You can't secure what you don't acknowledge.SM

Friday, January 18, 2008

Neat tool to fight off keystroke loggers in web apps

I came across the XecureCK tool in Brien Posey's recent SearchWindowsSecurity.com article. It's an application-specific program that's downloaded as an ActiveX control that must be installed on the user's browser (sort of ironic, eh?). It essentially creates an encrypted link between the Windows keyboard driver and the Web site to keep the user's credentials safe and secure...at least the credentials for that one Web site.

Thinking back to my days of assembly language programming, I suspect that there's a way for malware to hook into the keyboard interrupt to override this. Essentially sit "above" the driver and still grab the input from the keyboard. We'll see...

Still a pretty neat app that benefits the Web site owner as much as it does the user. Good way to stay out of trouble and minimize liabilities.

My articles from this week

Here are my information security articles from this week that you may be interested in.

Web application hacking: Inside the mind of an attacker

Cross-site scripting 101: XSS attacks plague Web browsers

For all of my past information security tips and tricks be sure to check out www.principlelogic.com/resources.html.

Enjoy!

Wednesday, January 16, 2008

Cox Communications telecom outage highlights the need for better security processes

This is one of those often-overlooked security operations weaknesses that ends up being one of the most vicious. A fired Cox Communications worker hacks back in and wreaks havoc:

http://www.scmagazineus.com/Former-Cox-employee-who-shut-down-911-sentenced-to-five-months-in-prison/article/104120/

Also a good reason to watch the "watchers". Funny thing that many people in IT forget: there's this thing called change management that helps quite well in these situations.

Lax IRS security - yet another reason for the FairTax!

Apparently a GAO report this week outlines how taxpayer data is at “increased risk of unauthorized disclosure, modification or destruction.” within the IRS:
http://www.scmagazineus.com/GAO-Lax-IRS-cybersecurity-puts-taxpayer-data-in-danger/article/104008/

Yet another reason to get rid of the IRS! :)

So Oracle and Open Source really aren't that secure...?

Chock these up and file 'em away in the I-told-so-you category:

Apparently Oracle's latest security update contains fixes for 27 flaws including SQL injection:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1294080,00.html?track=NL-102&ad=617874&asrc=EM_NLN_2899404&uid=1018924

Oh, and now our Imperial Federal Government has to spend tax dollars that we've earned that prove that open source software is flawed...?:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1289637,00.html?track=NL-102&ad=617852&asrc=EM_NLN_2860161&uid=1018924

The reality is folks, that regardless of the type of software - I don't care what language it's written in, how much money is charged for it, or how in-depth it's been checked for security flaws - it's going to have security flaws uncovered eventually. Adding to it, the more complex software gets the greater the chance of security weaknesses slipping in. And as long as people are involved in writing software...well, the problem is not going to go away.

Monday, January 14, 2008

New evidence of wireless way before our time

This is something that's been out there for a while, but when my Canadian colleague, security guru, and all-around good guy Peter Davis forwarded it to me, I laughed out loud. Had to share it:

After having dug to a depth of 10 meters last year, American scientists found traces of copper wire dating back 100 years and came to the conclusion that their ancestors already had a telephone network more than 100 years ago.

Not to be outdone by the Americans, in the weeks that followed, Canadian scientists dug to a depth of 20 meters, and shortly after, headlines in the Toronto Globe and Mail newspaper read: "Canadian archaeologists have found traces of 200 year old copper wire and have concluded that their ancestors already had an advanced high-tech communications network a
hundred years earlier than the Americans."

One week later, "Moose Jaw Times Herald", a local newspaper in Saskatchewan reported the following:
"After digging as deep as 30 meters in sagebrush fields near Moose Jaw, Ole Johnson, a self-taught archaeologist, reports that he found absolutely nothing. Ole has therefore concluded that 300 years ago, Saskatchewan had already gone "wireless."

Wireless hotspot security measures you can't afford to overlook

Here's a not-so-innovative piece from one of the prominent wireless gurus, Lisa Phifer, on hotspot security but it's a good reminder of what to do nonetheless:
http://www.wi-fiplanet.com/tutorials/article.php/3720151

Here's some thoughts I had on locking down laptops that connect to hotspots from a few years ago:
http://searchwindowssecurity.techtarget.com/general/0,295582,sid45_gci1119415,00.html

Funny how nothing has changed...