Cyber Security Institute

Tuesday, January 31, 2006

Identity Theft Laws Elevate Security to the C-Level

Information security should start from the top, experts say.  Numerous breaches in customer data security in 2005 have fueled calls for federal legislation that could lead to onerous security demands on financial institutions that hold consumer information.  Even if legislators show restraint in demanding new controls, it’s time for banks to create C-level security positions, experts suggest.


23% of corporate networks rely on users applying security patches themselves

More than 65% of IT managers surveyed by LanDesk are continuing to experience security breaches and are seeking additional methods of securing their organization beyond just anti-virus software.  60% of respondents said that their organization does not have a way of scanning devices attempting to connect to their network and quarantining any system that does not meet their company’s security requirements.


Security consortium creates guidelines

A new consortium of security companies has established guidelines for defining spyware and testing anti-spyware products.  The guidelines could help consumers determine the risks posed by new software and the effectiveness of anti-spyware products.  At a time when the number of spyware applications doubles each year, security companies are banding together to find ways to eliminate confusion about how to test security products.


Monday, January 30, 2006

BMC, Oracle Increase Identity Management Focus

Many businesses are realizing the need to have a fool-proof method for identifying users of their computer networks, to both protect their data and meet federal regulations such as HIPAA and SOX.  BMC Software, for one, is trying to position itself as the go-to security vendor for adding identity-management features to Microsoft .Net environments.  Oracle, meanwhile, says it’s on the lookout to partner with a vendor that offers single sign-on software to add to its portfolio of identity management offerings, which are largely the result of an acquisition spree over the past few years.


Sunday, January 29, 2006

Vista will not ship with antivirus

Instead of implementing AV protection to its new product, as promised, Microsoft is going to sell the anti-virus product unbundled through its OneCare online service, according to Jim Allchin, co-president of Microsoft’s platform products and services division.


Friday, January 27, 2006

U.K. bill would increase penalties for cybercriminals

The British government has proposed sharply increasing penalties for computer crimes, which are taking a financial toll on U.K. businesses.  The Police and Justice Bill would amend the Computer Misuse Act of 1990, a Home Office spokeswoman said Friday. It would increase the maximum penalty for unauthorized modification of a computer from five years to 10 years, a provision that would cover all forms of DDoS (distributed denial-of-service) attacks, she said.


Symantec warns of notebook dangers

Some respondents claimed that their mobile device was worth as much as £5 million.  Symantec also revealed that just 42 per cent of companies automatically back up employees’ email on laptops, while 45 per cent actually leave backup to the users themselves.


Good worms back on the agenda

A researcher has reopened the subject of beneficial worms, arguing that the capabilities of self-spreading code could perform better penetration testing inside networks, turning vulnerable systems into distributed scanners.  The worms, dubbed nematodes after the parasitic worm used to kill pests in gardens, could give security administrators the ability to scan machines inside a corporate network but beyond a local subnet, David Aitel, principal researcher of security firm Immunity, said at the Black Hat Federal conference.  “Rather than buy a scanning system for every segment of your network, you can use nematodes to turn every host into a scanner,” he said during an interview with SecurityFocus.  “You’ll be able to see into the shadow organization of a network—you find worms on machines and you don’t know how they got there.”


Gartner Says Don’t Deploy 802.11n until 2007

Companies should stay away from next-generation Wi-Fi equipment described as 802.11n compliant, Gartner has warned.  “Expect these technology investments to be good for at least four more years,” a group of three Gartner analysts recommended, adding that 802.11n should not be considered until 2007.



Microsoft’s Allchin: Buy Vista for the security

If new features won’t get you to upgrade to Vista, security enhancements should, Windows chief Jim Allchin has urged.  Microsoft has already touted the bells and whistles it is putting into Windows Vista, the operating system successor to XP that’s due out by the end of the year.  Other changes include improved touch-screen support and a Windows sidebar that can display all kinds of information such as upcoming appointments, just-in e-mail messages and a clock.  But if none of that strikes your fancy, Vista will still be worth getting, thanks to its better defenses against phishing attacks, spyware and other malicious code, Allchin said.


Thursday, January 26, 2006

Bots Nearly Triple In 2005

The number of bots released in 2005 was almost triple that of the year before, according to Madrid-based Panda Software, spotlighting the growing problem of PC hijacking.  That’s not surprising, considering the large number of variations attackers crank out for some bot families.  The Gaobot clan (also dubbed “Agobot”) alone spun off more than 6,000 variants last year.  Botnets, which are typically controlled by a “herder,” or handler, can be composed of thousands, or hundreds of thousands, of contaminated PCs.


