Archive for the 'Security Standards' Category



6 Tips For Improving Wireless Network Security

By Andrew Winthorp 

With so many individuals and businesses connecting to the internet over wireless, and with security breaches and identity theft regularly in the news, knowing the basic wireless security measures is a must. Many wireless users simply do not realize that an unsecured network leaves them open to intrusion and bandwidth theft. Here are several suggestions to keep your network from becoming a free hotspot for strangers.

(i) Change the password on your router. Every router ships with a preset administrator password and service set identifier (SSID), and attackers know these defaults. You should change the password to something

Read the rest of this entry »

Hardening Your Web Application Against SQL Injections

By Raheel Ahmad

WARNING:

The information provided is for educational purposes only and is not to be used maliciously.

Before digging into what SQL injection actually is, let me first explain what SQL itself is.

What is SQL?

Structured Query Language (SQL) is a specialized programming language for sending queries to databases. Most small and industrial-strength database applications can be accessed using SQL statements. SQL is both an ANSI and an ISO standard; however, many database products that support SQL do so with proprietary extensions to the standard language. Web applications often use user-supplied input to build SQL statements dynamically while serving a page request, and that is the point at which injection becomes possible.

What is SQL Injection?

SQL injection is a technique that exploits a

Read the rest of this entry »

Deloitte Laptop Stolen

In a breaking news story directly related to data security policies, it sounds like Deloitte had another laptop stolen yesterday, 9 Oct 2008.

Here’s an excerpt from the UK Computing article here:

A laptop owned by consultancy Deloitte which held information about staff under BSkyB’s pension plan has been stolen, Computing can reveal.

The computer was taken from a Deloitte employee in September at a public place and contained names, dates of birth and salary figures to be used for audit work on the broadcaster’s pension scheme.

BSkyB said the data did not include bank or address details and claimed it is highly unlikely that the information will be mishandled due to the laptop’s reliable data security set-up.

“The laptop was protected by a number of security measures, including passwords, user IDs and encryption of the majority of the information, so we are confident that the risk of data access or misuse is low,” said a BSkyB spokeswoman.

The fact that the spokeswoman says they used encryption on “the majority of the information” signals to me that they weren’t using whole disk encryption which is a common practice on laptops these days.

I’m sure if they were using full disk encryption they would have been 100% confident that the data was protected and they wouldn’t have had to notify the media about the loss.

What do you think?

Data Security Policy For ECommerce Merchants

By Joe Cole

Combating fraudulent transactions starts with creating and implementing your organization's data security policy. Consumers expect eCommerce merchants to protect the personal payment information they provide during a transaction and to use it only to complete that transaction. They also expect merchants to explain the measures and procedures they have put in place to keep sensitive account data safe. To address your customers' expectations and to prevent fraudulent activity, eCommerce merchants should

Read the rest of this entry »

Sophisticated Attacks on Community Financial Institutions Increasing!

By Gale Yocom

In today's high-tech world, maintaining the privacy and protection of customer and employee information grows more and more difficult, particularly for financial institutions. Scammers are getting bolder and more brazen in their efforts to extract personal information from banking customers, and they are aggressively targeting smaller, locally owned community financial institutions. In fact, a customer recently reported a complex, malicious and targeted attack on their institution's customers and employees. A well-recognized phishing trends website reported that financial institutions continue to see a rise in phishing activity, with 92.5% of attacks targeting financial institutions. On average, a phishing site stays online for 3.8 days. The number of days online matters because the longer a site remains up, the more opportunity the scammer has to harvest personal information. It is imperative that we

Read the rest of this entry »

Vista Hardening Guide

If you’re planning on deploying Windows Vista, make sure you follow the Windows Vista Security Guide available from Microsoft Technet here.

This is a description of the hardening guide:

This guide focuses on how to help create and maintain a secure environment for desktop and laptop computers that run Windows Vista. The guide explains the different stages of how to secure two different environments, and what each security setting addresses for the desktop and laptop computers deployed in either one. The guide provides prescriptive information and security recommendations.

Here are the chapters:

Chapter 1: Implementing the Security Baseline
Chapter 2: Defend Against Malware
Chapter 3: Protect Sensitive Data
Chapter 4: Application Compatibility
Chapter 5: Specialized Security – Limited Functionality
Appendix A: Security Group Policy Settings

Don’t install Vista without it!

Security Policies Survey

This blog entry from the Security Monkey at ITToolbox.com is shaping up to be a very handy list of security policy websites. Entitled "Where Do You Get Your Security Policies From?", it asks readers to respond with the websites they use for researching security policies.

Included in the suggestions are:

Definitely worth checking out!

Before You Write Your Wireless Security Standards, Wireless LAN Security Myths You Need to Know

When you write your wireless security standards, make sure you don’t fall into the trap of including wireless LAN security myths in them.

George Ou has written extensively about wireless LAN security and he’s published several articles on common wireless LAN security myths in ZDNet over the years. His latest article, “Wireless LAN security myths that won’t die” can be found on his ZDNet blog here.

He categorizes the myths he debunks as follows:

Waste of money, resources, time

  • MAC filtering
  • Disable DHCP and use Static IP addresses
  • Signal suppression with expensive paint or antenna placement

Worse than no wireless security at all

  • LEAP (adding EAP-FAST to the list)
  • SSID Access Point beacon suppression (or “hiding”)

Has nothing to do with security mechanisms

  • Just use 802.11a or Bluetooth

Even if you’re not writing your wireless security standard, read George’s article and make sure you aren’t spreading myths and making yourself look dumb in front of others who know better! :)

Wireless Security Standards

The University of Connecticut has a great wireless security standards worksheet here.

It includes requirements for large deployments and small/individual deployments as well as requirements that are common for all deployments.

Here’s an excerpt:

Common Requirements

Please review the University Wireless Policy for policy related information.

Minimum Technical Requirements

  • Locate APs on the interior of buildings instead of near exterior walls and windows as appropriate.
  • Place APs in secured areas to prevent unauthorized physical access and user manipulation.
  • Change the default service set identifier (SSID).
  • Ensure that AP channel selection utilizes the maximum amount of non-overlapping channels for the given spectrum.
  • Use WPA or greater encryption.
  • APs shall not be plugged into network hubs.
  • Ensure that all APs have strong administrative passwords.
  • Use SNMPv3 and/or SSL/TLS for Web-based management of APs.
  • Access points cannot interfere with any part of the central University wireless network.
  • When disposing of access points that will no longer be used, clear access point configuration to prevent disclosure of network configuration, keys, passwords, etc.
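As an added illustration, not part of the UConn standard or the original post: a small Python audit that checks a hostapd-style access point configuration against the technical requirements above (default SSID, WPA, pairwise cipher, administrative password, management protocol) and checks a set of 2.4 GHz channel assignments for overlap. The hostapd option names are real; the default-SSID list, the password-length thresholds, the management-protocol sets and the two sample configurations are assumptions constructed for the example.

```python
# Illustrative factory-default SSIDs; the standard does not publish a list.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
MIN_ADMIN_PASSWORD = 12                                   # assumed threshold for "strong"
MIN_PSK = 12                                              # assumed; WPA-PSK itself allows 8
INSECURE_MGMT = {"http", "telnet", "snmpv1", "snmpv2c"}   # clear-text or unauthenticated
SECURE_MGMT = {"https", "ssh", "snmpv3"}                  # what the standard calls for


def parse_hostapd(text):
    """Parse the key=value lines of a hostapd.conf fragment into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def audit_ap(cfg, admin_password, mgmt_protocols):
    """Return the list of requirement failures for one access point."""
    findings = []
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS | {""}:
        findings.append("default or empty SSID")
    if any(k.startswith("wep_") for k in cfg):
        findings.append("WEP keys configured")
    # hostapd: wpa=0 open, 1 WPA only, 2 WPA2/RSN only, 3 both
    wpa = int(cfg.get("wpa", "0"))
    if wpa == 0:
        findings.append("no WPA: network is open")
    elif wpa == 1:
        findings.append("WPA (TKIP) only; enable WPA2/RSN")
    elif "CCMP" not in cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")):
        findings.append("pairwise cipher is not CCMP")
    if len(cfg.get("wpa_passphrase", "x" * 64)) < MIN_PSK:
        findings.append("WPA passphrase shorter than %d characters" % MIN_PSK)
    if len(admin_password) < MIN_ADMIN_PASSWORD:
        findings.append("weak administrative password")
    protos = {p.lower() for p in mgmt_protocols}
    if protos & INSECURE_MGMT:
        findings.append("clear-text management enabled: "
                        + ", ".join(sorted(protos & INSECURE_MGMT)))
    if not protos & SECURE_MGMT:
        findings.append("no SNMPv3 or TLS management path")
    return findings


def overlapping_channels(channels):
    """2.4 GHz channels interfere unless at least 5 apart (1/6/11 are clear)."""
    chs = sorted(channels)
    return [(a, b) for i, a in enumerate(chs) for b in chs[i + 1:] if b - a < 5]


# Constructed sample configurations (not real captures).
WEAK_AP = """
interface=wlan0
ssid=linksys
channel=3
wpa=0
wep_default_key=0
wep_key0=0123456789
"""
HARDENED_AP = """
interface=wlan0
ssid=campus-staff
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-42
"""


def demo():
    weak = audit_ap(parse_hostapd(WEAK_AP), "admin", ["http", "snmpv2c"])
    hard = audit_ap(parse_hostapd(HARDENED_AP), "Tq7!rLp9#vWx2mZ", ["https", "snmpv3"])
    return weak, hard, overlapping_channels([1, 6, 11]), overlapping_channels([1, 3, 6])


if __name__ == "__main__":
    weak, hard, clear, clash = demo()
    print("weak AP:", *weak, sep="\n  ")
    print("hardened AP:", hard or "no findings")
    print("channels 1/6/11 overlap:", clear, " channels 1/3/6 overlap:", clash)
```

The weak configuration fails six of the checks; the hardened one passes them all. The channel check flags pairs closer than five channels apart, which is why three co-located 2.4 GHz access points should sit on 1, 6 and 11.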

Here’s an archived copy of the standard: Wireless Security Standards

Great info! Check it out!

Generic E-mail Filtering Standard

I wrote a generic e-mail filtering standard.

Here’s an excerpt:

3.1 Content Filtering

Employ a content filtering mechanism that scans all incoming e-mail messages and their attachments and manages the messages depending on the results of the scan.

3.1.1 Suspicious Content

Strip suspicious active content (ActiveX, JavaScript, etc.) from e-mail and forward to quarantine.

3.1.2 Prohibited Words

Quarantine e-mails that contain words or phrases that indicate the e-mail is “junk” or “spam”, words in the “Carlin List” and words that are racist, libelous, offensive or obscene.

3.1.3 Outbound Filtering

Protect the organization from possible litigation or loss of sensitive data by implementing outbound e-mail filtering.

3.1.3.1 Quarantine outbound e-mails that contain words or phrases viewed as inappropriate for use in organizational e-mail, including hoaxes and “spam”.
3.1.3.2 Quarantine outbound e-mails that contain words or phrases that indicate sensitive data is leaving the organization.
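As an added example, not part of the standard itself: a Python filter built on the standard library's email package that applies sections 3.1.1 to 3.1.3 to a single message, stripping active content, quarantining on prohibited phrases inbound and on sensitive data outbound. The phrase lists, sensitive-data patterns, script file extensions and sample messages are constructed stand-ins for the lists a real deployment would maintain (the "Carlin List" itself is not reproduced here).

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Constructed term lists; the standard's real lists are not on the page.
SPAM_PHRASES = ("act now", "free money", "forward this to everyone")
OFFENSIVE_WORDS = ("dagnabbit",)              # stand-in for the Carlin List etc.
SENSITIVE = {
    "card number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "classification marking": re.compile(r"\bCONFIDENTIAL\b"),
}
ACTIVE_HTML = re.compile(r"<script\b|<object\b|<embed\b|javascript:|vbscript:", re.I)
ACTIVE_EXT = (".js", ".jse", ".vbs", ".hta", ".wsf")


def scan_message(raw, outbound=False):
    """Apply 3.1.1 - 3.1.3 to one message. Returns (verdict, findings, message);
    verdict is 'deliver' or 'quarantine', and active content in the returned
    message has been replaced by a placeholder."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, text = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        # 3.1.1: script attachments and active HTML are stripped, and the
        # message is quarantined rather than delivered silently.
        if name.endswith(ACTIVE_EXT):
            findings.append(f"3.1.1 stripped attachment {name}")
            part.set_content(f"[attachment {name} removed by filter]")
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            if ctype == "text/html" and ACTIVE_HTML.search(body):
                findings.append("3.1.1 stripped active HTML content")
                part.set_content("[active content removed by filter]")
            else:
                text.append(body)
    corpus = "\n".join(text)
    low = corpus.lower()
    # 3.1.2 (inbound) / 3.1.3.1 (outbound): junk, hoax and prohibited words.
    for phrase in SPAM_PHRASES + OFFENSIVE_WORDS:
        if phrase in low:
            section = "3.1.3.1" if outbound else "3.1.2"
            findings.append(f"{section} prohibited phrase: {phrase!r}")
    # 3.1.3.2: sensitive data leaving the organization (outbound only).
    if outbound:
        for label, pattern in SENSITIVE.items():
            if pattern.search(corpus):
                findings.append(f"3.1.3.2 sensitive data: {label}")
    return ("quarantine" if findings else "deliver"), findings, msg


def sample(body, html=None, attachment=None):
    """Build a constructed test message (not a real capture)."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "test"
    m.set_content(body)
    if html:
        m.add_alternative(html, subtype="html")
    if attachment:
        m.add_attachment(b"WScript.Echo 1", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


def demo():
    return {
        "clean": scan_message(sample("Lunch at noon?"))[0],
        "active": scan_message(sample("see html",
                                      html="<p>hi</p><script>alert(1)</script>",
                                      attachment="invoice.js"))[:2],
        "spam": scan_message(sample("ACT NOW for free money"))[:2],
        "leak": scan_message(sample("card 4111 1111 1111 1111 attached"),
                             outbound=True)[:2],
        "inbound_card": scan_message(sample("card 4111 1111 1111 1111"))[0],
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

Note that the card-number pattern only fires on outbound mail: an inbound message carrying a card number is the sender's problem, not a leak, and flagging it would only add noise. Stripped parts are replaced with a placeholder rather than deleted so the recipient can see that something was removed.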

An archive of the standard is here: E-mail Filtering Standard

Let me know if you have any suggestions!