<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Information Security</title>
      <link>http://blog.vcu.edu/infosec/</link>
      <description></description>
      <language>en</language>
      <copyright>Copyright 2009</copyright>
      <lastBuildDate>Mon, 04 Aug 2008 16:12:02 -0500</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

      
      <item>
         <title>Think before you click &quot;send&quot;</title>
         <description><![CDATA[The Internet is littered with countless stories of individuals who sent emails they <a href="http://www.latimes.com/business/la-forbes-email9-2008jul09,0,888776.story">shouldn't have</a> or sent emails to <a href="http://articles.latimes.com/2008/may/21/business/fi-mozilo21">unintended recipients</a>.  Before you send an email, ensure that it's going only to the intended recipients, and think twice about sending it if it could have a negative impact if it were read by an unintended recipient.

And if you are planning on sharing confidential VCU data with someone via email, be sure to encrypt it or to utilize a different secure method to share it instead.  VCU's <a href="http://www.ts.vcu.edu/security/ismanagement/VCUSecurityStandardforEmail.pdf">Security Standard for Transmission of Confidential Data Through Email</a> prohibits transmission of confidential data via email unless it's encrypted.]]></description>
         <link>http://blog.vcu.edu/infosec/2008/08/think-before-you-click-send.html</link>
         <guid>http://blog.vcu.edu/infosec/2008/08/think-before-you-click-send.html</guid>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">email</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">encryption</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">policy</category>
        
         <pubDate>Mon, 04 Aug 2008 16:12:02 -0500</pubDate>
         
      </item>
      
      <item>
         <title>GIFAR attack - it looks like an image, but it has a malicious payload</title>
         <description><![CDATA[At this week's Black Hat security conference, researchers will discuss an attack which they've coined the <a href="http://blogs.zdnet.com/security/?p=1619">GIFAR attack</a>.  The attack involves combining a JAR (Java Archive) file with another file, such as a GIF image file (GIF + JAR = GIFAR).  The user's browser would consider the file a valid image file and display it properly, but the Java Virtual Machine (JVM) on the user's computer would also treat it as a JAR file, executing the 2nd part of the file as a Java applet.  And for clarity, the JAR files can be combined with other file types, such as JPEG images or Word documents.

Why is this a problem?  It's a problem because many websites allow users to upload content and most of them are not doing a sufficient job of sanitizing the content.  Those websites which do perform input validation (sanitization) typically do little more than confirm that the uploaded file has an acceptable file extension.  And though some media coverage implies specific widely used websites such as Facebook, MySpace and Google may be vulnerable, this has the potential to impact any website which does insufficient user content sanitization.

As a user, you don't know which of the websites you interact with do sufficient sanitization.  And if you're tricked into running a malicious Java applet, it will run in the same context as the website it was loaded from.  That means that the attacker could do things like hijack the user's session (gain unauthorized access to the website, masquerading as the target user).

And if a system has really bad security controls, it may even be possible to target a user on a trusted system behind the same firewall as the website in order to perform <a href="http://www.gnucitizen.org/blog/java-jar-attacks-and-features/">attacks against the server hosting the website</a>.

One of the researchers, Nathan McFeters, mentioned that this isn't the first such attack vector, and that even if Sun patches the JVM, <a href="http://blogs.zdnet.com/security/?p=1635">new attack vectors will arise</a>.  The lesson?  Don't trust content from users.  And properly sanitize it.]]></description>
         <link>http://blog.vcu.edu/infosec/2008/08/gifar-attack-it-looks-like-an.html</link>
         <guid>http://blog.vcu.edu/infosec/2008/08/gifar-attack-it-looks-like-an.html</guid>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">input validation</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">vulnerability</category>
        
         <pubDate>Sat, 02 Aug 2008 09:33:10 -0500</pubDate>
         
      </item>
      
      <item>
         <title>SANS web application security course</title>
         <description><![CDATA[The SANS Institute is offering their Web Applications Security Essentials course (<a href="http://www.sans.org/training/description.php?mid=1042">SEC422</a>) via their @Home (webcast) program.  There's a 40% discount for those who attended their now defunct Web Application Security Workshop in the last 18 months.  VCU <a href="http://www.pubinfo.vcu.edu/web/sans/default.htm">hosted that course</a> last June and numerous VCU staff attended it.

