Author: admini

US-Cert report on spyware

Posted on by admini

Starting on page 10 defensive measures are outlined, emphasizing education and awareness.

It notes that social engineering is a major means of distributing spyware by tricking users into downloading and installing malware.

  • Don’t trust unknown or known high-risk sources.
  • Read the fine print.
  • Pay attention when installing applications.
  • Keep operating systems and software patched.
  • If you are running Windows XP, install Service Pack 2.
  • Use trusted anti-virus and anti-spyware tools.
  • Alternative internet applications
  • Browser configuration.

    • If I had to pick the single most important recommendation in the list, it would be to keep your operating system and software patched, including updating Windows XP to Service Pack 2.

    A lot of spyware and malware is being spread through exploits.

    Much of this can be prevented by keeping Windows updated and avoiding high risk sources, as stated in the first recommendation.

    Porn sites and sites with illegal content, cracks, hacks and warez, are usually the worst offenders.

    Lyrics and wrestling sites are also known offenders.

    The report includes references that are also excellent sources of more information.

     

    Read more

    Repositioning the CISO

    Posted on by admini

    Problem: Organizational Roadblocks Most organizations view the CISO not as a security and risk manager, but as a manager of security assets, like firewalls, intrusion detection/prevention systems, and incident response capabilities.

    According to the 2004 CSO Security Sensor Survey, 38% of respondents place the CISO in the IT chain of command, reporting to the CIO, whose primary responsibility is to maintain the availability of information systems. This placement hinders the CISO’s effectiveness and limits his or her ability to implement change, for a couple of reasons. Security’s message doesn’t reach senior business leadership.

    When the CISO reports to the CIO, a primacy is established. Operational responsibilities take priority over strategic planning. Particularly when threats may cause business disruption, tactical issues take precedence over longer-term planning. It is easier to buy and implement firewalls and intrusion detection systems than to develop security policies and implement a sound awareness program.

    Without long-term planning, the organization will remain trapped in the patch-and-pray scenario.

    “Ideally, the institution should separate the information security program management from the daily security duties required in IT operations. The senior information security officer should be an ‘enterprise’ risk manager rather than a production resource devoted to IT operations. To ensure independence, the information security officer should report directly to the board or senior management rather than through the IT department” (FFIEC Information Technology Examination Handbook).

    Firms who take this approach will realize new benefits from their CISOs. IT-independent CISOs can frame security in terms of business issues rather than IT projects.

    A traditional security manager’s explanation of the recent ChoicePoint fraud case might sound like this: “The server’s verification and authentication processes for the client Web portal were ineffective, thereby facilitating fraudulent access to sensitive back-end systems and personally identifiable data.” When framed in terms of business issues: “The trust model used by ChoicePoint failed in such a way as to compromise the company’s most vital assets.”

    A trust model establishes the standards by which an organization determines who to trust with its assets.

    Organizations have several options as to how to reposition the CISO. They can combine information security with physical security and elevate the senior security officer to CSO, reporting directly to the CEO. The CSO Security Sensor Survey indicates that 34% of its respondents have implemented this change, up 15% from the previous year. By combining physical and cyber security under one executive, the organization gains a holistic view of potential threats and the associated vulnerabilities.

    Elevating the chief security executive to CRO-chief risk officer-makes sense in medium to small enterprises where key executives often assume multiple roles. The benefit in this approach is that the CRO considers areas of risk beyond those dealt with by a CSO or CISO.

    A second compelling reason for many CISOs’ lack of success is their inability to establish a credible economic basis for security investments and to assess information security relative to business initiatives. Much has been said about return on security investment (ROSI) and security metrics. At first glance, metrics seem to be the Yellow Brick Road to the boardroom. However, the CSO Security Sensor Survey reported that 34% of respondents did not use ROSI and had no intention to do so. The problem with ROSI is that its components are too subjective. Right now, there is no standard, statistically valid method of measuring ROSI. Some CISOs are using “homemade” formulas to calculate ROSI, but without sound standards and appropriate rigor, these calculations are not worth the time it takes to create them.

    Solution: Use a Standard, Valid, Reliable Metric Be cautious of traditional security metrics, such as “total number of incidents reported.” When you add more firewalls, the number of incidents reported goes up, not down. Associative-Based upon a best practice or security model that enables comparison within the organization, within the industry, or across industries. One way to achieve an associative metric is to use ISO-17799 as the template for your security program. ISO-17799 is a comprehensive set of controls utilizing the best practices in information security.

    http://www.securityinfowatch.com/print/Security-Technology-and-Design/Homeland-Security/Repositioning-the-CISO/4789SIW2

    Read more

    Tough road for identity tech

    Posted on by admini

    Governments in Western Europe, Southeast Asia and the Middle East have projects in launch mode or in the planning stages.

