InfoSecurity

I work as a security professional in the Netherlands. My experience is in the areas of security management, security architecture, contingency planning and security operations. In 2004 I certified at (ISC)2 for CISSP. This page contains some opinions and stuff about information security.

Sept 19, 2005
Changes in ISO/IEC 17799

A new code of practice for security management has been published by ISO/IEC. I made a quick overview of changes and consequences for current work.

March 25, 2005
Desktop Antivirus last line of defence

Antivirus vendors warn about the Mytob worm, a mildly effective worm that spreads via e-mail or by exploiting the MS-LSASS vulnerability. Once a computer is infected, the worm opens an FTP server and connects to an IRC channel, waiting for commands or updates. Meanwhile it blocks the update mechanisms of the antivirus clients on your PC. This emphasizes the best practice of applying a layered approach to your virus defence and seeing the desktop client as a last line of defence.

What can we do?

The worm changes the host table of the infected machine so that all requests to update sites of antivirus vendors are redirected to 127.0.0.1, the local host. Since it is able to update itself, it can even stay one step ahead of new signatures for this worm, as long as the connection to the IRC channel stays available.

This worm is an example of the changing nature of malware. It was already visible in the virus graphs we used to have at Capgemini: the second half of 2004 showed a decrease of 'normal' viruses and an increase of trojans. More and more, viruses and worms are capable of opening backdoors and providing a way to join networks, either centralized or peer-to-peer. This capability makes it possible to improve the worm or change its nature to make it harder to detect. Recent research by the Honeynet project shows some details of the operation of botnets.
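A defender-side check for the host-table redirect described above, as an added example that is not part of the original page: it parses a hosts file and reports antivirus update names pinned to a loopback or unspecified address, which generalizes the 127.0.0.1 case in the text. The watchlist suffixes, function names and sample file are constructed assumptions.

```python
import ipaddress

# Hypothetical watchlist: domain suffixes of the update servers your antivirus
# clients really use. The .example names are placeholders, not vendor hosts.
WATCHLIST = ("av-vendor.example", "updates.scanner.example")

def is_sinkhole(addr):
    """True for loopback or unspecified addresses (127.0.0.0/8, ::1, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # malformed address field: not a usable hosts entry
    return ip.is_loopback or ip.is_unspecified

def on_watchlist(name, watchlist):
    """Case-insensitive exact or subdomain match, ignoring a trailing dot."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in watchlist)

def find_blocked_updates(hosts_text, watchlist=WATCHLIST):
    """Return (line_no, address, hostname) for watchlisted names pinned to a sinkhole."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            continue
        for name in fields[1:]:                 # one line may carry several aliases
            if on_watchlist(name, watchlist):
                hits.append((line_no, fields[0], name.lower().rstrip(".")))
    return hits

# Constructed sample hosts file, not taken from an infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       liveupdate.av-vendor.example www.av-vendor.example
0.0.0.0         DEFS.Updates.Scanner.Example.
192.0.2.10      intranet.corp.example
127.0.0.1       ads.tracker.example   # ad blocking, not on the watchlist
# 127.0.0.1     download.av-vendor.example
"""

if __name__ == "__main__":
    for line_no, addr, name in find_blocked_updates(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {name} -> {addr} (update site redirected)")
```

On Windows the file normally lives at %SystemRoot%\System32\drivers\etc\hosts; the watchlist keeps legitimate loopback entries, such as ad-blocking lists, from raising alerts.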
What can we do against these threats?

There are some things we can do to make it less likely that clients on our networks get infected and take part in some vicious network:
And in the end, once infected: clean your registry of all keys indicated by the threat response sites (which are probably also blocked), restart your system in safe mode and install the latest updates of your antivirus.

March 14, 2005
Who is spying on your kids?

Symantec researched the speed at which a clean PC gets infected when browsing the web. It turns out that especially the sites your kids use are a popular way to trash your PC, reports silicon.com: "Kids websites were among the worst with 359 pieces of adware and three browser hijackers, which can change browser settings and produce pop-up ads for pornography."

So, time to launch a security awareness campaign in the family. The alternative is worse: get up as early as your kids in the weekends :-)

March 10, 2005
Interview with SHA-1 Cryptanalyst

ZDNet published an interview with Yiqun Lisa Yin, one of the Chinese researchers who broke the SHA-1 hashing algorithm by proving that collisions can be found more efficiently than by using brute force. The word that SHA-1 has been broken has made some impact in the security community. The impact on everyday encryption is not too much, yet. But highly secured environments must reckon with the probability that, using enough computing power, collisions for hashes can be found. The other popular hashing algorithm, MD5, has some more serious weaknesses.

US government agencies have announced that both SHA-1 and MD5 will be replaced by stronger algorithms (SHA-224, SHA-256, SHA-384 and SHA-512). William Burr, crypto-manager at NIST, says: "There's really no emergency here, but you should be planning how you're going to transition — whether you're a vendor or a user — so that you can do better cryptography by the next decade."

Originally NIST wanted to have SHA-1 phased out in 2010. The recently published research of Yiqun Lisa Yin et al. did not change this plan.
Obviously NIST already knew what was happening in the Chinese labs when they first planned the change :-)

March 1, 2005
Instant headaches

Instant Messaging is a constant challenge to security officers at corporate headquarters (I know, I've been there). The use of IM is very appealing to certain groups of users on a network, due to the direct interaction and presence signalling. It gives a warm feeling of solidarity, knowing that your pals are also working late or seeing that your study friend comes online late, after last night's beers. Most young professionals have spent a lot of their study time interacting using all kinds of IM services. Why stop when they start their corporate career? And there is even some business reason for interacting using IM, especially if you work in an off-shore project: a Dutch developer with a heavy Dutch accent trying to interact with his colleague in Bangalore with a heavy Indian accent. So why are these security officers so nervous? [more: how to control corporate use of public IM-services...]