May 30th, 2008
Google has recently allowed users to see why it may flag a site as “suspicious.”
The service will show any information Google has about potentially harmful websites, including sites that have been compromised and sites that host malicious programs or malware. This is good in two ways— first, users can take advantage of this service whenever they question a site’s legitimacy; and second, website administrators may be alerted if their site gets compromised without their knowledge and starts serving up harmful content.
Of course, this assumes the compromise results in something that catches the attention of the Google application.
Although this is FAR from a 100% reliable test to determine if a website is safe to visit, it does provide an extra layer of protection just in case.
Example:
http://www.google.com/safebrowsing/diagnostic?site=http://badsite.com
Just replace the value of the “site” variable with whatever website you want to check out.
I think it’s good that Google is allowing this— they have an enormous amount of information at their disposal. Offering some of it to help keep people away from malicious sites definitely fits their motto— “Don’t be evil.”
Posted in cool by Nick Staples | No Comments »
May 29th, 2008
One of the most annoying websites you find when searching for a solution to a problem on Google is http://www.experts-exchange.com. Somehow, someone has already asked the exact same question you have, but unfortunately when you go to the page you get something like “Experts Comments are for Premium Members Only” (example). You know they have the answer, but is it worth paying? Well, they are using an absurd security-by-obscurity method to ensure you will pay for their services. Any regular Internet user who sees the “For Premium Members Only” sign will immediately hit the back button, frustrated, and continue on googling. But if you have a bit of curiosity you may find yourself with the answer you were looking for. What is the secret? SCROLL. If you scroll down past all the warnings and announcements you will find yourself in front of the answers you were seeking. Use it while you can, because I am sure after this post hits the web they will promptly close their “Security Hole.”
Posted in rants by Tim Donaworth | No Comments »
May 29th, 2008
Just stumbled upon some JavaScript code for determining which social networking sites you visit.
What are you to do if you want readers to promote your content? ... You have to decide on which bookmarking site, if any, to dedicate your precious screen real-estate. It’s a hard choice. If you choose poorly your reader won’t vote—it’s not a single click coupled and out-of-sight means out-of-mind—and your content loses its chance to make it big. You have to choose your horse wisely.
If you could detect which social bookmarking sites your reader uses, on a per-reader basis, you could display only the badges they care about. But you can’t know that because the browser secures the user’s history, right? Wrong.
Let’s try it. You have visited: [list filled in by the script on the original page].
So, is this a cool capability, or a creepy violation of your privacy? I think it is the former, since the code all runs client-side, can be disabled using a tool such as NoScript, and benefits the user with a cleaner interface. Provide your comments below!
Posted in cool by Peter Hesse | 1 Comment »
May 28th, 2008
Online banking giant ING will begin providing software to its customers in the hope that they’ll be able to bank online without having their accounts hacked on compromised machines.
...The software works by assuming control over the application programming interfaces or APIs in Windows…A more advanced type of malware – known as a “form grabber” – hijacks the “WinInet” API – which sets up the SSL (think https://) transaction between the user’s browser and the encrypted Web site. By hijacking this API, a form grabber can rip out usernames and passwords even when the user is submitting them into a site that encrypts the data during transmission because it grabs that information at the lower level of the operating system, before it is encrypted.
Trusteer’s software examines these and other vital Windows APIs to see if any other process is trying to intercept sensitive data. It then blocks those that do.
I think this is a bad move – end-user computer security, while very relevant to ING’s online banking structure, isn’t within their control enough to be able to make a beneficial change.
ING can only make real changes on their side, to servers, Web pages, etc. Brian Krebs has pointed out 3 good reasons that will cause this venture to fail.
1- Customers who install the tool flood ING with support calls and questions.
2- Nobody adopts it.
3- Malware writers figure out a way around it to steal lots of money from customers.
It will be virtually impossible to avoid any of these pitfalls – besides, some tricks never get old.
Posted in software by Anil Polat | No Comments »
May 27th, 2008
Core Security released details on three iCal bugs last week. What’s suspicious is that Apple hasn’t fixed them yet, despite being told in January. The bugs are relatively harmless if you have iCal configured correctly – i.e. not to automatically parse invitations from Mail. Unfortunately, that’s not the default on Leopard. I’ve run into the same problem before, and I turned the “feature” off for other reasons.
There’s a bug in the ics parser that could potentially allow for remote code execution. Not good.
Any program that automatically opens up attachments from your mail reader (Mail, Outlook, Thunderbird, etc.) SHOULD BE RECONFIGURED! The same goes for remote images. Any attachment should be suspect unless you know who it came from, and SPAM does not qualify as “knowing who it came from”.
This simple configuration/re-configuration can save you a lot of headaches in the long run: in addition to closing off any known vulnerabilities floating around, you’ve closed off a vector for new ones.
Posted in hacking by Laura Raderman | No Comments »
May 23rd, 2008
According to Network World, the federal government is stepping up its commitment to data security by adding full disk encryption software to 800,000 laptops. This is pretty encouraging, but there are still a lot of laptops and portable devices left to go.
The software products, which are being purchased through the Data at Rest program, are only costing the government about $10 per license. This is good news for everyone as taxpayers, and it’s also encouraging in that budgetary concerns are unlikely to prevent agencies from continuing to secure more and more devices against data loss from theft or misplacement.
It’s always nice to read about companies or government agencies being proactive about security. While this may be an overdue step, it’s one that I’m still quite glad to see taken.
Posted in data protection by Walt Turnes | 1 Comment »
May 22nd, 2008
After writing my previous post referencing the security of hospitals and other health care institutions, I decided to do some more digging on what security breaches they might currently be dealing with. I came across the 2008 HIMSS Analytic Report: Security of Patient Data; it’s basically a report that summarizes patient privacy survey results given by senior executives from health care organizations across the United States.
One interesting excerpt from the report:
Respondents reported that their organizations take educating their employees about the importance of security patient data very seriously. The data also suggests that most of the breaches reported surround inadvertent access…
Clearly most of these institutions believe that employee breaches are among the larger threats to patient data. The report shows that a large amount of attention is paid to educating employees and instituting policies and disciplinary actions to protect against internal privacy breaches.
On the other hand, the report seems to indicate that there is less of a focus on malicious (and external) privacy breaches.
Noticeably absent were concerns around breach sources associated with malicious intent, such as stolen laptops, stolen computers, deliberate acts by unscrupulous employees, cyber attacks through the Internet, etc., supporting the lack of industry focus on fraudulent data breaches.
It seems to me that the security of hospitals is a bit lopsided. Although I agree that focusing on managing accidental privacy breaches by employees is important, I also think that it’s time they tightened up protection against malicious security breaches as well. As I posted before, these health care institutions might be the next big target for identity thieves to get their data. It would be nice if hospitals were a bit more prepared.
Posted in data protection by Nick Staples | 3 Comments »
May 21st, 2008
We have all heard about ISO 17799 and ISO 27001; ISO 17799 is being renamed to ISO 27002, and ISO 27001 was formerly known as BS7799-2. If you haven’t and you’re reading this, stop now and go look them up. Here is a good place for a general overview.
These standards are the minimum baseline for doing business where security is concerned. Instead, what you see is that most companies, those that care and especially here in the US, are still in a phase of “working towards” meeting these standards. Very few Western organizations have implemented or even looked at these standards. In Japan over 2000 companies have been certified, meaning that Japan dwarfs any other country, with at least 300% more compliance than the UK and the US put together.
Something needs to be done to bring the compliance level up, especially when it comes to the base foundation for security controls and an ISMS.
So what can you do? Here is a 10 step guide to becoming certified.
- Prepare the ground: obtain copies of the ISO 17799 and BS7799-2 standards, research the background, set the objectives, understand the costs and benefits, and liaise with senior management to gain their support.
- Define the scope: what’s in, what’s out, including issues like location, assets and so on. Prepare a Statement of Applicability.
- Define a formal ISMS (Information Security Management System) policy.
- Analyze the information security risks to identify the corresponding security control objectives.
- Prepare a security implementation plan describing the implementation of specific information security controls to satisfy the objectives identified in step 4. Gain management approval and secure the budget.
- Implement the plan. Prepare, review, approve and publish information security policies, procedures, standards and so forth. Bring controls protecting the IT infrastructure and facilities up to scratch. Review and where necessary improve application security controls. Prepare and exercise contingency plans.
- Operate and maintain the information security management system. Keep records to document proper use of your system (e.g. information arising from the review of system security logs).
- Perform an information security audit and management review to check that everything is in order (this typically involves an informal pre-certification assessment by the certification body).
- Make any last-minute adjustments to the information security management system to address issues identified in the pre-certification assessment.
- Undergo the formal certification assessment by an accredited certification body.
Source
Posted in regulations by Tim Donaworth | 2 Comments »
May 20th, 2008
As Tim recently pointed out, identity theft costs businesses billions of dollars each year.
I think the main burden at this point comes from the repercussions of an incident originating with the individual. Banks and credit card companies have to pay back the individuals when something does happen, then try to track down the thief; mind you, most of this is outsourced, but it’s not cheap.
Here’s where businesses should take the lead, since customers are woefully ignorant of how to protect their assets. All of the following assumes that there is a legal framework to push companies to think about more than their pocketbooks and more about the people that finance them.
People don’t know how, or don’t want, to educate themselves on how to protect their identities. That’s why the experts exist; if everyone knew why and how to encrypt their hard drives, shred credit card offers, or run penetration tests, the IS industry wouldn’t be what it is. There would be fewer car accidents if people actually learned how to drive, make evasive maneuvers, etc.
When the average Joe has all of their money stolen, they are, to put it bluntly, screwed. When a big company mismanages all of its money, engages in unethical practices, and goes belly up the government bails them out.
Businesses have better resources to handle the costs of education, security, and mitigation. As Walt pointed out, customers are already paying for it – so why isn’t it paying off?
Posted in privacy by Anil Polat | 1 Comment »
May 19th, 2008
Tim already posted about the Debian SSL flaw so I’ll let you read his take on it, but I wanted to bring some more information to the table.
Slashdot (of all places) has an excellent description of why the code was originally changed. The maintainer/developer had run valgrind on the code, and changed the code without thinking about it. It’s unclear who’s to blame here; we only know who checked in the code, not necessarily who changed it. However, this bug is a prime example of using “security” tools without knowing what you’re doing.
Valgrind looks for memory leaks and undefined memory usage. It’s not purely a security tool, but sometimes it’s used as one. Purify and flawfinder are others that I’ve seen used. These tools can show you how memory is used (or misused) in source code. It’s these memory misuses that typically cause buffer overflows, so while it’s desirable to remove all “bad” code, it’s also desirable to understand why the code is bad or good.
Security folks aren’t always developers, and developers are almost never security folks. Get the two together to interpret the results of code scanners, it’ll make it a lot easier for you in the long run.
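To show what “understanding why the code is bad” means in the Debian case, here is an added C example written for this post (a constructed toy, not OpenSSL’s md_rand.c): a key derivation that mixes the process id and an entropy buffer into a generator, beside the Debian-style change in which the mixing call was removed because valgrind had flagged the buffer as uninitialised. The names toy_rng, derive_key and distinct_keys are assumptions of this example; the correct response to the valgrind warning was to initialise the buffer, not to delete the call that consumed it.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy generator state with FNV-1a style mixing; constructed for illustration. */
typedef struct { uint64_t state; } toy_rng;

/* Intended behaviour: every byte of the entropy buffer perturbs the state. */
static void toy_rng_add(toy_rng *r, const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        r->state ^= buf[i];
        r->state *= 0x100000001b3ULL;
    }
}

/* The Debian-style change: valgrind warned that part of the buffer passed to
 * the mixing call was uninitialised, so the call was removed instead of the
 * buffer being initialised. The buffer now contributes nothing. */
static void toy_rng_add_removed(toy_rng *r, const unsigned char *buf, size_t len) {
    (void)r; (void)buf; (void)len;
}

/* Derive a key from the process id plus an entropy buffer. With `removed`
 * set, only the pid reaches the generator, which is what happened in the
 * Debian build and is why its keyspace collapsed. */
uint64_t derive_key(int pid, const unsigned char *entropy, size_t len, int removed) {
    toy_rng r = { 0xcbf29ce484222325ULL };
    toy_rng_add(&r, (const unsigned char *)&pid, sizeof pid);
    if (removed) toy_rng_add_removed(&r, entropy, len);
    else         toy_rng_add(&r, entropy, len);
    return r.state;
}

/* Count how many distinct keys a fixed pid can produce over `trials`
 * different entropy inputs (capped at 256 so only one input byte varies). */
int distinct_keys(int pid, int trials, int removed) {
    uint64_t keys[256];
    int n = 0;
    for (int i = 0; i < trials && i < 256; i++) {
        unsigned char e[4] = { (unsigned char)i, 0, 0, 0 };
        uint64_t k = derive_key(pid, e, sizeof e, removed);
        int seen = 0;
        for (int j = 0; j < n; j++) if (keys[j] == k) { seen = 1; break; }
        if (!seen) keys[n++] = k;
    }
    return n;
}

int main(void) {
    printf("mixing intact:  %d distinct keys\n", distinct_keys(1234, 256, 0));
    printf("mixing removed: %d distinct keys\n", distinct_keys(1234, 256, 1));
    return 0;
}
```

With the mixing intact, 256 different inputs give 256 different keys; with it removed, every input gives the same key, so the only thing left varying between runs is the pid.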
Posted in Uncategorized by Laura Raderman | 1 Comment »