Friday, July 29, 2005

Pulled presentation spreads like wildfire

#143 As predicted, the Cisco-Lynn affair has spread like wildfire on the blognet and reportedly the presentation in question that was pulled by Cisco and ISS from the Black Hat proceedings (The Holy Grail: Cisco IOS Shellcode And Exploitation Techniques) is already available for download with several blogs linking to the site where the presentation is available.

Reportedly, thousands of copies have been downloaded and the wires are saturated. It would seem that this whole furore has actually led to more copies of the presentation being spread than Cisco or ISS would have wished.

Clicking on the heading link in this blog will take you to a Technorati search for all blogs mentioning Cisco and Lynn, but beware: there are a LOT of entries, as the blognet is bulging with this story, with discussions of ethical/responsible disclosure, good citizenship and conspiracy theories abounding.

However, I am still convinced the opportunity exists for Cisco to make good on this one, and hopefully we can expect some positive noises from their side soon.

Cisco, ISS PR Disaster

#142 Bruce Schneier does an interesting, thought-provoking analysis of the recent hullabaloo at Black Hat regarding heavy-handed tactics against the Black Hat conference organisers and security researcher Michael Lynn. Given the popularity of his excellent writings and his stature in the industry, coupled with the viral nature with which his views will spread across the Internet, I expect that sooner or later Cisco will attempt to recover from this bad publicity.

The main theme of the article is that "If companies have the power to squelch vulnerability information about their products, then there's no incentive for them to improve security."

With regards to customers and end users of Cisco's products: "Cisco's customers want information. They don't expect perfection, but they want to know the extent of problems and what Cisco is doing about them. They don't want to know that Cisco tries to stifle the truth."

His final parting shot: "Despite their thuggish behavior, this has been a public-relations disaster for Cisco. Now it doesn't matter what they say -- we won't believe them. We know that the public-relations department handles their security vulnerabilities, and not the engineering department." ...ooh, that hurt.

Data Security Bill goes National

#141 Here is the first data security bill in the US to go national. That's really a sign of the times for the security industry, isn't it?

Businesses would have to protect credit-card accounts and other sensitive consumer information, and notify consumers when that information has been exposed to identity theft, under a national bill approved today by a Senate committee. The vote marks the first time Congress has taken steps to improve data security following a string of breaches that have exposed some 50 million consumers to possible identity theft.

Dozens of retailers, universities, banks, data brokers and other institutions have disclosed breaches this year, ranging from attacks by malicious hackers to losses of backup tapes during transit to storage facilities (see CardSystems breach renews focus on data security). The announcements were prompted by a California state law that requires institutions to make such data breaches public. Seventeen states have since passed similar laws, prompting banks and other businesses to ask Congress to set a single national standard.

Wells Fargo profits from insecurity

#140 When did you last come across a story where you were unsure whether it brought on feelings of loathing and disgust or of admiration? This is really one for the books.

Federal regulators say Wells Fargo jeopardized the personal information of hundreds of thousands of customers through a string of security breaches over the past two years.

Wells in turn has found a way to profit from the problem. The San Francisco bank, in conjunction with marketing behemoth Trilegiant, is offering a new service called Wells Fargo Select Identity Theft Protection. For $12.99 a month, this includes daily monitoring of one's credit files and assistance in dealing with cases of fraud.


IBM pushes mainframe security

#139 At first when I read this story I thought it mildly amusing, but taking all the recent hullabaloo around data security breaches and storage security into account, I could only admire IBM capitalising on all the noise. It seems they would have us go back to mainframes to be more secure...

Mainframes were considered dinosaurs in the midst of the personal computer revolution and were nearly written off for dead when server farms composed of lower-cost Intel or Unix machines from rivals like Sun Microsystems Inc. were all the rage in the Internet era. However, it would seem there has been something of a resurgence in mainframe revenues, and IBM seems to think that security issues are likely to spur this on.

IBM is upgrading its mainframes to alleviate data security lapses, double the processing power and spur sales growth. The Boston Globe reports that it's the first upgrade of IBM's base product line in two years, and that the greater data-crunching power will allow its mainframe computers to secure consumer financial and health records from prying eyes. The new line is called z9 and is the ninth generation of IBM's z-Series mainframes. IBM believes that encrypting everything in the servers will better protect consumer medical and financial data.

You can also read a Gartner research note, "IBM Targets Security Issues with its new Mainframe", where they observe: "Organizations seeking to allay security concerns should look to the IBM mainframe as one significant piece of a comprehensive approach to safeguarding corporate data."

Thursday, July 28, 2005

Security when outsourcing offshore

#138 With all the high profile data breaches in the last two months, all eyes have been turned on the booming offshoring market as a probable massive security risk. Many of these outsourced operations involve handling and processing customer transactions and sensitive personal information, exposing outsourcing facilities to the same risk of data theft occurring domestically.

As U.S. businesses, policy-makers and security experts work to stem the tide of data thefts, an equal or greater vulnerability lurks overseas -- the level of network and physical security at outsourced operations of U.S. corporations (see the previous blog entry India to tighten data security laws).

Paul Henry of CyberGuard returned from visiting outsourcing facilities in Southeast Asia and India last month and offers advice to U.S. companies on securing their outsourcing operations abroad and protecting customer data. This is the first such article/paper I have come across on this topic, and it is really worthwhile reading.

Cisco, ISS file for Injunction at Black Hat

#137 Where there is smoke there is fire... the saga of the previous blog entry continues...

Cisco Systems and ISS late Wednesday filed for an injunction against a former ISS researcher who exposed vulnerabilities in Cisco’s router operating system at the Black Hat conference in Las Vegas earlier in the day.

The motion, filed in U.S. District Court in San Francisco, seeks a temporary restraining order to stop Michael Lynn, a former ISS employee, from further releasing proprietary information belonging to Cisco and Internet Security Systems. The injunction also names the organizers of the Black Hat conference as defendants.

I wonder if these actions are not just going to create more attention from the hacking community than Cisco would want. The message is clear though: Cisco don't want to land up having to go through what Microsoft went through in the last two years. Expect patching and updates on your routers and switches to become as important as desktop and server patching.

Cisco 'Cover Up' Ignites Black Hat Controversy

#136 In a sign of the times that infrastructure security issues will become increasingly important and elevated, and further to my two previous blog entries, Cisco warns of serious flaws and Hackers to target Cisco next, a highly controversial deal between Cisco and Internet Security Systems to pull a talk about Cisco vulnerabilities at the Black Hat conference in Las Vegas on Wednesday has attendees crying cover-up and has led to the resignation of a prominent researcher, Michael Lynn, a member of ISS' X-Force R&D team.

Buzz about the controversy first started when attendees arrived at the conference to find Lynn's 30-page presentation ripped from the conference materials. Despite the materials being removed, Lynn delivered the talk unchanged, but he did so only after resigning from ISS.

Wednesday, July 27, 2005

SANS releases Q205 Report

#135 Multiple Products from Microsoft, Back-up Products from Symantec/Veritas and Computer Associates, plus iTunes and other Media Players Cited in this Second Quarter Update.
More than 422 new Internet security vulnerabilities were discovered during the second quarter of 2005, according to the SANS Institute and a team of experts from industry and government. This group has isolated the Top-20 most critical vulnerabilities disclosed in Q2 that need to be addressed through patching and other defensive actions. Individuals and organizations that do not correct these problems face a heightened threat that remote, unauthorized hackers will take control of their computers and use them for identity theft, for industrial espionage, or for distributing spam or pornography.
To be included on the new quarterly update, vulnerabilities must meet five requirements: (1) they affect a large number of users, (2) they have not been patched on a substantial number of systems, (3) they allow computers to be taken over by a remote, unauthorized user, (4) sufficient details about the vulnerabilities have been posted to the Internet to enable attackers to exploit them, and (5) they were discovered or first patched during the second three months of 2005.

The 422 new vulnerabilities discovered or reported during Q2 2005 represent an increase of 10.8% from the first quarter of 2005 (381) and an increase of nearly 20% from the second quarter of 2004 (352).

Deloitte 2005 Security Survey

#134 Deloitte's third annual Global Security Survey was produced with input from Chief Security Officers and security management teams from financial services industry organizations around the world. It attempts to provide broad insight around the question: How does the information security of my organization compare to that of my counterparts?

63 percent of survey respondents believe that security threats to their organisations are becoming increasingly sophisticated. This is aided and abetted by a severe lack of employee awareness and training, with 48 percent of respondents stating that this is a weakness in their organisation. Commonly listed threats included: poor screening of new employees; lackadaisical subcontractor controls; security-ignorant employees and deficient management processes. These internal issues were at the root of most security breaches.
Key findings of the survey:
  1. Managing compliance now relies on input from multiple stakeholders, including security and technology
  2. Organisations need to be prepared for the changing nature of threats
  3. While the number of overall security breaches is down, the geography and stature of the organisation play a key role in whether it will be breached or not
  4. There is a trend towards having the Chief Information Security Officer (CISO) report to the highest levels of the organisation
  5. The board's interest in security is no longer optional; it's a requirement
  6. The most effective way to cost-justify the security function is to assess the value and impact delivered to the business
  7. Identity and vulnerability management: the role of these solutions in the compliance world is increasing
  8. Training and awareness is crucial but significantly lacking

This is well worth a read, even if you are not a financial institution.


Professional cybercrime takes hold

#133 Kaspersky has released a free executive guide to the changing face of cybercrime that I found worthwhile reading. We have discussed this emerging phenomenon in a few previous blog entries: "Virus writers go under the radar" and "Ransomware".

Computer attacks have already undergone a radical shift. These attacks have emerged as business for profit and disruption. It’s no longer about teenagers looking for glory. Now it’s become a real business. These malicious attacks can be severe - identity theft, fraud and extortion. They are becoming more frequent and faster than ever before - and there’s no sign of letting up.

In this executive brief, they discuss the magnitude of the new generation of cyber-crime, the direction these threats are headed and what is needed to fight back. Registration is required for the download.

Lost PDAs pose security risk

#133 A smartphone or wireless PDA carries vast amounts of data and has transformed the mobile work force, but if lost, it can also pose a serious security breach. We have discussed this issue in a previous post, "Smart handhelds are dumb security risk".

The Washington Post reports that some companies have already taken measures to counteract that risk, such as adding layers of password protection, encryption and preventing sensitive corporate information from being downloaded. Wireless providers are also developing "neutron bombs" that can wipe out information on these devices at long distances so that a lost PDA doesn't amount to a catastrophic data loss.

As the work force relies more on portable devices to increase efficiency, manufacturers and developers are racing to keep pace with rising security issues.

Drive by hacking

#132 In Miami, hackers are obtaining cardholder information on tens of thousands of customers through wireless networks in stores. The New York Times reports that thieves are singling out merchants with strong wireless signals and weakly protected data using a laptop computer enabled with a wireless networking receiver. The culprits robbed these stores of customer information for more than a month. After security upgrades were announced, or investigators showed up on the scene, the cyber-criminals just moved on to the next store already staked out.

Investigators point out that data security is not just the responsibility of major banks and corporations, but it also belongs to retail merchants.

Microsoft: Security biggest challenge

#132 In a technology lecture to thousands of delegates in Singapore, Bill Gates said that Internet security was Microsoft's biggest challenge. An AFX article reports that Gates also confirmed piracy as another huge problem for the software juggernaut, along with privacy issues and controlling spam. Microsoft is currently investing most of its efforts in security.

Bidding war for vulnerabilities

#131 An interesting trend developed this week, after 3Com announced yesterday that it would pay rewards to individuals who provide information on product/software vulnerabilities so that they could update their security products to mitigate the vulnerability. One day after this, iDefense (acquired by VeriSign two weeks ago) announced it would double its payouts for similar information.

Both companies are vying to be the first to know about security vulnerabilities in other companies' products. The payouts are used to gain a competitive edge over rivals by having their products recognize more vulnerabilities that may be exploited in attacks by cybercriminals. Money has increasingly become an incentive for hackers. Programs such as those from 3Com and iDefense offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for information on vulnerabilities: cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems.

Only a few companies pay security researchers for finding software vulnerabilities. iDefense's Vulnerability Contributor Program has been around for three years. TippingPoint, part of 3Com, announced its Zero Day Initiative on Monday and will celebrate the launch Wednesday at the Black Hat security conference in Las Vegas.


Monday, July 25, 2005

EU needs another 680,000 security professionals

#130 This is an interesting topic that shows that as the industry matures, certifications will become more important, not less, as conventional wisdom dictates. Many think that certifications will no longer be required as security matures and becomes less of a "black art"; however, as the industry matures it will become more important and more integrated into the business process, and this is where the certifications will be targeted.

Europe will need another 680,000 information security professionals by 2008, according to a survey by IDC on behalf of the International Information Systems Security Certification Consortium (ISC2). The survey found that most hiring managers (93%) preferred candidates with security qualifications. ISC2 offers certificates for systems security practitioners (SSCP) and professionals (CISSP), and is one of several bodies to provide such qualifications. The survey found that security specialists are also expected to understand business processes, to help minimise risks as new systems are developed.

Friday, July 22, 2005

Bad security can affect 5% of your market cap

#129 When engaging with customers on risk assessments, we often struggle to quantify the effects of bad publicity surrounding a security incident. Well, as this market matures, expect security metrics to become more quantifiable.
Academic researchers have determined that negative publicity associated with a security breach impacting confidential information can cause an average market cap decline of over 5%.
Now, according to the Privacy Rights Clearinghouse, in the past five months over 60 highly publicized data breaches have had the potential to affect over 50 million people. Given the 5% market cap metric, the potential downside of a publicised security incident is enormous.

Choicepoint pays the price

#128 The costs associated with this data broker's security breach just keep mounting. ChoicePoint revealed in February that scam artists had gotten access to personal data on 145,000 Americans, resulting in at least 750 cases of identity theft. The scandal has prompted calls for new legislation to protect consumers' privacy rights.

Direct financial costs were $11.4M, made up of $2M in communications costs to individuals whose data had been compromised and $9.4M for legal and professional fees.
Also, ChoicePoint overhauled its business to prevent further breaches. These changes are expected to cost between $15 million and $20 million during 2005.

Microsoft licenses Finjan security patents

#123 The deal gives Microsoft a minority share in the privately held, San Jose, Calif.-based company. It enables the software giant to use ideas developed by Finjan in future products and "covers a broad range of patents that Finjan has developed and acquired in the last nine years in the security space". Financial details of the deal are not being disclosed.

Microsoft has been pushing into the security arena over the past couple years. The company has acquired antivirus and anti-spyware technology and is working on bringing products to market. Also, Microsoft has said security is now top priority when developing its other products. The technology Microsoft has licensed covers ways to monitor Internet traffic and block malicious code based on security policies. The behavior-based system aims to defend corporate networks against viruses and spyware even if the malicious programs are completely new and have never been seen before.
What makes this interesting is that Microsoft has licensed only ideas covered by the patents, but not actual technology such as software code. Another interesting fact is that one of the other private investors in Finjan is Cisco Systems.

Thursday, July 21, 2005

Microsoft buys FrontBridge

#122 Microsoft is finally adding some meat to the bones of its security offering. They made good on their announcements at the Feb '05 RSA Conference I attended in San Francisco, to provide a security offering for their messaging platform, by acquiring FrontBridge Technologies, a provider of secure messaging services. The price was, as usual, undisclosed.

What makes this acquisition significant? It's the first one they have made with a company that is actually known in the security community! All their previous acquisitions in this space have been of obscure (but good technology) companies. I mean, who had ever heard of Giant and Sybari etc.? Also, they are buying services instead of technology, as FrontBridge provides managed hosted email antispam, managed antivirus, disaster continuity and archiving services. Microsoft makes no bones that it intends offering managed services in addition to security technology. The deal comes almost five months after Microsoft acquired Sybari Software and its anti-virus and anti-spam products. Microsoft now has two of the three methods for delivering e-mail hygiene, hosted (FrontBridge) and premise (Sybari), the third being an appliance.

My view is that while Microsoft's and Cisco's security offerings were at the "good enough" stage for a while, the convergence of security with networking and the OS will see these two vendors investing in best-of-breed technologies to get them beyond this and become the security gorillas I expect them to be by 2007. Here are other versions of this story: Computerworld and Networkworld.

Wednesday, July 20, 2005

Website security ignored

#121 Many companies are confessing that their websites were attacked more frequently within the past year. A survey released last week by the Computer Security Institute, states 95 percent of respondents experienced more than 10 Web-site incidents during 2004, up from 5 percent in 2003. Roughly 700 computer-security practitioners in U.S. companies, government agencies, medical institutions, and universities responded to the survey.

Experts say the huge increase occurred because websites provide a gateway for thieves to steal data. Criminals know that companies have vast budgets for network security and often ignore their websites, unaware that the information they provide allows access to more sensitive data.

Hackers turn to fake greeting cards

#120 According to Internet security vendor SurfControl PLC, attackers are increasingly using fake e-mail greeting cards as a way of getting malicious software installed on computers.

Now here is something that will surprise you (it surprised me) - the amount of malicious e-mail being disguised as e-mail greeting cards is up about 90% from last year and now makes up more than half of all malicious e-mail being sent!

Boy, that came out of nowhere, didn't it? It's a good thing Christmas and the festive season are not around the corner...

USC says database hacked

A University of Southern California online database containing about 270,000 records of past applicants that included their names and Social Security numbers was hacked last month, officials said yesterday. USC learned of the breach June 20, when it was tipped off by a journalist. It has since shut down the Web site and has notified people whose names and Social Security numbers were in the database of the security breach.

Check Point beats estimates

#118 Check Point Software has reported second-quarter results that beat Wall Street's estimates, in part from large deals that were landed and greater belt-tightening. However, analysts were concerned that revenue from software licensing had slumped.

The security software giant on Tuesday reported revenue of $144.6 million in the quarter ending June 30, up 14 percent from the same period a year ago. Check Point reported net income of $78 million, or 31 cents a share, in the quarter, up 23 percent from the previous year. Excluding charges related to acquisitions, Check Point posted a profit of 32 cents a share.

New products accounted for 30 percent of the company's revenue. During the quarter, Check Point introduced its NGX platform, which serves as a unified security architecture. The company also introduced a wireless security appliance for its Check Point VPN-1 Edge product line.

Tuesday, July 19, 2005

IM users soar to 867M

#117 Yes, I'm on the IM bandwagon again. Increasing management and security concerns mount as messaging hits the big time with 867 million users in 2005, predicted to grow to 1.2 billion users by 2009. According to a survey of IM use within 523 organisations worldwide conducted by Radicati Group, the majority of IM traffic in 2005 exists on public networks (12.5 billion messages sent per day), where the technology first took hold.

The report divides the IM market into public IM networks, enterprise IM vendors and IM management vendors. IM management is expected to become an increasingly integral part of the market, as enterprises that currently rely on public IM networks look to management vendors for security against the rising onslaught of worms and viruses carried by IM traffic. Archiving and logging of IM to meet the increasingly stringent demands of corporate compliance regulations is also expected to boost demand for management tools, according to Radicati Group.

Monday, July 18, 2005

Definition of IT Security

#116 I came across this wonderful definition of IT security. It really drives home the point that people are all viewing it from the wrong perspective.

Three things you need to know about security:

First, we're stuck with a notion that security is withholding our progress, when in reality -- when properly applied -- security allows you to go faster, because it gives you the controlled environment you need in order to succeed and implement new applications.

Second, security is supposed to be boring. It's the cop walking the beat. To whatever extent the Internet brought about this idea of fighting spies and espionage, white hats and black hats, evil hackers and all those exciting things -- that's completely wrong. The only people doing that are the ones who are failing to do all the boring, mundane, operational things that keep all that 'exciting' stuff away. Security is your standard, process-oriented approach to any control infrastructure. It's not supposed to be sexy or exciting. It's all about coming in to work every day, doing the right things and continuing to do them over time.

Thirdly, successful security means we're changing the future. We deal in a world of uncertainty and probability, and we're trying to decide what we should be doing if we were going to be attacked or hacked tomorrow. Based on that decision, we then implement our security controls. If we're successful, we don't get attacked tomorrow -- so we changed that future. I consider Y2K the biggest security success of all time, because there were actually lines of code being changed to thwart this notion of what would go wrong. Success means nothing happened.

Pete Lindstrom, CISSP and Research Director, Spire Security LLC.

CSI/FBI 2004 Survey results

#118 The CSI/FBI Computer Crime survey is regularly reviewed by security professionals and customers alike on an annual basis. The survey, which included about 700 respondents from government and a variety of industries, found that the average losses related to computer attacks dropped by 61 percent in 2004. On average, companies reported that computer and network attacks cost them $204,000 last year, down from an average of $526,000 in 2003. This marks the fourth consecutive year that this number has declined. Part of the reason for the drop is the fact that companies have simply become better at protecting themselves and product/AV vendors have been stepping up to the bar.
However, the cost of information theft jumped considerably in 2004. The heat of hacker activity has moved to identity theft. The survey found that the average net loss attributable to unauthorized information access jumped from more than $51,000 in 2003 to more than $300,000 last year. Attacks that resulted in the theft of proprietary information cost companies more than $355,000 on average in 2004, up from $169,000 the previous year.

Sunday, July 17, 2005

Worldwide digital attack damages $500B

#115 This is actually a February report, but not a lot of people know about it (including myself as of today). But I think it's important. It's the first time I've been to this site too.

According to research firm mi2g Intelligence Unit, the worldwide economic damage inflicted by overt and covert digital attacks, malware, phishing scams, DDoS attacks, and spam ranged between $470 and $578 billion in 2004.

By my estimates, that's 10 times the value of the actual IT security market itself!

Friday, July 15, 2005

Security Wrap email Digest

We now compile a quarterly HTML eMail Digest of all the previous months' postings. The digest normally gets sent out two to three weeks after the last month of the quarter has closed, so RSS feeds, daily email digests and this web site are still the best place to obtain up to date information.

The quarterly digest contains an analysis of the previous months' most important events and what they mean or what trends they indicate. It also contains a list of the most read (popular) stories as well as the top ten high-impact events for the month. Finally it lists a shortened text version of every single posting made in the months. If you are interested in a story you can click through to the full posting on the blog web site.

Simply email with subject title "PLEASE SUBSCRIBE ME" together with your name, company and country to receive the monthly digest. These details are not used for any other purposes other than to send you the monthly digest.

Email the same address with subject title "UNSUBSCRIBE ME" if you wish to stop receiving the digest and have your details removed from our database.

Major Windows exploit 'days away'

#114 I don't normally cover virus alerts and so forth on this site; however, there are several new trends that have developed and been covered on this site this month that relate to this warning from Microsoft.

The first thing that I want to point out is that we are nearing zero-day exploits. "Hackers are actively exploiting two serious security vulnerabilities in Windows, Microsoft warned on Tuesday as it released "critical" alerts about the flaws." It does not take very long (days) before some major newly announced vulnerability is exploited.

The second thing is that hackers are now focussed on growing their botnet armies as opposed to getting their names in the press and causing havoc and mayhem. "Attackers are already using the JView Profiler flaw to download and install Trojan horses on victims' machines," said Dan Hubbard, senior director at Websense Security Labs. The Trojan horses would let the miscreants remotely control the hijacked PCs and make them part of a network of such computers known as a botnet, an increasing cyberthreat.

Now the really worrying thing is that because hackers are now trying to go "under the radar" with more focussed, smaller and less public/destructive "acquisitions" of botnets, we may never really know how successful their exploits are, will we? Hmm.

Thursday, July 14, 2005

Cisco warns of serious flaws

Further to a previous posting where we discussed the next big security problems moving from Microsoft to Cisco (or more specifically to the infrastructure as opposed to the desktop), Cisco Systems identified several vulnerabilities in its products this week that could lead to denial-of-service attacks. The most noteworthy flaw was reported Tuesday when Cisco warned that hackers could cripple its IP telephony networks by exploiting flaws in its CallManager software, an essential component of Cisco's IP telephony technology, which is used for call signaling and call routing.

I know of hundreds of IP telephony networks installed in the last year where customers never even considered security, treating the infrastructure components like "toasters and VCRs". Still to this day I don't believe adequate attention is being given to this area, despite well-known frameworks for securing IPT networks published by the Information Security Forum (ISF).

IT Governance Institute study results

#112 Further to the previous article on corporations being ignorant of hacker risks, here is an interesting result from this recent survey: fewer than 25 percent of organizations regularly review external risks, the IT Governance Institute study reveals in part one of a research series. The study, described in Information Risks—Whose Business Are They?, also reveals that the board of directors or CEO signs off on the IT risk management plan in only one-third of all organizations.
"The lack of attention to external risks and the lack of business involvement in the IT risk management plan are worrying given the extensive reliance on outsourcing and service providers, and the globalized nature of many organizations," the article notes. Best practices identified in Information Risks advise that top management should share responsibility with the IT department for IT risks. Results show the opposite is true in most organizations. According to the study, IT risk management is the responsibility of IT management—not the business—in 80 percent of organizations.
Well, if security starts at the top then this explains the sorry state the industry is in...

Firms ignorant of hacker risk

#111 Want to know why being in charge of security is such a tough job?
Although a network security breach is rated the number one worry keeping IT managers awake at night, most admit that they have no way to accurately measure and report on the degree of risk posed by hackers. A survey of 1,700 chief information officers, chief security officers and security directors found that some 60 per cent are unable to determine whether their network security risk is decreasing or increasing over time. In addition, almost 60 per cent admitted that they are unable to generate reports about applications or vulnerabilities on their network by region, business unit or business owner.
The Vulnerability and Risk Management Trend Survey, conducted by security firm nCircle, also revealed that over half of respondents have no way to verify and manage compliance with their own internal security policies. Respondents also identified the management of regulatory compliance as a growing business concern. Fifty per cent of respondents stated that it takes their company more than a month to compile information for compliance reporting.
In terms of future investments in security technology, respondents indicated that they are planning to add identity, access and vulnerability management technology in the next year.

Shocking e-mail stats

#110. Now here's something shocking to think about, from two separate articles.

First, the horrendous news that just 10 per cent of all email is a genuine message, with the volume of spam email, phishing attacks, trojans and virus-infected email messages rising 600 per cent in the past year. While junk mail has been on the rise for some time, phishing spam and pharming viruses are growing fast. Read it over here.

Then, the disheartening news that users are flocking to read and buy from spam messages. Eleven per cent of the internet population buys goods that are advertised in spam email messages, according to a survey from Radicati Group. Those purchases, however, often didn't work out. Another nine per cent said they had lost money due to an email scam. Hey, those spam guys are onto a good business model, right? Read it over here.

Banks go simple on security

#109 Stung by recent high-profile security breaches, Bank of America Corp. is rolling out a new online banking security system called SiteKey, aimed at making it harder for cyberthieves to crack customer accounts - and by the looks of things they have gone the simpler is better route.

I couldn't agree more - ordinary consumers couldn't be fussed with complicated security and carrying dongles and tokens about with them that the dog chews or falls into the swimming pool. So now here is an example of what I call "human friendly" security.

Instead of the traditional user name-password setup, the bank's users select one of a thousand different images, write a brief phrase and pick three challenge questions. The challenge questions - all things that only the customer would be able to provide, such as the year and model of their first car - are then used along with a customer ID and a passcode to guard access to the account. Now here's the bit that I really like - the system also allows customers to verify that they are indeed at Bank of America's Web site when they log on for online banking. By clicking on a SiteKey button, they can see the secret image they selected and their phrase; if those things don't appear, they could be at a spoof Web site or the target of a "phishing" scheme. So the bank is sure it's the real user and the user is sure it's the real bank. Neat.
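As an added illustration (a constructed model, not Bank of America's code), here is the three-step flow described above in Python: the server reveals the secret image and phrase only after it has the customer ID and a correct answer to one of the enrolled challenge questions, and the customer hands over the passcode only if the image and phrase match what they enrolled. A spoof server that harvested the ID and answer but never saw the enrolled image fails that check, so the passcode is never sent. All class and function names and the sample secrets are assumptions.

```python
import hashlib
import hmac
import os
import secrets

DECOY_QUESTIONS = ["What was the make of your first car?"]  # asked for unknown IDs

def _digest(secret: str, salt: bytes) -> bytes:
    # Normalise free-text answers so "1987 Golf " and "1987 golf" match.
    return hashlib.pbkdf2_hmac("sha256", secret.strip().lower().encode(), salt, 50_000)

class SiteKeyServer:
    """Bank side (hypothetical): stores enrolled secrets, reveals the image only after a challenge."""
    def __init__(self):
        self.accounts = {}

    def enroll(self, customer_id, passcode, image_id, phrase, questions):
        salt = os.urandom(16)
        self.accounts[customer_id] = {
            "salt": salt,
            "passcode": _digest(passcode, salt),
            "image": image_id,
            "phrase": phrase,
            "questions": {q: _digest(a, salt) for q, a in questions.items()},
        }

    def challenge(self, customer_id):
        # Step 1: the client sends only its ID and receives one challenge question.
        # Unknown IDs get a decoy so the response does not confirm whether an account exists.
        acct = self.accounts.get(customer_id)
        pool = list(acct["questions"]) if acct else DECOY_QUESTIONS
        return secrets.choice(pool)

    def reveal_sitekey(self, customer_id, question, answer):
        # Step 2: the image and phrase are shown only for a correct challenge answer.
        acct = self.accounts.get(customer_id)
        if not acct or question not in acct["questions"]:
            return None
        if not hmac.compare_digest(acct["questions"][question], _digest(answer, acct["salt"])):
            return None
        return acct["image"], acct["phrase"]

    def verify_passcode(self, customer_id, passcode):
        # Step 3: the passcode is checked last, after the customer has confirmed the SiteKey.
        acct = self.accounts.get(customer_id)
        return bool(acct) and hmac.compare_digest(acct["passcode"], _digest(passcode, acct["salt"]))

class SpoofServer(SiteKeyServer):
    """A phishing page: it can collect the ID and answer but never knew the enrolled image."""
    def reveal_sitekey(self, customer_id, question, answer):
        return ("generic_padlock.png", "Welcome back!")

def login(server, customer_id, answers, expected_image, expected_phrase, passcode):
    """Customer side. Returns 'ok', 'bad_challenge', 'sitekey_mismatch' or 'bad_passcode'."""
    question = server.challenge(customer_id)
    shown = server.reveal_sitekey(customer_id, question, answers.get(question, ""))
    if shown is None:
        return "bad_challenge"
    if shown != (expected_image, expected_phrase):
        return "sitekey_mismatch"  # possible spoof site: the passcode is never sent
    return "ok" if server.verify_passcode(customer_id, passcode) else "bad_passcode"
```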

Wednesday, July 13, 2005

All eyes on security management tools

#110 Network and systems management vendors have been on a shopping spree of sorts for some time now, and the current must-have item on their list is security information management (SIM). Following Micromuse's announcement earlier this month that it would acquire GuardedNet for $16.2 million, and Cisco's foray with Protego Networks, industry watchers speculate that the purchase might mark the beginning of the end for pure-play SIM vendors. In a recent blog post (Gartner Magic Quadrant for SIM) we examined the various pure-plays.
Acquisition isn't the only route vendors are taking to deliver SIM. Cisco also licenses SIM technology from netForensics to augment its network security plans; HP last month announced it had partnered with ArcSight to provide OpenView Compliance Manager; and storage giant EMC joined forces with SenSage to couple its Centera storage products with SenSage's event log collection and retention features. CA and IBM Tivoli separately offer stand-alone or bundled management applications that deliver SIM capabilities.
"Security information should definitely be integrated with network management information in terms of common workflows and databases, and the market will consolidate," says George Hamilton, a senior analyst with The Yankee Group. "But management vendors may not be taking into account the fact that security has the steepest innovation curve of any technology out there."

IM security in a mess!

#109 I hate to go onto the IM bandwagon again but I just couldn't resist this one. I have stated the various issues and threats that will lead to IM becoming a real headache for security in a previous post, and thought that this information resource would be useful for you to keep tabs on this area of security.

The IMLogic Threat Center, a global consortium that provides threat detection and protection for IM and peer-to-peer (p-to-p) applications, recently issued its second quarter 2005 report on the rise of IM security threats. Launched with the support of the Internet security vendors Symantec, Sybari Software and McAfee and the IM providers America Online, Microsoft, and Yahoo, the IMlogic Threat Center is a knowledge base for known IM and p2p vulnerabilities and provides rapid response and guidance for protection against newly detected threats.
The report says there has been a "sharp" 2,747 percent increase in new IM threats -- including viruses, worms, SPIM (spam over IM), malware, and phishing attacks -- in second quarter 2005, compared with the same period a year ago. IMlogic also issued more than 15 priority alerts to enterprises and IMlogic Threat Center subscribers in second quarter 2005 in response to the increasing frequency of reported IM threats.

Arrest for hopping onto home WiFi

#108 I had to do a double take when I read this one. I recently installed a WiFi network for my new ADSL link at home, and when I searched for the newly installed access point for the first time I saw my two neighbours' APs - unprotected. I joked with my wife that I could cancel our ADSL line and use the neighbours' WiFi networks to jump onto their links!

Then I came across this article - A man who allegedly accessed a home Wi-Fi network in St. Petersburg, Florida, from a parked car got logged off the hard way: he was arrested and charged with a felony. Benjamin Smith III, 40, was arrested on April 21 outside the home of Richard Dinon and charged under a Florida law that prohibits unauthorized access to a computer or network.

I kid you not!

Hackers to target Cisco next

#107 Being a gorilla makes you a big target. Just ask Microsoft. Now that the heat seems to be off Microsoft for a while, there is speculation that Cisco is next. Virus writers rub their hands in glee imagining the havoc they could wreak by compromising one router.

Vulnerability researchers predict the emergence of router worms: malware designed to automatically spread from router to router like wildfire, thereby bringing down vast segments of network infrastructure. Researchers for security vendor McAfee Inc. have designated router worms a major future threat. “It’s now the rage to find vulnerabilities and it was easy to find them in Microsoft operating systems. Then people started going after Apple, so you’re starting to hear more about those. When they exhaust these easy things, then they’ll start going after Cisco boxes,” says Jimmy Kuo, fellow for the McAfee Anti-Virus Emergency Response Team (AVERT).

How should the perplexed network manager prepare to deal with a threat that may or may not materialize? According to this article, an attitude change is needed. "Many system administrators think of routers as a VCR or toaster, but they need to start thinking of it as a computer because it can be attacked in the same way as a computer can be. If people want to protect themselves against router attacks, it comes down to paying the same attention to routers as their Windows system."

Now that is food for thought isn't it?

Sarbox worsens security

#106 Now this is an excellent take on the downside of Sarbanes-Oxley compliance. As I stated in a previous blog, corporations seem to fear legal risk more than security risks, and this article notes that Sarbox could divert all the attention and spending in one direction at the expense of other, more prevalent security risks.

The Information Security Forum, an international security association, said Monday that it calculates that many of its members expect to spend more than $10 million each on information security controls to comply with regulations laid down by Sarbanes-Oxley.

The ISF warns that SOX ignores security issues that are extremely important when dealing with risks to information, such as business continuity and disaster recovery. This makes it important to integrate compliance into a wider IT security and corporate governance strategy, it said. Well said!


Computer hijacking quadruples

#105 Incidents involving malicious code, also known as "bot" code, reached 13,000 from April through June, according to a report from antivirus-software maker McAfee. That's quadruple the number tracked by the company in the previous three months. McAfee estimated that 63 percent more machines were exploited by bot programs and by spyware and adware.

You will notice an absence of large-scale virus and worm "pandemics" lately, since, as reported in previous blog entries (Virus writers go under the radar), hackers are now being replaced by professionals going "under the radar" and implementing targeted attacks for mostly financial gain, and the McAfee report confirms this trend.

Expect to see more incidents of infection, but fewer pandemics. This is also borne out by a report released by Symantec today, "Hacking for dollars", which notes that "the benefit of creating a widespread worm on the Internet has really been superseded by the potential of monetary gain."

Tuesday, July 12, 2005

Encrypt or invite disaster

#104 There has been a lot of focus on encryption lately, given all the data theft recently. There are plenty of options available today for securing/encrypting your data, and many of these options are simply overlooked. Encrypting your data does not have to be an expensive rollout like moving from NT 4.0 to Active Directory.
There are many types of encryption, from complete encryption at the enterprise level down to the often overlooked encryption of an individual’s workstation. Encryption is as important as a firewall. You wouldn’t leave your network unprotected by a firewall -- we all know that’s as foolish as just giving a hacker your enterprise or domain admin password. Nor should you leave your sensitive data unencrypted; encryption ensures that your data is secure.

2005: Year of the data breach

#103 To date, 2005 has been full of holes. Security holes, that is. Whether it’s missing Social Security numbers of 1.2 million federal workers, alumni information for 120,000 Boston College graduates or 40 million credit card numbers hacked by criminals, the year has been dubbed, “The year of the data breach.”

A Washington Post report states that close to 50 million accounts have been exposed to the possibility of identity fraud since January, and experts agree that these crimes are not new, but due to new legislation, we’re told more than we have been in the past.

The blame is being put squarely at the door of poorly designed software, inattention to data security and an underappreciation of the problem by top management in corporations and other institutions.

e-Commerce under blanket of fear

#102 e-Commerce is buried beneath a blanket of fear. Online purchases, according to some observers, are down by nearly half; Internet banking by nearly a third. Tales of lost credit information, worms in credit processing computers and missing tapes have made customers —and everyone else — nervous about revealing personal information over the Web.
We also covered this topic in a previous blog entry - Security concerns severely stunt e-commerce.

This is serious stuff!

This is an interesting article that looks at things from the consumer and merchant point of view, and at some new ways of using credit cards over the internet that safeguard their details. I really liked the closing remarks, namely "Customers will eventually come to realize that it's not the Internet that they should worry about but rather companies whose security practices are not up to snuff."

Smart handhelds are dumb security risk

#101 Nearly half of UK businesses do not secure smart handheld devices to the same high level they secure laptop computers. Given the explosion of Blackberry devices and the wireless email-on-the-go phenomenon, this is likely to create security problems in the future.

Researchers from Quocirca found increasing use of connected devices but few businesses taking action to secure data or access to the machines. The problem is made worse by low levels of user support and training from companies' internal IT departments. As with my company these days, the users go and buy their own PDAs and then demand wireless email from the IT department, who are struggling to keep up with demand.

Quocirca points out that most of the barriers to securing mobile devices are human, not technical. It recommends that companies set policies for the use of smart devices and make sure workers know what they are. Researchers noted that the vast majority of devices are not even protected by a simple password.

Friday, July 01, 2005

Taking a break

I will be on leave for a week, and will continue with postings on Monday 11th. I will ensure interesting events that occurred during this period find their way into the site, so you won't miss anything important.