CyberSecurity Institute

Security News Curated from across the world

Two thirds of emails now spam: official

Posted on May 25, 2004 / December 30, 2021 by admini

Spam hotspots are emerging as global levels of junk mail continue to increase. MessageLabs figures also indicate significant regional variations and spam “hot spots”, despite attempts to deter spammers through legislation. Currently, email traffic sent to the United States, the UK, Germany, Australia and Hong Kong represents more than 97 per cent of the global spam volumes being filtered by MessageLabs. The figures suggest spammers are targeting English-speaking countries and regions where the proliferation of Internet/email usage is at its highest. The majority of spam originates in the US, with Boca Raton, Florida the worldwide capital of junk mail.

Mark Sunner, Chief Technology Officer at MessageLabs, commented: “The US presents the widest market for spammers in terms of Internet access and adoption of email as a communications tool. While it currently has the worst global figure at 83 per cent, it’s only a matter of time until the UK falls victim to similar volumes in around six months’ time, whilst Asia-Pacific countries will likely see the same impact in 12 months’ time.” “Countries where English is a widely-used language, particularly in electronic communication, will always be a natural target for spammers as mass mailing in one common language is by far the easiest way for them to disperse their messages,” he added.

A study from rival message filtering firm Clearswift out yesterday suggests financial spam (37.8 per cent) is close to overtaking pharmaceutical spam (40 per cent) as the most common form of junk email. Sexually explicit spam has been on the decline ever since, accounting for only five per cent of total spam seen by Clearswift last month.

US Federal Trade Commission rules insisting that porno spam needed to be labelled as “SEXUALLY-EXPLICIT” came into effect last week. US laws (the CAN-SPAM Act) allow companies to send junk email without prior consent but do at least criminalise hiding the true origins of spam. European anti-spam laws insist on prior consent but largely fail to criminalise spamming. Only Italy and Australia, as far as we’re aware, have anti-spam laws that both insist on prior consent and back it up with criminal sanctions against offenders.

More info: http://www.theregister.co.uk/2004/05/25/spam_deluge/


Antispam framework scores Microsoft endorsement

Posted on May 25, 2004 / December 30, 2021 by admini

Microsoft said on Tuesday that it had agreed to combine its Caller ID efforts with SPF, a specification crafted by Pobox.com Chief Technology Officer Meng Wong.

A recent crop of antispam proposals focuses on the idea that ISPs could publish the range of Internet Protocol addresses associated with their e-mail domains. If a message arrives from an address that does not match the published range, the recipient’s ISP can safely assume that the message is spam, or at least fraudulently addressed. The combined SPF and Caller ID, which has yet to be named, will use XML (Extensible Markup Language) to let Net service providers post IP addresses in the Domain Name System, the giant database that translates alphanumeric domain names like “news.com” into numerical IP addresses for Web servers.

“The convergence of the two proposals is a very positive milestone in the war on spam and brings together the best of both SPF and Caller ID,” said Microsoft spokesman Sean Sundwall. AOL, which in December began testing SPF, hailed Microsoft’s collaboration with Wong. “We welcome Microsoft to the position we have long held concerning the attributes of SPF,” AOL spokesman Nicholas Graham said. “And on the need for a joint standard that is about more than one technical standard, one technology or one company. We were the first ISP to agree to test and implement SPF, back in December, and we think this convergence is the right approach at the right time.”

Other systems for authenticating mail are also in progress. Sendmail and Yahoo have gotten behind DomainKeys, which authenticates e-mail through digital signatures and is not mutually exclusive with DNS-based systems.

More info: http://zdnet.com.com/2100-1104_2-5220253.html


Ballmer Beats Security Drum

Posted on May 24, 2004 / December 30, 2021 by admini

As expected, Ballmer’s opening keynote included several references to security as the software giant’s “number one priority” and the announcement of Web Services Enhancements (WSE) 2.0, a security-centric tool upgrade that uses the latest Web services protocol specs.

“The issues you are having [with malicious hackers] are unacceptable,” Ballmer declared. “Unfortunately, there is no easy way to deal with it. There is no way to snap our fingers and make it all go away but I want to make it clear that, from top to bottom, security is the number one priority.”

In the midst of Ballmer’s assurances, Redmond released a complete overview of the features of the Internet Security and Acceleration Server (ISA) 2004, which will feature support for unlimited multiple networks and enhanced VPN filtering. ISA Server 2004, which comes in two editions (Standard and Enterprise), is a combination application layer firewall, virtual private network (VPN) and Web caching repository. The ISA Server upgrade, which powers the filtering and inspection of all VPN traffic, has also been tweaked to offer VPN client inspection for Microsoft Windows Server 2003-based quarantine services. When installed on a system running Windows Server 2003, Microsoft said, ISA Server 2004 would offer the ability to create custom firewall user groups, extensive protocol support and improved support for FTP upload/download policy and Web publishing.

A Secure Server Publishing feature can also be used to help protect Web servers, e-mail servers, and e-commerce applications from external attacks, Microsoft said.

More info: http://internetnews.com/ent-news/article.php/3358481


Microsoft to show off ID federation

Posted on May 24, 2004 / December 30, 2021 by admini

The technology, which won’t be available until the software giant releases Windows Server 2003 R2 in the second half of 2005, will interoperate with other companies’ identity management software, said Michael Stephenson, lead program manager for Windows Server 2003. “Federated identity lets companies securely extend their applications to suppliers and external users,” he said.

