may silently re-direct the user’s computer to another site which will download malware to the user’s computer, without the user’s knowledge; the attackers may also add a script to the site that will automatically execute on the user’s computer.
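The injected code described above usually takes one of two shapes in the page source: an iframe sized or styled so the visitor never sees it, or a script tag pulling a loader from a host the site owner never approved. The following Python is an added example written for this page, not code from the newsletter or from MS-ISAC; it scans a page of HTML for exactly those two patterns. The sample page, the approved host list and the 203.0.113.9 address are constructed placeholders, not indicators taken from the newsletter.

```python
from html.parser import HTMLParser
from typing import Iterable, List
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Flag markup typical of code injected into a compromised site:
    iframes hidden from the visitor, and scripts fetched from hosts that the
    site owner never approved."""

    def __init__(self, allowed_hosts: Iterable[str]):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (
                a.get("width", "").strip() in ("0", "1")
                or a.get("height", "").strip() in ("0", "1")
                or "display:none" in style
                or "visibility:hidden" in style
            )
            if hidden:
                self.findings.append(f"hidden iframe loading {a.get('src', '')}")
        elif tag == "script" and a.get("src"):
            host = (urlparse(a["src"]).hostname or "").lower()
            # A relative src (no host) is served by the site itself; skip it.
            if host and host not in self.allowed:
                self.findings.append(f"script from unapproved host {host}")


def scan_page(html: str, allowed_hosts: Iterable[str]) -> List[str]:
    """Return the list of suspicious elements found in one page of HTML."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a storefront page with two injected elements. The hosts
# and the 203.0.113.9 address are documentation placeholders, not real IoCs.
SAMPLE_PAGE = """<html><head>
<script src="https://shop.example/static/app.js"></script>
<script src="https://cdn.example/jquery.js"></script>
</head><body>
<h1>Welcome to the shop</h1>
<iframe src="https://shop.example/help" width="400" height="300"></iframe>
<iframe src="http://203.0.113.9/x.php" width="0" height="0" style="display:none"></iframe>
<script src="http://203.0.113.9/loader.js"></script>
</body></html>"""

# Hosts the (hypothetical) site owner has approved for script loading.
APPROVED_HOSTS = ["shop.example", "cdn.example"]

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, APPROVED_HOSTS):
        print("SUSPICIOUS:", finding)
```

Run against a site's own pages on a schedule (or in a deployment check), a scanner like this catches the common injection shapes before visitors do; it is a cheap integrity check, not a substitute for keeping the hosting platform patched.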


Another alarming trend continues to be the evolution of cyber crime, which has morphed from fairly innocuous web-site hacking and “graffiti” attacks to organized crime syndicates seeking profit. Cybercrime is now big business. Attackers now want your credit card and other financial information as well as your social security number. According to a recent study by McAfee, the global cost of cyber crime due to identity theft and data breaches is an estimated $1 trillion. Many data thefts are orchestrated by organized crime, both in the U.S. and abroad.


The economic recession is another factor that may impact cyber security challenges. The risks due to insider threats are another major concern, and are expected to increase due to the economic downturn. Additionally, phishing scams and other social engineering attacks will increase, as attackers try to take advantage of bank closings, claims for “easy credit” or other online scams. Phishing attempts are no longer easily detected based on misspelled words in the email scam, or claims of large sums of money left to you in some foreign location, for example. The phishing scams are becoming more targeted and more “realistic” in appearance.


Holidays and major news events are still popular vehicles for compromising computers. Valentine’s Day is this month and email messages are already circulating that will infect a user’s computer when the message is clicked. Once the computer is infected, the malware will attempt to capture the user’s personal information and transmit it to the cyber criminals.


What can be done to protect my computer and my personal information?


Good security is implemented through a multi-layer approach. Users can minimize risk by following the recommendations below:

· Install and maintain a firewall.

· Use anti-virus and anti-spyware software and set them to auto-update.

· Keep operating system and other software up-to-date by enabling the auto-update feature.

· Be cautious about all communications; think before you click. If an email appears to be a phishing communication, do not respond. Delete it.

· Do not open email or related attachments from untrusted sources.

· If you receive an email appearing to be from a legitimate business, requesting the submission of personal information, it is most likely a scam. Legitimate businesses do not send emails requesting personal information.

For additional information on protecting yourself from the latest cyber threats, please visit:

Phishing: How to Avoid Getting Hooked! www.msisac.org/awareness/news/2008-10.cfm
Web Browser Attacks www.msisac.org/awareness/news/2008-10.cfm

Online Shopping www.msisac.org/awareness/news/2007-12.cfm
Top Ten Cyber Security Tips www.msisac.org/awareness/news/2006-10.cfm

Brought to you by:

www.msisac.org

More News from the February 24, 2009 issue of SC Magazine:

Visa confirms another payment processor breach
Dan Kaplan February 23, 2009
Visa has confirmed that yet another payment processor has been hit by hackers.

Microsoft says password stealers pose biggest threat
Angela Moscaritolo February 20, 2009
The top two threat families on Microsoft's detection and removal list this month are online game password stealers. These threats are now predominantly occurring in the United States -- a shift from last June when they mostly were detected in China.

Senate report calls for new U.S. cybersecurity effort
Chuck Miller February 20, 2009
A new report released this week by the U.S. Senate's Homeland Security and Governmental Affairs Committee calls for a concerted national effort to overcome cybersecurity threats to the United States.


New Symbian mobile malware in the wild
Angela Moscaritolo February 20, 2009
A new worm is spreading in the wild, targeting mobile devices running Nokia's Symbian OS.

Government travel site hacked, remains shuttered
Greg Masters February 19, 2009
A government travel website used by a dozen federal agencies has been hacked and remains shuttered.

New Sality variant contains moneymaking twist
Angela Moscaritolo February 19, 2009
The newest variant of the Sality virus combines a little bit of old and a little bit of new to infect users.

For more monthly cyber security newsletter tips visit:
www.msisac.org/awareness/news/

The information provided in the Monthly Security Tips Newsletters is intended to increase the security awareness of an organization’s end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization’s overall cyber security posture.



January 30, 2009

CLLB Information Security Newsletter

January 2009 Volume 2, Number 1

Challenge or Secret Questions

From the Desk of David Badertscher

What are Challenge or Secret Questions?

Knowledge-based authentication or the use of “Challenge or Secret Questions” helps computer users access their accounts when they forget their password. The questions are often designed as simple, easy-to-remember “prompts” that only the authorized user should be able to answer. They are in effect a backup to your password.

While some systems allow users to create their own challenge or secret questions, most systems have pre-populated questions such as “What is your mother’s maiden name? What is the name of your first pet or car? What is your favorite color?” While these systems are a great convenience for the end user (they are not likely to forget the responses) and are efficient from the administrator’s perspective (low overhead), they are very weak from a security perspective.

What are the security concerns with using Challenge or Secret Questions?

There is a limited pool of secret questions that most Knowledge-Based Authentication systems use and many of the questions have a limited amount of potential responses, such as “What is your favorite color?” If someone researches you and discovers the answers for your questions, they could gain unauthorized access to your account.

The ability for someone to guess the response to a user’s secret question has greatly increased due to the large volume of information available on the Internet. This was demonstrated during the recent presidential campaign, when one of the candidate’s email accounts was hacked into. The attacker was able to do so by conducting a minimal amount of research about the candidate using information found on the Internet to answer the secret questions and get the password for the email account.

Users need to be aware that there is a tremendous amount of information available about them, not only through Internet search engines, but also social networking profiles and other sources.

What can be done to make Challenge or Secret Questions more secure?

As with the design of a regular password, the responses to secret questions should be something that is hard to guess, but easy to remember. Users are encouraged to not provide the technically correct response to the question. Similar to developing a strong password, the response to a secret question is in effect a password and thus should have the same protections. The use of a combination of upper and lower case letters, special characters and numbers is recommended. There are many ways to obfuscate your response. The key is to develop a methodology that is easy for you to remember but difficult for someone else, even someone you know, to guess. Some examples are:

1. Begin and/or end each response with a number, capitalize a letter and add a special character. For example, the response to your mother’s maiden name of “Smith” would be “44SmitH!”. Or insert a number and a special character in the middle of the word; in this example the response to your mother’s maiden name of “Smith” would be “Smi44!th”.

2. Provide answers that do not correspond to the question, thus making it difficult for an attacker to correctly guess. For example, a user may use the name of a city as the response for “mother’s maiden name.”

3. Use the question itself to create an easy-to-remember passphrase. By combining the main part of the question with one of your favorite catchwords, you can create a passphrase you can remember. If the question asks for your favorite sports team, you can take “Sports Team” from the question and combine it with a phrase from your favorite show, such as “CSI.” Your answer is then “Sports Team CSI.”

4. Follow best practices for strong passwords when developing your responses, such as making it at least 8 characters long and using numbers, upper and lower case letters, and special characters. The answers can be different on different websites, even if the same secret question is used. Thus a hacker won’t potentially have access to other accounts if one is compromised.

5. As with passwords, do not share the responses to your Challenge or Secret Questions, or your methodology for developing them, with anyone.

It is also advised to periodically search your name in an Internet search engine so you are aware of what information about you is freely accessible on the Internet.

For additional information on Challenge or Secret Questions, please visit:

US CERT www.us-cert.gov/cas/tips/ST04-002.html

US CERT www.us-cert.gov/cas/tips/ST05-012.html

OWASP www.owasp.org/index.php/Using_Secret_Questions


For more monthly cyber security newsletter tips visit:
www.msisac.org/awareness/news/

The information provided in the Monthly Security Tips Newsletters is intended to increase the security awareness of an organization’s end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization’s overall cyber security posture. Organizations have permission--and in fact are encouraged--to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

December 22, 2008

Technology Escrow Agreements: Safeguarding Technology Investments

"What happens to your mission-critical... application source code should the vendor go bankrupt? This is when you need a Technology Escrow service. Tech Escrow requires vendors to deposit source code into an account held by a third party agent to ensure ongoing accessibility of the software. Recent research by IDG Research Services highlights some recent trends and gaps in coverage, making the case for Technology Escrow."

See: How to Minimize Risk with a Software Vendor 'Prenup' Paper by Digital Iron Mountain under sponsorship of IDG Research.

December 19, 2008

CLLB Information Security Newsletter

December 2008
Volume 1

Pop-Ups

From the Desk of David Badertscher

We’ve all experienced Pop-up windows, or “pop-ups,” while browsing the Internet. Pop-ups may appear without any interaction or prompting by the end user. They can be innocuous, such as when used for advertising, but they can be used for malicious purposes as well. This tip will discuss what pop-ups are and what you can do to keep them from affecting the security of your computer and data.

What are Pop-Ups?
Pop-ups are often used for advertising, to entice you to click on the pop-up ad. Pop-ups can also be used in other ways, such as on a “Help” section of an online form. The pop-up can be read without interfering with the form or page you are already visiting. This technique, for example, could be used on banking or ecommerce sites so as to not interfere with the current transaction or form request.

Occasionally you may encounter a “pop-under,” which, instead of opening on top of the website you are viewing, opens underneath the current web page. That way, when you close your browser window, you are greeted with an unexpected window.

While there are legitimate uses for pop-ups, they can also be used maliciously to entice you to click the pop-up window, which then downloads spyware or malicious code without your knowledge. These kinds of pop-ups often claim to “detect a virus on your computer” or claim to be a “spyware alert!” or offer a “free product,” such as a laptop or an anti-virus program.

Usually pop-ups are executed through JavaScript, a very popular way of adding content to websites. They can also be executed through online flash programs, though these are more difficult to stop.

What if I encounter pop-ups when I am not browsing the Internet?

If you encounter pop-ups, especially an endless stream of them, it is an indication that your computer is possibly infected with spyware or a computer virus.

How can you protect yourself against unwanted or malicious pop-ups?

Most Internet browsers include pop-up blockers. They also have a setting to either completely disable JavaScript (and therefore most pop-ups) or to only allow JavaScript with the user’s permission (prompting). Both methods can usually stop advertising and malicious pop-ups. However, sometimes disabling JavaScript (whether via your browser or another program) can interfere with the “look and feel” or even functionality of a legitimate web site.

· Consider using the pop-up blocker function in your browser.

· Consider setting your browser to “Prompt” so that it asks you before enabling JavaScript.

· Never click inside the pop-up window to close it, even if it has a button or tab that says “Close,” “No Thank You,” or anything else. Instead, either click on the “X” at the top right corner of the title bar, or depending on your browser or operating system you can hold down the “Alt” key then press “F4” to close the currently opened window.

· Browse as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

· Update your operating system and web browser software.


· Set your browser security to at least “Medium” to help detect unauthorized downloads.


· Use anti-virus and anti-spyware software, and a firewall, and update them all regularly.

For additional information on pop-ups and browser protection, go to:

Recognizing and Avoiding Spyware: www.msisac.org/awareness/news/2007-06.cfm

Web Browser Attacks: www.msisac.org/awareness/news/2008-07.cfm

Browsing Safely: Understanding Active Content and Cookies: www.us-cert.gov/cas/tips/ST04-012.html

Evaluating Your Web Browser's Security Settings: www.us-cert.gov/cas/tips/ST05-001.html

Pop-up: http://en.wikipedia.org/wiki/Pop-up

Spyware: www.onguardonline.gov/topics/spyware.aspx

More News:

From SC Newswire, December 18, 2008:

Emergency Internet Explorer patch issued

Angela Moscaritolo December 17, 2008
Users are encouraged to patch immediately.

Firefox joins in security update whirlwind

Chuck Miller December 17, 2008
Along with the updates to Microsoft's Internet Explorer, Apple's Safari fixes and the latest Opera patches, Mozilla has released its own security updates for Firefox.

"Extremely severe" issues addressed with Opera 9.63 update

Angela Moscaritolo December 17, 2008
The security issues could lead to system access, disclosure of potentially sensitive information, cross-site scripting exploits, or a denial of service condition.

XSS vulnerabilities discovered in Facebook, closed quickly

Angela Moscaritolo December 16, 2008
Researchers this week released proof-of-concept code for a number of cross-site scripting flaws on Facebook, but the social networking site said it closed the vulnerabilities within hours.

Apple pushes out Mac OS X 10.5 security update

Dan Kaplan December 15, 2008
Apple on Monday released a security update for Mac OS X, addressing 21 vulnerabilities.


November 17, 2008

CLLB Information Security Newsletter

November 2008 Volume 3, Issue 11

MAIN TOPIC:

Internet Shopping – How to Enhance Your Security Online

From the Desk of David G. Badertscher
The Holidays are Approaching – Help Protect Yourself and Shop Smart!


The holiday shopping season is upon us and the volume of online shopping is increasing. According to some estimates, holiday e-commerce spending totaled $29 Billion in 2007, an increase from $24 billion in 2006. While online shopping can be convenient and time-saving, you must shop smart and take precautions to mitigate the risks.


Below are some helpful tips to follow for a safe online shopping experience:


Enhance the security of your computer. Be sure to install a firewall and make sure your computer has the most current anti-virus and anti-spyware software before you begin your online shopping. Set your default settings on your computer to “auto update.”

Use strong passwords. When creating passwords for online accounts, use at least eight characters, with numbers, special characters, and upper and lower case letters. Don’t use the same passwords for online shopping websites that you use for logging onto your computer. Never share your login and/or password.

Guard the security of your transaction. When submitting your purchase information, look for the "lock" icon on the browser's status bar and be sure “https” or “shttp” appears in the website’s address bar. The "s" stands for "secure.”

Don't email your financial information. Clear-text emails are not a secure method of transmitting financial information such as your credit card, checking account, or Social Security numbers.

Keep a paper trail and check your credit card and bank statements regularly. Print and save records of your online transactions, including the product description and price, the online receipt, and copies of every email you send or receive from the seller. Read your credit card and bank statements as you receive them and be on the lookout for unauthorized charges.

Don’t respond to pop-up messages. If you get an email or pop-up message while you're browsing, don't reply or click on the link in the message, especially if it is asking for personal or financial information. Legitimate organizations don't ask for this information in these ways.

Check the privacy policy. Know what information the merchant is collecting about you, how it will be used, and if it will be shared or sold to others. You can do this by checking the web site to make sure there is a privacy policy posted, and that you're comfortable with the way your personal information is treated under that policy. Look for seals from privacy enforcement organizations like TRUSTe or the Better Business Bureau (BBBOnLine). Be suspicious if you're asked to supply personal information not needed to make a purchase, such as your Social Security number, mother’s maiden name or other personal information.

Limit your online shopping to merchants you know and trust. If you have questions about a merchant, verify it with the Better Business Bureau or the Federal Trade Commission.

Pay by credit card. Credit or charge card transactions are protected by the Fair Credit Billing Act. (Debit cards are covered under the Electronic Funds Transfer Act, but the potential protections provided will depend upon when you report the error, loss or unauthorized use.)
Under the Fair Credit Billing Act, in the event of unauthorized use of your credit or charge card, you generally would be held liable only for the first $50 in charges. Some companies offer an online shopping guarantee that ensures you will not be held responsible for any unauthorized charges made online, and some cards may provide additional warranty, return, and/or purchase protection benefits.

Use temporary account authorizations when available. Some credit card companies offer virtual or temporary credit card authorization numbers. This kind of service gives you use of a secure and unique account number for each online transaction. These numbers are often issued for a short period of time and cannot be used after that period. Contact your credit card company to see if they offer this service.

Know who you are doing business with before placing your order. Confirm the online seller's physical address and phone number in case you have questions or problems.


What to do if you are a victim of online fraud or encounter problems with the online shopping site:

If you have problems during a transaction, you can contact the seller, buyer or site operator directly. If those attempts are not successful, you may wish to file a complaint with the following entities:

the Attorney General's office in your state

your county or state consumer protection agency

the Better Business Bureau at: www.bbb.org

the Federal Trade Commission at: www.ftc.gov/


For more information about secure online shopping, please visit the following sites:

OnGuard Online: www.onguardonline.gov/topics/online-shopping.aspx

US-CERT: www.us-cert.gov/cas/tips/ST07-001.html

StaySafeOnline www.staysafeonline.org/

Federal Trade Commission: www.ftc.gov/opa/2008/11/smartshopping.shtm and www.ftc.gov/bcp/menus/consumer/tech/online.shtm

National Consumer League’s Internet Fraud Watch: www.fraud.org/tips/internet/

WatchGuard: www.watchguard.com/infocenter/editorial/18714.asp

Online Cyber Safety: www.bsacybersafety.com/video/


For more monthly cyber security newsletter tips visit:
www.msisac.org/awareness/news/

The information provided in the Monthly Security Tips Newsletters is intended to increase the security awareness of an organization’s end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization’s overall cyber security posture. Organizations have permission--and in fact are encouraged--to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

ADDITIONAL NEWS:

From: CIO & CSO Enterprise Business Alert November 14, 2008

Top 10 Ways to Protect Against Web Threats

You can thwart many web attacks with protections at the Web Gateway. Make sure your Secure Web Gateway provides these requirements to stop malware. Users never intend to visit a malware site, but it can happen innocently enough.

Download now:
http://www.cio.com/download-center?id=50065441&source=cxoalert_entbiz111408

Selections from SC Newswire, November 11, 2008.




October 7, 2008

CLLB Information Security Newsletter

October 2008

October is National Cyber Security Awareness Month
Volume 1, Issue 6

Phishing – How to Avoid Getting Hooked!

From the Desk of David Badertscher
What is Phishing?

Phishing is a scam which attempts to entice email recipients into clicking on a link that takes them to a bogus website. The website may prompt the recipient to provide personal information such as social security number, bank account number or credit card number, and/or it may download malicious software onto the recipient’s computer. Both the link and website may appear authentic, however they are not legitimate.

How does it Work?

Have you received an email, an instant message, or another communication that just did not seem right, even though the communication appeared to be from a reputable organization? This communication could very well be a phishing scam. It’s important to note that in the past, phishing scams were often more easily detectable because of misspellings, typographical errors and blatantly bad grammar; however, they are increasingly more difficult to detect because they often appear so legitimate.


Phishing scams try to “bait” the recipient in a number of ways: the malicious email could include notice of an account cancellation, a request to verify/update personal information, a notice of a purchase that you did not make, or just about anything else that would get you to respond to the communication. The types of messages used in phishing are expanding almost every day, so it is important to be cautious of any communications you receive.


If the email communication, with its enticing subject line, is the “bait,” what is the hook? The hook is getting you, the user, to take some action that enables the phisher to obtain information or otherwise gain access. You may be “tricked” into visiting a website which appears to be a legitimate organization’s website. Once at that site, you may be asked to enter personal information. Another method of attack may be to get you to open an attachment in an email, upon which malicious code, such as a Trojan horse, will be installed onto your computer. Other variations include a telephone call, in which the phisher will ask you to provide personal information. Once the phisher has “hooked” you, they may use the information to open accounts in your name, access your bank account or make purchases using your credit card. There is also a type of phishing attack known as “spear phishing” where the attacker targets specific individuals by name, or specific organizations. For example, an email invitation to attend an event that may be of interest could be sent to an organization’s employees. When an employee clicks on the link contained in that email, malware is downloaded to the employee’s computer. The attacker may be targeting specific employee information, such as user names and passwords, or proprietary organization information.


How do I Know it is a Phishing Scam?

If you receive an email appearing to be from a legitimate business, requesting you submit personal information, it is most likely a scam. Legitimate businesses do not send emails requesting personal information.
Use an Internet search engine to research the subject line of a suspicious email to determine if that subject line is a known phishing scam.

What Can I Do?

Be cautious about all communications you receive. Think before you click.
If the communication looks too good to be true, it probably is.
If it appears to be a phishing communication, do not respond. Delete it. You can also forward it to the Federal Trade Commission at spam@uce.gov.

Do not click on any links listed in the email message and do not open any attachments contained in suspicious email.

Do not enter personal information in a pop-up screen. Legitimate companies, agencies and organizations don’t ask for personal information via pop-up screens.

Install a phishing filter on your email application and also on your web browser. These filters will not keep out all phishing messages, but will reduce the numbers of phishing attempts.

Ensure that your computer is up-to-date on all patches.

Ensure that your antivirus program is installed and up-to-date.

Use bookmarks in your web browser for the organizations with which you regularly communicate, to limit the chances of being redirected to malicious sites.

If you think you have been scammed, visit http://www.ftc.gov/idtheft.

Look for unauthorized charges or withdrawals on your credit card and bank statements/bills.

Review your credit report - visit http://www.ftc.gov for a link to request an annual free credit report.
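The “bait” and “hook” described above leave traces in the message itself: a Reply-To that routes answers to a different domain than the claimed sender, visible link text that names one site while the link leads to another, links to bare IP addresses, and the user@host URL trick that shows a familiar name before the “@”. The following Python is an added example written for this page, not code from the newsletter or from MS-ISAC; it runs those four heuristics over a constructed sample message so that a mail gateway or a help desk can flag it for human review. Every domain, address and the 198.51.100.7 address in the sample are reserved documentation placeholders, not indicators from the newsletter.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Lower-cased host of a URL, or of bare URL-like text such as www.bank.test."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _address_domain(header_value: str) -> str:
    """Domain part of the first address in a From/Reply-To header ('' if none)."""
    address = parseaddr(header_value)[1]
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def phishing_indicators(raw_message: str) -> List[str]:
    """Return the heuristic indicators that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings: List[str] = []

    # Replies silently routed to a different domain than the claimed sender.
    from_domain = _address_domain(msg.get("From", ""))
    reply_domain = _address_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    collector.close()

    for href, text in collector.links:
        href_host = _host(href)
        # Visible text that looks like an address but leads somewhere else.
        if "." in text and " " not in text:
            text_host = _host(text)
            if text_host and text_host != href_host:
                findings.append(f"link text {text_host} points to {href_host}")
        # Bare IP addresses are rare for legitimate login pages.
        if href_host and href_host.replace(".", "").isdigit():
            findings.append(f"link to raw IP address {href_host}")
        # user@host syntax shows a familiar name before the '@' but connects to host.
        authority = href.split("://", 1)[-1].split("/", 1)[0]
        if "@" in authority:
            findings.append(f"userinfo in URL hides real host {href_host}")
    return findings


# Constructed sample message; all names use reserved .test/.example domains
# and a documentation IP address. None of them come from the newsletter.
SAMPLE_MESSAGE = """\
From: "Account Services" <alerts@examplebank.test>
Reply-To: <helpdesk@examplebank-verify.test>
To: customer@example.test
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be cancelled unless you confirm your details.</p>
<p>Visit <a href="http://198.51.100.7/login">www.examplebank.test</a> now.</p>
<p>Or use <a href="http://examplebank.test@evil.example/">our secure page</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE_MESSAGE):
        print("INDICATOR:", indicator)
```

The text-versus-href comparison is deliberately strict: “www.bank.test” shown over a link to “bank.test” would be reported, so a deployed filter should compare registrable domains instead. These checks raise a flag for a person to look at; they do not replace the habit of not clicking and of reaching sites through your own bookmarks.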

For more information on phishing, please visit the following sites:

AntiPhishing Work Group: www.antiphishing.org/

OnGuard Online: www.onguardonline.gov/phishing.html

Federal Trade Commission: http://ftc.gov/bcp/menus/consumer/tech/privacy.shtm

National Consumer League’s Internet Fraud Watch: www.fraud.org/tips/internet/phishing.htm

US CERT: www.us-cert.gov/cas/tips/ST04-014.html

WatchGuard Video: www.watchguard.com/education/video/play.asp?vid=budhasmail

National Phishing Webcast- October 9, 2008 2:00pm Eastern: register at www.msisac.org

October is National Cyber Security Awareness Month

The Fifth Annual National Cyber Security Awareness Month is being celebrated during October 2008 as a collective effort among the Multi-State Information Sharing and Analysis Center, the National Cyber Security Division and the National Cyber Security Alliance to raise cyber security awareness nationwide and empower citizens, businesses, government and schools to improve their cyber security preparedness and help promote a safe Internet experience. For more information, and Awareness Materials, please visit the MS-ISAC at www.msisac.org


September 30, 2008

CLLB Information Security Newsletter

Volume 1 Issue 5

Personal Privacy – How to Protect Your Information

From the Desk of David Badertscher

As we continue to conduct more business online, such as banking, shopping and other activities, our personal information (such as name, credit card account, address, etc) is increasingly utilized. Personal information has become a frequent target for data thieves and the volume of breaches involving personal information continues to grow. According to the Privacy Rights Clearinghouse, there have been more than 240 million records containing sensitive personal information involved in security breaches to-date nationally.

What Personal Information is Collected?

Many types of organizations are interested in obtaining and using your personal information, and it’s important to know what information is being collected, by whom and how it will be used.

Websites track web users as they navigate cyberspace. Data may be collected about you as a result of many of your routine activities including:

· When you make purchases and pay bills with credit cards, you leave a data trail consisting of purchase amount, purchase type, date, and time.

· When you pay by check, data such as phone number, home address, driver’s license number, etc. may often be requested to verify your identity.

· When you use supermarket discount cards, the store is able to create a comprehensive database of everything you have purchased.

· When you surf the web, you leave a significant data trail such as your name, email address, Internet address of your computer, the name of your computer, the last time you visited that particular site, the type of browser and operating system you are using.

· When you sign up for a subscription or service (for a magazine, book or music club, professional association, warranty card, etc.) or give money to charities your personal information is often collected and stored.

Protecting Your Personal Information

The following tips should be used to help you manage your personal information wisely, to help minimize its misuse, and to lessen the risk of your personal information being compromised:

· Most legitimate websites include a privacy statement. This is usually a link at the bottom of the home page and details the type of personally identifiable information the site collects about its visitors, how the information is used—including with whom it may be shared— and how users can control the information that is gathered. Be sure to read the privacy statement on websites you are visiting prior to providing any personal information, to understand that entity’s policy regarding protection of data.

· When shopping online, guard the security of your transactions by ensuring the transaction is submitted securely. When submitting your purchase information, look for the “lock” icon on the browser’s status bar to be sure your information is secure during transmission.

· Periodically check your Internet browser settings (e.g. Security and Privacy) to ensure that the settings are adequate for your level and type of Internet activity.

· If you are not already using anti-spyware or adware protection software, start now. This software is designed to protect against spyware or malware designed to extract private information from your computer without your knowledge. Make sure you keep the anti-spyware or adware protection programs updated.

· Be sure to have a firewall installed and enabled on your computer.

· If you store private data on your laptop or other portable electronic devices (e.g. USB drives), use encryption software to protect your private data in the event the device is lost or stolen.

· Use strong passwords on all your accounts, such as a minimum of eight characters and a mix of special symbols, letters and numbers.

· To protect against identity theft, always question someone who is asking you to reveal any personally identifiable information. Find out how it will be used and whether it will be shared with others.

· Keep items with personal information in a safe place. When you discard receipts, copies of credit applications, insurance forms, health records, bank statements, or other personal documents, tear or shred them.

· Order a copy of your free annual credit report. Make sure it’s accurate and includes only those activities you’ve authorized.

References

To learn more about protecting your privacy, you may wish to visit the following sites:

· Identity Theft: www.ftc.gov/bcp/menus/consumer/data/idt.shtm
· Consumer Action: www.consumer-action.org
· Electronic Privacy Information Center: www.epic.org
· Privacy Rights Clearinghouse: www.privacyrights.org
· World Privacy Forum: www.worldprivacyforum.org
· Free Annual Credit Report: www.annualcreditreport.com
· US-CERT Tips for Strong Passwords: www.uscert.gov/cas/tips/ST04-002.html

News from SC Magazine Newswire
September 30, 2008.

Study: Few internet users exercise caution
Angela Moscaritolo September 25, 2008
In a recent study, researchers found that most users are susceptible to tricks that could potentially open them up to attacks by malicious software.

Group tells FTC more RFID security guidance is needed
Angela Moscaritolo September 24, 2008
The Federal Trade Commission should tighten regulations around the use of RFID, urged an industry group.

No charges in Palin hacker investigation
Dan Kaplan September 24, 2008
A federal grand jury has failed to return an indictment against the University of Tennessee student accused of hacking into vice-presidential candidate Sarah Palin's webmail account.

The information provided in these Newsletters is intended to increase the security awareness of an organization’s end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization’s overall cyber security posture.

Organizations have permission--and in fact are encouraged--to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Brought to you by:

http://www.msisac.org


August 7, 2008

CLLB Information Security Newsletter
August 2008, Volume 1, Issue 4

Firewalls
From the Desk of David Badertscher

What is a firewall and why should I use one?

A firewall is a software program or hardware device that filters the inbound and outbound traffic between your network or computer and the Internet. Firewalls add a layer of protection by blocking unauthorized and potentially dangerous data from entering your computer or network. Firewalls are especially critical for users who have an “always on” connection to the Internet.

Some users may think that data residing on their computer is not valuable and therefore a firewall is not necessary. However, even small pieces of information can be obtained by a hacker and used to steal identities and other personal data. In addition, hackers may be interested in taking over your computer to store illegal materials or launch other attacks that can leave a trail back to your computer. Once a hacker gets access to your computer, the intruder may have access to resources and data stored on your machine.

What does a firewall protect me from?

Firewalls can help protect your data and computer by blocking the following:

• unsolicited traffic/malware from coming into your computer or network
• traffic from known malicious computers
• specific traffic you don’t want leaving your computer or network
• programs, protocols and ports that you specify
• attempts to access or attack your computer

Firewalls can also log activity, and these logs should be reviewed periodically to identify any anomalous or unexpected activity.

What type of firewall should I use?

There are two types of firewalls: hardware and software. A hardware firewall is usually an external device that sits between your computer and your connection to the Internet. A software firewall (also known as a personal firewall) runs directly on your computer. This firewall is the most common type for home users.

The selection of a firewall is dependent on what is being protected. The value of the assets, the complexity of the computers or networks, and their usage of the Internet will dictate the type and size of firewall that should be used.

Make sure you have a firewall--selected based on your business or personal needs--and that it is enabled.


Before enabling a firewall, read the documentation carefully to ensure proper configuration. A properly configured firewall can save you hours of recovery or rebuilding of data.

Below are some areas for consideration when installing a firewall:

• allow only the traffic that you need
• enable the “automatic update” feature if one exists and also periodically check the firewall vendor’s website for the latest software updates
• enable the logging feature and review the logs regularly
• change the default “administrator” account (if available) and password
• disable the remote management option (if available)
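
The two items about allowing only the traffic you need and reviewing the logs regularly are easier to act on with a concrete reviewing routine. The Python below is an added example written for this page, not code from the newsletter or from MS-ISAC: it parses a small constructed set of firewall log lines (the log format, the addresses and the baseline of expected outbound ports are assumptions made for the example) and reports the three things a periodic review most needs to surface: one outside address probing many closed ports, an inbound connection the firewall allowed that is not on an explicit inbound allow-list, and an outbound connection to a port outside the normal baseline.

```python
import re
from collections import defaultdict

# Constructed sample of personal-firewall log lines in a simplified format
# (date time ACTION DIRECTION PROTO src:port -> dst:port). The format is an
# assumption for this example, not the output of any particular product.
SAMPLE_LOG = """\
2009-06-20 08:12:01 DROP IN TCP 203.0.113.7:40211 -> 192.168.1.10:445
2009-06-20 08:12:02 DROP IN TCP 203.0.113.7:40212 -> 192.168.1.10:139
2009-06-20 08:12:03 DROP IN TCP 203.0.113.7:40213 -> 192.168.1.10:135
2009-06-20 08:12:04 DROP IN TCP 203.0.113.7:40214 -> 192.168.1.10:3389
2009-06-20 08:12:05 DROP IN TCP 203.0.113.7:40215 -> 192.168.1.10:22
2009-06-20 08:30:10 ALLOW OUT TCP 192.168.1.10:51000 -> 198.51.100.20:80
2009-06-20 08:30:11 ALLOW OUT TCP 192.168.1.10:51001 -> 198.51.100.20:443
2009-06-20 08:45:00 ALLOW OUT TCP 192.168.1.10:51002 -> 198.51.100.99:6667
2009-06-20 09:00:00 ALLOW IN TCP 198.51.100.5:33000 -> 192.168.1.10:5900
2009-06-20 09:05:00 DROP IN UDP 198.51.100.77:5353 -> 192.168.1.10:5353
this line is not a log record and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|DROP) (?P<direction>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed baseline of outbound ports a home PC normally needs (DNS, web, mail).
EXPECTED_OUTBOUND_PORTS = frozenset({53, 80, 443, 25, 110, 143, 993, 995})


def parse_line(line):
    """Parse one log line into a dict of fields, or return None if it is not a record."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def review_log(text, scan_threshold=4, expected_out_ports=EXPECTED_OUTBOUND_PORTS,
               expected_in_ports=frozenset()):
    """Return the findings a periodic log review should look at more closely.

    probing_sources: outside addresses whose dropped inbound attempts hit at least
        scan_threshold distinct ports (one host trying many closed doors).
    unexpected_inbound_allowed: inbound connections the firewall permitted to ports
        not on the explicit inbound allow-list (empty by default: a home PC normally
        needs no inbound rules at all).
    unexpected_outbound: outbound connections to ports outside the baseline, which
        is how unwanted software "calling home" tends to show up in the log.
    """
    dropped_ports_by_src = defaultdict(set)
    findings = {"probing_sources": {}, "unexpected_inbound_allowed": [], "unexpected_outbound": []}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        inbound = rec["direction"] == "IN"
        if rec["action"] == "DROP" and inbound:
            dropped_ports_by_src[rec["src"]].add(rec["dport"])
        elif rec["action"] == "ALLOW" and inbound and rec["dport"] not in expected_in_ports:
            findings["unexpected_inbound_allowed"].append((rec["src"], rec["dport"]))
        elif rec["action"] == "ALLOW" and not inbound and rec["dport"] not in expected_out_ports:
            findings["unexpected_outbound"].append((rec["dst"], rec["dport"]))
    findings["probing_sources"] = {
        src: sorted(ports)
        for src, ports in dropped_ports_by_src.items()
        if len(ports) >= scan_threshold
    }
    return findings


def format_report(findings):
    """Render the findings as plain text lines for the person doing the review."""
    lines = []
    for src, ports in findings["probing_sources"].items():
        lines.append(f"{src} probed {len(ports)} closed ports: {ports}")
    for src, port in findings["unexpected_inbound_allowed"]:
        lines.append(f"inbound connection from {src} to port {port} was ALLOWED; is that rule still needed?")
    for dst, port in findings["unexpected_outbound"]:
        lines.append(f"outbound connection to {dst}:{port} is outside the baseline; which program made it?")
    return lines


if __name__ == "__main__":
    for line in format_report(review_log(SAMPLE_LOG)):
        print(line)
```

Running the module prints the report for the sample log. Adapting it to a real firewall means replacing LINE_RE with the product's own log format and EXPECTED_OUTBOUND_PORTS with what the computer actually uses; the "allow only the traffic that you need" principle is what keeps the inbound allow-list empty on most home computers.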

A firewall is a very valuable tool to protect your data and your computers, but it must be selected, installed, configured, monitored, and maintained effectively to do its job. It’s also important to note that although firewalls can block intruders, viruses or unwanted traffic from getting into your computer, using a firewall is not a complete solution to security. Firewalls should be used along with anti-virus, anti-spyware, and anti-spam software, as part of a defense-in-depth strategy for protecting your computer from various forms of malware (viruses, worms, trojans, etc.), hackers, and others who want your data or your computer for illegal or malicious purposes.

Remember: Cyber Security is Your Responsibility. Always apply safe cyber security practices to protect the data on your computer or network.

References
To learn more about firewalls, please visit the following sites:

MS-ISAC - Beginners Guide to Firewalls
http://www.cscic.state.ny.us/localgov/#download

US-CERT
http://www.us-cert.gov/cas/tips/ST04-004.html

How Stuff Works - Firewalls
http://computer.howstuffworks.com/firewall.htm

Firewalls for Dummies
http://www.dummies.com/WileyCDA/DummiesTitle/Firewalls-For-Dummies-2nd-Edition.productCd-0764540483.html

Resources – For previous issues of the Monthly Cyber Security Tips Newsletter go to:
http://www.msisac.org/awareness/news/


Brought to you by:

http://www.msisac.org


April 17, 2008

CLLB Information Security Newsletter

April 2008 Volume 1, Issue 3

From the Desk of David Badertscher

SOCIAL ENGINEERING: ARE YOU AT RISK?

The term “social engineering” can be defined in various ways, relating to both physical and cyber aspects of that activity. For the purposes of the discussion in this newsletter, social engineering refers to an approach to gaining access to information, primarily through misrepresentation, that often relies on the trusting nature of most individuals. It involves the conscious manipulation of people to obtain information without the individual realizing that a security breach is occurring. Most users are familiar with email phishing scams (a form of social engineering) and have been taught not to open attachments from unknown or untrusted sources or to visit untrusted web sites. There are other ways that a perpetrator may prey on trusting human nature to gain access to information or systems.

Below are several examples of social engineering methods, many of which rely on direct contact with an individual, along with suggestions to minimize the likelihood that such methods will be successful.

IMPERSONATION

In this situation, the perpetrator pretends to be someone else - for example, impersonating a senior official from your organization or someone from your Help Desk. The impersonation may occur over the telephone, in person, or via email. The perpetrator may try to make you feel obligated to assist, or under pressure to follow their directions. They may use intimidation or a false sense of urgency to seek your cooperation – prompting you to react before you’ve fully thought through the consequences.

Remember to follow your internal procedures when responding to requests for sensitive or confidential information. Never give out your password to anyone, even if they claim to be from “technical support.”


PIGGYBACKING or TAILGATING

All too often, people will hold the door open for someone entering a secure area or building without even knowing who the individual is or asking where they are going. The unauthorized individual may pretend to be a delivery person, a visitor, or even a fellow employee. Be cautious if an unknown or unauthorized individual is trying to follow you through access doors.

SHOULDER SURFING

This scenario refers to the ability of an attacker to gain access to information by simply watching what you are typing or seeing what is on your computer screen. This is known as “shoulder surfing,” and can also be done by looking through a window, doorway, or simply listening in on conversations. Be aware of your work environment and who is around you when you are working with confidential information, or even when you are typing in your password. Do not let others see you type your password, and protect your computer screen from unauthorized viewing. Computers in public areas should not have the monitors facing outward.

BAITING

This scenario involves an attacker asking a variety of seemingly innocuous questions designed to “catch” the right answers. The attack is often done over the telephone but can also be done in person. New topics may be introduced based on the replies received, and small facts are interjected at the right moments to make requests for information sound legitimate. Information you know could be valuable to an attacker--whether that information is about your work environment, fellow employees, projects, or personal information--must be handled with extreme care. Be mindful of what you say to whom.

SURVEYS

Many of us have no doubt been recipients of requests to participate in surveys—whether online, via telephone or otherwise. The surveys may be for legitimate purposes or might be a scam. In either case, be aware of unwittingly disclosing information that may be used inappropriately. For example, disclosure of details about your organization, its network or infrastructure could prove extremely useful to someone with malicious intent. If you receive a survey request, you should contact the sponsoring organization to ensure the survey is legitimate, and make sure you are not sharing sensitive or confidential information with unauthorized individuals or organizations.

DUMPSTER DIVING

Do you shred all unneeded confidential or sensitive documents? Searching through trash (“dumpster diving”) is a method used by perpetrators to obtain sensitive information. When confidential and sensitive documents are no longer needed, be sure to shred or properly destroy them in accordance with your organization’s records retention policy.

PUTTING IT ALL TOGETHER

The scenarios above represent just a few types of social engineering attempts you may encounter. By following some common sense rules and using your best judgment, you can defend against these attacks and better protect yourself and your information:

1. Before releasing any information to anyone, it is essential to at least establish: the sensitivity of the information, your authority to exchange or release the information, the real identity of the third party (positive identification), and the purpose of the exchange.

2. Be aware of your surroundings. Make sure you know who is in range of hearing your conversation or seeing your work. Computer privacy screens are a great way to deter shoulder surfing in public places.

3. Before you throw something in the trash, ask yourself, “Is this something I would give to an unauthorized person or want to become publicly available?” If you are not certain, always err on the side of caution and shred the document or deposit it in a secure disposal container.

4. If you don’t know someone who is in a restricted area, look for a badge or a visitor pass. If you are unsure about their authorization or access permission, report the situation to the appropriate staff.

SECURITY NEWS UPDATE FROM CERTSTATION TMA:

Dutch transit card crippled by multihacks Wed, Apr 16 2008
The introduction of the Dutch public RFID transit pass will be delayed because it can be easily hacked. The final blow was given by researchers from Royal Holloway, University of London, who confirmed earlier findings by Dutch Institute TNO that the card isn't properly secured.

Researchers uncover undetectable chip hack Wed, Apr 16 2008
For years, hackers have focused on finding bugs in computer software that give them unauthorised access to computer systems, but now there's another way to break in: hack the microprocessor.

Regulatory compliance 'irrelevant' to security Tue, Apr 15 2008
Companies who get hung up on regulatory compliance are developing a false sense of security which leaves them just as open to malware attacks, the chief exec of tools vendor Protegrity has warned.

Criminals phish for CEOs via fake subpoenas Tue, Apr 15 2008
Panos Anastassiadis didn't click on the fake subpoena that popped into his in-box on Monday morning, but he runs a computer security company. Others were not so lucky.

For more monthly cyber security tips, please visit: www.msisac.org/awareness/news/

Brought to you by:

www.msisac.org


March 7, 2008

CLLB Information Security Newsletter
March 2008, Volume 1, Issue 2

Annual Maintenance For Computers

From the Desk of David Badertscher

Perform Annual Maintenance in Conjunction With Daylight Savings Time Change

In addition to your routine security and maintenance processes, you should perform an annual PC “tune up” or maintenance to be sure that your computer is operating efficiently, that appropriate software updates and settings have been applied and to minimize the risk of losing your data. Performing your annual check up with the switch to Daylight Savings Time is a great way to develop an annual schedule. One important step to take before performing maintenance is to back up all your data, in case anything goes wrong during your maintenance.

System and Data Backups - Review, update and test your file backup process.

If you do not have a backup system, consider purchasing a portable backup hard drive.
Check your scheduled “backup” scheme to see if it is still applicable. Add folders and files to be backed up as necessary. Test the restore function for the backed up files to ensure the restore works properly. Create a folder on your computer and restore your backup to the folder. Afterwards, delete the test folder.

Firewall - Check your firewall settings, and confirm that you have a current licensed version with updates applied.

Review settings for product configurations. Confirm settings are appropriate for the current level of security needed. Review firewall settings to ensure they are configured for automatic updates (if available), known applications are allowed, known inappropriate sites are blocked and known port scans are blocked. Confirm that the firewall is updated and that the license is current (if applicable).

Internet Browser - Check your browser configuration to ensure you have appropriate secure zone settings.

Review current zone settings (Tools/Internet Options/Security tab) for appropriate levels. The minimum level of security should be the default level which is set at Medium-High for the Internet zone. Adjustments can be made based on your needs. Confirm “Automatic Update” settings for your browser are set properly (applied at least weekly or as available).

Anti-Virus, Anti-Spam, and Anti-Spyware - Check all products for current versions and updates.

Confirm “Automatic Update” settings are set properly (applied at least weekly or as available). Confirm that applicable updates have been applied and that you have current versions and updates for all products. You may need to visit the vendor site for details. Confirm that your software licenses are current (if applicable). Run complete virus and anti-spyware scans on all drives. This should be done on a weekly basis.

Other Computer Software - Update other frequently used software programs, especially those that interface with the Internet.

Some software programs have “Automatic Update” features, others do not. Check your software programs (media players, music players, Adobe, etc.) for updates and new software versions. Follow the instructions within each program for updating.

The recommendations below are designed for the Windows XP Operating System (since this is the most prevalent operating system) and thus some steps may be slightly different with other Windows operating systems.

Operating System - Check for updates and remove unneeded programs.

Confirm that the “Automatic Update” settings are set properly (applied at least weekly or as available). Confirm that applicable updates (Critical, Important) have been applied to your operating system (Settings/Control Panel/Add or Remove Programs and click Show updates).
Remove old System Restore Points – Use Start/Control Panel/System/System Restore tab, check “Turn off System Restore” box to remove all restore points except the most recent.
Remove unneeded programs and “trial” programs. Go to Settings/Control Panel/Add or Remove Programs to uninstall a program.

Hard Disk Drive Maintenance - Ensure your hard disk is operating at peak efficiency.

Scan your Hard Disk for errors. In Windows Explorer select the drive then right click-Properties/Tools/Check Now/.

Check “Automatically fix file system errors” and “Scan for and attempt recovery of bad sectors.” Defragment your Hard Disk Drive. The data on your hard drive can become separated, or fragmented, which makes your computer less efficient. Defragmenting physically reorganizes the data so that the pieces of each file are stored close together for more efficient storage and retrieval. In Windows Explorer select the drive then right click-Properties/Tools/Defrag Now.
Remove old files and emails on your PC. Remember to empty the “Recycle Bin” or “Deleted Items” (Outlook) folders.

Clean up your disk to remove cookies, temp files, cache, and history files. Go to Start/Program/Accessories/System Tools/Disk Cleanup.

Additional resources for PC maintenance can be found at:

Microsoft PC Care Online

www.microsoft.com/athome/moredone/maintenance.mspx

Microsoft Backup Utility

http://support.microsoft.com/kb/308422/

For more cyber security monthly tips go to: www.msisac.org/awareness/news/

More News:

From SC Magazine Newswire March 4, 2008.

Fake Department of Justice complaint-spam strikes again
Jim Carr March 03, 2008
"In what could presage a rash of tax-time spam emails purportedly from government agencies, security researchers at MX Logic have uncovered an influx of keylogger-laden emails spoofing the U.S. Department of Justice (DOJ)."

Sourcefire offers weak outlook following rough fourth quarter
Dan Kaplan February 29, 2008
"A dismal earnings forecast this week from intrusion prevention maker Sourcefire underscores some of the challenges facing public IT security companies, a pair of analysts said Friday."

Report outs banks with most ID theft complaints
Sue Marquette Poremba February 29, 2008
"Consumers, regulators, and businesses have no way to reliably assess the incidences and frequency of identity fraud at major financial institutions, a new study concludes."

Survey: IT security employees in demand, but skills lack
Sue Marquette Poremba February 28, 2008
"There is a wide gap between IT security skills that organizations need and the skills IT professionals bring to the job, according to a new survey by the Computing Technology Industry Association (CompTIA)."

From Government Computer News, March 7, 2008.

Biometrics accreditation planned
"The Homeland Security Department has asked the National Institute of Standards and Technology to develop a Biometrics Laboratory Accreditation Program that would accredit laboratories to evaluate biometric ID systems."

February 29, 2008

How to Build Your Own Wikipedia

"Wikis are useful business tools. With planning and some staff time, you can make your own online collection of useful articles, tailored to your organization's needs, to communicate about business processes, manage collective know-how and more." Since many libraries, including law libraries, have expressed an interest in incorporating wikis into their programs and services, we have included a link to the article "How to Build Your Own Wikipedia," by Margaret Locher, CIO, February 27, 2008. This is a "hands on" article which addresses issues many of us are beginning to encounter. Comments are welcome.

February 21, 2008

Information Security Update: February 21, 2008

The following is some updated information that we thought might be of interest. This is not a separate issue of the Newsletter:

NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION CYBER INFORMATION BULLETIN

DATE ISSUED: February 21, 2008

SUBJECT: Malicious Email Messages Referencing the Lunar Eclipse

One state reported that they received a large number of malicious email messages which reference the “lunar eclipse” and include a link purporting to show video of a lunar eclipse. Clicking on the link connects users to a site that will deliver malware to client machines. Presently, some commercial antivirus products are not detecting this malware. The addresses hosting the malware are reported to be constantly changing, thus minimizing the impact of blocking the offending sites.

We recommend that organizations warn users of the risks associated with visiting unknown or un-trusted Web sites and clicking on links provided in email messages.

As this example demonstrates, be advised that attackers may use current events (such as the recent lunar eclipse, various holiday greetings, and the 2008 Presidential Election) to entice users to visit Web sites, click on links, open attachments, or perform other actions that could lead to system compromise.


February 8, 2008

CLLB Information Security Newsletter February 2008

While reviewing responses to readers of this blawg, I noticed that many seem interested in postings related to information security. Therefore, as an experiment beginning with this posting I plan to include an occasional newsletter covering topics and issues related to information security.

As an added activity I serve on an Information Security Committee at my organization. This experience has certainly increased my awareness of the importance of information security issues to all of us, including law librarians. Let's see how this works. Comments are welcome.

David Badertscher

February 2008

Volume 1, Issue 1

Securing a Wireless Network

From the Desk of David Badertscher

Is a Wireless Network Secure?

Wireless networks are not as secure as the traditional “wired” networks, but you can minimize the risk on your wireless network (at home or at work) by following the tips below.

How Does it Work?

The standard set up for a wireless network requires two components: a Wireless Access Point (WAP) and a computer with a wireless network adaptor. Properly configuring a wireless device can be challenging and the steps will vary depending on the manufacturer. If you do not feel comfortable doing it yourself, be sure that whoever is configuring the wireless network follows these best practices.

Wireless Access Point (WAP)

The WAP connects to your high speed Internet connection or your internal network. This is the foundation for building a wireless network. It provides the ability to use a computer without being constrained by the distance of a wire. Keep in mind that metal filing cabinets as well as certain building materials, such as bricks and blocks, can interfere with or limit the range, that is, the distance between your wireless computer and the wireless access point. Generally, the indoor range for a WAP is approximately 125 feet.

Wireless Network Adaptor

A wireless network adaptor, used for transmitting and receiving information, is required for each computer you intend to connect to a WAP. When purchasing wireless networking hardware from separate vendors, be sure to obtain guarantees that the hardware will conform to defined standards and interoperate properly. The wireless network adaptor is usually built into laptop computers while it is an add-on component inserted into a USB port on desktop computers.

Enable Encryption

Every wireless network should enable encryption. Encryption scrambles the data in a way that if your signal is intercepted there is reduced risk of someone being able to eavesdrop or monitor your communications. There are several standards of encryption common to most WAPs. Wired Equivalency Privacy (WEP) is the older standard. WEP has a number of known security flaws and should only be used if no other method of encryption is available. Be sure to set the WEP authentication method to “shared key” instead of “open system.” Under “open system” the initial sign-on is encrypted but the data is not. Newer wireless access points include Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2). WPA2 is the stronger and the preferred method of encryption.

Change the Default Password

Change the default password that comes with your WAP. The default passwords used by manufacturers are well known to the hacking community. Be sure to use a strong password, at least eight characters including numbers and special characters.
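
Both this tip and the earlier privacy tip give the same minimum: at least eight characters mixing letters, numbers and special symbols. As an added example, not code from the newsletter or from MS-ISAC, the following Python checks a candidate password against that rule and reports each failing criterion. It goes one step beyond the text by also rejecting passwords built from a common or default word (the word list here is a small constructed stand-in for the much longer lists real tools use), since a password like Password1! satisfies the composition rule while being built from exactly the kind of well-known word the default-password warning is about.

```python
import string

# Composition rule from the newsletter: at least eight characters, mixing letters,
# numbers and special symbols.
MIN_LENGTH = 8

# Constructed stand-in for the "well known" default and common passwords the
# newsletter warns about; a real deployment would load a much larger list.
COMMON_WORDS = frozenset({
    "password", "admin", "administrator", "letmein", "welcome", "qwerty", "default",
})


def policy_failures(password, min_length=MIN_LENGTH):
    """Return the reasons a password fails the composition rule; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        reasons.append("no letters")
    if not any(c.isdigit() for c in password):
        reasons.append("no numbers")
    if not any(c in string.punctuation for c in password):
        reasons.append("no special symbols")
    return reasons


def is_common_base(password, common_words=COMMON_WORDS):
    """True if the password is a common word, or a common word padded with digits/symbols.

    Stripping leading and trailing digits and punctuation is what catches "Password1!"
    or "1admin!": the padding satisfies the composition rule, but the word underneath
    is on every common-password list.
    """
    core = password.lower().strip(string.digits + string.punctuation)
    return core in common_words or password.lower() in common_words


def evaluate(password):
    """Combine both checks into one verdict that a sign-up form or admin tool can act on."""
    reasons = policy_failures(password)
    if is_common_base(password):
        reasons.append("built from a common or default word")
    return {"acceptable": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("Password1!", "short1!", "password123", "Tr0ub4dor&3"):
        verdict = evaluate(candidate)
        status = "ok" if verdict["acceptable"] else "; ".join(verdict["reasons"])
        print(f"{candidate!r}: {status}")
```

The two functions are deliberately separate: policy_failures tells the user which part of the stated rule they missed, while is_common_base catches the case the rule alone cannot, a password that is technically compliant but trivially guessable.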

Change SSID Name

The Service Set Identifier (SSID) is the name of your wireless network. Default SSIDs are well known, often the name of the manufacturer and easy to guess. Change the SSID name to something unique and be careful not to use a name that freely discloses information. For example, avoid using your family name. Avoid descriptive or functional names as well, such as “Payroll” or “Accounting” since this would advertise an attractive target for an attacker.

Turn Off SSID Broadcasting

By turning off SSID Broadcasting, your wireless access point does not advertise its presence. It is similar to having an unlisted telephone number. This is a way to reduce the visibility of your network to others in your neighborhood. The only way to connect to a WAP with SSID Broadcasting turned off is to know the SSID name and password.

Use MAC Filtering on Your WAP

The MAC (Media Access Control) address is the unique ID assigned to your computer’s network interface card. It is referred to as the computer’s “physical address.” Enabling MAC filtering on your WAP allows you to designate and restrict which computers can connect to your WAP. If the computer’s address is not listed, a wireless connection cannot be made to the WAP. To look up a MAC address on a Windows computer, go to “Start” then “Run” and type “cmd”. A new window will open and you will need to type ipconfig /all and press the enter key. A number of attributes will be displayed. The MAC address is identified as the “Physical Address.”
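
As an added example (not from the newsletter or from MS-ISAC), the Python below works through the MAC filtering step end to end: it parses a constructed excerpt of ipconfig /all output (adapter names and addresses are made up for the example), pulls the Physical Address of each adapter, normalizes the hyphenated Windows form to the colon form most WAP configuration pages expect, builds the allow-list from the wireless adapters, and then evaluates a connecting address the way the WAP's filter would. The assumption that the wireless adapter's section name contains "Wireless" matches the Windows XP default name "Wireless Network Connection".

```python
import re

# Constructed excerpt of "ipconfig /all" output from a Windows XP machine, in the
# layout the newsletter describes. Adapter names and addresses are made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LIBRARY-PC

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example 802.11g Wireless Adapter
        Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-1A-2B-AA-BB-CC
        Media State . . . . . . . . . . . : Media disconnected
"""

# Section headers are unindented lines ending in ":" that name an adapter.
ADAPTER_RE = re.compile(r"^(\S.*\badapter\b.*):\s*$", re.IGNORECASE)
# The "Physical Address" row, with its dotted leader and the value after the colon.
PHYSICAL_RE = re.compile(r"^\s*Physical Address[ .]*:\s*(\S+)\s*$")


def normalize_mac(raw):
    """Canonicalize a MAC written with hyphens (Windows), colons or dots to aa:bb:cc:dd:ee:ff.

    ipconfig prints 00-1A-2B-3C-4D-5E while many WAP pages want 00:1a:2b:3c:4d:5e;
    comparing the two without normalizing is a common reason a listed computer is
    still refused.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_ipconfig(text):
    """Map each adapter section of ipconfig output to its normalized Physical Address."""
    adapters = {}
    current = None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        phys = PHYSICAL_RE.match(line)
        if phys and current is not None:
            try:
                adapters[current] = normalize_mac(phys.group(1))
            except ValueError:
                pass  # malformed value on this row; leave the adapter out rather than guess
    return adapters


def build_allow_list(ipconfig_outputs, name_filter="wireless"):
    """Collect the MACs of the adapters that will actually associate with the WAP.

    Only adapters whose section name contains name_filter are taken (Windows XP names
    the built-in one "Wireless Network Connection" by default); pass None to take all.
    """
    allowed = set()
    for text in ipconfig_outputs:
        for name, mac in parse_ipconfig(text).items():
            if name_filter is None or name_filter.lower() in name.lower():
                allowed.add(mac)
    return allowed


def is_allowed(mac, allow_list):
    """Decide, as the WAP's MAC filter does, whether a connecting adapter is on the list."""
    try:
        return normalize_mac(mac) in allow_list
    except ValueError:
        return False


if __name__ == "__main__":
    allow_list = build_allow_list([SAMPLE_IPCONFIG])
    for name, mac in parse_ipconfig(SAMPLE_IPCONFIG).items():
        print(f"{name}: {mac}")
    print("allow-list:", sorted(allow_list))
    print("00-1A-2B-3C-4D-5E allowed:", is_allowed("00-1A-2B-3C-4D-5E", allow_list))
```

MAC filtering identifies the adapter but does not protect the traffic; the encryption step above (WPA2) is what does that, so treat filtering as a supplement to encryption rather than a substitute for it.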

RF Interference

Assuming your WAP functions in the 2.4 GHz range, you may experience Radio Frequency (RF) interference from other 2.4 GHz devices, such as cordless phones, microwaves and baby monitors. These devices can limit wireless performance. To manage the problem, limit sources of RF interference in proximity to the WAP.

Additional resources for wireless networks can be found at:
Wireless Network Tutorial including manufacturer step by step procedures.
http://spotlight.getnetwise.org/wireless/wifitips/
Microsoft: www.microsoft.com/technet/network/wifi/wifisoho.mspx

For more monthly tips go to: www.msisac.org/awareness/news

FROM IT SECURITY NEWS:

Bush wants a security clearance reform plan by April 30
The memo's language reflects concerns that longstanding security
clearance practices are preventing employees and contractors from
beginning work. (fcw)
http://www.1105newsletters.com/t.do?id=866100:3309489