Cyber Security Institute

Tuesday, February 28, 2006

Symantec keeps weather eye out for Net threats

Symantec plans to launch the Symantec Internet Threat Meter, a free service meant to inform consumers about the state of Net security.  Available on the Symantec Web site, the new threat meter will provide information on the current risk level associated with specific online activities: e-mail, Web surfing, instant messaging and file-sharing.  The rating is based on triggers related to malicious software, phishing and online fraud, vulnerabilities, online attacks and spam, Cole said.


Monday, February 27, 2006

Cyberthieves Silently Copy Your Passwords as You Type

Most people who use e-mail now know enough to be on guard against “phishing” messages that pretend to be from a bank or business but are actually attempts to steal passwords and other personal information.  In some countries, like Brazil, it has been eclipsed by an even more virulent form of electronic con: the use of keylogging programs that silently copy the keystrokes of computer users and send that information to the crooks.  These programs are often hidden inside other software and then infect the machine, putting them in the category of malicious programs known as Trojan horses, or just Trojans.  Two weeks ago, Brazilian federal police descended on the northern city of Campina Grande and several surrounding states, and arrested 55 people, at least 9 of them minors, for seeding the computers of unwitting Brazilians with keyloggers that recorded their typing whenever they visited their banks online.  The fraud ring stole about $4.7 million from 200 different accounts at six banks since it began operations last May, according to the Brazilian police.  The twist here is that the keylogging programs exploit security flaws and monitor the path that carries data from the keyboard to other parts of the computer.


IBM, Novell aid open-source identity project

IBM, Novell and Parity Communications announced that the firms would contribute code to an open-source initiative, known as Project Higgins, which aims to create an identity system that gives users more control over their data.  The project, which is managed by the Eclipse Foundation, is based on the concept of user-centric identities researched at Harvard Law School’s Berkman Center for Internet & Society.


Saturday, February 25, 2006

Another security breach reported

Following on the heels of an embarrassing security lapse by McAfee and its accounting firm Deloitte & Touche, financial giant Ernst & Young acknowledged Friday that it, too, had lost sensitive data that could be exploited by identity thieves.  In a letter dated Feb. 13, Ernst & Young warned clients that their Social Security numbers were on a laptop that was stolen from an employee’s locked car.  Santa Clara antivirus software maker McAfee warned 9,000 current and former employees in a letter dated Feb. 17 that a compact disc containing their names and Social Security numbers was lost.


Friday, February 24, 2006

January Virus and Spam Statistics: 2006 Starts with a Bang

Commtouch has announced spam and computer virus statistics for the month of January 2006.  The data is based on information continuously gathered by the Commtouch Detection Center, which analyzed more than 2 billion messages from over 130 countries during the month of January.  The numbers are indeed concerning: 19 new significant email-borne virus attacks, of which a troubling 8 (42%) were graded “low intensity”, 7 (37%) “medium intensity” and 4 (21%) were massive attacks, a rare phenomenon for a single month.  One outbreak of specific interest, consisting of 7 variants, illustrates how viruses are growing in sophistication: the first variant was launched around December 25th as a low intensity virus, but with subsequently released variants the attack’s intensity grew into a massive outbreak towards the end of the month.


Thursday, February 23, 2006

DoD Plans To Deploy RFID In Operations With 24 Nations

The Department of Defense said Thursday it intends to move forward on plans to use active radio frequency identification (RFID) technology to support collaborative military coalition operations with 24 countries.  The group, including Japan, South Korea, Australia, Switzerland and North Atlantic Treaty Organization (NATO) member countries, will use consistent standards to share information based on International Organization for Standardization (ISO) data formats.  The goal of sharing information and creating interoperability between nations hasn’t been an easy task.


Tuesday, February 21, 2006

Microsoft Systems Management Server 2003 R2 Enters Beta

The new version of SMS, due to be shipped around May, automates the updating of third-party applications.  Microsoft’s support for non-Microsoft applications and security improvements in Systems Management Server (SMS) 2003 Release 2 (R2) will expand opportunities for the company and its channel, solution providers said.  Microsoft released SMS 2003 R2 into beta testing, and the Redmond, Wash.-based company plans to release the software update and deployment platform upgrade around May, said Felicity McGourty, director of product management in Microsoft’s Windows Enterprise Management Division.  The R2 version will feature a new Inventory Tool for Custom Updates (ITCU), which will allow businesses and partners to automate the deployment of updates for third-party ISV applications and corporate line-of-business applications. For example, ISVs and partners could use the tool to create and publish software update catalogs that could be imported directly into the SMS console.