Kama Sutra worm set to bite next week

Security vendor IronPort warned Thursday that machines infected by the Nyxem.E worm are now hard-coded to propagate the virus on Feb. 3.  Companies are unlikely to be directly affected if they are running up-to-date antivirus software, because the major antivirus vendors have now released patches.  But IronPort warned that companies could experience secondary effects, as the virus tries to propagate itself by harvesting e-mail addresses on an infected machine.  “This will cause additional e-mail and network traffic and a possible slowdown in e-mail response time,” said Jason Steer, a technical consultant at IronPort.  F-Secure has reported that Nyxem.E reached the top position on Thursday in its virus statistics list, with 21.7 percent of all reported infections.


Wednesday, January 25, 2006

Zero-day details underscore criticism of Oracle

A security researcher released details of a critical flaw in Oracle’s application and Web software on Wednesday, criticizing the company for not cooperating with the security community and taking too long to fix software issues that threaten its customers.  The flaw occurs in the way that a module in Oracle’s Apache Web server distribution handles input and could give external attackers the ability to take control of a backend Oracle database through the Web server, said David Litchfield, principal researcher of database security firm Next-Generation Security Software, during a presentation at the Black Hat Federal security conference.


Cambridge prof warns of Skype botnet threat

A discovery by a Cambridge professor this week highlights an easy to perform denial-of-service (DoS) attack using VoIP as a wrapper for the malicious traffic.  As a growing amount of VoIP traffic is passed across the internet, concern is being raised that bot networks could be orchestrated to overlay VoIP on their attacks, thereby preventing detection of the source.



Tuesday, January 24, 2006

Online crime matures beyond adolescence

Cybercrime is moving from broad ego-driven outbreaks to much smaller targeted attacks aimed at stealing sensitive data or extorting money from companies, IBM stated in its 2005 Global Business Security Index Report released on Monday.


19 Ways to Build Physical Security into a Data Center

There are plenty of complicated documents that can guide companies through the process of designing a secure data center: from the gold-standard specs used by the federal government to build sensitive facilities like embassies, to infrastructure standards published by industry groups like the Telecommunications Industry Association, to safety requirements from the likes of the National Fire Protection Association.  Read this [excellent] article to find out how a fictional data center is designed to withstand everything from corporate espionage artists to terrorists to natural disasters.


Top Security Trends for 2006

As a result of working with hundreds of companies on security projects, Chris Thatcher and his teammates at Dimension Data have set forth predictions for the top security trends for 2006.


Phacing the Phacts on Phishing

Nearly a quarter of PC users are targeted by monthly phishing attempts, according to a national study of online security.  Phishing is, of course, the practice of sending bogus but authentic-looking e-mails, purportedly from a trusted organization, to consumers in hopes of tricking them into revealing personal information.  It’s one of the fastest-growing crimes in the world, and the survey conducted by AOL and the National Cyber Security Alliance indicates there’s no reason to expect that to change anytime soon.


Monday, January 23, 2006

CIOs Line Up Top Issues in ‘06

Leveraging IT to help grow their company’s business tops the agenda for Chief Information Officers, according to a survey of some 1,400 CIOs just released by Gartner.  While such core issues as security and cost controls remain a concern for CIOs, the Gartner study revealed that making their businesses easier for customers to deal with by improving business processes is a top business priority for the second consecutive year.  Controlling enterprise operating costs ranked second among the CIOs’ top ten business priorities, and security technologies ranked second among their top ten technology priorities.


Sunday, January 22, 2006

Fear of fraud hampers UK online banking

The UK’s Financial Services Authority (FSA) has warned banks that they must do more to help consumers to deal with online banking fraud, warning that consumer confidence in internet banking is currently very fragile.  According to the regulator’s Financial Risk Outlook 2006, to be published on Wednesday, half of active internet users are ‘extremely’ or ‘very’ concerned about the potential fraud risk of making an online transaction.  A survey carried out for the FSA by NMG Financial Services Consulting/IPSOS, shows that consumers who conduct their banking online are taking steps to protect themselves against fraud, by installing security software on their PC, but over a quarter do not know when they last updated their software or update it infrequently.


IronPort Gets Tougher On Spam

Getting tougher on spam, San Bruno, Calif.-based e-mail security vendor IronPort is enhancing its SenderBase e-mail traffic monitoring network with URL tracking and Web reputation data filtering.  Assessing the reputation of the e-mail sender alone is no longer enough to block spam and phishing attacks that are becoming increasingly complex, said IronPort’s vice president of technology Pat Peterson.


