100+ Open Source Security Tools

Posted by William McBorrough | Forensics, Networking, PenTest, Tools, Wireless | Saturday 30 January 2010 2:57 pm

Security testing, or security assessment, is the process of determining whether an Information System adequately protects data and maintains its intended functionality, judged against the following properties:

Confidentiality: A security measure which protects against the disclosure of information to parties other than the intended recipient(s). It is often ensured by encrypting the information with a defined algorithm and some secret known only to the originator and the intended recipient(s) (cryptography), but that is by no means the only way of ensuring confidentiality.

Integrity: A measure intended to allow the receiver to determine that the information it receives has not been altered in transit, or by anyone other than the originator. Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually add extra information to a communication (a hash, checksum or authentication tag) that forms the basis of an algorithmic check, rather than encrypting the whole communication. Note that encryption on its own does not provide integrity: ciphertext can often be altered so that it still decrypts to a plausible message.

Authentication: A measure designed to establish the validity of a transmission, message, or originator. It allows a receiver to have confidence that the information it receives originated from a specific known source.

Authorization: The process of determining that a requester is allowed to receive a service or perform an operation.

Availability: Assuring information and communications services will be ready for use when expected. Information must be kept available to authorized persons when they need it.

Non-repudiation: A measure intended to prevent a party from later denying that an action happened or a communication took place. In communication terms, this often involves the interchange of authentication information combined with some form of provable time stamp.
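The distinction between confidentiality and integrity above is easiest to see in code. The following is an added example, not part of the original post: it uses a deliberately toy XOR stream cipher (constructed here for illustration only, never for real data) to show that encryption alone lets an attacker who knows the message layout change a payment amount without any key, while an HMAC tag appended to the ciphertext (encrypt-then-MAC, using Python's standard library `hmac` and `hashlib`) detects the alteration. The keys and the message are constructed for the demo.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks. Constructed for this
    illustration only; it is NOT a vetted cipher and must not be used for
    real data."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Confidentiality only."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append an HMAC tag over the ciphertext (encrypt-then-MAC)."""
    ciphertext = xor_crypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag before decrypting. Returns None if the message was altered."""
    if len(blob) < TAG_LEN:
        return None
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return xor_crypt(enc_key, ciphertext)


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's bit-flip: with a stream cipher, XORing (old ^ new) into the
    ciphertext changes the corresponding plaintext bytes without any key."""
    out = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        out[offset + i] ^= o ^ n
    return bytes(out)


def demo():
    # Constructed keys and message; the attacker knows the layout, not the keys.
    enc_key = b"constructed-demo-encryption-key"
    mac_key = b"constructed-demo-mac-key"
    message = b"PAY 0100 TO ALICE"
    off = message.index(b"0100")

    # 1. Encryption only: the forged amount decrypts cleanly and nobody notices.
    ct = xor_crypt(enc_key, message)
    forged_plain = xor_crypt(enc_key, tamper(ct, off, b"0", b"9"))

    # 2. Encrypt-then-MAC: the same flip breaks the tag, so the receiver rejects it.
    sealed = seal(enc_key, mac_key, message)
    forged_sealed = tamper(sealed, off, b"0", b"9")
    rejected = open_sealed(enc_key, mac_key, forged_sealed)

    genuine = open_sealed(enc_key, mac_key, sealed)
    return forged_plain, rejected, genuine


if __name__ == "__main__":
    forged, rejected, genuine = demo()
    print("encryption only :", forged)    # b'PAY 9100 TO ALICE'
    print("encrypt-then-MAC:", rejected)  # None (tampering detected)
    print("untampered      :", genuine)   # b'PAY 0100 TO ALICE'
```

Two practitioner notes. The tag is compared with `hmac.compare_digest` rather than `==` so that verification time does not leak how many bytes of a forged tag were correct. And an HMAC gives the receiver origin authentication only between the two holders of the MAC key; because both sides can produce the same tag, it does not give non-repudiation, which needs a signature that only the originator can create.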

I’ve listed 100+ free and open source tools used in security testing here.

Lynis – Security and System Auditing Tool

Posted by William McBorrough | Tools | Friday 29 January 2010 11:32 pm

Lynis is an auditing tool for Unix specialists. It scans the system and the software installed on it to detect security issues. Besides security-related information, it also collects general system information, installed packages and configuration mistakes.

The software aims to assist with automated auditing, software patch management, and vulnerability and malware scanning of Unix-based systems. It can be run without prior installation, so keeping it on read-only storage (USB stick, CD/DVD) is no problem.

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.

How much is your Twitter Account worth on the Hacker Underground?

Posted by William McBorrough | Social Networking | Friday 29 January 2010 4:21 pm

Well, that depends on the name of your account and the number of followers, naturally. According to researchers at Kaspersky Lab, hackers are trying to sell hacked Twitter user names and passwords on-line for hundreds of dollars. Cybercriminals are looking for an initial, trusted stepping stone from which to send malicious Twitter messages and, ideally, infect more machines. Imagine a tweet coming from “you” to all your family, friends, co-workers, etc. informing them of something particularly interesting just one click away. Naturally the link will be shortened, so they will have no clue where it leads. Most will click on it with the confidence that it came from you. That’s all it takes.

One Twitter account, with just over 320 followers, was reportedly offered at $1,000 in an underground hacker forum. The user’s name was a simple three letter combination that might make it more valuable to criminals. Social networks are really the new battlefield and the bad guys are winning.

Source: http://www.computerworld.com/s/article/9150001/Stolen_Twitter_accounts_can_fetch_1_000

Fake virus alert spreads massively across Facebook

Posted by William McBorrough | News | Thursday 28 January 2010 8:01 pm

Panda Security has released the following advisory:

In the last 24 hours, PandaLabs has detected the massive propagation among users of a fake virus alert. The truth is, this is just another attempt to infect users with fake antivirus programs.

The fake warning is distributed via email and users are forwarding it or publishing it on walls, thereby further spreading the hoax. The text of the fake warning reads as follows:

ALERT Has your Facebook been running slow lately? Go to “Settings” and select “application settings”, change the dropdown box to “added to profile”. If you see one in there called “un named app” delete it… Its an internal spybot. Pass it on. about a minute ago….i checked and it was on mine.

There is no associated link, but if users search the Web for more information, they will encounter numerous malicious websites designed to download fake antiviruses.

There have been many predictions in security circles that security on the social networks will pose a significant problem in 2010. It’s still January, but this isn’t promising. An encouraging sign, however, is that the owners of Facebook are taking notice and trying to help mitigate some of the risk. On January 13, Facebook announced a year-long partnership with McAfee to offer all 350 million people who use Facebook the ability to download a six-month subscription to McAfee security software at no cost, along with a special discount once the six months are over. Good for them…and you.

Source: http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=10045

Hacker cracks 49 House sites, insults Obama

Posted by William McBorrough | News | Thursday 28 January 2010 7:39 pm

It must be the season. A hacker broke into 49 House Web sites of both political parties overnight to post a crude attack on President Barack Obama.

Spokesman Jeff Ventura in the chief administrative office said Thursday the sites that were hit were managed by a third-party vendor. In contrast, most lawmakers’ Web sites are managed by House technicians.

Ventura says the vendor was performing an update and for a brief moment let its guard down. That was long enough to allow the hacker to penetrate the sites.

Isn’t that just the handiest of excuses? Caught with your pants down, you say “Well, I just pulled them down.” If you are performing an update which leaves your defenses down, I should think you could easily block access to the systems until the shields are back up. A robust change control process should have flagged this as a possible risk. Suffice it to say, most organizations lack such a process, as this one apparently did.

Source: http://www.msnbc.msn.com/id/35125467/ns/technology_and_science-security/

Potty mouth hackers pwn TechCrunch (AGAIN)

Posted by William McBorrough | News | Wednesday 27 January 2010 2:54 pm

Less than 24 hours ago, I made a blog post about the TechCrunch.com website getting defaced with porn. Well, they cleaned it up only to get owned again! How’s that for a secure web server?

The second hack (image below) features a foul-mouthed rant aimed against site founder Michael Arrington. It also includes a link to the same online smut and warez-peddling torrents site “promoted” via the previous attack.

Arrington, the crackers brag, should be grateful they didn’t delete setup and registrations on TechCrunch’s back end database when they attacked the site.

Source: http://www.theregister.co.uk/2010/01/27/techcrunch_hacked_again/

Google Toolbar caught tracking users when 'disabled'

Posted by William McBorrough | News | Wednesday 27 January 2010 2:40 pm

Does anyone doubt that Google’s ultimate goal is nothing less than world domination?? That’s besides the fact that the concept of “privacy” on the Internet is a myth. The sooner we come to terms with that the wiser.

Google has updated its browser toolbar after the application was caught tracking URLs even when specifically “disabled” by the user.

In a Monday blog post, Harvard professor and noted Google critic Ben Edelman provided video evidence of the Google toolbar transmitting data back to the Mountain View Chocolate Factory after he chose to disable the application in the browser window he was currently using.

The Google toolbar offers two disable options: one is meant to disable the toolbar “permanently,” and the other is meant to disable the app “only for this window.”

In a statement passed to The Reg, Google has acknowledged the bug. According to the statement, the bug affects Google Toolbar versions 6.3.911.1819 through 6.4.1311.42 for Internet Explorer. An update that fixes the bug is now available here, and the company intends to automatically update users’ toolbars sometime today.

The statement also says that the bug does not occur if you open a new tab after disabling the toolbar for a particular window. In the statement, Google goes on to say that the bug disappears if you restart your browser, but this doesn’t quite make sense. If you’re interested in disabling Google toolbar for a particular window, you aren’t going to close that window.

“For that option to work as its name promises, Google Toolbar must cease transmissions immediately,” Edelman says. “Fact is, the ‘Disable Google Toolbar only for this window’ option doesn’t work at all: It does not actually disable Google Toolbar for the specified window.”

Read the whole article at http://www.theregister.co.uk/2010/01/27/google_toolbar_caught_transmitting_data_when_disabled/

Staff Leak Military Secrets on Facebook and Twitter

Posted by William McBorrough | Social Networking, Users | Wednesday 27 January 2010 2:10 pm

Are your employees ( or you ) leaking sensitive data over the social networks? This report from the UK should give you pause.

The Ministry of Defence has admitted that staff leaked secret information 16 times on social networking sites such as Facebook and Twitter over an 18-month period.

The admission comes in response to a Freedom of Information request by Lewis PR, which handles public relations for security firm F-Secure.

Lewis said the Ministry of Defence had disciplined 10 personnel, although it was unable to specify individual cases.

Ministry of Defence staff aren’t banned from using social networks, but Lewis pointed out that the department’s code tells employees: “Remember you are a member of HM Forces/MOD civil servant. Observe the same high standard of conduct and behaviour online as would be expected of you in your professional or personal life.”

However, F-Secure said the Ministry of Defence should do more to ensure the guidelines are adhered to.

“It’s worrying that employees in sensitive positions have been sharing confidential information via Twitter and other means,” said F-Secure’s security expert Mikko Hypponen.

“They might think they are confiding in friends or family when they go on Facebook. However, the recent changes in Facebook’s privacy settings might make them disclose information to the world. This is a potential security risk.”

Source: http://www.csoonline.com/article/525613/MoD_Staff_Leak_Military_Secrets_on_Facebook_and_Twitter

2010 Year of the Zombie Cloud

Posted by William McBorrough | Network, Social Networking, Systems | Wednesday 27 January 2010 1:27 pm

As more organizations consider moving into the cloud to benefit from the evident cost savings and to focus on their core business functions, the bad guys are looking for the same benefits.

2009 has been a notable year for malware and malicious online activity for a number of reasons, and several of them relate to what are known as botnets. A zombie, or a bot, is a PC infected by malware that brings it under the remote control of a criminal. Criminals run networks that can range from thousands to millions of infected machines and they use them to power most of the cybercrime we see today, including spam, DDoS, scareware, phishing, and malicious or illegal website hosting. They have a finger in every cybercriminal pie.

In the first half of the year, the Conficker worm (also known as Downadup or Kido) stole all the headlines in the malware world. Eventually the Conficker botnet was seen to deliver standard cybercriminal payloads, such as spambots and Fake AV (or scareware), much to the disappointment of some of the more hysterical commentators. Just because the outbreak received so much coverage, coverage that died away just as rapidly, don’t be fooled into thinking this threat has gone away. The Conficker Working Group, an alliance of security vendors, researchers and other commercial organisations, is currently showing around 6 million unique IP addresses as appearing to be infected with this malware.

An unrelated, but important, trend in 2009 was the exponential increase in the abuse of social networking providers for malicious purposes. The enormous active user populations on sites like Facebook, Twitter and MySpace prove a very attractive lure to organised online crime and its attendant money-making, bot recruitment and Fake AV pushing scams. Facebook has been abused by rogue Apps, designed to fool users into clicking links that reward the creator through pay-per-click affiliate advertising networks. It has also been used to spread malware through many means: malicious links in wall posts and messages, designed specifically to hijack accounts, and by external compromise of legitimate Apps. The Koobface family of malware (also a botnet) has evolved over the course of 2009; it was initially spread through malicious messages and wall posts with links to fake YouTube sites punting a supposed codec in order to view the video. The codec of course was nothing of the sort and led to infection and account hijacking. Koobface has now evolved to the point where it is fully capable of creating its own fake profile pages, complete with confirmed Gmail address, photo and biographical data. These fake accounts then set about joining networks and sending friend requests, again all in a completely automated fashion.

Read more at http://countermeasures.trendmicro.eu/2010-year-of-the-zombie-cloud/

StopBadware Goes Independent

Posted by Guest Blogger | News | Tuesday 26 January 2010 3:58 pm

StopBadware, an anti-malware effort started at Harvard University’s Berkman Center for Internet and Society, has announced it has begun operating as a standalone non-profit organization.

Google, PayPal, and Mozilla have committed the initial funding to support the launch of StopBadware, Inc.

StopBadware began four years ago as a Berkman center project aimed at engaging the Internet community in fighting software such as viruses or spyware that disregard a user’s choice about how their computer or network connection will be used.

StopBadware works with its network of organizations and individual volunteers to collect and analyze data, to build community momentum for fighting badware.

“If we want to put an end to badware-or even put a dent in it-we have to change the attitudes and behaviors of individuals, organizations, and governments,” said Maxim Weinstein, StopBadware’s executive director.

“That’s no small task, but we know progress is possible by combining the creativity and passion of our BadwareBusters.org community members with the hard facts derived from our Badware Website Clearinghouse.”

The decision to spin StopBadware off from the Berkman Center was made in recognition of the effort’s evolution from research project to mission-driven organization.

“There is still much to do. Badware remains a growing problem, but in the past few years, there’s also been a growing sense that this is a problem we-the Internet community-can and should work together to address. StopBadware is committed to making that happen,” said Weinstein.