Category: News

Companies can now operate a wide range of applications over a single network platform including unified messaging, video conferencing, and flexible remote access. Before the advent of convergence, voice traffic was relatively secure in the protective proprietary operating environment of the customer’s PABX.

Now, however, it is typically just another generic server type platform within a company’s data system and, as such, subject to the same risks that affect the data environment as a whole including worms, viruses and password attacks. With an old-fashioned TDM PBX switch an intruder would typically have to have physical access to the phone line itself in order to attach a bugging device and eavesdrop on calls. Now, just by penetrating the VoIP gateway, he may place the voice conversation itself under threat not just from straightforward listening in, recording and replaying but even in some cases call redirection.

Voice over IP (VoIP) remains a relatively new development, critical security vulnerabilities are being identified all the time, leaving systems at risk from a broad range of potential attacks, leading to possible ‘denial of service’. In spite of these continued threats, there is still some naivety about the sensitivity of the marketplace to voice performance and voice resilience.

Perhaps even more alarmingly the availability of the IP network itself could be at risk, threatening the ability of an organisation to communicate via either voice or data.

And many of the end users to whom they are selling do not have the budget or the in-house resources to manage or even fully understand all the security implications of the growing development of VoIP solutions.

Consequently, there is set to be significant market growth in solutions from the major providers that are designed to protect IP telephony platforms.

In the past, voice networks were generally robust and built on long established and evolved standards. Equally the process of PBX configuration had become almost routine and voice transmission plans, interface and integration processes well rehearsed. Equally, the value of IP telephony security is likely to receive greater recognition and more robust voice security built into the fully converged solutions currently being developed for customers.

If end users are to have full confidence in migrating to VoIP solutions, it is essential that the major providers play a key role in this process.

To understand the nature of this role, you first need to appreciate that VoIP security cannot be seen in isolation. It is just one, albeit critical, part of the complex integration challenge facing providers of converged solutions today.

http://www.ebcvg.com/articles.php?id=761

The assessment guidelines, to be released in NIST Special Publication 800-53A early next month, are designed to enable periodic testing and evaluation of the security controls federal agencies need to put in place, said Ron Ross, project leader of NIST’s Federal Information Security Management Act (FISMA) Implementation Project.

The mandatory security rules themselves were released in February in a separate NIST document, called Special Publication 800-53 (download PDF). That document details the baseline security controls for different categories of federal information management systems.

The security rules cover 17 different areas, including access control, incident response, business continuity and disaster recoverability, and will become a required Federal Information Processing Standard by year’s end for all federal systems except those related to national security. The guidelines are designed to allow federal agencies to assess “if mandated controls have been implemented correctly, are operating as intended and are … meeting the organization’s security requirements,” Ross said.

The NIST assessment guidelines are “very closely aligned” to SP 800-53, Ross said.

The first draft will detail assessment procedures for five of the 17 security controls described in the February document but will eventually include guidelines for all the rules. Every security control mandated in SP 800-53 will have an associated assessment method and procedure, Ross said. For example, a security requirement that federal agencies have formal information back-up processes will have an associated procedure describing how compliance can be evaluated, Ross said.

The guide can be used for agency self-assessments, by certification agents and auditors to do independent testing and even by IT systems developers, according to Ross.

“The goal of 800-53A is right on target,” said Alan Paller director of research at the SANS Institute, a Washington-based security information center.

Too often, a lack of clear guidelines leads to situations where mandated security controls are interpreted in different ways, Paller said. “The greatest mistake is when people write what needs to be done but not how it needs to be done,” he said. How effective the guidelines will be depends on how much detail it provides to information security assessors, Paller said. “If it was written by people who have really protected systems and cleaned up after attacks, it is likely to provide what is absolutely needed,” he said.

On the other hand, if the document was crafted by “policy people” with little hands-on experience, it may not be of much practical value, he said. While such assessment guides can be useful, “if a lot of the underpinning details are not addressed it can give a false sense of compliance,” said Will Ozier president of OPA Inc., a Vacaville, Calif.-based risk management consultancy.

http://www.computerworld.com/securitytopics/security/story/0,10801,102409,00.html?source=x73

“Our research indicates that the majority of organizations tend to think about security solely in terms of technological solutions and not procedure,” says Joe Greene, vice president of IDC Canada.

That’s perhaps a common enough refrain that enterprise network managers can say they’ve heard it all before. The problem is that, for all its repetition, the message doesn’t always seem to get through, and Greene says that’s probably because you can see and touch the results of capital expenditures. But things you can’t buy, like solid procedures, processes and good sense, are ultimately intangible.

“There’s got to be someone’s time involved, and in realistic terms that costs money,” Greene says, “But you see organizations that invest in an anti-virus solution and think ‘okay, we’re fine now.’ The investment itself won’t go very far unless you follow it up, not so much with further investments in products and solutions, but with procedures.”

