Sunday, December 25, 2011

Thursday, December 15, 2011

A nice article about tokenization methods

The article also covers preventing discrepancies and inconsistencies between token-generating servers that back one another up, and gives some insight into the relative importance (in some scenarios) of using a deterministic method for generating tokens.
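To make the consistency point concrete, here is an added example (not from the article or from Comsec) contrasting two backup token servers that draw random tokens from local vaults with two that derive the token deterministically from a shared HMAC key; the token format, PAN and key are constructed:

```python
import hashlib
import hmac
import secrets

# Constructed scenario: two token servers that back each other up. Tokens
# replace the card number (PAN); here the format is 12 digits + last four.

class RandomTokenServer:
    """Draws a random token and records it in a vault local to this node.
    Two such nodes only agree if they share (and synchronize) the vault."""
    def __init__(self):
        self.vault = {}                      # PAN -> token, this node only

    def tokenize(self, pan: str) -> str:
        if pan not in self.vault:
            body = "".join(str(secrets.randbelow(10)) for _ in range(12))
            self.vault[pan] = body + pan[-4:]
        return self.vault[pan]


class DeterministicTokenServer:
    """Derives the token from HMAC(key, PAN); every node holding the same
    key produces the same token with no vault synchronization at all."""
    def __init__(self, key: bytes):
        self.key = key

    def tokenize(self, pan: str) -> str:
        mac = hmac.new(self.key, pan.encode(), hashlib.sha256).digest()
        body = str(int.from_bytes(mac[:8], "big") % 10**12).zfill(12)
        return body + pan[-4:]


def consistent(server_a, server_b, pan: str) -> bool:
    """True when both backup nodes return the same token for one PAN."""
    return server_a.tokenize(pan) == server_b.tokenize(pan)


PAN = "4111111111111111"            # constructed test card number


def demo() -> tuple:
    """(random servers agree?, deterministic servers agree?)"""
    random_agree = consistent(RandomTokenServer(), RandomTokenServer(), PAN)
    key = b"shared-key-provisioned-to-both-nodes"   # constructed secret
    det_agree = consistent(DeterministicTokenServer(key),
                           DeterministicTokenServer(key), PAN)
    return random_agree, det_agree


if __name__ == "__main__":
    print(demo())                    # prints (False, True)
```

The deterministic scheme still needs a vault for detokenization, and the HMAC key becomes as sensitive as that vault: anyone holding it can recompute the token for a guessed card number.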

Wednesday, November 9, 2011

Attaching a nice presentation on the topic of click-jacking.

The presentation and site also describe a "mobile" version of click-jacking named tap-jacking, and stress the importance of addressing these threats on the mobile versions of sites as well (where a specific mobile version was developed at all).

Thursday, November 3, 2011

Symantec uncovers Nitro attacks targeting chemical industry

Symantec has revealed yet another large-scale targeted cyber attack, this time designed primarily to steal information from chemical and defense companies.
The attack, which seems to be related to China, is part of a growing overall trend in the chemicals market of stealing intellectual property.
The discovery comes during a year in which many similar attacks have been uncovered, including Night Dragon, Shady RAT and Lurid, all apparently designed to covertly steal intellectual property from a range of organizations. 

Attached is the original Reuters link, which first published the news, along with a more detailed analysis of the attack.

Tuesday, November 1, 2011

Duqu vs. Stuxnet – more of the same?

Duqu, the newly discovered malware, has been named by many a 'predecessor to Stuxnet', but in fact this piece of sneaky code has both resemblances to and differences from the notorious worm.

A variety of anti-malware researchers and firms recently reported that Duqu's structure, in terms of files and some internal logic, is almost identical to its alleged predecessor, which suggests close familiarity with the Stuxnet source code on the part of whoever built it.
One of the firms even identified Duqu as a version of Stuxnet, and their automatic malware analysis determined that it was Stuxnet itself.

On one hand, Duqu is signed with a legitimate digital certificate; Stuxnet did the same with a different certificate, which was of course revoked upon discovery.
On the other hand, the purpose of Duqu is entirely different. Some of the uncovered features include keylogging, self-destruction that also removes many of its traces, transmission of the collected data to a Command and Control server in encrypted files, and strange image files that are still under investigation.

Nonetheless, Duqu's level of sophistication is rare, and its raison d'être remains unknown.
Keep an eye on this one, as the story of Duqu's history is slowly revealed.

Tuesday, October 25, 2011

It seems that the RSA/EMC case is still making waves

The latest news claims that more than 760 organizations, 20% of them Fortune 100 companies, may have been compromised following RSA's data breach in March 2011, according to a report on KrebsOnSecurity.

Facebook, Google and Cisco Systems are just a few of the many organizations that were targets of malware using the same command and control (C&C) infrastructure as that used in the RSA attacks, according to the report, though critical information on how the data was compiled and on its source was not provided.

Note that KrebsOnSecurity has not (yet) revealed its sources, so this information should be treated carefully for now.

Sunday, October 2, 2011

Biometrics: protection or violation? Part B

We'll now continue our previous post on biometrics. In this post we'll present the main disadvantages of, and concerns about, biometrics. As stated in the previous post, what follows is not Comsec's opinion.

First of all, a main concern relates to privacy. Many people believe that maintaining a biometric database in which different personal biometric attributes are stored is a straightforward violation of their privacy. They argue that centralized control over these individual "assets" is a landslide waiting to happen. First, such a database sometimes hands control to autonomous organizations that may use these details for purposes other than security, and second, a security breach or leak may expose the individuals in it to further violations. Privacy supporters worry that databases holding vast amounts of personal information will probably be used for purposes other than airport security screening and enforcing immigration laws and regulations, such as pinpointing the location of individuals and various surveillance operations, reducing a person's freedom.
Second, many also find the biometric interaction itself intrusive. For example, having a retina scan for the purpose of identification makes some people uncomfortable. These privacy advocates often claim that biometric systems are intrusive and do not enhance security much. To put it simply, in their view the security cons of biometrics outweigh the pros.
We'll continue with a few more disadvantages:
1. Biometric devices and mechanisms are non-cancellable: a damaged (or compromised) body part cannot be replaced as easily as a password. This is why you have to enroll several attributes when activating biometric identification, different fingers for example.
2. System performance can also add to the advantages or disadvantages of a given biometric system. A system with a low "false accept rate" is beneficial and desired, and the same goes for a system with a low "false reject rate". However, this performance isn't easily achieved, especially in different environments such as field conditions.
To sum things up, advocates of the concerns above will probably empathize with Prof. Adi Shamir's quote:
"The government will give you full privacy, until they want information on you."
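Point 2 above is easier to reason about with numbers. The following added example (not part of the original post) computes the false accept and false reject rates of a hypothetical matcher at a chosen threshold, finds the threshold where the two are balanced, and shows how degraded field conditions shift the genuine scores; all score values and the degradation model are constructed assumptions:

```python
# Constructed match scores from a hypothetical matcher (higher = more similar).
# GENUINE: attempts by the enrolled person; IMPOSTOR: attempts by other people.
GENUINE = [0.91, 0.88, 0.83, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55, 0.48]
IMPOSTOR = [0.12, 0.20, 0.27, 0.33, 0.38, 0.44, 0.50, 0.57, 0.63, 0.71]


def false_accept_rate(impostor, threshold):
    """Share of impostor attempts the system accepts (score >= threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_reject_rate(genuine, threshold):
    """Share of genuine attempts the system rejects (score < threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def rates_at(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """(FAR, FRR) at one decision threshold: raising it lowers FAR but raises FRR."""
    return (false_accept_rate(impostor, threshold),
            false_reject_rate(genuine, threshold))


def equal_error_point(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) where the two rates are closest, trying every
    observed score as a candidate threshold (the usual EER summary)."""
    best = None
    for t in sorted(set(genuine + impostor)):
        far, frr = rates_at(t, genuine, impostor)
        if best is None or abs(far - frr) < best[0]:
            best = (abs(far - frr), t, far, frr)
    return best[1:]


def under_field_conditions(scores, loss=0.15):
    """Field conditions (worn fingers, dirt, poor lighting) depress genuine
    scores; modelled here, as an assumption, by subtracting a fixed loss."""
    return [max(0.0, s - loss) for s in scores]


if __name__ == "__main__":
    print(rates_at(0.61), equal_error_point())
    print(false_reject_rate(under_field_conditions(GENUINE), 0.61))
```

With the constructed scores the balanced threshold is 0.61 (FAR and FRR both 20%); keeping that threshold under the modelled field conditions pushes the false reject rate to 60% without changing FAR, which is the tuning problem the post alludes to.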

Monday, September 5, 2011

Biometrics: protection or violation?

In light of the current talk about the Israeli biometric database, we'll preview the main advantages of biometrics. In the next post we'll present the disadvantages. The objective of this post is not to state an opinion but to shed light on the topic.

Authentication is one of the most widely used forms of security and serves as the most basic security mechanism. Biometrics technology refers to the automatic identification of a person based on his or her physiological or behavioural characteristics. Biometric authentication technology can therefore be seen as the future trend of security systems.

Biometric devices consist of a reader or scanning device, software that converts the scanned information into digital form, and, wherever the data is to be analyzed, a database that stores the biometric data for comparison with previous records. There are many different types of biometric systems available, for example fingerprint-based systems. Fingerprint systems are the most common type of biometrics and work by scanning the tips of one or more fingers and comparing the scans against known images stored in a dedicated database. Other systems, such as facial recognition, voice recognition and further scientific biometric approaches, work in a similar way.

Biometrics is a fast-developing technology with important applications in various areas of activity, civil and security (counter-terrorism) alike. Many applications can achieve a security improvement through biometric use, by drastically reducing the risk of the system's security being compromised, but also by eliminating the need for much of the operation and management overhead. This post's goal is to look at the various advantages offered by this technology and to answer questions regarding biometric security effectiveness and privacy concerns, and to explain why this technology will surely have a positive influence on many aspects of our life.

The first advantage that can be noted is the enhancement of system security by implementing this accurate and reliable mechanism. This technological and fast way of handling security is preferred over traditional methods involving passwords and PINs for various reasons. First of all, the person to be identified is required to be physically present at the point of identification, and secondly, identification based on biometric techniques eliminates the need to remember a password or carry a physical token. With biometric technology protecting your systems, fraud and compromise of system security by an adversary are unlikely and can be dealt with in various ways. The direct benefit of improved system security is keeping meaningful confidential information safe, an achievement that improves company revenues and the overall efficiency of an organization.

Another important advantage that can be obtained with biometric systems is the identification of terrorism and criminal suspects. The September 11, 2001 attacks are definitely a milestone that changed people's attitudes toward its use. Americans and the international community overwhelmingly approved of the use of biometric technology in airports and public facilities in order to pursue suspected terrorists. Positive results, namely the capture and identification of terrorists, gave rise to highly persuasive arguments in favor of biometric systems, claiming that they can work and help identify suspects who have already been identified as criminals or members of criminal or terrorist networks.

Privacy is one of the most important features of any commercial application, especially in a biometric environment. Concerns about privacy violation are believed to be the main flaw of biometric authentication and its accompanying infrastructure (databases that hold private information and intimate characteristics). There is no doubt that users will be apprehensive about making their most intimate characteristics available for scrutiny. In response to these important issues, policy leaders and system regulators have implemented and enforced government regulations that place the biometric infrastructure under accountable and trusted authorities, an act that lessens and in some cases eliminates privacy concerns.

In conclusion, biometric authentication technology displays unique attributes that will leave their positive marks in everyday life. Some of these being:
1. System security improvement.
2. "Fighting" terror and crime.
3. Reduction in security operation and management overhead.
4. Simplifying daily tasks while enhancing security and reliability.

Hopefully the advancement in biometrics will continue at the present pace, standardizing the technology worldwide.

Thursday, August 4, 2011

The beauty of cryptography

Cryptography is an ancient art. However, it is only in the last 40-50 years that it has evolved and gained considerable roots and applications as different topics in computer science have evolved.
The main problem that we deal with is a scenario in which Alice wants to send Bob a message over an insecure channel. The best-known cryptographic primitive that helps protect Alice's message (keep it secret) is encryption. Keeping that in mind, it's important to understand that cryptography consists of other useful and important security "gems", such as:
1) Digital signatures,
2) Cryptographic hash functions,
3) Message authentication codes,
4) Zero knowledge proofs and much more.
Most importantly, these cryptographic gems help us meet security requirements where information security solutions not based on cryptography fail or don't fully comply.

Our goals:
The cryptographic utilities above help us achieve different goals, depending on the threat model we're facing. The main issues are:
1) Confidentiality (secrecy),
2) Integrity,
3) Availability (the first three together make up the well-known CIA triad),
4) Authentication,
5) Non-repudiation,
6) Completeness (security of protocols).

Applications and real world use cases:
The beauty of cryptography lies in the vast prospect it holds for achieving security, privacy and completeness in different real world situations and systems, such as online auctions, e-voting, electronic cash, information retrieval and the privacy of health records, to name a few.
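Goals 1 and 2 above are distinct, and the following added example (not from the original post) shows why: a toy keystream cipher, constructed here for illustration and not a real cipher, keeps Alice's payment message confidential, yet a single byte flip on the ciphertext changes what Bob reads, while an HMAC tag (encrypt-then-MAC) makes the same flip detectable. Keys, nonce and message are constructed:

```python
import hashlib
import hmac

# Toy keystream cipher, constructed for illustration only (not a real
# cipher): keystream block i = SHA-256(key || nonce || i), XORed with data.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))

decrypt = encrypt                     # XOR is its own inverse

def flip_bytes(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Why confidentiality alone is not integrity: XORing old^new into the
    ciphertext turns the decrypted bytes at `offset` from old into new, and
    a receiver with no integrity check cannot tell."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: the HMAC tag covers nonce and ciphertext."""
    ct = encrypt(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Plaintext, or None when the tag does not verify (message rejected)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return decrypt(enc_key, nonce, ct)

def demo() -> tuple:
    """Same byte flip on a constructed payment message, with and without a MAC:
    (what Bob reads with encryption only, what Bob gets with the MAC)."""
    enc_key, mac_key, nonce = b"e" * 32, b"m" * 32, b"n" * 16   # constructed
    msg = b"PAY 0100 TO BOB"
    forged = flip_bytes(encrypt(enc_key, nonce, msg), 4, b"0100", b"9900")
    blob = seal(enc_key, mac_key, nonce, msg)
    forged_blob = blob[:16] + flip_bytes(blob[16:-32], 4, b"0100", b"9900") + blob[-32:]
    return decrypt(enc_key, nonce, forged), open_sealed(enc_key, mac_key, forged_blob)

if __name__ == "__main__":
    print(demo())   # prints (b'PAY 9900 TO BOB', None)
```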

Monday, July 11, 2011

Cyber Security Today

Computer crimes and acts of cyber-terrorism constitute a real threat to the activities of organizations and companies in the public and business sectors alike: from establishing phishing sites to steal personal data, identity theft and theft of funds, through the introduction of viruses and other malicious software into information systems, to taking over sites and disrupting national infrastructures.
Whether the motive is criminal or political and ideological, and whether the target is a business entity or a public body, the consequences can be very severe and lead to real damage to business activity and/or public enterprise:
• loss of critical information
• disruption of technological systems, up to work stoppage
• disruption of, and vulnerability in, business, public and political processes
• significant damage to the public image of business organizations
• disruption of national and security infrastructures

Hackers today are no longer kids playing from their garage. They are serious.

Monday, July 4, 2011

Security in mobile applications

Applications on mobile devices are now an integral part of the business activities of enterprises. These applications require exposing enterprise information outside the organization and allow two-way interaction anywhere, anytime. In addition, many applications, business applications included, store sensitive or personal data.
This expansion of the organization's boundaries into the "mobile world" brings a wide range of specific threats to the organization's critical data, and therefore companies wishing to join the mobile revolution must prepare properly for the security threats involved.
Here are some information security challenges in the mobile world:
1 - secure storage of sensitive information on mobile devices
2 - protection of sensitive information (passwords, credit card information, personal data, etc.) while it is sent to and from the mobile device
3 - dealing with hostile activity by hackers, viruses, spyware, malware and other applications
4 - preventing unauthorized access to personal information such as email addresses, location information and more
Make sure your mobile devices are secured.

Tuesday, February 15, 2011

The Evolution of Data Loss Prevention

Data loss has become an important problem which must be addressed in many types of organizations. Despite increased awareness and more sophisticated security measures, the number of reported data breaches continues to grow, with high profile incidents frequently gracing the headlines. In 2009, 735 data loss incidents were reported, an increase of 39% over the incidents reported in 2008 (Open Security Foundation, 2009). With the average number of records lost per incident standing at over 750,000, the cost to organizations in terms of financial loss, fines, reputation damage and legal costs can often amount to millions of dollars.

This increase can be attributed in part to new legislation in countries including the US, UK, Germany and Russia, which forces organizations to report data loss, and in part to the trend of greater data centralization. This in turn both increases the impact of a data loss incident and creates an incentive for malicious external attackers.

As technologies have advanced and working practices have altered, the possible routes of data loss have become complicated and numerous, making countermeasures difficult to develop. Organizations need to be prepared to defend themselves on a variety of different fronts: a data loss incident may be the result of malicious activities originating from an external or internal source, or occur accidentally as a result of an employee security breach.

Equally, the causes of data loss have become increasingly diverse. Popular mediums such as social networking sites and instant messengers provide new channels for data loss, whilst the increased drive towards flexible working has caused significant growth in portable devices capable of storing large volumes of data and connecting remotely.

Data loss prevention (DLP) solutions have evolved over time in response to these changing circumstances. In the early stages, network security technologies were deployed to protect data from external threats such as viruses and unauthorized access. Following this, there was a drive towards end-point security technologies, to protect the data stored on PCs, laptops and mobile devices by deploying data encryption techniques.

However, individual end-point measures in themselves have become limited and there is a need for information-centric security technologies. The aim of the latest DLP solutions is to protect an organization's critical data wherever it exists, by identifying sensitive data at rest (in storage), in use (during an operation) or in motion (in transmission across a network).

Gartner recently coined the phrase 'content aware DLP' to describe a set of technologies able to classify information content within an object, such as a file, email, data packet or application, and dynamically apply a policy, for example reporting, logging, classifying, relocating, tagging and encrypting data throughout the entire data life cycle. However, with the variety of different product offerings from a growing number of DLP vendors, identifying the right solution for your organization is a complex task.
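As an added illustration of what "content aware" means in practice (example code written for this post, not from Gartner, Comsec or any DLP vendor): a minimal classifier that inspects the text of an object for payment card numbers, validates candidates with the Luhn checksum so phone numbers and random digit runs are not flagged, maps the finding to a policy action, and can mask the data in place. The regex, thresholds, policy table and sample message are all constructed.

```python
import re

# Constructed content-aware classifier: scans an object (file text, e-mail
# body, packet payload) for payment card numbers and maps the result to a
# policy action. The regex, thresholds and policy table are all made up.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators

POLICY = {                      # sensitivity level -> action
    "HIGH": "block_and_alert",  # bulk card data: stop it and raise an alert
    "MEDIUM": "log_and_encrypt",
    "NONE": "allow",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out most phone numbers, IDs and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Return the card numbers (separators removed) that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> tuple:
    """(level, action, cards): one card is MEDIUM, three or more is HIGH."""
    cards = find_cards(text)
    level = "HIGH" if len(cards) >= 3 else "MEDIUM" if cards else "NONE"
    return level, POLICY[level], cards


def redact(text: str) -> str:
    """Mask every detected card except its last four digits, an in-place
    form of the relocate/tag/encrypt family of actions."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return m.group() if not luhn_ok(digits) else "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(mask, text)


# Constructed sample e-mail body: one invoice reference, one test card number
SAMPLE = "Invoice ref 1234567890123456, pay with card 4111 1111 1111 1111 by Friday."
```

The same `classify` function can sit at any of the three points the post lists (a file scanner for data at rest, a mail or proxy hook for data in motion, an application hook for data in use); what changes is only where the text comes from.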

Whilst DLP solutions can be a powerful tool in preventing data loss incidents and in helping an organization comply with regulation and legislation, Gartner warns that many organizations are struggling to implement these sophisticated solutions effectively. Comsec has developed tried and tested methodologies for assisting organizations in developing DLP strategies based on best practices and international standards.

Our deep understanding of DLP regulations and legislation, together with our knowledge of vendor technologies, enables us to assist organizations in selecting and implementing an appropriate solution. From undertaking a risk assessment of your existing security environment, mapping existing DLP systems, documenting DLP roles, responsibilities and processes, to providing employee training and awareness programs, Comsec is able to provide end-to-end consultancy services to assist an organization in successfully deploying a DLP solution.