Friday, January 5, 2007

2007: Trouble Ahead


DECEMBER 29, 2006 | One thing's for sure about the security threat landscape in 2007: It'll get a lot more personal.

Everybody has an opinion about what the key security threats will be for next year. But the common thread among the plethora of punditry is that security is getting more of a human face, whether you're the victim of an identity theft scam or corporate espionage, or whether you're the double-agent bad guy behind the attack on your own company.

Attackers, motivated by money, are homing in on individuals and their bank accounts, and on companies, rather than unleashing a worm to wreak havoc. It's all about the people.

And that often requires a connection, and we're not talking Internet connection. Take the guy sitting in the next cubicle: How well do you really know him? Most targeted attacks require a turncoat insider who's got an ax to grind or a buck to make by teaming up with the bad guys, and this unsettling trend is only going to get worse, security experts say.

A recent University of Michigan study found that 70 percent of corporate theft incidents can be traced to an insider, notes Ellen Libenson, vice president of product management at Symark Software, which sells access control and identity management applications.

"Identity theft is not people from the outside coming in. Very often it involves an insider cooperating," Libenson says. Examples include a programmer in financial trouble who needs to pay off his credit card, or an employee whose online poker-playing has bankrupted him.

Libenson says many companies just don't fund projects to control privileged access. "It's hard to plead the case for why an organization needs this," she says. It's both a technology and business policy issue.

The insider threat is about to reach the tipping point, in Libenson's view, especially with organized crime fanning the fire. "The motivation is even greater, with IT budgets sometimes cut thin," she says. "When people see they are losing their jobs, they do stupid things."

Attack venues are evolving to accommodate new targets. This year saw an increase in Web-based attacks, and that's only going to intensify in 2007, security experts say. A recent IDC report found that up to 30 percent of companies with 500 or more employees have been infected via Web surfing, and 20 to 25 percent via email-borne worms and viruses.

Phishing exploits, too, are moving more toward Web attacks, notes Gunter Ollmann, director of IBM-ISS's X-Force. "Phishing [next year] will focus more on directing people to URLs that contain exploits and malware."

Web 2.0 is also opening a can of worms, security experts say. Watch out for end users who frequent social networking sites and Wikipedia, which are the most susceptible to malware and attacks, as well as Web apps that use Ajax and Web 2.0 software. Cross-site scripting (XSS) worms, for instance, that insert malicious code into Web pages can do some scary stuff, according to ScanSafe, like let an attacker change user settings and access account information.
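To make the XSS-worm mechanism in that paragraph concrete from the defender's side, here is an added example (not code from the article, ScanSafe, or any vendor named on the page). It assumes a hypothetical social-networking profile template, shows the vulnerable rendering beside the output-encoded one, and audits what an HTML parser actually sees in each. The payload and profile text are constructed samples.

```python
import html
from html.parser import HTMLParser

# Tags that the (hypothetical) profile-page template itself emits; anything
# else appearing in the parsed output came from user-controlled data.
TEMPLATE_TAGS = frozenset({"div", "h2", "p"})

# Constructed sample inputs (not taken from any real site or incident).
# The first is the kind of "about me" text a self-propagating XSS worm plants
# in a profile: an image tag with an inline event handler plus a script block.
WORM_PAYLOAD = '<img src=x onerror="alert(1)"><script>document.title="owned"</script>'
BENIGN_TEXT = "Likes coffee & <3 security"


def render_profile_unsafe(display_name, about_me):
    """Vulnerable pattern: user-controlled strings are spliced straight into the
    page, so any markup they contain becomes live DOM for every visitor."""
    return f'<div class="profile"><h2>{display_name}</h2><p>{about_me}</p></div>'


def render_profile_safe(display_name, about_me):
    """Hardened pattern: each user-controlled value is HTML-escaped for the
    element-body context it lands in, so '<', '>', '&' and quotes are shown as
    text instead of being parsed as tags or attributes."""
    return (
        '<div class="profile">'
        f"<h2>{html.escape(display_name, quote=True)}</h2>"
        f"<p>{html.escape(about_me, quote=True)}</p>"
        "</div>"
    )


class ActiveContentAuditor(HTMLParser):
    """Records the tags and inline event-handler attributes that an HTML parser
    actually sees, i.e. what a browser would treat as markup rather than text."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.event_handlers.append(f"{tag}@{name.lower()}")


def audit(rendered_html):
    """Return the tags not emitted by the template and any event handlers found.
    Both lists are empty when user data has been rendered inertly."""
    auditor = ActiveContentAuditor()
    auditor.feed(rendered_html)
    auditor.close()
    return {
        "unexpected_tags": sorted(set(auditor.tags) - TEMPLATE_TAGS),
        "event_handlers": auditor.event_handlers,
    }


def is_inert(rendered_html):
    """True when the rendered page contains only template markup."""
    result = audit(rendered_html)
    return not result["unexpected_tags"] and not result["event_handlers"]


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_profile_unsafe), ("safe", render_profile_safe)):
        page = renderer("alice", WORM_PAYLOAD)
        print(f"{label:6} inert={is_inert(page)} {audit(page)}")
```

The audit deliberately parses the rendered output rather than pattern-matching the raw input: a worm payload that is escaped still contains the text "onerror", but no parser will ever turn it into an attribute, which is exactly the property the hardened renderer buys.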

Meanwhile, with more workers on the move, and with laptops and handheld devices providing a potential entry point into the corporate network, attackers will be going wireless next year, too.

Mobile security weighs heavy on Phil Go's mind for next year. As the CIO of national construction firm Barton Malow, Go says he worries about laptops and thumb drives getting lost or stolen in the field. He's currently looking at token authentication for his users, as well as SSL for secure tunneling. "I'm most concerned with securing our mobile workforce."

And in case you were wondering, spam isn't going away next year. Spammers are dynamically recruiting their botnet armies more efficiently, so that battle will continue in 2007.

"The botnets we [Top Layer Networks] exposed were most aggressively used as a tool for distributed denial-of-service attacks," says Mike Paquette, chief strategy officer with Top Layer Networks. "We saw them trying to extort financial gain, [with threats such as] 'or else we'll take down your site' as well as botnets forwarding spam."

Paquette says botnets next year will be more for distributing malware to commit financial fraud. And image spam will make the spam payload harder to detect, he says.

Secure Computing predicts that the 450,000+ unique zombie machines that appear daily will continue to rise. These machines will be tougher to identify and shut down as they become more intelligent and self-sufficient, says Secure Computing, which expects spam to represent 95 percent of all email by the end of next year.


Other goodies to be on the lookout for in '07 include instant messaging-based worms, rootkits, client-side attacks, and attacks on VoIP systems, security experts say. And don't expect Microsoft vulnerabilities to diminish in the wake of the more secure Vista. Bug-finding overall will still be a hot commodity.

"There will be more vulnerabilities found, with better technologies to help discover them, and there's a motivation for doing it," Top Layer Networks' Paquette says. "So there will be more targeted and effective threats."

And if you still aren't convinced about the human factor, consider this: Arbor Networks says the bad guys will continue to get better at conducting counter-surveillance to cover their tracks. That includes mapping researcher and vendor honeypots and poisoning them with misleading and false data, according to Arbor. And here's the kicker: Arbor says it's seeing cyber criminals use their own researchers to discover new vulnerabilities rather than chasing publicly disclosed ones.

Happy New Year.

— Kelly Jackson Higgins, Senior Editor, Dark Reading


Is Wireless Technology Encouraging Fraud?

Courtesy of TechWeb


JANUARY 2, 2007 | I realize I'm taking a somewhat precarious position by speaking out against the ever-expanding move to mobile computing. However, I believe we're seriously facilitating online fraud by failing to address the lack of meaningful security on mobile devices.

First, let's clear the air: I have nothing against mobile access per se. Indeed, I wouldn't be caught dead without my BlackBerry. But as a technology consumer and corporate IT executive, I take issue with ISPs, technology vendors, and device manufacturers that disregard security concerns when developing methods for consumers to access their banking information, for instance.

How many mobile devices routinely come with antivirus or anti-spyware software already installed? Or better yet, how many ISPs or carriers even offer effective security tools? While numerous ISPs tout their ability to protect your computer from a variety of evils—malware, crimeware, viruses, spyware, and the like—how many wireless carriers advertise their ability to protect your mobile device from these same threats?

New Internet-access devices seemingly appear monthly, and I'm not just talking about new E-mail devices and smart phones. Many gaming systems either offer an Internet-access option or plan to include such access as basic functionality in the near future. But how well protected is your PlayStation from keystroke loggers and Trojans? Consider the following:

  • According to Japan's Computer Emergency Readiness Team (CERT), virtually all cell phones in that country have Internet functionality, making them the most heavily targeted devices for phishing scams and malware. So the malevolent capability exists—the criminals just haven't targeted the United States yet.
  • SMiShing—SMS-based phishing—infects not only mobile devices, but wired computers as well. Many people routinely forward SMS messages to their PCs because linked Web sites are easier to view. Criminals are aware of this and write their SMS message accordingly. By doing so, they're using SMS to effectively target wired computers.

What do you really know about the wireless network you just logged on to? We don't really know who runs those servers and what kind of security is on them. In Japan, some enterprising employees at a coffee shop installed their own software on the company's servers so they could perform a man-in-the-middle attack and get the online banking credentials of everyone who logged on to their bank accounts while getting their caffeine fix for the day.

Consider the TV commercial that shows a couple of buddies at the coffee shop making a debit-card payment online. See the fellow in the corner with the big smile? He's on a laptop running a wireless hotspot, and in their bank account at the same time—happily transferring money to his own account!

The simple truth is that mobile computing offers little security protection today, and few people understand the risks. For the most part, financial institutions like ours have been left to protect online users from these threats—after all, it's our own customers who are at risk.

A cooperative effort between the banking industry and the companies that develop wireless technologies would do much to address these problems. Working in partnership to identify and mitigate security issues before new technologies are released could very well be the answer to developing a safe and secure mobile society. Let's not worry about just how mobile we are until we all work together to find a way to secure the mobility we have.

Hackers, crackers, scammers, spammers, spoofers, and phishers all lurk in the cyberworld. They're a thoroughly reprehensible bunch that deserves a minimum of two weeks in the stocks.

But let's face it, fraud in its many forms has been with us throughout history. We always manage to remain a step behind the criminals, and new electronic media only seem to encourage the fundamentally evil misapplication of human intelligence.

Wireless is merely the latest medium to offer its capabilities to people who should know better than to take advantage of their fellow human beings. The question before us is whether wireless in some way represents a unique, new vehicle for wrongdoing, and deserves special treatment of a legislative or other nature as a consequence. The answer to me is: Are you kidding? No way.

The wireless industry was always a target of fraud. Cloning cell-phone handsets was a billion-dollar problem for the industry, but new technologies have taken the sport out of that. There have even been problems with investment scams surrounding bidding on the auctions used to allocate frequencies to particular carriers.

But no problem in wireless is as great as the use of these devices and services for good old end-user fraud. The beauty of wireless from the perpetrator's perspective, of course, is its fundamental location independence. It's a lot tougher to get caught if one is always on the move. Access to cheap prepaid or even stolen—hey, why stop with just one crime?—cell phones simply allows rotten individuals to stay ahead of the law.

While it may be argued that E-commerce providers and wireless networks offer too much access without enough protections, I submit that the bad guys will still stay ahead of the curve. Wi-Fi networks might ramp up security, and E-commerce services might build in better protections, but those out to steal personal financial data or hack into a network will still find a way.

The ability to pop into your favorite coffee shop and check E-mail or bank balances is as convenient as it is potentially dangerous. Yet no one would advocate banning Starbucks, or cellular-phone networks, or metro-scale Wi-Fi networks, or any other network, wired or wireless, just because the technology can be misused by criminals or employed carelessly by the end users it was created to serve. Matches are great for lighting one's fireplace, but they can also be used for arson. As far as I know, nobody's lobbying Congress to ban matches. There's an upside and a downside to every technology; wireless is no different.

And I'm really left to wonder exactly what we might do if we did want to control wireless. We already have the ability to track cell phones and Wi-Fi devices, with no GPS required. That makes it easy, more or less, to find stolen phones and known criminals foolish enough to identify themselves. But how could we track or otherwise locate someone using Skype on an open (unsecured) Wi-Fi connection?

I don't think too many people would advocate monitoring the Web, wireless or otherwise. Apart from the obvious technical and constitutional issues, we don't have the technology to do so. Besides, it's just too easy to hide one's identity—and maybe that's as it should be.

Few CIOs are worried enough about the potential for fraud to keep workers wired. CIOs know that the perils of mobile technologies are many, but the benefits of a wireless workforce are even greater. The best a CIO can hope for is smart users who follow smart corporate policies.


InfoSecurity tops list of executive worries

Jan 2, 2007 3:50 PM

The compromise of corporate information systems is the number-one worry of business executives, according to a survey of 197 senior executives at corporations with $1 billion or more in annual revenue.

The survey, conducted by Harris Interactive, revealed that 61 percent of the executives cited data breaches as their biggest worry. Terrorism (55 percent) and corporate malfeasance (40 percent) round out the top-three potential crisis situations.

"No business can survive without customer trust," said Harris Interactive's Mike Dabadie, president of the company's Brand and Strategic Consulting practice. "In today's computerized economy, customers trust companies with a lot of sensitive personal and financial information. Any breach of data security that would compromise that trust can have a devastating impact on the company's reputation."

Other findings reveal that workplace violence was cited by 21 percent as a major worry; industrial accidents were cited by 28 percent.

Fittingly, 74 percent of the respondents say that their company has crisis management plans in place to deal with these situations. Of those companies with crisis management plans, 40 percent have, at least once, used a component of the plan.


Microsoft: Vista's Secure, Not Perfect

Disclosure of a zero-day vulnerability doesn't alter the claim that Vista is the safest Microsoft operating system so far, says company's security manager.

Last week's disclosure of a zero-day vulnerability in Windows Vista doesn't put the lie to the claim that it's the safest Microsoft operating system so far, a company security manager has said.

"The finding of vulnerabilities in any software is to be expected," said Stephen Toulouse, senior product manager with Microsoft's security technology group, in a blog posting earlier this week. "This is all part of the process of creating complex software today, and no one is immune to it. It's not, as they say, big news to us in the security industry."

Proof-of-concept code for an unpatched bug in all supported versions of Windows, including Vista, went public last week, prompting warnings from security vendors who classified the flaw as a low or medium threat. Microsoft has said it was "closely monitoring" the situation, but has not released any additional information since Dec. 22.

Toulouse countered that the exploit doesn't invalidate Microsoft's contention that Vista is more secure than its predecessor, Windows XP. "This product [is] the most secure version of Windows we've produced to date. That doesn't mean 'zero vulnerabilities.' No one can claim that crown," he added.

He also predicted that users would see more vulnerabilities early in Vista's lifespan than in previous versions of Windows. "We're probably going to see a higher initial rate of reported vulnerabilities to us than with previous versions of our products, given the early view researchers have had into Vista," Toulouse said. "This is going to help make the product stronger before many of the threats against it have a chance to emerge."

Other Microsoft executives, including Jim Allchin, the soon-to-retire head of the Windows unit, and chief executive Steve Ballmer, have repeatedly said that Vista will prove to be the most secure Windows yet. Like Toulouse, Allchin also has noted that no software can be considered 100% safe.

Said Toulouse: "No one will ever get the software right 100% out of the gate."


Brief: Cybersaboteur Sentenced To Eight Years

Former systems administrator took down ex-employer's servers.

The former systems administrator convicted in July of launching a cyberattack on UBS PaineWebber four years ago was sentenced to 97 months in jail in U.S. District Court in Newark, N.J., last week. Roger Duronio, 64, stood impassive as Judge Joseph Greenaway Jr. handed down the sentence. "This wasn't an instance when an individual argues that 'I had a bad day, and I made a mistake,'" said the judge.

Duronio was found guilty of computer sabotage and securities fraud for planting a so-called logic bomb that took down as many as 2,000 servers in UBS PaineWebber's central data center in Weehawken, N.J., and in branch offices around the country.


Made4biz Security: Translating real-world security know-how into state-of-the-art security systems.