IT Outsourcing - Percento

Posts Tagged ‘IT Security’

ISACA’s CACS in Dubai to Feature Global Security, Governance Experts

Tuesday, December 28th, 2010

DUBAI, UAE — Senior business and technology leaders will convene at InterContinental Dubai Festival City from 21-22 February 2011 for CACS in Dubai, an internationally respected event that features governance, security, assurance and risk management experts from around the world.

Hosted by ISACA, a global information technology (IT) association of 95,000 IT professionals, CACS (Computer Audit, Control and Security) will include a keynote presentation by Neeraj Kumar, Senior Vice President of Internal Audit and Chief Audit Executive of Emirates Group. Neeraj Kumar will explain how to use technology to improve proactive risk-focused auditing and continuous monitoring.

CACS in Dubai will also offer educational sessions on key IT security and governance issues facing enterprises today, including:

  • Implementing COBIT: A Public-sector Case Study, presented by Naveed Ahmed, CISA, CISM, CGEIT, Dubai Customs, UAE
  • IT Governance to Support Corporate Governance: A Case Study, presented by Avinash Totade, CISA, CGEIT, Dubai Aluminium Company, UAE
  • E-government Security: Threats and Challenges, presented by Abbas S Kudrati, CISA, CISM, CGEIT, eGovernment Authority, Kingdom of Bahrain
  • Metrics and Indicators for a Changing Security Landscape, presented by Ramsés Gallego, CISM, CGEIT, Entel IT Consulting, Spain
  • Social Media: Business Security, Governance and Assurance Perspectives, presented by Urs Fischer, CISA, CRISC, IT GRC Consultancy, Switzerland
  • Designing Next Generation Security and Audit for Cloud Computing Environments, presented by Eddie Schwartz, CISA, CISM, NetWitness Corp., USA
  • The Future of Information: Real Challenges and Opportunities, presented by Norman Marks, SAP, USA
  • Automating IT Risk and Compliance to Reduce Costs: A Series of Case Studies, presented by Anil Jogani, CISA, CGEIT, Milan Solutions Limited, UK

ISACA chose Dubai as the location for the conference because it is an important city in the global economy as well as the region’s crossroads, serving as a center of business and technology. ISACA’s United Arab Emirates Chapter was established in 1997 to bring together business and information technology leaders in the region. The ISACA UAE Chapter is a strong network of professionals from all the emirates of the UAE: Abu Dhabi, Dubai, Sharjah, Ajman, Umm Al Quwain, Ras Al Khaimah and Fujairah.

“CACS in Dubai will help attendees add value to their enterprise by providing them with practical guidance on critical IT-related issues facing organizations worldwide,” said Vatsaraman Venkatakrishnan, CISA, CISM, CGEIT, CRISC, Vice President of IS audit at Emirates Airlines and Chair of ISACA’s Conference Development Task Force.

Attendees who register by 12 January 2011 will receive an early-bird discount. Registration forms for the conference and two pre-conference workshops–Using COBIT for Effective IT Assurance and the Risk Management Workshop: Featuring ISACA’s Risk IT Framework and Guidance–are available at www.isaca.org/cacsindubai.

About ISACA

With 95,000 constituents in 160 countries, ISACA® is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit ISACA develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

Source


Google Dropping Windows over Security? Good Luck with That

Wednesday, June 2nd, 2010

Sources from within Google are claiming that the online search and advertising giant is implementing an official transition away from the Microsoft Windows operating system. According to the reports, the culture shift is intended to reduce security concerns. That makes a compelling headline–especially for a Microsoft rival developing its own operating system–but it doesn’t make a very good security strategy.

On one level, it makes perfect sense for Google to abandon Windows. Google has always been a bitter rival of Microsoft, and Google’s Android mobile operating system and upcoming Chrome operating system are built on Linux. Of course Google should avoid generating additional revenue for Microsoft and rely on the platform that forms the foundation of what Google expects its customers to use.

Another area where Google should eat its own proverbial dog food is with Web browsers. The Chrome Web browser has been gaining market share since its launch, but it was a zero-day flaw in Microsoft’s Internet Explorer Web browser that was exploited to compromise systems and steal data from Google earlier this year. With the exception of key developers that might need to see how things render in IE, users at Google should ostensibly not be using the competing browser.

That brings us to the claim that security concerns are behind the move to abandon Windows. The reports suggest that Google has banned the use of Windows in response to the Operation Aurora attacks which Google alleged were state-sponsored attacks from the Chinese government.

The flaw in that logic is that it assumes the attacker would be unable to compromise alternative platforms like Linux or Mac OS X. Microsoft Windows–by virtue of its dominant market share–is the target of the vast majority of general malware attacks, so switching from Windows may reduce the daily operational risks. But, when it comes to precision, targeted attacks, alternative OS platforms don’t provide any better defense so dropping Windows would not have prevented the Operation Aurora attacks.

In fact, alternative platforms may arguably make a precision attack that much easier. The Mac OS X platform has an illusion of superior security because malware developers don’t care to invest time and resources developing exploits that only work on five percent of the possible targets. However, year after year Mac OS X is compromised in a matter of minutes–or even seconds–in the annual Pwn2Own contest.

Before Google decides to base its security strategy on which operating system platform it relies on, the Google management and IT administrators should read the venerable information security classic Hacking Exposed–currently in its sixth edition. The first step to an attack is gathering details of the intended target–or footprinting.

Hacking Exposed explains that “The systematic and methodical footprinting of an organization enables attackers to create a near complete profile of an organization’s security posture.” The bottom line is that Google can use whatever operating system, Web browser, or other applications it chooses, but a professional attack will learn what those are during reconnaissance and design the attack accordingly to exploit whatever software Google is using.

I asked George Kurtz, Worldwide CTO for McAfee, his thoughts. Kurtz explains “Just moving operating systems doesn’t always mean an organization will realize greater protection against TARGETED attacks. It certainly could make a difference in reducing the amount of day to day malware that impacts a windows environment. One point that might be worth mentioning is that while targeted attacks can be launched against any OS, there is a tremendous amount of expertise gained over the past five to seven years against the Windows environment. It will take a similar maturation period to develop tools that are just as sophisticated as the Windows environment for say OS X. Things like rootkits and their associated functionality are incredibly sophisticated and relatively mature in the Windows world.”

Randy Abrams, Director of Technical Education for ESET, says “The Google response is a marketing / public relations response to attempt to show Google is doing something about security by blaming Microsoft for Google’s own patch management and security problems. What were they thinking by running an outdated version of IE 6?”

Abrams agrees “In a targeted attack, the OS is no longer a significant issue. Not only is the OS an attack vector, but installed third-party apps are another attack vector. If an attacker knows your OS and goes after an Adobe flaw, the game still ends up with you on the losing end.”

Kurtz added “Layer 8 is generally the biggest security challenge we have. The same people who fall victim to social engineering will do so via e-mail or IM, no matter what browser or OS they are using.”

ESET’s Abrams sums up with “Google would do much more to improve its security by using current versions of browsers and ensuring greater patch management practices.”

Every organization should abandon IE6 and be seriously exploring a transition from Windows XP. Each has inherent security concerns, and the combination of the two almost begs to be hacked. And, Google in particular has valid reasons to abandon Windows and Internet Explorer that go well beyond security.

But, Google needs to remember that it’s Google. It is a jackpot of sensitive data and information for a successful attacker. Google needs to understand the nature of targeted attacks and have a better security policy than simply a knee-jerk reaction to ban Microsoft software.

Source

Security bug bites 64-bit Windows 7

Thursday, May 20th, 2010

Microsoft on Tuesday warned users of a vulnerability in 64-bit versions of Windows 7 and Windows Server 2008 R2 that could expose users to malware attacks.

Exploitation of the bug in the Canonical Display Driver would most likely only cause vulnerable machines to reboot, Microsoft spokesman Jerry Bryant said in a blog post. But it could also be abused to silently install malware, although attackers would first have to bypass the memory randomization protections baked into the operating systems to prevent code execution attacks, he added.

The vulnerability stems from the Canonical Display Driver’s failure to properly parse information copied from user mode to kernel mode. Malicious hackers could exploit it by tricking a victim into viewing a booby-trapped image file on a website or in email. The driver emulates the Windows XP display driver for interactions with earlier Windows graphics engines.

Bryant said a patch would be forthcoming, but didn’t say when. In the meantime, users can prevent attacks by disabling the Windows Aero Theme. To turn it off, choose Start > Control Panel and click on Appearance and Personalization. Then click on Change the Theme. Then select one of the Basic and High Contrast Themes.

Source


How I’d Hack Your Weak Passwords

Thursday, April 29th, 2010


If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

[Table image: estimated time to generate every possible password of a given length, for lowercase-only characters versus all possible characters]

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.
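The arithmetic behind the table above, as an added example that is not part of the original article: keyspace size for each character set, and the time an exhaustive search needs at an assumed rate of one million guesses per second, which reproduces the article's 2.4 days and 2.1 centuries for 8 characters. Two assumptions are mine: that "all possible characters" means the 95 printable ASCII characters, and that guessing rate.

```python
import math
import string

# Character classes. ASSUMPTION (not stated in the article): "all possible
# characters" means the 95 printable ASCII characters, i.e. letters, digits,
# punctuation and space. With that alphabet the 8-character figures match.
LOWER = frozenset(string.ascii_lowercase)              # 26
UPPER = frozenset(string.ascii_uppercase)              # 26
DIGITS = frozenset(string.digits)                      # 10
SYMBOLS = frozenset(string.punctuation) | {" "}        # 32 + space = 33
ALL_PRINTABLE = LOWER | UPPER | DIGITS | SYMBOLS       # 95

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
ASSUMED_RATE = 1_000_000  # guesses per second; assumption that reproduces the table


def alphabet_for(password: str) -> int:
    """Smallest union of character classes containing every character of
    `password`: the alphabet size of the table row the password falls in,
    assuming the attacker already knows which classes were used (worst case)."""
    chars = set(password)
    unknown = chars - ALL_PRINTABLE
    if unknown:
        raise ValueError(f"characters outside printable ASCII: {sorted(unknown)}")
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if chars & cls)


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length


def seconds_to_exhaust(alphabet: int, length: int, rate: float = ASSUMED_RATE) -> float:
    """Time to try the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet, length) / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest unit the article's table uses."""
    units = (("centuries", 100 * SECONDS_PER_YEAR), ("years", SECONDS_PER_YEAR),
             ("days", SECONDS_PER_DAY), ("hours", 3600.0), ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def exhaustive_search_bits(password: str) -> float:
    """log2 of the keyspace a class-aware exhaustive search faces. This is an
    upper bound on strength: it ignores dictionary words, names, dates and
    letter-for-digit substitutions, which the article says are tried first."""
    return len(password) * math.log2(alphabet_for(password))


def time_table(lengths=range(4, 11), alphabets=(26, 36, 62, 95), rate=ASSUMED_RATE):
    """Rows of (length, {alphabet: human-readable time}) like the article's table."""
    return [(n, {a: describe(seconds_to_exhaust(a, n, rate)) for a in alphabets})
            for n in lengths]


if __name__ == "__main__":
    sets = (26, 36, 62, 95)
    print("length | " + " | ".join(f"{a:>3}-char set" for a in sets))
    for n, row in time_table():
        print(f"{n:>6} | " + " | ".join(f"{row[a]:>12}" for a in sets))
    # The article's illustration: eight characters drawn from lowercase only
    # versus from the full 95-character set, at one million guesses per second.
    print("8 lowercase:", describe(seconds_to_exhaust(26, 8)))   # 2.4 days
    print("8 from 95:  ", describe(seconds_to_exhaust(95, 8)))   # 2.1 centuries
    # Which table row the article's own sample passwords fall in.
    for pw in ("modeltford", "m0d3ltf0rd", "Mod3lTF0rd"):
        a = alphabet_for(pw)
        print(f"{pw!r}: alphabet {a}, {exhaustive_search_bits(pw):.1f} bits, "
              f"{describe(seconds_to_exhaust(a, len(pw)))}")
```

Note that `exhaustive_search_bits` rates "m0d3ltf0rd" as a 36-symbol search even though it is a dictionary phrase with predictable substitutions; the table's estimates hold only for passwords that are not in any wordlist.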

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link. (Ed. note: Lifehacker readers love the free, open-source KeePass for this duty, while others swear by the cross-platform, browser-based LastPass.)
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

By request I also created a short RoboForm Demonstration video. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Often times people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network — after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

Please, be safe. It’s a jungle out there.

Source

Facebook Beefs up Site Against Hackers

Wednesday, April 28th, 2010

Facebook is employing aggressive legal means in combination with technical measures in order to stop hackers from abusing its social-networking site, according to its chief security officer, Max Kelly.

The company is constantly under fire from hackers trying to spam its 400 million registered users, harvest their data or run other scams.

Facebook’s security team started off with just a few people, said Kelly, who began working at Facebook in 2005 after a stint as a computer forensic analyst for the U.S. Federal Bureau of Investigation. He gave a keynote presentation at the Black Hat security conference on Tuesday.

Now, as many as 10 percent of Facebook’s 1,200 employees are involved in security-related functions for the site, Kelly said. Its core security team consists of 20 people, a site integrity team of around 15 people and 200 others that are part of a user operations team that monitors illegal activity.

With the right data, it is relatively easy to identify where the attacks are coming from, even if a specific individual can’t be identified. If an attack is under way, it’s important to understand the person’s motivation, Kelly said.

“We diligently go after attackers on this site,” Kelly said. “We want to know what people are attacking us and why.”

Facebook has integrated its security incident response team with its law enforcement team, which allows both groups to use some of the same tools in order to respond to a security incident, Kelly said.

On the technical side, Facebook has automated systems that detect when someone is using the site in a way that is different from the normal user. Those systems can then employ countermeasures, such as limiting the number of messages a user can send, employing CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) and disabling accounts, Kelly said.

Facebook’s security team tends to worry less about vulnerabilities, focusing instead on the actual attacks, Kelly said. That allows Facebook to focus on the individuals behind the attacks and on trying to frustrate those attackers.

The site is also rewarding individuals who responsibly disclose security problems by giving them credit on its security page. “If it’s a really good hack, we’ll probably end up hiring you,” Kelly said.

Facebook has pursued a variety of criminal and civil penalties against those who abuse the site, using laws such as the U.S. CAN-SPAM act, which levies penalties of as much as $100 per spam message, Kelly said. Facebook has “dozens” of lawsuits in the works, he said.

The company has had some notable successes with this strategy.

In November 2008, it was awarded one of the largest judgments ever, winning statutory damages of US$1.3 billion (later reduced to $873 million). That suit charged Adam Guerbuez of Canada, Atlantis Blue Capital and 25 other unnamed people for falsely obtaining login information for Facebook users and then sending spam to those users’ friends. Although the individuals charged are in Canada, Facebook could still pursue the money. Even if it doesn’t, the judgement still has an impact, Kelly said.

“It means that any asset that goes through the United States, we have a claim,” Kelly said. “It makes the cost of doing business in the U.S. much more prohibitive.”

Source

Good Guys Bring Down the Mega-D Botnet

Wednesday, January 6th, 2010

For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients’ networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from defense to offense. And Mega-D–a powerful, resilient botnet that had forced 250,000 PCs to do its bidding–went down.

Targeting Controllers

Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure. A botnet’s first wave of attack uses e-mail attachments, Web-based offensives, and other distribution methods to infect huge numbers of PCs with malicious bot programs.

The bots receive marching orders from online command and control (C&C) servers, but those servers are the botnet’s Achilles’ heel: Isolate them, and the undirected bots will sit idle. Mega-D’s controllers used a far-flung array of C&C servers, however, and every bot in its army had been assigned a list of additional destinations to try if it couldn’t reach its primary command server. So taking down Mega-D would require a carefully coordinated attack.

Synchronized Assault

Mushtaq’s team first contacted Internet service providers that unwittingly hosted Mega-D control servers; his research showed that most of the servers were based in the United States, with one in Turkey and another in Israel.

The FireEye group received positive responses except from the overseas ISPs. The domestic C&C servers went down.

Next, Mushtaq and company contacted domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to nowhere. By cutting off the botnet’s pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down.

Finally, FireEye and the registrars worked to claim spare domain names that Mega-D’s controllers listed in the bots’ programming. The controllers intended to register and use one or more of the spare domains if the existing domains went down–so FireEye picked them up and pointed them to “sinkholes” (servers it had set up to sit quietly and log efforts by Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.

Down Goes Mega-D

MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had “consistently been in the top 10 spam bots” for the previous year (find.pcworld.com/64165). The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw.

Three days later, FireEye’s action had reduced Mega-D’s market share of Internet spam to less than 0.1 percent, MessageLabs says.

FireEye plans to hand off the anti-Mega-D effort to ShadowServer.org, a volunteer group that will track the IP addresses of infected machines and contact affected ISPs and businesses. Business network or ISP administrators can register for the free notification service.

Continuing the Battle

Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. But other botnets continue to thrive.

“FireEye did have a major victory,” says Joe Stewart, director of malware research with SecureWorks. “The question is, will it have a long-term impact?”

Like FireEye, Stewart’s security company protects client networks from botnets and other threats; and like Mushtaq, Stewart has spent years combating criminal enterprises. In 2009, Stewart outlined a proposal to create volunteer groups dedicated to making botnets unprofitable to run. But few security professionals could commit to such a time-consuming volunteer activity.

“It takes time and resources and money to do this day after day,” Stewart says. Other, under-the-radar strikes at various botnets and criminal organizations have occurred, he says, but these laudable efforts are “not going to stop the business model of the spammer.”

Mushtaq, Stewart, and other security pros agree that federal law enforcement needs to step in with full-time coordination efforts. According to Stewart, regulators haven’t begun drawing up serious plans to make that happen, but Mushtaq says that FireEye is sharing its method with domestic and international law enforcement, and he’s hopeful.

Until that happens, “we’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”

Source