|
|
|
Finding The Right Business Management Software
There are several things to consider when looking for a good business management software title, such as the classification of the software, the system it is going to be used in, the platform and the way the workflow is organized. The classification...
Has Hotmail Frozen?
Has Hotmail Frozen? Hotmail has descended slowly, without note, into a state of completely unuseability. The problems are with accessing messages, sending emails, and the dreaded blue screen of email death: "The Server Is Too Busy". Hey Gates, I...
New Trojan Horse Threatens Latest Windows XP
Computers running MicrosoftRelevant Products/Services from Microsoft Windows XP Latest News about Windows XP can be infected by a new Trojan horse program remotely controlled in a victim's system, even after it is patched with Microsoft's latest...
Software For Hard Jobs: Contractors Have Some Powerful Tools In Today's Software
Like a kid jumping into the pool feet first, the building industry has rapidly gone from lagging to leading in the use of computers. A mere 10 years agone, the world was fair acquiring secondhand to Windows 95. And although some progressive...
We'll Just Rule the World Now, OK?
One has to wonder if the corporate directive at Microsoft is as blatant as it seems from the outside. What is it that makes them behave as if monopolistic bullying is an inherent right for the biggest, baddest damned behemoth ever to roam the face...
|
|
| |
|
|
|
|
|
|
Phishing: An Interesting Twist On A Common Scam
You may reprint or publish this article free of charge as
long as the bylines are included.
Original URL (The Web version of the article)
------------
href="http://www.defendingthenet.com/newsletters/Phishing-A
nInterestingTwistToACommonScam.htm" target=_blank>
Phishing: An Interesting Twist On A Common Scam
Title
-----
Phishing: An Interesting Twist On A Common Scam
After Two Security Assessments I Must Be Secure, Right?
-----------------------------------------------
Imagine you are the CIO of a national financial institution
and you've recently deployed a state of the art online
transaction service for your customers. To make sure your
company's network perimeter is secure, you executed two
external security assessments and penetration tests. When
the final report came in, your company was given a clean
bill of health. At first, you felt relieved, and confident
in your security measures. Shortly thereafter, your relief
turned to concern. "Is it really possible that we are
completely secure?" Given you're skepticism, you decide to
get one more opinion.
The day of the penetration test report delivery is now at
hand. Based on the previous assessments, you expect to
receive nothing but positive information......
The Results Were Less Than Pleasing
--------------------------------------
During this penetration test, there were several interesting
findings, but we are going to focus on one that would knock
the wind out of anyone responsible for the security of
online systems. Particularly if you are in the business of
money.
Most people are familiar with the term "Phishing".
Dictionary.com defines the word Phishing as "the practice of
luring unsuspecting Internet users to a fake Web site by
using authentic-looking email with the real organization's
logo, in an attempt to steal passwords, financial or
personal information, or introduce a virus attack; the
creation of a Web site replica for fooling unsuspecting
Internet users into submitting personal or financial
information or passwords". Although SPAM / unsolicited
e-mail and direct web server compromise are the most common
methods of Phishing. There are other ways to accomplish this
fraudulent activity.
Internet Router Compromise Makes For A Bad Day
In this case, the Internet router was compromised by using a
well-known CISCO vulnerability. Once this was accomplished,
the sky was the limit as far as what could be done to impact
the organization. Even though the company's web server was
secure, and the Firewall that was protecting the web server
was configured adequately, what took place next made these
defense systems irrelevant.
Instead of setting up a duplicate login site on an external
system, then sending out SPAM in order to entice a customer
to give up their user ID, password, and account numbers,
another approach, a much more nefarious approach was taken.
Phishing For Personal Or Financial Information
----------------------------------------------
You remember that router that was compromised? For proof of
concept purposes, the router configuration was altered to
forward all Internet traffic bound for the legitimate web
server, to another web server where user ID, password, and
account information could be collected. The first time this
information was entered, the customer would receive an
ambiguous error. The second time the page loaded, the fake
web server redirected the customer to the real site. When
the user re-entered the requested information, everything
worked just fine.
No one, not the customer, nor the company had any idea that
something nefarious was going on. No bells or whistle went
off, no one questioned the error. Why would they, they could
have put the wrong password in, or it was likely a typical
error on a web page that everyone deals with from time to
time.
At this point, you can let your imagination take over. The
attacker may not move forward and use the information
collected right away. It could be days or weeks before it is
used. Any trace of what actually took place to collect the
information would most likely be history.
What Do You Really Get Out Of Security Assessments
----------------
I can't tell you how many times I've been presented with
security assessment reports that are pretty much information
output from an off-the-shelf or open source automated
security analyzer. Although an attacker may use the same or
similar tools during an attack, they do not solely rely on
this information to reach their goal. An effective
penetration test or security assessment must be performed by
someone who understands not only "security vulnerabilities"
and how to run off-the-shelf tools. The person executing the
assessment must do so armed with the tools and experience
that meets or exceeds those a potential attacker would have.