<a href="https://www.sans.org/athome/about.php">@Home</a> consists of live webcasts, though if you miss any they're available via their archive.  The course is being taught by <a href="http://www.sans.org/training/instructors.php#Baccam">Tanya Baccam</a>.  For the lowest price, <a href="https://www.sans.org/athome/details.php?nid=13124&utm_source=e-mail&utm_medium=invite&utm_content=20080611_@Home_SEC522_0908&utm_campaign=SANS_@Home&ref=29544">register</a> by August 6th.]]></description>
         <link>http://blog.vcu.edu/infosec/2008/07/sans-web-application-security.html</link>
         <guid>http://blog.vcu.edu/infosec/2008/07/sans-web-application-security.html</guid>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">training</category>
        
         <pubDate>Thu, 31 Jul 2008 16:09:15 -0500</pubDate>
         
      </item>
      
      <item>
         <title>Application feature - alerting user of concurrent sessions</title>
         <description><![CDATA[Earlier this month Google's Gmail added several <a href="http://gmailblog.blogspot.com/2008/07/remote-sign-out-and-info-to-help-you.html">new security features</a> to the latest version of Gmail.

A user can now see a list of current open sessions associated with the user's account.  See an open session from an IP address you don't recognize or an access type you don't use (Mobile for example)?  It may be indicative of a compromised account.  Perhaps your password has been compromised or perhaps you accessed Gmail from a friend's laptop.  You can change your password (which you could already do, obviously), then click the "Sign out all other sessions" button.

Like web systems at many financial institutions, recent activity is also listed.  However, unlike most I've seen, Gmail shows activity from more than just the last login - the last 5 logins in fact.

When designing web apps, consider incorporating features like these.]]></description>
         <link>http://blog.vcu.edu/infosec/2008/07/application-feature-alerting-u.html</link>
         <guid>http://blog.vcu.edu/infosec/2008/07/application-feature-alerting-u.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Information Security</category>
        
        
         <pubDate>Wed, 30 Jul 2008 14:58:29 -0500</pubDate>
         
      </item>
      
      <item>
         <title>Companies collect and share your data - check it for free</title>
         <description><![CDATA[Numerous private organizations collect data about you and share it with your creditors, employers and insurers.  The Fair Credit Reporting Act <a href="http://www.ftc.gov/bcp/conline/edcams/freereports/index.html">requires</a> that the 3 national consumer reporting companies (Equifax, Experian and TransUnion) each provide you a free copy of your credit report at your request once every 12 months.  You can request all 3 at the same time or you can stagger them.  It's your choice.  The only authorized online source is <a href="https://www.annualcreditreport.com/">annualcreditreport.com</a>.  Some of the information in these reports may be inaccurate.  Fortunately, you have the right to dispute the information in order to get it corrected.

But other organizations have your information as well.  For example, ChoicePoint has 3 separate companies which maintain information on you - insurance claims, employment history and tenant history.  You can <a href="http://www.choicepoint.com/factact.html">request copies</a> of these reports for free as well.  However, if you're concerned about what may appear in a background check, it'll likely cost you, since they often conduct research by contacting past employers, courts, and colleges you attended, and they're not required to conduct that research for free.  And plenty of <a href="http://www.businessweek.com/magazine/content/08_23/b4087054129334.htm">background check horror stories</a> have been published.]]></description>
         <link>http://blog.vcu.edu/infosec/2008/07/companies-collect-and-share-yo.html</link>
         <guid>http://blog.vcu.edu/infosec/2008/07/companies-collect-and-share-yo.html</guid>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">integrity</category>
        
         <pubDate>Mon, 28 Jul 2008 17:37:50 -0500</pubDate>
         
      </item>
      
      <item>
         <title>&quot;Spam King&quot; sentenced, but another spammer escapes</title>
         <description><![CDATA[In a victory for email recipients everywhere, "Spam King" Robert Soloway was <a href="http://www.scmagazineus.com/Spam-King-sentenced-to-47-months/article/112808/">sentenced</a> to 47 months in federal prison.  Soloway had been accused of violating the federal <a href="http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.shtm">CAN-SPAM Act</a>.  In loosely related news, convicted spammer Edward "Eddie" Davidson <a href="http://www.scmagazineus.com/Convicted-spammer-escapes-from-prison/article/112810/">escaped</a> from a minimum security federal prison camp in Colorado after serving 5 weeks of a 21 month sentence.  Perhaps the Spam King will serve his time in a facility that's a little more secure.]]></description>
         <link>http://blog.vcu.edu/infosec/2008/07/spam-king-sentenced-but-anothe.html</link>
         <guid>http://blog.vcu.edu/infosec/2008/07/spam-king-sentenced-but-anothe.html</guid>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">legal</category>
        
