George Chetcuti WS Blog

George Chetcuti is a promoter of effective IT governance and IT security best practices. With a personal experience of many years managing complex setups, his contribution to this community is to provide security related info and tips. This blog is aimed at increasing security awareness among IT professionals.

Botnet Operation Disabled

Networks of computers (yours may be one of them!) infected by malicious programs such as key-loggers are on the rise. Cyber criminals are in control of this international activity and with the help of botnets they can steal confidential information from infected computers to commit financial crimes. Last week, the FBI seized five servers that participated in this activity and are known to have infected as many as two million computers with the powerful virus Coreflood. These servers are part of a larger international setup which has been active for more than a year. Coreflood is actually a key-logging program that allows criminals to hijack personal information and steal funds. Coreflood's main spreading mechanism is email attachments, and anti-virus vendors are working hard to update their signature files so that Coreflood is detected and removed from users' computers. So, make sure that you keep your anti-virus up to date!
The Coreflood virus, which targets Windows-based operating systems, is difficult to trace; hence Windows users are advised to check their online banking transaction history for unknown transactions, which should be reported immediately to the relevant financial institution or bank. From the technical perspective we keep advising this community to make sure that Microsoft's latest security updates are installed and, if possible, to keep Windows Update set to install updates automatically, and to have an updated anti-virus program running at all times together with an active firewall.
For more information about the FBI's successful seizure go her

Wireshark 6lowpan vulnerability

Systems that run Wireshark versions prior to 1.4.4 are susceptible to a denial-of-service attack. This vulnerability affects 32-bit operating systems while reading a malformed 6LoWPAN (IPv6 over Low-Power Wireless Personal Area Networks) packet. Wireshark lacks proper exception handling when the packet is intentionally varied in length, which corrupts the packet buffer and causes Wireshark to crash. An attacker may take advantage of this weakness to cause a denial-of-service condition. The vulnerability was discovered by Paul Makowski of SEI/CERT and was tested against both the stable version (1.4.x) and the version in development (1.5.x). While it is confirmed that version 1.5.x is not vulnerable, a fix has been released which is included in version 1.4.4, and users running Wireshark are advised to upgrade to this version. Several other security-related fixes are also included in this version.
For more information about this vulnerability visit Wireshark's bug database here.

Cloud Standardization Bodies

There are many initiatives going on to standardize Cloud Computing and one of the main leaders is the National Institute of Standards and Technology (NIST). NIST's SAJACC (Standards Acceleration to Jumpstart Adoption of Cloud Computing) Working Group is leading the development of a USG (U.S. Government) Cloud Computing Roadmap. This roadmap will define and prioritize USG requirements for interoperability, portability, and security for cloud computing in order to support secure and effective USG adoption of Cloud Computing. The goal of the SAJACC initiative is to drive the formation of high-quality cloud computing standards by providing worked examples. It shows how key use cases can be supported on cloud systems that implement a set of cloud system specifications.
Briefly, the program is aimed at making clouds work together (interoperable), where workloads can move around (portable) and customer assets are protected (secure). Use cases describe how groups of users and their resources may interact with one or more systems to achieve specific goals, such as copying objects (data) between cloud providers or erasing and creating objects. Use cases are based on stories with elements such as actors, goals and assumptions, and are available to the general public here. One third of the use cases deal with security and related principles.

The collaborative participation by other bodies takes Cloud standards to deeper levels. The DMTF (Distributed Management Task Force) enables more effective management of millions of IT systems worldwide by bringing the IT industry together to coll

