February 20, 2010 | Posted by Dave Earlier this week I hosted a webinar entitled “Inside the Mind of a Hacker”. During this hour long broadcast we discussed; How a Hacker thinks, What are a Hackers goal, and the tools of a Hacker. We concluded the Webinar with a demo of a Trojan.
The webinar can be found on Parameter’s website or by Click Here.
Categories: Original, Viruses, compliance | 
Tags: chronister, trojans, webinar | 
No Comments »
November 23, 2009 | Posted by Dave Unless you have been living under a rock during the past 20 years you know that Man made Global Warming has been a very hot topic (no pun intended 
). Recently it seemed that the Pro-Global Warming team had been making the most ground. As the inventor of the Internet Al Gore put it “The debate is over”.. Is it???
It appears that a group of Hacktivist may have pulled some skeletons out of the closet, for the whole world to see. A Hacktivist is a Hacker who hacks for a cause. We have seen many far-leaning ideologue groups around the world, on both sides of the debate, who have employed various attacks against their enemy. The attacks have included defacing websites, Dos/DDoS, and other destructive attacks. This attack however was different.
Hacktivist stole over 4000 documents from the Climatic Research Unit of the University of East Anglia in Britain, which included over 1000 emails. Many of these emails were correspondents between high profile Global Warming “Alarmist”, and it seems a few of these emails included some of their deepest secrets such as how to manipulate data to hide discrepancies between their cause and the actual data (There is growing data that Global Warming may have stopped in the late 90s.). The university has acknowledged the breech and the authenticity of the documents, many of which are available on the internet.
Score one for the Hacktivists it seems, but what does this mean for the future? If these really are a smoking gun, which all indications point to yes, then this will definitely embolden others who believe they can expose their opponent’s agenda by breaking the law.
The lessons to take from this? Not all malicious attacks are Dollar driven. Some people will go to extremes to prove a point. And finally, if you want something to be kept a secret do not put it in an email.
- Dave
Link to an article about the attack http://www.washingtonpost.com/wp-dyn/content/article/2009/11/20/AR2009112004093_pf.html
Categories: Recent News | Tags: global warming, hacker, hacktivist | No Comments »
November 12, 2009 | Posted by Dave I apologize for delays in new post, business has been well keeping me busy. 2010 I hope to update more regularly. Until here is an article I wrote for security magazine in 2008. I hope you enjoy.
by Dave Chronister
April 1, 2008
Technology’s ever-growing importance is a mixed blessing.
On one hand, it keeps me employed, but many times I will find myself talking about “new threats” that aren’t really new, they are just finally coming to the public’s attention.
The issue “de jour” is identity theft, and, according to the general public, this never happened until the TJ Maxx break in. Am I the only one who watched Sandra Bullock in “The Net?” Granted this movie was a little far-fetched — I mean, come on, ordering a pizza online? But there we were in the mid-1990s watching a movie about a recluse woman whose identity was stolen in order to cover up a major conspiracy. Now, 13 years later, we live in a world where it seems the only data leak to worry about is consumer information.
Doesn’t a company with revolutionary ideas worry about corporate espionage and loss of trade secrets? Shouldn’t a publicly traded company need to ensure its financials are not released prematurely?
In reality, security professionals have to deal with data of different levels of security, much of which is unknown to even them. So while the rest of the world is focused on the little old ladies’ Social Security numbers, let’s look at the best strategies on keeping our sensitive information in our castle’s keep and maybe even use the identity theft hysteria to our advantage.
The decentralization of a company’s data stores and multiple facets of data retrieval have rendered the security strategy of building a bigger outside wall obsolete. A silver-bullet solution will eventually become an Achilles’ tendon. Instead, you want to go for layers, defense in depth. Structure your security solutions to identify threats, guard against automated scans, and slow down and report possible intrusions. In the event of a successful attack, ensure containment and, if possible, identify the offenders of the data loss.
Let’s take a look at a few weapons that you may want to put in your arsenal.
First, there are network traffic analyzers — and we are not talking about your network administrator’s wire shark system. These analyzers will examine the content and determine if sensitive data may have been sent out to unauthorized recipients. Many traffic analyzers will even determine if information is being sent to correct destinations but over incorrect channels, say instant messaging or IM, or to the public network unencrypted.
The obvious concern with this technology would be the potential bottleneck that you would face even on a small network. Global Velocity, one of the newer companies in this realm, is about to release a hardware-based content analyzer that it claims can process 10gbps. The potential is a godsend, but it isn’t without limitations. It can only analyze clear text. Someone sending out binaries, say screen prints, or encrypted traffic, such as a virtual private network or VPN stream, would not be analyzed. It also only handles traffic heading out of your network to other networks either public or private.
This doesn’t address other avenues of “data escape,” such as mobile devices and USB keys. There are multiple solutions to this problem, from physical USB locks to software solutions, such as Devicewall’s Centennial, which can block various types of USB devices, such as MP3 players or PDAs, and provide a complete audit trail. Microsoft shops could even use network policies to lock USB ports.
