CyberSecurity Institute

Security News Curated from across the world

Category: News

Spammers ‘tricking ISPs’ into sending junk mail

Posted on February 2, 2005 (updated December 30, 2021) by admini

Previously, these zombie PCs have been used as mail servers to send spam emails directly to recipients. “The Trojan is able to order proxies to send spam upstream to the ISP,” said Steve Linford, director of SpamHaus. Reports suggest that ISPs in the US have already been hit.

Linford predicts that ISPs will see a growth in the volume of bulk mail they send and receive over the next two months, with spam levels rising from 75 percent of all email to around 95 percent within a year.

Linford said that ISPs need to act fast to take control of the problem.

“This ups the ante in the need for filters,” said Mark Sunner, chief technology officer for MessageLabs.

http://news.zdnet.co.uk/internet/security/0,39020375,39186364,00.htm

CSIRT groups take on new roles

Posted on January 31, 2005 (updated December 30, 2021) by admini

“We’re definitely seeing an increase in the number of [CSIRTs] being formed,” says Georgia Killcrece, leader of the CSIRT development team at the CERT Coordination Center at Carnegie Mellon University.

In many cases, companies are being driven to create CSIRTs by mandates from Washington, industry groups and the upper reaches of corporate management, she says. New requirements in laws such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and California State Law SB 1386 hold companies accountable for the handling and whereabouts of sensitive data, and require them to respond appropriately to any breaches of customer or employee privacy.

At their best, CSIRTs let companies react in a consistent and coordinated way to events that affect IT systems. “Companies don’t want to have to reinvent the wheel each time an incident occurs. They want to know what to do, gather the right information and pull the right people together,” Killcrece says.

To create an incident response team, start by getting the proper participants together. Business managers, network and desktop administrators, and IT security experts have to be involved, Killcrece says. Legal staff, human resources representatives and senior executives who make funding decisions also should participate in the planning.

When drafting your CSIRT plan, start with the basics, recommends Adam Hansen, manager of security at Sonnenschein, Nath & Rosenthal, a law firm in Chicago.

Companies also need to identify the scope of a CSIRT’s responsibilities, says Troy Smith, senior vice president at Marsh Risk Consulting.

“You have to look at the core software applications that you need to sustain yourselves. If you have one set of systems that are really critical, the scope [of the CSIRT] could be narrow. If you’re an organization that’s very dependent on technology, it could be very broad,” he says.

Howard Schmidt, former White House cybersecurity adviser and the current chief security officer at online auction site eBay, recommends a holistic approach to creating CSIRTs.

“The biggest mistake is to think that you can [create CSIRTs] in a short time - that you’ll set it up and it will be in operation next month,” she says.

Ultimately, the success of an organization’s incident response team will depend on its commitment to that team: the resources and funding allocated, the time put into planning and rehearsing incident response scenarios.

Every CSIRT is special: Identify what your company’s core business processes and systems are, what needs to be done to support and protect those, and how they can be quickly restored if need be.

http://www.nwfusion.com/careers/2005/013105man.html?fsrc=rss-security

MySQL worm halted

Posted on January 28, 2005 (updated December 30, 2021) by admini

More than 8,000 Windows computers running the MySQL database were probably infected with the worm program, referred to as the MySQL bot worm or by the name of the executable file, SpoolCLL, that the worm installs on vulnerable machines.

The program did not spread on its own, but downloaded targets from several Internet relay chat (IRC) servers. Those servers have been made inaccessible, virtually stopping the worm, said Oliver Friedrichs, senior manager for incident response at security technology maker Symantec. “We are just seeing residual infections,” Friedrichs said. “The worm cannot connect to those servers, so it has lost its control channel. Without those commands, the worm is not going to be able to spread.”

The worm started infecting systems on Tuesday, according to Symantec’s network of sensors.

While the thousands of compromised systems hardly compare to the millions of systems infected by MSBlast or hundreds of thousands compromised by Microsoft SQL Slammer, the MySQL worm is significant for a different reason: Technically, it’s not a worm, but an example of bot software, designed to infect and control computers. Such programs are numerous (Symantec’s catalog holds more than 6,500) and, as the MySQL worm demonstrates, can easily be turned into programs that spread widely.

“We are seeing a real graying of the lines,” Friedrichs said. “There is really a huge blur now between all the different kinds of threats.”

Bot software represents a significant danger on the Internet because computers compromised by the programs can be controlled by an attacker, allowing anonymous assaults on Web sites, untraceable spam floods and a way for an attacker to steal data. Anyone attempting to trace back the malicious activity will merely find the compromised computer. Most users are unaware that their computer systems contain malicious software. A group of computers controlled by bot software, known as bots or zombies, disrupted Internet service provider Akamai’s network in June.

The MySQL worm, which Symantec refers to as Spybot.ivq, underscores the danger that far more of these programs will start to have an automated function for scanning for vulnerable systems and spreading to any potential victim found.

On Thursday, the company that develops the MySQL database software, MySQL AB, emphasized that the bot software spread by exploiting weak passwords and that MySQL runs with elevated privileges under Windows. The company’s security team released an advisory outlining steps that MySQL administrators could use to identify infections and safeguard their systems.

The ability to use user-defined functions in MySQL is a feature, not a flaw, said Zack Urlocker, vice president of marketing for MySQL. “Although this vulnerability stems from users not setting a proper password or firewall on Windows, we take full responsibility in helping our users make sure they have a secure environment,” Urlocker stated in an e-mail interview. “This does appear to have been a Windows-only issue… It is unlikely to be an issue on Linux.”

Unix-like systems, such as Linux and BSD, run server software, including the MySQL database, as a separate user, shielding many critical system functions from exploitation by such a worm.

