September 23, 2010

CLLB Information Security Newsletter

Volume 3 Number 9 September 2010.


Detecting and Avoiding Fake Anti-Virus Software

From the Desk of David Badertscher

Your Computer Is Infected with Malware!

You may be familiar with this or similar messages appearing on a website, urging you to take action purportedly designed to clean your allegedly infected computer. Unfortunately, these messages are often scams that attempt to install malicious software (malware) onto your computer. Such software is referred to as rogue (fake) anti-virus malware, and the incidents are increasing. Last year, the FBI reported an estimated loss to victims in excess of $150 million from this type of scam[1].

How can my system get infected?

These types of scams can be perpetrated in a number of ways, including via website pop-up messages, web banner advertisements, spam and posting on social networking sites. Scams are also appearing via the use of “tweeting.” The rogue software scam generally uses social engineering to make the user believe his or her machine is infected and that by taking action (clicking on the link provided) the machine will be cleaned. If you click on the malicious link, you may be downloading malware onto your machine. The names of the fake programs sound legitimate, and often, in a further attempt to make the malware appear legitimate, the programs may prompt you to pay for an annual subscription to the service.

Some varieties of rogue anti-virus programs will also get installed on your machine without any interaction by you: your machine could be compromised just by you visiting a website with a malicious ad or code and you wouldn’t know.

What is the impact from rogue anti-virus software?

Rogue anti-virus software might perform many activities, including installing files to monitor your computer use, stealing credentials, installing backdoor programs, and adding your computer to a botnet. The installation of malware could result in a hijacked browser (i.e., the browser navigates to sites you did not intend), the appearance of new or unexpected toolbars or icons and sluggish system performance. Another concern related to rogue anti-virus software is the false sense of security you may have, erroneously believing your machine is protected by anti-virus software when in fact it is not.

What can I do to protect my computer?

Applying computer security best practices will help protect your machine and minimize any potential impacts.

1. Don’t click on pop-up ads that advertise anti-virus or anti-spyware programs. If you are interested in a security product, don’t try to access it through a pop-up ad; contact the retailer directly through its homepage, retail outlet or other legitimate contact methods.

2. Don’t download software from unknown sources. Some free software applications may come bundled with other programs, including malware.

3. Use and regularly update firewalls, anti-virus, and anti-spyware programs. Keep these programs updated regularly. Use the auto-update feature if available.

4. Patch operating systems, browsers, and other software programs. Keep your system and programs updated and patched so that your computer will not be exposed to known vulnerabilities and attacks.

5. Regularly scan and clean your computer. Scan your computer with your anti-spyware once a week.

6. Back up your critical files. In the event that your machine becomes infected, having backups of your important files will facilitate recovery.

NOTE: Regarding the above recommendations, many organizations have formal processes that automatically update and patch appropriate software, scan computers and perform file back-ups. In these cases, no end user action is necessary.

For more information, please visit:

Partial Listing of Rogue Security Software: http://en.wikipedia.org/wiki/Rogue_software

Free Security Checks: www.staysafeonline.info/content/free-security-check-ups

Malware: www.onguardonline.gov/topics/malware.aspx

Spyware: www.onguardonline.gov/topics/spyware.aspx

For more monthly cyber security newsletter tips visit:
www.msisac.org/awareness/news/

The above information is from tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/. This information is intended to increase the security awareness of an organization’s end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization’s overall cyber security posture.

MORE NEWS AND INFORMATION:


The Data Liberation Movement
By Rob May
TechNewsWorld
09/17/10 5:00 AM PT

Despite the advanced portability of data, the world's largest cloud computing vendors are fighting to lock their customers within their proprietary formats. But it does not need to be this way. Data liberation is a movement that is gaining momentum among enterprises and cloud vendors alike. These progressive businesses and consumers desire to control their data regardless of its location.

http://www.technewsworld.com/story/The-Data-Liberation-Movement-70844.html


Database Security Survey by Oracle: Budget is Top Concern of Administrators
By Brian Prince on 2010-09-16

Database administrators have a busy job keeping up with the mountains of data being created and managed by enterprises every day. Unfortunately, security can sometimes get the short end of the stick on the list of IT priorities. In its annual survey, the Independent Oracle Users Group discovered many of the issues that database professionals confronted in 2010 are virtually the same as the issues they tackled in 2009. The survey, conducted by Unisphere Research, polled 430 data managers and IT professionals in the user group. The report found a number of problems in how databases are managed, including a lack of monitoring, encryption and user management. These issues impacted database environments both big and small. However, the good news is that the percentage of respondents whose IT security spending went up was greater in 2010 than in past years. So just where should enterprises spend their security money when it comes to databases? The answer is that help is needed in several areas. Here, eWEEK takes a look at what those areas are and how IT managers can deal with these issues.

http://www.eweek.com/c/a/Database/Database-Security-Budget-Top-Admins-Concerns-Oracle-User-Survey-Says-786379/?kc=EWWHNEMNL09212010STR5


Defuse the Data Breach Time Bomb

By Linda McGlasson. Agency Insider Blog of Banking Information Security, September 20, 2010.

It's the hidden data breach threat to which everyone has access, and it is probably very near your own office.
I'm talking about the ubiquitous printer, copier, and fax machine that everyone uses. It's also a ticking time bomb. Last week, the Federal Deposit Insurance Corporation issued new guidance on stopping this risk in the FDIC Bulletin, Guidance on Mitigating Risk Posed by Information Storage on Photocopiers, Fax Machines and Printers (FIL-56-2010), September 15, 2010.

http://blogs.bankinfosecurity.com/posts.php?postID=716&rf=2010-09-23-eb

September 9, 2010

CLLB Information Security Newsletter

Volume 3 Number 8 August 2010.

From the Desk of David Badertscher

Protecting Children Online.

What are the threats online?

Children are spending more of their time online than ever before. According to one study, 8-18 year-olds spend an average of 1.5 hours a day using a computer outside of school[1]. As use of the Internet and online technologies becomes more ingrained into our everyday lives, it is important we ensure that our youth understand how to use these powerful tools and how to protect themselves from becoming cyber victims. Children of all ages face online risks, including the following:

· Inappropriate Contact: Children may come in contact with individuals with malicious intent, such as bullies and predators.

· Inappropriate Content: Children may be exposed to inappropriate content while online, such as violent or sexually explicit material.

· Inappropriate Conduct: Children have a sense of anonymity while online and may do things that they would not do when face to face with someone.

· Identity Theft: Because of the perceived sense of anonymity online, children may post personal or identifying information that can then be used by identity thieves.

How do I keep my children safe?

There are steps parents, educators and others who work with children can take to help keep children safe on-line:

· Computer Location: Keep your computer in a central and open location in your home.

· Supervise Access: Supervise computer access for children and monitor the types of sites visited. Consider using parental control tools on your home computer. These tools are provided by some Internet Service Providers or are available for purchase as a separate software package. You may be able to set some parental controls within your browser. As an example, in Internet Explorer click on Tools on your menu bar, select Internet Options, choose the Content tab, and click the Enable button under Content Advisor. (For other browsers, contact the vendor to determine what parental controls are included.)

· Establish Rules: Create guidelines for computer use. Include the amount of time that may be spent online and the type of sites that may be visited. Post these rules near the computer.

· Personal Information: Teach children not to post or share personal information such as their photograph, address, age or activity schedule. Create a safe screen name that does not reveal personal information about the child.

· Web Filtering: Use web filtering software that restricts access to inappropriate websites and content.

· Communication: Maintain an open line of communication. Encourage children to come to you if they feel threatened online.

· Cyberbullying: Teach children not to respond to cyberbullies. Report incidents of cyberbullying to school administrators and local law enforcement when appropriate.

Here are some resources focused on protecting children online.

· NET CETERA: Chatting with Kids About Being Online: http://www.ftc.gov/bcp/edu/pubs/consumer/tech/tec04.pdf

· iKEEPSafe Internet Safety Coalition: http://www.ikeepsafe.org/PRC/

· StaySafeOnline: http://www.staysafeonline.org/content/protect-your-children-online

· GetNetWise: http://kids.getnetwise.org/safetyguide/

· Netsmartz: http://www.netsmartz.org/index.aspx

The above information is from tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

For additional monthly cyber security newsletter tips visit: www.msisac.org/awareness/news/

MORE NEWS AND INFORMATION:

Free Webinar: Hacking Exposed Live! September 2010, 11:00 AM PDT / 2:00 PM EDT

Web 2.0: New avenues for blended attacks

In this FREE webcast, McAfee Senior Systems Engineer Erik Elsasser will join Hacking Exposed co-author and McAfee Senior Vice President and General Manager, Risk and Compliance, Stuart McClure to analyze the stages of a blended attack. While today's blended attacks use a number of avenues, including social media, to deliver a malicious payload, they often follow a similar pattern. In this webcast, they will discuss and demonstrate the attack stages.

Click here to Register and obtain additional information.

Highlights: Strategic Security Survey: Global Threat, Local Pain
08/30/2010 Highlights of exclusive InformationWeek Analytics research as it appears in "Global Threat, Local Pain," our report assessing whether the high-profile infiltration of corporate networks worldwide (Google China leaps to mind) is forcing execs to reconsider their security strategies and pony up related resources.

White Paper: Cloud Based Security Survey.

Summary:
If you aren’t frightened by the changing threat landscape, you should be. Security threats are on the rise and cybercriminals are finding new ways to take advantage of Web ubiquity to scam users, breach personal information, and steal billions of dollars.

What needs to be done and how? This white paper concludes:

• The threat landscape is changing.
• Existing solutions are no longer enough.
• Large organizations need to join cloud-based security communities.


August 16, 2010

CLLB Information Security Newsletter

Volume 3 Number 7 July 2010


PROTECTING DATA CONTAINED IN COPIERS AND PRINTERS

From the Desk of David Badertscher

What kind of data can be stored in copiers and printers?

You are probably familiar with many of the standard best practices for safeguarding your data, such as avoiding carrying unencrypted sensitive data on portable devices; using a complex password; and keeping your PC current with updated anti-virus software and security patches. However, do you realize that another important aspect of safeguarding your data means taking precautions about the information contained on printers or copiers?

Increasingly, printers, copiers and related devices come with hard drives capable of storing large volumes of information. The data you print, copy, scan, or fax may be stored on the hard drive permanently.

Recent news coverage has highlighted the fact that confidential information can be recovered from printers, copiers and similar devices after they are sent to surplus or returned to the vendor at the end of their lease. Some of the confidential information recently reported to be found on these machines included social security numbers, birth certificates, bank records, income tax forms, medical records, and pay stubs with names.

How do I keep my data secure?

Assume that any document that you printed or scanned is stored on the device. At a minimum, be aware that when you dispose of your printer, fax, copier or scanner, there may be a hard drive containing images of all of your documents. In order to properly dispose of the device, have the hard drive securely wiped before you give the device away or sell it, or if the device’s hard drive is removable, remove the drive entirely and have it securely destroyed.

Individuals and organizations should review the following recommendations for printers, copiers, scanners, and faxes:

· Settings: Configure the devices to encrypt the data, if possible.

· New Devices: Purchase/lease devices with disk encryption and immediate data overwriting capability.

· Disposal: Remove or wipe the hard drive before disposal.

· Use of Public Devices: Be cautious if using public printers/copiers/scanners/faxes for documents containing confidential information.

Additional Information:

· Identity Theft Awareness: http://www.identity-theft-awareness.com/digital-copiers.html

· Identity Theft Fixes: http://www.identitytheftfixes.com/company_copiers_and_identity_theft_--_is_your_company_at_ris.html

· CBS News - Digital Photocopiers Loaded With Secrets: http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml

· SANS Reading Room: http://www.sans.org/reading_room/whitepapers/networkdevs/auditing-securing-multifunction-devices_1921

· Xerox: http://www.xerox.com/information-security/product/enus.html

· Canon: http://www.usa.canon.com/cusa/production/standard_display/security-main-page
· HP: http://h71028.www7.hp.com/enterprise/cache/617575-0-0-225-121.html

· Toshiba: http://www.copiers.toshiba.com/usa/security/device-security/index.html

For additional monthly cyber security newsletter tips visit: www.msisac.org/awareness/news/

The above information is from tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

MORE NEWS AND INFORMATION.

Bandwidth Bandit - Symantec White Paper.

Summary:
Internet bandwidth is a finite and expensive resource; protect it from spammers, criminals, hackers, time-wasters and employee misuse. Your company’s internet link is precious. Not only is it expensive and limited but it is a vital business tool. Yet our analysis shows that companies can lose around a quarter of their internet bandwidth to employee web misuse, streaming media and spam. Imagine if you had to give up a quarter of your office space for non-work activities; it’s inconceivable. But when it comes to internet bandwidth, most companies don’t even know about the loss, let alone take steps to prevent it.

Part of the problem is that the internet is designed to continue operating even if links are busy or damaged; indeed that’s the whole point of it. This means that you probably don’t notice if your emails take longer to deliver, web pages take longer to load and internet phone and video conferences are lower quality. It all sort of works and you expect the occasional hiccup.

Download White Paper Here

Six Reasons to Worry About Cybersecurity

By William Jackson

Daily Government Computer News August 16, 2010.

The threats from increasingly professional cyber criminals, spies and hackers are evolving to address the adoption of new technologies and platforms by government and private-sector enterprises.



July 1, 2010

CLLB Information Security Newsletter

Volume 3 Number 6 June 2010

From the Desk of David Badertscher

Home Personal Computer (PC) Maintenance for Windows Operating Systems

Why do I need to maintain my home PC?

As with most types of equipment, you must perform periodic maintenance on your home PC to keep it in good operating condition. Performing maintenance will help your PC run faster, use resources more efficiently, and could save you from headaches caused by system failures and degradation. Most importantly, proper PC maintenance is crucial in order to protect your machine from security threats such as worms, viruses and other malicious activity.

How do I keep my home PC maintained?

Note: The following steps are provided to help ensure that your home PC operates effectively and securely. Most of the tips can be performed with moderate knowledge of PCs and can generally be completed in a short time. More detailed, in-depth assistance may be required in some instances, in which case you may wish to consult a qualified computer repair professional.

§ Establish and maintain a plan. Make a plan to perform periodic maintenance and put it on your calendar as a reminder. Back up critical files, system files and programs before beginning.

§ Set a System Restore Point. Before you begin your periodic maintenance or make any significant changes, set up a system restore point, which will enable recovery from any error that may occur during maintenance. To set a System Restore Point, click Start, All Programs, Accessories, System Tools, System Restore, Create a Restore Point. (For “Classic” Start Menu: click Start, Programs, Accessories, System Tools, System Restore, Create a Restore Point.)

§ Remove unnecessary files or programs. Empty your Recycle Bin and delete Windows temporary files. Remove installed programs that you no longer use. The Disk Cleanup program does all of these tasks including the deletion of unneeded Windows components. To access the Windows Disk Cleanup program, click: Start, All Programs, Accessories, System Tools, Disk Cleanup. (For “Classic” Start Menu, click: Start, Programs, Accessories, System Tools, Disk Cleanup.) In Internet Explorer, clear your history, temporary Internet files, and cookies by clicking on Tools, Internet Options and selecting the tab labeled “General.” Click on the Delete button under the section labeled “Browsing history.”
Finally, archive or delete old files such as documents, images and graphics that are no longer needed.

§ Optimize system performance. Configuring your PC software to operate as efficiently as possible will help your PC run faster and smoother. Organize your data files in a central folder with appropriate subfolders (do not save files in the root directory or on the desktop). This makes backup easier and can reduce fragmentation on your hard drive.

§ Run a defragment tool on your disk drive. To do so, click Start, All Programs, Accessories, System Tools, Disk Defragmenter. (For “Classic” Start Menu, click Start, Programs, Accessories, System Tools, Disk Defragmenter.)

§ Apply updates and patches. Make sure your operating system and software applications have the latest updates installed—and that the auto-update feature is enabled. Ensure that your anti-virus/anti-spyware/anti-adware software is running and receiving automatic updates. Check vendor and manufacturer websites for device driver updates, and apply patches as needed. Renew all maintenance contracts/subscriptions.

§ Perform regular backups. All critical files, as well as any information not easily replaced should be backed up. Check backup functions to ensure they are operating properly. Back up your files to a remote location (external hard drive or PC).

§ Check your firewall. Review firewall settings for product configurations. Confirm that settings are appropriate for the current level of security needed.

§ Routinely change your passwords. Routinely change all of your passwords for local applications, as well as those used for websites. Use strong passwords with at least eight characters and incorporate a mix of numbers, special characters, and upper and lower case letters.

§ Perform hardware inspections. Perform a visual check of your PC hardware to prevent potential problems before they occur. This includes examining your surge suppressor, UPS, power strip, and cables for any damage. Replace batteries as needed.

Additional Tips

· Multi-State Information Sharing and Analysis Center Cyber Security Tips Newsletter - http://www.msisac.org/awareness/news/2008-03.cfm

· Small Business Computing - http://www.smallbusinesscomputing.com/testdrive/article.php/3864116/7-Basic-Windows-PC-Maintenance-Tips.htm

· Tips4PC - http://www.tips4pc.com/articles/computer%20maintenance/computer_maintenance_checklis_tips.htm

· Sensible-Computer-Help - http://www.sensible-computer-help.com/computer-maintenance-tips.html

· Microsoft - http://www.microsoft.com/athome/setup/maintenance.aspx

For more monthly cyber security newsletter tips visit: www.msisac.org/awareness/news/

The above information is from tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

MORE NEWS AND INFORMATION:

What is Information Security?
WiseGeek.com
http://www.wisegeek.com/what-is-information-security.htm

Information security is the process of protecting information. It protects its availability, privacy and integrity. Access to stored information on computer databases has increased greatly. More companies store business and individual information on computer than ever before. Much of the information stored is highly confidential and not for public viewing.

The 2010 Information Security Summit features 2 days of talks, presentations, hands-on workshops, and a vendor trade-show fair. Information Security Technology, Business/Management, Law Enforcement and Legal issues are featured.

The conference will take place October 14-15, 2010 at Corporate College East in Warrensville Heights, Ohio. Corporate College East is located at 4400 Richmond Road between Harvard and Emery Roads in Warrensville Heights. The facility is easily accessible from Interstate 271.
https://www.informationsecuritysummit.org/

Coalition Formed to Tackle Bank Account Scams
By Marcia Savage, Site Editor
SearchFinancialSecurity.com

"A coalition of banks, financial trade associations, federal regulators, and law enforcement agencies is studying a variety of best practices and technologies to thwart the criminal hijacking of accounts and other bank account scams."

http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1515845,00.html

Demystifying Governance, Risk, Compliance
By David Schneier
Information Security Magazine June 2010
Registration required for access to full article.

GRC aims to bring together disparate compliance efforts in the enterprise, but the concept has been stymied by a lack of clarity. Developing a GRC program requires three key steps.

http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1514262,00.html

May 26, 2010

CLLB Information Security Newsletter

Volume 3 Number 5 May 2010

Identity Theft

From the Desk of David Badertscher

What is Identity Theft?

Identity theft is a crime in which your personal information such as your name, social security number, date of birth, and address is stolen and may be used by someone to assume your identity, often for the purpose of financial gain. It is also referred to as “identity fraud” when the stolen identity is used to impersonate the victim. Methods a criminal may use to steal your data over the Internet include hacking or using spam and phishing. Social media sites and file sharing can be prime targets for identity thieves, since users often make the assumption of a trusted environment, sharing personal information without understanding the consequences.

Identity theft is not just a risk for those who use the Internet. Criminals can obtain information by sorting through garbage, eavesdropping, stealing wallets, picking up receipts at restaurants, and other means.

Once enough information is gathered, criminals may open new credit card accounts, apply for loans, empty your bank accounts, make charges on your credit card, or develop fake forms of identification.

Identity thieves will not always use the information themselves. They may sell it to underground markets for financial gain.

What can I do to protect my identity?

• Ensure that any computer used to connect to the Internet has proper security measures in place. Use and maintain anti-virus software and keep your application and operating system patches up-to-date.
• Do not follow links provided by unknown or un-trusted sources.
• Do not open e-mail attachments from unknown users or suspicious e-mails from trusted sources.
• If you employ file sharing programs, check the configuration settings to ensure you are not inadvertently sharing your personal information.
• Be careful what personal information you distribute, particularly on social networking sites, and continuously check to see what information others may be posting about you. Also verify your privacy settings to ensure you are not inadvertently sharing your personal information.
• Check your credit reports from all three major credit bureaus (Equifax, Experian, and TransUnion) at least once a year. You are entitled to one free credit report from each bureau every year. You may wish to stagger your requests to check a different credit bureau every four months.
• Guard your personal information, including your social security number. Don’t carry your social security card with you, and don’t provide your social security number to anyone unless they have a legitimate need for it.
• Don’t put your social security number or driver’s license number on your checks.
• Be aware of your surroundings when providing personal information orally. Watch for eavesdroppers.
• Properly discard hard copy documents containing personal information. A crosscut paper shredder works best.

What do I do if my identity has been stolen?

The first step is to notify your bank, and any other entities with which you have accounts, to inform them that someone may be using your account fraudulently. File a report with your local police and report the event to the Federal Trade Commission. It is helpful to have your financial statements available to better explain your situation.

Contact all three major credit bureaus to request a credit report, and have a fraud alert or a credit freeze placed on your credit reports to prevent accounts from being opened without your permission.

Continue to monitor all of your accounts for any suspicious activity.

Additional Information:

• Multi-State Information Sharing and Analysis Center - www.msisac.org/webcast/02_06/info/resourses.cfm || www.msisac.org/webcast/02_06/

• Federal Trade Commission
www.ftc.gov/bcp/edu/microsites/idtheft/

• Identity Theft Resource Center
www.idtheftcenter.org/

• Test your Identity Theft Knowledge
www.idtheftcenter.org/artman2/publish/c_theft_test/index.shtml

• National Cyber Security Alliance
www.staysafeonline.org/content/protect-yourself

For more monthly cyber security newsletter tips visit: www.msisac.org/awareness/news/

The above information is from tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/
_______________________

MORE NEWS AND INFORMATION:

At a Technology Managers Forum on May 13, 2010 devoted to information security issues, Spencer Parker, Director of Product Management at Cisco, gave a keynote presentation titled Dispelling The Myths of Cloud Security. In his presentation Mr. Parker examined the truth behind five common myths about cloud security and outlined the factors fueling its rapid growth. He also presented data from real companies utilizing the cloud, such as:

Employee time spent on Facebook applications.
Ongoing prevalence of data theft Trojans.
A look at advanced, granular reporting capabilities.

Interview with Brian Hengesbaugh, partner with Baker & McKenzie, on global security and privacy challenges

In a May 2010 interview and podcast reported by Bank Info Security.com, Brian Hengesbaugh, partner in the Chicago office of the law firm Baker & McKenzie, observes there is nothing smooth about navigating the tricky waters of data security and privacy on a global basis. Regulations vary and often conflict with one another. Click here to read the interview and link to the podcast.


April 22, 2010

CLLB Information Security Newsletter

Volume 3 Number 4 April 2010.

Cloud Computing

From the Desk of David Badertscher

What is Cloud Computing?

Cloud computing is a growing trend in information technology as organizations look for ways to save money and add flexibility to their operations. Cloud computing, while still an evolving service, provides on-demand network access to a shared pool of computing resources such as networks, servers, storage and applications. The pooling of resources allows the provider to rapidly scale to meet changing customer demands. The service is typically provided through a large data center. Cloud computing can be divided into three types: Software as a Service, Platform as a Service, and Infrastructure as a Service.

Software as a Service (SaaS): Provides ready for use web-based applications such as email that are maintained centrally by a provider (e.g., Gmail, Salesforce.com).
Platform as a Service (PaaS): Provides programming languages and tools that can be used by application developers to create and deploy applications on the web.
Infrastructure as a Service (IaaS): Provides computing resources, such as virtualized servers and storage, whose usage is rented from a provider (e.g., Amazon EC2, Windows Azure).

In addition, cloud computing can be private (available for a single organization/group of users), open to the public, or some combination of these models[1].

The growth in cloud computing is fueled by economies of scale. Cloud computing allows users to pay for what they need, when they need it.

What are the Security Concerns with Cloud Computing?

There are security and privacy concerns that must be considered before moving to cloud computing, including the following:

Vendor Security: Cloud computing customers rely on providers to implement appropriate security measures to protect the confidentiality, integrity, and availability of data. Be wary of providers who are reluctant to share details of their security architecture/practices with customers.

Isolation/Segregation: Users access cloud computing resources via a virtual machine hosted on an unknown physical machine[2]. The physical machine may be shared with other users. Providers must ensure that multiple customers do not interfere with each other, maliciously or unintentionally.

Data Location: Providers may have data centers located in other countries. Be sure your vendor contract stipulates any restrictions you may have on the physical location of where your data is stored.

Management Interface: Customers access the cloud management interface via the Internet, thus increasing exposure to potential attack.

Reputation Sharing: Bad behavior by one cloud customer may impact others using the cloud. For example, a customer engaging in spamming may cause a common cloud IP address to be blacklisted.

Provider Viability: What happens to your organization’s applications and data in the event that the provider goes out of business?

Compliance: Placement of data in the cloud does not eliminate an organization’s need to meet legal and regulatory requirements such as PCI or HIPAA. Organizations will need timely assistance from cloud computing providers to fulfill investigation/audit requirements.

What Should Organizations Do?

Organizations should fully research the risks and benefits of cloud computing before moving to that environment. It is critical that security requirements are addressed in contractual agreements in advance. In addition, there are steps organizations should take when using cloud computing:

· Data Classification: Consider the sensitivity of your data before making a decision of whether or not to put it in the cloud.

· Encryption: Encrypt sensitive data before placing it in the cloud.

· Authentication: Consider requiring multifactor authentication for access to cloud computing resources.

· Vulnerability Assessment: Include a requirement for a security review or vulnerability assessment as part of the service level agreement with the provider.

· Monitor: Require close monitoring of cloud computing resources by providers for unauthorized activity.

· Backup: Ensure that your backup data is not commingled with that of other customers.

· Notification: Require providers to provide timely notification of any potential data security breach.

The above comments are from information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

Additional Information:

[1] The NIST Definition of Cloud Computing. October 2009. http://csrc.nist.gov/groups/SNS/cloud-computing/

[2] D. Hilley. Cloud Computing: A Taxonomy of Platform and Infrastructure-level Offerings. April 2009. http://www.cercs.gatech.edu/tech-reports/tr2009/git-cercs-09-13.pdf

Cloud Security Alliance: http://www.cloudsecurityalliance.org/
M. Armbrust et al. Above the Clouds: A Berkeley View of Cloud Computing. February 2009

More News.

Amazon Debunks Top Five Myths of Cloud Computing
e-Week News April 9, 2010.

"As the 5th International Cloud Computing Conference & Expo (Cloud Expo) opens in New York City on April 19, Amazon Web Services (AWS) is tapping into the attention the event is placing on cloud computing to address what the company views as some of the more persistent myths related to the cloud."

Censorship Circumvention Via Kaleidoscope

Video of Jinyang Li's Mar 25 lecture hosted by the New York City Chapter of the Internet Society about the Kaleidoscope system for getting around Internet censorship. The talk explains how traditional censorship workarounds like proxies and P2P can easily be discovered and defeated, but how Kaleidoscope - which passes encrypted data through trusted relays - defies such efforts.

http://www.isoc-ny.org/?p=1485

April 12, 2010

CLLB Information Security Newsletter

Volume 3 March 2010

Security and Privacy on Social Networking Sites

From the Desk of David Badertscher

What are the security and privacy issues associated with social networking sites?

Social networking sites have become very popular avenues for people to communicate with family, friends and colleagues from around the corner or across the globe. While there can be benefits from the collaborative, distributed approaches promoted by responsible use of social networking sites, there are information security and privacy concerns. The volume and accessibility of personal information available on social networking sites have attracted malicious people who seek to exploit this information. The same technologies that invite user participation also make the sites easier to infect with malware that can shut down an organization’s networks, or keystroke loggers that can steal credentials. Common social networking risks such as spear phishing, social engineering, spoofing, and web application attacks attempt to steal a person’s identity. Such attacks are often successful because users assume they are in the trusting environment that social networks create.

Security and privacy related to social networking sites are fundamentally behavioral issues, not technology issues. The more information a person posts, the more information becomes available for a potential compromise by those with malicious intentions. People who provide private, sensitive or confidential information about themselves or other people, whether wittingly or unwittingly, pose a higher risk to themselves and others. Information such as a person’s social security number, street address, phone number, financial information, or confidential business information should not be published online. Similarly, posting photos, videos or audio files could lead to an organization’s breach of confidentiality or an individual’s breach of privacy.

What are the precautions I should take?

Below are some helpful tips regarding security and privacy while using social networking sites:


· Ensure that any computer you use to connect to a social media site has proper security measures in place. Use and maintain anti-virus software and keep your application and operating system patches up-to-date.

· Use caution when clicking a link to another page or running an online application, even if it is from someone you know. Many applications embedded within social networking sites require you to share your information when you use them. Attackers use these sites to distribute their malware.

· Use strong and unique passwords. Using the same password on all accounts increases the vulnerability of these accounts if one becomes compromised.

· If screen names are allowed, do not choose one that gives away too much personal information.

· Be careful who you add as a “friend,” or what groups or pages you join. The more “friends” you have or groups/pages you join, the more people have access to your information.

· Do not assume privacy on a social networking site. For both business and personal use, confidential information should not be shared. You should only post information you are comfortable disclosing to a complete stranger.

· Use discretion before posting information or commenting about anything. Once information is posted online, it can potentially be viewed by anyone and may not be retracted afterwards. Keep in mind that content or communications on government-related social networking pages may be considered public records.

· Configure privacy settings to allow only those people you trust to have access to the information you post. Also, restrict the ability for others to post information to your page. The default settings for some sites may allow anyone to see your information or post information to your page; these settings should be changed.

· Review a site’s privacy policy. Some sites may share information such as email addresses or user preferences with other parties. If a site’s privacy policy is vague or does not properly protect your information, do not use the site.

Additional Information:

MS-ISAC Monthly Cyber Security Tips Newsletter: Social Networking Sites: How To Stay Safe
www.msisac.org/awareness/news/2009-03.cfm

OnGuardOnline: www.onguardonline.gov/topics/social-networking-sites.aspx

StaySafeOnline – National Cyber Security Alliance: www.staysafeonline.org/blog/staying-safe-social-media-web-sites
Social Networking Privacy - A Parent’s Guide: www.ftc.gov/bcp/edu/pubs/consumer/tech/tec13.shtm

US-CERT--Staying Safe on Social Network Sites: www.us-cert.gov/cas/tips/ST06-003.html

The above comments are from information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

MORE NEWS AND INFORMATION:

Is it Time to Create A Social Media Policy to Protect Liability?

From: Lexology March 24, 2010

"...the clear take-away for employers is that proactive measures to adopt clear, written procedures on social media and blogging policies may reduce exposure for employee statements. Effective policies should educate employees on the types of statements that require disclosure, prohibit false and misleading employee statements, require that employee endorsements be submitted to management or marketing for approval prior to posting and provide for response measures when violations occur. Additionally, well written policies can work to address exposure under other applicable laws, such as those related to disclosures by public companies under Regulation FD and the protection of company trade secrets."

Faces of Fraud 2010

From: The Field Report with Tom Field April 2, 2010.

"Payment cards, ACH, ATM - these are the forms of fraud that have made the biggest news so far in 2010. But there's another variation preying upon banking institutions, too, and it deserves its own headlines."

Cloud Security's Seven Deadly Sins

By: Kathleen Lau, Computerworld Canada

March 31, 2010

"A security expert warns organizations making a foray into cloud computing may know familiar terms like multi-tenancy and virtualization, but that doesn't mean they understand everything about putting applications in the cloud."



February 2, 2010

CLLB Information Security Newsletter

Volume 3 Number 1 January 2010

From the Desk of David Badertscher

As we begin the new year, it’s an opportune time to assess the cyber security landscape and prepare for what new challenges may lie ahead, as well as what current threats may continue.

What Are the Cyber Trends for 2010?

· Malware, worms, and Trojan horses: These will continue to spread by email, instant messaging, malicious websites, and infected non-malicious websites. Some websites will automatically download the malware without the user’s knowledge or intervention. This is known as a “drive-by download.” Other methods will require the users to click on a link or button.

· Botnets and zombies: These threats will continue to proliferate as the attack techniques evolve and become available to a broader audience, with less technical knowledge required to launch successful attacks. Botnets designed to steal data are improving their encryption capabilities and thus becoming more difficult to detect.

· Scareware – fake/rogue security software: There are millions of different versions of malware, with hundreds more being created and used every day. This type of scam can be particularly profitable for cyber criminals -- as many users believe the pop-up warnings telling them their system is infected and are lured into downloading and paying for the special software to “protect” their system.

· Attacks on client-side software: With users keeping their operating systems patched, client-side software vulnerabilities are now an increasingly popular means of attacking systems. Client-side software includes things like Internet browsers, media players, PDF readers, etc. This software will continue to have vulnerabilities and subsequently be targeted by various malware.

· Ransom attacks: These occur when a user or company is hit by malware that encrypts their hard drives or they are hit with a Distributed Denial of Service (DDoS) attack. The cyber criminals then notify the user or company that if they pay a small fee, the DDoS attack will stop or the hard drive will be unencrypted. This type of attack has existed for a number of years and is now gaining in popularity.

· Social Network Attacks: Social network attacks will be one of the major sources of attacks in 2010 because of the volume of users and the amount of personal information that is posted. Users’ inherent trust in their online friends is what makes these networks a prime target. For example, users may be prompted to follow a link on someone's page, which could bring users to a malicious website.

· Cloud Computing: Cloud computing is a growing trend due to its considerable cost savings opportunities for organizations. Cloud computing refers to a type of computing that relies on sharing computing resources rather than maintaining and supporting local servers. The growing use of cloud computing will make it a prime target for attack.

· Web Applications: There continues to be a large number of websites and online applications developed with inadequate security controls. These security gaps can lead to the compromise of the site and potentially to the site’s visitors.

· Budget cuts: These will be a problem for security personnel and a boon to cyber criminals. With less money to update software, hire personnel and implement security controls, enterprises will be trying to do more with less. By not having up-to-date software, appropriate security controls or enough personnel to secure and monitor the networks, organizations will be more vulnerable.

What Can I Do?

The following are helpful tips to assist in minimizing risk:

· Properly configure and patch operating systems, browsers, and other software programs.

· Use and regularly update firewalls, anti-virus, and anti-spyware programs.

· Be cautious about all communications; think before you click. Use common sense when communicating with users you DO and DO NOT know.

· Do not open email or related attachments from untrusted sources.

Additional Information:

IBM’s Top Security Trends for 2010: http://www.internetnews.com/security/article.php/3849636/

Symantec’s 'Unlucky 13' Security Trends for 2010:
http://www.internetnews.com/security/article.php/3849371

SANS Top Cyber Security Risks: http://www.sans.org/top-cyber-security-risks/

Bankinfosecurity.com article: http://www.bankinfosecurity.com/articles.php?art_id=1926

PC World: http://www.pcworld.com/article/182889/new_banking_trojan_horses_gain_polish.html

Panda Labs 2009 Annual Malware Report:
http://www.pandasecurity.com/img/enc/Annual_Report_Pandalabs_2009.pdf

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

OTHER NEWS AND VIEWS:

DARPA: Calling All Cyber Geneticists
Technology sought would develop cyber equivalent of DNA to identify cyberattackers

By Ben Bain
Jan 29, 2010
Federal Computer Week
"The Defense Advanced Research Projects Agency is looking for technologists who can think like scientists to develop and use the cyber equivalent of fingerprints or DNA to pinpoint the origins of a cyberattack...."
____________________

False sense of cybersecurity
Paul Bell
GCN Government Computer News
January 13, 2010.
Newly appointed National Cybersecurity Coordinator Howard Schmidt has a big job ahead of him. Getting individuals, businesses and government to take greater responsibility is one of three places he should start.

December 22, 2009

CLLB: Information Security Newsletter

Volume 2 Number 12 December 2009.

Automatic Software Updates and Patching

From the Desk of David Badertscher

Security vulnerabilities are flaws in the software that could allow someone to potentially compromise your system. Each year, the volume of software security vulnerabilities discovered increases, and the hacking tools available to exploit these vulnerabilities become more readily available and easier to use. Vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office are prime targets of attacks on computers connected to the Internet. Recent statistics reported show that 48% of the cyber attacks identified in the second quarter of 2009 were targeted against vulnerabilities in Adobe Acrobat/Adobe Reader[1], and in October 2009 Microsoft released patches for a record number of security holes. No entity is immune to vulnerabilities, so we must ensure we understand the risks and take appropriate mitigation steps.

Why do I need to update my software?

One of the basic tenets of computer security is to update your operating system and other software installed on your computer. Software updates fix problems in the software, add functionality, and most importantly, fix vulnerabilities that impact the security of the software and subsequently your computer. These vulnerabilities can lead to your computer—and information that resides on it—being compromised. Exploitation of vulnerabilities may occur by opening documents, viewing an email which contains malicious code or visiting a web site hosting malicious content. Seventy percent of the top 100 web sites hosted malicious content or contained a link designed to redirect users to malicious sites.[2]

What is a software patch (fix) and when should I install software patches?

Patches are often called "fixes." A patch is software that is used to correct a problem in an application (software program) or an operating system. Computer companies are continuously addressing security holes (i.e., vulnerabilities) in computer software which could be used to infect your computer with a virus, spyware or worse. When vulnerabilities are discovered, the software vendor typically issues a fix (i.e., patch) to correct the problem. This fix should be applied as soon as possible since the average time for someone to try to exploit this security hole can be as little as a few minutes. Most major software companies will periodically release patches, usually downloadable from the Internet, that correct very specific problems in their software programs.

My computer includes hundreds of software programs -- which ones do I need to update and how often?

One of the challenges facing the average computer user is to know which software needs to be updated and how often. Software programs that communicate or interact with the Internet are especially susceptible to attacks and should be kept at a vendor-supported version and current on all patches.

Many software programs include a feature called “auto update.” This feature allows the computer to check for updates at periodic intervals. The software will automatically check for updates and save them to your computer. Some updates will instruct you to “reboot” your computer before the software update can be applied.

At a minimum, you should enable the auto update feature on the following products:

· Anti-virus and Anti-spam signatures: anti-virus and anti-spam software requires regular updates to virus and spam signatures to remain effective. New viruses and other types of malware appear every day and the anti-virus/anti-spam vendors release new signatures on a daily basis to stay on top of the new threats.

· Windows Office software: Word, Excel, Outlook, etc. (see below for updating Windows software)

· Internet Browsers: e.g., Internet Explorer (Microsoft), Firefox (Mozilla), Safari (Apple) and Chrome (Google). Make sure you update any software you use for browsing the Internet.

· Adobe products: e.g., Adobe Reader, Adobe Acrobat, Flash, Shockwave

· Media Players: e.g., Windows Media Player (Microsoft), QuickTime (Apple), Real Player (Real Networks) and Flash Player (Adobe)

· Java (Sun Microsystems): Java is software that is installed on most computers to allow users to play online games, conduct online chats, and view images in 3D, among other functions. It is also used for Intranet applications and other e-business solutions.

· Other software programs that communicate or interact with the Internet, like e-mail, web servers, and remote desktop software, are especially susceptible to attacks and should be kept current on patches and version levels.

It is very important to promptly download and patch your operating system and programs whenever security updates or “service packs” become available. These patches are created to protect systems against potential attacks. Be aware that attacks sometimes occur before updates are released.

How do I update my Microsoft Windows programs?

Windows Update is a Microsoft service that provides updates for the Windows operating system and other Microsoft software. Installing Windows updates, such as “service packs” and other patches, is necessary to keep your Windows system secure. To activate Windows Update, go to Settings/Control Panel/Automatic Updates. When you turn on Automatic Updates, Windows routinely checks the Windows Update web site for high-priority updates that can help protect your computer from the latest viruses and other security threats. These updates can include security updates, critical updates, and “service packs.” Depending on the setting you choose, Windows automatically downloads and installs any high-priority updates that your computer needs, or notifies you as these updates become available. Be sure to set the auto updates to daily, as patches can be released at any time.

Note: Many organizations have formal processes to patch systems that will automatically update all appropriate software. In these situations, no end user action is required.

******************************

Source: 1. F-Secure
Source: 2. SC Magazine

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/
__________________________________________


November 18, 2009

CLLB: Information Security Newsletter

Volume 2 Number 11 November 2009

Online Holiday Shopping Tips

From the Desk of David Badertscher

The holiday season is approaching quickly and many of us will be shopping online. comScore estimates that in one day alone last year -- Cyber Monday on December 1 -- $846 million was spent in online shopping, marking a 15% jump from 2007. With the increased volume of online shopping, it’s important that consumers understand the potential security risks and know how to protect themselves and their information.

The following tips are provided to help promote a safe, secure online shopping experience:

Secure your computer. Make sure your computer has the latest security updates installed. Check that your anti-virus/anti-spyware software is running and receiving automatic updates. If you haven’t already done so, install a firewall before you begin your online shopping.

Upgrade your browser. Upgrade your Internet browser to the most recent version available. Review the browser’s security settings. Apply the highest level of security available that still gives you the functionality you need.

Ignore pop-up messages. Set your browser to block pop-up messages. If you do receive one, click on the "X" at the top right corner of the title bar to close the pop-up message.

Secure your transactions. Look for the "lock" icon on the browser's status bar and be sure “https” appears in the website’s address bar before making an online purchase. The "s" stands for "secure" and indicates that communication with the webpage is encrypted. Some browsers can be set to warn the user if they are submitting information that is not encrypted.

Use strong passwords. Create strong passwords for online accounts. Use at least eight characters, with numbers, special characters, and upper and lower case letters. Don’t use the same passwords for online shopping websites that you use for logging onto your home or work computer. Never share your login and/or password.

Do not e-mail sensitive data. Never e-mail credit card or other financial/sensitive information. E-mail is like sending a postcard and other people have the potential to read it.

Do not use public computers or public wireless to conduct transactions. Don’t use public computers or public wireless for your online shopping. Public computers may contain malicious software that steals your credit card information when you place your order. Criminals may be monitoring public wireless for credit card numbers and other confidential information.

Review privacy policies. Review the privacy policy for the website/merchant you are visiting. Know what information the merchant is collecting about you, how it will be used, and if it will be shared or sold to others.

Make payments securely. Pay by credit card rather than debit card. Credit/charge card transactions are protected by the Fair Credit Billing Act. Cardholders are typically only liable for the first $50 in unauthorized charges. If online criminals obtain your debit card information they have the potential to empty your bank account.

Use temporary account authorizations. Some credit card companies offer virtual or temporary credit card numbers. This service gives you a temporary account number for online transactions. These numbers are issued for a short period of time and cannot be used after that period.


Select merchants carefully. Limit your online shopping to merchants you know and trust. Confirm the online seller's physical address and phone number in case you have questions or problems. If you have questions about a merchant, check with the Better Business Bureau or the Federal Trade Commission.

Keep a record. Keep a record of your online transactions, including the product description and price, the online receipt, and copies of every e-mail you send or receive from the seller. Review your credit card and bank statements for unauthorized charges.


What should you do if you encounter problems with an online shopping site?

If you have problems shopping online, contact the seller or site operator directly. If those attempts are not successful, you may wish to contact the following entities:


the Attorney General's office in your state

your county or state consumer protection agency

the Better Business Bureau at: www.bbb.org

the Federal Trade Commission at: www.ftc.gov/


For additional information about safe online shopping, please visit the following sites:


US-CERT: www.us-cert.gov/cas/tips/ST07-001.html
National Cyber Security Alliance: www.staysafeonline.org/content/online-shopping

OnGuard Online: www.onguardonline.gov/topics/online-shopping.aspx

Online Cyber Safety: www.bsacybersafety.com/video/

Microsoft: www.microsoft.com/protect/fraud/finances/shopping_us.aspx


The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/
_______________________________

MORE NEWS AND DEVELOPMENTS:

McAfee Issues Fifth Annual Virtual Criminology Report

SANTA CLARA, Calif., November 17, 2009 - McAfee, Inc. (NYSE:MFE) today revealed that the global cyberarms race has moved from fiction to reality, according to its fifth annual Virtual Criminology Report. The report found that politically motivated cyberattacks have increased and five countries - the United States, Russia, France, Israel and China - are now armed with cyberweapons.

“McAfee began to warn of the global cyberarms race more than two years ago, but now we’re seeing increasing evidence that it’s become real,” said Dave DeWalt, McAfee president and CEO. “Now several nations around the world are actively engaged in cyberwar-like preparations and attacks. Today, the weapons are not nuclear, but virtual, and everyone must adapt to these threats.”

The McAfee Virtual Criminology Report 2009 is available for download at http://resources.mcafee.com/content/NACriminologyReport2009NF


Chief Information Security Officers Answer 4 Burning Questions
Six government chief information security officers hold a round-table discussion about the most dangerous new cybersecurity threats and the best strategies for addressing those risks.




October 21, 2009

CLLB Information Security Newsletter

Volume 2 Number 10 October 2009.

Top Ten Cyber Security Tips

From the Desk of David Badertscher

October is Cyber Security Awareness Month – Our Shared Responsibility
In recognition of the 2009 National Cyber Security Awareness Month, this edition of the newsletter is designed to provide you with the TOP 10 Cyber Security Tips that you can - and should - use to protect your computer system.

Think Before You Click
Always think before you click on links or images in an email, instant message, or on web sites. Be cautious when you receive an attachment from unknown sources. Even if you know and trust the sender of the email, instant message, web site, or a friend's social networking page, it is still prudent to use caution when navigating pages and clicking on links or images.

Use Hard to Guess Passwords
Developing good password practices will help keep your personal information and identity more secure. Passwords should have at least eight characters and include uppercase and lowercase letters, numerals and symbols.

Avoid Phishing Scams
Phishing is a form of identity theft in which the intent is to steal your personal data, such as credit card numbers, passwords, account data, or other information. Do not reply to emails that ask you to “verify your information” or to “confirm your user-id and password.”

Shop Safely Online
When shopping online always know with whom you're dealing. When submitting your purchase information, look for the "lock" icon on the browser's status bar to be sure your information is secure during transmission. Always remember to pay by credit card and keep a paper trail.

Protect Your Identity
When visiting web sites, it's important to know what information is being collected, by whom and how it will be used. Web sites track visitors as they navigate through cyberspace; therefore, data may be collected about you as a result of many of your online activities. Please keep in mind that most legitimate web sites include a privacy statement. The privacy statement is usually located at the bottom of the home page and details the type of personally identifiable information the site collects about its visitors, how the information is used - including with whom it may be shared - and how users can control the information that is gathered.

Dispose of Information Properly
Before discarding your computer or portable storage devices, you need to be sure that the data contained on the device has been erased or "wiped." Read/writable media (including your hard drive) should be "wiped" using Department of Defense (DOD) compliant software.

Protect Your Children Online
Discuss and set guidelines and rules for computer use with your child. Post these rules by the computer as a reminder. Familiarize yourself with your child's online activities and maintain a dialogue with your child about what applications they are using. Consider using parental control tools that are provided by some Internet Service Providers and available for purchase as separate software packages.

Protect Your Portable Devices
It is important to make sure you secure your portable devices to protect both the device and the information contained on the device. Always establish a password on all devices. If your device has Bluetooth functionality and it’s not used, check to be sure this setting is disabled. Some devices have Bluetooth enabled by default. If the Bluetooth functionality is used, be sure to change the default password for connecting to a Bluetooth-enabled device. Encrypt data and data transmissions whenever possible.

Secure Your Wireless Network
Wireless networks are not as secure as the traditional "wired" networks, but you can minimize the risk on your wireless network by enabling encryption, changing the default password, changing the Service Set Identifier (SSID) name (which is the name of your network) as well as turning off SSID broadcasting and using the MAC filtering feature, which allows you to designate and restrict which computers can connect to your wireless network.

Back-Up Important Files
Back up your important files at least weekly. Don’t risk losing your important documents, images or files!

For more information on the Top 10 Cyber Security Tips,
please visit the MS-ISAC Monthly Cyber Security Newsletter Tips:
www.msisac.org/awareness/news/

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/
_______________________________________

More News:

Incident of the week: Russian company proves that WiFi/wireless networks no longer secure

Foley Hoag LLP

ElcomSoft Co. Ltd., a Moscow-based "password recovery" company, has announced that its software can make an encrypted wireless network accessible using only a PC and the innovative computing power of consumer graphics cards from Nvidia.

SEC enforcement action for lax information security after data breach involving independent registered representatives

Sidley Austin LLP

The Securities and Exchange Commission (SEC) has issued another indication that they are serious about information security.

Does the FTC action against Sears cast doubt on the benefit of website privacy policies?

Navy CIO has plans for interlocking security, Web 2.0 tools, and open-source apps

Department of the Navy CIO Robert Carey is pushing to improve security across the department while promoting the use of Web 2.0 tools and open-source software.

IRS wins some, loses a few in fight against identity theft and data loss

The IRS recorded more than 51,000 cases of taxpayer identity theft in 2008 and paid out $15 million in fraudulent refunds, and a GAO report finds that internal information security weaknesses constitute some of the most significant challenges faced by the agency.

September 30, 2009

CLLB Information Security Newsletter - Cyber Ethics

September 2009
Volume 2, Issue 9

Cyber Ethics

From the Desk of David Badertscher

What is Cyber Ethics?

Cyber ethics refers to the code of responsible behavior on the Internet. Just as we are taught to act responsibly in everyday life, with lessons such as “Don’t take what doesn’t belong to you,” and “Do not harm others,” -- we must act responsibly in the cyber world as well.

What are Responsible Behaviors on the Internet?

Responsible behavior on the Internet in many ways aligns with acceptable behavior in everyday life, but the consequences can be significantly different. For example, verbal gossiping is generally limited to the immediate audience (those within earshot) and may well be forgotten the next day. However, gossiping on the Internet can reach a far wider audience. The “words” are not forgotten the next day, but may live on the Internet for days, months or years and cause tremendous harm.

Some people try to hide behind a false sense of anonymity on the Internet, believing that it does not matter if they behave badly online because no one knows who they are or how to identify them. That is not always true. Computers, browsers, and Internet service providers may keep logs of their activities which can be used to identify illegal or inappropriate behavior.

The basic rule is do not do something in cyber space that you would consider wrong or illegal in everyday life.

When determining responsible behaviors, consider the following:

Do not use rude or offensive language.
Don’t be a bully on the Internet. Do not call people names, lie about them, send embarrassing pictures of them, or do anything else to try to hurt them.
Do not copy information from the Internet and claim it as yours. That is called plagiarism.
Adhere to copyright restrictions when downloading material including software, games, movies, or music from the Internet.
Do not break into someone else’s computer.
Do not use someone else’s password.
Do not attempt to infect or in any way try to make someone else’s computer unusable.

We were taught the rules of “right and wrong” growing up. We just need to apply the same rules to cyber space!

For more information on Cyber Ethics visit:

- U.S. Department of Justice: www.usdoj.gov/criminal/cybercrime/cyberethics.htm
- MS-ISAC: www.msisac.org/awareness/news/2007-01.cfm
- Symantec: www.symantec.com/norton/library/familyresource/article.jsp?aid=pr_cyberethics
- Cyber-Ethics Champions Code: www.playitcybersafe.com/resources/EthicsCode.pdf
- StaySafeOnLine: www.staysafeonline.info/content/cyber-ethics-materials
************************************************************************

OCTOBER IS NATIONAL CYBER SECURITY AWARENESS MONTH

“CYBER SECURITY IS OUR SHARED RESPONSIBILITY”
www.staysafeonline.org/ncsam

www.nascio.org/newsroom/pressrelease.cfm?id=44

www.msisac.org/awareness/oct09/2009awareness.cfm


*****************************************************
LIVE NATIONAL WEBCAST
A Strategy for Promoting Cyber Security Awareness - October 8 – 2:00pm-3:00pm EDT
www.msisac.org/webcast/2009-10/index.cfm

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/


************************************************************************
MORE NEWS AND REFERENCES:

Information Security News, Tips and Trends from Janus Associates*

European cyber-gangs target small U.S. firms, group says
The Washington Post 08/25/2009

Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions. A task force representing the financial industry sent out an alert Friday outlining the problem and urging its members to implement many of the precautions now used to detect consumer bank and credit card fraud.

"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," the confidential alert says.

Businesses do not enjoy the same legal protections as consumers when banking online. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges. In contrast, companies that bank online are regulated under the Uniform Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.

7 easy ways to protect PC based information from theft

The proliferation of Personal Storage Devices (thumb drives, iPods, USB external hard disks, etc.) and simple remote access has created unprecedented levels of convenience and at the same time a substantially increased risk of data loss. Pocket sized external USB storage devices can put hundreds of Gigabytes of data storage at your fingertips which is easily enough space to house an industrial-strength database or thousands of documents, spreadsheets, photos and other sensitive information. With the right software installed, these devices can be configured to automatically transfer data off any machine into which they’re plugged. This can be a convenience for the owner of the data, or for the Bad Guy an easy way to potentially access and steal your data. Exploiting this type of threat is very inexpensive and does not take expertise.

Securing your environment is very easy and involves a multi-tiered Best Practices approach including:

Creating and enforcing sound policies and procedures that lock down the system BIOS on all computers processing, storing or transmitting data.

Creating a logon requirement that uses password and / or biometric authentication every time the PC is turned on.

Requiring the use of strong passwords that contain a minimum 7 character combination of both alpha and numeric symbols.

Never sharing or writing down your passwords.

Automated forced changing of passwords every 60 days.

Locking the PC after 10 minutes of inactivity to prevent unauthorized access to the machine and its data when the user steps away.

Turning off the PC when it is unattended for long periods of time. This one is an often overlooked critical step. A turned off PC means that someone who gains unauthorized access to the network has no access to the hard drive of that specific machine. If the PC is infected and part of a Bot network, shutting it down will prevent its use as a zombie for mass spamming or D.o.S. attacks. Think about it; how many people do you know who leave their PCs at work or home on 24/7? If it’s on, it can be accessed remotely.

Securing your PC and data isn’t rocket science. It’s simply a matter of common sense and best practices. Case in point: would you leave your house unlocked when you go to work for the day or leave your keys in the car and walk away? Of course not. So why would you leave your PC unlocked when you aren’t there? Easily implemented precautions that cost you nothing beyond a few minutes of your time can help minimize the risks associated with data loss and identity theft.
________________________________
* JANUS Associates provides a full range of information security and business information solutions including risk analysis, penetration testing, Payment Card Industry and regulatory compliance assessments including HIPAA, disaster recovery and business continuity planning and testing, eDiscovery, data forensics and data breach crisis management.

In business since 1988, JANUS has the longest tenure of any independent IT security firm in the nation and has been in the forefront of providing quality IT centric services.

JANUS is an independent, woman-owned vendor neutral company with deep skills and strong credentials in the government, commercial and Not-For-Profit sector.


August 21, 2009

CLLB Information Security Newsletter - Cookies

Volume 2 Number 8 August 2009.

From the Desk of David G. Badertscher

Mmmm… cookies - chocolate chip and oatmeal with raisins! Cookies are one of the most popular snacks that exist today. Did you know you can get “browser” cookies almost every time you go on the Internet? These cookies help with Internet commerce, allow quicker access to web sites, or can personalize your browsing experience. However, there are some privacy and security issues to be aware of, so it is important to understand the purpose of a “browser” cookie and manage their use on your computer appropriately. This tip will help you understand what a “browser” cookie is, what it is used for and what risks might be associated with using cookies.

What’s a Browser Cookie and How is it Used?

Browser cookies are simply reference files stored on your computer, just like pictures and documents. When you visit a web site, the visited web site will often place a cookie on your computer. Cookies do not contain active content (executables) or links, just text-based information. The information in the cookie might indicate how often you visit the site, what kind of products you bought, what kind of things you searched for, etc.

There are two different types of browser cookies that are stored on your computer – session and permanent cookies. Session cookies are stored in the computer's memory only during your browsing session and are automatically deleted from your computer when the browser is closed. These cookies usually store a session ID that is not personally identifiable, allowing you to move from page-to-page without having to log-in repeatedly. Session cookies are never written to the hard drive and they do not collect any information from your computer. They are widely used by commercial web sites; for example, to keep track of items that a consumer has added to a shopping cart. For instance, when you add an item to your shopping cart while shopping online, the information on that item is placed into a cookie. When you are finished with your online shopping, the application then references the appropriate cookie, tallies up your purchases, and bills you for those items.

Permanent cookies are stored on your computer’s hard drive and are not deleted when the browser is closed. These cookies can retain user preferences for a particular web site, allowing those preferences to be used in future browsing sessions. Permanent cookies can be used to identify individual users, so they may be used by web sites to analyze users' surfing behavior within the web site. These cookies can also be used to provide information about number of visitors, the average time spent on a particular page, log-in information stored in an account, and generally the performance of the web site.

In addition to session and permanent cookies, many sites allow their advertisers to place “third-party” cookies on your computer. Third-party cookies allow the marketing or an advertising company to track your interests and browsing through multiple web sites and companies. Third-party cookies, ones used by companies you are not dealing directly with, are more of a privacy issue than a security issue. The more you allow companies to track your online behavior, the more they can market directly to your specific interests. How cookies are processed and/or stored on your computer is controlled by your browser’s privacy settings.

Risks and What Should I Do?

Although permanent cookies may be useful and convenient, there are risks associated with stored log-in credentials. Storing credentials in a cookie can increase the risk of your log-in information being discovered if someone else uses your computer or in the event your computer may be compromised. If your computer or the website you are visiting is compromised, cookies can be used for malicious purposes, such as hackers altering data in the cookie or intercepting traffic between your computer and the web site.

It is recommended that you:

Set your cookie preferences using your browser privacy settings.

Periodically delete cookies from your computer.

Session cookies should be automatically deleted when you have completed a financial transaction online. By clearing your cookies from your browser periodically you can decrease the risk of the misuse of information accidentally or intentionally stored in cookies.

Do not allow cookies to store login information.

Keep your system and browser up-to-date on patches, update your anti-spyware software, and only visit trusted web sites.

If you do not want to share your online behavior data with third-parties, set your privacy settings to not allow third-party cookies. Note, this may impact your browsing experience.

Be cautious when sharing your computer. If you stored credential information using a browser cookie (user names and password), the individual using your computer will have access to your account and will be able to process transactions in your name.
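
The cookie types and risks described above can be read directly from the `Set-Cookie` headers a site sends. The following Python sketch is an added example, not part of the MS-ISAC tip: the host names, sample headers and credential-name hints are constructed for illustration, and "same site" is approximated by comparing the last two labels of the host name.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Hypothetical name fragments suggesting a cookie holds log-in details.
CREDENTIAL_HINTS = ("pass", "pwd", "login", "user", "remember")


def site_of(host):
    """Rough 'site' of a host: its last two labels.
    Assumption for this sketch; browsers consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def expiry(attrs, now):
    """Return the expiry time, or None for a session cookie.
    Max-Age takes precedence over Expires when both are present."""
    if "max-age" in attrs:
        try:
            return now + timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # malformed Max-Age: fall through to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: attribute ignored
        return when if when.tzinfo else when.replace(tzinfo=timezone.utc)
    return None


def classify(header, page_host, sender_host, now):
    """Label one cookie by lifetime and party, and list the risks it carries."""
    name, _value, attrs = parse_set_cookie(header)
    expires_at = expiry(attrs, now)
    if expires_at is None:
        lifetime = "session"        # kept in memory, gone when the browser closes
    elif expires_at <= now:
        lifetime = "expired"        # the server is deleting the cookie
    else:
        lifetime = "permanent"      # written to disk, survives a restart
    same_site = site_of(sender_host) == site_of(page_host)
    party = "first-party" if same_site else "third-party"

    findings = []
    if lifetime == "permanent" and any(h in name.lower() for h in CREDENTIAL_HINTS):
        findings.append("log-in data kept on disk")
    if "secure" not in attrs:
        findings.append("no Secure flag: also sent over unencrypted HTTP")
    if lifetime == "permanent" and party == "third-party":
        findings.append("can track visits across sites")
    return {"name": name, "lifetime": lifetime, "party": party, "findings": findings}


def report(responses, page_host, now):
    """Classify every (sender_host, Set-Cookie value) pair seen on one page."""
    return [classify(h, page_host, sender, now) for sender, h in responses]


# Constructed sample: headers a browser might receive while loading one page.
PAGE_HOST = "www.bookshop.example"
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    ("www.bookshop.example", "cart=3f9a; Path=/; Secure; HttpOnly"),
    ("www.bookshop.example", "remember_user=alice; Max-Age=31536000; Path=/"),
    ("ads.tracker.example", "uid=7c1d; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Secure"),
]

if __name__ == "__main__":
    for row in report(SAMPLE, PAGE_HOST, NOW):
        print(row["name"], row["lifetime"], row["party"], row["findings"])
```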

For More Information on Cookies Visit:

Web Browser Attacks: www.msisac.org/awareness/news/2008-07.cfm

Browsing Safely: Understanding Active Content and Cookies: www.us-cert.gov/cas/tips/ST04-012.html

Evaluating Your Web Browser's Security Settings: www.us-cert.gov/cas/tips/ST05-001.html

Http Cookie: http://en.wikipedia.org/wiki/HTTP_cookie

Free Security Checks: www.staysafeonline.info/content/free-security-check-ups

How to Control Cookies: www.aboutcookies.org/Default.aspx?page=1

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/
_____________________

SHOULD COOKIES BE USED ON FEDERAL WEB SITES?

They say timing is everything; sometimes I wonder. Late in July I began receiving a number of e-mails about the federal government reconsidering the question of whether cookies and other technological tracking devices should be used on federal web sites. When this matter had been raised before, the Office of Management and Budget (OMB) in the White House and presumably others decided that use of cookies on federal web sites should be greatly restricted if not prohibited. That decision was based on privacy and other concerns deemed especially important at the time. See a discussion of the issues from the perspective of OMB at:
http://blog.ostp.gov/2009/07/24/cookiepolicy/

Now, with newer, more advanced and more accessible technology, and other concerns, the question is being reopened and reviewed. I have submitted comments to the Office of Management and Budget, but certainly wish that I had received the above information from MS-ISAC before doing so. The public comment period ended August 10 (unless it has been extended) and I did not receive the very helpful information and resources included above until two days ago, August 19. I guess timing is everything after all.

At the time I received the earlier information, I did some research and posted information and links for those who might want either more background information, submit comments to the OMB blog or comment directly to the Federal Register, or all the above on this Criminal Law Library blog. To see my posting, which incorporates material I submitted to the OMB, visit:

http://www.criminallawlibraryblog.com/2009/08/should_cookies_be_used_on_fede.html

MORE:

Message Labs, now part of Symantec, has produced a white paper on what they consider the Top 5 Security Tips for 2009. The tips discussed are: Endure more than one line of defense; Educate your users about the risks; Control web access; Stay ahead of threats; and Know your legal obligations. To see the white paper go to:

http://whitepapers.technologyevaluation.com/download/9784/Top-5-Security-Tips-for-2009.html

OCTOBER IS NATIONAL CYBER SECURITY AWARENESS MONTH

“CYBER SECURITY IS OUR SHARED RESPONSIBILITY”
www.staysafeonline.org/ncsam

July 24, 2009

CLLB Information Security Newsletter - Cybercrime

Volume 2 Number 7 July 2009.

From the Desk of David Badertscher

Monthly Cyber Security Tips

Cybercrime

What is Cybercrime?

The term “cybercrime” usually refers to any criminal offense committed against or with the use of a computer or computer network. The US Department of Justice (DOJ) interchangeably uses the terms “cybercrime,” “computer crime,” and “network crime” to refer to acts such as computer intrusions, denial of service attacks, viruses and worms.1

A cybercrime incident can lead to loss of business and consumer confidence, financial loss, productivity loss, and even loss of intellectual property. For something to be considered a crime, however, a law must denote it as such, and the laws have, to this point, lagged behind technology. Existing laws relating to cybercrime oftentimes do not apply to specific acts being investigated and those laws vary from state to state. Some cybercrime may be more easily prosecuted if it is simply viewed as a more commonly recognized crime, e.g. vandalism instead of web defacement. To refer to a criminal act as “cybercrime” or “computer crime” tends to place the focus more on the technology, rather than on the crime itself. For these reasons, Anthony Reyes, author of the book Cyber Crime Investigations, argues against using the term “cybercrime,” and instead prefers to call these acts “crimes with a computer component.”2 Regardless of the means used to commit a crime or the target of a crime, whether it is a computer, a business, or someone’s data, it is still a crime.

What are the Trends in Cybercrime?

In the 1990s, cybercrime was mainly motivated by notoriety or revenge and predominately defined by the willful destruction of online property or intentional disruption of a business. The current era of cybercrime is dominated by criminals who want to use your computer for illegal activities, to steal data for profit, and organized crime is heavily involved.3 Attackers exploit vulnerabilities in computer software in order to develop “crimeware,” such as viruses, Trojans, and keyloggers, in order for other criminals to carry out their nefarious acts. These “crimeware” creators also utilize the software-as-a-service business model to provide crimeware-as-a-service. Some of their crimeware servers not only act as command and control servers (machines designed to provide instructions to the crimeware), but also as “data suppliers” or repositories for private stolen information that is harvested by the crimeware.

Personal information is a valuable commodity for criminals. Traditional security tools are becoming increasingly more limited in their ability to mitigate these highly complicated cybercrime attacks.4 Another trend is that the governments of various countries are suspected of being involved in cybercrimes for political reasons. As governments become more dependent upon technology, those assets will be attacked for various reasons. The cybercrime landscape, as it may be called, has definitely changed, but the criminal motivations are still the same – money, power and revenge.

What Can I Do?

Fighting cybercrime is problematic for several reasons. Many actions, such as writing crimeware, are currently not defined as illegal and, even if they constitute a crime, can be difficult to prosecute. Location and jurisdiction may also be a problem. For instance, a criminal may reside in one country and use a crimeware server in another country to attack a victim who resides in a third country.5 Cybercrime can also be perpetrated without a person’s knowledge, unlike other types of crimes that may be more noticeable. To adequately defend against cybercrime, you need to follow the traditional best practices for protecting your network or desktop.

If you become a victim of cybercrime, you should report the incident to the appropriate law enforcement authorities. Depending on the scope of the crime, the appropriate agency may be local, state, federal, or even international.

The US DOJ maintains a list of federal agencies to which computer related crimes may be reported at the following address: http://www.usdoj.gov/criminal/cybercrime/reporting.htm. In addition, you may report cybercrimes to the Internet Crime Complaint Center (IC3), a partnership among the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance (BJA). The IC3 provides a convenient reporting mechanism for both citizens and government agencies that alerts authorities of suspected criminal or civil violations and may be contacted via the following address: http://www.ic3.gov.

For more monthly cyber security newsletter tips visit:
www.msisac.org/awareness/news/

The information provided in this Newsletter is intended to increase your security awareness and help you conduct activities in a more secure manner within your work and home environments. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve overall cyber security posture.
_________________________________

1 “Prosecuting Computer Crimes”, February 2007, http://www.usdoj.gov/criminal/cybercrime/ccmanual/00ccma.html.

2 Reyes, Anthony, Cyber Crime Investigations: Bridging the Gaps Between Security Professionals, Law Enforcement, and Prosecutors, Syngress Publishing, Inc. 2007.

3 “A Brief History of Data Theft”, The ISSA Journal, June 2008.

4 “The Cybercrime 2.0 Evolution”, The ISSA Journal, June 2008.

5 “Organized Cybercrime”, The ISSA Journal, October 2008.

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

OTHER NEWS AND REFERENCES:

Jackson, William. Tweeters Beware: All Is Not Secure on the Cyber Front. Government Computer News July 20, 2009.
"Twitter microblogging service gets a lot of publicity, but recently that publicity has been increasingly bad as the company has become the victim of a series of hacks."
http://gcn.com/articles/2009/07/20/cybereye-twitter-social-network-security-warning.aspx?s=security_230709

Bain, Ben. Agencies Riddled With Security Holes, GAO Says. Federal Computer Week July 17, 2009.
"A continued lack of sufficient information security controls at major federal agencies puts sensitive data at risk, the Government Accountability Office said today."
http://fcw.com/articles/2009/07/17/web-gao-fisma-info-security.aspx?s=security_230709


June 22, 2009

CLLB Information Security Newsletter

Volume 2 Number 6 June 2009.

From the Desk of David Badertscher

All This Functionality in One Device!

Mobile communication devices (includes Blackberrys, iPhones, smart phones in general) have become indispensable tools for today's highly mobile society. Small and relatively inexpensive, these multifunction devices can be used not only for voice calls but also text messages, email, Internet access along with stand alone applications similar to those performed on a desktop computer. A significant amount of personal, private and/or sensitive information may accumulate or be accessed via these devices. Additionally, some of these devices may allow you to access your home computer or your corporate network.

What Risks Do They Present?

While the devices offer many benefits and conveniences, they also pose risks to you and/or your organization’s security. As these devices continue to take on the characteristics of personal computers, they also inherit the same potential risks. Some of the primary risks include the following:

The portability of the device leads to a higher likelihood of loss of the device. Millions of mobile communication devices are lost each year.

When Bluetooth and/or wireless (not cellular) communications are enabled, these devices are subject to the risk of eavesdropping and “hijacking”.

Malware is available that, if installed on your device, can allow a perpetrator remote access to your device to listen to and record all of your calls, send text messages to the perpetrator whenever you make or receive a call, read all of your messages, make calls on your behalf from your phone, access all of the information on your phone, trace your location and enable the speaker functionality on the phone to listen in on conversations even when the phone is not in use.

Sites purporting to offer “free games or ring tones” are major vectors for distributing malware.
While the reports of worms and viruses impacting these devices are relatively low, this is expected to increase in the future.

Despite the risks outlined above, many users do not understand how vulnerable their mobile device is or how to deploy important security settings and controls.

What Can I Do to Secure My Mobile Communication Device?

The following outlines steps you can take to protect your mobile communication device. Some of the steps are dependent upon the functionality of your device.


Use a password to access your device. If the device is used for work purposes, you should follow the password policy issued by your organization.

If the Bluetooth functionality is not used, check to be sure this setting is disabled. Some devices have Bluetooth enabled by default. If the Bluetooth functionality is used, be sure to change the default password for connecting to a Bluetooth enabled device.

Do not open attachments from untrusted sources. Similar to the risk when using your desktop, you risk being exposed to malware when opening unexpected attachments.

Do not follow links to untrusted sources, especially from unsolicited email or text messages. Again, as with your desktop, you risk being infected with malware.

If your device is lost, report it immediately to your carrier or organization. Some devices allow the data to be erased remotely.

Review the security settings on your device to ensure appropriate protection. Be sure to encrypt data transmissions whenever possible.


Enable storage encryption. This will help protect the data stored on your device in the event it is lost or stolen, assuming you have it password protected!

Beware of downloading any software to your device. If the device is used for work, follow your organization’s policy on downloading software.

Before disposing of the device be sure to wipe all data from it and/or follow your organization’s policy for disposing of computer equipment.


For more information on securing mobile communication devices, please visit:

National Cyber Alert System - Cyber Security Tip ST06-007, Defending Cell Phones and PDAs Against Attack
http://www.us-cert.gov/cas/tips/ST06-007.html

NIST Special Publication 800-124, Guidelines on Cell Phone and PDA Security
http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf

FTC Consumer Alert – The 411 on Disposing of Your Old Cell Phone
http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt044.shtm

WTHR News story on “Tapping Your Cell Phone”
http://www.wthr.com/Global/story.asp?s=9346833

McAfee – The Web’s Most Dangerous Search Terms
http://us.mcafee.com/en-us/local/docs/most_dangerous_searchterm_us.pdf


*The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

OTHER NEWS:

DON'T FALL FOR JURY DUTY SCAM.
The phone rings, you pick it up, and the caller identifies himself as an officer of the court. He says you failed to report for jury duty and that a warrant is out for your arrest.

You say you never received a notice. To clear it up, the caller says he'll need some information for "verification purposes"- your birth date, social security number, maybe even a credit card number.

This is when you should hang up the phone. It's a scam!

Jury scams have been around for years, but have seen a resurgence in recent months.

Communities in more than a dozen states have issued public warnings about cold calls from people claiming to be court officials seeking personal information. As a rule, court officers never ask for confidential information over the phone; they generally correspond with prospective jurors via mail.

The scam's bold simplicity may be what makes it so effective. Facing the unexpected threat of arrest, victims are caught off guard and may be quick to part with some information to defuse the situation.

In recent months, communities in Florida, New York, Minnesota, Illinois, Colorado, Oregon, California, Virginia, Oklahoma, Arizona and New Hampshire reported scams or posted warnings or press releases on their local websites.

The jury scam is a simple variation of the identity-theft ploys that have proliferated in recent years as personal information and good credit have become thieves' preferred prey, particularly on the Internet.

Scammers might tap your information to make a purchase on your credit card, but could just as easily sell your information to the highest bidder on the Internet's black market.

Protecting yourself is the key: Never give out personal information when you receive an unsolicited phone call.


May 18, 2009

CLLB Information Security Newsletter

Volume 2 Number 5 May 2009.

Rogue (Fake) Anti-Virus Software: How to Spot It & Avoid It!*

From the Desk of David Badertscher


Your PC May Be Infected! Click here to clean it!

Have you seen this advertisement or similar pop-up messages? A free PC scan or an offer to clean your computer of supposedly infected files is often an attempt by malevolent persons or organizations to install malicious software (malware) such as a Trojan horse, keylogger, or spyware. Such software is referred to as rogue (fake) anti-virus malware.

How can my system get infected?

The primary way rogue anti-virus software gets on your system is by you clicking on a malicious link in an advertisement or similar pop-up message. The wording contained in the advertisement is usually something alarming, designed to get your attention and convince you to scan your PC or clean it immediately with the offered tool. The names of the fake programs sound legitimate, and often, in a further attempt to make the malware appear legitimate, the programs may prompt you to pay for an annual subscription to the service.

Any kind of website could host ads for rogue anti-virus: news sites, sports pages, and social networking sites as well as “riskier” sites such as hacker blogs. Some varieties of rogue anti-virus programs will also get installed on your machine just by you visiting a website with a malicious ad or code, and you might never know you’ve been impacted.

Won’t my valid anti-virus and anti-spyware program protect my computer?

Though good anti-virus and anti-spyware programs will protect against many threats, they cannot protect against all malware threats, especially the newest ones. There are millions of different versions of malware, with hundreds more being created and used every day. It may take a day, a week, or even longer for anti-virus companies to develop and distribute an update to detect and clean the newest malware.

What can rogue anti-virus software do to my computer?

Just about anything, especially if you are using administrative-level access when using your computer. Rogue anti-virus software might perform many activities, including installing files to monitor your computer use or steal credentials, installing backdoor programs, or adding your computer to a botnet. The malware might even use your computer as a vehicle for compromising other systems in your home or workplace network.

Rogue anti-virus software can also modify system files and registry entries so that even when you clean off some infected files or registry keys, others might remain, or even allow the infections to be restored and become active again after your system is rebooted. For example, one recent rogue anti-virus program reportedly installed several malicious Trojan files, and also made over two dozen different changes to ensure that the malware stayed on the system and stayed running. This type of malware also often blocks access to valid security sites (anti-virus and anti-spyware companies, and operating system and application update sites) so that you won’t be able to patch or clean your system by visiting those valid sites.
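
One check a defender can run for the blocking behaviour described above, as an added example that is not part of the original newsletter. It assumes the blocking is done through entries in the system hosts file (a common mechanism, but not one the newsletter names); the watch-list domains and the sample hosts content are constructed for illustration.

```python
"""Flag hosts-file entries that override security or update domains."""
import ipaddress

# Assumption: illustrative watch-list of domains that should only ever be
# resolved through DNS. Replace with the vendors you actually rely on.
WATCHED_SUFFIXES = (
    "av-vendor.example",
    "update.os-vendor.example",
)

# Constructed sample input, not taken from a real infection.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.av-vendor.example av-vendor.example   # injected
0.0.0.0         update.os-vendor.example
203.0.113.7     download.av-vendor.example
192.168.1.20    fileserver.home.example
not-an-ip       broken.line
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in hosts text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address: skip
        for name in fields[1:]:               # one line may carry aliases
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname, suffixes=WATCHED_SUFFIXES):
    """True if hostname equals a watched domain or is a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def classify(ip):
    """Loopback or 0.0.0.0 makes the site unreachable; anything else
    silently sends the user to a different server."""
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"
    return "redirected"


def find_suspicious(text, suffixes=WATCHED_SUFFIXES):
    """Return (line_no, hostname, ip, verdict) for each watched-domain entry."""
    return [
        (line_no, name, str(ip), classify(ip))
        for line_no, ip, name in parse_hosts(text)
        if is_watched(name, suffixes)
    ]


if __name__ == "__main__":
    for line_no, name, ip, verdict in find_suspicious(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({verdict})")
```

To check a real machine, pass the contents of its hosts file (`/etc/hosts` on Unix-like systems, `%SystemRoot%\System32\drivers\etc\hosts` on Windows) to `find_suspicious` together with a watch-list of the security and update domains you depend on.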

What can I do to protect my computer?

1. Don’t click on pop-up ads that advertise anti-virus or anti-spyware programs. Even though pop-up ads are used for valid advertising, they can also be used for malicious purposes, like getting you to install fake security programs. If you are interested in a security product, search for it and visit its homepage; don’t get to it through a pop-up ad.

2. Use and regularly update firewalls, anti-virus, and anti-spyware programs. It is very important to use and keep these programs updated regularly so they can protect your computer against the most recent threats. If possible, update them automatically and at least daily.

3. Properly configure and patch operating systems, browsers, and other software programs. Keep your system and programs updated and patched so that your computer will not be exposed to known vulnerabilities and attacks.

4. Turn off ActiveX and Scripting, or prompt for their use. ActiveX controls are small programs or animations that are downloaded or embedded in web pages, which will typically enhance functionality and user experience. Many types of malware can infect your computer when you simply visit a compromised site and allow anything to run from the website, such as ads. Turning off ActiveX and Scripting can help protect your computer if you inadvertently browse to or are unwillingly redirected to a malicious site. (You can limit the functionality of your Internet browser through its configuration choices, but be sure to look for a guide if you are unfamiliar with how to limit scripting and active content—see below for resources.)

5. Keep backups of important files. Sometimes cleaning infections can be very easy; sometimes they can be very difficult. You may find that an infection has affected your computer so much that the operating system and applications need to be reinstalled. In cases like this it is best to have your important data backed up already so you can restore your system without fear of losing your data.

6. Regularly scan and clean your computer. If your organization already has configured this on your computer, do not disable it. If you need to scan your computer yourself, schedule regular scans in your programs. Also, several trusted anti-virus and anti-spyware vendors offer free scans and cleaning. Access these types of services from reputable companies and from their webpage, not from an unexpected pop-up.

For more information, please visit:

Partial Listing of Rogue Security Software: http://en.wikipedia.org/wiki/Rogue_software

Free Security Checks: www.staysafeonline.info/content/free-security-check-ups

Pop-ups: www.msisac.org/awareness/news/2008-12.cfm

Web Browser Attacks: www.msisac.org/awareness/news/2008-07.cfm

Malware: www.onguardonline.gov/topics/malware.aspx

Spyware: www.onguardonline.gov/topics/spyware.aspx

Free Check for File Infection: www.virustotal.com/


*The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

OTHER NEWS:

U.S. Department of Defense Seeks E-Mail Security for Grid Network.
by Doug Beizer
Federal Computer Week May 15, 2009.

System would scan incoming e-mail messages

The Defense Department needs a security system to scan e-mail on its Global Information Grid (GIG) network, and it has asked industry to submit information on such a system, according to an announcement on the Federal Business Opportunities Web site.

http://fcw.com/articles/2009/05/15/dod-email-security.aspx?s=security_180509

Warrant Required to Use GPS to Track Suspects
New York Law Journal

A divided N.Y. Court of Appeals ordered a new trial for a man convicted of burglary in part with evidence from a GPS device. Chief Judge Jonathan Lippman wrote for the majority that "this dragnet use of the technology at the sole discretion of law enforcement authorities to pry into the details of people's daily lives is not consistent with the values at the core of our state Constitution's prohibition against unreasonable searches."


April 10, 2009

CLLB Information Security Newsletter

April 2009 Volume 2 Number 4.

From the Desk of David Badertscher

The use of credit cards to pay for goods and services is a common practice around the world. It enables business to be transacted in a convenient and cost-effective manner. However, more than 100 million personally identifiable customer records have been breached in the US over the past two years[1]. Many of these breaches involved credit card information. Continued use of credit cards requires confidence by consumers that their transaction and credit card information are secure. The following provides information as to how the credit card industry has responded to security issues and steps you can take to protect your information.

Who regulates the security of credit card transactions?

The Payment Card Industry (PCI) Security Standards Council developed standards and policies that must be met by all vendors which accept credit card transactions. The Council’s members include American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International. The Council created an industry-wide, global framework that details how companies handle credit card data – specifically, banks, merchants and payment processors. The result was the Payment Card Industry (PCI) Data Security Standard (DSS)[2], a set of best practice requirements for protecting credit card data throughout the information lifecycle.

The PCI compliance security standards outline technical and operational requirements created to help organizations prevent credit card fraud, hacking and various other security vulnerabilities and threats.

The PCI DSS requirements are applicable if a credit card number is stored, processed, or transmitted. The major credit card companies require compliance with PCI DSS rules via contracts with merchants and their vendors that accept and process credit cards. Banks, merchants and payment processors must approach PCI DSS compliance as an ongoing effort. Compliance must be validated annually, and companies must be prepared to address new aspects of the standard as it evolves based on emerging technologies and threats.

How is my credit card information protected?

The PCI standards detail what protective measures are required regarding the storing and transmission of credit card information. For electronic Point of Sale (POS) transactions, the information is encrypted and transmitted directly to the credit card processor. For an online transaction, the merchant is required to have a secure server and an encrypted connection to the customer. Access to credit card information is restricted based on a business need-to-know. The standards include guidelines for developing and maintaining secure systems and applications. Recent focus includes heightened security requirements for wireless networks due to the jump in the use of wireless POS terminals.

What if a merchant does not follow the standards?

If a member, merchant, or service provider does not comply with the security requirements or fails to rectify a security issue, they may face fines up to $500,000 per incident or restrictions imposed by the credit card companies, including denying their ability to accept or process credit card transactions.

What can I do to secure my credit card information?

You can help secure your credit card information by adhering to the following guidelines:

Don't respond to email or pop-up messages. If you get an email or pop-up message while you're browsing, don't reply or click on the link in the message or any attachments, especially if personal or financial information is requested. Legitimate organizations don't ask for this information in these ways.

Guard the security of your transaction. When purchasing online, look for the "lock" icon on the browser's status bar and be sure "https" or "s-http" appears in the website's address bar. The "s" stands for "secure."

Use temporary account authorizations when available. Some credit card companies offer virtual or temporary credit card authorization numbers. This kind of service gives you use of a secure and unique account number for each online transaction. These numbers are often issued for a short period of time and cannot be used after that period. Contact your credit card company to see if they offer this service.

Limit your online shopping to merchants you know and trust. If you have questions about a merchant, verify it with the Better Business Bureau or the Federal Trade Commission.

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/



March 26, 2009

CLLB Information Security Newsletter

March 2009 Volume 2 Number 3.

Social Networking Sites: How To Stay Safe

From the Desk of David G. Badertscher

The popularity of social networking sites--such as MySpace, Facebook, Twitter and others--has exploded in recent years, with usage in the United States increasing 93% since 2006, according to Netpop Research. The sites are popular not only with teenagers, but with adults as well: the number of adult Internet users having a social networking profile has more than quadrupled in the past four years, according to the Pew Internet & American Life Project.

While there are many positive aspects of using social networking sites, it is also important to understand the potential security risks and know what precautions to take to protect yourself and your information.

What are social networking sites?

Social networking sites are online communities of Internet users who want to communicate with other users about areas of mutual interest, whether from a personal, business or academic perspective. The specific functionality of the various sites may differ, but in general, the sites allow you to provide information about yourself and communicate with others through email, chat rooms and other forums.

What are the security concerns of social networking sites?

Social network sites are growing in popularity as attack vectors because of the volume of users and the amount of personal information that is posted. The nature of social networking sites encourages you to post personal information. Because of the perceived anonymity and false sense of security of the Internet, users may provide more information about themselves and their life online than they would to a stranger in person.

The information you post online could be used by those with malicious intent to conduct social engineering scams and attempt to steal your identity or access your financial data. In addition, the sites are increasingly sources of worms, viruses and other malicious code. You may be prompted to click on a video on someone’s page, which could bring you to a malicious website, for example. If you are accessing a site that has malicious code your machine could become infected. For examples of some common social networking scams, visit the Council of Better Business Bureaus.

It’s also important to realize that information you post can be viewed by a broad audience, and could have lasting implications. College admissions officers and school administrators, for example, do visit these sites and in some cases, admissions have been denied to applicants, or disciplinary actions have been taken because of information or photos posted online. Employers also review these sites for information about potential job applicants.

What can you do to protect yourself?

Make sure your computer is protected before visiting sites – make sure you have a firewall and anti-virus software on your computer and that it is up-to-date. Keep your operating system up-to-date as well.

Do not assume you are in a trusted environment – even when you are on the page of someone you know, it is still prudent to use caution when navigating pages and clicking on links or photos, because links, images or other content contained on the pages may include malicious code.

Be cautious in how much personal information you provide - remember that the more information you post, the easier it may be for an attacker to use that information to steal your identity or access your data.

Use common sense when communicating with users you DO know – confirm electronic requests for loans or donations from your social networking friends and associates. The communications could be from someone who has stolen the credentials of the person you know with the intent of scamming as many people as possible.

Use common sense when communicating with users you DON’T know – be cautious about whom you allow to contact you or how much and what type of information you share with strangers online.

Understand what information is collected and shared – pay attention to the policies and terms of the sites; they may be sharing your email address or other details with other companies.

Make sure you know what sites your child is visiting - be involved in your child’s activities and know with whom he/she is communicating and what information is being posted by them, or about them by others.

For more monthly cyber security newsletter tips visit:
www.msisac.org/awareness/news/

ADDITIONAL NEWS:

New York City Cyber Security Summit
May 4, 2009

"The City of New York is committed to providing a secure information technology environment and to the protection of private information collected from the public. People are part of that solution, and as a City employee, your understanding and commitment to good security practices go a long way to bolster a secure computing environment. Therefore, I invite you to participate in the second annual NYC Cybersecurity Summit, where we can explore ways to secure information used by the City as we provide municipal services."

- Dan Srebnick, Associate Commissioner, IT Security & Chief Information Security Officer, Department of Information Technology and Telecommunications (DoITT), City of New York
________________________________

Choosing the Right Hardware and Software for Data Protection Solution
Compliments of Infoworld and HP.

"The latest white paper from the Mesabi Group explores the challenge facing many businesses in deciding what combination of software-hardware best meets their needs for data protection, storage, and business needs. There are a number of good options available and, as data protection grows more complicated each day, businesses should review their data protection from the ground up."

To see the white paper click on the link below:

Commentary: Choosing the Right Hardware and Software for Data Protection Solutions


March 6, 2009

The Oxford Companion to International Criminal Justice

Book Review by David Badertscher*
March 6, 2009.

The Oxford Companion to International Criminal Justice
Antonio Cassese, Editor in Chief
Oxford University Press 2009

Book Review: The Oxford Companion to International Criminal Justice

Antonio Cassese, General Editor.

Oxford University Press, 2009.

When Antonio Cassese, Professor of International Law at the University of Florence, was first approached some six years ago on behalf of Oxford University Press to edit an Oxford Companion devoted to international criminal justice, he refused for a number of understandable reasons, including the realization that this task would be truly titanic, and being uncertain of the availability of adequate staff support. However, when Professor Cassese was again approached some two years later he accepted, explaining that he “... very much liked the idea of compiling for the first time a sort of encyclopaedia covering an area [international criminal justice] that, while in full bloom, had not yet been the object of a general exposition of all its ramifications and intricacies.” By this time he was also able to assemble a very impressive, world-class group of contributors that reads like a veritable who’s who of the field to collaborate on this work under Professor Cassese’s direction. The final result is a significant work which treats its subject both broadly and in depth in an accessible manner.

The Oxford Companion to International Justice (Companion) is divided into three parts. Part A consists of 21 essays including a comprehensive survey of issues and debates surrounding international humanitarian law, international criminal law, and their enforcement. Part B is arranged alphabetically, containing 320 entries on doctrines, procedures, institutions and personalities. Part C contains over 400 case summaries of key trials from international and domestic courts dealing with war crimes, crimes against humanity, genocide, torture and terrorism.

With analysis and commentary on every aspect of international criminal justice, this Companion is designed to be an entry point for scholars, practitioners, and others interested in current developments in international justice. It addresses the various intricacies of international criminal justice and to some extent other areas of international justice in a manner that is both scholarly and accessible. This is in itself a considerable accomplishment. It attests to the high quality of collaboration among the contributors Professor Cassese assembled. Indeed, one of the special qualities of this work is the use of language throughout that enables those who are not familiar with criminal law but who have an active interest in matters related to international justice to find it useful.

If there is any weakness to this work it relates to the arrangement of some of the material in the book and not the quality of its content. Some readers may find that arranging so many of the tables and lists in the front of the book, before Part A, creates a type of barrier or ‘firewall’ between the Foreword and Table of Contents and the substantive materials in Parts A, B, and C, thus unintentionally reducing the accessibility of the work for some users. A better approach might have been to leave all of this material in the back near the index so that all of this type of information would be consolidated in one place. A second unrelated suggestion for any future edition would be to add some type of scope note at the beginning of each Part to also enhance accessibility.

It needs to be emphasized that the Oxford Companion to International Criminal Justice is more than a work designed to update scholars, practitioners, and others on current developments in international justice. An examination of the essays in Part A and cases in Part C indicates that materials contained therein are of sufficient scope and depth that they can be consulted as part of in-depth research by all readers. It is a significant work recommended for academic and specialized libraries, large public libraries, scholars and other specialists with interest in the field, and for those general readers who need to keep up with developments in international justice.

Although the Oxford Companion to International Criminal Justice was published by Oxford University Press in the United Kingdom on January 22, 2009, it will only be available in the United States on March 23. That is because it takes about six weeks for stock to be shipped to the US warehouse of Oxford University Press and then a couple of weeks to get to further United States outlets.
___________________________________
*David Badertscher is the Principal Law Librarian at the New York Supreme Court Criminal Term, First Judicial District. New York, NY.

March 2, 2009

U.S. Supreme Court: United States v. Hayes (No. 07-608)

From the ABA Criminal Justice Section: http://www.abanet.org/crimjust

United States v. Hayes (No. 07-608)

"The court released an opinion regarding the prohibition on possession of a firearm by convicted felons to include persons convicted of a misdemeanor crime of domestic violence. Police officers discovered a rifle in respondent Hayes's home. Hayes was charged with possessing firearms after having been convicted of a misdemeanor crime of domestic violence. He was previously convicted for battery in 1994 against his then-wife. Hayes moved to dismiss the indictment on the ground that his past conviction did not qualify as a predicate offense because West Virginia's generic battery law did not designate a domestic relationship between aggressor and victim as an element of the offense. When the District Court denied the motion, Hayes entered a conditional guilty plea and appealed. The Fourth Circuit reversed, holding that a §922(g)(9) predicate offense must have as an element a domestic relationship between offender and victim."

"By extending the federal firearm prohibition to persons convicted of misdemeanor crimes of domestic violence, §922(g)(9)'s proponents sought to close a loophole: Existing felon-in-possession laws often failed to keep firearms out of the hands of domestic abusers, for such offenders generally were not charged with, or convicted of, felonies. Hayes argues that the measure that became §§922(g)(9) and 921(a)(33)(A), though it initially may have had a broadly remedial purpose, was revised and narrowed during the legislative process, but his argument is not corroborated by the revisions he identifies."

"Congress defined "misdemeanor crime of domestic violence" to include an offense "committed by" a person who had a specified domestic relationship with the victim, whether or not the misdemeanor statute itself designates the domestic relationship as an element of the crime."

"Justice Ginsburg delivered the opinion of the Court. Justice Roberts filed a dissenting opinion in which only Justice Scalia joined."

The full opinion can be accessed at http://www.law.cornell.edu/supct/html/07-608.ZS.html.