AirDefense Delivers AirDefense Personal 3.0

AirDefense has launched AirDefense Personal 3.0, the industry’s most comprehensive real-time threat detection and automated response for mobile workers. AirDefense Personal 3.0 enables administrators to easily create and automatically enforce wireless policies across the enterprise and provide end-to-end wireless intrusion prevention platform inside and outside of the office.  More than half of all workers within an enterprise will be outfitted with notebook computers within the next three years and almost all of these devices will be wirelessly enabled, according to J. Gold Associates.  In fact, within the next two to three years, suggests the Boston area research firm, knowledge workers will be mobile more than 50 percent of the time, working from diverse locations including the office, home, hot spots and customer sites.


Friday, January 20, 2006

BANK SECRECY ACT Sharing Suspicious Activity Reports With Controlling Companies

The Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies (FDIC, FINCEN, OCC, OTS) are providing guidance to confirm that sharing Suspicious Activity Reports (SARs) with a controlling company in accordance with specified procedures is acceptable.


Hacker PC networks getting harder to find

Hacked computer networks, or botnets, are becoming increasingly difficult to trace as hackers develop new means to hide them, security experts say.  Botnets are used to send spam, propagate viruses and carry out denial of service attacks - something that has again come to light with a high-profile attack on The Million Dollar Home Page, a novel advertising website idea by a British college student.  Extortion schemes are frequently backed by the muscle of botnets, and hackers are also renting the use of armadas of computers for illegal purposes through advertisements on the Web, said Kevin Hogan, senior manager for Symantec Security Response.


Symantec to Fortify its Compliance Software

Security vendor Symantec will unveil new policy and compliance software next month as part of its integration of the BindView assets, has learned.  The move comes after Symantec agreed to acquire BindView in October for $209 million in a bid to offer a more comprehensive security and policy compliance for customers.  The Cupertino, Calif., company has tucked BindView’s assets into its portfolio and will unveil them as the Symantec Policy Manager and Symantec Compliance Manager in early February, said a source close to the company.


Tuesday, January 17, 2006

Microsoft Pushes Windows XP SP3 To Late 2007

Microsoft has pushed back the delivery date of the next major Windows XP service pack update to the second half of 2007, as much as a year later than earlier reports had indicated.  According to Microsoft’s recently updated service pack road map, Windows XP Service Pack 3, or SP3, will release sometime after June 2007.  The date, which Microsoft says is preliminary, is about a year later than some 2005 reports cited after CEO Steve Ballmer held forth in Scandinavia.


DHS grant kit offers cybersecurity guidance

The Homeland Security Department’s new preparedness unit is urging state governors to prepare cybersecurity plans, adopt a new national XML-based model for information-sharing and implement newly developed common rules for geospatial content.  The recommendations are some of the most detailed that the federal government has made to states and local governments to date on using IT in the fight against terrorism.  The IT-related guidance is included in the fiscal 2006 grant application kit for the distribution of $3.9 billion in federal homeland security grants to states and localities this year, published by the preparedness directorate.


An Inside Look at IPSec in Vista

IPSec has traditionally been used to secure remote access connections.  In the last few years this has been changing, as IPSec moves from the WAN into the LAN to secure internal network traffic against eavesdropping and modification.  The whole thing is pretty complex to set up and manage, and though IPSec management tools were improved in Windows XP, they’re not really very intuitive to use.  Things are going to be better in Windows Vista, at least to a degree.


Monday, January 16, 2006

Web applications are easy targets

This year kicked off with yet another panic over a vulnerability in Windows, this time an image-handling flaw that exposed users to attack if they encountered a malicious Windows Metafile (WMF).  The WMF bug caused significant damage, but less than some expected, which may indicate that the industry is gradually learning to manage client security.

Operating systems, even Windows, are getting more secure.  Automatic software updates, running with limited user rights, safer web browsers and better firewalls are gradually making a difference.  By contrast, problems with web applications are harder to manage.


Friday, January 13, 2006

ISPs, telcos and police voice fears over data retention cost

The data retention directive contains some serious flaws, but the most serious is that it does not make clear who will pay for it, experts say.  European legislation on data retention, which is soon to become law in Britain, contains some serious flaws, according to technical and legal experts.  The data retention directive that the UK, Ireland and Sweden pushed into EU law last month would make it a requirement for telecommunications companies and ISPs to save information about customers’ phone calls and electronic communications for up to two years.