Cyber Security Institute

Friday, December 30, 2005

Phishers Stay One Step Ahead

Fraudsters stayed a step ahead of gullible Internet users in 2005 by fine-tuning their tactics and turning to more sophisticated strategies, a U.K.-based Web monitoring firm said in December 2005.  Open redirects were one of the favorite tactics of phishers in 2005, said Web tracking and anti-phishing company Netcraft, and a good example of fraudsters’ increasing proficiency.  Redirects, essentially scripts on the Web server, are used by legitimate domains to redirect users to other parts of a large site from, for instance, the home page.  Phishers can sometimes exploit these scripts to send users to a fraudulent site when users click on a link in a real site.  Netcraft pointed to several examples of redirection attacks in 2005, including one that used an incorrectly configured government site to fool users into giving up Social Security and credit card numbers.
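To make the redirect problem concrete, here is an added illustration (not code from the article or from Netcraft): the trusting redirect pattern described above beside a hardened version that only follows targets on the site's own origin. The origin, function names and sample inputs are assumptions constructed for this example.

```python
# Added illustration (not from the article): an open-redirect handler as a
# legitimate site might write it, beside a hardened version that only follows
# same-site targets. The origin and sample inputs are constructed for this example.
from urllib.parse import urlsplit, urljoin

SITE_ORIGIN = "https://www.example.gov"   # assumed origin of the legitimate site


def redirect_target_unsafe(next_param: str) -> str:
    """The pattern the article describes: wherever 'next' points, the user goes."""
    return next_param


def redirect_target_safe(next_param: str, fallback: str = "/") -> str:
    """Resolve 'next' against the site's own origin and refuse any off-site result.

    Covers the usual off-site shapes: absolute URLs to other hosts, scheme-relative
    '//host' forms, backslash variants, and userinfo forms like 'https://site@other'.
    """
    if not next_param:
        return fallback
    # Browsers treat backslashes like forward slashes in URLs; normalise first so
    # '/\\other.example' cannot pass the checks below as a "relative" path.
    candidate = next_param.replace("\\", "/")
    if candidate.startswith("//"):
        return fallback            # scheme-relative URL resolves to another host
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: allow only an exact match of our origin (no userinfo, no port games)
        if f"{parts.scheme}://{parts.netloc}".lower() != SITE_ORIGIN:
            return fallback
    # The target is now relative or on our own origin; rebuild it from the trusted
    # origin so the final URL cannot escape to another host.
    resolved = urljoin(SITE_ORIGIN + "/", candidate)
    if not resolved.lower().startswith(SITE_ORIGIN + "/"):
        return fallback
    return resolved
```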


Wednesday, December 28, 2005

Marriott Says Customer Data Missing

The timeshare unit of Marriott International Inc. is notifying more than 200,000 people that their personal data are missing after backup computer tapes went missing from a Florida office.  The computer tapes were stored in Orlando, where the unit is based.


Wednesday, December 14, 2005

When Security Makes Business Sense, First and Foremost

ROI and quantitative analysis are useful, but prioritizing security projects and focusing on objectives is smart business.  Quantitative methods may provide useful input, but they’re no substitute for careful reasoning about which security expenditures will help make your enterprise more successful overall.  The company has a baseline of security spending that is nondiscretionary and necessary to satisfy its regulatory and internal audit requirements.  ROI and other quantitative analysis may help provide a common framework with other technology investments, but you should prioritize and justify security spending by having a solid discussion of your application objectives and their exposures.  Because so much of today’s security budget is dedicated to mandatory items, only a fraction is left for discretionary projects.  Risk-management philosophy pervades today’s companies, and it’s apparent on both the revenue- and cost-generating sides of the house.


Tuesday, December 13, 2005

Gartner: Put Pandemic Plans In Place For 2006

Citing World Health Organization (WHO) claims that a pandemic is “almost certain,” Gartner analyst Ken McGee posted several recommendations in an online note to clients.  “Enterprises should take the widespread agreement on the strong likelihood of a pandemic—and the U.S. Congressional Budget Office (CBO) projections of the devastating economic consequences of such a pandemic—as a signal to take immediate action,” wrote McGee.


Intel Researchers Sneak Up on Rootkits

The chip maker’s Communications Technology Lab, in a project called System Integrity Services, has created a hardware engine to sniff out sophisticated malware attacks by monitoring the way operating systems and critical applications interact with hardware inside computers.


Monday, December 12, 2005

Could a U.S. Shift to IPv6 Cost $75B?

Moving to IPv6 will present a number of challenges for the U.S. federal government, not the least of which is the associated price tag, which could hit $75 billion.  A new 63-page report issued late last week by the IPv6 Summit and Juniper Networks offers U.S. federal agencies a bevy of suggestions on how best to go about transitioning to IPv6.  The government is supposed to be on a relatively rapid path toward IPv6 migration since the Office of Management and Budget (OMB) mandated this past August that the federal government move to IPv6 by June 2008.  Last week’s report, titled “IPv6 Best Practices World Report Series: Guide for Federal Agencies Transitioning to IPv6,” recommends that federal agencies develop a business case for moving to IPv6, centralize their migration tactics and define metrics to help track transition progress.


ISF Warns Of Spit And Other New Security Threats From VoIP

A new report from the Information Security Forum (ISF) warns that along with existing security problems associated with IP networks, VoIP will present new and more sophisticated threats - such as caller ID spoofing, voice modifiers, SPIT (voicemail SPAM) and packet injections.  With VoIP now poised to hit the business market in a big way, the ISF believes that failure to address these serious risks may bring voice communications to a grinding halt and result in identity theft and loss of sensitive information.  With a combination of caller ID spoofing and freely available voice modification software, it is relatively easy to pose convincingly as someone else—similar to web site spoofing and phishing.


Browsers to get sturdier padlocks

The yellow security padlock in Web browsers, weakened by lax standards and loose supervision, will get reinforced next year with tougher requirements and browser updates.  The browser icon was designed to show that traffic with a Web site is encrypted and that a third party, called a certification authority, has identified the site and vouches for its validity.  To solve that problem, a group of companies that issue the Secure Socket Layer certificates are working with major Web browser makers to develop a new type of “high assurance” certificate.  What’s new: A group of companies is working to rebuild trust in the SSL security certificates issued to Web sites by developing industrywide standards for a stronger, “high assurance” product.

Bottom line: The tougher certificates, coupled with browser developments, could help fight “phishing,” which threatens the multibillion-dollar online retail market.


Wednesday, December 07, 2005

Security threats soar in 2005

Nearly 16,000 new viruses, worms and Trojans have appeared in 2005, but criminals are moving their focus to niche targeted groups with specially customised malware to steal data and cash.  The huge increase in the number of malware programs stems from the activities of criminal gangs intent on using trojans, worms and viruses to make a profit, according to a new report from anti-virus software firm Sophos, entitled the Security Threat Management Report 2005.  These gangs have been focusing their efforts on a smaller number of victims, who are targeted with customised malware, so that the creators of the virus can evade the attentions of anti-virus software vendors and security providers.


Gartner: Stop mission-critical BlackBerry use

Wait until the RIM/NTP dust settles…


Tuesday, December 06, 2005

Mobile Security for Global Businesses

A recent study on the Indian Network security market by Frost & Sullivan reveals that Nokia has a market share of 3.9% of the entire security market.  In the firewall/VPN market, Nokia has a 4.7% share.  Frost & Sullivan expects Nokia to shape up as a major player in the coming years on account of Nokia’s product/solution portfolio expansion into various new security platforms.  Today business is all about information and how the right information is sent to the right people at the right time and right place for them to convert it into a business advantage.


Computer security incidents cost NZ businesses millions

According to an Internet Security Survey conducted by the NZ Employers and Manufacturers Association Northern in November, the range was “conservatively estimated” from the lowest to the median costs of the disruptions reported by 356 businesses, extrapolated across the country’s 123,000 businesses employing more than one person.

About half the sample’s respondents said the cost in the last 12 months was between $500 and $10,000, including rework, lost work, repairs and lost business.  “For instance, 91 per cent of companies employing 20 people or less have antivirus software installed compared to 84 per cent of companies employing more than 20 people.  Of that relatively modest investment, 55.8 per cent invested five per cent or less on security in 2005—level pegging with the 55.7 per cent that spent five per cent or less in 2004.


Eight steps for integrating security into application development

Most organizations spend a tremendous amount of resources, time and money to protect their network perimeters from Internet-borne threats and hackers.  But no matter how good a defense may be, it usually falls short in addressing the vulnerabilities inside the network at the application layer.  Recent research findings indicate that the application layer is one of the highest-risk areas and where the most potential damage can occur, either through insider targets or lack of protection.  As a result, confidential company information can be exposed, resulting in harm to a company, its customers and its reputation.

While many variables affect Web application security, improving security in a few key areas can help eliminate vulnerabilities.


Friday, December 02, 2005

DSW Settles Data Theft Case

Discount shoe retailer Designer Shoe Warehouse, which discovered in March that information on 1.5 million customers had been stolen, has agreed to do more to keep identity thieves at bay, the Federal Trade Commission said Thursday.  In a settlement, the Columbus-based company will put in place a comprehensive security program and have its systems audited by independent experts every other year for 20 years, the government said.


Thursday, December 01, 2005


Spending on Sarbanes-Oxley compliance will top $6 billion in 2006, on par with the $6.1 billion spent in 2005, according to a new report out today from AMR Research Inc.  But the emphasis is shifting, the Boston-based consulting firm found, with a greater percentage of the budget going to technology, as companies seek to automate and monitor the many controls required to comply with the 2002 federal act.  AMR is predicting that budgets allocated to head count will fall by 8% next year to $2.3 billion, or 39% of total spend on SOX compliance.