Cyber Security Institute

Friday, March 31, 2006

Privacy Groups Herald House Data Breach Bill

The House Energy and Commerce Committee unanimously approved a federal data breach bill this week that consumer advocates applauded as “a reasonable compromise” between citizens’ protection and businesses’ responsibilities.  The 41-0 vote Wednesday on the Data Accountability and Trust Act (DATA) moves the legislation to the full House, where it’s not yet scheduled for a vote.


Identity theft hit 3.6 million in U.S.

About 3 percent of households were hit by some sort of ID theft during the first six months of 2004, according to the DOJ.  According to a comprehensive survey conducted by the U.S. Department of Justice (DOJ), identity theft is affecting millions of households in the U.S. each year and costing an estimated $6.4 billion per year.  The data comes from the Justice Department’s National Crime Victimization Survey, which interviews members of 42,000 households across the country every six months to better understand the nature, frequency and consequences of crime.  The DOJ has been compiling this information for more than 30 years, but this marks the first time it has asked households about identity theft, said survey author Katrina Baum, a statistician with the Justice Department’s Bureau of Justice Statistics.


Thursday, March 30, 2006

What Is Wireless Security

The new standard in wireless networks—802.11g—offers speed, security, and performance.  It is also the most widely employed standard in corporate internal wireless LAN networks.  You can transfer data at up to 54Mbps using 802.11g (which is five times the speed of older 802.11b wireless networks).  And wireless LANs provide some obvious benefits: they always provide on-network connectivity, they do not require a network cable, and they actually prove less expensive than traditional networks.  But to take advantage of these benefits, your wireless LAN needs to be properly secured.  This extra level of security complexity adds to the challenges network administrators already face with traditional wired networks.  This article covers the types of attacks wireless networks encounter, preventive measures to reduce the chance of attack, guidelines administrators can follow to protect their company’s wireless LAN, and an excellent supply of online resources for setting up a secure wireless network.


Tuesday, March 28, 2006

IDC: Data Centers Becoming Smaller, Faster

U.S. data centers are starting to look trimmer and run faster thanks to virtualization and automation tools, according to research firm IDC.  Data centers are becoming more utilized and therefore denser and hotter. The number of pieces of data center equipment is also slimming down to include fewer machines.  For example, with virtualization, customers can run multiple operating systems on one machine, reducing the number of machines they need to run their businesses.


Monday, March 27, 2006

Phishers Hack Bank Sites, Redirect Customers

Phishing scammers recently hacked the web sites of three Florida banks and redirected their customers to spoof pages, marking an apparent milestone in phishers’ use of bank web sites to construct more credible frauds.  The intrusion was detected about an hour after it started, ElectroNet CEO Allen Byington told the Tallahassee Democrat.

Friday, March 24, 2006

Managed Security Services Ready For Growth

Security solution providers are jumping on the managed services bandwagon in growing numbers.  Currently only about 20 percent of solution providers that offer managed services reported offering security services, according to the IPED survey, making it the least frequently offered managed service of the nine areas in the study.  But it was also the No. 1 fastest-growing area, with nearly one-third of solution providers that offer or planned to offer managed services indicating they would add managed security to their portfolios over the next 12 to 18 months.  As customers continue to adopt managed VoIP and network services, there will be a continuing shift toward managed security services as well.


Check Point calls off Sourcefire buy

Security company Check Point Software Technologies called off its planned $225 million acquisition of intrusion-prevention firm Sourcefire on Thursday, a week before a federal watchdog was scheduled to release a report which insiders say would have blocked the merger on the grounds of national-security interests.  “Given the complex technology, the complexity of the process, the current scrutiny of CFIUS, we have come to the conclusion that it may be simpler and better to pursue other partnership alternatives or take more time to work with the government.”


Tuesday, March 21, 2006

VoIP security at odds with QoS

Network managers need to start thinking very carefully about implementing voice over IP (VoIP) security to maintain LAN performance, avoid denial of service (DoS) attacks on IP phones and software platforms, and stop hackers listening in to private conversations.  Speaking at a roundtable forum at Cebit this month, experts said it could take another two years before the right balance of security and quality of service (QoS) in enterprise VoIP systems can be found.


