French gaming site serving ZeuS crimeware for over 8 weeks

Summary: According to researchers from Avast, the highly trafficked Assassinscreedfrance.fr web site has been serving ZeuS crimeware variants to its visitors for over 8 weeks.

Cybercriminals are constantly scanning the Web for exploitable and misconfigured web applications, including blogging platforms such as WordPress.

Not surprisingly, hundreds of thousands of legitimate web sites remain susceptible to remote exploitation, and in most cases the compromised sites end up serving malicious content to unsuspecting home and corporate users.

According to researchers from Avast, the highly trafficked Assassinscreedfrance.fr web site has been serving ZeuS crimeware variants to its visitors for over 8 weeks. Moreover, the researchers point out that the web site is among the 1,841 legitimate web sites still serving the same crimeware variant.

The web site currently returns the error message “Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /homepages/23/d207590046/htdocs/wp-content/plugins/countdown-timer/fergcorp_countdownTimer.php on line 1050”.

How did the attackers obtain access to the affected gaming web site? By exploiting the outdated WordPress version running on the domain. Avast also confirms that, based on an analysis of 6,000 affected .com web sites, a large percentage of them are susceptible to exploitation through outdated and vulnerable WordPress plugins.

Users are advised to watch for newer versions of the popular blogging platform, and for new versions of the WordPress plugins currently in use on their web sites.
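The advice above comes down to knowing which plugins a site runs and which versions are installed. The following script is an added example (it is not from the article, from Avast, or from WordPress itself): it parses the standard WordPress plugin header block (the "Plugin Name:" and "Version:" lines in each plugin's main PHP file, read from the first 8 KiB as WordPress does) and compares the result against a table of latest known versions. The sample plugin files, their version numbers and the "latest versions" table are constructed for the demonstration; in practice the table would be filled from the WordPress.org plugin directory or the plugin vendors.

```python
"""Inventory the plugins under a WordPress wp-content/plugins directory and
flag the ones that are behind a known latest version.

Added example, not code from the article or from WordPress. The sample plugin
tree and LATEST_VERSIONS table are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# Matches header lines such as "Plugin Name: Foo" or " * Version: 1.2" (docblock style).
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> dict:
    """Return {'name': ..., 'version': ...} from a plugin's header comment, or {} if
    the file declares no 'Plugin Name'. Only the first 8 KiB is inspected, which is
    the same window WordPress uses when it reads plugin headers."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key, value)  # first occurrence wins
    if "Plugin Name" not in fields:
        return {}
    return {"name": fields["Plugin Name"], "version": fields.get("Version", "")}


def version_key(version: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1); non-numeric pieces count as 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_outdated(installed: str, latest: str) -> bool:
    """True when installed < latest; '1.2' and '1.2.0' are treated as equal."""
    a, b = version_key(installed), version_key(latest)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def inventory_plugins(plugins_dir: Path) -> dict:
    """Map each plugin directory name (slug) to the header of its main PHP file."""
    found = {}
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in sorted(plugin_dir.glob("*.php")):
            header = parse_plugin_header(php.read_text(errors="replace"))
            if header:
                found[plugin_dir.name] = header
                break
    return found


def outdated_plugins(inventory: dict, latest_versions: dict) -> list:
    """Return (slug, installed, latest) for every plugin behind its known latest
    version. A plugin with no entry in latest_versions is reported with latest=None
    so that it gets a manual look instead of silently passing."""
    report = []
    for slug, header in inventory.items():
        latest = latest_versions.get(slug)
        if latest is None or is_outdated(header["version"], latest):
            report.append((slug, header["version"], latest))
    return report


# Constructed sample plugin tree: the slug 'countdown-timer' comes from the path in
# the article's error message; file names and version numbers are made up.
SAMPLE_PLUGINS = {
    "countdown-timer/countdown-timer.php": "<?php\n/*\nPlugin Name: Countdown Timer\nVersion: 2.3.1\n*/\n",
    "example-seo/example-seo.php": "<?php\n/**\n * Plugin Name: Example SEO\n * Version: 4.0\n */\n",
    "legacy-widget/legacy-widget.php": "<?php\n/*\nPlugin Name: Legacy Widget\nVersion: 0.9\n*/\n",
    "index.php": "<?php\n// Silence is golden.\n",
}
# Constructed "latest known version" table; 'legacy-widget' is deliberately absent.
LATEST_VERSIONS = {"countdown-timer": "2.4", "example-seo": "4.0"}


def build_demo_tree(root: Path) -> Path:
    """Write the constructed sample plugins under root/wp-content/plugins."""
    plugins = root / "wp-content" / "plugins"
    for rel, source in SAMPLE_PLUGINS.items():
        target = plugins / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(source)
    return plugins


def run_demo() -> list:
    """Build the sample tree in a temp dir and return the outdated-plugin report."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = build_demo_tree(Path(tmp))
        return outdated_plugins(inventory_plugins(plugins), LATEST_VERSIONS)


if __name__ == "__main__":
    for slug, installed, latest in run_demo():
        status = "not in version table" if latest is None else f"latest is {latest}"
        print(f"{slug}: installed {installed}, {status}")
```

Run against a real site by calling `inventory_plugins(Path("/path/to/wp-content/plugins"))` with a version table you maintain; plugins that parse but are missing from the table are surfaced on purpose, since an unknown plugin is exactly the one nobody is keeping current.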





Password Safe Project

Password Safe

The security of Twofish in a password database

Many computer users today have to keep track of dozens of passwords: for network accounts, online services, premium web sites. Some write their passwords on a piece of paper, leaving their accounts vulnerable to thieves or in-house snoops. Others choose the same password for different applications, which makes life easy for intruders of all kinds.

With Password Safe, a free Windows utility designed by Bruce Schneier, users can keep their passwords securely encrypted on their computers. A single Safe Combination–just one thing to remember–unlocks them all.

Password Safe protects passwords with the Twofish encryption algorithm, a fast, free alternative to DES. The program’s security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Twofish algorithm.

Password Safe features a simple, intuitive interface that lets users set up their password database in minutes. You can copy a password just by double-clicking, and paste it directly into your application. Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.

See the Twofish page for more information on the Twofish algorithm, including links to other products that use Twofish.

PC World Review
PC World Blog Review
The Security Pub Review
Nomad Mobile Research Center Review of Password Safe 1.7
PC Magazine Editors’ Choice


Password Safe is now an open source project. The current version as of June 30, 2011 is 3.26. To download it, or for technical support, please visit its Sourceforge page.



Paper: Risk and Trust

I’ve just released a new white paper, “Risk and Trust”. I wanted to put the ongoing discussions about RBAC vs. ABAC and authentication in the context of the bigger picture of data clouds, push vs. pull and programmable internet applications, all of which, I propose, require an enterprise risk and trust assessment framework.

The paper is available at http://www.authenticationworld.com/Risk%20and%20Trust.pdf


12 Character passwords

I recently replied to a post on a LinkedIn discussion group asking whether 12-character passwords are required. All the talk about password lengths really makes me chuckle. Obtaining passwords, short or long, is so very easy using social engineering that it negates the use of a password with special characters and X length. When I go onto client sites, one of the first things I do is look under keyboards, behind the screens, etc., where I usually find the password written down.

About 60 years ago, the military realized that the sounds from keyboards, as well as screen emissions, could be analyzed to determine what was being typed. Today, in many non-military enterprises, the easiest way to obtain passwords is to pay a janitor to install a keyboard logger on key people’s computers. It only takes 10 seconds or so to install.

My bottom line is that authentication should be based on risk. The use of uids and passwords is the weakest form of authentication, for all the reasons mentioned above. Therefore, uids and passwords should only be used for systems and applications where the risk is low. Stronger forms of authentication should be used for higher risks.

However, before we leap to discussing stronger forms of authentication, we should perform an enterprise risk analysis for all physical and logical assets. This is the starting point for any discussion about authentication, not the individual authentication method. Most enterprises I have been in don’t have this done. They also usually don’t have an authentication risk chart assigning values to the forms of authentication, from the weakest to the strongest.

Once you have the risk assessment and the authentication risk chart, it’s time to meet with the business owners and discuss ease of use versus security. For example, a trading desk application that can make trades of hundreds of millions of dollars is a critical risk. However, the business owner will not want excessive security for authentication, since time is of the essence, and will opt for what appears to be a low form of authentication security. In these situations, other physical security, business processes and applications that monitor to whom the trades are made, their values, etc., are then put in place to compensate.

I pity the poor user who has 12-character passwords to remember (with upper case, lower case and special characters) that change every 60-90 days. They will end up writing them down to remember them, and thus eliminate whatever security the security administrator was counting on to stop others from “cracking” the code.


Identity for the unwashed

Sitting here at this year’s Burton Catalyst conference, I am very excited about the future of identity management. This blog will focus on identity management becoming adopted by the millions of small and medium businesses around the planet…without them knowing about it!

Here at Catalyst I sit surrounded by identity management gurus and the faithful. However, if you stand back and look at who attends this conference every year, it’s what I call the Fortune 1000-2000 crowd. The attendees are focused on implementing identity management for large enterprises. The vendors are equally focused on doing the same. But I can smell change in the air.

Millions of small and medium businesses don’t even know the words identity management, nor would they care to. Their interest is in producing goods and services that earn them their incomes. So how will they adopt identity management?

Sitting here listening to the cloud computing presentations, I think that most folks are missing the true revolution of cloud computing. It isn’t the Fortune 2000 who are going to become the biggest adopters quickly…it will be the small businesses.

Most enterprises have 1-100 employees. Most don’t have IT folks, and if they do, they surely aren’t trained in identity management.

I believe that most of these enterprises will quickly embrace cloud computing because it offloads the complexity of IT onto others who can manage it for them. Take, for example, my friend Derek Small’s company, Nulli Secundus.

Nulli is one of the planet’s pre-eminent identity management consulting companies. With a staff under 50, they are a small boutique business filled with “geeks”, or what I jokingly tell Derek is his company of “plumbers”. However, over the last two years, Derek has moved most of his company’s IT functions into the cloud. It cuts their costs, simplifies their infrastructure requirements and is reachable from anywhere on the planet where they are working.

Derek’s company is doing what most other small companies are going to do. They will use software-as-a-service models, with payroll, email, “office suite”, accounting, marketing and, over time, manufacturing software being run from the cloud. These businesses don’t have the “deep roots” challenges that this morning’s opening presentation on cloud described when elucidating the problems large IT departments would face in migrating their functions to the cloud.

Small businesses will see, exactly as Derek’s company did, the business opportunities of using cloud and software as a service and very quickly port over.

When this happens, it opens up all sorts of new ways of doing things for the business. I predict that banks, telcos and payroll companies will quickly begin to maneuver to become the trusted identity hub for these small and medium businesses. They will use tools like virtual directories to take the identity information from the payroll system and then be able to provide authentication and federation services for the small businesses.

Companies like Ping Identity and Fugen are poised for rapid growth, in my opinion. Why?

Ping just announced a partnership with Google. Its Ping Connect product enables enterprises to quickly build connectors and conduct federation. Their product fits well with my vision of small businesses quickly federating.

Fugen is a company that I will describe in my next blog. They are key to the ability to create “federation factories” focusing on the business processes and tools required.

I predict that over the next two to three years, hundreds of thousands, even millions, of small businesses will begin to use identity management without knowing it. They will authenticate, be provisioned and deprovisioned, and federate as required…all done as a service and not broken out as stand-alone products.

It’s the beginning of identity for the unwashed. Let the revolution begin!


What happened to my biometric?

Over the past two years, there has been a significant increase in the use of biometrics for authentication. It is becoming more commonly used to purchase groceries, to gain access to physical premises, to pass through passport control and to log on to computers. There are some dangers with this trend, and that’s what this blog discusses.

First of all, a biometric is no secret. It’s a piece of who you are. Therefore, the use of biometrics to authenticate an identity poses a risk to the identity if their biometric is stolen. What are you going to do if your digital finger scans or prints are stolen? Relying solely on a biometric for authentication is therefore not recommended, especially in instances where the identity is in one physical place and digitally logging on to access something that is held elsewhere.

There is also the issue of privacy. Let’s say that the enterprise you work for uses a fingerscan to gain access to certain facility areas of the enterprise. You leave the enterprise. What current legal requirements are there on the enterprise to remove the digital fingerscan registration from their databases? In most countries currently: none. What happens to the identity when the database is broken into in the future and the data is compromised? Will the identity even be notified that the database has been compromised? In most cases currently, no.

I think that technology is moving far ahead of our current state, national and international laws. Identities need to know that when they give up a portion of who they are to authenticate, they can be sure that the identity data will not be misused, and that when they terminate the relationship or tell a commercial user to stop using their biometric (for a grocery store checkout, say), it will be deleted.