Sunday, February 4, 2007

Russian expert: Terrorists may try cyberattacks

Energy grid one possible target for Chechen separatists

Jeremy Kirk   

 December 13, 2006 (IDG News Service) -- A Russian computer security expert predicts that terrorists could seek to target the country's critical infrastructure through electronic warfare, a strategy that could raise the stakes in how Russia handles computer crime.

While terrorists aren't believed to currently have the know-how to disrupt critical infrastructure, it would be "very dangerous" if they start learning, said Valery Vasenin, head of the Computer Security Department at the Institute for Information Security Problems (IISP) at Moscow State University.

"I think the phenomenon of terrorism will go in this direction," Vasenin said in an interview at his office. "This is probably the most important problem for the coming years."

Russia's energy grid is a possible target, and an attack on it could cause widespread blackouts. The air transportation or fuel distribution systems are other possible targets, Vasenin said.

Russia has experienced chilling episodes of terrorism. In September 2004, 331 people, more than half of whom were children, were killed when Chechen separatists stormed a school in Beslan. In October 2002, Chechen rebels took 850 people hostage in a Moscow theater; 117 died after Russian forces used a poisonous gas before entering the premises.

No major cyberterrorism incident in Russia has been recorded. However, the country's infrastructure is becoming more networked and less isolated than before, which could make it more vulnerable to cyberattacks, Vasenin said.

"Russia, at the moment, is average in terms of computer security, like the rest of the world," Vasenin said.

In the 1990s, the Internet in Russia was still viewed as something of a domain for academics, Vasenin said. But the rapid change of technology and emergence of threats has led to greater attention to security issues, he said.

Moscow State University's IISP was established in 2004 to study network security, the psychology of human behavior and the Internet, along with computer forensics and judicial issues.

Russia lacks laws that clearly define computer crime, he said, making it difficult for Internal Affairs Ministry agents to investigate and bring cases. IISP is studying other countries' computer crime laws and formulating recommendations.

"They [the Internal Affairs Ministry] are somewhat unarmed," Vasenin said. "We understand we [Russia] have these problems related to legislation, just as there are worldwide problems."

Through June, Russia recorded 8,400 computer-related crimes, according to figures released by the Internal Affairs Ministry in October. Forty-three percent of the cases were related to online auction fraud, with the remainder comprising information theft, unauthorized access, child pornography violations and others, the ministry said.

Boris Miroshnikov, who heads the cybercrime department in Russia's Internal Affairs Ministry, has called for more trained experts to handle criminal cases that often cross international borders. Miroshnikov's comments at a cybersecurity conference were published earlier this year by Moscow State University.

"Do we have today a school of experts in the field of cybercrimes?" Miroshnikov told conference participants. "Unfortunately, I do not think so."

 

Spy guys

Jon Espenschied

January 12, 2007 (Computerworld) Maybe I'm a little old for it, but I do enjoy the change of pace a big wireless security penetration project provides.  Once or twice a year, I get to put down my thrill-a-minute governance frameworks, quit rockin' out policy advice, and make like the black hats for a week or two. 

There are a few differences between this sort of project and the usual network security assessment.  It also prompts a lot of questions from clients, peers and curious IT staff, most likely because it looks like a lot of fun.  For the most part, it is. 

It goes like this: Instead of heading to Hertz when I hit the ground in a client's city, I hitch a ride over to Penske or a local truck rental outfit and pick up a large plain white van or a midsize box truck for my team.  I'm partial to fiberglass-sided box trucks because they are relatively transparent to radio signals.  This means no external antennas or tell-tale wires trailing out of the cab or back door.

Then we strike out for Goodwill or the local thrift store.  I'm on the frugal side, but I don't fancy sitting cross-legged in the back of a truck for a week. I buy a couple of desks and enough chairs for the consultants that'll be joining us for the exercise, and set them up in the back of the truck. A few twenties will take care of it.  If we're in a droll mood and a bit lucky, a couple of disassembled cubicles will fit the bill.

A hefty power inverter (400 or 800 watts) and a couple of power strips heat up the mobile office.  A pass-through door from the cab to the truck box is handy for plugging in a commodity-sized inverter, but a larger one will have to be wired directly to the truck batteries. I will admit to bringing a couple of low-wattage 120 volt LED bulbs to brighten things up with a thrift store granny lamp, and I once bought a really nice rug.  However, I've refrained from toting along too many creature comforts that might overwhelm the truck battery, and I've never brought out a blender for margaritas.  No, sir.

The wireless tools are predictable: laptops with specialized wireless cards, ominous-looking antennas, and a decent magnetic GPS to stick on the roof.  When choosing a wireless PCMCIA card or a replacement MiniPCI card for one's laptop, sensitivity is as important as output power.

Generally one large omnidirectional antenna and one serious directional antenna will do the trick for 2.4-GHz work (802.11b or .11g), but more may be necessary for alternate frequencies (5GHz for 802.11a) or more aggressive attacks.  While some favor Yagi-style directional antennas for their impressive ray-gun or phallic appearance, I'm a fan of equivalent high-gain flat panels for sheer portability and practicality.

Antennas on tripods are handy for fine-tuning when the truck is parked in an odd spot, but it's more stable to tape or strap them directly to the wall.  Many rental vans have wooden tie-down rails along the inside. It's good to keep in mind that the desire to have a signal source for each available computer should not override basic safety concerns such as making sure there's adequate space around and no people or other obstructions in front of high-gain antennas.  Significant radio frequency energy is not something to be trifled with.

Choosing good coaxial cable is something I learned from Uncle Lloyd.  Even strong signals may be almost lost over a long pigtail, while LMR-400 or equivalent -- the standard half-inch-thick stuff provided by most wireless outfitters -- is so stiff and unwieldy that it may pull out connectors or tug a laptop off a desk.  For a mobile setup, I prefer to dispense with thick cables and pigtails entirely; LMR-240 or similar medium-sized cable with custom connectors or adapters provides low signal loss and portability without having to be duct-taped down every few inches.