         <pubDate>Fri, 25 Jul 2008 16:32:09 -0500</pubDate>
         
      </item>
      
      <item>
         <title>SSN exposure at University of Maryland</title>
         <description><![CDATA[The University of Maryland mailed parking brochures to about 24,000 students on July 1st.  Each student's Social Security number was <a href="http://chronicle.com/wiredcampus/article/3183/social-security-numbers-of-u-of-maryland-students-exposed">included on a mailing label</a> attached to the brochure.  The school discovered the problem on the 8th.  It's recommending that recipients place a free 90 day fraud alert on their consumer credit and the school is offering a <a href="http://www.transportation.umd.edu/parkingmailer/">free year of credit monitoring</a> with Equifax.]]></description>
         <link>http://blog.vcu.edu/infosec/2008/07/ssn-exposure-at-university-of.html</link>
         <guid>http://blog.vcu.edu/infosec/2008/07/ssn-exposure-at-university-of.html</guid>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">breach</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">confidentiality</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">highered</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">ssn</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">unauthorized disclosure</category>
        
         <pubDate>Thu, 24 Jul 2008 10:59:33 -0500</pubDate>
         
      </item>
      
      <item>
         <title>The cat&apos;s out of the bag - DNS flaw details revealed</title>
         <description><![CDATA[On July 9th security researcher Dan Kaminsky <a href="http://www.doxpara.com/?p=1162">announced a serious flaw in DNS</a>.  Dan had been <a href="http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/">working with vendors</a> to address it, but he refused to share the details until <a href="http://www.blackhat.com/html/bh-usa-08/bh-us-08-main.html">Black Hat USA 2008</a> in August.  But now the cat's out of the bag.  Halvar Flake <a href="http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html">took a stab at it</a>, then Matasano Chargen accidentally posted <a href="http://thefrozenfire.com/data/dnspoisoning.html">full details about it</a>, then <a href="http://www.doxpara.com/?p=1176#comments">Dan cryptically acknowledged</a> it had been disclosed.

The flaw makes it possible to perform <a href="http://www.kb.cert.org/vuls/id/800113">DNS cache poisoning attacks</a>.  DNS (Domain Name System) is analogous to a phone book.  Your computer sends a hostname to a DNS server and it returns a numeric IP address, in the same way that you look up a name in a phone book to find out a phone number.  If a DNS cache poisoning attack is performed successfully, your computer is returned an IP address that belongs to the attacker instead of the correct IP address.

This is serious since all Internet services (web, email, IM, etc.) rely on DNS.  You could think you're logging into Bank of America, but really be logging into the attacker's website.  Same with your email.  Then the attacker would have your login credentials and any other information you entered.

If you manage a DNS server, patch it ASAP.

To check if the DNS server you use is vulnerable, visit <a href="http://www.doxpara.com/">DoxPara</a> and click "Check My DNS".  If you're checking from your home Internet connection, this is likely your ISP's DNS server.]]></description>
         <link>http://blog.vcu.edu/infosec/2008/07/the-cats-out-of-the-bag.html</link>
         <guid>http://blog.vcu.edu/infosec/2008/07/the-cats-out-of-the-bag.html</guid>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">DNS</category>
        
          <category domain="http://www.sixapart.com/ns/types#tag">vulnerability</category>
        
         <pubDate>Wed, 23 Jul 2008 13:19:56 -0500</pubDate>
         
      </item>
      
      <item>
         <title>Distance education required to play Big Brother?</title>
         <description><![CDATA[There's a bill in Congress related to the Higher Education Act, which has implications for schools with distance education programs.  <a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_bills&docid=f:h4137rfs.txt">The bill</a> includes a single sentence that states that such institutions must implement processes to verify that a student who registers for a course (or program) is the same as the one who participates in it.  Here's what it says:

<blockquote>the agency or association requires an institution that offers 
distance education to have processes through which the institution 
establishes that the student who registers in a distance education course 
or program is the same student who participates in and completes the 
program and receives the academic credit</blockquote>

And the bill goes to great lengths to define distance education, but it boils down to any course in which the instructor and students are separated.  VCU offers <a href="http://www.ts.vcu.edu/faq/dist_ed/distance_ed.html">such courses</a>.

An article in <a href="http://chronicle.com/free/v54/i46/46a00103.htm">The Chronicle of Higher Education</a> explores some of the technologies which are available to help with user authentication.  These include tried and true technologies like fingerprint readers and challenge questions, as well as keystroke pattern analysis and webcam photos reviewed by remote proctors.  With authentication there are 3 categories of choices - methods that rely on something the user has, something the user knows and something the user is.  When the risk to mitigate involves willful deceit by the user, the first method is useless and the second is difficult to implement effectively, since it's trivial for a person to share basic information that could be asked.  So it's likely that the types of technologies adopted will consist of biometrics (such as fingerprint scans, retina scans and <a href="http://www.newscientist.com/blog/invention/2007/06/digit-saving-biometrics.html">subdermal capillary patterns</a>) and visual comparison of the student to a baseline image.

