Check If Your cPanel/WHM Server Is Vulnerable Over SSL V2 or V3

Here is a quick script for you to check if your cPanel/WHM server is vulnerable. Execute the following as root. If you get ANY cipher output, your server can be considered vulnerable. Replace the XXX.XXX.XXX.XXX with your server’s IP Address. Run this in Terminal as root. If there is no output, your SSL versions are securely disabled.

for port in 21 443 465 993 995 2083 2087 2078 2096; do echo “Scanning $port”; for cipher in $(openssl ciphers -sslv3 ‘ALL:eNULL’ | sed -e ‘s/:/ /g’); do echo -n | openssl s_client -sslv3 -cipher “$cipher” -connect$port 2>&1 | grep -i “Cipher is”; done; done

Best Practices for Dealing with Targeted Attacks

Our friend Eugene Shultz, CISM, CISSP at Emagined Security is speaking and we recommend our security friends, partners, and clients to attend.

Date: 2 November 2010, 3pm GMT
Duration: 1 hours

As malware proliferation continues, so do the instances of organised attacks, such as the recent Stuxnet threat against industrial control systems.

The criminal intent on display is just one example of many instances that continue to impact enterprises, but go unreported by the media.

Join our panel of security experts for what promises to be an entertaining and fascinating insight into the world of advanced targeted attacks, where we aim to provide answers to the following questions: Continue reading

Computing with Secrets, but Keeping them Safe

A cryptographic method could see cloud services work with sensitive data without ever decrypting it.
By Tom Simonite

A novel technique could see future Web services work with sensitive data without ever being able to read it. Several implementations of a mathematical proof unveiled just last year will allow cryptographers to start making the proposal more practical.

In 2009 Craig Gentry of IBM published a cryptographic proof that was that rare thing: a true breakthrough. He showed that it was possible to add and multiply encrypted data to produce a result that–when decrypted–reveals the result of performing the same operations on the original, unencrypted data. It’s like being able to answer a question without knowing what the question is. Continue reading

Security Breach Exposes 114,000 iPad Owners

An AT&T security breach has exposed the email addresses of thousands of elite iPad customers including the White Chief of Staff.

According to ValleyWag, the breach, which comes just weeks after an Apple employee lost an iPhone prototype in a bar, exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel’s information was compromised. Continue reading

Large-scale attack on WordPress

According to various reports, in the past few days a number of websites created using WordPress have been hacked. While the attack initially appeared to be limited to web sites hosted by American ISP DreamHost, it has since become apparent that blogs hosted at GoDaddy, Bluehost and Media Temple have also been affected. Unconfirmed reports by WPSecurityLock suggest that other PHP-based management systems, such as the Zen Cart eCommerce solution, have also been targeted. Continue reading

New attack today against WordPress

Update 2: Simple clean up solution:

Update 1: Note that we are not blaming WordPress here. I am assuming that if the problem was on WordPress itself, the number of infected sites would be much much bigger. Maybe a plugin is vulnerable or someone stole lots of passwords. Also, all the hacked sites were on shared hosts, no one so far on a private server.

We are seeing multiple reports today of WordPress sites (running their latest version) getting compromised. The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media temple and other places. Continue reading

Top Ten Most Critical Web Application Security Vulnerabilities

Web application security is often viewed incorrectly as a set of server and host-based security issues, rather than code-level and configuration-based security vulnerabilities. Although servers and hosts may still be the cause for exploitations, it is critical that security professionals recognize the major impact of poorly written web applications as well as how their applications and servers are configured separately and in combination. The Internet is increasingly responsible for handling and storing information and files of a sensitive nature requiring security and protection. Keeping hackers at bay and assuring the privacy of private and proprietary documents is paramount. Below are the top ten security vulnerabilities and how Security Programmers mediate these to prevent exploitation.