Basic networking is often overlooked, and can make for long days.  It's generally considered poor form to bogart bandwidth from a convenient unsecured wireless access point while performing a security assessment of an adjacent network. Bring your own. For back-office connectivity, GPRS, 1xRTT or comparable service is slow but usually adequate, and a low-power Ethernet hub is handy to share one system's connection to the internet and the home office. Sharing the connection over an 802.11 wireless connection would be a silly thing to do.

The most important item, as any seasoned penetration-tester will confirm, is a get-out-of-jail-free letter, preferably signed by a C-level officer for the organization being probed. Each team member ought to have a copy in his or her pocket, and another copy taped to the inside wall of the truck in a visible spot where one can point a terrorist-addled security guard or local peace officer who's unsnapped his holster. Half a roll of gaffer's tape keeps everything in place; don't forget to tape the laptops down to the table for truck-conducted wardriving. 

When the crew settles into their re-covered Barcaloungers, we're ready to roll.  I'm always surprised at large companies that don't bat an eye at large trucks situated in front of the CEO's window, trolling the alleys, or parked in the fire lane all day long.

There's always debate in the wireless security community about assessment software, and there are many good choices.  Excellent commercial products are available, such as Network Chemistry's RFprotect Mobile and AiroPeek from Wild Packets, but I find that the open-source tools KisMAC and the Remote Exploit Auditor's CD give me the most effective and expedient results.

As the name implies, KisMAC is an OS X application inspired by Kismet, the stalwart if not user-friendly Linux wireless security tool. Behind its innocuous interface, KisMAC includes a plethora of survey, data capture, GPS support, and modern key cracking tools. One of my favorite features is the ability to export wireless node findings and locations in KML format for import into the standalone Google Earth application.  Not only does the map detail make for visually stunning presentations that spur executives into actually funding security remediation (gasp!), the terrain elevation information makes it easier to explore anomalies from directional signals and obstructions.

The Auditor CD is actually a collection of open-source tools for all manner of network security projects, far more comprehensive than can be covered here.  Among others, it provides Kismet with a graphical interface, the inscrutable Wellenreiter, airodump, a host of cracking and exploit gear, and even Bluetooth tools.  If entree is gained or there's work to be done on the wired side, the Auditor CD provides a wealth of other network security tools at one's fingertips.

One of the nicer aspects of the Auditor CD is that it comes as a "live" bootable Linux distribution based on Knoppix. It supports a wide range of wireless cards, and it'll run on many commodity laptop models without any installation woes.  While building one's own Gentoo-based wireless survey system from the kernel up may be somewhat more appealing than mumblety-peg on slow days in the office, a bootable distribution is king in the back of a cold truck.

We listen and gather data; probe and prod.  We drive, we circle, we sit, we do it again.  Sometimes we find interesting flaws in a corporate wireless network. Other times it's difficult to maintain professional composure when faced with silly configurations or creative new debacles. The pattern of our analysis is driven by collective experience and the areas of assessment we're expected to document, but that's another story.

When we're all done, we pack up our gear, clean out the truck, donate the furniture back to the thrift store (pre-priced!) and head home for final analysis and documentation. Now, about those margaritas...

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He is currently a senior security consultant in Seattle, where his advice has been ignored by CEOs, auditors and sysadmins alike.

 

GoDaddy shutters popular security site at MySpace request

Termination happened without warning, says Seclists keeper

Robert McMillan   

 January 26, 2007 (IDG News Service) -- Internet service provider GoDaddy.com Inc. has come under fire for pulling a popular hacking Web site down this week, allegedly at the request of MySpace.com.

GoDaddy pulled the plug on the Seclists.org Web site, knocking about 250,000 pages of archived mailing lists offline for most of Wednesday, apparently because a post to the Full Disclosure discussion list archived on the site contained the names and passwords of MySpace.com users.

Seclists.org hosts widely read archived copies of a number of discussion lists, including Bugtraq and the Daily Dave. It is used by tens of thousands of readers every day, according to the site's owner, Gordon Lyon, who is better known by his hacker pseudonym, Fyodor Vaskovich. Lyon is also the creator of the Nmap network scanning security tool.

MySpace.com and GoDaddy did not reply to calls and e-mails requesting comment, but Lyon said he was told by GoDaddy representatives that his site was pulled at MySpace.com's request.

MySpace was responding to a legitimate concern about its users' privacy. More than a week ago, nearly 60,000 MySpace passwords and user names were disclosed on the Full Disclosure list. They had been collected and posted on a phishing Web site, which has since been shut down, but a copy of the list was also posted to Full Disclosure. Copies of the list can still be found online, leading Lyon to wonder why his mirror copy of the discussion list was singled out.

Though service was eventually restored, Lyon blasted the Internet service provider for acting without giving him time to remove the offending post.

"Instead of simply writing me ... asking to have the password list removed, MySpace decided to contact [only] GoDaddy and try to have the whole site of 250,000 pages removed because they don't like one of them," he wrote Thursday on his Web site. "And GoDaddy cowardly and lazily decided to simply shut down the site rather than actually investigating or giving me a chance to contest or comply with the complaint. Needless to say, I'm in the market for a new registrar."

 

Spotting System Intrusions a Big Challenge for IT

Lag between breach at TJX and its discovery isn’t a surprise, execs say

Jaikumar Vijayan   

 January 29, 2007 (Computerworld) --

Protecting corporate systems against intruders isn’t easy. But detecting a breach that has actually happened can sometimes be even harder, IT managers and analysts said last week in the wake of the high-profile data compromise at The TJX Companies Inc.

The system intrusion at the Framingham, Mass.-based retailer occurred last May but wasn’t discovered until mid-December — seven months later. TJX publicly disclosed the breach two weeks ago.

In a similar incident at Ohio University, a server break-in that exposed the personal data of about 137,000 alumni went unnoticed for more than a year before being discovered last spring along with several other security breaches.