    Even in the U.S.–which like the U.K. has long resisted the urge to require citizens to bear ID cards–federal officials are pushing a de facto national ID. ID card projects around the world include efforts to collect biometric data, such as fingerprints, on citizens and permanent residents. The identifiers get stored on a microprocessor chip embedded in a digital card and on a central database.


    Although officials often try to promote the technology as bringing government closer to the people, at bottom they see it as one of the most effective ways to stem the flow of illegal immigrants, crack down on ID fraud and, for many countries, reduce the threat of terrorism. Among the large national ID projects on the drawing board in the West, France and the U.K. are tying their cards to planned rollouts of electronic passports. And although critics of the plans, led by privacy advocates and fiscal conservatives, have been gaining strength of late, officials are not likely to back down, especially after the recent terrorist attacks in London.

    A vast market Reliable estimates of the ID card tech market are difficult to come by. U.S.-based equity research firm Morgan Keegan last year estimated governments worldwide spent $4.8 billion in 2003 to identify and track citizens and residents, mainly through the use of low-tech cards and associated databases and network infrastructure. That is expected to grow to $10.7 billion by 2007, fueled largely by the higher costs for chip-based, or “smart,” cards and biometrics, including the biometric databases and readers.
    “National ID has big growth, and that’s purely being driven by China.” Anoop Ubhey, analyst, Frost & Sullivan Smart card suppliers project they will ship 60 million government ID cards worldwide this year, up by a third from 2004. The estimate includes some health cards that patients use to file their insurance claims.
    U.S.-based printer and PC giant Hewlett-Packard has seized on such projections to help it tout a “National Identity System” offering, which it announced in late May. HP, eager to reduce its dependence on sales of ink cartridges and the fiercely competitive PC business, has cast itself in the role of systems integrator to governments around the world. It hopes to sell officials on complete “identity management systems,” including biometric verification, smart cards and networking software. For this it has enlisted various IT “partners,” including Microsoft. “It’s a crying need from those governments,” says Jim Ganthier, worldwide marketing director for HP’s Defense, Intelligence and Public Safety unit.

    U.S.-based research firm Frost & Sullivan isn’t quite as bullish on the market. It estimates governments worldwide issued just 12.4 million electronic ID cards to citizens and permanent residents last year. It predicts that will increase to 450 million cards a year in 2009. But much of that growth will come from one massive project. “National ID has big growth, and that’s purely being driven by China,” says Anoop Ubhey, an analyst for Frost & Sullivan. “We certainly don’t think the whole project will be completed by 2008.” And Beijing is keeping card costs low and restricting almost the entire $6 billion-plus project to domestic vendors.

    http://news.com.com/Tough+road+for+identity+tech/2100-7341_3-5839928.html?part=rss&tag=5839928&subj=news

    Read more

    Bills could make businesses do more to prevent ID theft

    Posted on by admini

    The Wall Street Journal reported recently that security breaches exposing customer data have triggere
    d lawsuits across the country. The Federal Trade Commission says 9 million Americans had their identities stolen last year, costing businesses and consumers $50 billion a year in fraudulent spending.

    Last month, U.S. Rep. Artur Davis, D-Birmingham, co-sponsored the Consumer Data Security and Notification Act of 2005, along with Democratic Reps. The bill provides stronger consumer protections and enforcement against credit-card fraud and identity theft by expanding federal protections against improper collection and sale of sensitive consumer information. It also provides consumers with advance warning when their personal information is at risk. Davis was joined at a recent press conference at Birmingham Police headquarters by several attorneys general who outlined the challenges they face fighting ID theft. Among Davis’ supporters was Birmingham Police Chief Annetta Nunn, who said someone recently stole a credit card mailed to her home and ran up thousands of dollars in charges. “Congress needs to strengthen federal standards to provide more rigorous safeguards against the rising problem of identity theft,” Davis said.

    Also in July, a Senate Commerce Committee unanimously approved a bill that would clamp down on how corporations handle consumers’ personal information. The Identity Theft Protection Act would require nonfinancial companies, such as data brokers, that handle sensitive personal information to ensure its security and confidentiality with safeguards specified by the Federal Trade Commission. If the security is breached and the company determines it creates a “reasonable risk” of identity theft, the company would have to notify affected consumers or face fines of up to $11,000 per consumer. Ted Stevens, R-Alaska, who chairs the commerce committee, said the full Senate will not vote on the Identity Theft Protection Act until he completes negotiations on a jurisdictional dispute with Senate Banking Committee Chairman Richard Shelby, R-Tuscaloosa.