Security Web Programmers are often not given the clout nor the attention they deserve. Security programmers apply a much higher degree of attention, detail, and time to programming. Secure software may require more time and money than insecure software. A comparison must be made between the cost of securing web applications, and an insecure web application bringing the business down or releasing sensitive information to potentially nefarious hackers. Continue reading

How to Protect Your Funds Online

By Craig Priess
March 8, 2010 11:34 AM ET
CSO –  The rise in popularity and the pervasive nature of online banking over the last decade have been meteoric. The power of convenience has largely trumped customer fears about security, but there are signs that the tide may be turning. Perhaps exacerbated by the global recession and shocks to the financial markets, cybercriminals have been targeting business bank accounts at increasing frequencies over the last year, catapulting the conversation about online banking security into corporate realms. With cybercriminals readjusting their focus from individual to much more lucrative business accounts, this disturbing trend is now getting the attention of authorities such as the FBI, FDIC, and Department of Homeland Security, and has been described by many as a leading cybercriminal trend for 2010.
Also see Cyber Attackers Empty Business Accounts in Minutes with ACH Fraud
Particularly because employers are increasingly liable for these incidents, with Regulation E of the Federal Electronic Funds Transfer Act not protecting business accounts as it does for individuals, businesses must reexamine their online business banking practices to proactively protect themselves from such attacks and the associated potential monetary losses. Banks, too, must amplify their security practices to combat the tactics cybercriminals are now using to perpetrate this type of fraud.
Business Banking Attacks on the Rise
Consider that in a single month this past August, no less than the FDIC, NACHA (the Electronic Payments Association), the Financial Services Information Sharing and Analysis Center (FS-ISAC) and IT advisory firm Gartner Inc. all published alerts about rising Internet threats to business banking.
The following month, the Senate Committee on Homeland Security and Governmental Affairs held a special hearing to discuss cybercriminals targeting small- and medium- sized businesses. New protective cybersecurity legislation has been introduced, co-sponsored by Committee Chairman Joe Lieberman (ID-Connecticut) and Ranking Member Susan Collins (R-Maine). Reports of victimized businesses continue to inundate the media into 2010, with several companies even suing their banks.
The losses are substantial. The Washington Post reported that recent victims include a school district near Pittsburgh that lost $700,000 and an electronics testing firm in Baton Rouge that lost $100,000. One of Guardian Analytics’ customers recently intercepted an attempted ACH transfer of $800,000 for a business banking customer in a scheme involving more than 80 smaller transactions arranged to be sent to unwitting mules. For many small- to medium-sized businesses, these types of losses are catastrophic and can potentially mark the beginning of the end if banks refuse to reimburse them.
Cyberfraud Schemes Becoming Highly Sophisticated
Cybercriminal activity is constantly evolving to capitalize on new profit streams. In the case of business banking, by stealing in amounts under $10,000 from business accounts, online fraudsters have managed to avoid triggering traditional fraud alerts. The malware used to initially gain access to accounts is often so well written that the connection comes from an authorized and authenticated computer—a legitimate computer and session that has been hijacked—circumventing even token-based authentication. The money is then transferred to “money mules,” often recruited over Internet job boards, who unwittingly help fraudsters all the while they work for a legitimate company.
The use of electronic funds transfers—such as the increasing volume of automated clearing house (ACH) transactions for corporate payments—is making this channel a particularly attractive target for fraud. Historically low-risk, the ACH network has recently expanded to include more participants and new types of non-recurring payments such as web-initiated ACH files. Over the past year, the FDIC has reported an increase in the number of reports and the amount of losses resulting from unauthorized transfers from business customers whose online business banking software credentials were compromised. A J.P. Morgan study found that 71 percent of financial institutions experienced attempted or actual payments fraud in 2008. This number jumps to 80 percent for firms with revenues more than $1B.
Corporate account takeovers employing ACH fraud are becoming more prevalent. Criminals are targeting corporate cash management accounts and moving money out via seemingly innocent consumer accounts. The crook starts by stealing user IDs and passwords of cash management account owners, and by signing up random consumers via phishing attacks. The offer asks them to accept money into their accounts and then transfer it to the criminal’s offshore account while retaining a five percent commission. Clever social-engineering techniques in their phishing e-mails get consumers to sign up. After the groundwork has been laid, the crook simply goes into the corporate cash management account and transfers funds, using ACH fund transfer facilities, out of the corporate account to the phished consumer accounts. The victimized commercial banks generally fail to recover the stolen funds.
Taking Action: Preventing Business Banking Fraud