The gap between the intrusion at TJX and its discovery isn’t entirely surprising, given the myriad ways attackers can gain access to systems and then conceal their tracks, said Drew Maness, a senior security strategist at a large entertainment company that he asked not be named.

“The reason it’s so difficult [to discover a data breach] is because it can come at you from any angle,” Maness said. “With physical security, it’s very rare that someone breaks in through a side wall on the eighth floor. With computer security, they come in through that side wall.”

To quickly and consistently detect such intrusions, IT managers need to be able to collect and analyze literally every transaction flowing through their networks in real time, according to Maness. “You’ve got to know what every single packet on the network is doing, where it’s coming from, where it’s going and which ones are bad,” he said.

That can be a huge challenge, considering the sheer number of transactions and the terabytes of storage space required on a daily basis to store log data about all of them, said David Jordan, chief information security officer for Virginia’s Arlington County. It also requires comprehensive modeling of typical network behavior enterprisewide so any abnormal activity can be pinpointed, Jordan said.

Few Existing Products

For now, at least, there are few out-of-the-box products that can help companies do end-to-end log collection and real-time data correlation and analysis, said Amer Deeba, vice president of marketing at Qualys Inc., a vulnerability management services provider in Redwood Shores, Calif. And the cost of custom-building such capabilities can be prohibitive, added Deeba.

But there are some tools that IT managers can use to address parts of the challenge, Deeba noted. For instance, several logging and monitoring tools are available for quickly detecting unauthorized database activity.

USEC Inc., a $1.6 billion energy company in Bethesda, Md., uses an appliance from Guardium Inc. to monitor the activities of the administrators who manage the Oracle and SQL Server databases underlying its financial applications. The Guardium device can detect unauthorized changes and other policy violations that could affect the integrity of USEC’s financial data, said CIO David Vordick.

The technology also enables USEC to monitor compliance with Sarbanes-Oxley financial reporting regulations and provides the company with a real-time security-alerting capability, Vordick said.

Accor North America, a Carrollton, Texas-based operator of hotel chains such as Red Roof Inns and Sofitel, is using an appliance from Imperva Inc. to detect unusual database activity as it occurs. Such tools let companies move from a “passive security” model to a more aggressive one, said Jaimin Shah, a senior security engineer at Accor.

Being able to do the same kind of monitoring of all network and system assets could help companies detect suspicious activity more quickly, Shah said. “The problem is that monitoring generates a tremendous amount of logs,” he said, adding that “getting the right information as quickly as we can” is a challenge.

Vendors such as LogLogic Inc. are beginning to offer more efficient ways to sift through log data, Maness said. But he still expects it to take up to 10 years to develop true end-to-end capabilities for tracking networks.

 

 

Trojan code more common than Windows flaws

Report indicates that four out of five threats are Web-based

Michael Crawford   

 January 29, 2007 (Computerworld Australia) -- The 2007 Sophos Internet Threat Report, released last week, indicates a seismic online shift towards using Web-based threats as a way to spread malicious code and dupe users into downloading it.

The United States, China, Russia, the Ukraine and the Netherlands rounded out the top five malware hosting countries for 2006.

Trojan-like malicious code, which outnumbered Windows-specific Internet-based worms in 2005, rose to 80% of all threats in 2006. In 2005 that figure was 62%.

Paul Ducklin, head of technology for Sophos Asia Pacific, noted that there is no direct link between malware hosting and botnets, as often a computer can be tweaked to send spam but for some reason could not be used to serve malware.

"Infected e-mail through attachments has gone down to one in 44 and the fact it has fallen is not because there is less malware, but that the bad guys are more determined to create distinct bits of malware, and these bad guys are no longer enamoured with mass mailing malware because it draws attention," Ducklin said.

"2006 saw an explosive growth of Web based downloaders and 41,536 new pieces of malware but overall the amount of e-mail containing infected attachments was down to one in 337. November saw 7612 new threats. The average has been roughly 8,000 a month, which is around 113 per day with five released every hour."

The report also found that 75% of all phishing e-mail sent during 2006 targeted either PayPal or eBay users, and the first incidents of voice phishing were discovered, in which scammers redirected e-mail recipients to a telephone number as opposed to a fraudulent Web site.

Ducklin said even company switchboards are being replicated to give this scam more success.

"We're not talking about completely replicating the switchboard but it is a call to action, getting a switchboard in the same way of ripping off other stuff," Ducklin said.

"Obviously you cannot just speak English, but the big deal with VoIP is that it makes the cost of calls to the recipient very low."

The top malware family for 2006, as recorded by Sophos, was Mytob, which accounted for 30% of the problem. Netsky, Sober, Zafi, Nyxem, Bagle, MyDoom, Stratio, Clagger, and Dref rounded out the top 10.

 

Vermont agency warns 70,000 of possible data compromise

Social Security numbers and other information may have been exposed

Jaikumar Vijayan   

 January 30, 2007 (Computerworld) -- The Vermont Agency of Human Services (AHS) today started sending letters to about 70,000 individuals in the state warning them of a computer compromise that may have exposed their Social Security numbers and other personal data.

The breach was discovered on Dec. 8 and involved a computer running an application that is used for collecting delinquent child support payments from noncustodial parents in the state. The "bank match" application is used to run quarterly matches of names with nine financial institutions in the state to establish whether delinquent parents have assets that can be used to pay off their child support obligations.

Each quarter, the state sends all nine financial institutions a list including names, Social Security numbers and bank or credit union account information for people who are behind on child support payments. If names from the list match the names of account holders, the institutions are required by state law to transmit that information -- using encryption -- back to the AHS.

But the AHS server that was hacked stored the data in unencrypted fashion, said Heidi Tringe, communications director for the state agency. Tringe added that the AHS now plans to stop keeping the information on the server altogether. "The original design called for the computer to store the data," she said. "That will no longer happen."

Not all of the personal data on the compromised computer belonged to people who were behind on their child care payments. Tringe said information about more than 58,000 customers of the New England Federal Credit Union ended up on the server because the Williston, Vt.-based NEFCU mistakenly sent more information than required to the AHS.