Flood Safety Awareness

Take FEMA's advice and increase your awareness and review your plans, as the level of flood risk increases in springtime! As snow melts, susceptible areas may be affected; however, no matter where you live it is important to be informed about the risks and the preparations you can make in case your area comes under the threat of flooding. The first suggestion is to always have an emergency kit with the necessary items such as food and water, medicine, battery-powered communication devices and copies of important documents. Keep this kit somewhere handy and make sure that any food you place in it is non-perishable! The second suggestion is to make a plan. A plan should include meeting points both within and outside of your immediate neighborhood, contact telephone numbers and other backup means. Make sure that everyone included in the plan is well aware of it. The third suggestion is to search for sources that provide the latest info about flood hazards in your region, such as weather stations. Some locations prone to floods have flash flood warnings which can help you evacuate in time. Make yourself knowledgeable about the causes of flooding in your area and use this knowledge to forecast such events.
The financial impact of a flood may be devastating; hence, purchase a flood insurance policy if you do not already have one. Even a small flood can cause serious damage and cost you lots of money. Try this interactive tool to get an idea of what a flood to your home or office could cost you! Estimating costs can help you in re-assessing and re-structuring your house or office

Perceived Security

The perceived security of some major entities may fail if tested. Quite recently NASA's security was challenged and found to lack some bolts! On February 23, a 26-year-old Texas developer was charged with hacking into NASA's networks. The federal court is charging him with wire fraud and computer hacking! He is accepting all charges. Apparently this was not the only cybercrime this individual was up to. In fact, he is also charged with manipulating Digital River's SWReg systems so as to credit his account with approximately $275,000 over a period of one year. SWReg pays independent software developers royalties for their submitted code.
In the NASA incident he managed to gain access to two servers at the flight center in Greenbelt, Maryland. The hacked servers gathered data sent from satellites so that the scientific community could retrieve oceanographic data through a paid membership. The cybercriminal did not gain any financial income from this attack but caused NASA approximately $43,000 in repair costs and a long downtime for NASA's 3,300 paid members. Such a criminal faces a potential maximum penalty of 20 years in prison on the wire fraud charge and 10 years on the computer hacking charge!
According to official reports, cybercrime increased by 23% in 2009 over the previous year, and the estimated dollar loss from such activity reached about $569 million. Mainly, there are two lessons to be learned here: first, that cybercrime activity will continue to increase and will get more effective, and secondly, we are seeing more big

Privacy by Design – Part 5

For practices requiring choice, companies should offer the choice at a time and in context in which the consumer is making a decision about his or her data
As we have seen in Part 4 of Privacy by Design, the lengthy privacy choices can be omitted for commonly accepted practices, but what is the recommended approach for those that fall outside this boundary? The choice has to be meaningful, through clear and concise questions, and offered at a time and in a context in which the consumer is making a decision about his or her data. For example, in online activity the disclosure and control mechanism should appear clearly on the page on which the consumer types in his or her personal information, whereas offline the disclosure and consumer control should take place at the point of sale, such as having the cashier ask the customer whether he/she would like to receive marketing offers from other companies. A typical situation is with social media services. If consumer information will be conveyed to a third-party application developer, the notice-and-choice mechanism should appear at the time the consumer is deciding whether to use the application and, in any event, before the application obtains his/her information. In the event that information sharing occurs automatically through a default setting, the consumer must be informed in plain English when he/she becomes a member of the service.
The commission believes that businesses that take a simplified approach to providing choices will not only help consumers make decisions during particular transactions but also will facilitate consum

Trial run Windows Azure

Are you an MSDN subscriber? I can imagine that most of you are somehow connected to MSDN and enjoy the benefits it offers; however, Microsoft are now offering free compute hours on their Windows Azure infrastructure if you are an MSDN Premium or Ultimate subscriber. Check your subscription level with your manager or superiors and take advantage of this offer to get your hands dirty with this Cloud technology!
"Windows Azure is an internet-scale cloud computing and services platform hosted in Microsoft data centers, which provides an operating system and a set of developer services which can be used individually or together. It gives developers the choice to build web applications; applications running on connected devices, PCs, or servers; or hybrid solutions offering the best of both worlds. New or enhanced applications can be built using existing skills with the Visual Studio development environment and the .NET Framework. With its standards-based and interoperable approach, the services platform supports multiple internet protocols, including HTTP, REST, SOAP, and plain XML."
The special offer consists of approximately $1800 worth of services annually. You will benefit from 750 hours per month of free compute running an extra small instance, 10GB of free storage space and 1 million free transactions per month. This offer is adequate to run a small web application for free! In fact, this offer is very similar to Amazon's AWS Free Usage Tier. Competition is good, isn't it?
Existing MSDN users can activate the trial run from their MSDN account while non-MSDN users can try a limited amount of the infrastructure through an introductory promotional offer. For more info about MSDN Windows Azure benefits go here.