Conclusion
----------
Whether you are a small, medium, are large company, you must
be very careful about who you decide is most qualified to
perform a review of your company's security defense systems,
or security profile. Just because an organization presents
you with credentials, such as consultants with their
CISSP....., it does not mean these people have any
real-world experience. All the certifications in the world
cannot assure you the results you receive from engaging in a
security assessment are thorough / complete. Getting a
second opinion is appropriate given what may be at stake. If
you were not feeling well, and knew that something was wrong
with you, would you settle for just one Doctor's opinion?
Quite frankly, I've never met a hacker (I know I will get
slammed for using this term, I always do), that has a
certification stating that they know what they are doing.
They know what they are doing because they've done it, over
and over again, and have a complete understanding of network
systems and software. On top of that, the one thing they
have that no class or certification can teach you is,
imagination.
About the Author
About The Author
----------------
Darren Miller is an Information Security Consultant with
over sixteen years experience. He has written many
technology & security articles, some of which have been
published in nationally circulated magazines & periodicals. If you would like to know
more about computer security please visitus at
http://www.defendingthenet.com.
|
|
|
|
|
| Tucows Downloads - Download Freeware and Shareware Software |
| Download freeware, shareware, and demos. Maintains over 45000 software titles that are tested, rated, reviewed and ready to download. |
| www.tucows.com |
|
| Free Software Downloads and Software Reviews - Download.com |
| Download shareware, freeware and Demo software for PC, Mac, Linux, and Handhelds categorized into categories, plus software reviews. |
| www.download.com |
|
| Computer software - Wikipedia, the free encyclopedia |
| This includes application software such as a word processor, which enables a ... Application software is often purchased separately from computer hardware. ... |
| en.wikipedia.org |
|
| Shareware.com - Search for shareware programs and free software ... |
| Search for shareware programs from more than a dozen downloadable software directories. |
| www.shareware.com |
|
| Jumbo: Free & Shareware MP3 files, Games, Screen Savers & Computer ... |
| Source of free and shareware computer programs and utilities for PC and Mac. Evaluate software and read product reviews. Download games and screen savers. |
| www.jumbo.com |
|
| Computer Software in the Yahoo! Directory |
| Browse categories featuring sites devoted to computer software, including shareware and freeware download sites, operating systems, desktop customization, ... |
| dir.yahoo.com |
|
| IEEE Software |
| IEEE Computer Society's magazine covering all aspects of software, including software engineering. |
| www.computer.org |
|
| Free Downloads on ZDNet | Shareware, Trialware, Evaluation Software |
| ZDNet's Software Directory is the Web's largest library of software downloads. Covering software for Windows, Mac, and Mobile systems, ZDNet's Software ... |
| downloads.zdnet.com |
|
| FSF - The Free Software Foundation |
| Free software is a matter of liberty not price. Think of "free" as in "free speech". |
| www.fsf.org |
|
| Apple - Software |
| Software products for your digital life. ... The perfect addition for professional review. QuickTime Broadcaster. Encoding software for live events. ... |
| www.apple.com |
|
| Open Directory - Computers: Software |
| In Partnership with AOL Search. about dmoz | report abuse/spam | help. the entire directory, only in Computers/Software. Top: Computers: Software (38471) ... |
| dmoz.org |
|
| freshmeat.net: Welcome to freshmeat.net |
| About: The Web browser is probably the most frequently used software today, ... Web professionals can use the software for functional testing and regression ... |
| freshmeat.net |
|
| Software - GNU Project - Free Software Foundation (FSF) |
| Listing of the GNU software packages. |
| www.gnu.org |
|
| Sun Software |
| Get enterprise-class software--Solaris 10 OS, the Java Enterprise System, ... Sun Java StorageTek Software reduces cost and complexity with a single, ... |
| www.sun.com |
|
| Internet Real Estate.com -- owns and operates a portfolio of the ... |
| SOFTWARE.COM · SWEEPSTAKES.COM · PHONE.COM PODCAST.COM ... Software.com | Sweepstakes.com | Phone.com | Podcast.com | Shop.com | Safety.com ... |
| www.internetrealestate.com |
|
| Joel on Software |
| A weblog by Joel Spolsky, a programmer working in New York City, about software and software companies. |
| www.joelonsoftware.com |
|
| Amazon.com Software: Computer & video games, business, accounting ... |
| Online shopping for computer & video games, business & office productivity software, software from Microsoft, Apple, Adobe & more; accounting, antivirus, ... |
| www.amazon.com |
|
| IBM Software - Home Page |
| IBM home page for all of its software products, including Lotus and Tivoli, with keyword search, category browse and AZ product names. |
| www.ibm.com |
|
| Opera web browser: Homepage |
| Copyright © 2006 Opera Software ASA. All rights reserved. Skip navigation. Opera Software ... Copyright Opera Software ASA . All rights reserved. ... |
| www.opera.com |
|
| Google Directory - Computers > Software |
| Search only in Software Search the Web ... Software Categorized by Letter: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z ... |
| www.google.com |
|
|