Category: Trends

This is a more invasive approach than phishing, which relies on deception rather than infection, tricking people into giving their information to a fake Web site.

“These Trojans are very selective,” said Cristine Hoepers, general manager of Brazil’s Computer Emergency Response Team, which runs under the auspices of the country’s public-private Internet Steering Committee.

According to data compiled by computer security companies in 2005, the use of “crimeware” like keyloggers to steal user names and passwords — and ultimately cash — has soared. The antivirus company Symantec has reported that half of the malicious software it tracks is designed not to damage computers but to gather personal data. About one-third of all malicious code tracked by the company now contains some keylogging component, according to Ken Dunham, the company’s rapid-response director.

And the SANS Institute, a group that trains and certifies computer security professionals, estimated that at a single moment last fall, as many as 9.9 million machines in the United States were infected with keyloggers of one kind or another, putting as much as $24 billion in bank account assets — and probably much more — literally at the fingertips of fraudsters.

The Federal Deposit Insurance Corporation, responding to the growing threat of cybercrime to the financial industry, stiffened its guidelines for Internet banking in October, effectively ordering banks to do more than ask for a simple user name and password.

“These can be developed by a 12-year-old hacker,” said Eugene Kaspersky, a co-founder of Kaspersky Labs, an international computer security and antivirus company based in Moscow.

http://www.nytimes.com/2006/02/27/technology/27hack.html?_r=1&ei=5094&en=bd1daecaefa11240&hp=&ex=1141102800&oref=slogin&partner=homepage&pagewanted=print

Richard Palmer of Cisco Systems’s security technology group said SSL-based VPNs are very hot. In the firewall space, he’s detecting deeper interest in inspection technologies The growth is spread out across many product areas and focused on innovating in these areas,” he said during a panel discussion during the RSA Security conference here.
Mike Nash, corporate vice president of the Microsoft security technology unit, said customers are responding positively to Microsoft’s progress in making Windows more secure. “The interest now is in more aspirational scenarios that require a higher level of trust, such as authentication and authorization,” he said. Nash said they include delivering security improvements in both the next version of Windows Vista and its Longhorn server suites. At the same time, we’re making sure we improve core platform capabilities, such as isolation, anti-malware technology and better network isolation, he added. “We’re doing a lot of work around making sure Kerberos (define) is a native and pervasive part of the Windows platform, and especially in depending on multi-factor authentication.”

Looking ahead at next year, Thomas Noonan, chairman and CEO of Internet Security Systems (ISS), said the next-generation approach to security is seeping into vendors’ wares. I don’t mean patches that provide new [security] signatures, but on-demand services that bring the security infrastructure to life in extensible ways that had not been capable before.”

Another big trend we’re seeing, said Cisco’s Palmer, is that security is no longer thought of in isolation terms. “We’re seeing customers trying to balance the equation between and among risk, convenience and cost: convenience in helping end-users get to an application, but also administer the app.

ISS’s Noonan added: “I personally believe that on-demand services or online services are going to play a huge role in [security] because they’re flexible, they’re extensible and the networks are reachable.”

http://www.internetnews.com/security/article.php/3586091

The AISSM report also revealed that Australian enterprises are under attack from both internal and external threats. According to the report, 57 percent of respondents said they found spyware installed on multiple computers; 22 percent revealed that they have discovered at least one illegitimately installed keylogger on their system, which Turner describes as ‘mindblowing’.

http://www.zdnet.com.au/news/security/soa/Enterprises_use_freeware_to_beat_cyber_spies/0,2000061744,39237993,00.htm

The goal of the WAFEC project is to help organizations evaluate WAFs, said project leader Ivan Ristic, founder of Web application security company Thinking Stone Ltd. in London. The project group, which is made up of WAF vendors, security professionals and WAF users, spent most of 2005 debating the various requirements.

A WAF can use a proxy-based architecture, a deep packet inspection-based architecture — or both. The intent, said Jeremiah Grossman, a project contributor and founder and chief technology officer of WhiteHat Security in Santa Clara, Calif., is not to recommend certain features, but rather to “give someone a way to compare one firewall to another.” Categories covered in the document include deployment architecture, HTTP and HTML support, detection techniques, protection techniques, logging, reporting, management, performance and XML.

WAFs target the application layer, not the network WAFs address different issues than network firewalls, which defend the perimeter of a network, Kraynak said. If you don’t have a Web application firewall in front of the application, you don’t know what’s happening and you’re not in control,” he said. Grossman added: “We’ve had network firewalls for many years, and nobody claims they stop everything.

WAFs haven’t taken hold Boston-based Yankee Group has labeled the WAF market “mature” but says it has not really gained traction. In comparison, the overall security market has grown at a 20% to 30% pace during the past five years, according to Yankee Group. Yankee Group predicts that the WAF market as it exists today will be subsumed in a few years by a larger market: application assurance platforms, which will combine WAFs, database security, XML security gateways and application traffic management segments.

http://searchappsecurity.techtarget.com/originalContent/0,289142,sid92_gci1163145,00.html

The government must assess the risk associated with certain data types so companies aren’t notifying consumers every time a breach of even noncritical data occurs,” asserts Jerry Cerasale of the Direct Marketing Association (DMA), a New York-based trade association representing more than 5,200 direct, database and interactive marketers.

Fred Cohen, a principal analyst at Burton Group (Midvale, Utah), says enterprises should consider creating new positions or morphing existing ones to prepare for such legislation. “The position of a chief information security officer (CISO) exists at many large firms, but it has not been a C-level position,” says Cohen.

http://www.banktech.com/showArticle.jhtml?articleID=177102701

1.) More damages, but fewer epidemics.
2.) Accelerated legislation, some litigation.
3.) Points of attack move beyond Microsoft’s Operating System.
4.) Mobile phone and PDA/ Smartphone virus concerns.
5.) Spyware a major issue.
6.) IM and P2P will become a bigger headache.
7.) Messaging security will get serious.
8.) Data protection energized as publicized data breaches in the United States intensify.
9.) Convergence will accelerate; security becomes embedded in the infrastructure.

http://www.csoonline.com/read/010106/caveat010906.html