Many Data Centers Still Have No Risk Management Plan

More than 75% of all companies have experienced a business disruption in the past five years, including 20% who say the disruption had a serious impact on the business, according to a recent survey of data center managers.  Despite the critical nature of data center operations to business, nearly 17% reported they have no risk management plan, and less than 5% have plans that address viruses and security breaches.  The predictions: Within the next five years, one out of every four data centers will experience a serious disruption; by 2015, the talent pool of qualified senior-level technical and management data center professionals will shrink by 45%; by 2010, nearly 70% of all data centers will use some form of grid computing or virtual processing; by 2010, more than half of all data centers will have to relocate to new facilities or outsource some applications; and over the next five years, power failures and limits on power availability will halt data center operations at more than 90% of companies.


Monday, March 20, 2006

Debit-card fraud underscores legal loopholes

Recent widespread debit-card fraud likely has roots in three major data leaks that occurred in the last six months, two of which have yet to be publicly disclosed by the companies involved.  Consumers have noted a large increase in the amount of debit-card fraud since the beginning of 2006, as well as a wide recall of cards by banks and financial institutions.  Three major incidents are likely fueling the fraud, according to financial and security experts.  A breach associated with bulk-goods retailer Sam’s Club last autumn likely resulted in millions of debit-cards potentially being put at risk, according to financial-industry insiders.  A second, smaller breach affecting hundreds of thousands of debit cards has been connected to office-supply retailer OfficeMax, although that company has denied any breach of its systems.  And, the most recent data leak occurred in an ATM network and likely affected millions of debit-cards as well, banking executives told SecurityFocus.  Despite security-breach notification laws on the books in 23 states, credit-card companies and financial institutions have not named the sources of the breaches.


Friday, March 17, 2006

DNS recursion leads to nastier DoS attacks

A new kind of denial-of-service (DoS) attack has emerged that delivers a heftier blow to organisations’ systems than previously seen DoS threats, according to VeriSign’s security chief.  The new DoS attacks first emerged in late December and kicked into high gear in January, before dying down four weeks ago, said Ken Silva, VeriSign’s chief security officer.


Thursday, March 16, 2006

Poor security blamed for increase in internal fraud

Poor internal security procedures and insufficient employee authentication systems are leaving UK businesses prone to internal fraud and intellectual property theft, according to a computer crime survey.  Employees at one in five large UK organisations can gain unauthorised access to sensitive information because of insufficient identity and access management processes, says the Department of Trade and Industry’s (DTI’s) biennial security report.  Separate research published this week by BDO Stoy Hayward says employee fraud rose 80 per cent last year, costing firms £67m.


Wednesday, March 15, 2006

Cybercrime a greater threat than physical crime

IT managers now believe that cybercrime is more costly to their organisations than physical crime.  Even more alarmingly, nearly three-quarters of IT managers (74 percent) believe that there are more threats from their own users.  That’s according to a survey carried out by Braun Research on behalf of IBM; the company surveyed more than 2,400 IT managers in 16 countries to gauge their views on computer security.  There were some stark differences between the countries: US managers were more confident that they had safeguards in place.  Some 83 percent of them boasted that they had adequate safeguards in place to combat cybercrime, compared to just 53 percent of their international counterparts who could make such a claim.


Hackers cash in on financial sector attacks

The financial sector has been identified as the most attacked by hackers in an annual review of hacking activity by security firm Counterpane and email management company MessageLabs.  The finance and banking sectors picked up nearly 40 per cent of all Trojan attacks last year, and manufacturing was the next worst affected at 22 per cent.  “The new Trojan programs do not have to trick victims into revealing their password.  Instead, they wait for the victim to perform their normal banking business.  While the victim checks their balance, the Trojan silently siphons money out of the account.”  However, the most common target for spyware was the pharmaceuticals sector, which received nearly half of all spyware infections.


Wednesday, March 08, 2006

Perspective:  Data risk and consequences

The current Federal Trade Commission has little tolerance for companies that fail to take appropriate security measures to protect the financial data of their customers.  Indeed, the commission just settled charges brought against CardSystems Solutions and its successor, Solidus Networks, doing business as Pay By Touch Solutions, for allegedly not taking adequate security measures to protect the sensitive information of tens of millions of people.  The settlement will require CardSystems and Pay By Touch to institute a comprehensive information security program that will include audits by an independent security professional every other year for 20 years.  If they fail to properly protect the financial data of their customers, companies ought to expect FTC scrutiny.


