CyberSecurity Institute

While sophisticated hackers might always find a way into a system, many companies, such as the two mentioned above, are guilty of some basic failings which would have been discovered within minutes of penetration testing, according to a leading expert.

Dan Newman has been running one of the most popular certified ethical hacking courses for three years at the UK-based Training Camp and says he’s not seen a single student from an e-commerce company put forward to attend, while financial institutions, government departments and the military are well up on the need for penetration testing. “We had one guy who worked for a retailer but he funded it himself because he was actually looking to move into a new job in a different sector,” said Newman. While this doesn’t mean e-commerce sites have never honed their penetration-testing skills, Newman is confident he’d have seen some of them through his classroom at least, or heard of their efforts if such skills were commonly used in the online retail sector.

Newman walked Builder UK sister site silicon.com through a very basic ‘hack’ which simply involves changing cookies to access any number of customers’ details on one ecommerce Web site. By doing so a hacker would be able to download paid-for documents from other users’ accounts with one keystroke.

Newman blames a lot of the failings on the pressures of the retail environment and on developers charged with getting functionality online in time to meet demand, rather than when it is ready. “I used to be a developer and I used to make the same mistakes they do,” said Newman. Newman said a lot of the time “they’re getting things out there as quickly as they can” without regard for security. “Some Web sites are just bulging at the seams,” said Newman, referring to the multitude of security weaknesses just waiting to be exploited in the e-commerce sector.

Firebox.com is one online retailer happy to talk about its penetration testing. “Our IT team regularly check all of our security and always start with anywhere there could be a potential problem and thankfully they have always been pleasantly surprised but you still have to test,” said the spokeswoman. “I feel bad for a lot of companies who buy products from vendors who know nothing of security,” added Newman.

But just because e-tailers deal with a third party vendor doesn’t abdicate responsibility for carrying out their own thorough penetration testing.

http://uk.builder.com/webdevelopment/scripting/0,39026636,39247453,00.htm

An identity metasystem is much like a metadirectory, according to industry watchers. A metadirectory, or uber-directory service, is designed to users to view data from different directory systems in a unified way.

In a white paper published this month to the Microsoft Web site, Microsoft describes the identity metasystem this way: “This metasystem, or system of systems, would leverage the strengths of its constituent identity systems, provide interoperability between them, and enable creation of a consistent and straightforward user interface to them all.

“The ID metasystem is a new concept that we just started talking more formally about last week,” said Michael Stephenson, director of product management with the Microsoft Windows Server team. The identity metasystem is an outgrowth of the WS-* Web services architecture that Microsoft and its partners have been championing for the past couple of years. Stephenson said that while the digital ID platform vision advances, Microsoft and its partners will continue to submit the various WS-* protocols to standards bodies in a royalty-free manner.

As outlined by Microsoft in its metasystem white paper, the digital ID metasystem will build on top of two of the WS-* protocols: the WS-Trust and WS-Metadata Exchange ones. Security token servers and WS-SecurityPolicy-based clients that require user-identification-vertification will plug into this base.

According to Microsoft, “Examples of technologies that could be utilized via the metasystem include LDAP claims schemas, X.509, which is used in Smartcards; Kerberos, which is used in Active Directory and some UNIX environments; and SAML, a standard used in inter-corporate federation scenarios.”

Microsoft envisions individual vendors building their own implementations of the digital ID metasystem. Infocard Infocard, which is similar to a virtual credit card or membership card, will be the common user interface for the Microsoft digital-ID metasystem, Stephenson said. Company officials have said that Microsoft will build into future versions of Windows, starting with Longhorn, an InfoCard client.

http://www.microsoft-watch.com/article2/0,1995,1817451,00.asp

While reports of this type of crime have circulated for several years, most victimized companies remain reluctant to acknowledge the attacks or enlist the help of law enforcement, resulting in limited awareness of the problem and few prosecutions.

Extortion is “becoming more com’monplace,” said Ed Amoroso, chief information security officer at AT&T. “It’s happening enough that it doesn’t even raise an eyebrow anymore.”

“In the past eight months we have seen an uptick with the most organized groups of attackers trying to extort money from users,” said Rob Rigby, director of managed security services at MCI (Profile, Products, Articles). While MCI has been asked to help with prosecutions in other cybercrime cases, Rigby says he does not recall a service provider being subpoenaed in a DDoS extortion case.

Quantifying the extortion problem is difficult because the FBI, ISPs and third-party research firms can’t provide figures on the number of DDoS attacks that include demands for money. An indeterminable number of victims are choosing to meet the demands of extortionists rather than turn to law enforcement because they’re worried about negative publicity.

The law does not prohibit paying, said Kathleen Porter, an attorney at Robinson & Cole LLP in Boston, who has extensive experience with e-commerce and Internet law. Companies are not required by law to report these crimes, Porter said, adding that she suspects that many are reticent to do so because they fear being sued over the risks that such an attack might create for their customers.

Anti-DDoS services cost around $12,000 per month from carriers such as AT&T and MCI, said John Pescatore, an analyst at Gartner Inc. The most popular type of anti-DDoS equipment used by service providers is Cisco Systems’s (Profile, Products, Articles) Riverhead gear and Arbor Network’s detection tools. This equipment can filter about 99 percent of the attack traffic, Pescatore said, although sometimes network response times drop by a few seconds.

Last fall, the Bellevue, Wash., payments-processing firm, which authorizes credit card transactions for more than 114,000 merchants, had its Internet-based service disrupted by extortionists demanding payment to cease a massive DDoS attack.

“Today, we’ve not yet seen a successful apprehension of anyone involved,” said Authorize.Net President Roy Banks.

http://www.infoworld.com/article/05/05/16/HNddosextortion_1.html?source=rss&url=http://www.infoworld.com/article/05/05/16/HNddosextortion_1.html