Security Matters Newsletter - November 2005
Key clicks betray passwords, typed text
Eavesdroppers armed with a shotgun microphone or a small recording device could make off with a computer user's sensitive documents and data, three university researchers said in a paper released this week.
The researchers, from the University of California at Berkeley, found that a 10-minute recording of a person typing at the keyboard reveals enough information for a computer analysis to recover nearly 90 per cent of the words entered. The recording can be low quality - the researchers used a $10 microphone - and the system does not need previous samples of a user's typing to perform the analysis. Moreover, the technique can frequently guess a person's password in as little as 20 attempts.
Read full article here (reproduced from The Register)
UK under attack from Asian Trojans
Key organisations have been hit by a wave of data stealing programs
Three hundred key business and government organisations are threatened by a wave of data-stealing attacks from Asia, the government has warned.
According to the National Infrastructure Security Co-ordination Centre (NISCC), hackers in East Asia have developed Trojan horse programs that attempt to steal information from certain parts of the critical national infrastructure (CNI). The CNI is made up of finance, transport, telecoms, energy and government bodies.
Read full article here (reproduced from ZD Net UK)
Are your data and systems exposed to external attack?
Taking a radical new approach to the delivery of Vulnerability Assessment Services, Hytec's very different 3-Level approach assesses an organisation's vulnerability to attack:
- from the Internet
- from compromised DMZs
- from compromised hosts on the internal networks
Read full article here (published on www.Hytec.co.uk)
Five steps to enterprise security
Detecting network attacks is as much an art as a science, and that's not likely to change any time soon.
There is no lack of systems for detecting security breaches - IT managers can avail themselves of software tools, services and appliances ranging from firewalls to IDSes (intrusion detection systems) to log analysis programs to managed service providers. That's the science. Mastering the art of detecting the actions of a motivated, inventive attacker takes human detectives who are just as ingenious and relentless as their opponents.
Read full article here (reproduced from eWeek)
The 24-Hour Organisation
Protecting your critical information assets does not stop once the security architecture has been implemented, nor must it stop when your IT security team goes home. Just as your premises are more likely to be broken into overnight, your data and applications are more likely to be breached outside normal working hours.
Read full article here (published on www.Hytec.co.uk)
Europe's IT directors doubt VoIP security
Almost half of European IT directors believe VoIP networks are “inherently insecure”, with the figure rising to 56 percent among computing professionals working in the financial sector, newly published research has claimed.
Read full article here (Reproduced from SC Magazine)
Finding the Right Mix for Information Assurance
As security experts, we probably all have had the conversation about the value of technical, operational and managerial security controls. It usually goes something like this: "My network (or system, or application) is very secure. Periodic vulnerability scans are conducted, security patches are installed as identified, and virus detectors are implemented. Additionally, there are DMZs, firewalls, and Intrusion Detection Systems (IDS), as well as Intrusion Prevention Systems (IPS). Yep, we are totally secured. All that other policy stuff does not matter."
Read full article here (Reproduced from eSecurityPlanet.com)