Given the rise in recent rise in these targeted attacks against businesses, security officers should be anxious but educated, taking steps to prevent the potential significant losses. Here are some practical tips to protect your company from online business banking fraud:
Choose a bank with proactive fraud prevention technologies. Ask your bank if they have a fraud monitoring system in place to proactively detect suspicious online account activity, how they respond to alerts and how quickly. Despite increased regulation, many financial institutions still have not implemented the latest technologies beyond user authentication that are necessary to fight today’s sophisticated threats. Your bank’s online account platform is only as secure as the technology behind it.
Educate your financial managers on the risks and threats. Forward the latest advisories from your bank or regulators, such as the FDIC, to whoever manages your online business accounts, perhaps even to the entire finance department as well as heavy online users such as the CEO. Distribute the latest cyber attack reports to the entire IT group so more stakeholders can become educated about cybercrime and its methods.
Isolate your Internet banking activities. Dedicate specific machines or facilities to hosting your Internet banking activities, and harden their defenses to external attack. Don’t transact financial business on machines hosting non-transactional systems or applications, such as Web browsing, since this continual exposure to the public Internet creates another potential weak link in your layered security effort.
Understand your bank’s fraud loss policy and procedures. If your business becomes the victim of online banking fraud, you have fewer rights than you do as an individual consumer. Ask your bank what their policies are on protecting business accounts, investigating possible fraud incidents, assigning fault in a claim and making your accounts whole. Better to understand your risk exposure and have a plan of attack before entering any dispute with your bank.
Monitor for irregularities and missing funds. It is imperative for any business to always be on the lookout for abnormalities. Many banks offer transaction alerts so customers can be automatically and instantly notified of important account activity. One is called a “debit block”, used to stop any transactions from going through except those that are preauthorized. Ask your bank about such services, and sign up for them.
Re-examine your anti-malware software and firewalls. Keeping your network’s anti-malware and firewalls updated, particularly in the Finance Department, is Job No. 1 for security pros. Falling behind on updates and patches could jeopardize your business’s entire financial health. In the event of a breach, your bank will automatically assume that your machines have been compromised. Be ready to prove them wrong.
Banks should be taking the recent attacks seriously. If you work at a financial institution, here are some recommendations for what you should be doing to protect both yourself and your customers:
Assume that customer machines have been compromised and react accordingly. Forward-looking banks already do this by implementing sophisticated back-end fraud prevention solutions that go beyond multi-factor authentication and look for anomalies in individual customer behavior to reveal account compromises. Fraud attempts will happen, so you have to think proactively.
Strengthen your online fraud defenses. Would your current fraud system recognize online fraud like the ones detailed above? If not, it’s time to strengthen your security defenses. Security should be commensurate to the risks, which is the essence of the FFIEC authentication guidance of 2005.
Review customer policies. Revisit terms of use for ACH transactions in to ensure bank and customer obligations are clear and consistent with security policies as well as legal and regulatory requirements.
Educate management and employees on the threat. Distribute the latest fraud attack reports cross-functionally beyond the fraud team, so more stakeholders can become educated about questionable transactions as well as understand the risks to the institution should a business customer fall victim.
Be proactive. Don’t let your institution get unexpectedly tangled in lawsuits. Meet with legal counsel to discuss procedures following a business banking fraud discovery. Know your rights should a customer ever decide to sue. At best, avoid losing lucrative customers by assuring them that you have the most effective fraud prevention solutions in place.
Educate customers on the threat. Initiate programs to educate financial managers within small business customer organizations—forwarding the latest fraud advisories and stressing distribution to heavy online users such as the CEO, CFO and accounting. Aim to increase general customer awareness of optional security features of your online banking platform such as dual control of transfers, and advocate use of the latest anti-malware software and security firewalls.
Craig Priess is founder and VP of Products and Business Development at Guardian Analytics.
CSO –  The rise in popularity and the pervasive nature of online banking over the last decade have been meteoric. The power of convenience has largely trumped customer fears about security, but there are signs that the tide may be turning. Perhaps exacerbated by the global recession and shocks to the financial markets, cybercriminals have been targeting business bank accounts at increasing frequencies over the last year, catapulting the conversation about online banking security into corporate realms. With cybercriminals readjusting their focus from individual to much more lucrative business accounts, this disturbing trend is now getting the attention of authorities such as the FBI, FDIC, and Department of Homeland Security, and has been described by many as a leading cybercriminal trend for 2010. Continue reading