Last October, a relatively obscure government body called the Federal Financial Institutions Examination Council, or FFIEC, issued what it called guidance but which looks much like a mandate.  Starting in January 2007, financial institutions must provide consumers of online financial services with the same security protection enjoyed by customers buying groceries or gas with a debit card: strong authentication.


Monday, February 20, 2006

Private identities become a corporate focus

The CEO of Sun Microsystems, infamous for his pronouncement, “You have zero privacy anyway. Get over it,” took a conciliatory tone on the stage here, allowing that privacy might be something for which consumers should fight.  He warned companies that, unless they protect consumer privacy, they could lose out on significant online growth.  “It’s going to get scarier if we don’t come up with technology and rules to protect appropriately privacy and secure the data, and the most important asset we have is obviously the data on people—our customers and employees and partners,” McNealy told attendees last week.  McNealy joined the heads of other technology companies at the RSA Conference who called for better protection of privacy and more specific ways of thinking about what data needs to be known to identify partners and customers.


What Security Professionals Think about Encryption

How important is encryption to an organization’s security?  We recently completed the 2006 National Encryption Survey to find out what security and data privacy professionals think about using this technology to protect sensitive and confidential information.  According to our findings, encryption has not been embraced by organizations as part of a solution for protecting sensitive data from a security breach.  In fact, only 4.2 percent of companies responding to our survey report that their organizations have an enterprisewide encryption plan.

Key Findings

Most common uses of encryption: Encryption is mostly used to protect sensitive or confidential electronic documents when sending them to another system or location (47 percent).
Only 31 percent encrypt data on a computer storage device such as a server or laptop and 24 percent encrypt sensitive or confidential backup files or tapes before sending them to offsite storage locations.
The primary reason among respondents for not encrypting sensitive or confidential information is concern about system performance (69 percent) followed by complexity (44 percent) and cost (25 percent).


Saturday, February 18, 2006

Biometrics struggle to go mainstream

A host of problems is keeping biometric security from becoming a mainstream application, a panel of experts at this year’s RSA Conference concluded.  “The largest complaint at biometrics conferences is that every year people say that: ‘This is the year of biometrics.’  And then they come back the next year and say: ‘Maybe this is the year of biometrics,’” said Richard Lazarick, chief technologist at CSC Global Security Solutions.  One of the major problems, Lazarick argued, that prevents biometrics from becoming mainstream is lack of agreed standards.


Friday, February 17, 2006

Hot Topics in Tech Security

Asked what the hot topics in tech security are, executives at the RSA Security Conference here say the answer depends on who’s doing the talking: SSL VPNs, next-generation firewalls, authentication, on-demand security in applications and security moving into every aspect of IT.


Secure Router Market More than Doubled in 2005

It’s one of the most fundamental components of networking technologies, and the market is still growing, at least in terms of unit shipments.  According to Infonetics Research, the global enterprise market shipped 14 percent more routers in 2005 than 2004.  Despite that growth, pricing pressures actually caused a 3 percent decline in overall revenues to $3.3 billion, down from $3.4 billion in 2004.  Growth in the secure router segment, both in terms of units and revenues, was positive.


Accountants reject email monitoring

UK accounting firms are unlikely to use email monitoring systems to check movement of market and client sensitive information in the short term.  This is despite a similar scheme being introduced by one of the world’s biggest investment banks.  Deutsche Bank is set to unveil an email monitoring system to head off market abuse concerns associated with email communication. Many UK accounting organisations, however, have no current plans to watch over client-related emails sent from staff.


Leading mobile communications companies found initiative against mobile spam

At the behest of the GSM Association (GSMA), fifteen network operators have founded a joint initiative against the spread of spam via mobile communications networks and published a “Code of Practice” (PDF file). All of the network operators in Germany except E-Plus and its parent company KPN have signed the agreement. The signatories include US mobile communications giant Cingular Wireless, the Hutchison Group, Turkcell and the Indian mobile communications group Bharti. According to GSMA, the fifteen mobile communications companies serve a total of around 500 million customers in more than 50 countries.  The initiative is focusing on spam sent as a text message or MMS, which has been divided into three categories: first, advertising that the cell phone user did not request; second, messages that directly or indirectly lead to calls to expensive premium services; and third, fraudulent content, such as the spoofs familiar to users of the fixed Internet.


