Category: News

1. ATM Network Fraud According to Paul Kocher, president and chief scientist of Cryptography Research Institute, the number one area that institutions will see fraud growing over the next year is in ATM networks.

2. Check Fraud The area of check fraud is also becoming continuously more sophisticated, and the underlying technological systems haven’t kept pace with the sophistication of the adversaries, says CRI’s Kocher.

3. ‘Laser-Guided’ Precision Strikes The organization and sophistication of criminals is increasing, and so is the sophistication of their attacks.

4. Phishing Attacks To Continue In 2008, the financial services industry has seen an increase in the numbers of phishing attacks that are expected to continue into 2009, including sophisticated spear phishing and Rock Phish attacks.

5. Check Image Fraud Traditionally, after a successful phishing attack, the criminal would extract the needed information and go onto the online account and remove the victim’s bank funds.

6. Zero Day Attacks Another area that financial institutions will need to keep an eagle eye on is the shift in the way financial fraud is happening.

7. Low ‘N Slow Attacks Imagine having the best firewalls, intrusion detection systems and an unbeatable monitoring system installed, says eIQnetwork’s Rothman.

8. Drive-By Attacks Deliver Institutions need to educated and warn customers and employees to beware the online look-alikes and infected websites, says Tom Wills, Javelin Strategy Research’s Senior Analyst for Security & Fraud.

9. Phones Will Be Ringing All institutions need to keep a close ear and eye on their phone channel, says Wills.

10. Insider Threat This is one of the most important issues that financial institutions are going to face in the coming year, says Jody Westby, Adjunct Distinguished Fellow at Carnegie Mellon University’s CyLab and CEO of Global Cyber Risk, a Washington, DC-based cyber intelligence firm.

http://www.bankinfosecurity.com/articles.php?art_id=1098

DNS is critical to the functioning of the Internet, linking IP addresses with domain names. Thanks to security researcher Dan Kaminsky, awareness around the DNS and its shortcomings have been greatly elevated this year.

DNSSEC is a key solution to ensuring that the DNS cache poisoning attack that Kaminksy first warned about cannot occur. “Collaboration of this kind is how DNSSEC was developed in the first place, and it’s how BIND’s DNSSEC feature development was sponsored,” Paul Vixie, a leading authority on DNS and the founder of Internet Systems Consortium (ISC) told InternetNews.com. “Now it’s the thing I suspect a lot of IT managers are waiting for so that they can relax a little bit and see DNSSEC as non-controversial, worthy of investment.” DNSSEC provides a form of signed verification for DNS information, which is intended to assure DNS authenticity.

Vixie’s BIND DNS server has had DNSSEC capabilities since 2004, though global deployment of DNSSEC has been in the single digits due to a number of implementation related challenges.

The new coalition will aim to identify and overcome the challenges and make DNSSEC deployment a global reality. One of the key players in the new DNSSEC coalition is VeriSign, the vendor that controls the Internet’s root domain servers for the .com and .net domains. “We firmly believe that DNSSEC is a technology that requires implementation and it solves a specific problem that nothing else solves,” Pat Kane, vice president of naming services at VeriSign told InternetNews.com. The specific problem in Kane’s view is man in the middle cache poisoning attacks like the one discovered by Kaminsky.

The basic idea behind the attack is that DNS server responses can be tampered with to redirect end users to different sites, so a user could type in “Google.com” and be taken to a phishing site instead. With encryption signed DNS information from DNSSEC, a domain name would be validated to ensure authenticity. Though DNSSEC is something VeriSign is supportive of, Kane cautioned that it is not a solution for everything that ails the Internet.

http://www.internetnews.com/infra/article.php/3789181/Coalition+to+Secure+DNS+Takes+Shape.htm

The document, produced in August for the Pentagon’s department for acquisition, technology and logistics and first reported last week by Inside Defense, says that the task force will also address the fact that the increasing use of non-U.S.

A report last year from the Defense Science Board warned that the globalization of the supply chain, with software for high-technology systems increasingly developed outside the United States, created targets for unfriendly countries or other U.S. adversaries.

http://washingtontimes.com/news/2008/oct/27/army-defense-task-force-targeting-hackers/

Even though strides are being made to define standards for extending Ethernet to handle data center applications, these advances will not be a panacea, according to vendors. Indeed, proprietary extensions to those standards, which are being defined by the IEEE and the Technical Committee T11 of the InterNational Committee for Information Technology Standards, will still be required to address customer requirements for data center-optimized Ethernet. Additionally, vendor marketing may confuse the issue even more as some have adopted different acronymic brands that essentially refer to the same technology.

A group of vendors is driving standards for Converged Enhanced Ethernet (CEE), an extended version of Ethernet for data center applications. Cisco participates in the CEE standards efforts, though refers to the technology as Data Center Ethernet (DCE).

A new kind of Ethernet CEE and DCE describe an enhanced Ethernet that will enable convergence of LAN, storage-area network and high-performance computing applications in data centers onto a single Ethernet interconnect fabric. Currently, these applications have separate interconnect technologies, including Fibre Channel, InfiniBand and Myrinet. This forces users and server vendors to support multiple interconnects to attach servers to the various networks, a situation that is costly, energy and operationally inefficient and difficult to manage.