Speaking of policies, let’s take a quick look at your greatest weapon and your worst enemy: The User.
Sometimes it may seem a better idea to give flamethrowers to your local Cub Scout troop than to depend on John Q. User to ensure the integrity of your data. No matter how much you secure your sensitive data, the simple fact is your employee will be retrieving and writing this data on a daily basis. You need to ensure your security awareness program prepares them to handle the various aspects of social engineering as well as prevent accidental data leaks. After all, hackers are targeting the secretaries, not the Certified Information Systems Security Professionals or CISSPs. Computer-based training and posters should be part of your program, not the entire program.
Finally, getting upper management’s buy-in to the cost of data protection in money and manhours can be a daunting task. The horror stories of other data breeches as well as the projected cost to a business for identity theft can be used as a case study during your presentation. If that doesn’t work, maybe you can bust out your VCR and hope Bullock’s stellar performance in “The Net” does.
http://www.securitymagazine.com/Articles/Feature_Article/BNP_GUID_9-5-2006_A_10000000000000298345
Categories: Best Practices, Original, compliance | Tags: business professionals, cyber security, identity theft, security awareness training | 1 Comment »
July 6, 2009 | Posted by Dave WASHINGTON (AP) — For all the concern about identity theft, researchers say there’s a surprisingly easy way for the technology-savvy to figure out the precious nine digits of Americans’ Social Security numbers.
“It’s good that we found it before the bad guys,” Alessandro Acquisti of Carnegie-Mellon University in Pittsburgh said of the method for predicting the numbers.
Acquisti and Ralph Gross report in Tuesday’s edition of Proceedings of the National Academy of Sciences that they were able to make the predictions using data available in public records as well as information such as birthdates cheerfully provided on social networks such as Facebook.
For people born after 1988 — when the government began issuing numbers at birth — the researchers were able to identify, in a single attempt, the first five Social Security digits for 44 percent of individuals. And they got all nine digits for 8.5 percent of those people in fewer than 1,000 attempts.
For smaller states their accuracy was considerably higher than in larger ones.
Acquisti said in a telephone interview that he has sent the findings to the Social Security Administration and other government agencies with a suggestion they adopt a more random system for assigning numbers.
Social Security spokesman Mark Lassiter said the public should not be alarmed by the report “because there is no foolproof method for predicting a person’s Social Security number.”
“The suggestion that Mr. Acquisti has cracked a code for predicting an SSN is a dramatic exaggeration,” Lassiter said via e-mail.
However, he added: “For reasons unrelated to this report, the agency has been developing a system to randomly assign SSNs. This system will be in place next year.”
The researchers say their report omits some details to make sure they aren’t providing criminals a blueprint for obtaining the numbers.
The predictability of the numbers increases the risk of identity theft, which cost Americans almost $50 billion in 2007 alone, Acquisti said.
A problem in the battle against identity thieves is that many businesses use Social Security numbers as passwords or for other forms of authentication, something that was not anticipated when Social Security was devised in the 1930s. The Social Security Administration has long cautioned educational, financial and health care institutions against using the numbers as personal identifiers.
“In a world of wired consumers, it is possible to combine information from multiple sources to infer data that is more personal and sensitive than any single piece of original information alone,” he said, warning against providing too much data on social network sites.
Acquisti, who researches the economics of privacy, said he got interested in what could be learned from easily available by looking at social networks, which he termed “a great experiment in self-revelation.”
People were willing to include their date of birth and hometown, he said, and he already knew that was part of the information used in issuing Social Security numbers.
So the researchers turned to the SSA’s “Death Master File,” which lists the numbers of people who have died. The purpose of making that file public is to prevent impostors from assuming the Social Security numbers of deceased people.
But by plotting the data for people listed on the file between 1973 and 2003 the researchers were able to develop patterns for number issuance.
“I was surprised by the accuracy of certain predictions,” Acquisti said.
The system can produce a range of possibilities for the last four numbers, making it easier for a computer to test the possibilities until the correct number is found for an individual, Acquisti explained.
In addition, “attackers can exploit various public- and private-sector online services, such as online “instant” credit approval sites, to test subsets of variations to verify which number corresponds to an individual with a given birth date.
While it was well known that the numbers have a geographic component, past studies have used the patterns plus other data to estimate when and where a specific number may have been issued.
“Our work focuses on the inverse, harder, and much more consequential inference: it shows that it is possible to exploit the presumptive time and location of SSN issuance to estimate, quite reliably, unknown SSNs,” Acquisti said.
The research was supported by the National Science Foundation, the U.S. Army Research Office, Carnegie-Mellon University and the Pittsburgh Supercomputing Center.
___
On the Net:
PNAS: http://www.pnas.org
http://newsok.com/social-security-number-code-cracked-study-claims/article/feed/55270?custom_click=pod_headline_national-politics
Categories: Recent News, Security Tools | Tags: cyber threats, identity theft, SSN | No Comments »
