New attack vectors will grow precipitously
Look for a big increase in the number of attacks via instant-messaging clients, Internet Protocol telephony, cell phones, Bluetooth and XML.
Rootkits become familiar to the masses
A rootkit is an extremely clandestine type of malware that hides itself within operating system kernels or application binaries.
Secure development processes become mandatory
Users are simply fed up with sloppy vulnerability-ridden code and weak security support from most independent software vendors. Look for large organisations to clamp down by placing contractual demands on software providers mandating that they implement security processes and metrics or take a hike. Microsoft is ahead of the pack in this area, while “unbreakable” Oracle lags way behind and could lose major contracts as a result.
Security management moves to network operations
At an enterprise level, network security depends on spotting anomalous activities and capturing security events.
Key management becomes a major new requirement
Database, networking, storage and firewall vendors either have or will add encryption to their solutions in 2006.
More security outsourcing
It’s hard enough to administer a firewall and intrusion detection systems, let alone also deal with the abundant security solutions for e-mail, IP telephony, Web services, wireless devices, and so on.
Gates: End to passwords in sight
“We’re laying the foundation for what we need,” Gates said in a speech at the RSA Conference 2006 here. Even with the advancements, Gates said he wasn’t naive enough to think the password would go away overnight. “I don’t pretend that we are going to move away from passwords overnight, but over three or four years, for corporate systems, this change can and should happen,” he said.
Replacing passwords is part of Microsoft’s endeavor to simplify security, which Gates said is dearly needed. “We have an overly complex system today,” he said. Vista and Microsoft’s upcoming security products, such as Windows OneCare Live and Microsoft Client Protection, will make life easier for consumers, he said.
Microsoft has described InfoCard as a technology that gives users a single place to manage various authentication and payment information, in the same way a wallet holds multiple credit cards. InfoCard is Microsoft’s second try at an authentication technology after its largely failed Passport single sign-on service, unveiled in 1999. InfoCard attempts to address the complaint many critics had with Passport, which was that people’s information was managed by Microsoft instead of by the users themselves and the businesses with which they dealt. Although Microsoft has talked about InfoCard, and early versions of the InfoCard code were released to developers last year, Gates’ speech marked one of the first times Microsoft has demonstrated publicly just how it might work.
In a presentation, Microsoft showed how a consumer could use a self-generated InfoCard to log in to a car rental site and then use a separate InfoCard from a membership group to get a discount on the rental.
Internet Explorer 7 will support InfoCard, Gates announced. The technology will also be available for Windows XP, Microsoft said. InfoCard is one of several technologies Microsoft is developing for Vista, but the company is also making it available for XP.
Microsoft acknowledged that replacing passwords is something that needs to be done at the system level, but Gates said the company is also working on technologies to enable various identity systems used on the Internet to work together, something it calls the Identity Metasystem. In order to provide people with better identity verification as they do business online, Microsoft is asking for a stronger type of digital certificate, a so-called high-assurance certificate. Digital certificates are already widely used today in Web browsers to show that traffic on a Web site is encrypted and that a third party has identified the site and has vouched for its validity. But in recent years, standards of verification have slipped, undermining the sense of security implied by the padlock. That’s why Microsoft and others have called for a new type of certificate.
Microsoft on Tuesday announced the first beta of Microsoft Certificate Lifecycle Manager, a tool meant to streamline provisioning, configuration and management of digital certificates and smart cards, the company said.
Gates also touted several of the other security capabilities that will be part of Windows Vista. In a demonstration, Microsoft showed its anti-spyware technology, as well as a new mode that runs Internet Explorer in its own “sandbox” so Internet code can’t cross over into the rest of a PC.
As expected, the company on Tuesday released a second beta version of Windows AntiSpyware, now called Windows Defender. The first test version of the spyware-fighting tool has been popular, with more than 25 million downloads from Microsoft’s Web site. Windows AntiSpyware has been available in a beta version since January of last year. The program is designed to protect PCs against spyware, which is software installed on a system that’s designed to watch the computer user’s activity without his or her knowledge. Windows Defender already exists by that name in the latest preview release of Vista. Microsoft plans to ship Windows Defender as part of the operating system, it has said. At last year’s RSA Conference, Gates announced that Microsoft would deliver anti-spyware at no cost.
IE 7 also was announced at last year’s RSA event. It includes many security and privacy protection capabilities, such as mechanisms designed to combat phishing attacks, spyware and other threats. Cyberattackers have exploited security flaws and weaknesses in the current version of Microsoft’s Web browser in many attacks. A public preview of IE 7 was released in late January.
http://news.zdnet.com/2100-1009_22-6039177.html
Microsoft, RSA, Sun And Encryption
Active Directory is one of the most widely used technologies by Microsoft customers.
RSA Security then stepped up to advance the authentication ball with a bunch of partners that will build in its encryption software to more hardware devices, including USB, wireless and Flash memory cards.
And Sun announced its plans to integrate its Elliptic Curve Cryptography (ECC) in its Java System Web Server 7.0, which is a big chunk of its Java Enterprise system.
In the past few years, smart cards have not taken off in the mainstream business world, but with three major technology players making moves to advance encryption into more devices, that’s changing.
Released to a new beta in late January, IE7 now includes support for an InfoCard for users to add authentication and encryption to Web-based transactions. The roadmap includes expanded capabilities that customers will see in future versions of Windows Server, he said, which is still code-named “Longhorn.”
http://www.internetnews.com/dev-news/article.php/3585216
Choke Point
“During the first few years of the e-commerce boom, many merchants were willing just to get the sale at the expense of increased fraud,” says René Pelegero, former director of global payments for Amazon.com turned consultant. “Over the last two or three years, the tide has begun to turn.”
Merchants fervently want not only to prevent fraud but also to transfer some of the liability onto the credit card associations and banks, as brick-and-mortar retailers have done. The credit card industry says it is addressing those concerns with programs like Verified by Visa and MasterCard’s SecureCode, but adoption by retailers has been slow. All the while, online credit card fraud continues its inexorable rise, with the CyberSource study pinning 2005 losses at $2.8 billion, 8 percent more than the year before.
If a cardholder reported that a charge was fraudulent, the bank issued what’s known as a “chargeback”—essentially, the bank took back the money and gave it to the cardholder. If the merchant then submitted the cardholder’s signature, the merchant didn’t have to pay the chargeback. If merchants didn’t follow the rules or racked up too many chargebacks, the card associations could ban them from accepting credit cards. Online merchants, however, can’t get a regular signature, and they are leery of introducing anything into the checkout process that slows down the transaction. This means that merchants who do business online are being forced to invest in antifraud defenses—both technological and human—like they’ve never had to before.
The billing address is used for the address verification service (AVS), which allows a merchant to find out whether the billing address provided by the customer matches the one in the bank’s records. Although the method isn’t perfect, 75 percent of online retailers use it, making it the most widely used tool, according to the CyberSource study. For physical confirmation, retailers often ask for the card verification number (CVN, sometimes called CID or CVV).
Tracy Brown, cochairwoman of the Merchant Risk Council, a trade group founded to help retailers control fraud, says that CVN was an attempt to move online credit card transactions from single-factor to dual-factor authentication. CardCops’ Clements says that now when he sees thieves advertising stolen credit cards with “full information,” it means the information includes not only the cardholder name, billing address, credit card number and expiration date, but also the CVN.
As with most retailers that have sophisticated antifraud systems, the processes at ShopNBC are largely automated. Each order goes through a complicated, proprietary decision tree. At any point, the order can be released as good, pushed along for an additional check, or flagged as suspicious and sent to a team of 20 investigators. ShopNBC’s participation in both card-association programs works through a software package called 3D Secure, which hooks into the merchant’s order processing and does the confirmation for both Verified by Visa and SecureCode. Javery is a pretty good, if unofficial, spokesman for Visa. He says the implementation cost was low. “It took just one developer less than a couple weeks to get this up and running and tested and deployed,” he says, noting that the system paid for itself in “a short time frame” and did not increase the number of shoppers who abandoned their shopping carts.
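The screening the article describes (AVS on the billing address, the CVN as a second factor, 3-D Secure authentication, then an automated release/review/flag decision) can be sketched as a small decision tree. The following is an added example, not ShopNBC’s proprietary system nor code from Visa, MasterCard or the 3D Secure package; the AVS result codes, the thresholds, the field names and the sample orders are all constructed for illustration. It also models the liability shift described in the article for orders where the cardholder authenticated through Verified by Visa or SecureCode.

```python
"""Simplified online-order fraud screening (added illustration).

Not ShopNBC's decision tree and not a card-association API: the AVS codes,
thresholds, field names and sample orders below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    RELEASE = "release"   # ship the order
    REVIEW = "review"     # push along for an additional check
    FLAG = "flag"         # send to the manual investigation team


@dataclass
class Order:
    order_id: str
    amount: float
    avs_match: str          # constructed codes: "full", "zip_only", "none", "unavailable"
    cvn_match: bool         # card verification number matched the issuer's value
    three_d_secure: bool    # cardholder authenticated via Verified by Visa / SecureCode
    ship_to_billing: bool   # shipping address equals the AVS-verified billing address


@dataclass
class Outcome:
    decision: Decision
    liability_with_issuer: bool   # True when fraud liability shifted to the issuing bank
    reasons: list


def screen_order(order: Order, high_value: float = 500.0) -> Outcome:
    """Walk a small decision tree and return the decision with its reasons."""
    reasons = []

    # 1. Authentication via Verified by Visa / SecureCode shifts liability to the
    #    issuer (per the article), whatever the rest of the tree decides.
    liability_with_issuer = order.three_d_secure
    if order.three_d_secure:
        reasons.append("3-D Secure authenticated; liability shifts to issuer")

    # 2. A failed CVN is the strongest negative signal: the buyer lacks the physical
    #    card (or a "full information" dump).  Flag immediately.
    if not order.cvn_match:
        reasons.append("CVN mismatch")
        return Outcome(Decision.FLAG, liability_with_issuer, reasons)

    # 3. AVS: neither street nor postal code matched the bank's records -> flag.
    if order.avs_match == "none":
        reasons.append("AVS: billing address and postal code mismatch")
        return Outcome(Decision.FLAG, liability_with_issuer, reasons)

    # 4. Softer signals only move the order to the additional-check queue.
    partial_avs = order.avs_match in ("zip_only", "unavailable")
    risky_shipping = (not order.ship_to_billing) and order.amount >= high_value
    decision = Decision.RELEASE
    if partial_avs:
        reasons.append(f"AVS: {order.avs_match}")
        decision = Decision.REVIEW
    if risky_shipping:
        reasons.append("high-value order shipped to a non-billing address")
        decision = Decision.REVIEW

    # 5. A partial AVS match on an otherwise clean, authenticated order is released:
    #    the issuer carries the fraud risk, so manual review would be wasted effort.
    if decision is Decision.REVIEW and partial_avs and not risky_shipping and order.three_d_secure:
        reasons.append("partial AVS tolerated: cardholder authenticated")
        decision = Decision.RELEASE

    return Outcome(decision, liability_with_issuer, reasons)


# Constructed sample orders exercising each branch of the tree.
SAMPLE_ORDERS = [
    Order("o1", 120.0, "full", True, False, True),
    Order("o2", 900.0, "full", True, False, False),
    Order("o3", 60.0, "none", True, False, True),
    Order("o4", 300.0, "zip_only", True, True, True),
    Order("o5", 45.0, "full", False, True, True),
]


def screen_batch(orders):
    """Map order id -> decision string, the shape a fulfilment queue would consume."""
    return {o.order_id: screen_order(o).decision.value for o in orders}


if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        out = screen_order(o)
        print(o.order_id, out.decision.value, "issuer-liable" if out.liability_with_issuer else "merchant-liable", out.reasons)
```

The ordering of the checks is the point: hard failures (CVN, full AVS mismatch) short-circuit to the investigators, soft signals queue an additional check, and authentication is recorded separately from the decision because it changes who pays for a bad order rather than whether the order is bad.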
The payoff—beyond lower fraud rates—is exactly what merchants have been clamoring for for years. According to Visa, retailers who sign up for Verified by Visa get a 5 percent to 10 percent reduction in the rate they pay to process all Visa transactions that involve a consumer credit card or debit card. What’s more, if the customer enters the Verified by Visa password, the liability for that transaction shifts to the bank that issued the card if it turns out to be fraudulent.
Right after the holidays, MasterCard announced similar incentives; merchants who support SecureCode will be eligible for rates that the company describes as “comparable to those for face-to-face transactions,” or up to 16 percent lower than previous rates.
Avivah Litan, vice president and research director at Gartner, has been watching the situation for years, and she is heartened by the card associations’ taking on more risk. “Before, it was every online retailer on their own when it came to online commerce fraud control, and they were all duplicating their efforts,” Litan says. “It was extremely decentralized and extremely inefficient. But places like Citibank and Bank One have spent hundreds of millions of dollars protecting against fraud over the past years, and they’ve gotten really good at it. You’re just shifting the liability around, but if you can shift it to someone who can fight it effectively, we’re much better off.”
Still, that’s not happening on any great scale right now. Widespread adoption would have to start with the merchants. Banks are in no hurry to speed adoption, since it increases their liability. Consumers, who have zero-liability protection against credit card fraud, have little incentive to sign up for the program. Michael Yakel, a Visa vice president who runs the Verified by Visa program, tries to put a happy face on the numbers, noting that the program has seen a 150 percent increase from a year ago.
Ironically, the point at which enough retailers such as ShopNBC see the ROI of the program may be the point at which it stops having one. “The card associations have done a brilliant job convincing consumers that the cards are safe and that they have no liability,” Pelegero says. So until the merchants feel either more pain from fraud chargebacks—or more benefit from transferring liability—it seems inevitable that they’ll continue to pick away at the problem, trying to eliminate fraud where they can and write it off where they have to.
After all, there’s just one thing that’s worse for online retailers than arriving at that moment of truth, that moment after a customer loads up an online shopping cart, after he hands over a credit card number and shipping address, after he hits the “buy” button and the merchant has to decide whether or not to ship the order.
http://www.csoonline.com/read/020106/choke_point.html
Spyware fight attracts a crowd
Eric Allred, who works at Anti-Spyware Coalition member Microsoft as an anti-spyware response coordinator, said the existence of several bodies could make the work of each group less effective. In January, the coalition published guidelines for identifying and combating spyware. It also issued tips for makers of anti-spyware tools to help them deal with companies that complain their software has been inappropriately flagged.
Trusted Download Program
Launched in November, the program promises to use certification to guarantee an application does only what it says. It is run by privacy watchdog Truste and backed by America Online, Yahoo, CNET Networks, Verizon and Computer Associates.
Spywaretesting.org
An initiative launched last month by a consortium of antivirus companies. It plans to draft standards for spyware samples and testing, and to help consumers determine the risks posed by new software and the effectiveness of anti-spyware products. The members are McAfee, Symantec, Trend Micro, ICSA Labs and Thompson Cyber Security Labs. The formation of the group came just months after the collapse of the Consortium of Anti-Spyware Technology vendors, or Coast, which had many of the same goals. Coast fell apart after it allowed a company suspected of making adware to join, a decision that prompted the departure of several key members.
It plans to publish a blacklist of offending software and publicly shame the companies that create such applications. “It is not a settled question,” said Luis Villa, senior technologist at the Berkman Center for Internet & Society at Harvard Law School.
http://news.com.com/Spyware+fight+attracts+a+crowd/2100-1029_3-6037999.html?tag=nefd.lede
‘Sleeper bugs’ used to steal €1m in France
Police claim this is set up through fictitious companies, including one American firm named World Transfer, although the mules could be unaware that their computers are being used for theft.
A dozen Russian thieves, described by police as being typically aged between 20 and 30, and several Ukrainian masterminds of the scam have been arrested in Moscow and St Petersburg. The authorities were alerted in November 2004, when a bank customer noticed a large sum missing from his account.
Nicolas Woirhaye, a security expert, said the French authorities were alerted to scams every three weeks. “All the French victims were trapped because they didn’t have any [computer] protection,” he said.
http://www.guardian.co.uk/france/story/0,,1703777,00.html#article_continue