Thursday, February 16, 2006

U.S. Warns of Coming Online Threats

The top Internet threats for 2006 will include more attacks targeting instant-messaging networks and handheld devices, the Department of Homeland Security and the National Cyber Security Alliance predicted.  The National Cyber Security Alliance, a central clearinghouse for security awareness and education, teamed with the Department of Homeland Security to create a list of emerging threats in the hope that more U.S. consumers will prepare themselves for attacks.  The predictions, which include cautions about an oncoming wave of identity hacks against online brokerage accounts, have been prepared over the past year, according to the NCSA, with the aim of focusing attention on online protection.  According to the report, there are four main emerging threats likely to grow in the coming year: hackers using instant messaging to spread viruses and worms; phishing becoming more widespread; virus attacks on cell phones and PDAs; and hackers targeting online brokerage accounts.


Mobile virus growth outpaces PC malware

The number of mobile viruses is climbing faster than PC viruses, according to research from security software vendor McAfee.  Data on virus numbers since 2004 was compared to the number of PC viruses since 1990 and the results show that mobile malware numbers are rising faster than for PCs. So far over 200 mobile viruses have been detected in the wild.  “We do not want to over hype the threat, as this is not an epidemic,” said Drew Carter, senior product manager at McAfee’s Mobile Initiatives division.  “Nevertheless it is a steeper growth curve than for PCs. If things continue at this pace we will reach a similar state of affairs as exists in the PC market before very long.”


Firms: Don’t expect federated IDs soon

Banks and analysts have seen the adoption of two-factor authentication driven by federal requirements and early adopters, but warn users that their pockets might be filled with dongles and smart cards because a universal access token is years away.  An E*TRADE Bank executive said that the company had more than $700 million in accounts protected by two-factor authentication and that customers that use a second factor have tripled the money in the accounts compared with a control group that only uses passwords.


Wednesday, February 15, 2006

‘Security in the cloud’ is not the way to go

One of the basic philosophies of security is defense in depth: overlapping systems designed to provide security even if one of them fails.  An example is a firewall coupled with an intrusion-detection system (IDS).  Defense in depth provides security because there’s no single point of failure and no assumed single vector for attacks.  If we could build a new Internet today from scratch, we would embed a lot of security functionality in the cloud.  For e-mail, in-the-cloud filtering services do a great job of filtering out spam and viruses, but it would be folly to consider them a substitute for anti-virus security on the desktop.

Smart organizations build defense in depth: e-mail filtering inside the cloud plus anti-virus on the desktop.  Real-time monitoring and response is what’s most important; where the equipment goes is secondary.


Good security news in short supply

With the start of the new year, it’s time to take a shot at predicting the key trends that will define the field of information security in 2006.  Predictions include: new attack vectors will grow precipitously, rootkits become familiar to the masses, secure development processes become mandatory, security management moves to network operations, key management becomes a major new requirement, and more security outsourcing.


Tuesday, February 14, 2006

Microsoft, RSA, Sun And Encryption

Every day, business users and eventually consumers are moving closer to storing more of their digital identities and authentication on smart cards and USB devices, and even passing them through the air via Bluetooth protocols.  Microsoft, RSA Security and Sun Microsystems set the pace and tone of the coming generation of encryption with upgrades to their roadmaps, authentication tools and partnerships that will push more encryption into the wider business world.  Consumer-facing support for smart cards and two-factor authentication in more devices, from a smart card to a USB plug-in to Bluetooth support, isn’t far behind, either.  Bill Gates, Microsoft Chairman, touted an updated roadmap for Active Directory and upcoming server-side support for smart cards, which Microsoft calls “InfoCards”, for customers, as well as support for InfoCards in the next version of IE, currently in beta.


Enterprises use freeware to beat cyber-spies

Freeware application SpyBot Search & Destroy is the most popular anti-spyware tool used by Australian enterprises, according to a report on the domestic security market by analyst firm Frost & Sullivan.  Commenting on the Australian Information Security Satisfaction Monitor (AISSM) study, its author, Frost & Sullivan security analyst James Turner, said although the result was unusual, he was not surprised that a freeware application could take first spot in such an important area of security.  In second place came Ad-Aware, an anti-spyware application that is available as both a free version for personal use as well as an enterprise version, which costs around US$28 per user per year.  Turner admitted that the survey did not ask which version of Ad-Aware was being used by enterprises but said he was surprised that Symantec’s anti-spyware products could still compete sufficiently—even though the basic Hosted Mail Security product costs around US$42 per user—to be placed third.