Indeed, maintaining a safe network is as much a question of using existing assets as of acquiring new ones. And ensure you have the proper controls in place to make sure things are happening.”

Spyware and adware would not be so much of a problem if users could be made aware of the perils of clicking through the link on that tempting fishing message or downloading allegedly “free” software that, in fact, installs a battery of resource-hogging nasties on company systems.

For the IT department, eternal vigilance is the price of network security. Some of these things are no-brainers, particularly when it comes to defending against malicious network-borne code like viruses and worms.

On the other hand, it’s easy to slip into a complacent, false sense of security when there haven’t been recently any headline-grabbing worm and virus scares like Blaster and Slammer. However, the risks are so great and the costs so low that Greene says it’s important to institute processes that keep IT staff and the enterprise as a whole at a state of readiness.

“It requires constant vigilance to make sure that employees are aware of the dangers, and to be prepared to deal with problems as soon as they emerge,” he says. There are fewer no-brainers, but Greene says that the same vigilant mindset can go a long way to prevent the worst excesses of the on-line criminal element.

At the end of the day, the best security is a product of the kind of thing that money can’t buy: attention to detail, a willingness to keep systems maintained and a mindset that hopes for the best by preparing for the worst. It’s just common sense, Greene says, but the problem with that is that common sense isn’t always that common.

http://www.networkingpipeline.com/164300859

According to the Anti-Phishing Working Group (APWG), a collection of over 1,400 companies, banks, ISPs, and government agencies, April saw a large increase in the number of credit unions targets by phishers. Both relatively large regional credit unions to niche institutions that serve narrow groups of workers were targeted, said the APWG. “Hackers are modifying their attack methods by shifting away from attacking popular or large institutions,” said the APWG in its report.

Other trends in April, said the APWG, included a slight decline in the number of phishing e-mails — it dropped about 4 percent from March’s tally — and a 1.6 fall in the number of phishing Web sites.

There’s also evidence that phishers are cooperating, said the APWG, which noticed several occasions in April when multiple attacks were launched simultaneously at the same target.

“This points to a common root, or — at least — some interconnection and organization among phishers,” concluded the report.

April’s report can be downloaded in PDF format from the APWG Web site.

http://www.techweb.com/wire/security/164300203

For the study, titled “Open to Exploitation: American Shoppers Online and Offline” and released today, 1500 adult U.S. Internet users were asked true-or-false questions about topics such as Web site privacy policies and retailers’ pricing schemes.

Most respondents failed the test, correctly answering, on average, 6.7 of the 17 questions. 75 percent of respondents wrongly believe that if a Web site has a privacy policy, it will not share their information with third parties.

Almost half of respondents (49 percent) can’t identify “phishing” scam e-mail messages, which information thieves dress up to look as though they came from a legitimate company, such as a bank or store, to lure users into entering sensitive information.

62 percent of respondents don’t know that an online store can simultaneously charge different prices for the same item based on information it has on different shoppers–a practice that can make users victims of what the study’s authors call “price discrimination.”

To address the problems identified in the study, the Annenberg Public Policy Center is proposing three measures.

http://www.pcworld.com/news/article/0,aid,121099,00.asp

In 2003, it was agreed by the International Civil Aviation Organisation (ICAO) that the initial international biometric standard for passports would be facial mapping, although additional biometrics such as fingerprinting could be included. Currently, for example, all foreign visitors entering the US have their two index fingers scanned, and a digital photograph taken before they are granted entry. Most visitors are also required to obtain a visa.

Michael Chertoff, US Secretary of Homeland Security, last week said this the EU and US were close to a deal on the introduction of biometrics in passports for those seeking entry to the US, and urged the EU to ensure compatibility between EU and US biometric systems. According to press reports, Chertoff has also asked the UK to consider chip compatibility in respect of the proposed UK national identity card scheme. These decisions have been reinforced by a decision of the Council of Ministers of the European Community to introduce a common format passport for member states. The decision of the UK government to link the ID cards with the passport means that the UK’s ID card will be compatible with international passport standards.

The US had initially set 26 October 2004 as the date by which Visa Waiver Program travellers were supposed to present a biometric passport for visa-free travel to the US, but extended it for one year when it became clear that the 27 states that are eligible for the Program including the UK would be unable to comply. Biometric passports have been identified by governments throughout the world as a key factor in the fight against terrorism, and their implementation is being driven by the US. “By October 26, 2004, in order for a country to remain eligible for participation in the visa waiver program its government must certify that it has a program to issue to its nationals machine-readable passports that are tamper-resistant and which incorporate biometric and authentication identifiers that satisfy the standards of the International Civil Aviation Organization (ICAO).”

http://www.theregister.co.uk/2005/05/30/us_eu_biometric_id_compatability/