March 17, 2009
Security Breach Resources
Pulling security breach trends for different industries the past few months I came across a few good sources to help anyone that needs specific data.
Two sites I found with an abundance of information were:
Privacyrights.org hosts a chronological list of breaches several years back until present date with a brief description of the breach and the number of records affected.
Datalossdb.org hosts the actual breach notification letters that have been sent out.
For statistics and trends use these resources.
-
http://resources.mcafee.com/content/NAMcAfeeCriminologyReport (Requires Registration)
-
http://resources.mcafee.com/content/NAUnsecuredEconomiesReport (Requires Registration)
In general it looks like breaches frequency is about the same in 2007 and 2008. Problems seem to be related to basic items such as laptop theft, data left unencrypted, and your usual intruder attack.
December 28, 2007
More on MAC Security
So it appears Gartner has something to say about MAC security too. Here is an interesting article building on the MAC security issue. It’s just a matter of time before a major attack happens that hits the MAC platform. Another interesting tidbit is that the article points out that “Mac’s generally have to be patched one at a time”. Don’t get me wrong using both Macs and PCs can be good if the overall strategy supports security, but the key here is not to have a false sense of security.
http://news.yahoo.com/s/infoworld/20071228/tc_infoworld/94177;_ylt=AmF8ijFNlThIuDkLJJ6MHJEE1vAI
December 26, 2007
Army Says Mac’s Are More Secure! Are They?
An article was recently published about the Army adding Macs to improve security. Although diversifying vendors will usually make you more secure if used to support a defense-in-depth strategy, the context of the article supports a lack of knowledge or evidence to support the statements made on the Army’s part.
Article in Full:
http://news.yahoo.com/s/nf/20071224/bs_nf/57382;_ylt=AtIAHN4BI3dTDzpNM.n7xA8E1vAI
There is one particular statement that is worrisome whereas the Army security spokes person has been quoted “Apple’s version of Unix is inherently more secure than Windows”. Now I don’t claim to know all the facts but if you look at the links provided below the Mac OSx falls behind in 2007 and in the year 2004 has less advisories, but remains equally comparative percentage wise in regards to the number of critical vulnerabilities.
2007 Stats:
http://blogs.zdnet.com/security/?p=758
2004 Stats:
http://www.techworld.com/security/news/index.cfm?newsid=1798
Fortunately the article has a counter argument by Charlie Miller at the end supporting the fact that the Army needs to step it up with more then Macs when it comes to security strategy. He comments about Mac being “behind the curve in security”. Also has a great reference stating “In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house.” On the other hand diversifying is good if you use one product to backup the function of another project in the event one fails. So even though the pigs straw house was destroyed if that third pig could get to the brick house it would still survive.
November 13, 2007
Malware Embedded in Advertising – What is the Solution?
Malware is everywhere and becoming one of the most common security threats in the industry. The link below provides some insight into the seriousness of this issue.
There really is not a great solution for this problem at this time, but how can a company that serves adds mitigate the risk. There are several ways.
-
Ensure all ads that are uploaded are hashed in some way to ensure the add being delivered is the add uploaded by the client.
-
Use file monitoring tools like tripwire on image servers to help ensure that adds are not modified. This will also help provide proof if there is an actual attack on the add server.
-
Scan adds with anti-virus software. Although this will not catch everything it will catch some of the files.
-
Scan adds for known malware URL’s to prevent phishing type attacks. (This is like a signature based solution and takes a great deal of maintenance to keep up with the attackers)
-
Hope someone comes up with a good solution that can regularly scan all the adds for malware.
The above will help limit the liability of the ad company serving adds and has some preventive measures that can be implemented to protect both the add companies brand and their customers who may be uploading malware adds without knowing it.
November 8, 2007
IP Address BlackList
IP Address Blacklists are great for short time security events. This information is important for a paper that I am working. It took me a while to find this information again. I actually had to dig into an old email file to get all of the information because typical internet search engines were not providing good results.
Here is a good list of IP addresses and ranges that can be blacklisted to help prevent DOS attacks, etc. Before using this list be sure your organization does not have clients in the below ranges.