Gates: End to passwords in sight

For years, Microsoft Chairman Bill Gates has had his sights set on the password as the weak link in the computer security chain.  Now, with Windows Vista, Gates feels he finally has the right weapons to supplant the password as a means of verifying who is who on computers and over the Internet.  The new operating system, due later this year, introduces a concept called InfoCards that gives users a better way to manage the plethora of Internet login names and passwords, as well as lets third parties help in the verification process. Vista will also make it easier to log on to PCs using something stronger than a password alone, such as a smart card.


Monday, February 13, 2006

Cisco readies security enhancements

Cisco Systems in the United States is expected to unveil several enhancements to its security lineup that are designed to bolster its management offerings and ability to secure applications that reside on the network.  Cisco, as part of its adaptive security efforts to monitor and secure access to applications on the network, is debuting its Content Security and Control Security Services Module.  This module, designed for the Cisco Adaptive Security Appliance (ASA) 5500 series, aims to deliver Anti-X services that combine antivirus, anti-spyware, file blocking, antispam, URL blocking and content filtering.  Cisco is also expected to unveil a software upgrade for the ASA 5500 series. In the area of managing the network, Cisco is also introducing a new version of the Cisco Security Manager and an upgraded version of its Cisco Security Monitoring, Analysis, and Response System (MARS).


Sun to unveil security offerings

Sun Microsystems is expected to announce two security initiatives in the United States, one introducing a form of encryption for its next-generation Sun Java System Web Server and another that re-slices the way it delivers security features for Solaris.  As part of its initiatives, Sun plans to introduce Sun Java System Web Server 7.0 with support for Elliptic Curve Cryptography (ECC).  The company also plans to nix its tradition of offering Solaris in two flavours—one for the masses and another version with extensive security enhancements that are targeted to government agencies, financial institutions and health organisations.


Saturday, February 11, 2006

Security Staffing Survey

According to our recent Security Staffing survey, IT security executives believe their organizations are in greater jeopardy due to staffing shortages than their peers that oversee corporate security. Corporate security organizations outsource more than IT security departments, and the most frequently outsourced positions were security guards and guard management, while IT security departments were more likely to outsource data backup and biometrics.  Stress levels: Close to half (45 percent) of the security executives in our survey describe the stress level among their staff as high, while 14 percent say it’s very high.  Turnover: Two-thirds (67 percent) say that turnover is not a problem in their security departments currently, while 33 percent report varying degrees of turnover issues.  For those companies reporting turnover problems, salary (63 percent) and demanding workloads/burnout (57 percent) were the biggest causes.  Thirty-seven percent of CSOs say that their inadequate staffing levels are jeopardizing the security of their company’s facilities, and an additional 34 percent say that while their staff is stretched, security is adequate.


Choke Point

After a customer loads up an online shopping cart, after he hands over a credit card number and a shipping address, after he hits the “buy” button, after all that, there is a moment of truth that has profound implications for the U.S. economy.  That is the moment when the retailer decides whether or not to ship the order.  Just because the bank approves a credit card doesn’t mean it’s not stolen.  Millions of compromised credit cards are in circulation, and many won’t be replaced until they are known to have been misused.  With law enforcement overwhelmed by the problem, e-commerce merchants, not the credit card associations, not the banks, are often the ones left holding the empty bag.  Choose wrong, and the retailer loses either a legitimate sale or the merchandise and the transaction fee.  “You stick your neck out every time you ship something out without [getting] an imprint and signature,” says Joe Williams, CSO of the high-end retailer Sharper Image, which had $250 million of revenue in card-not-present transactions (comprising Internet, telephone and mail orders) in 2004.


Friday, February 10, 2006

What’s Next For The FTC And Net Threats?


Google Desktop 3 criticized [or why Security doesn’t like “free” desktop tools]

A new feature in Google Desktop 3 that allows people to search for documents across multiple computers poses privacy risks and should not be used, a consumer digital rights nonprofit and a security company are warning.  Google released the latest version of its desktop search application on Wednesday.  It includes an option that allows people who regularly use several computers to search for items stored on multiple computers simultaneously.  Once the Search Across Computers function is enabled, text copies of documents and Web history are automatically transferred to the other computer that has Google Desktop installed.  When the user searches on one computer for information, the second computer is automatically searched.  The Electronic Frontier Foundation warned consumers that the government or litigious rivals could subpoena the search engine for the information stored on the Google servers before it is deleted, which Google said is within 30 days.  The threat is underscored by the recent Justice Department request to Google, Microsoft, Yahoo and America Online for random Web search records.