10 of the BEST for SECURITY

“The typical computer network isn’t like a house with windows, doors and locks.  It’s more like a gauze tent encircled by a band of drunk teenagers with lit matches” - Robert David Steele, former CIA analyst and CEO of Open Source System.  It must have taken vast amounts of self-discipline to avoid radiating smugness: When American Water was infected by the Sasser worm last year its exposure was limited to just 19 hosts out of a potential 10,000, thanks to early detection and active intervention.  During the same period, a sister company suffered 4000 infected machines - virtually its entire infrastructure.  “The remediation alone, much less the business interruption quantification, was in excess of a half a million [US] dollars value to us,” says American Water director, security, Bruce Larson.


Second Phone Data Privacy Bill Approved

Targeting both telephone data brokers and telecoms, a House panel today approved legislation that bans the sale, lease or rental of confidential telephone records.  The bill also strengthens the ability of the Federal Trade Commission (FTC) to pursue the thriving online black-market sale of phone data.  It is now an express violation of the FTC Act for a person to use false pretenses to obtain or sell confidential phone data, a practice widely known as pretexting.  In addition, the legislation mandates that the Federal Communications Commission (FCC) write stricter regulations for telecoms to protect the confidential phone data of their customers.


Top 50 malicious code samples reveals

While past attacks were designed to destroy data, today’s attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence, the company said.


Phishing fraudsters aim to outpace site shutdowns

In a move designed to ensure potential phishing victims always link to a live website, fraudsters have developed so-called “smart redirection” attacks.  Smart redirection attacks involve creating a number of similar phishing websites based at different locations.  Emails that form the basis of phishing attacks pose as security messages from online banks in an attempt to dupe a tiny proportion of recipients who happen to be customers of the bank, into visiting a bogus site and handing over account information.  According to the Anti-Phishing Working Group, almost 50,000 phishing websites were created last year, with more than 7,000 appearing in December alone.


Tuesday, March 07, 2006

Patching window is getting shorter

Internet Security Systems has published a report which shows that hackers and cyber criminals are developing malicious code to exploit known vulnerabilities much faster than before.  Analysts from X-Force, the research and development team at ISS, evaluated 4472 vulnerabilities in both hardware and software during 2005.  Measured from the public announcement of a vulnerability on the internet, the report highlights that 3.13% of threats discovered had malicious code that surfaced within 24 hours, whereas 9.38% had code that surfaced within 48 hours.



Combating Identity Theft

Identity theft is the major security concern facing organisations today.  Indeed, for the banking industry, it is the number one security priority for 2006.  In a recent survey of security budget holders and influencers of UK banks, 73% of respondents cited identity management as the top transaction security concern.  The survey also showed that identity management has moved from being fifth to the most important driver for transaction security spend in UK banks. In addition, the number of UK banks assigning separate budgets for identity management has risen from 22% to 60% since 2003.  ID theft has increased by 500% since 1999 and now costs the UK economy £1.3bn a year.


Computer hacking laws discussed in Parliament

The House of Commons heard the first reading of The Police and Justice Bill which, if approved, could lead to tougher prison sentences for computer hackers and virus writers.


IT security top concern for fed CIOs

Chief information officers (CIOs) at U.S. government agencies say they have made progress on several key issues, including IT security and modernizing their IT infrastructure, but still face major challenges in security and other areas, according to a survey released Tuesday.  Government CIOs told interviewers sent by the Information Technology Association of America (ITAA) they’ve made progress in establishing IT security as a priority, expanding security awareness among staff and, in several cases, appointing a chief security officer, according to the survey.  But IT security and privacy remain federal CIOs’ top concerns, said Paul Wohlleben, a partner at Grant Thornton, which compiled the survey for ITAA. 


Black market thrives on vulnerability trading

As criminals have woken up to the massive reach afforded to their activities thanks to the Internet, hackers too are now able to avoid risking prison sentences by simply selling on their findings.  Graeme Pinkney, a manager at Symantec for trend analysis, told us: ‘People have suddenly realised that there’s now a profit margin and a revenue stream in vulnerabilities.  Vulnerabilities are being turned up in web applications because that’s where hackers are looking for them.  Some 80 per cent of the top 50 exploits analysed by Symantec turned out to be ‘revenue-written’, according to Pinkney.  Distributed denial of service attacks rose 51 per cent over the six months prior, to 1,405 a day.