Though the software the company plans to show off won’t be available anytime soon, Stephenson wanted to underscore that Microsoft is playing well with others: “We have been working closely with others in the industry on interoperability.” Microsoft’s interoperability demonstration is the latest move in the software giant’s plans to push for the ubiquitous use of identity management and Web services.

Along with IBM, the company has been a cheerleader for the adoption of the Web Services standard by the Organization for the Advancement of Structured Information Standards, or OASIS.

WS-Security, which includes many of the federated identity specifications, passed muster in April. The Web Services framework competes to some extent with the E-Business Extensible Markup Language (ebXML), which has also been adopted by OASIS.

Both sets of services aim to allow Web sites to offer services to other e-commerce sites.

However, to share identity between sites on the Web and between servers inside a company, only three options currently exist: the Security Assertion Markup Language (SAML) 1.1, the WS-Security standard or the Liberty Alliance’s standard, which has become the base for the next version of SAML, 2.0. Such identity services promise to allow partners to share secure access to services by letting a person who signs in to one server access any other partner’s server without having to sign in.

Originally, Microsoft had hoped that its Passport service would be the single-stop place for people to store their information on the Web. However, businesses and consumers did not agree, and so the software giant started to work on federated services. While Microsoft played well with its partners, the software giant and the Liberty Alliance are still at odds. Microsoft and the Liberty Alliance have still not committed to supporting each other’s standards. Stephenson said he is “very hopeful” that the two will work together.

The Liberty Alliance boasted on Monday that it offers the most mature method for sharing identity information. “The WS family of specifications in general, with the exception of WS-Security, are not in any usable standards form,” said Michael Barrett, vice president of privacy and security for American Express and president of Liberty Alliance’s management board.

More info: http://news.com.com/Microsoft+to+show+off+ID+federation/2100-7347_3-5219584.html?part=rss&tag=feed&subj=news


For liability purposes, the courts have declared terrorism to be a predictable security threat

Posted on May 23, 2004 / December 30, 2021 by admini

In the class-action litigation brought by families of Sept. 11th victims against the airlines, airport security companies, airplane manufacturers and the owners and operators of the World Trade Center, the court examined two main elements: 1. Whether the various defendants owed a duty of care to the people in the World Trade Center and on the planes that crashed; and 2.

In finding that the case should go to a jury, the court stated that we impose a duty on a company when the relationship between the company and user requires the company to protect the user from the conduct of others. This duty of care extends to private companies.

But the court also made a revolutionary declaration with respect to foreseeability. The court stated that, typically, a criminal act (such as terrorism or hacking) severs the liability of the defendant, but that doctrine has no application when the terrorism or hacking is reasonably foreseeable. The court went on to note that the danger of a plane crashing if unauthorized individuals invaded the cockpit was a risk that the defendant plane manufacturer should reasonably have foreseen—indicating that terrorist acts are indeed foreseeable.

A second case involved Verizon and the Maine Public Utilities Commission. The case dealt with whether Verizon could get a waiver for certain performance failure penalties that it was required to pay. Verizon argued that it should not have to pay, since its website went down due to the Slammer worm. The commission found that viruses and worms are foreseeable events, as evidenced by the regular security bulletins issued by software companies. The commission found that Verizon had not taken the reasonable steps available to it, steps that competitors AT&T and WorldCom did take (installing patches to ward off Slammer). Ultimately, the commission found that Verizon should be held accountable for its failure, indicating that virus attacks are also completely foreseeable events.

So now that threats to technology and other systems are no longer considered unforeseeable, what is a conscientious CSO to do? They must be able to prove they use best practices with respect to policies for information management, security, implementation of those policies and disaster recovery plans.

More info: http://www.csoonline.com/read/050104/flashpoint.html


Brightmail finds sanctuary with Symantec

Posted on May 21, 2004 / December 30, 2021 by admini

The deal will improve Brightmail’s position, although the prospect of Microsoft entering the anti-spam market is still a significant threat. The deal has long been expected, despite the fact that Brightmail filed its IPO documents just a few weeks ago.

The companies have had a close relationship since July 2000. Symantec owns 11 per cent of Brightmail already, and has a seat on the board.

In the year ending 31 January, 2004, Brightmail made about 20 per cent of its $26m revenue from an anti-virus add-on it offered using Symantec’s software.

Enrique Salem, Brightmail’s CEO, said the deal presents synergies without excessive crossover. “Symantec has the market-leading anti-spam software for consumers, and we have the market-leading product at the gateway,” he said. He also said that Brightmail’s OEM partners, which include IronPort Systems and Borderware Technologies, are safe following the deal.

Andrew Lochart, VP of product marketing at BMS rival Postini, was surprisingly positive about the news. “It eliminates one of the leading independent private companies from the market, which means the other companies, like Postini, all move up a notch,” he said. Mr Lochart also said the firm has rarely seen Symantec in competitive situations in the past. It also gives Postini, which has its sights set on an IPO too, a benchmark by which it could judge its own value.

Brightmail is probably a lot safer inside Symantec, which continues to grow and generate cash rapidly on the back of its consumer antivirus business, than it would have been alone, but both firms see Microsoft as a looming threat.

Microsoft is Brightmail’s biggest customer, bringing in more than 10 per cent of its revenue, but is expected to build its own anti-spam software. It is also expected, at some point, to offer its own flavor of antivirus software, competing with Symantec.

More info: http://www.theregister.co.uk/2004/05/21/brightmail_finds_sanctuary/