According to Tringe, the NEFCU on two occasions -- in July 2004 and again in October 2005 -- sent over encrypted files via a communication method not used by the state. That resulted in a larger-than-required file of information being received by, and stored on, the compromised AHS server, she said.

John Dwyer, president of the NEFCU, said the agency on those two occasions used an "all accounts" method for transferring data instead of the "matched accounts" method used by the Vermont agency. It was only on those two occasions that this sort of data transfer happened, he said.

"We were never informed of the error," Dwyer said. "If we had been, we certainly would've corrected it."

The 58,000 names represent nearly all of the NEFCU's members at that time. "We've grown bigger since then," Dwyer said.

The Windows-based system that was broken into at AHS appears to have been the target of an automated attack and not a directed one, Tringe said. "It looked like the system had been infected by several bots," which were then used to store various files on the computer -- including a copy of the TV show Bones, she said.

The compromise was detected when the agency's IT staff noticed several of its computers being pinged by the breached server, she said. According to Tringe, the compromised server had "several weaknesses that could have been exploited," including a missing Microsoft Corp. security patch, she said. "Unfortunately, we have no way to determine what particular weakness was exploited." In this case, there is evidence of suspicious activity occurring on the computer prior to the patch being released.

"Our initial exams showed no evidence to indicate that any personally identifiable or financial information had been accessed," she said. But since there is no way of confirming that, the state decided to alert individuals of the potential compromise of their data, she said.

Letters are being sent to account holders at the following nine institutions: Central Vermont Public Service Employees Credit Union, First Brandon National Bank, Federal Family Credit Union, Granite Hills CU, Merchants Bank, New England Federal Credit Union, Northfield Savings Bank, Opportunities Credit Union and the Vermont State Employees Credit Union.

 

Ach, du spammer!

German police target of very specific email, malware

John Blau

February 01, 2007 (IDG News Service) -- Germany's Federal Criminal Police Office (BKA) is once again the target of criminal forces on the Internet.

Spam e-mail allegedly sent by the police office is making the rounds in the German-speaking region of Europe. The e-mail contains an attachment with malware that has yet to be classified and is thus slipping by some antivirus programs, according to the BKA Web site.

The subject line of the e-mail reads "Ermittlungsverfahren," or investigation. Recipients are informed that they face charges and should open the attached document, fill it out and return to the police office.

Once opened, the malicious code affects some undisclosed functions of the user's PC and sends itself to the addresses listed in the user's address book.

Telephone lines at the BKA were largely blocked Thursday as numerous recipients of the malicious spam called a telephone number listed in the e-mail that is the main number of the police's press office.

In November, the BKA was the target of a similar malicious spam attack. This one involved an attachment with a worm also designed to automatically send itself to the addresses listed in the computer user's address book.

The BKA urges PC users to delete the spam e-mail without opening it and to update their antivirus software.

 

Call the cops: We're not winning against cybercriminals

Kaspersky seeks police help with fighting cybercrime

Tim Greene

February 01, 2007 (Network World) -- Kaspersky Lab Thursday will acknowledge that cybercriminals have the upper hand and cooperative international policing is needed to protect honest users.

"We don’t have the solutions," says Natalya Kaspersky, CEO of the company. "We thought it was possible to do antivirus and that was adequate protection. That time is gone."

Solving the problem is beyond the capabilities of security vendors alone, she says, and coordinated efforts among countries are needed. Kaspersky Lab is expected to share these assertions during a press conference in New York City Thursday.

A Federal Trade Commission official will join Kaspersky in the call for more law-enforcement involvement in punishing the authors and disseminators of malware as well as those who exploit it to commit monetary crimes. Also joining in will be James Lewis, a director and senior fellow at the nonprofit Center for Strategic and International Studies, which advises governments on security and prosperity.

The group will champion international agreements that create better channels for tracking cybercrime across international borders.

Kaspersky's CTO Eugene Kaspersky says security software vendors are overwhelmed. The company dedicates 50 engineers to analyzing new malware samples and trying to find ways to block them, but with about 200 new samples per day and growing, it's an uphill fight, he says.

"No antivirus company can come before you and say we can handle everything," Kaspersky says. "It's responsible to be vocal."

Police have made efforts to prosecute the people behind the malware, but success has been limited. In 2004, there were 100 arrests worldwide. That number rose to a few hundred in 2005, then dropped back to about 100 again in 2006, Kaspersky says. "The stupid guys got jailed," he says. "The smart guys -- it's very difficult to find them."

Part of the problem is the global nature of the Internet, which enables the author of malware in one country to sell it to someone in another country who wants to use it to trigger crimes in yet other countries. Police in any of the countries involved may find some of those responsible, but they lack the coordination to root out everyone along the chain, Kaspersky says.

Software designed to block malware is effective, but cannot stop all attacks, Natalya Kaspersky says. "We are just like the police. They miss many cases but they do their best. We try to prevent everything, but we cannot do miracles."

 

Survey: ID fraud in U.S. falls by $6.4B

Eric Lai

 

February 01, 2007 (Computerworld) Identity fraud in the U.S. fell by $6.4 billion, or 12%, last year, with the most damaging kind -- fraudulent new account openings -- dropping the most, according to a survey released today.

But the good news was balanced by results showing that young adults, despite their tech-savviness, are at greater risk for ID fraud, and that a fraud-detection "digital divide" separating the wealthy and the poor was also emerging, according to Javelin Strategy & Research.

"Lower-income people (less than $15,000 per year) are less likely to be victimized by ID fraud, but it tends to last twice as long," said James Van Dyke, president of the Pleasanton, Calif.-based research firm. And the trauma of fraud tends to cause poorer people, whether the fraud was committed online or not, to shun the Internet and other technology that could potentially cut their risk of ID fraud.

"Lower-income people essentially run away from computers," he said.

