Category: Warnings

The company issued an advisory on its Web site, warning customers of the vulnerability that affects the Cisco Unity unified communications software package versions two, three and four.

It also warned of a similar problem on Cisco Guard, a tool that helps protect companies from denial-of-service attacks.

Cisco Unity is a unified communications software package that allows users to listen to email over the telephone or check voice messages from the Internet. When integrated with a third-party fax server, it can even forward faxes to any local fax machine. The problem with Cisco Unity is that it creates certain user accounts with default passwords when integrated with Microsoft’s Exchange program. If the password isn’t changed when Unity is installed, outside users could log on and read incoming and outgoing email messages. They could also gain access to certain administrative functions.

Cisco has posted a solution on its Web site. The simplest fix is to change the default passwords on the accounts. The accounts with default passwords that should be changed can be found on the Web site.

In October, Cisco announced several security upgrades for its unified communications products. Specifically, it offered higher security on voice messages.

Cisco also warned about a vulnerability on Cisco Guard, an application to counter denial-of-service attacks. Like the Cisco Unity product, Cisco Guard comes with default usernames and passwords. The problem can be fixed by changing these settings.

Denial-of-service attacks occur when a network is flooded with so many packets that switches, routers and servers stop processing them and continuously reboot. The Cisco Guard product detects traffic anomalies and then diverts this traffic to protect the server that was targeted in the attack.

http://news.zdnet.co.uk/internet/security/0,39020375,39181665,00.htm

The group received reports of 1,518 active phishing sites during November, up from 1,142 in October.

Reports of phishing Web sites have grown by an average rate of 28% monthly since July, as scam artists broadened their efforts to lure customers of companies that do business online, according to Peter Cassidy, secretary general of the APWG.

The APWG is an industry group of representatives from law enforcement and private sector companies, including leading Internet service providers, banks and technology vendors.

Phishing scams are online crimes that use spam to direct Internet users to Web sites that are controlled by thieves, but designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, bank account information or a credit card number, often under the guise of updating an account.

Customers of 51 online brands were targeted by phishing scams in November, compared with 44 brands in October, Cassidy said. However, just six companies drew more than 80% of all phishing scams, he said.

The APWG no longer identifies the organizations that were the most popular targets of phishing scams, citing resistance from the group’s industry members, he said. However, eBay and Citibank were phishers’ top targets in past months, according to previous APWG reports.

The creation of phishing Web sites in October and November resumed the torrid pace it reached in mid-August, after dropping off for much of September. Phishing attacks have emerged as a potent threat in 2004. More than 18 million e-mail messages linked to the attacks have been stopped this year by e-mail security provider MessageLabs.

Industry groups, including the APWG, responded by calling attention to new attacks and working to shut down Web sites used in the scams to harvest personal information from unsuspecting Internet users.

Recently, leading companies and law enforcement agencies unveiled a new antiphishing initiative. Digital PhishNet brings together companies such as Microsoft, America Online and VeriSign with the FBI, Secret Service and U.S. Postal Inspection Service to improve coordination when identifying and shutting down phishing sites.

Like other companies, including Internet service provider Earthlink and eBay, GeoTrust distributes a free Web browser plugin that warns users when they visit phishing Web sites.

http://www.nwfusion.com/news/2004/1210phishwebs.html

As a result, companies that are implementing grid technologies need to pay special attention to issues such as user authentication, authorization and access control, as well as auditing and data integrity — both when data is in storage and while it’s in transit.

Ensuring that adequate measures are in place for responding to the effects of worms and viruses, which can be amplified in a grid setup, is also crucial in grid computing, IT managers say.

Most of the problems that users have to deal with in a grid environment are similar to the ones they face in nongrid environments, says John Hurley, senior manager for distributed software and systems integration at The Boeing Co.’s mathematics and computing technology group in Seattle.

A grid installation harnesses the combined power of numerous servers and PCs to run applications and services as one large system.

The potential severity of grid-related security problems depends largely on the context in which grids are being used, says Dane Skow, deputy computer security executive at the Fermi National Accelerator Laboratory in Batavia, Ill.

“When you talk to people about grids, they have different scenarios in mind — everything from clusters in the same room run by the same infrastructure team to global power-grid-like infrastructures,” says Skow.

Research grids, for instance, typically provide access to users from multiple organizations and security domains. User access, authentication and authorization in such an environment can be a big challenge, given the fact that there’s no single identity authority, says Skow, who is also part of the security group at the Global Grid Forum, a Lemont, Ill.-based organization with members from more than 400 vendors and user companies.

