You crack passwords with what?
by admin on Sep.27, 2010, under Security
Cracking passwords with video cards?
Keep in mind that most hackers are not after individual accounts through a web log-in. Guessing one account at a time against a live login page is slow, rate-limited and easy to spot, so it would be a waste of time and resources. Hackers instead go after databases filled with password hashes and focus on the weak ones: with the hash database in hand, they can try candidate passwords offline, hashing each guess and comparing it against the stolen list, with nothing to throttle them. Working through the trillions of possibilities a brute-force search needs can take some time. How can a hacker possibly speed up the process… You guessed it, with a video card!
Think about what a video card is used for. A video card’s Graphics Processing Unit (GPU) is built to run the same simple operation over thousands of pixels at once, so it packs hundreds or thousands of small cores that work in parallel. A Central Processing Unit (CPU) has a handful of much more general-purpose cores. Hashing a candidate password is exactly that kind of simple, repetitive, independent work, so a GPU can test hundreds of millions of candidates per second against a fast hash like MD5 and cut the time a hacker needs from years down to days or hours.
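The offline attack described above, as an added example that is not part of the original post: a dictionary attack against a constructed table of unsalted MD5 hashes, beside the same attack against salted PBKDF2 hashes. The usernames, passwords, wordlist and iteration count are assumptions made for this demonstration; the work counters show why the defender’s choice of hash, not the attacker’s GPU, decides how far a leaked database gets cracked.

```python
import hashlib
import os

# Constructed wordlist: a stand-in for the millions of candidates a real
# cracker feeds its GPUs. (Example data, not from the original post.)
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "dragon"]

# Deliberately low so the example runs in about a second; production
# deployments use far more (assumption for this demo).
PBKDF2_ITERATIONS = 50_000


def md5_hex(text: str) -> str:
    """Fast, unsalted hash: the worst case for the defender."""
    return hashlib.md5(text.encode()).hexdigest()


def pbkdf2_hex(text: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, iterations).hex()


# Constructed "leaked" databases. The attacker only ever sees the digests;
# the plaintexts below are just how this fixture was built.
LEAKED_UNSALTED = {
    "alice": md5_hex("password"),                      # in the wordlist
    "bob":   md5_hex("letmein"),                       # in the wordlist
    "carol": md5_hex("correct horse battery staple"),  # not in the wordlist
}

_SALTS = {user: os.urandom(16) for user in LEAKED_UNSALTED}
LEAKED_SALTED = {
    "alice": (_SALTS["alice"], pbkdf2_hex("password", _SALTS["alice"])),
    "bob":   (_SALTS["bob"],   pbkdf2_hex("letmein", _SALTS["bob"])),
    "carol": (_SALTS["carol"], pbkdf2_hex("correct horse battery staple", _SALTS["carol"])),
}


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes.

    Each candidate is hashed once and the digest checked against *every*
    leaked hash, so the work is len(wordlist) hash operations no matter how
    many users are in the database. Returns (cracked, hash_ops).
    """
    lookup = {md5_hex(word): word for word in wordlist}
    cracked = {user: lookup[digest] for user, digest in db.items() if digest in lookup}
    return cracked, len(wordlist)


def crack_salted(db: dict, wordlist: list, iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Dictionary attack on salted PBKDF2 hashes.

    The per-user salt defeats the shared lookup table, so every candidate must
    be re-hashed for every user, and each hash costs `iterations` HMAC rounds.
    Returns (cracked, hash_ops) where hash_ops counts HMAC rounds.
    """
    cracked = {}
    hash_ops = 0
    for user, (salt, digest) in db.items():
        for word in wordlist:
            hash_ops += iterations
            if pbkdf2_hex(word, salt, iterations) == digest:
                cracked[user] = word
                break
    return cracked, hash_ops


if __name__ == "__main__":
    fast, fast_ops = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    slow, slow_ops = crack_salted(LEAKED_SALTED, WORDLIST)
    print("unsalted MD5:  ", fast, "work:", fast_ops, "hash ops")
    print("salted PBKDF2: ", slow, "work:", slow_ops, "hash ops")
    print("slowdown factor:", slow_ops // fast_ops)
```

Both attacks recover the same two weak passwords and miss the one that is not in the wordlist; the difference is the work. The unsalted table falls to six hash operations, while the salted, slow hash needs a hundred thousand times more for the same three users, and that multiplier is exactly what a GPU has to chew through.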
Just remember… hackers are always finding new and faster ways to get their hands on valuable information. It is our responsibility to keep this from happening: store passwords with a salted, deliberately slow hash such as bcrypt or PBKDF2 instead of a fast unsalted one, so that even a GPU can only test a few thousand candidates per second per user, and insist on passwords that do not appear in any wordlist.
Reference: http://www.economist.com/blogs/babbage/2010/09/passwords_redux
- Billy Steines
What is Cyber Security?
by danweiske on Aug.22, 2009, under Security
We recently heard President Obama announce that he will personally select a White House-based cyber security coordinator, and assure the country that U.S. cyber security efforts will be intensified. He also stated that cyber security is a “matter of public safety and national security.” But what exactly is this so-called cyber security, and why do we need to worry about it?
Also known as computer security, cyber security is the branch of security dealing with digital or information technology as applied to computers and networks. Its objective includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users.
The concern about cyber attacks nowadays is very obvious. Looking around it seems that everything relies on computers and the internet now: communication (email, cell phones), entertainment (digital cable, mp3s), transportation (car engine systems, airplane navigation), shopping (online stores, credit cards), medicine (equipment, medical records), and the list goes on.
There are many risks, some more serious than others. Among these dangers are viruses erasing your entire system, someone breaking into your system and altering files, someone using your computer to attack others, or someone stealing your credit card information and making unauthorized purchases. Cyber Security involves protecting that information by preventing, detecting, and responding to attacks.
Cyber Attacks Terminology:
Hacker, attacker, or intruder: People who seek to exploit weaknesses in software and computer systems for their own gain.
Malicious code: Also called malware, this is a broad category that includes any code that could be used to attack your computer. Viruses and worms are examples of malicious code.
Vulnerability: In most cases, vulnerabilities are caused by programming errors in software. Attackers might be able to take advantage of these errors to infect your computer, so it is important to apply updates or patches that address known vulnerabilities.
With these threats arriving on a daily basis, federal agencies are now focused on better coordinating the security of their own systems, with the help of FISMA and other government standards. Companies are also acting “less reticent” about sharing attack data with the feds so that attacks can be countered more effectively.
Protecting your data and information technology systems may require specialized expertise. However, even the smallest business or agency can be better prepared.
Every computer can be vulnerable to attack. The consequences of such an attack can range from simple inconvenience to a national security catastrophe.
Start with these simple steps:
- Use anti-virus software and keep it up-to-date.
- Don’t open email from unknown sources.
- Use hard-to-guess passwords.
- Protect your computer from Internet intruders by using firewalls.
- Back up your computer data. Many computer users have either already experienced the pain of losing valuable computer data or will at some point in the future. Back up your data regularly and consider keeping one version off-site.
- Regularly download security protection updates known as patches. Patches are released by most major software companies to close security holes that are found in their programs.
- Check your security on a regular basis.
- Make sure your co-workers know what to do if your computer system becomes infected.
- Subscribe to the Department of Homeland Security National Cyber Alert System, to receive free, timely alerts on new threats and learn how to better protect your area of cyberspace.
- Participate in National Cyber Security Awareness Month
by danweiske on Aug.10, 2009, under Government, Security
Here at IT Federal Services we’ve got two new service offerings based on red team and blue team services. Here’s a little bit about what these services mean in a military sense.
Military Red Team – Blue Team Exercises
Red Team-Blue Team Exercises are methods of evaluating security by creating a “game” where one team (the Red Team) attempts to “attack” a target and the other team (the Blue Team) tries to defend it.
This concept can be traced to the military, which has for several decades tested military theory and operational proficiency with the use of Red and Blue Teams. Traditionally Blue and Red are used as designations, with Blue representing the ‘home’ nation and Red the opposition. Within a military setting, these exercises can test both: the practicality of plans as well as the abilities of field commanders and their subordinate leaders at all levels to successfully overcome chaos. They have also been used to test physical security of sensitive sites like nuclear facilities and the Department of Energy’s National Laboratories and Technology Centers. In the ’90s, experts began using Red Team-Blue team exercises to test information security systems.
As any system evolves in complexity, the total number of points of weakness within that system multiplies. Testing security with a Red Team is one method of organizational learning that can be monitored and controlled to the benefit of both infrastructure facilities and federal agencies. The purpose of Red Team exercises has been defined as “to validate perceived vulnerabilities or weaknesses in the overall security of an installation or facility. In addition, it is designed to test security operations, tactics, equipment, and procedures to see if they are able to mitigate actual or perceived threats.”
Red Teams can be composed of internal resources, external resources (military specialists or contracted specialists) or both. These teams can assess, probe, and attempt to breach the facility security (i.e., the physical and/or electronic security systems) of infrastructure assets. The Red Team probes and tests the underlying assumptions on which facility security practices are based. Unexpected and asymmetrical attacks on infrastructure highlight both the strengths and the weaknesses of a given facility’s security and increase the readiness levels of on-site security.
On the other side, the Blue Team is always at the ready, in place to react quickly at the first signs of a breach with a retaliatory or defensive move that may not have been in its plans, in order to prevent a full-out unexpected attack. Without performing offensive attacks of its own, this quick-to-react team tests the capability, speed and flexibility of the system’s or physical site’s attack recognition and planning ability. At the end of the exercise they will have the data to better assess how prepared the team, system or infrastructure actually is, in order to adapt security protocols for attacks and to build the skill to make changes during attacks.
Nowadays, the goal of a Red Team-Blue team exercise is not just to identify holes in security, but to train security personnel and management. An initial assessment may identify changes that need to be made.
Using a Red Team with an after-action review process is an economical and realistic method to test the sufficiency of facility security practices at many infrastructure stations and key assets. Team members must be properly trained, for these exercises require careful and thorough scripting to minimize the dangers to property and the public.
New Security Rules for HIPAA… Who does this affect?
by admin on Jun.05, 2009, under Business, Security
President Barack H. Obama signed into law the American Recovery and Reinvestment Act (ARRA) on February 17, 2009, commonly referred to as the federal stimulus package.
Medical establishments, as well as the IT firms that support them, will be directly affected by the detailed changes to the federal health information privacy and security provisions under HIPAA (the Health Insurance Portability and Accountability Act) laid out in the new stimulus plan.
HIPAA created “strict patient-privacy rules for doctors, hospitals and insurance companies” in 1996; however, those rules took 7 years to actually go into effect. This time you will only have 1 year to get your systems ready to comply.
What is now required of you
* First, you must supply patients and the Department of Health and Human Services (HHS) with recorded, software-specific audit trails of who has accessed patient information and when.
* If you house patient information electronically and suffer a security breach in your systems, you must now disclose the breach to patients and HHS, and also to the media in cases where over 500 patients are involved.
* Additionally, all of you IT firms that service such institutions by storing patient data on corporate servers will be required to upgrade your systems to comply with HIPAA as well, whereas before you may simply have negotiated liability into a contract with the health care provider.
* Everyone handling patient information will now be subject to random audits conducted by HHS to confirm compliance with HIPAA.
* Lastly, most of you will need to have your software code and platforms rewritten to log and audit access to patient information as the new law’s language requires.
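What the audit-trail requirements above boil down to in code, as an added example that is not part of the original post and not any mandated format: an append-only PHI access log that records who touched which patient record, when, what they did and why, can answer a patient’s “who looked at my record?” request, and chains every entry to the previous one with an HMAC so that edits or deletions by whoever runs the system are detectable. The key, actors, patient identifiers, timestamps and `PhiAuditLog` API are all constructed for this demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. A real deployment keeps this in an HSM/KMS, out of
# reach of the application that writes the log (assumption for this example).
AUDIT_KEY = b"demo-audit-key-not-for-production"

_CHAIN_ANCHOR = b"\x00" * 32


class PhiAuditLog:
    """Append-only access log with an HMAC chain.

    Every entry records who touched which patient record, when, what they did
    and why. Each entry's MAC covers the previous entry's MAC, so editing or
    deleting an earlier entry breaks verification of everything after it.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._entries = []
        self._head = _CHAIN_ANCHOR

    @staticmethod
    def _canonical(entry: dict) -> bytes:
        # Deterministic encoding of everything except the MAC itself.
        body = {k: v for k, v in entry.items() if k != "mac"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def record(self, actor: str, patient_id: str, action: str, purpose: str,
               when: datetime) -> dict:
        entry = {
            "ts": when.astimezone(timezone.utc).isoformat(),
            "actor": actor,
            "patient_id": patient_id,
            "action": action,
            "purpose": purpose,
        }
        mac = hmac.new(self._key, self._head + self._canonical(entry), hashlib.sha256).digest()
        entry["mac"] = mac.hex()
        self._entries.append(entry)
        self._head = mac
        return entry

    def head(self) -> str:
        """Latest MAC. Store it somewhere the log writer cannot reach (a
        separate system), otherwise truncating the *tail* of the log goes
        unnoticed: the chain only proves integrity up to a head you trust."""
        return self._head.hex()

    def verify(self, expected_head: str = None) -> bool:
        """Recompute the chain; optionally check it ends at a trusted head."""
        prev = _CHAIN_ANCHOR
        for entry in self._entries:
            mac = hmac.new(self._key, prev + self._canonical(entry), hashlib.sha256).digest()
            if not hmac.compare_digest(mac, bytes.fromhex(entry["mac"])):
                return False
            prev = mac
        if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
            return False
        return True

    def accesses_for_patient(self, patient_id: str) -> list:
        """The report a patient (or HHS) can ask for: who saw this record and when."""
        return [(e["ts"], e["actor"], e["action"]) for e in self._entries
                if e["patient_id"] == patient_id]


def build_sample_log() -> PhiAuditLog:
    """Constructed events for the demonstration; not real patient data."""
    log = PhiAuditLog(AUDIT_KEY)
    t0 = datetime(2009, 6, 5, 9, 0, tzinfo=timezone.utc)
    log.record("dr.ng", "P-1001", "view", "treatment", t0)
    log.record("billing.jones", "P-1001", "export", "payment", t0.replace(hour=10))
    log.record("dr.ng", "P-2002", "update", "treatment", t0.replace(hour=11))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify(), " head:", log.head()[:16], "...")
    for ts, who, what in log.accesses_for_patient("P-1001"):
        print(f"{ts}  {who:14s} {what}")
```

The chain catches edits to, and deletions of, any entry that has later entries behind it; it does not by itself catch someone who simply chops off the newest entries, which is why `head()` exists and why the trusted head belongs on a machine the log writer cannot touch.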
What this will cost you
The Health Information Technology for Economic and Clinical Health (HITECH) Act, which is intended to promote widespread adoption of health IT, brings new penalties through an “Improved Enforcement” policy. This regulation now lays out mandatory fines for violations due to “neglect” on your part, starting at $100 per violation and rising to $10,000 per violation for violations due to “willful neglect”.
In addition, if you employ someone who is found guilty of obtaining PHI (Protected Health Information) without authorization, that person will incur criminal penalties, including fines of up to $250,000 and 10 years’ imprisonment per violation.
The good news is that the federal economic stimulus legislation provides you with over $22 billion solely reserved for the development, implementation and promotion of your new health information technology infrastructure, software and electronic health records systems. Take advantage of it!
What this new act means for you
Although these provisions give patients the freedom to access their PHI electronically, you’ll be the one feeling the impact of maintaining that information on their behalf IF you don’t upgrade your software and IT systems now.
Currently, those of you who only support or facilitate information storage for health care organizations are not directly governed by HIPAA; however, this will all change with the new HITECH Act, which applies the HIPAA Security Rule, along with other data-safety requirements, directly to you.
* For one, you will now have to implement administrative, physical and technical safeguards in all of your systems.
* You will also be required to report any security breaches to the covered entities, providing specifics of the breach in each report.
* Further, you will now be subject to civil and criminal penalties under HIPAA.
* As well as civil and criminal penalties if, upon becoming aware of a violation, you fail to take action.
How much time you have
I would highly recommend that you become compliant as soon as conveniently possible; however, you still have some time left. The legislation breathes new life into the Office of the National Coordinator for Health Information Technology (ONCHIT) as the hub of the national health information technology effort. ONCHIT adopts national standards for all electronic health records, and these will be in effect by December 31, 2009.
These mandatory notification requirements do not apply to security incidents involving “secured” health information, that is, information protected by technologies such as encryption that render its contents unusable, unreadable or indecipherable to unauthorized individuals. That safe harbor only holds if the decryption key was not exposed in the same incident: encrypted data stored alongside its key is not “secured”.
Notably, these notification requirements will be in addition to the FTC’s “Red Flags” regulations, which apply broadly to any of you who are financial institutions and/or creditors. Under those rules you’ll also be required to adopt programs for identifying and addressing security risks that might lead to identity theft.
Remember, you WILL be audited; become compliant before it’s too late, to avoid the hefty fines.
Conficker - Did it bust today? April Fools, right?
by admin on Apr.02, 2009, under Security
Where did the Conficker madness go? It seems that the AV companies have been eating this up. On the news all you see is vendors and VARs going nuts about “buy my product”.
Ummm. Yeah, if I didn’t patch my system like 5 months ago and got infected by going to some nudie net site, then yeah, I need some antivirus. My home network consists of more non-Microsoft PCs because of these constant patching problems and recurring bugs from Bill. Ugh.
The three main things I learned back in the day were: you’d better patch your machine, have some level of AV that updates, and run a firewall (host or network).
For Conficker… is it that hard to update your machine? Sheesh.
It’s been a long day of waiting … We’ll see what it does…maybe…
FISMA - As done by my buddy Bill Hornish with Splunk
by danweiske on Mar.27, 2009, under Government, Security
FISMA and the CAG
by danweiske on Mar.27, 2009, under Security
You may have seen the CAG pop up over the last few weeks and wondered “What the heck is this thing?”.
I too was baffled by the lack of “meat” in this proposal. And with no consideration of risk and environment, how are system owners going to understand what to protect and how to protect their systems? I’ll give you $100 to protect a one-dollar asset. Doesn’t make sense, right? You want to appropriately protect your systems: assess those systems against the appropriate risk. I’ll talk more about this as time goes on. The CAG won’t last, and if it does there are going to be serious issues with the security of many government and DoD systems.
After the move to a new hosting company.
by danweiske on Mar.27, 2009, under Uncategorized
We did it. In less than a few hours all of our files and DNS entries were moved. What a relief that we didn’t have to worry about email. Now we’re off and moving. Welcome again to “Another IT Security Blog.”