The latest annual survey from Javelin found that total ID fraud in 2006 added up to $49 billion, down from $55.4 billion in 2005. The percentage of people affected by fraud has steadily fallen from the first survey in 2003, when it was 4.7%, to 3.7% last year.

"The problem hasn't gone away, but we have turned a corner," Van Dyke said.

Moreover, new account fraud, which involves perpetrators stealing victims' personal information and creating bank or credit accounts that they can raid for cash and abandon, dropped significantly from 2005 to 2006, from 1.52% of Americans to 1.05%. The total cost of that fraud also fell 25%, to $17.9 billion. And the average value of the fraud fell 30%, to $7,261 per victim.

Javelin's annual survey is sponsored by leading financial institutions, including Visa, Wells Fargo Bank and CheckFree Corp. But Van Dyke emphasized that neither the survey, which quizzed 5,000 people by telephone, nor its results, were influenced by the sponsors.

People making more than $150,000, while the most likely to be victimized at 7.3%, also tend to take the smartest measures to prevent future fraud, such as canceling paper statements and monitoring their accounts online.

"They know computers are here to stay and use them to their advantage," he said.

Young people between the ages of 18 and 24 were also at a higher risk for ID fraud, at a rate of 5.3%. Van Dyke attributed that mostly to carelessness. Young people were less likely to stop receiving paper statements or to shred them. And belying their Web smarts, they were much less likely to use antivirus, antispyware or firewall software.

He conceded, though, that lifestyle issues, such as the greater likelihood of young people having roommates and also moving from apartment to apartment, may also raise their risk.

Javelin has long emphasized that its results show that while online fraud caused by shadowy elements may grab headlines, most fraud is committed by people close to the victims and/or through decidedly low-tech means.

The 2006 survey results continue to bear that out, Van Dyke said. Of the 42% of victims who knew how their personal information was stolen and the fraud committed, only 4% said phishing was the cause, while 38% said the cause was a stolen wallet or credit card.

All told, online causes of fraud, including phishing, viruses or spyware, totaled just 16% of identity fraud. That is up from the 9% of ID fraud cases that started online in 2005, though Javelin said its sample size is so small that the increase is not statistically significant.

Of 31% of victims who knew the perpetrator's identity, one-quarter said it was a family member or relative, while 23% said it was a friend, neighbor or in-home employee. By contrast, just 2% were people they'd met over the Internet, and another 2% were employees at a financial institution.

Van Dyke said he didn't think that the population of perpetrators was skewed differently in the remaining 70% of cases.

Van Dyke said that the drop in new account fraud could be credited in part to changing practices by banks and credit card companies that detect fraud more quickly and enable customers to nip it in the bud.

For instance, some banks now let customers permanently turn off the option to transfer money internationally, a favorite tactic of scammers who have compromised a victim's existing account.

So what can people do to stop fraud? Van Dyke's top recommendation is to get rid of paper bank statements and invoices, which he said was more effective than shredding them after the fact. People should also carry only the personal pieces of ID that are absolutely necessary. Other forms of identification, such as Social Security cards or rarely used credit cards, should be left in secure places, such as a personal safe.

Online, people should also use strong PINs and passwords and never provide personal information except to a trusted source.

 

Trojan code more common than Windows flaws

Report indicates that four out of five threats are Web-based

Michael Crawford    January 29, 2007 (Computerworld Australia) -- The 2007 Sophos Internet Threat Report, released last week, indicates a seismic online shift towards using Web-based threats as a way to spread malicious code and dupe users into downloading it.

The United States, China, Russia, the Ukraine and the Netherlands rounded out the top five malware hosting countries for 2006.

Trojan-like malicious code, which outnumbered Windows-specific Internet-based worms in 2005, rose to 80% of all threats in 2006. In 2005 that figure was 62%.

Paul Ducklin, head of technology for Sophos Asia Pacific, noted that there is no direct link between malware hosting and botnets, as often a computer can be tweaked to send spam but for some reason could not be used to serve malware.

"Infected e-mail through attachments has gone down to one in 44 and the fact it has fallen is not because there is less malware, but that the bad guys are more determined to create distinct bits of malware, and these bad guys are no longer enamoured with mass mailing malware because it draws attention," Ducklin said.

"2006 saw an explosive growth of Web based downloaders and 41,536 new pieces of malware but overall the amount of e-mail containing infected attachments was down to one in 337. November saw 7612 new threats. The average has been roughly 8,000 a month, which is around 113 per day with five released every hour."

The report also found that 75% of all phishing e-mail sent during 2006 targeted either PayPal or eBay users, and the first incidents of voice phishing were discovered, in which scammers redirected e-mail recipients to a telephone number as opposed to a fraudulent Web site.

Ducklin said even company switchboards are being replicated to give this scam more success.

"We're not talking about completely replicating the switchboard but it is a call to action, getting a switchboard in the same way of ripping off other stuff," Ducklin said.

"Obviously you cannot just speak English, but the big deal with VoIP is that it makes the cost of calls to the recipient very low."

The top malware family for 2006, as recorded by Sophos, was Mytob, which accounted for 30% of the problem. Netsky, Sober, Zafi, Nyxem, Bagle, MyDoom, Stratio, Clagger, and Dref rounded out the top 10.

 

Hackers commit offsides hit

Dolphins' Web sites hacked in advance of Super Bowl

Robert McMillan    February 02, 2007 (IDG News Service) -- The Web sites of Dolphin Stadium and the Miami Dolphins, host to Sunday's Super Bowl football game, have been hacked, and malicious code on those sites has been attempting to infect PCs for at least a week, security experts said Friday.

The breach on the stadium site was discovered by Websense Inc.'s automated tools on Jan. 26, but the engineers at the company were not alerted to the problem until this week, when Websense customers complained that they were unable to visit the site.

The dolphinsstadium.com and miamidolphins.com sites are affected by the attack, as are mirror copies of those sites such as proplayerstadium.com. Security experts strongly advise Web surfers to avoid these sites until the compromise is contained.