Dshield Top 10 Attack IP’s
http://www.dshield.org/top10.php
- 074.052.180.114
- 218.003.209.174
- 211.106.172.081
- 195.068.089.211
- 121.015.253.104
- 218.004.137.213
- 202.062.224.090
- 150.164.029.253
- 058.215.065.237
- 218.006.009.099
Dshield Recommend Block List
http://feeds.dshield.org/block.txt
| Start | End | Country |
| 121.150.29.0 | 121.150.29.255 | |
| 64.80.28.0 | 64.80.28.255 | |
| 81.3.254.0 | 81.3.254.255 | |
| 139.55.62.0 | 139.55.62.255 | US |
| 139.55.82.0 | 139.55.82.255 | US |
| 203.152.123.0 | 203.152.123.255 | NZ |
| 196.22.194.0 | 196.22.194.255 | ZA |
| 139.55.113.0 | 139.55.113.255 | US |
| 81.3.248.0 | 81.3.248.255 | |
| 202.144.113.0 | 202.144.113.255 | IN |
| 139.55.97.0 | 139.55.97.255 | US |
| 121.18.13.0 | 121.18.13.255 | |
| 81.3.250.0 | 81.3.250.255 | |
| 121.18.12.0 | 121.18.12.255 | |
| 139.55.103.0 | 139.55.103.255 | US |
| 74.86.127.0 | 74.86.127.255 | |
| 200.207.155.0 | 200.207.155.255 | BR |
| 206.51.136.0 | 206.51.136.255 | CA |
| 85.88.191.0 | 85.88.191.255 | |
| 217.175.179.0 | 217.175.179.255 |
Asia Pacific Black List
http://www.apnic.net/db/ranges.html#country
- 58.0.0.0/8
- 59.0.0.0/8
- 60.0.0.0/8
- 61.0.0.0/8
- 116.0.0.0/8
- 117.0.0.0/8
- 118.0.0.0/8
- 119.0.0.0/8
- 120.0.0.0/8
- 121.0.0.0/8
- 122.0.0.0/8
- 123.0.0.0/8
- 124.0.0.0/8
- 125.0.0.0/8
- 126.0.0.0/8
- 169.208.0.0/12
- 202.0.0.0/8
- 203.0.0.0/8
- 210.0.0.0/8
- 211.0.0.0/8
- 218.0.0.0/8
- 219.0.0.0/8
- 220.0.0.0/8
- 221.0.0.0/8
- 222.0.0.0/8
September 19, 2007
Data Leak! What Not to Do!
The other day I performed an external penetration test and obtained access using a default password (which is common) that was not changed. Afterwards I began looking up statistics on passwords and here is one of the links that was listed on a regular Google search.
http://staff.washington.edu/krl/stats/pwc/
Amazing that someone would to this day post such information out on a public website. Nice to know if this was my next external penetration target. Wait it gets better! Looking at the URL it was only obvious there had to be more so instead of going to the /pwc directory I modified the URL to go back one, which led me to these:
http://staff.washington.edu/krl/stats/
http://depts.washington.edu/ast/projects.old/
http://depts.washington.edu/ast/projects.old/pwedit.html
Thanks Ken for showing us all a perfect example of “What NOT to Do”! I especially enjoy the mention of the following:
-
Home directories /rc, /cg, /mailer
-
The mail server statistics that show me what appear to be system names and the number of entries in the etc/passwd file.
-
The large directory listing with a plethura of information
-
The nice picture of your license
- A password hash U:4001 A:2B314469 N:noyd P:MWlJQdaJvoxaE G:15 C:6
Ken
So why did I post this?
Two reason’s. One, I have a blog. Two because sometimes the best lesson you can learn is by seeing the mistakes of others. Of course I plan to send an email to Ken and show him this blog entry. If there is any follow-up to the story I will post another message.
July 12, 2007
Security Threat Statistics – Resources
Where do you get statistics and probabilities on threats? It seems organizations always ask for hard facts on threat statistics, but the research doesn’t appear to be very mature. Creating a good threat library and making a best guest effort seems to be common practice among others in the security industry. There are a few good sources for this information that exist such as:
- CERTs Ecrime Surveys
- The National Counter Terrorism Center
- FEMA
- Workshare Reports
And then you have all kinds of different sites that can help you build a threat library but are lacking statistics such as:
- Georgia Institute of Technology
http://www.oit.gatech.edu/information_security/architecture/threat.html
Some of these sources were used to start the ISM’s list, but my involvement has slipped, however time and time again there is a need for this information. If anyone has other good resources let me know and I will add them to the links page and see about getting some of this information into the ISM community threat library.