Monday, March 06, 2006

Risky Sites Account for 5% of traffic

A significant number of visits to Web pages could place consumers’ computers at risk, security startup SiteAdvisor stated in a recent release.  The company, founded by graduate students from the Massachusetts Institute of Technology, uses a legion of automated virtual computers to scan the Internet for dangerous Web sites.  SiteAdvisor has scanned sites that account for 95 percent of all Web traffic, rating the dangerous pages as ‘red’, questionable pages as ‘yellow’, and legitimate sites as ‘green’.


Sunday, March 05, 2006

Customers voice concern over IP telephony security

Security fears are the biggest concern of internet protocol (IP) telephony customers worldwide, according to a senior Alcatel executive.  Speaking to IT Weekly at the Alcatel Enterprise Forum in Paris, France, last month, Gabriel Karam, marketing and business development manager for enterprise solution devices, Africa, Middle East, India and Turkey, said tackling security issues was a key priority for the company.  “What we are seeing is that security is the main concern of customers.”


Friday, March 03, 2006

Antivirus groups fight over Crossover sharing

A virus that spreads from PCs to mobile devices has become the focus of a power play between the antivirus industry and the relatively young Mobile Antivirus Research Association, which obtained the only sample of the program.  The Mobile Antivirus Research Association, a collection of professors, authors and security professionals, announced it had “characterized” the first program to spread from PCs to a mobile device, a virus dubbed Crossover.  In a rare occurrence in computer-virus circles, MARA appears to be the only organization to obtain a copy of the program—normally, such virus samples are sent by the creator to the major antivirus firms and shared among virus experts.  The exclusive access to the virus, and MARA’s insistence that companies join its membership before being given access to the code, has antivirus companies up in arms.  Among other rules, the document would have required that the company share its entire database of virus samples, Hyppönen said.  However, without the agreement, the Mobile Antivirus Research Association would not know if a new member would abide by the rules, said member and spokesperson Cyrus Peikari, the author of five books on security and the CEO of security firm Airscanner.  “Malware trading, which is illegal in many countries, should be done with a written chain of custody,” Peikari said.


Thursday, March 02, 2006

Hunt Intensifies for Botnet Command & Controls

Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers.  A botnet, which is short for “robot network,” is a collection of broadband-enabled computers that have been commandeered by hackers for use in spam runs, distributed denial-of-service attacks or malware installation.  The compromised machines are controlled by a “botmaster” via an IRC (Internet Relay Chat) server installed illegally on a high-bandwidth educational or corporate network.  “If that command-and-control is disabled, all the machines in that botnet become useless to the botmaster.  It’s an important part of dealing with this problem,” said Gadi Evron, a botnet hunter who helps to manage the anti-botnet fightback.


Top Ten Vulnerabilities for March 2006

Null Session/Password NetBIOS Access
Multiple Vendor SNMP Request and Trap Handling Vulnerabilities
AT&T WinVNC Server Buffer Overflow and Weak Authentication Vulnerabilities
Cisco IOS Telnet Service Remote Denial of Service Vulnerability
Writeable SNMP Information
SSH Protocol Version 1
OpenSSH Multiple Memory Management Vulnerabilities
Microsoft IIS WebDAV PROPFIND and SEARCH Method Denial of Service Vulnerability
Unauthenticated Access to FTP Server Allowed
Statd Format Bug Vulnerability


Wednesday, March 01, 2006

Locking In Network Security

When Cisco first launched into network security, its Self-Defending Network (SDN) strategy sounded more like a wishful marketing pitch than reality.  To wit, up until this year it was received with a mixture of skepticism and optimism.  But with the slow and steady acquisitions of security vendors and updates to its existing products, Cisco’s SDN strategy is coming of age quickly despite ongoing challenges to its hegemony from competitors such as Avaya and Juniper Networks.  The proliferation of viruses, worms, malware, denial-of-service attacks and other threats has made security a top priority for companies connected to the Web.  “SDN still has a ways to go, but if you had asked me a year ago, I would have said a long way,” says Jay Kirby, vice president of sales at Troubadour, a Houston-based solution provider.  “If you’re looking at a best-of-breed [multivendor] solution, you may not have a lot of cooperation or communication when you open a support incident.”  The flip side of the integration story is that while the Cisco products do work in mixed-vendor networks, they are not based on open protocols, so other security vendors are limited in their abilities to develop their products to work with SDN.