CyberSecurity Institute

Malware, spam, phishing, spyware, bots and root kits are raking in big bucks and fighting them effectively is a huge challenge, Aucsmith said in a presentation at the Windows Hardware Engineering Conference in Seattle. “We’ve seen an explosion of criminal enterprise moving onto the Net in the last 18 months or so,” he said in describing hacker motivation trends. Among other ills, spam serves as a gateway for artificially generated web traffic, phishing, identity theft and credential theft. “People are making a lot of money with spam,” he said flatly.

Over 60 percent of all Internet users have visited a spoofed site and over 15 percent have been tricked into providing personal data, he said.

They have control channels and can communicate back to whoever created them. Later they can become keystroke loggers hunting for financial or software license information.

“There are your moms’ machines, compromised by a bot. A whole collection of them just look for Windows CD keys.”

Aucsmith said the “herders” who operate bot networks offer to rent out their bot networks.

Aucsmith noted major growth in root kits since the launch earlier this year of Microsoft’s Anti-Spyware product, which is available as a free download. But he said rook kits still pose a significant technical challenge, can defeat anti-spyware products and will continue to offer financial incentives to support spyware and adware.

When fighting these threats, a big problem network security pros encounter is legacy systems, Aucsmith said, noting for example that the security kernel for Windows NT was written before there was a World Wide Web and before TCP/IP was the default communications protocol. Some Windows NT boxes, nonetheless, remain connected to the Web.

http://www.techweb.com/wire/security/161601341

It’s the first bill of its kind in the nation, said its author, state Sen.

Supporters of the bill, including the American Civil Liberties Union and the Electronic Frontier Foundation, say unchecked use of the technology, known as radio frequency identification, or RFID, could trample people’s privacy and aid identity thieves.

“I have real concerns about the suitability of RFID technology for government identification documents,” said Simitian, D-Palo Alto. “I thought that it probably made sense to try to develop some kind of boundaries.” Simitian introduced the Identity Information Protection Act of 2005 in February after a rural elementary school just 40 miles north of the state capital ditched plans to outfit students with electronic IDs amid protest from parents and students. The case, which involved Brittan Elementary School in Sutter, Calif., got national media attention.

“The issue of RFID in identification documents really hit home with what happened in Sutter,” said Nicole Ozer, technology and civil liberties policy director of the ACLU of Northern California.

Brittan Elementary had issued the electronic badges to seventh- and eighth-graders in an effort to attain better class attendance records and tighten campus security.

Critics said the technology, which is also used to track livestock, was dehumanizing.

Consumer advocates also worry about the ability of data thieves to intercept RFID signals or break into databases storing the information collected by such systems. The RFID chips are designed to broadcast personal data, such as name, address and date of birth, to special receivers at close range.

The California bill also puts the state at the forefront of a national debate. The U.S. State Department plans to issue passports containing RFID chips soon, and schools and libraries across the country are experimenting with them, too.

A Republican-backed federal measure that has passed a vote in the U.S. House of Representatives proposes implanting RFID chips in driver’s licenses.

Businesses are also ratcheting up their use of the technology.

“My hope is that it will underscore the importance of these issues and prompt a wider and more thoughtful debate at a national level,” Simitian said.

Simitian’s bill would prohibit identity documents created or issued by the state containing computer chips that can be read remotely. Identity documents include driver’s licenses, ID cards, student ID cards, health insurance or benefits cards, professional licenses and library cards. It allows for some exceptions, though, including the use of electronic IDs for prisoners and for newborn babies in hospitals. It would also permit government workers to use them to access secured areas.

The bill would make any surreptitious gleaning of data from RFID chips, government-issued or otherwise, a misdemeanor punishable by up a year in jail and a $5,000 fine.

A number of lawmakers in other states, including Maryland, Missouri, Nevada, South Dakota, Utah and Virginia, have proposed RFID regulations, but few states have actually passed laws.

Even California has proved resistant to such efforts. A bill introduced there last year to regulate commercial use of the technology was killed by the state assembly after facing opposition from numerous business groups.

http://news.zdnet.com/2100-1035_22-5689358.html

The Jericho Forum, whose membership includes many chief security officers from FTSE 100 companies, will push for the removal of encryption restrictions within the next three-to-five years.

“This is a big problem for us,” said Nick Bleech, a member of the Jericho Forum and an IT security director for Rolls Royce. “We have 200 locations [around the world]. In industrialised countries it’s not a problem, the real problem comes from places like China. But the Chinese government is extremely keen to further new development.”

Countries such as China, Russia, Israel and Saudi Arabia, have stipulated strict rules governing the use of encryption tools, and in some cases banned the practice.

The Jericho Forum, which is looking to move away from the perimeter model for cybersecurity in favour of an approach that would make data totally secure, hinted this could cause problems for e-commerce.

“But I don’t think we’ll come up with a universal solution that will solve everything. We don’t have the clout to do that yet. We’ve got to lobby governments across borders, find out what restrictions there are and close them. At the moment it is a variable nightmare. The time frame is three to five years before this comes to fruition.”

Bleech said that governments usually respect each others’ encryption policies and make concessions for each other. Bleech was speaking at Infosecurity 2005, which ends on Thursday.

http://news.zdnet.co.uk/internet/security/0,39020375,39196486,00.htm