A report from Next-Generation Security Software (NGSSoftware) published last July described the mechanism for exploiting Windows systems through the MySQL database’s user-defined functions. Code to do just that was published on the Internet in December.

Microsoft was not immediately available for comment on whether the installation of code by exploiting MySQL’s user-defined functions could be blocked on Windows.

http://news.zdnet.com/2100-1009_22-5555242.html

Londoners top world in leaving laptops in taxis

Posted on January 25, 2005 (updated December 30, 2021) by admini

The international survey of 900 taxi drivers reveals that absent-minded passengers are leaving sensitive information up for grabs because they fail to use password and encryption facilities on mobile devices.

In the last six months in London, 63,135 mobile phones (an average of three phones per taxi), 5,838 PDAs and 4,973 laptops have been left in licensed taxi cabs. Cab drivers in Helsinki, Oslo, Munich, Paris, Stockholm, Copenhagen, Chicago and Sydney also took part in the study which revealed wide international differences.

Londoners left more than double the number of laptops in the back of taxis compared with other cities. In Chicago, the mobile devices most likely to be left behind were PDAs, with one taxi driver reporting finding 40 in his taxi in the past six months.

Danes were most forgetful when it came to mobile phones, leaving seven times as many in the back of cabs as Germans or their Swedish neighbours.

The survey in London was conducted by TAXI, the magazine for the Licensed Taxi Drivers Association, and sponsored by Pointsec, a mobile security outfit. Pointsec carried out a similar study in London three and a half years ago and recorded 71 per cent fewer PCs left in the back of cabs. Magnus Ahlberg, MD of Pointsec, commented: “It is alarming to see that the problem of losing mobile devices has accelerated so dramatically since 2001, with more people than ever losing their mobile devices in transit.

In fact, mobile users are in a worse position now, because they are far more reliant on using their mobile devices to store massive amounts of sensitive information, with very few concerned about backing it up or protecting it.”

With such forgetful passengers it’s just as well that taxi drivers are generally an honest bunch. According to the survey, an average of 80 per cent of passengers were reunited with their mobile phones and 96 per cent with their PDAs and laptops – with the cab drivers in almost all cases tracking down their owners. However, the case was very different in Australia, with only 46 per cent of laid-back passengers bothering to reclaim their mobiles and only 18 per cent being reunited with their laptops.

Stuart Pessok, editor of TAXI, commented: “Often people are working whilst being driven around in taxis and it’s commonplace for them to forget their mobile devices.

Luckily if they forget them in a taxi, there is a good chance they’ll get them back, but will they be so lucky if they forget them in an airport, restaurant, train or tube?”

UK taxi drivers reported finding a “harp, a throne, £100,000 worth of diamonds, 37 milk bottles, a dog, a hamster, a suitcase from the fraud squad and a baby” in their cabs.

http://www.theregister.co.uk/2005/01/25/taxi_survey/

Tough local laws drive corporate security

Posted on January 25, 2005 (updated December 30, 2021) by admini

Michael Colao, director of information management at merchant bank Dresdner Kleinwort Wasserstein, says this has little to do with bolstering information security and everything to do with ensuring there is no risk of senior managers going to jail.

Failure to comply with tighter compliance laws can result in criminal sanctions. Breaches of Italy’s rigorous data security and privacy laws, for example, are punishable by up to three years imprisonment regardless of whether an information security breach has taken place. So far, Italian authorities have not served any notable enforcement action against data slackers. But some multinationals are taking no chances: Microsoft, for example, has revised its global policy to comply with Italian regulations, according to Colao, speaking yesterday at the Computer and Internet Crime Conference in London.

California’s security breach disclosure law, which obliges companies to notify their customers of security breaches exposing personal information, such as social security numbers, applies only to the state. But US banks are beginning to use it as a model for their national policy.

Although the most security conscious organisations are applying the most restrictive policies nationally or internationally, other firms remain apathetic about establishing a security policy of any description. According to Colao, tighter rules could perversely create a wider gap between the security-conscious and the apathetic, with some IT directors simply burying their heads in the sand.

http://www.theregister.co.uk/2005/01/25/international_security_policy/

Hackers use old-fashioned eavesdropping to steal data

Posted on January 24, 2005 (updated December 30, 2021) by admini

The danger of attacks with insider information was illustrated earlier this month with the arrest of a California man accused of breaking into mobile phone network T-Mobile USA’s database and reading e-mails and files of the U.S. Secret Service, and by the exploits of a hacker who breached a hospital’s database and changed mammogram results.

The nature of threats to network security has changed as sophisticated hackers learned to tap into sensitive information flowing through telecommunications’ servers, especially those that provide wireless and Internet access.

Security experts at Intrusic captured 4,466 passwords and 103 master passwords allowing global access to corporate databases while monitoring one Internet service provider for a 24-hour period, Intrusic President Jonathan Bingham said.

“Telecoms and cable companies are pretty high on the list simply because of their huge customer bases,” Koetzle said. “If they can crack T-Mobile’s database they can get user names and passwords for (millions of) subscribers all at once.” In a statement, T-Mobile, a Deutsche Telekom AG unit, said it “quickly put in safeguards to prevent further access and began an investigation” after a hacker broke into its internal computer systems in 2003 and accessed data on 400 customers.

The key to cutting down on damage from inevitable insider attacks is to constantly monitor data flow and train employees to guard passwords and access to computers, he said. Stan Quintana, director of managed security services at AT&T Corp, added that among the “best practices” AT&T advocates is that its customers periodically hack into their own networks.

http://www.usatoday.com/tech/news/computersecurity/2005-01-24-hackers-listening-in_x.htm
