Internal IT Security Threat

Internal users continue to be the thorn in the side of system and security administrators. This is the case for many reasons. First, they have knowledge of the networking resources. Second, they have credentials to access various systems on the network. Third, most security controls defend against external entities rather than internal users. According to the Computer Security Institute (CSI), approximately 80 percent of network misuse incidents originate from inside the network.

Security administrators should apply the “Defense in Depth” security model when it comes to protecting the network. This means layering network firewalls, IDS, HIDS, host-based firewalls, patch management, security policies and vulnerability scanning.

Black Hat USA 2010

Black Hat USA 2010 is the technical security event where members of the security industry gather to learn about cutting-edge research that addresses the challenges facing today’s senior-level IT professionals. This year’s event will be hosted at Caesars Palace in Las Vegas, Nevada, July 24-29th, offering over 70 multi-day training sessions, 32 live tool demonstrations in the new Black Hat Arsenal, and 100+ sessions of presentations from the security industry elite. To learn more and register for the event, visit www.blackhat.com.

Adobe Systems Patches 17 Critical Security Holes

On June 29, Adobe Systems plugged 17 critical security holes affecting Adobe Reader and Acrobat, including a patch for a zero-day vulnerability that impacted many of its other products on multiple operating systems such as Windows, Mac and Linux. The new versions of Acrobat and Reader are 8.2.3 and 9.3.3, but Adobe strongly recommends using the version 9.x products.

A zero-day attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer.

Adobe products should automatically update when your system is on and connected to the Internet, but SecurityOrb.com asks that you verify this and initiate the process if it has not already occurred.

For more information on this topic, please refer to the following links:

Russian Spies used Steganography

The FBI arrested 11 suspected Russian spies for passing U.S. information to Russian spy agents using wireless networking and steganography.

Steganography is the process of writing hidden messages in such a way that no one, apart from the sender and intended recipient, knows of the existence of the message. It is a form of security through obscurity. The message can be hidden in pictures, text and many different forms.

For more on this story please refer to the links below:

The Economist – http://www.economist.com/node/16486569?story_id=16486569

Wired – http://www.wired.com/dangerroom/2010/06/alleged-spies-hid-secret-messages-on-public-websites/

Dark Reading – http://darkreading.com/insiderthreat/security/encryption/showArticle.jhtml?articleID=225701866

Linux Security – http://www.linuxsecurity.com/content/view/152728/169/

Ethical Vulnerability Disclosure

The debate on whether vulnerabilities should be disclosed to force a vendor to fix the problem in a reasonable period, or kept covert until a fix has been implemented, has been a big discussion in the Information Security field. Black Hats, White Hats and even Grey Hats have their opinions. I personally have disclosed a vulnerability I discovered to a vendor, and have known others who have as well, only to witness slow responses to rectify the matter, or no responses at all.

In an Enterprise IT Planet Staff.com article, one group feels immediate disclosure effects change at a brisker pace (WMF again) and encourages vendors to tighten up their development practices. Others point to the complexity of software today, where yesterday’s feature becomes today’s liability. They would say that out of respect for users, and the community at large, vendors should be given a chance to make things right.

What do you think?