Friday, September 26, 2008

How to Protect Yourself from Web 2.0 Hackers

Introduction to Web 2.0
Web 2.0 is a living term describing changing trends in the use of World Wide Web technology and web design that aims to enhance creativity, information sharing, collaboration and functionality of the web. Web 2.0 concepts have led to the development and evolution of web-based communities and hosted services, such as social-networking sites, video sharing sites, wikis, blogs, and folksonomies. The term became notable after the first O'Reilly Media Web 2.0 conference in 2004. Although the term suggests a new version of the World Wide Web, it does not refer to an update to any technical specifications, but to changes in the ways software developers and end-users utilize the Web.
According to Tim O'Reilly:
“Web 2.0 is the business revolution in the computer industry caused by the move to the Internet as platform, and an attempt to understand the rules for success on that new platform.”

6 steps to Protect Yourself from Web 2.0 Hackers (written from the attacker's point of view):
1. Run a security suite. It isn't good enough anymore to run merely antivirus. You need a software firewall, antispam, antiphishing, antispyware, anti-rootkit and a host-based intrusion prevention system (HIPS). These will keep you from getting infected with the malware I try to push to your PC. We don't talk much about antispam, as if spam were just an annoyance. But if you don't read my phishing e-mails, then you'll never visit my fake site, run my buffer overflow exploit, and infect yourself with my malware.

2. Update signatures. I can change my attacks frequently, so you'd better download new signatures or your security suite won't recognize the new ones. Of course, I can stay ahead of signatures, which is why you need the firewall and HIPS.

3. Be street-smart on the Web. Trust no one. Don't share any more information publicly than you need to. And don't use anything you share as your password. If you write about your dog on Facebook and my app grabs his name, then you can bet I'm going to try all kinds of variations on Toto as your password on the common banking sites and PayPal, and, if I can find it, your PC.

4. Use strong passwords. I hate when marks use strong passwords because it really slows me down. Make sure your password is more than six characters long, contains a mix of letters and numbers, and doesn't include a word that can be found in the dictionary. Treat six characters as a floor, not a target: every extra character multiplies the number of guesses I have to make.

5. Mix it up. Don't use the same password on every site. If you do, then once I crack one I have access to everything you do online. The same goes for your credit card and ATM card PIN.

6. Be cryptic. When possible, encrypt important data files at rest and in transit. That means clicking on the "Sign in securely" link, even though it's an extra click, and making sure that you see the little lock in your browser that means the site is using SSL to encrypt traffic. Read your application provider's EULA and find out who owns your data stored online (the answer may surprise you), how they isolate your data from other people's data (if they do), and the security measures they've enacted to protect you. A free app is nice, but isn't your identity worth more? Cancel services that won't encrypt your files and explain the other security measures they take.
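As an added example (not code from the original post), the following Python script puts steps 3 to 5 into a check you can run: it enforces the length, letters-and-digits and no-dictionary-word rules, and it reproduces the attacker's side of the "Toto" scenario by generating the variations a password guesser would derive from a name scraped off a profile, then flags any password that lands in that list. The wordlist, the leet substitution table and the affix list are small constructed stand-ins; a real cracker ships far larger ones, so a pass here is a floor, not a guarantee.

```python
"""Password check for the six steps above: added example, not the post's code.
The dictionary, substitution table and affix list below are constructed
stand-ins (assumption: a real cracking wordlist and rule set are far larger).
"""
import math
import string

# Constructed stand-in for a cracking wordlist.
SMALL_DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "toto"}

# Constructed mangling rules, modelled on what password crackers apply.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
UNLEET = {v: k for k, v in LEET.items()}
COMMON_AFFIXES = ["", "1", "12", "123", "!", "1!", "08", "2008"]

MIN_LENGTH = 7  # the post's rule: more than six characters


def mangle(seed):
    """Guesses an attacker derives from one harvested word: case variants,
    leet substitution, reversal, each with common prefixes and suffixes
    (e.g. Toto -> Toto123, 7070!, 123toto)."""
    base = seed.lower()
    leet = "".join(LEET.get(c, c) for c in base)
    stems = {base, base.capitalize(), base.upper(), base[::-1],
             leet, leet.capitalize()}
    guesses = set()
    for stem in stems:
        for affix in COMMON_AFFIXES:
            guesses.add(stem + affix)
            guesses.add(affix + stem)
    return guesses


def attacker_guesses(public_words):
    """Union of the mangled variants of everything the target shared publicly
    (pet names, birth years, team names, ...)."""
    guesses = set()
    for word in public_words:
        guesses |= mangle(word)
    return guesses


def contains_dictionary_word(password):
    """True if the password, after undoing leet substitutions and dropping
    digits and punctuation, is or contains a dictionary word. This is why
    'p4ssw0rd1' does not count as avoiding dictionary words."""
    text = "".join(UNLEET.get(c, c) for c in password.lower())
    letters = "".join(c for c in text if c.isalpha())
    if letters in SMALL_DICTIONARY:
        return True
    return any(w in letters for w in SMALL_DICTIONARY if len(w) >= 4)


def check_password(password, public_words=()):
    """Return the names of the rules a password fails (empty list = passes).
    public_words is what the target has posted publicly (step 3)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        failures.append("needs_letters_and_digits")
    if contains_dictionary_word(password):
        failures.append("dictionary_word")
    if password in attacker_guesses(public_words):
        failures.append("derived_from_public_info")
    return failures


def keyspace_bits(password):
    """log2 of the number of candidates an exhaustive attacker must try, given
    the character classes the password actually uses. Six lowercase letters
    and digits is only about 31 bits, which is why length matters most."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # Constructed sample: the dog's name was posted on a social network.
    harvested = ["Toto", "1975"]
    for pw in ["Toto123", "password", "xq7!Lm", "R4in-Pl0nk-T9"]:
        print(f"{pw!r:16} {keyspace_bits(pw):5.1f} bits  "
              f"fails: {check_password(pw, harvested)}")
```

Run it as-is to see the sample table; in practice you would feed attacker_guesses() a scrape of the target's public profile and a real wordlist, which is exactly what the attacker in step 3 does.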
See you online... Cheers!!!

Tuesday, September 23, 2008

Certification still pays for CISSPs, CISMs

Information security certifications aren't often easy to obtain, but according to new IT data, those who have them are seeing their salaries rise.

Following the release of data from its most recent quarterly IT salary survey, Foote Partners LLC, a Vero Beach, Fla.-based independent research group, announced that pay for IT certifications was down for the eighth straight quarter, but a few sectors bucked the trend.
"Of the 165 certified skills we survey, only 17 increased in value over last year," said David Foote, the firm's founder and CEO. Included in that handful of skills are several security certifications, such as the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM).
In fact, seven of the 17 certifications that increased in value were from the security sector, with those who had earned the GIAC Security Expert (GSE) certification posting a whopping 36.4% average salary increase during the last 12 months: the largest salary growth of any certified professional. Overall, pay for security certifications was up 0.4% during the last six months and 2% during the last year (through July 1, 2008), compared with the downward trend of all IT certifications, which lost 2.5% during the last six months and 3.5% during the past year.
Also measured in the annual report were the changes in value for uncertified IT skills. The increase in pay for uncertified network security management skills was in step with the salary increase of GSE certified workers at 36.4% for last year.
According to Foote, spikes in value occur when the gap between demand and skills supply widens. "There are two reasons why that can occur," he said, "and it is rarely a decline in skills supply that cause[s] gap fluctuations -- it's surging demand."

So what's making the difference for security? Foote said the upward trend started with business' compliance concerns when the Sarbanes Oxley Act (SOX) debuted in 2002; it made sense for enterprises to put some money into security infrastructure and personnel to avoid paying the penalties of being noncompliant. Security awareness, however, has grown from there.
Separately, Foote Partners' data shows that the companies surveyed have raised their budgets for IT security governance by an average of 10.8% in the past year. Enterprises are more interested in keeping their data secure following high-profile breaches like the one at TJX Companies Inc. "Businesses are starting to hold vendors' feet to the fire," Foote said. "They are asking … for products with baked-in security."
With increased awareness comes greater need for experienced security pros to manage security plans and systems. This, Foote said, is why demand for security certifications -- particularly those with security management-related certifications like GSE, CISSP and CISM -- is growing.
Foote predicts demand for certified information security practitioners will only increase. Once greater security education comes into sync with budget planning, the demand and funding for security staff will continue to rise.
The seven security certifications that gained in value over the last year were GSE, CISM at 27.3%, the Certified Hacking Forensics Investigator (CHFI) at 14.3%, the GIAC Certified Intrusion Analyst (GCIA) and GIAC Systems and Network Auditor (GSNA) both at 11.1%, the Cisco Certified Security Professional (CCSP) at 9.1% and CISSP at 8.3%.
Foote said information security has proven to be one of the most stable IT niches for those who enjoy the work and are well-trained. "Conditions are in place for a fairly sustained momentum [when it comes to] staffing skilled security people internally," Foote said.

Saturday, September 20, 2008

Google Docs flaw could allow others to see personal files

A security researcher said he has discovered a vulnerability in Google Docs that mysteriously allows private documents to appear in other users' accounts. Tim Bass, a researcher posting Monday on the ISC(2) blog, wrote that when he recently was using his Google Docs account he found that it was listing documents as "owned" by him that did not belong to him. In his case, he discovered documents written in Thai. When Bass contacted the owner of those files, that person also mentioned that his account contained documents not owned by him or normally shared with him.
Bass said he suspects a JavaScript error in the way in which Google manages user sessions is to blame. A Google spokeswoman said Tuesday afternoon that the company was prepping a fix.
Google Docs is a web-based application that saves files not to a user's desktop, as is the case with programs such as Microsoft Office, but to Google servers, so users can retrieve documents from anywhere using the internet.
"The bottom line is that the security breach is real and dangerous," Bass said. "Your Google Docs, and I suspect other Google applications that use the same session management code, are vulnerable. There may be an underlying XSS (cross-site scripting) vulnerability as well."

Thursday, September 18, 2008

Network penetration testing heats up!

Keeping up with the latest trends and developments in network security is always a challenge and according to the SANS Institute and local partner Shearwater Solutions, network penetration testing is one of the hottest topics right now.
Hackers are deploying increasingly intelligent methods of attack, such as the exploitation of client-side technologies, including browsers, media players and office software to bypass firewalls and other network defences. Also becoming more and more prevalent is the data mining of social networking sites to obtain confidential information.
Alan Paller, director of research at the SANS Institute, stated, "According to data compiled by the SANS Internet Storm Centre, the number of attacks on web applications has increased dramatically over the past year. Enterprises need to arm themselves with the information and skills required to beat cyber-criminals at their own game."

For More Info:-


"One of the greatest lessons I have learnt in my life is to pay as much attention to the means of work as to its end. He was a great man from whom I learnt it, and his own life was a practical demonstration of this great principle. I have been always learning great lessons from that one principle, and it appears to me that all the secret of success is there; to pay as much attention to the means as to the end."
Swami Vivekananda
Representative of Hindus, Parliament of Religions, Columbian Exposition,
Chicago World Fair, 11 September 1893.