Privacy by Design – Part 4

Companies should simplify consumer choice
The Commission's draft proposes a more simplified approach to offering and communicating privacy choices. We all know that few if any of us go through the lengthy and sometimes indecipherable privacy policy statements before buying a product or service. What we tend to forget is that our choice of whether or not to buy the product or service should also depend on such policies. There may be one clause or notice that would influence our purchasing decision! The draft states that businesses need to provide consumers with meaningful choices, while they can omit choices pertaining to commonly understood and accepted data practices.
Companies do not need to provide choice before collecting and using consumers' data for commonly accepted practices, such as, product fulfillment
The draft identifies five commonly accepted practices where companies should not be required to seek consent once the consumer elects to use the product or service in question:
Product and service fulfillment – where the consumer's private data is collected during the ordering process, such as shipping and credit card details.
Internal operations – where existing customers are asked to fill in customer satisfaction surveys, or website visits and click-through rates are collected to improve site navigation.
Fraud prevention – where fraud detection services are used to monitor against fraud, such as checking drivers' licenses when consumers pay by check.
Legal compliance and public purpose – where businesses report a consumer's delinquent account to a credit bureau.

Privacy by Design – Part 3

Companies should implement and maintain data management procedures
The FTC suggests that the procedures a company puts in place to safeguard consumers' privacy are to be practiced throughout the life cycle of the product or service they sell. The draft mentions training employees on consumer privacy policies and promoting awareness of privacy best practices within the company. Risk assessment programs help organizations assess the privacy impact of specific practices, products and services while ensuring that they follow effective procedures to mitigate any risks. The size and scope of the programs should be appropriate to the amount of data, the sensitivity of the data and the related risks; therefore, different organizations put different levels of resources into implementing privacy programs. Some requirements are already defined in government and privacy acts (US).
The draft illustrates this principle with an example. Recently, US government information and other sensitive personal data was leaked worldwide through P2P (peer-to-peer) file-sharing networks. This information became available because businesses allowed employees to download and use P2P at the workplace. No security controls were in place and no awareness programs were run. When businesses incorporate privacy and data security policies in their business processes they mitigate these risks. Typically, after applying security policies, P2P software would often be disallowed, or allowed to run only on a separate machine where no personal or sensitive data is stored. A similar policy would app

Privacy by Design – Part 2

The FTC's framework proposes that businesses should only retain consumer data as long as there is a legitimate need. The data retention period must be reasonable and appropriate. For instance, companies tend to retain old data for long periods of time because they consider it valuable for a future need; however, consumers might have provided their private data just for the current service or product! In addition, archived consumer private information may be prone to identity theft, and if such thefts occur they may go unnoticed for long periods of time. The Commission states that businesses should promptly and securely dispose of data in any form for which they no longer have a specific business need. In principle this is an excellent measure, but what if businesses cite some dummy business activity to prove that they still need the data?

Private data accuracy is another term referred to in the Commission's draft. Businesses need to ensure that data collected from their customers is accurate and should take reasonable steps to verify this. Lots of things can happen with erroneous or incomplete private data. If consumers are allowed to benefit from public or private services by means of identity verification, then they may gain or lose if their data is incorrect. This can cause significant harm to individuals, such as when accessing funds or health benefits. Conversely, mischievous persons may take advantage of a weak system!

The draft is open for discussion and as already noted above, the concept of specific business need as regards to retain related data i