Of course, technology like this has a cost.  In addition to a financial component there are privacy and usability concerns.  But there are some larger issues that need to be considered.

1. Is cheating more rampant in a distance education course than in a traditional classroom environment?

2. How is the authenticity of the baseline sample being ensured?

If a school needs to collect a photo of the student or digitize a fingerprint as part of the enrollment process to use for authentication, the school needs to be sure the individual who submits that information is in fact who they claim to be.  If a person masquerades as another throughout the entire process, a person could conceivably earn a degree without completing any work.  To close the gap the person's identity needs to be verified during enrollment.  A less effective control would be to publish sufficient information from a student's academic record and a photo online.  But an individual's appearance changes over time and if two people resemble each other enough, they can still defeat the system.]]></description>
         <link>http://blog.vcu.edu/infosec/2008/07/news-distance-education-requir.html</link>
         <guid>http://blog.vcu.edu/infosec/2008/07/news-distance-education-requir.html</guid>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">news</category>
        
         <pubDate>Tue, 22 Jul 2008 08:57:12 -0500</pubDate>
         
      </item>
      
      <item>
         <title>San Francisco&apos;s rogue network admin</title>
         <description><![CDATA[The lead network engineer for the city of San Francisco was arrested a week ago and charged with 4 counts of computer tampering.  He is being held on $5 million bail for <a href="http://blog.wired.com/27bstroke6/2008/07/sf-city-charged.html">refusing to hand over the administrative password</a> to the WAN, FiberWAN, which carried more than 60% of the city government traffic.  Yes, $5 million.  As of today he still hasn't handed it over.  The password is needed to make changes to the configuration of network equipment like routers and switches.

This is a fascinating story.  He's being accused of all sorts of behavior - facilitating remote network access so confidential data could be destroyed, covertly reading coworkers' emails, and taking pictures of the female head of security during a password audit.  However, it seems that there's <a href="http://www.infoworld.com/article/08/07/18/30FE-sf-network-lockout_1.html">a lot more to this story</a>.

There are some key lessons.

1. Ensure that at least 2 people have access to all administrative passwords.

2. Back up all system configuration files on a regular basis to storage media with restricted access.

3. Ensure that at least 2 people can perform every business function.

4. Document all systems and processes.

5. Establish a written information security policy.]]></description>
         <link>http://blog.vcu.edu/infosec/2008/07/news-san-franciscos-rogue-netw.html</link>
         <guid>http://blog.vcu.edu/infosec/2008/07/news-san-franciscos-rogue-netw.html</guid>
        
        
          <category domain="http://www.sixapart.com/ns/types#tag">news</category>
        
         <pubDate>Mon, 21 Jul 2008 10:37:26 -0500</pubDate>
         
      </item>
      
      <item>
         <title>Only 41% of web browsers are fully patched</title>
         <description><![CDATA[According to a <a href="http://www.pcworld.com/businesscenter/article/147776/study_unpatched_web_browsers_prevalent_on_the_internet.html">study</a> published on July 1st, on any given day only 41% of web browsers are fully patched.  The data came from visits to Google websites worldwide between January 2007 and June 2008.

Not surprisingly, Firefox came out on top because of its single click auto-update technology which alerts users of new versions and then allows them to upgrade with a single click.

The percentage of users using the latest version of their browser:

Firefox -  83%
Safari - 65%
Opera - 56%
Internet Explorer - 48%

More details can be found in the <a href="http://www.techzoom.net/publications/insecurity-iceberg/">full research paper</a>.]]></description>
         <link>http://blog.vcu.edu/infosec/2008/07/only-41-of-web-browsers-are-fu.html</link>
         <guid>http://blog.vcu.edu/infosec/2008/07/only-41-of-web-browsers-are-fu.html</guid>
        
          <category domain="http://www.sixapart.com/ns/types#category">Information Security</category>
        
        
         <pubDate>Thu, 10 Jul 2008 17:44:10 -0500</pubDate>
         
      </item>
      
      <item>
         <title>Vulnerability in Word</title>
         <description><![CDATA[A vulnerability has been <a href="http://secunia.com/advisories/30975/">reported</a> in Microsoft Word, which can be exploited by malicious people to compromise a user's system.  It's known to affect Word 2002 SP3 and is not believed to affect other versions.  No patch has been released.  Microsoft suggests viewing Word documents using their Viewer software instead.]]></description>
         <link>http://blog.vcu.edu/infosec/2008/07/alert-vulnerability-in-word.html</link>
         <guid>http://blog.vcu.edu/infosec/2008/07/alert-vulnerability-in-word.html</guid>
        
        
         <pubDate>Thu, 10 Jul 2008 10:09:09 -0500</pubDate>
         
      </item>
      
   </channel>
</rss> 