    The Alabama Republican has asserted jurisdiction over sections of the Senate Commerce bill that deal with the Fair Credit Reporting Act. The American Banker recently reported that Shelby is drafting a bill that sources speculate may bar financial services companies from using service providers that do not follow strict data security standards. Gardner said recent high-profile data security breaches have exposed the vulnerability at many U.S. companies. “Identity theft is a major problem and businesses must adjust to prevent it,” he said.

    http://www.al.com/business/birminghamnews/index.ssf?/base/business/11243568066180.xml&coll=2

    Read more

    Hackers’ Prowess on Display at Defcon Conference

    Posted on by admini

    Defcon is a no-man’s land where customary adversaries — federal agents vs. digital mavericks — are supposed to share ideas about making the Internet a safer place.

    This year’s hot topics included a demonstration of just how easy it may be to attack supposedly foolproof biometric safeguards, which determine a person’s identity by scanning such things as thumb prints, irises and voice patterns.

    Banks, supermarkets and even some airports have begun to rely on such systems, but a security analyst who goes by the name Zamboni challenged hackers to bypass biometrics by attacking their backend systems networks.

    Radio frequency identification tags that send wireless signals and that are used to track a growing list of items including retail merchandise, animals and U.S. military shipments– also came under scrutiny. A group of twentysomethings from Southern California climbed onto the hotel roof to show that RFID tags could be read from as far as 69 feet (21 meters). That’s important because the tags have been proposed for such things as U.S. passports, and critics have raised fears that kidnappers could use RFID readers to pick traveling U.S. citizens out of a crowd.
    RFID companies had said the signals didn’t reach more than 20 feet (six meters), said John Hering, one of the founders of Flexilis, the company that conducted the experiment.

    An annual highlight of the conference is the “Meet the Feds” panel, which this year included representatives from the FBI, NSA and the Treasury and Defense departments. Morris and other panel members said they would love to hire the “best and brightest” hackers but cautioned that the offer wouldn’t be extended to lawbreakers. During the session, Agent Jim Christy of the Defense Department’s Cyber Crime Center asked the audience to stand.

    Some federal agents were indeed taking careful notes, though, when researcher Michael Lynn set the tone for the conference by publicizing earlier in the week a vulnerability in Cisco routers that he said could allow hackers to virtually shut down the Internet. That flaw was patched in April, but Lynn showed that Cisco hadn’t quite finished the repair job — that the same technique could be used to exploit other vulnerabilities in Cisco routers. Cisco and ISS went to court to try to stop Lynn from going public, but Lynn quit ISS and spoke anyway.

    “We’re never going to secure the Net if we don’t air and criticize vulnerabilities,” said David Cowan, a managing partner at venture capital firm Bessemer Venture Partners.

    During a session on ATM machines, Morris said thieves have been able to dupe people out of their bank cards and passwords by changing the software in old ATM machines bought off eBay for as little as $1,000 and placing the machines out in public venues.

    http://www.technologyreview.com/articles/05/08/ap/ap_080405.asp

    Read more

    Government, Financial Top Targets Of Security Attacks

    Posted on by admini

    The government sector was the most targeted industry, with more than 54 million attacks, while manufacturing ranked second with 36 million attacks, financial services was third with approximately 34 million, and healthcare was hit with more than 17 million attacks – accounting for more than 137 million of all attacks this year.

    IBM has seen a resurgence of targeted phishing attacks for money laundering and identity fraud purposes, believed to be largely driven by criminal gangs that have become more astute in the creation and delivery of such attacks.

    According to its latest Global Business Security Index, in the first half of the year, there were more than 35 million phishing attacks launched to steal critical data and personal information for financial gains. Spawns of phishing threats such as ‘spear phishing’ – highly targeted and coordinated attacks at a specific organisation or individual designed to extract critical data – increased more than ten-fold since January of this year alone.

    Unlike in previous years, when viruses were mainly created and launched to slow down and cripple IT systems, these types of ‘customised’ attacks have shown their potential to defraud businesses, steal identities and intellectual property and extort money, while damaging the brand and eroding customer trust.

    The ratio of spam to legitimate email continuously decreased over the course of the last six months, from 83 percent in January to 67 percent in June 2005, while virus-laden email increased fifty percent over the same period. At first glance what appears to be good news, the levelling off of massive outbreaks that cripple IT environments on a regional or global basis in the past six months seemingly indicates that hijacking computers to send spam is no longer the network disruption of choice.

    “IBM advises its clients to rapidly adopt a holistic, enterprise-wide approach to security and risk management,” said John Lutz, general manager, Financial Services Sector, IBM. “To protect their critical data, infrastructure, brands, and money, IBM advises businesses to rethink how they protect their operations, business processes and governance structures.

    http://www.ebcvg.com/articles.php?id=825

    Read more