"If you go to the [Dolphins'] Super Bowl Web site with a Web browser that's not running the latest and greatest patches from Microsoft, you could get exploited," said Dan Hubbard, Websense's senior director of security and technology research.

Miami Dolphins spokesman George Torres said that the matter is being investigated.

The Indianapolis Colts face the Chicago Bears in the National Football League's championship game, one of the most anticipated sporting events of the year in the U.S.

The Dolphins' sites serve up malicious JavaScript code that exploits two known Windows vulnerabilities, Hubbard said. It then attempts to connect with a second Web server that installs a Trojan downloader and a password stealing program on the victim's computer. The Trojan program lets the attackers install malicious software at a later date, he said.

The Web site that downloaded the malicious software is based in China and was operating on and off on Friday morning, according to Roger Thompson, chief technology officer at Exploit Prevention Labs Inc.

The Microsoft flaws that were exploited by hackers on the sites were both patched by October, but the breach is significant, Thompson said.

"It's a pretty big deal," he said via instant message. "A lot of people check out football stuff at work, and I bet lots of companies are not patched, even through October."

The NFL's Superbowl.com Web site is not affected by the hack, Thompson said.

Websense published an alert on the hack Friday morning, after first notifying the Miami Dolphins, Hubbard said.

 

Microsoft ships SSL VPN software

It's a combination of its Whale Communications and ISA Server

Robert McMillan    February 01, 2007 (IDG News Service) -- Microsoft Corp. has introduced a new product combining the Whale Communications virtual private networking (VPN) software it bought last year with the latest version of its Internet Security and Acceleration Server (ISA Server), the company said Wednesday.

Called the Intelligent Application Gateway 2007 (IAG 2007), the software will give remote users a way to access Outlook e-mail accounts, as well as corporate applications while outside of the company firewall. Whale's software uses the Secure Sockets Layer protocol and can be used to gain VPN access via the browser.

Microsoft and Whale had offered a combined version of their products since December 2005, but IAG 2007 is the first version of this software released since Microsoft purchased Whale in July 2006.

The software's licensing has been changed to allow customers to pay one price for the Application Gateway and various add-ons like network connectors, software modules and Intelligent Application Optimizers. Microsoft did not say how much it would charge for the new software.

IAG 2007 can be purchased in preconfigured appliances built by Network Engines Inc. and Celestix Networks Inc.

 

Opinion: Four laws Congress needs to pass now to boost computer security

Ira Winkler

 

February 01, 2007 (Computerworld) Even though we have a new Congress, I doubt that much will change with regard to computer security. While a law related to identity theft will probably be passed in one form or another, I expect that it will be trivial and not deal with preventing the theft of individuals' personal information. Corporate lobbyists have proved themselves to be too adept at manipulating members of Congress so they don't pass laws requiring companies to be proactive, especially with regard to security measures.

Identity theft is a symptom of poor computer security. There are two underlying methods of identity theft: hacks of vendor computers, and client-side attacks. Vendor hacks are the result of poor security on the part of the vendor and often lead to the theft of thousands, or millions, of credit card numbers, at once. The laws passed in this regard basically state requirements that vendors have to follow once data is stolen. However, they do not lay out computer security requirements. The hope is that if vendors have to act if their security fails, they will try to better protect themselves. All you have to do is browse Computerworld.com to see how well that's working.

Congress, however, has taken no action to address client-side attacks targeting the end user. These include phishing, keystroke logging and virus attacks. The underlying enabler of these attacks is the bot networks that grow unchecked. Botnets are networks of PCs that have been compromised by a remote attacker through known vulnerabilities on the PCs. The attacker then has the compromised PCs do his bidding without the knowledge of the PCs' owners.

Bots send out billions of spam e-mails and their evil cousins, phishing messages. Just as important, bots are used for distributed denial-of-service attacks. DDoS attacks use thousands of computers to simultaneously send data packets to a victim's computer to overwhelm the computer and the supporting network infrastructure. The attackers then use the DDoS attacks to extort money from owners of various Web sites. For example, it's common for online gambling sites to be threatened prior to a major sporting event, where the attacker will say, "Unless you pay me $50,000, I will take you down for a day before the event." A successful attack could cost a good-sized gambling site more than $1 million.

Likewise, DDoS attacks have targeted critical elements of the Internet, such as the root DNS servers. Those attacks have crippled segments of the Internet for periods of time. It should be expected that similar attacks will occur in the future and will attempt to do even more damage. Frankly, I believe that if there is a significant Internet attack, it will involve bot networks.

So, for Congress to do anything that helps protect consumers and the critical Internet infrastructure as a whole, it must pass laws that require proactive processes to protect computers, not that tell people how to deal with the resulting mess.

Here are more reasons for enacting computer security laws:

  • According to reports, the percentage of unsolicited e-mail sent out via bot networks is in excess of 90%. Messages are also growing in size. The number and the size of messages will only continue to grow, so you can assume a very large percentage of Internet traffic is a result of bots.
  • From my personal observations, an unprotected computer will fall victim to dozens of attacks an hour. This implies that botnet scans are constant and responsible for a large volume of Internet traffic.
  • Botnet-related attacks result in billions of dollars in lost productivity and added costs annually. ISPs and large organizations spend billions to increase bandwidth as spam and other botnet-related attacks take up network volume, and billions more is spent on security software and the related hardware to prevent botnet-related attacks.

With the above in mind, the following laws are needed to at least begin to protect businesses, consumers and the Internet itself:

1. Make ISPs (and all organizations providing computer access to more than 100 people) responsible for filtering scan and attack traffic across their networks.

ISPs were declared "publishers" by the Child Online Protection Act. The legal effect of this was that ISPs were found to be not responsible for the content or intent of the data packets going across their networks. While it may be reasonable to say that an ISP might have no clue that a JPEG file going across its network has child pornography, thousands of ACK packets sent instantaneously are a different story. Attack and scan traffic is easy for ISPs to detect and block. The more scans that are blocked, the fewer compromised systems there will be. Any increase in time to process data packets is easily made up by the overall decrease in the amount of network traffic.

