SecGuru -

Boffin brings write once, run anywhere to Cisco hijacks

Param — Wed, 07 Jan 2009 06:40:33 -0800

A researcher has discovered a way to reliably exploit a known security vulnerability in a wide class of Cisco System routers, a finding that for the first time allows attackers to hijack millions of devices with a single piece of code.

The discovery by Felix "FX" Lindner of Recurity Labs in Berlin brings the write-once-run-anywhere approach of software development to the dark art of compromising routers that form the core of the internet. Previously, reliable exploit code had to be specifically fashioned to one of more than 15,000 different supported builds of IOS, or Internet Operating System, which run various Cisco devices.

"What FX has shown, conclusively, is that when something comes out that can potentially compromise your router, you have to get on it as you would get on a remote vuln, for, say, your domain controllers or database servers," said Dan Kaminsky, a fellow researcher who has reviewed Lindner's findings (PDF). "Router infrastructure has been conclusively proven to be as generically vulnerable as commodity operating systems."

Each image version of IOS loads programs in substantially different parts of the device's memory. Until now, the randomization made it virtually impossible for weaponized exploit code to know ahead of time where to stash malicious payloads for the specific device it was targeting. Lindner was able to work through this limitation by observing the behavior of software known as ROMmon, which is analogous to the ubiquitous bios software found on personal computers.

Phishing As Tragedy of the Commons

Param — Wed, 07 Jan 2009 06:32:17 -0800

Phishing As Tragedy of the Commons

View SlideShare document or Upload your own.

Securing Applications - Primer for Developers

Param — Wed, 07 Jan 2009 06:13:07 -0800

Securing Applications

View SlideShare presentation or Upload your own. (tags: security application)

Cisco IOS Attack & Defense - The State of the Art

Param — Wed, 07 Jan 2009 06:04:17 -0800

Cisco IOS Attack & Defense - The State of the Art

View SlideShare presentation or Upload your own.

HSBC strengthens online fraud defences

Param — Wed, 07 Jan 2009 06:02:22 -0800

HSBC has deployed a new authentication system to protect online and remote transactions from fraud.

Using the system provided by Authentify, the authentication process is isolated from the web, and user or transaction details must be entered via a telephone call synchronised to online sessions, making it more difficult for criminals to hack into accounts even when using compromised personal information.

The out-of-band system claims to offer the highest security with the most convenience, as opposed to two-factor authentication – whereby devices give customers automatically-generated one-time passcodes to use in conjunction with the password they already know – as a way to tackle fraud committed in cases where the cardholder is not present, such as online shopping.

Characteristics of Effective Incident Response

Param — Tue, 06 Jan 2009 08:51:30 -0800

There is a need for effective incident response, now more than ever. However, the key to incident response is incident preparedness. Responding without being prepared to respond correctly is what turns an incident into a major data breach and a major embarrassment.

Russian hackers - A global menace ?

Param — Tue, 06 Jan 2009 08:45:49 -0800

Not long ago, the simple, anonymous thrill of exposing chinks in American software was enough of a payoff for a Russian hacker.

Today it's cash. And almost all the targets are in the United States and Europe, where Russia's notorious hackers pilfer online bank accounts, swipe Social Security numbers, steal credit card data, and peek at email log-ins and passwords as part of what some estimate to be a $100 billion-a-year global cybercrime business.

And when it's not money that drives Russian hackers, it's politics - with the aim of accessing or disabling the computers, Web sites and security systems of governments opposed to Russian interests. That may have been the motive behind a recent attack on Pentagon computers.

A new generation of Russian hacker is behind America's latest criminal scourge. Young, intelligent and wealthy enough to zip down Moscow's boulevards in shiny BMWs, they make their money in cubbyholes that police thus far have found impossible to ferret out.

From behind the partition of anonymous online hacking forums, they boast about why they use their programming savvy to spam and steal, mostly from the West.

"Why should I take a regular job after graduating and exert myself to earn just $2,000 a month, rather than grab this chance to make money?" says a Russian hacker on an online forum that specializes in credit card fraud. "It makes sense to get as much as you can, as quickly as possible, rather than wasting time working for someone else."

Celebrity Twitter account hacks raise serious security questions

Param — Tue, 06 Jan 2009 08:42:24 -0800

IT security and control firm Sophos believes that the embarrassing defacements of celebrity Twitter accounts yesterday demonstrate a worrying security problem for micro-blogging service, Twitter.

Tools that normally only Twitter’s technical support team can use to help locked-out members reset their email address were accessed by hackers, enabling them to steal control of the accounts from their rightful famous owners.

Hackers have targeted the accounts of 33 high profile users with the latest attack, including Britney Spears, American news presenter Rick Sanchez, and president-elect Barack Obama. The message walls of the affected accounts were defaced with offensive or embarrassing messages, which have now been removed by Twitter staff.

IT execs losing ground on compensation, salary study says

Param — Tue, 06 Jan 2009 07:27:04 -0800

For those who make it to the top of the IT ladder, the pay can be great. But most IT executives are losing ground as a result of the economic recession, according to a new report released today by Janco Associates Inc.

Janco, a Park City, Utah-based IT consulting firm, said it found that the mean compensation for CIOs in large enterprises is now $168,839, a 6.11% decrease from a similar study it issued a year ago. In midsize organizations, the current average is $163,211, a drop-off of nearly 5%, said Janco, which cited reductions in bonuses and fringe benefits for the compensation declines.

Security will eat IT budgets in 2009, says survey

Param — Tue, 06 Jan 2009 07:16:47 -0800

Security budgets are increasing in 2009 to consume 12.6 percent of the entire IT operating budget, up from 11.7 percent in 2008, according to Forrester Research's survey of 942 IT and security managers in North America and Europe.

Staffing and upgrades to existing security technology are taking up over half of the IT security budgets overall, according to Forrester's report, ‘The State of Enterprise IT Security: 2008 to 2009'.

The survey also shows 20 percent of the available IT security funding this year is expected to go to security outsourcing, consultants and managed services, with another 18.5 percent targeting new security initiatives.

Full-disk encryption was cited as the top client security technology to be piloted or adopted this year, along with file-level encryption. About a fifth of the organisations also said they expected to pilot or adopt data-leak prevention during the next twelve months, though there appears to be less interest in desktop DLP than network-based DLP.