In contrast, a grid being run by a private-sector company typically uses internal resources and is accessed by users whose identities are already stored in an internal directory. As a result, it’s easier to get a grip on identity management in a company grid than it is with grids in a research setting, Skow says.

Companies that are deploying grids also must protect data during transmission on the network via encryption, says Jikku Venkat, chief technology officer at United Devices Inc., an Austin-based vendor of technologies for aggregating computing resources into clusters and grids.

Addressing grid security may not involve new technologies, but because of the increased potential vulnerability, protective measures become more urgent.

http://www.computerworld.com/securitytopics/security/story/0,10801,97815,00.html

The malware exploited a vulerability in Internet Explorer that was announced earlier this month; Microsoft says a fix is more than two weeks away.

Hackers used banner ads to launch a widespread attack in Europe over the weekend. The hackers apparently broke into a that delivers banner ads for Germany’s Falk eSolutions and loaded malicious code on banner advertising that appeared on hundreds of Web sites. “Early Saturday morning an unauthorized individual exploited a weakness in a load balancer on the European AdSolution network.” The purpose of the exploit was to establish a redirect to malicious code through a javascript component of Falk’s ad delivery.

The malware exploits the Bofra/IFRAME vulnerability in Internet Explorer, which was announced earlier this month. Systems that have been upgraded to Windows XP Service Pack 2 reportedly are not affected.

“In total, potential redirects to this exploit code represented less then 2 percent of EU ad requests and under 0.1 percent of U.S. ad requests during this time period,” Falk eSolutions says in a notice on its site.

GMT, the virus was removed from all Falk European and U.S. networks, and normal ad delivery was restored,” the company says.

http://enterprise-security-today.newsfactor.com/story.xhtml?story_title=Hacker-Exploit-Spreads-Virus-Through-Banner-Ads&story_id=28597&category=intrusion

A report issued on Thursday by Meta Group found that 57 percent of the people surveyed at 300 companies worldwide use IM at work for personal chitchat more often than for job-related communications.

In a nod to IM as a productivity tool, Meta found that 56 percent of employees use the applications at home for work-related activity.

“We believe that by 2008, most new employees will be assigned an IM account when they start a job, just as they are issued an email account today.” As a result of IM’s growing popularity, Tzirimis said an increasing number of companies are looking at ways to track employee use of the applications.

A recent survey released by ePolicy-AMA found that 60 percent of US companies now use software to monitor incoming and outgoing external email and that 27 percent of employers use software to track internal email between employees.

Tzirimis recommends that more companies use tools for tracking IM use, because the software potentially an even larger security threat than email, based on the sort of attacks designed to take advantage of the applications.

http://news.zdnet.co.uk/business/employment/0,39020648,39173540,00.htm

Gartner defines social engineering as “the manipulation of people, rather than machines, to successfully breach the security systems of an enterprise or a consumer”. This involves criminals persuading a user to click on a link or open an attachment that they probably know they shouldn’t.

Rich Mogull, research director for information security and risk at Gartner, said social engineering is more of a problem than hacking. “People, by nature, are unpredictable and susceptible to manipulation and persuasion. Studies show that humans have certain behavioural tendencies that can be exploited with careful manipulation.” “Many of the most-damaging security penetrations are, and will continue to be, due to social engineering, not electronic hacking or cracking,” said Mogull.

According to Mogull, identity theft is a major concern because more criminals are “reinventing old scams” using new technology. “Criminals are using social engineering to take the identity of someone either for profit, or to gather further information on an enterprise. This is not only a violation of the business, but of someone’s personal privacy,” said Mogull.

Rob Forsyth, managing director at Sophos in Australia and New Zealand, told ZDNet Australia about a ‘malicious and cynical’ scam that recently targeted unemployed Australians. According to Forsyth, the potential victim received an email that purported to come from Credit Suisse bank advertising a job opportunity. The email asked the recipient to go to a Web site that was an almost exact replica of the actual Credit Suisse site — but this version contained an application form for the ‘vacancy’. Forsyth said the replicated Web site was recreated so thoroughly that it took experts ‘some time’ to confirm that it was actually fake. It took us some time to determine it was a fake site. It was not necessarily groundbreaking but quite a clever combination of technology.

“They are targeting those people in the community that are most in need — those seeking work. It is exactly those people that might be vulnerable to this kind of overture,” said Forsyth.

http://news.zdnet.co.uk/internet/security/0,39020375,39172157,00.htm