2. Make ISPs (and all organizations providing computer access to more than 100 people) responsible for knocking customer PCs off their network if they become bots.

Any system that is clearly behaving as a bot should be immediately logged off a network. An end user who starts flooding the network with tens of thousands of e-mail messages, or who starts to send hundreds of thousands of DOS packets, is clearly compromised or otherwise abusing privileges. It is blatant and therefore easy to spot. More important, it is easier to identify and stop offending traffic at the source than for a victim under attack to identify and contact the appropriate administrators to stop the attacks.

3. Make end users liable if losses are incurred because of outdated security software.

We cannot push all requirements to the ISPs. End users who leave their computers vulnerable to being controlled by others are also at fault. All PCs connected to the Internet should have the latest patches installed, as well as updated firewall, antivirus and antispyware software. While these tools won't prevent everything, they can decrease a computer's susceptibility to compromise exponentially. Those who fall victim to an attack because they don't have the appropriate software and updates would be financially responsible for their own loss and potentially the loss they cause others. Just as individuals are legally required to keep their cars in safe condition to protect others on the road, they should be required to keep their computers safe to protect others on the Internet.

4. Write some kind of law concerning efficient security software.

I have been wrestling with how to word this one. A law like this is especially important if people are required to install and run security software. People have uninstalled their antivirus and antispyware software because it brought their systems to a crawl. Security software vendors must make performance a critical feature of their software.

While there are other laws I could recommend, these are the most fundamental and easy to implement. I know there may be criticisms. For example, some smaller, and even larger, ISPs and organizations will say they can't afford the software and staffing needed to kill end-user access as required. First, these companies are already spending money to provide bandwidth for all of the malicious traffic. Second, if they can't afford to protect their network properly, they shouldn't be in that business.

That is probably the key point. Can you imagine a trucking company saying that highway safety laws shouldn't be enacted because that would be too expensive? Likewise, can you imagine a private citizen saying that he doesn't want to properly maintain a car's safety? Of course not, as they would be endangering the safety of others. If people want to have access to the Internet, or financially profit from it, they should likewise be required to take precautions so that they don't endanger others.

All of the current regulatory discussions in Congress and local legislatures generally involve identity theft and are in reaction to the current hype. They are also reactionary in their effects in that they deal with what to do after information is stolen, and not with the fact that the thefts should have been prevented in the first place. Most important, they do not fundamentally improve security. We need laws that are proactive in preventing identity theft and all other likely attacks. These proposed laws go a long way in doing so.

Ira Winkler is president of the Internet Security Advisors Group. He is a former National Security Agency analyst and author of Spies Among Us (Wiley, 2005).

 

Trade group gives Feds low cybersecurity grade

D is for data breach...

Grant Gross    January 31, 2007 (IDG News Service) -- The Cyber Security Industry Alliance has given the U.S. government D grades on its cybersecurity efforts in 2006, and renewed its call for Congress to pass a comprehensive data protection law in 2007.

The CSIA, a trade group representing cybersecurity vendors, gave the U.S. government D grades in three areas: security of sensitive information, security and reliability of critical infrastructure, and federal government information assurance. (See the report in PDF format.)

"Government needs to take these issues very seriously," said Liz Gasster, the CSIA's acting executive director and general counsel.

Among the problems in 2006: The U.S. Department of Veterans Affairs reported a data breach involving the personal information of 26.5 million military veterans and family members. Other agencies also reported multiple lost laptops containing personal information. The CSIA called on agencies to notify citizens of data breaches.

After a rash of reported data breaches in early 2005, members of Congress introduced multiple bills requiring companies with data breaches to notify affected consumers. But a breach-notification law failed to pass, partly because of jurisdictional fights between multiple congressional committees.

A comprehensive data security bill should include breach notification, but also a requirement that all organizations holding sensitive data -- including private companies, government agencies, nonprofits, and educational institutions -- use reasonable security standards, Gasster said. The U.S. Federal Trade Commission has taken action against several companies, but a comprehensive law would give the FTC or another agency broad jurisdiction to investigate data breaches, she said.

The CSIA is optimistic a comprehensive data breach law will pass in the next year, even though it stalled in the last Congress, Gasster added. Major data breaches continue to happen, and consumers will increase the pressure on Congress to act, she predicted. In mid-January, retailer TJX Companies Inc. reported a massive data breach.

"Consumers just are not going to put up with this," Gasster said.

Here's how the CSIA generated its government cybersecurity grades:

  • Security of sensitive information, grade D: Congress ratified the Council of Europe Convention on Cyber Crime, allowing the U.S. to work with other signatories on cybersecurity investigations, but failed to pass a comprehensive law to protect sensitive personal information.
  • Security and resiliency of the critical information infrastructure, grade D: The Department of Homeland Security appointed an assistant secretary for cybersecurity and telecommunications and implemented some cybersecurity programs, but it hasn't offered a clear agenda for its top cybersecurity research and development priorities or established a survivable emergency coordination network to handle a large-scale cybersecurity disaster.
  • Federal information assurance, grade D: Government continues to offer a "mixed bag of successes and failures," the CSIA said, with progress within the White House Office of Management and Budget's enforcement of cybersecurity directives and implementation of U.S. President George Bush's Homeland Security Presidential Directive 12, requiring agencies to start issuing smart identification cards. But the government needs to do a better job in several areas, including security issues with telecommuting and releasing information on the cost of cyberattacks, the CSIA said.

In addition to a comprehensive data protection bill, CSIA called for the U.S. government to strengthen the power of agency chief information officers and called on agencies to increase testing of cybersecurity controls.

 

IBM Researchers Predict More Vulnerabilities in '07
January 30, 2007

By  Matt Hines

New research indicates that enterprises will continue to grapple with long lists of dangerous software vulnerabilities during 2007, with experts at IBM predicting continued growth in the number of flaws found in popular products over the next twelve months.