So, many in the industry — including Brocade, EMC, NetApp, Emulex, Fujitsu, IBM, Intel, Sun Microsystems and Woven Systems, in addition to Cisco and Force10 — are proposing Ethernet as a single, unified interconnect fabric for the data center. These vendors point to its ubiquity, familiarity, cost and speed advances: 10Gbit/sec. But in its current state, Ethernet is not optimized to provide the service required for storage and high-performance computing traffic — speed alone won’t cut it, vendors said.

Ethernet, which drops packets when traffic congestion occurs, needs to evolve into a low- latency, “lossless” transport technology with congestion management and flow control features, according to backers. “You need to make sure Ethernet will behave in the same way as Fibre Channel itself,” said Claudio DeSanti, a technical leader in Cisco’s storage technology group. DeSanti is vice chair of T11 and technical editor of the IEEE’s 802.1Qbb priority-based flow control project within the Data Center Bridging (DCB) task group.

T11’s FCoE defines the mapping of Fibre Channel frames over Ethernet so storage traffic can be converged onto a 10Gbit/sec. The IEEE’s DCB task force is defining three standards — 802.1Qau for congestion notification, Qaz for enhanced transmission selection and Qbb for priority-based flow control. Where Ethernet standards fall short Vendors said these standards should be solid enough to implement in products and deploy in data centers by late 2009 or early 2010. The DCB standards will be final in March 2010, four months later than initially planned because of some outstanding but not insurmountable issues, according to Pat Thaler, chair of the DCB task group in the IEEE.

But some leading-edge customers need a pre-standard lossless Ethernet implementation now, vendors said; and even when these standards are complete they will be incomplete, others pointed out. “A particular area where we feel these standards don’t really address is the avoidance of congestion — primarily with respect to load-balancing traffic first before we rate limit traffic at the source,” said Bert Tanaka, vice president of engineering at Woven Systems. “They are really targeted for a fairly small fabric — maybe hundreds of nodes,” he said. “But if you’re trying to scale to multiple hops and larger fabrics, it’s not clear it would scale to something like that.”

Apart from the standards efforts, CEE and DCE may raise some operational challenges, according to Chuck Hollis, EMC’s global marketing chief technology officer.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117639&source=NLT_PM&nlid=8

The operator of the .org TLD has also committed to the system, according to the Commerce Department.

But to get the full benefits of DNSSEC requires domain name registrars, domain name registries, Internet service providers and others to upgrade their software. “DNSSEC-signed root zone would represent one of most significant changes to the DNS infrastructure since it was created,” according to a notice issued by the Commerce Department in the Federal Register, a daily digest of U.S. government notices.

As it stands now, TLD operators send changes to the Internet Assigned Numbers Authority, which is part of the Internet Corporation for Assigned Names and Numbers. ICANN then sends the changes to the U.S. National Telecommunications and Information Administration, which is part of the Commerce Department. The heavy involvement of the U.S. government in how the Internet’s addressing system is administered, as well as the interests of VeriSign, has drawn criticism that the process is too U.S.-centric. And there appears to be a battle brewing over which entity will manage the cryptographic keys required to sign the root zone file.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116900&source=NLT_PM&nlid=8

802.1AE is a completed standard and will be appearing soon in hardware.

Organizations have the option of encrypting frames that traverse the wire, but in theory, there are few reasons not to encrypt. We say “in theory” because of the potential performance impact encryption has on switch capacity and delay.

The default encryption algorithm, AES-GCM, will require a hardware upgrade in network infrastructure and host network interface cards. 802.1AE implementations must conform to performance characteristics defined in the standard.

The downside is that any products that transparently process network traffic, like load balancers, traffic shapers, and network analyzers, will be blind to 802.1AE-protected traffic.

802.1X-REV builds on 802.1X to support features like authentication of multiple devices on a single switch port and key distribution for 802.1AE devices. Rather than manually creating and installing keys in network devices, 802.1X-REV makes key management part of the protocol in a fashion similar to 802.11i or WPA/WPA2.

Many organizations’ physical wiring has one physical LAN port per desk or cubicle, and 802.1X on a wired network was originally designed to be deployed on a one-host-per-port basis. However, it’s now common for sites to have multiple hosts per port. For example, voice-over-IP phones have their own LAN port to plug into a desktop or laptop, which means two network devices per port. Recognizing this is a problem, switch vendors provide workarounds such as allowing one unauthenticated device to be placed on a specific virtual LAN, but a subsequent device has to authenticate before getting access to the network. Cisco allows its Cisco Discover Protocol to pass through an 802.1X port, which allows discovered devices to access a designated VLAN. Switches such as the HP ProCurve allow multiple hosts to authenticate, and the switch creates virtual ports based on a device’s MAC address and authentication state. If a workstation is connected to a VoIP phone and was properly authenticated, someone could simply clone the workstation’s MAC address and connect to the network through that VoIP phone.

If your company is in the planning stages of a switch upgrade, it might be a good idea to put off deploying the access layer until your chosen vendor supports 802.1AE and 802.1X-REV. Like all encryption technologies, 802.1AE will have an impact on network design.

Switches can send duplicate frames to a mirror port on a switch so that packet analyzers and intrusion-detection systems can process the frames, but that is not a perfect solution. For example, a full-duplex 1-Gbps link is capable of sending and receiving 1 Gbps simultaneously, for a total capacity of 2 Gbps.

http://www.informationweek.com/news/infrastructure/ethernet/showArticle.jhtml?articleID=210605169