According to a report published by IBM's ISS (Internet Security Systems) X-Force research team on Jan. 30, the group observed just under 7,250 vulnerabilities during calendar 2006, which breaks down to an average of 20 new software flaws being isolated every day, and represents a 40 percent increase over the number of vulnerabilities discovered during 2005.

Perhaps even more imposing is the researchers' contention that more than 88 percent of the newly-found vulnerabilities in '06 could be exploited remotely, an all-time high, with over 50 percent allowing hackers to gain access to devices after the flaws have been flaunted.

With the launch of high-profile new software systems such as Microsoft's Windows Vista operating system in 2007, the researchers with IBM, based in Armonk, N.Y., are predicting that the next twelve months could be even more threatening from a security standpoint.

While developers of Vista and other products are putting more effort into securing their code and eliminating security loopholes, the experts said that the sheer complexity of such programs will create even more vulnerabilities.

Another mitigating factor will be the arrival of many new third-party products meant to run on Vista, the Atlanta-based ISS team said, as well as the growing use among malware code writers of so-called fuzzing tools, which automate the process of ferreting out software loopholes.

As desktop security tools have stemmed the flow of malware programs arriving in e-mail in-boxes, the use of fuzzing tools has helped hackers isolate weaknesses in Web browsing software, making the Internet the top source of malware, said Gunter Ollmann, director of security strategy for IBM ISS.

"The script kiddies of old went off to university and learned how to build and use fuzzing programs, and they're taking that experience and applying it to uncover vulnerabilities in content-level applications," said Ollmann.

"While the amount of [malware] content making it through from e-mail has gone down, and the volume of payloads making it to the desktop without being filtered has dropped, attackers have honed into Web browser vulnerabilities and there's less protection out there for this sort of threat, even within enterprises."

Ollmann said that IBM's researchers believe that the use of fuzzers has led to the rise in malware programs that attack application vulnerabilities, and that the technique will continue to take root among hackers.

Underground malware communities are taking full advantage of the newly-discovered flaws, and are using them to gain entry to devices and install other malware, he said.

It has also become easier for attackers to use the vulnerabilities in browser programs to build engines on Web servers that detect what type of software an individual is using and then launch malware programs that can take advantage of applications with holes that they have discovered. The malware writers are also using people's IP address information to tailor the content they attempt to deliver to a certain target.

"If a malware site such as this sees Internet Explorer 6, they send something different than if they see IE 7; there's a lot of logic in these engines," Ollmann said. "The site will look at the first request the browser makes and then find the right payload to deliver when the browser makes a second request. It happens that fast."

The researcher said that malware communities are also sharing lists of IP addresses to find specific sets of targets to assail with their programs, and to help identify accounts used by security software makers to help detect new attacks and code variations.

Traditional signature-based anti-virus products, versus behavior-oriented tools, are still failing to stop even those threats aimed at well-known vulnerabilities, according to Ollmann, who noted that the most popular exploit used to infect Web browsers with malware in 2006 was the Microsoft MS-ITS vulnerability, first disclosed in 2004.

Over the course of 2006, June was the month that saw the highest volume of new software vulnerabilities, while the week before the Thanksgiving holiday was the busiest week of the year.

IBM reported that so-called downloaders, also known as Trojan Viruses, which install themselves and attempt to retrieve other malware programs, represented the most popular form of threat seen in '06, accounting for 22 percent of all attacks.

Among the other findings highlighted in the report was news that the volume of spam increased by 100 percent during the last year, and that the United States, Spain and France were the three top sources of spam worldwide.

In a reflection of the number of experienced users and businesses run in Germany, German was the second most popular language for spam e-mails, Ollmann said, but the volume of spam written in English still represents approximately 92 percent of the messages.

In a nod to the art of simplicity, the most popular subject line for spam in 2006 was "Re: hi," according to the report. South Korea accounts for the highest source of phishing e-mails, according to the report, and Web sites that host pornographic or sex-related content represented 12 percent of the Internet last year.

 

Hackers use brokers to sell software vulnerabilities

An ongoing debate in the IT security world revolves around whether a researcher or analyst who discovers a security flaw should publicly reveal what he has found. The question is critical because the company whose software contains the flaw may not be as interested in fixing it as the consumer, and without public disclosure users may not ever be aware of their own vulnerabilities. Yet if the vulnerability is disclosed before the company can issue a patch, hackers will quickly seize on the newly revealed opportunity. One solution is called smart disclosure, which involves the researcher informing the company first, providing adequate time for it to fix the problem, and then announcing it publicly.

Of course, the above is premised on the idea that the researcher is a well-intentioned academic thinking nothing of material gain. The more avaricious have found that they can do much better -- economically, not morally -- by selling information related to software vulnerabilities. When they want to do so, they often turn to Adriel Desautels, co-founder of security group Secure Network Operations Software (SNOSoft), whose main job is as a broker of hacker data between researchers and third parties. "Significant flaw research," he explained recently, could be sold for more than $75,000. "I've seen these exploits sell for as much as $120,000," Desautels told SecurityFocus.

The practice is increasingly common, with flaw bounty programs such as TippingPoint's Zero-Day Initiative (ZDI) and iDefense's Vulnerability Contributor Program (VCP) making it easier and adding institutional legitimacy. (Microsoft, for example, patched at least seventeen flaws reported by the two programs in 2006.) Desautels, however, works independently with freelance researchers. "One of the reasons why the hacking community is so frustrated with large corporations is because these corporations are making a killing off their research and they are not seeing fair value for their work," Desautels said. Going through Desautels is also much more lucrative than using ZDI or VCP, with prices said to be five and ten times higher. "We continually have to justify where we recoup the cost," said 3Com's Terri Forslof. "Mainly, we consider that we recoup it in research -- look how much you would have to pay a top-notch researcher."

-read more in Robert Lemos's SecurityFocus report

 

Made4biz Security Translating real-world security knowhow into state of the art security systems.