Tuesday, November 29, 2005

Investors exposed in brokerage hack

St. Louis-based Scottrade, one of the nation's largest private online stock brokerage houses, has alerted its customers that a hacker break-in may have compromised the security of an untold number of accounts. The company did not disclose how many of its 1.3 million customers may have been affected, but noted that the breach likely only affects those customers who used its eCheck Secure service to transfer money from their bank account to their Scottrade investment accounts.

The company put the blame on its eCheck Secure service provider -- Troy Group Inc. -- which reported that on Oct. 25 a computer hacker had compromised its servers: "As a result, some of your personal information, including your name, driver's license or state ID number, date of birth, phone number, bank name, bank code, bank number, bank routing number, bank account number and Scottrade account number may have been compromised," Scottrade said in a statement on its site.

That's a lot of personal data, and clients can't be too charmed, regardless of who gets blamed for the oversight.

CATEGORIES: 1hack, 1id theft, 1breach, 1disclosure
Rate this post: (Provided by NewsGator)

Hackers to target copiers next?

You might think you've heard about every possible security vulnerability in your network, but what about your copiers?

"Network-connected output devices are becoming an absolute primary target of people, foreign and domestic, who are penetrating networks," according to Jim Joyce, senior vice president for office services at Xerox Global Services. "The reason for that is many of them are large devices with large disk drives, with a fair amount of memory and are network connected and are not secure. This laptop [I'm using for this presentation] is probably ten times more secure than any of the output devices we have in our environments today."

Joyce, speaking Tuesday at the two-day Office Document Solutions conference in Boston, was among a number of presenters who implored makers of printers, copiers, scanners, and other such devices to start thinking about more than just selling boxes to customers.
Joyce said during an interview after his speech that Xerox has poured some $20 million in recent years into technologies to better manage office and document systems and is putting a particular emphasis on security these days. He noted that some machines, such as multifunction devices, might have several operating systems in them that could provide security holes if not protected.

CATEGORIES: 1threats, 1vulnerabilities,1hacking

First Trojan using Sony DRM spotted

Virus writers have begun taking advantage of Sony-BMG's use of rootkit technology in DRM software bundled with its music CDs. Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory. "This means, that for systems infected by the Sony DRM rootkit technology, the dropped file is entirely invisible to the user. It will not be found in any process and file listing. Only rootkit scanners, such as the free utility RootkitRevealer, can unmask the culprit."
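The cloaking described above is exactly what cross-view rootkit scanners such as RootkitRevealer detect: the same directory is listed once through the normal Windows file API (which a filter-driver rootkit can censor) and once by reading the volume's on-disk structures directly, and anything present on disk but missing from the API view is reported. The following is an added example, not code from the original post or from any scanner vendor. Both listings are constructed sample data standing in for the Windows system directory; the `$sys$` prefix comes from the post, while the function names and the listing format are this example's own assumptions.

```python
"""Cross-view detection of files cloaked by a name-prefix rootkit.

Added example; not code from the original post or from any rootkit-scanner
vendor. On a real system the raw view would come from parsing the volume
directly; here both views are constructed sample listings.
"""

CLOAK_PREFIX = "$sys$"  # name prefix the post says the Sony DRM driver hides

# Constructed sample: what the file API reports for the system directory.
API_VIEW = """\
drivers\t0
kernel32.dll\t983040
ntoskrnl.exe\t2056832
pagefile.sys\t805306368
"""

# Constructed sample: the same directory read from the raw volume. Two extra
# entries exist on disk that the censored API view never shows.
RAW_VIEW = """\
$sys$drv.exe\t22528
$sys$filesystem\t0
drivers\t0
KERNEL32.DLL\t983040
ntoskrnl.exe\t2056832
pagefile.sys\t805306368
"""


def parse_listing(text):
    """Parse 'name<TAB>size' lines into {name_lower: (name, size)}.

    Keys are lower-cased because NTFS name lookups are case-insensitive;
    without this, 'kernel32.dll' vs 'KERNEL32.DLL' would be a false hit.
    """
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, size = line.rsplit("\t", 1)
        entries[name.lower()] = (name, int(size))
    return entries


def cross_view_diff(api_text, raw_text):
    """Return the on-disk entries that the API view omits, sorted by name."""
    api = parse_listing(api_text)
    raw = parse_listing(raw_text)
    return [raw[key] for key in sorted(raw) if key not in api]


def is_cloaked_name(name, prefix=CLOAK_PREFIX):
    """True when a name carries the prefix the DRM driver cloaks."""
    return name.lower().startswith(prefix.lower())


def report(api_text, raw_text):
    """Summarise hidden entries and how many match the known cloak prefix."""
    hidden = cross_view_diff(api_text, raw_text)
    return {
        "hidden": [name for name, _ in hidden],
        "cloaked_by_prefix": [name for name, _ in hidden if is_cloaked_name(name)],
        "hidden_bytes": sum(size for _, size in hidden),
    }


if __name__ == "__main__":
    for key, value in report(API_VIEW, RAW_VIEW).items():
        print(f"{key}: {value}")
```

The detection is the presence difference, not the prefix: a file hidden by any other cloaking rule still shows up in `hidden`, and the `$sys$` check only labels which of the discrepancies match the behaviour the post describes. Lower-casing both views keeps case-variant names from being reported as phantom files.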

The malware arrives attached in an email, which pretends to come from a reputable business magazine, asking the businessman to verify his/her "picture" to be used for the December issue. If the malicious payload contained in this email is executed then the Trojan installs an IRC backdoor on affected Windows systems.

CATEGORIES: 1watergate,1sonygate,1drm,1virus,1trojan

Security reduces PC longevity

Here is an interesting take on endpoint security - security seems to be short-circuiting PC longevity at the Bank of New York.

At Bank of New York, the need for increased security tools on desktops is a key factor in dictating when systems are upgraded. "It used to be that the applications would drive the refresh a lot more than the hardware would," says Michael Kahn, vice president of technology planning at the bank. "Then we ran into all these problems with malware." Machines now include antivirus and firewall programs as well as disk encryption and other security-related utilities, some of which require periodic updates.

"Now we're finding we have utility programs that are driving our life cycle," says Kahn.

CATEGORIES: 1users,1case study, 1endpoint security

Cybercrime bigger than drug trafficking

This is a sobering statistic - proceeds from cybercrime in 2004 topped $105B. Global cybercrime generated a higher payback than drug trafficking in 2004 and is set to grow even further as the use of technology expands in developing countries, a security expert said today.

No country is immune from cybercrime, which includes corporate espionage, child pornography, stock manipulation, extortion, phishing and piracy, said Valerie McNiven, who advises the U.S. Department of the Treasury on the problem. “Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $105 billion,” McNiven said. “Cybercrime is moving at such a high speed that law enforcement cannot catch up with it.”

CATEGORIES: 1cybercrime, 1crime, 1stats,1legal

Friday, November 25, 2005

IOS Exploit and Auditing Tools

Apparently there are 50,000 "owned" Cisco routers out there. With all the recent attention around IOS vulnerabilities and "infrastructure security" I scoured the Internet for IOS Exploit and auditing tools. The results were quite surprising, although recent information on this topic seems hard to come by.

Firstly, I found this really interesting site that has a catalogue of 58 various IOS and PIX exploit and auditing tools for download. Some of the more interesting titles are "Cisco Password revealer", "Default password scanner", "Cisco Torch mass scanning, fingerprinting, & exploitation tool", "Brute force utility for Cisco password authentication", "Cisco Global Exploiter", "Cisco Configuration Security Auditing Tool", "Cisco Systems IOS 11.x UDP echo memory leak remote sniffer", "Cisco IOS HTTP Server Vulnerability Scanner" and finally some nefarious-sounding programs such as "Cisco Cracker" and "Cisco Nuke".

The attack toolkit called "Cisco Global Exploiter" seems to be the most downloaded and is available here. It allows anyone to easily launch attacks exploiting ten known, but older, vulnerabilities in Cisco IOS devices. The impact of these vulnerabilities ranges from denial of service (DoS), to bypassing authentication, to malicious code execution on the device. While some of these vulnerabilities are old, the tool significantly lowers the barrier to exploitation, and let us not forget that there is a LOT of old IOS out there. The vulnerabilities that it exploits are: Cisco 677/678 Telnet Buffer Overflow Vulnerability, Cisco IOS Router Denial of Service Vulnerability, Cisco IOS HTTP Auth Vulnerability, Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability, Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability, Cisco 675 Web Administration Denial of Service Vulnerability, Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability, Cisco IOS Software HTTP Request Denial of Service Vulnerability, CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability, Cisco Catalyst Memory Leak Vulnerability, Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability, Encoding IDS Bypass Vulnerability (UTF), Cisco IOS HTTP Denial of Service Vulnerability.

Then there is a two-part SecurityFocus tutorial called "Exploiting Cisco Routers" (Part 1 & Part 2). It shows step-by-step, with screenshots, how amazingly simple it is to exploit Cisco routers with the HTTP authorization vulnerability. Really child's play.

Other "interesting sites" that seem very popular for publishing and downloading Cisco exploits are Getrewted Labs, Milw0rm, and HackingSpirits. You can see from these sites that thousands of these exploits have been downloaded already.

Then there is a new book selling on Amazon that will be published in mid December called Hacking Exposed Cisco Networks . The authors of this book have already published several exploits of new and recent Cisco vulnerabilities on the sites above as part of the research they were conducting in the writing of the book. This is the first book to focus solely on Cisco network hacking, security auditing, and defense issues. Using the proven Hacking Exposed methodology, this book shows you how to locate and patch system vulnerabilities by looking at your Cisco network through the eyes of a hacker. Several thousand books are on order already and this is going to be a highly recommended read for consultants and hackers alike.

The Securiteam site hosts various Cisco IOS testing and auditing tools: Cisco IOS HTTP Authorization Exploit Code, Cisco IOS Heap Exploit Proof of Concept, Cisco IOS Interface Blocked by IPv4 Packets (Exploit), Multiple Cisco Exploit Codes, Cisco IOS Software keyword parsing vulnerability, and Cisco routers vulnerable to information leakage.

Here is a very popular and highly technical tutorial which "Introduces the reader into the fun land of exploiting a routing device made by Cisco Systems", titled Burning the bridge: IOS exploits, and another titled A remote Cisco IOS exploit.

The most useful and recent tools are available from the Center for Internet Security (CIS), who publish the IOS Benchmark, Audit Tool, and Configuration Guide. The benchmarks define configuration settings for Cisco IOS and PIX devices. These settings are designed primarily to enhance the security of the device itself. The Router Audit Tool (rat) optionally downloads the configurations of the devices to be audited, and then checks them against the settings defined in the benchmark. The Router Security Configuration Guide provides technical guidance intended to help network administrators and security officers improve the security of their networks.
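To show what a benchmark-driven audit of a saved IOS configuration looks like in practice, here is an added example; it is not the CIS Router Audit Tool, nor code from the original post or from CIS. A small rule-based checker is run over a constructed weak configuration and a constructed hardened version of the same device. The rule set is a hand-picked subset in the spirit of the benchmark, not the benchmark itself; the configurations, the 192.0.2.0/24 documentation addresses, the MGMT ACL name, the placeholder enable-secret hash and the `Finding`/`audit`/`summarize` names are the example's own. One of the rules requires the HTTP management server to be off, which removes the service that the HTTP authorization vulnerabilities listed above depend on.

```python
"""Small rule-based Cisco IOS configuration auditor (added example, in the spirit of
the CIS Router Audit Tool; not code from the original post, CIS or rat). The rules
are a hand-picked subset modelled on benchmark checks; both configs are constructed
samples using RFC 5737 documentation addresses."""
import re
from dataclasses import dataclass

# Constructed weak config: plaintext passwords, HTTP server on, default SNMP community, telnet vty.
WEAK_CONFIG = """\
no service password-encryption
enable password cisco
ip http server
snmp-server community public RO
logging 192.0.2.50
!
line vty 0 4
 password cisco
 login
 transport input telnet
!
end
"""

# Constructed hardened version of the same device (the enable secret hash is a placeholder).
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashgoeshere
no ip http server
no ip source-route
snmp-server community Q7mgmtRO RO
logging 192.0.2.50
!
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class MGMT in
 login local
 transport input ssh
!
end
"""

# (id, description, kind, regex): 'require' passes when some line matches, 'forbid' when none does.
GLOBAL_RULES = [
    ("pw-enc", "service password-encryption enabled", "require", r"^service password-encryption$"),
    ("en-secret", "enable secret used instead of enable password", "require", r"^enable secret "),
    ("http", "HTTP management server disabled", "forbid", r"^ip http server$"),
    ("src-route", "IP source routing disabled", "require", r"^no ip source-route$"),
    ("snmp", "no default SNMP community strings", "forbid", r"^snmp-server community (public|private)\b"),
    ("small-srv", "TCP/UDP small servers (echo, chargen) disabled", "forbid", r"^service (tcp|udp)-small-servers$"),
    ("syslog", "remote syslog host configured", "require", r"^logging (host )?\d+\.\d+\.\d+\.\d+"),
]
VTY_RULES = [  # applied inside every 'line vty' block
    ("vty-ssh", "vty lines accept SSH only", "require", r"^transport input ssh$"),
    ("vty-acl", "vty lines limited by an access-class", "require", r"^access-class \S+ in$"),
]

@dataclass(frozen=True)
class Finding:
    rule_id: str
    passed: bool
    description: str

def parse_config(text):
    """Split a config into top-level lines and {section header: [indented sub-lines]}."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' separates blocks in IOS output
        elif raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            top.append(current)
    return top, sections

def apply_rules(lines, rules):
    findings = []
    for rule_id, desc, kind, pattern in rules:
        hit = any(re.match(pattern, line) for line in lines)
        findings.append(Finding(rule_id, hit if kind == "require" else not hit, desc))
    return findings

def audit(text):
    """Findings for the global section plus every vty block."""
    top, sections = parse_config(text)
    findings = apply_rules(top, GLOBAL_RULES)
    for header, body in sections.items():
        if header.startswith("line vty"):
            findings.extend(apply_rules(body, VTY_RULES))
    return findings

def summarize(text):
    """Percentage of rules passed (rounded) and the ids of the failed rules."""
    findings = audit(text)
    failed = [f.rule_id for f in findings if not f.passed]
    return {"score": round(100 * (len(findings) - len(failed)) / len(findings)), "failed": failed}
```

`summarize(WEAK_CONFIG)` reports seven of nine rules failing; `summarize(HARDENED_CONFIG)` reports none. Two design points carry over to a real audit: `require` rules are the right shape for settings that are insecure by default and never appear in the running config until someone adds them (source routing is one), and vty checks have to be evaluated per `line` block rather than against the flat file, or an SSH-only block can mask a telnet one.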

Finally, in addition to the CIS scoring tool and the accompanying benchmark guides, the National Institute of Standards and Technology maintains a publicly available resource of more than 50 Security Technical Implementation Guides (STIGs) and checklists. Covering a wide variety of platforms, these resources provide a detailed step-by-step approach for implementing and documenting security settings that are the accepted standards of the U.S. government.

If you are in a real "rush" to get something started then see Lock down IOS & PIX in 10 steps

This was just the findings after a few hours of browsing the 'Net - it makes one wonder what else is out there...

RELATED TOPICS: Jump to the CiscoGate landing page

CATEGORIES : 1ciscogate, 1exploits, 1tools, 1vulnerability,1ios,1hacking,1best practices

Sloppy handheld habits

A third of professionals using mobile devices such as PDAs and smartphones are failing to use passwords or any other security protection, and even store their PIN numbers, passwords and other corporate information on the devices.

The findings, from Pointsec's Annual Mobile Usage Survey, show that corporate personnel now store significant amounts of corporate data on their mobile devices, including customer contacts, email details, passwords and bank account details, together with personal and private information such as friends' details and personal images, giving little or no consideration to security.

What’s surprising about the survey is people’s propensity to lose the very devices on which their lives depend so much. Last year, 16% of users had lost one, while this year the number has increased to 22%. Of those that lost their device, 81% had not encrypted their information and admitted that they were worried that the information could fall into the wrong hands and either cause embarrassment, or that they would lose "everything" as they hadn't backed-up their information.

RELATED TOPICS : Lost & stolen devices biggest risk, Endpoint encryption to go mainstream, Mobile email devices are a security risk, Lost PDA's pose a security risk

CATEGORIES : 1mobility, 1pda, 1encryption, 1endpoint, 1passwords, 1survey, 1users

Thursday, November 24, 2005

High cost to data breaches

According to two surveys conducted by Ponemon Institute under sponsorship of PGP Corp, there's a high cost to be paid by businesses that suffer security breaches in which sensitive customer data they hold is lost. Not only are the costs high in terms of internal investigations and legal fees, there are indications that customers are taking notice of these security incidents involving their personal data by terminating their accounts or otherwise ending the business relationship.

The surveys done by Ponemon Institute, the Tucson, Ariz.-based think tank on data privacy issues, are entitled "Lost Customer Information: What Does a Data breach Cost Companies?" and "National Survey on Data Security Breach Notification." Both paint a dismal picture about the real-world consequences of fumbling the ball on customer information.

The first report is a survey of 14 organizations that lost confidential customer information and had a regulatory requirement to notify the affected individuals. The 14 organizations primarily hailed from the financial services arena but also included retailers, insurance companies, telecom firms, higher education and healthcare. To cope and recover from a single security breach cost on average $14 million per company per breach or $140 per lost customer record. The direct costs in incremental spending for outside legal counsel, increased call-center costs and related items alone were $5 million.

CATEGORIES: 1privacy, 1breaches, 1costs, 1survey, 1legal, 1stats

Wednesday, November 23, 2005

CiscoGate Landing Page

This "Landing Page" will be continually updated with postings made on this site related to the CiscoGate and IOS Vulnerability episode. Other landing pages are selectable from the sidebar on your screen.

March 2006
The challenge of Cisco device patching

December 2005
Lock down IOS in 10 steps
Hacking to change tack in 2006
Cisco's Chambers on IOS vulnerabilities
ISS withholding another 15 IOS vulnerabilities

November 2005
IOS exploit and auditing tools
IOS makes it to SANS Top-20 vulnerability list
Security set back six years
Cisco IOS next big concern
New IOS flaw patched

September 2005
New critical IOS flaw

August 2005
Cisco.com breached
CiscoGate:The Lynn interview
CiscoGate:Advice for customers
CiscoGate:Microsoft shows the way
Cisco IOS Flaw saga continues

July 2005
Pulled IOS presentation spreads like wildfire
Cisco & ISS Public Relations disaster
Cisco & ISS file for injunction at BlackHat
Cisco coverup ignites BlackHat controversy
Cisco warns of serious IOS flaws

June 2005
Hackers to target Cisco next?

May 2005
Best you patch your IOS now

CATEGORIES: 1landing, 1ciscogate, 1patching

SonyGate Landing Page

This "Landing Page" will be continually updated with postings made on this site related to the SonyGate episode. Other landing pages are selectable from the sidebar on your screen.

January 2006
Sony BMG rootkit still widespread
Sony settles lawsuits

December 2005
Texas adds more to Sony lawsuit

November 2005
First trojan using Sony DRM spotted
SonyGate : Now artists bay for blood
SonyGate : Lawsuits abound
SonyGate : This will be a very expensive mistake
SonyGate : It gets worse
Sony Security Blunder

CATEGORIES : 1landing, 1sonygate, 1drm, 1spyware, 1legal

SonyGate:Artists bay for blood

This just in from LilBambi's blog about the ongoing SonyGate saga.

"Along with lawyers, prosecutors, and furious fans, artists are joining the backlash against the label for slipping a hidden, anti-theft program into users’ computers"

"Overnight, Van Zant’s Get Right with the Man dropped from No. 882 to No. 1,392 on Amazon’s music rankings. By Nov. 22 — after the news made headlines and Sony was deep into damage control, Get Right with the Man was even further from Amazon’s Top 40, plummeting to No. 25,802." - To go from Amazon’s Top 40 to No. 25,802 because of something their “Label” did to them without their knowledge and consent.

Some are trying to say that the sales weren’t impacted. Well, this is a BusinessWeek article that says otherwise. And the artists are not happy about it either.

CATEGORIES: 1watergate, 1drm, 1spyware

IOS makes it to SANS top 20

For the first time, networking products have made it to the SANS Top 20 Vulnerability list...and Cisco IOS dominates the list.

The top vulnerabilities in networking products are identified as Cisco IOS and non-IOS products and Cisco device configuration weaknesses.

SANS said a worrying trend this year has been the fresh attention given to critical security holes in network devices like the routers and switches that keep traffic moving across the Internet. "Network devices often have on-board operating systems and can be programmed just like computers," the institute said. "Compromises of network devices can provide attackers one of the most fruitful platforms for eavesdropping and launching targeted attacks."

Recently Gartner recommended that enterprises running Cisco IOS pay close attention to IOS vulnerabilities, treat them seriously and follow the guidelines within advisories to upgrade to a newer version of software at the earliest possible opportunity. Gartner recommends that enterprises take immediate action to shield their network using a layered defense, including network-based intrusion prevention (IPS) technologies, to block exploits while executing normal test-and-patch deployment processes.

We have warned about IOS in several previous postings, see Cisco IOS next big concern. The main warning we made was that patching IOS is a non-trivial and possibly costly affair and plans need to be set afoot now rather than later when it is too late. The last thing an organization would need is to be pushed into a corner where an emergency patching / upgrading triage could bring down their network without the appropriate testing.

The SANS Top-20 2005 is a consensus list of vulnerabilities that require immediate remediation. Four years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list, and the expanded Top-20 lists that followed one, two, and three years later, to prioritize their efforts so they could close the most dangerous holes first.

Vulnerabilities on this year's list are defined by four criteria:

  1. They affect a large number of users;
  2. They have not been patched on a substantial number of systems;
  3. They allow computers to be controlled by a remote, unauthorized user;
  4. Sufficient details about vulnerabilities are available to enable attackers to exploit them

RELATED ARTICLES : Security set back 6 years, Cisco IOS next big concern, New IOS flaw patched, New critical Cisco IOS flaw, CiscoGate : Advice for customers

CATEGORIES: 1ios, 1infrastructure, 1vulnerabilities, 1patching, 1trends, 1first


Security set back 6 years

Attackers don't go after operating systems like they used to. They've found bigger fish to fry in flawed applications like the average AV, database, IM, backup software or media player program. They're also paying more attention to flaws in the routers and switches that keep the Internet afloat and are successfully stealing data from government networks.

That's the consensus among security experts who contributed to the SANS Institute's Top 20 vulnerability list for 2005. The Bethesda, Md.-based organization released the list Tuesday morning, and its research director said the findings show a major backslide in efforts to achieve ironclad information security.

"The bottom line is that security has been set back nearly six years in the past 18 months," SANS Institute Research Director Allan Paller said in an e-mail exchange. "Six years ago attackers targeted operating systems and the operating system vendors didn't do automated patching. In the intervening years, automated patching protected everyone from government to grandma. Now the attackers are targeting popular applications, and the vendors of those applications do not do automated patching. Here we go again."

During a press conference Tuesday morning, Paller added, "These applications, other than AV, don't have automated patching. We're back to the stone age. Getting patches and figuring out how to install them -- those days are back in spades."

I can really relate to this - I have a few clients asking for strategies to upgrade their Cisco IOS and keep it regularly patched and best practices, methodologies and tools to achieve this are sorely lacking.

CATEGORIES: 1patching, 1threats, 1vulnerabilities, 1trends

Tuesday, November 22, 2005

Top Security Mistakes to avoid

The initial story Top Security Mistakes to avoid Ver 2 on this blog seemed quite popular.

It was one of the most read stories in the Top stories for October 2005 list.

It also got posted as a story combined with the results of the Dimension Data CxO Assessment survey at the Security.NL web site, titled "Top 19 gemaakte fouten bij een beveiliginsstrategie"

Dimension Data Netherlands issued a press release on the findings here

The results of the CxO Security Assessment can be found here

CATEGORIES : 1links, 1opinion, 1trends, 1best practices

FEATURE:Outsourcing = bad security?



In response to growing concerns about security and the ever increasing complexity of managing these newly installed point devices, many companies turned to the same companies who managed their existing network infrastructure or to the emerging band of managed security service providers. This seemed the logical response for anyone looking to offload the complexities of security management and alleviate the need for high-priced technical talent. The problem was that most of the contracts contained clauses in the fine print absolving the service provider of liability and accountability for security incidents. Many such contracts promised little more than notification of events which couldn't be confirmed as false positives. This level of service puts the onus on the customer to respond to and resolve the incidents reported. In many cases this was a surprise to an unprepared client in their hour of need. Of course, these same service providers were able to assist in the incident response for additional hourly fees.
Outsourcing security has been a hot topic of debate for some time. There is a strong argument for both sides and no sign of consensus on the horizon. The facts are simple yet overwhelming for many:
  1. Addressing security and IT risk is not optional;
  2. Legislation and liability are driving security to the top of CIO’s priority lists;
  3. There is a real awareness problem in bridging the gap between the business people and the technologists;
  4. Technology is ever changing, so security is a moving target;
  5. Good security resources are hard to find and costly to hire and retain;
  6. Outsourcing security does not transfer accountability or liability to the service provider.

Regardless of whether you choose to outsource or go in-house for security, the challenge is in getting executive support and alignment between the business units and the security function. In the worst case, these relationships are adversarial and conflict between groups results in a decrease in productivity. In the best case, the security officer understands the business and is able to communicate clearly the threats to business operations and show that effective risk management actually enables the business. Many enterprises make the mistake of outsourcing their security as part of a generic outsourcing agreement before obtaining this alignment, and the outsourcing then leads to a false sense of security or a "tick in the box".

NEXT : CAVEAT EMPTOR (Let the buyer beware)

NOTE : Thanks to Chris Thatcher from our North American practice who assisted with this chapter.

CATEGORIES : 1feature, 1outsourcing, 1advice, 1best practices


Norwich Union locks down removable media

Norwich Union has locked down employees' access to USB memory sticks, rewritable DVD drives and floppy discs on 48,000 desktop PCs, as part of a drive to secure and control sensitive financial and customer information. The initiative, which has added £10 to the cost of supporting each desktop, will help the firm meet increasingly stringent compliance regulations which require financial services firms to secure sensitive customer data.

It aims to protect the company from the potential risks of disgruntled employees misusing sensitive information or staff inadvertently introducing malicious code, viruses or spyware on to the firm's network. "We are talking about price-sensitive information, the impact of viruses, and the potential of spyware." The company, part of the Aviva group, began rolling out centrally controlled software, supplied by SecureWave, to restrict access to removable storage devices as part of its upgrade from Windows NT4 to Windows XP.

The firm ruled out a complete ban on USB ports, recognising that some staff needed them for their work. It decided that staff who need access to USB ports, either to use printers or memory sticks, would have to produce a business case to do so. "We operate a policy of least privilege. By default you get nothing. If you are a call centre operator answering phones and accessing different applications, you get zero control of your PC, whereas if you are a developer, you would expect to have free rein." Norwich Union monitors data transfers into and out of the organisation, and restricts staff to using designated folders to send data. It keeps logs of the transactions.

CATEGORIES : 1mobility, 1data protection, 1removeable media, 1best practices, 1case study, 1endpoint security

SonyGate : Lawsuits abound

Several lawsuits are springing up in the wake of SonyGate and my guess is that this is going to be providing Sony management with a lot of headaches for a very, very long time. Perhaps if Sony management had not been so dismissive of the whole episode in the beginning, discarding it as "technobabble", things might not have turned out so badly for them. To add insult to injury, and demonstrating the futility of copy protection, it appears that with a small bit of tape on the outer edge of the CD the copy protection is completely disabled.

I have just completed reading SONY: The Private Life by John Nathan and could not help thinking how Sony's life has been chequered with corporate and strategic blunders that they never seem to learn from. The classic VHS vs. Betamax wars are now subjects of corporate training. A Google search for "Sony mistakes" or "Sony Blunders" yields a few hundred pages of very interesting reading too, and Sony features prominently in most books titled "Greatest corporate blunders", "Worst strategic mistakes" etc. Anyway, on to the lawsuits...

The attorney general for Texas filed a suit against the music giant for allegedly violating the Consumer Protection Against Computer Spyware Act of 2005. "Sony has engaged in a technological version of cloak-and-dagger deceit against consumers by hiding secret files on their computers. Consumers who purchased a Sony CD thought they were buying music. Instead, they received spyware that can damage a computer, subject it to viruses and expose the consumer to possible identity crime." The state is seeking civil penalties of $100,000 for every violation of the anti-spyware law, attorney's fees and investigative costs.

The Electronic Frontier Foundation (EFF) filed a class action lawsuit against Sony BMG on Monday. Two other legal firms, Green Welling and Lerach, Coughlin, Stoia, Geller, Rudman and Robbins, joined the digital consumer advocacy group in the suit filed in Los Angeles County Superior Court. The lawsuit is the EFF's response to the music giant's tepid acknowledgment of the security and privacy issues that came with music released on copy-protected music CDs, lawyers said. The EFF is seeking compensation for any damages caused by the digital rights management technology and a refund for the copy-protected CDs, lawyers stated. While the EFF lauds Sony for taking initial steps to fix issues related to one form of the rootkit, known as First4Internet XCP, the filing claims that a second variation of the software, labeled as SunnComm MediaMax, has not been addressed and affects 20 million of the involved CDs.

RELATED TOPICS: Sony security blunder, SonyGate: It keeps getting worse, SonyGate:This will be a very expensive mistake, SonyGate: Now artists baying for blood

CATEGORIES: 1watergate, 1privacy, 1rootkits, 1spyware, 1legal, 1lawsuit, 1drm

Monday, November 21, 2005

Cartoon : Botnets

CATEGORIES: 1cartoon, 1botnets

Compliance undermines security

Companies that make regulatory compliance the sole driver of their information security efforts could be weakening their long-term security posture instead of improving it, according to IT managers at the 32nd annual Computer Security Institute conference held this week. Therefore, it’s better to make compliance a by-product of a broader corporate security strategy and not its sole end objective, they said. Those warnings come at a time when regulatory compliance requirements have made information security a topic of board-level discussion. The results of an annual global survey, released earlier this month by Ernst & Young, for instance, showed that compliance issues have replaced worms and viruses for the first time as the biggest driver of information security.

Compliance is a measure of your security posture relative to the specific regulations you are looking at. In one sense, it is of value to the information security community because it does give external validation of the things you’ve been working on. But using compliance with a specific regulation as a measure of overall security is risky and can create a false sense of security. A lot depends on whether companies tend to view compliance as the ceiling of their security efforts or as a minimum set of requirements within a broader security framework.

RELATED TOPICS : Sarbanes-Oxley worsens security, Compliance takes top spot, IT Security takes back seat to compliance, InfoSec advisory role in decline, Why Bosses worry about security, InfoSec tops CFO concerns, Impact of regulations on IT Security, Executive guide to compliance and security

CATEGORIES : 1compliance, 1conference, 1trends, 1best practices

Security still top spending priority

A recent survey of 100 US IT executives predicts that IT spending will decrease slightly in 2006 as more businesses worry about global economic conditions, but security software and enterprise IT upgrades remain top concerns, according to Goldman, Sachs & Co.

Security software has been a long-running priority among the executives on Goldman's survey panel, and nothing has changed that mindset based on the current results. Spending on antivirus products has eased up after a flurry of activity, but chief information officers (CIOs) continue to focus on improving security in areas like identity management and regulatory compliance, the survey said.

CATEGORIES : 1survey, 1spending, 1compliance

Compliance takes top spot

The sheer number of regulations and the consequences of not complying with them has escalated information security to the boardroom. Compliance with regulations is now the primary driver of information security within many companies, for the first time surpassing worms and viruses. This is according to an annual global information security survey by professional services provider Ernst & Young.

Despite the increased awareness of regulatory compliance, information security as a function is not becoming a natural part of organisations' strategy, says the report. "The gap continues to widen between the growing risks brought on by rapid changes in the global business environment and what information security is doing to address those risks."

Other concerns for IT managers today include the lack of experienced security specialists and the new technology that enables mobile working. "Because the majority of organisations have built their security system without the mobile component to it, the growing mobile technology is a change they need to get to grips with." The survey also shows that few organisations actively manage third-party security risks: more and more organisations are trading information electronically with clients and suppliers, but security management does not keep track of that extensive use.

More than 1300 companies, governments and non-profit organisations in 55 countries participated in the survey. Two thirds responded that compliance with regulations such as Sarbanes-Oxley or the EU’s 8th Directive is the most important driver of information security.

RELATED TOPICS: IT Security takes back seat to compliance, InfoSec advisory role in decline, Why Bosses worry about security, InfoSec tops CFO concerns, Impact of regulations on IT Security, Executive guide to compliance and security

CATEGORIES : 1compliance, 1survey, 1stats

Boeing exposes 161,000 identities

A laptop computer containing names, Social Security numbers and other sensitive information on 161,000 current and former employees of Boeing Co. was stolen recently, the U.S. aerospace manufacturer said Friday. Some of the employee information on the laptop included banking details and birth dates, Boeing said.

Boeing, which said it notified authorities, is notifying each of the affected individuals and will pay for their enrolment in fraud protection and credit monitoring programmes. Interestingly, the absence of any mention of encryption leads us to believe there was none; with full-disk encryption in place the theft would have been a hardware loss rather than an exposure of 161,000 identities.

RELATED TOPICS: Personal Info is top concern, Laptops pose massive security risk, Data encryption tops user concerns, Endpoint data encryption ignored, Lost and stolen devices biggest risk, Endpoint encryption to go mainstream

CATEGORIES: 1identity theft, 1victims, 1theft, 1mobility, 1encryption

Sonygate: Very expensive mistake

In an ironic twist, it would seem that Sony's copy-protection mechanism has itself violated the licence terms of open-source software. The XCP program (rootkit) that created all the fuss installs itself on Windows PCs when consumers play one of 49 CDs from Sony BMG, and forces consumers to use a music player that comes with the program. It has now emerged that this player contains components from an open-source project, the MP3 encoder LAME. Open-source code, if used, must be identified as such and distributed under the terms of its licence, so that it can be freely shared with others.

Responding to public outcry over the insecure software, the music publishing venture of Japanese electronics conglomerate Sony and Germany's Bertelsmann said last week it would temporarily suspend the manufacture of music CDs containing XCP technology. Sony BMG then went a step further and announced it would recall 4.7 million CDs with the rootkit. In a further step, Sony on Friday offered to exchange the 2.1 million CDs already sold with the copy-protection software for new, unprotected CDs. The exchange offer is available immediately, and the company will pay all shipping charges in both directions.

Microsoft's antivirus team said Tuesday it would add a detection and removal mechanism to rid a PC of the Sony DRM copy-protection software, because it jeopardized the security of Windows computers. Symantec, McAfee and CA already have removal tools.

RELATED LINKS: SonyGate: It gets worse, Sony security blunder

CATEGORIES: 1open source, 1legal, 1watergate,1rootkit

Friday, November 18, 2005

Regulators force banks to 2-factor authentication

Banking websites are going to need to improve their security and update their authentication methods at the behest of US federal regulators, who say that security needs to go beyond passwords alone, which have become increasingly easy for hackers and other Internet criminals to steal or guess.

US regulators have demanded that banking websites implement two-factor authentication by the end of 2006. The demand was communicated to the banks in a letter sent by the Federal Financial Institutions Examination Council (FFIEC) earlier in October.

The FFIEC has also put forward the idea that financial institutions should use software or technology that can estimate a user's physical location (for example from the IP address of the connection) and compare it with the physical address on file for that user, so that a mismatch can be flagged. One of the most prominent ways in which credentials and other confidential information are stolen is phishing: according to the Anti-Phishing Working Group, 13,776 unique phishing attacks were reported during August.
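As an added illustration (not from the post or from the FFIEC guidance) of how a location check of the kind described above can feed a risk-based login decision, the Python below geolocates the login IP, measures its great-circle distance from the customer's address on file, and asks for a second factor when the two are far apart or the IP is unknown. The lookup table, IP addresses and 500 km threshold are constructed for the example; a real deployment would query a geolocation database.

```python
import math

# Constructed stand-in for a geolocation database (assumption: a real service
# maps an IP address to a city and coordinates; these entries are made up and
# use documentation address ranges).
GEO_DB = {
    "198.51.100.7": ("St. Louis, MO, US", 38.627, -90.199),
    "203.0.113.42": ("Bucharest, RO", 44.426, 26.102),
    "192.0.2.200": ("Chicago, IL, US", 41.878, -87.630),
}

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def geolocate(ip):
    """Return (label, lat, lon) for an IP, or None when the database has no entry."""
    return GEO_DB.get(ip)


def assess_login(ip, customer_lat, customer_lon, max_km=500.0):
    """Decide whether a password-only login is acceptable or a second factor is needed.

    The address on file (customer_lat/lon) is compared with the location the
    login IP resolves to. Unknown IPs and large distances both step up to a
    second factor rather than denying outright, since travel and proxies are
    legitimate reasons for a mismatch.
    """
    loc = geolocate(ip)
    if loc is None:
        return {"decision": "step_up", "distance_km": None,
                "reason": "login IP not in geolocation database"}
    label, lat, lon = loc
    distance = haversine_km(customer_lat, customer_lon, lat, lon)
    if distance > max_km:
        return {"decision": "step_up", "distance_km": round(distance, 1),
                "reason": f"login from {label}, {distance:.0f} km from address on file"}
    return {"decision": "allow", "distance_km": round(distance, 1),
            "reason": f"login from {label}, within {max_km:.0f} km of address on file"}


if __name__ == "__main__":
    # Customer's address on file: St. Louis (constructed).
    for ip in ("198.51.100.7", "192.0.2.200", "203.0.113.42", "10.0.0.1"):
        print(ip, assess_login(ip, 38.627, -90.199))
```

IP geolocation is coarse and is defeated by VPNs, proxies and mobile carriers, so the distance is best treated as one risk signal among several that decide when to demand the second factor, never as proof of identity on its own.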

CATEGORIES: 1e-commerce, 1id theft, 1phishing, 1passwords, 1regulation, 1compliance

1685 new viruses in October

October 2005 saw the biggest monthly crop of new viruses in 17 years. According to anti-virus firm Sophos, which began monitoring the proliferation of viruses in 1988, 1,685 new viruses were discovered between the end of September and the end of October.

The jump is not the work of many new strains: authors tend to shy away from writing new viruses from scratch and instead bombard users with variant after variant of existing backdoor malware. According to F-Secure, another anti-virus company, numerous "malware families" have now produced over 700 variants, since every time a new element is added to the existing code a new variant results. This is a popular trend that continues to grow.

CATEGORIES: 1viruses, 1stats, 1trends

Employee email habits a risk to business

A new survey conducted by Harris Interactive for Fortiva, shows a substantial discrepancy between employees’ perceived and actual risks. Results of the survey show that 68% of U.S. employees who use e-mail at work have sent or received e-mail via their work e-mail account that could place their company at risk. Despite this, 92% of these employees do not believe they have ever sent a risky e-mail.

The Harris survey, which examined the e-mail habits of more than 1,000 individuals who use e-mail at work, uncovered a number of issues that should raise concerns for businesses. A majority of employees who use e-mail at work (61%) admit they have used e-mail at work for personal use. Results also show that nearly half (48%) say they have sent or received joke e-mails, funny pictures/movies, funny stories of a questionable tone. And 22% say they have sent or received a password or log-in information via e-mail.

While 73% of the respondents indicated that they are aware of corporate e-mail policies, less than half (46%) claimed they always adhere to the policy.

CATEGORIES: 1email security, 1message security, 1survey

Personal info is top concern

Only 16 per cent of people are confident that internet sites will treat their personal information properly, according to a new survey by the Information Commissioner's Office that found widespread concern about data protection laws and practices. Four out of five people are concerned about how their finances or health and safety will be affected if their personal data falls into the wrong hands, according to the research published today.

The survey, carried out by research firm SMSR Ltd, shows that protecting personal information is now regarded as one of the top three most socially important issues in the UK – ranked only behind concerns over crime prevention and improving education standards. Without prompting, over half (52 per cent) of the 1,000 respondents told researchers that they were concerned that their personal details may be passed on to unknown organisations. When prompted, over 80 per cent expressed concerns about the use, transfer and security of personal information.

CATEGORIES: 1privacy, 1survey, 1identity theft, 1e-commerce

SonyGate: It gets worse

It seems that Sony has really got itself into hot water over the ill-advised copy-protection scheme for its music CDs, which used rootkit techniques to hide the software it installed on users' computers. (See previous entry: Sony security blunder.)

In the face of huge condemnation from the security community, Sony announced on Nov 11th that it was temporarily halting production of CDs using that copy-protection scheme. But as more details of the scheme came to light the pressure grew, and on Nov 14th the company announced it was pulling millions of copy-protected CDs from store shelves and offering to replace customers' infected CDs for free.

Sonygate has now evolved into an epic of class-action lawsuits in California and elsewhere, and into the focus of criminal investigations. The rootkit has even been found on computers run by the Department of Defense, to the displeasure of the Department of Homeland Security, which means Sony could in theory be prosecuted under US cybercrime law.

Now Microsoft and the big anti-virus companies are coming under fire for allowing millions of computers to become infected since mid 2004 without doing anything about it. They are accused of not treating the rootkit as malicious because it was a multinational corporation, and not a criminal organisation, that put it on the computers.

It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit, which corresponds to millions of infected PCs worldwide. For a planetary representation of the nameservers involved see the maps for the USA, Asia and Europe.

Pretty pictures, but ugly data - welcome to Planet Sony!
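Counting nameservers that have "witnessed" a lookup, as the figure above does, is normally done by DNS cache snooping: a query is sent with the recursion-desired (RD) bit clear, so a resolver answers only if the name is already in its cache. The Python below is an added example, not code from the post or from the research it reports; it builds such a query and parses the reply to decide whether the name was cached. The hostname and the two reply packets are constructed for the example (the real name the software looked up is not given in the post), and the send function assumes a reachable resolver and is not exercised offline.

```python
import socket
import struct

# Placeholder for the hostname the rootkit's software looked up (constructed).
CALLBACK_NAME = "drm-callback.example"


def encode_name(name):
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_snoop_query(name, txid=0x1234):
    """A-record query with RD=0: answer from cache only, never recurse."""
    flags = 0x0000                                  # QR=0, opcode 0, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return header fields and any A records from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"txid": txid, "rcode": flags & 0xF,
            "recursion_available": bool(flags & 0x80), "answers": answers}


def was_cached(response, name):
    """True when the non-recursive reply carries an answer for `name`."""
    r = parse_response(response)
    return r["rcode"] == 0 and any(a[0].lower() == name.lower() for a in r["answers"])


def snoop(server_ip, name, timeout=2.0):
    """Send the RD=0 query to a resolver and report whether it had the name cached.
    Network access is assumed; not exercised by the offline checks."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_snoop_query(name), (server_ip, 53))
        data, _ = s.recvfrom(512)
    return was_cached(data, name)


# Constructed replies to a query for CALLBACK_NAME (flags 0x8080: QR=1, RA=1, RCODE=0).
_QUESTION = encode_name(CALLBACK_NAME) + struct.pack("!HH", 1, 1)
CACHED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0) + _QUESTION
                + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.10"))
NOT_CACHED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("cached:", was_cached(CACHED_REPLY, CALLBACK_NAME))
    print("not cached:", was_cached(NOT_CACHED_REPLY, CALLBACK_NAME))
```

Two caveats apply when reading such a count. A cache hit shows only that at least one host behind that resolver looked the name up, so the figure is a lower bound on resolvers and says nothing precise about how many PCs sit behind each; and a resolver that ignores RD=0 and recurses anyway produces a false hit, which is why a decreasing TTL (below the zone's full value) is the usual confirmation that the answer really came from cache.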

Tuesday, November 15, 2005

Sony security blunder

Ouch... this has to go in as our first "Classic quote" for Security Market Wrap!

Two weeks ago Windows internals expert Mark Russinovich described how Sony's controversial new DRM copy-protection technology for CDs, named XCP (Extended Copy Protection), used "rootkit" cloaking techniques to hide itself on his computer (see here). At the time, Russinovich described the software as "digital rights management gone too far" and criticised it for not warning users that it would become virtually undetectable and extremely difficult to remove.

This caused something of a heated battle between Sony and the security community. Rootkit software uses a variety of techniques to cover up any trace of its existence, so that its files, processes and registry keys cannot be seen by system tools or antivirus software; XCP's cloaking driver did this by hiding anything whose name begins with "$sys$". Russinovich and other computer experts were concerned that hackers might use XCP's cloaking to hide their own software from antivirus products. That prediction came true Thursday when the first variants of a malicious Trojan program that exploited the XCP cloaking, simply by giving its files the "$sys$" prefix, began circulating on the Internet.

A day later, Sony announced that it was abandoning the project. The Sony Rootkit issue as it became known, prompted calls for an office clampdown on CD use.

CATEGORIES: 1classic quote, 1rootkits, 1DRM, 1rights management


Juniper buys Funk for NAC

Just weeks after announcing its first dedicated product for network access control, Juniper Networks Inc. on Monday said it was buying Funk Software Inc. to boost its network access security products. The move will bring Juniper into more direct competition with its chief rival, Cisco Systems Inc., in the market for NAC solutions.

Juniper will pay $122 million for Cambridge, Mass.-based Funk in an all-cash transaction that must still be approved by the companies' shareholders. Juniper plans to use the Funk technology to extend enforcement of network access control from the company's NetScreen firewalls to Layer 2 switches. Funk made its name providing access control technology such as RADIUS (Remote Authentication Dial In User Service) servers, which allow organisations to validate the credentials of users trying to access a network. The company was an early supporter and adopter of the Trusted Computing Group's open TNC (Trusted Network Connect) NAC standard (see blog entry First TNC product launched).

In May, the company announced new versions of its Steel-Belted Radius server and 802.1X Odyssey client that supported TNC standards for client integrity checks and user quarantining. Funk's ability to interoperate with TNC-compliant technology from third-party vendors such as Check Point Software Technologies and McAfee was attractive to Juniper, which wants to build a unified architecture for access control that supports "best of class" products from third parties, rather than requiring customers to change their infrastructure just to acquire network access control features.

CATEGORIES: 1acquisition, 1NAC

EU doubts VOIP security

VOIP networks are "inherently insecure", according to almost half of Europe's IT directors. A study commissioned by European business communications company Viatel confirms that DoS attacks and viruses are viewed by IT directors as very real threats to VoIP networks. Those in financial services were particularly concerned.

Respondents indicated that they see the estimated 50-percent cost savings and advanced functionality of VoIP as a significant enough reason to make the switch and override their security fears. In addition, companies are apparently comfortable with the reliability of VoIP - with two-thirds (67 percent) of those questioned saying they believe today's IP networks are robust enough to carry voice. That percentage rose to an astounding 80 percent in the financial services sector.

RELATED TOPICS : Dial VOIP for vulnerability , VOIP driving security market , US Govt. report tackles VOIP security

CATEGORIES : 1VOIP, 1survey, 1convergence

Wednesday, November 09, 2005

FEATURE:Outsourcing = bad security?



The realisation had finally set in that the traditional firewall and antivirus technologies covered in the original outsourcing contracts were not standing up to new, emerging threats such as self-replicating worms, attacks over port 25 (mail) and port 80 (web), P2P exploits and spyware. Internal IT assets that became infected were infecting other internal assets. A detection and response strategy within the perimeter was now required to supplement the ailing protection strategy. Many enterprises were also not aware that their insurance policies did not cover them against malicious code attacks, and others who tried to buy coverage found there were few policies being written that protected against digital attacks.

Everyone was jolted into action. 2004 was a very busy year for my company. There was much piloting and testing of Intrusion Prevention Systems (IPS) and other appliances to solve specific problems, and my company was involved in much of this "exploratory" phase with outsourcers and customers. But once everyone was satisfied with the tests and results, the question would come up of who was going to pay for all this technology. I have been embroiled in many three-month periods of to-and-fro between customer, ourselves and outsourcer over who was going to pay for all this new gear and, better still, who was going to manage it.

Now the big mistake made by clients and outsourcers alike (and by some technology providers and systems integrators who were none the wiser too, I might add) was to think that deploying this technology would solve their security problems. What they did not realise was that they were solving particular issues, in much the same way as when they invested in firewalls, VPNs and antivirus and thought "Well, that's security sorted." So even while IPS appliances, application firewalls, host IPS, desktop firewalls and IDS were being installed all over the show, everyone lost sight of the bigger picture, namely that security needs to be a holistic process involving people, process and technology.

Outsourcing contracts were modified to include the provision and management of additional security hardware at strategic points within the network, and that was that: on to the next problem, so to speak. To be honest, these measures did ease things for a short while. To make matters worse, it actually went quiet in the press for a while as we had a lull in outbreaks of worms and viruses, and this leads us into the next chapter.


CATEGORIES : 1feature, 1outsourcing

FEATURE:Outsourcing = bad security?



After the disruptive outbreaks of Blaster (aka W32/Blaster, LovSan, MSBlast, W32/Posa), SoBig, Nachi, Sasser and others, almost every corporation affected now rated the threat from malicious code as top of its risk/threat management agenda. As mentioned before, what made these recent outbreaks all the more interesting is that many corporations were infected from within their own trusted network or by their own trusted users. This was despite aggressive antivirus, IDS and other traditional security investments made by these organisations. The reasons for this were:

  1. These attacks arrived before antivirus or mail vendors had released signatures ("zero day" from the defender's point of view). IT managers would arrive at work the next morning to find they had already been infected overnight from, say, the Far East.
  2. Contractors and workers with laptops infected elsewhere infected the internal network when they connected to it.
  3. External VPN, remote access and wireless connections terminating in the network core (bypassing DMZs and firewalls) introduced infections.
  4. E-commerce and business partners, traditionally "trusted", were used as launch platforms by malicious code to attack the customer's resources.
  5. Branch networks not under tight control of the central IT department or outsourcer were used as launch platforms against the central network and other branches.
  6. Patch management was not proving scalable as a defence, because of the effort and frequency of the updates required and the shrinking window between a vulnerability's disclosure and its exploitation.

What this now highlighted is the fact that the single trust model to the internal network and the traditional approach to protection and detection no longer applied!

The wave upon wave of mass network worm and virus outbreaks in 2004 (in fact 2004 is tagged among the security community as "The Year of the Worm") were getting far more sophisticated and starting to really hurt. Blaster and Sasser were so devastating that IT departments and outsourcers alike couldn't sweep the issues under the carpet any more. Besides the press having a field day with the issue, CEOs' PCs were rebooting, finance departments couldn't access their mail or systems any more and point-of-sale systems were brought down. (Believe me, when store tills in major retail outlets go off the air you soon see how security becomes a business survival issue and budgets get miraculously unlocked.) Clearly something had to give...


CATEGORIES: 1Feature story, 1Outsourcing, 1Best Practices, 1Trends


Bluecoat removes encryption blindspot

Encrypting Web traffic can protect privacy and secure transactions, but it can also provide a cover for viruses, spyware and other pests trying to get into a corporate network. Secure Sockets Layer, or SSL, has many legitimate uses, but also provides an "encrypted tunnel" that lets malicious code and phishing sites bypass most network security methods. BlueCoat announced Tuesday that it is updating its proxy product, ProxySG, to eliminate that "blind spot" in network security.

To improve corporate security, the new feature will enable organisations to decrypt SSL traffic so they can scan it for malicious code and other threats, the Sunnyvale, Calif.-based company said. It would also enable companies to provide better internal policy enforcement by, for example, governing which encrypted applications their employees are allowed to use. Decrypting traffic this way means the proxy terminates the SSL session itself and presents its own certificate to the client, so client machines must be configured to trust the proxy's certificate authority; the sessions are no longer end-to-end, and the decrypted content, which may include banking and other personal traffic, has to be handled and logged with corresponding care.

CATEGORIES:1vendor announcements, 1encryption, 1ssl, 1web security,1content security

IT Facts Security Roundup

80% of companies leak confidential information via IM systems
About 80% of companies studied by Reconnex had some form of confidential data pass through their instant messaging systems in August-September 2005. Just 10-13% of companies had sensitive data pass into secured email systems.

Executives worry about security (26%) and costs (23%)
Economist Intelligence Unit and AT&T polled 236 executives in 50 countries regarding their top concerns. Security was ranked first at 26%, followed by implementation costs at 23% and the cost of new equipment at 19%.

58% of IT executives measure security through manual reporting
According to Preventsys survey of 385 IT executives on IT security measurement, 58% of respondents indicate they measure security through manual reporting, relying on spreadsheets and email to track, report and share information. 4% have an entirely automated process for security reporting, while the remainder used a mixed approach.

22 attacks on P2P networks in October 2005
Akonix Systems tracked 22 new attacks on P2P networks in October 2005, a 19% increase over September 2005.

80% of Internet users worried about identity theft
Some 80% of Internet users say they're at least somewhat concerned someone could steal their identity from personal information on the Internet. A majority of users asked say they've stopped giving out personal information on the Web and 25% told Consumer Reports they've stopped buying online.

Adware is a $3 bln industry
Webroot Software estimates "adware" alone generates nearly $3 bln annually, based on financial disclosures from some companies that push such products.


Top stories for September


OpsSec tops outsourcing trend

Infrastructure management outsourcing accounts for a large proportion of the overall European outsourcing market. Today, an average of 55% of European firms outsource some sort of infrastructure management activity, with 63% of very large firms engaged in this area. But, at the same time, firms are becoming smarter about the way they handle these contracts: 87% of them have opted for a selective outsourcing strategy, while an average of 45% of firms also have a single methodology for evaluating and selecting infrastructure management outsourcers.

Network management and operational security are the preferred service types that firms outsource, but other types of services — like help desk support and business continuity — will get further consideration in the short term.

The vendor preferences picture is especially interesting: Global IT providers, telcos' services arms, and local vendors are now equally attractive to buyers from very large and $1 billion-plus firms. Forrester expects fierce price and service competition to continue in this market.

My personal (and, I suppose, biased) viewpoint on this last observation is that as network, systems and security management all converge, enterprises will seek out those systems integrators skilled in IP networks, platforms, systems management and security as the infrastructure service providers of choice, and there are not many of them around...

CATEGORIES: 1analyst report, 1forrester, 1outsourcing, 1client trends, 1convergence

Security key to convergence

Another great spin on the recent survey from the Economist Intelligence Unit (EIU). Really worth a read! Over two-thirds of corporate executives view ensuring reliable network security as the single most critical factor in the successful implementation of a converged IP network according to a new survey from AT&T in co-operation with the Economist Intelligence Unit (EIU).

The EIU global survey of 236 senior executives, representing firms from 50 countries and more than 20 industries, addressed the electronic security implications of network convergence and reported that for the second year running, security remains at the top of the list as the most critical network attribute of network performance, ahead of cost, complexity and business disruption.

More than sixty percent of all executives surveyed say that processing customer data online exposes their firms to electronic security breaches, more than any other type of vulnerability. Yet three years from now, 62% of the respondents expect to have implemented IP through most or all of their organisations.

Respondents reveal a clear link between their firms' technology-related goals and their chief information vulnerabilities. Among some of the key benefits of convergence—the enabling of deeper electronic collaboration with customers as well as remote and mobile working—are also a prime area of network vulnerability. (This ties in with what we saw at the Dimension Data global customer Special Interest Group for security a few weeks back.)

The survey suggests that business leaders are coming to grips with electronic security—better understanding the nature of threats, and setting organisational structures and spending patterns in place to ensure they are met in a robust way. Corporate spending on network security is levelling off at about 15% of IT budgets, suggesting a commitment on the part of the executive suite to maintain spend at a relatively high level to ‘maintain the defences.’

The bottom line? Enabling a truly collaborative enterprise—in which information is shared regularly with customers and other stakeholders, and in which mobile or remote employees are able to access this and other mission-critical company data—requires secure IP networks. Inasmuch as expanding collaboration is seen by executives as a means to enhance competitive advantage, ensuring robust network security may be seen as critical to the achievement of a strategic business objective.

These and other findings are presented in a new report called Network Security: Safeguarding the collaborative enterprise, which is now available here. Recommended reading!

CATEGORIES: 1survey, 1trends, 1convergence, 1strategy, 1collaboration

Infosec market will never mature


Further to my previous opinion piece, Multifunction appliances a market gamble, I stumbled across this excellent and entertaining piece by Steven Hofmyer on why the IT security market is different from other technology markets and will "never mature". Some quotes from his piece:

"Clearly, getting all your goods from one location would be easier, but there are several reasons why this is unlikely to ever work in security. The IT security industry is different from other IT industries, because the nature of the problem is always changing. A solution that is effective today is useless tomorrow, because the attackers are always coming up with new ways of compromising security. This requires continual innovation on the part of the defenders, and unfortunately, the big players are very poor at innovation."

"Of course, the giants don't address these new threats effectively and so there is a feeding frenzy as the big boys snap up the small companies that do. So in the near future, we can see ongoing consolidation and mass extinction, but it won't last long: the next new threat will emerge and the whole process will repeat. Along the way, those giants that aren't nimble enough or lack foresight, believing they can rely on outdated technology, will topple. But the important point is that they can never get ahead of the game, they can never have the complete solution: that is just a pipe-dream."

CATEGORIES: 1Opinion piece, 1consolidation, 1convergence, 1acquisitions

Robust EMEA Infosec Market

The market for enterprise security products in Europe, the Middle East and Africa grew substantially in Q2 2005, increasing 29.4 percent year on year, according to new research by Canalys. The industry analysts say Cisco retained the number one position and looks set to perform strongly in the second half. Second-ranked Symantec closed the gap to Cisco and is well positioned with revamped products and its Sygate acquisition.

Canalys' ranking of the top enterprise security vendors for EMEA, based on shipment value:
  1. Cisco: 17.5% market share
  2. Symantec: 15.2% market share
  3. Nokia: 9.4% market share
  4. McAfee: 7.5% market share
  5. Check Point: 7.2% market share

CATEGORIES: 1Market Report, 1Stats,1market research, 1market share


Tuesday, November 08, 2005

CIO's fear IP Network security

Despite high levels of concern about the security of IP networks, companies are planning to press ahead and roll out the technology regardless, according to research from the Economist Intelligence Unit (EIU).

Over two thirds of the 236 global chief executives and chief information officers questioned said that network security is a major concern when it comes to switching to an all-IP network. But the same proportion were planning to deploy the technology anyway. Security concerns rank more highly than worries over the cost of network installations, and wireless network protection is seen as a key risk area. Viruses and worms are still seen as the main problems, but the respondents see these and most other threats decreasing over the next two years. However, they expect targeted attacks from internal staff, whether espionage or sabotage, to rise.

CATEGORIES : 1Survey, 1research, 1trends, 1concerns

Cisco IOS : Next big concern

I felt like a lone voice in the wilderness on the topic of Cisco IOS vulnerability in various postings (see New IOS flaw patched) over the past two months, but now finally the mainstream press is getting onto the topic.

Which operating system, embedded in more than 80% of enterprise IT environments and constituting 60% of the Internet infrastructure, represents one of the fastest-growing hacker targets and potentially the most devastating information-security vulnerability? Hint: it ain't Windows.

Cisco Systems' Internetwork Operating System now sits at the center of the information security vortex. Because IOS controls the routers that underpin most business networks as well as the Internet, anyone exploiting its flaws stands to wreak havoc on those networks and maybe even reach into the computer systems and databases connected to them. Cisco is working hard to better shield its routers and other network equipment from the risks, but there are reasons to believe Cisco security will become a bigger problem before it gets better. The sheer amount of Cisco equipment installed, the many versions of IOS involved, the difficulties of upgrading that software, and the IOS vulnerabilities already out there or yet to be discovered present a major challenge to network administrators and security professionals.

This is an excellent article and worth a read.

CATEGORIES: 1IOS, 1vulnerability, 1patching, 1infrastructure security

UK DoS attacks are legal

In a landmark ruling, a British teenager has been cleared of launching a denial-of-service (DoS) attack against his former employer, in a ruling that delivers another blow to the Computer Misuse Act (CMA).

Sitting at Wimbledon Magistrates Court, District Judge Kenneth Grant ruled that the youth, who can't be named for legal reasons, had not broken the CMA, under which he was charged. He was accused of sending five million emails to his ex-employer, causing the firm's email server to crash.

The CMA, which was introduced in 1990, explicitly outlaws the 'unauthorised access' and 'unauthorised modification' of computer material. Section 3, under which he was charged, concerns unauthorised data modification and tampering with systems. The defence counsel argued that sending a flood of unsolicited emails would not cause unauthorised access or modification, as the email server was set up for the purpose of receiving emails.

Judge Grant told the court that "the computer world has considerably changed since the 1990 Act", and that there was little legal precedent to refer back to. He then ruled that DoS attacks were not illegal under the CMA.

CATEGORIES: 1legal, 1dos, 1ddos, 1law, 1ruling

Top stories for October


McAfee endpoint solution launched

McAfee Inc. expects to release the first beta version of its McAfee Policy Enforcer software next week. The product will give the company a foothold in an emerging market for products that ensure that "end-point" devices such as desktop and notebook PCs are secured and within policy.

McAfee's software can find and scan devices on the network to ensure that computers have up-to-date patches and security software before giving them access to the network. Policy Enforcer is designed to be integrated with McAfee's ePolicy Orchestrator management and reporting software and will work with a variety of hardware, including Cisco Systems Inc. switches compatible with that company's NAC (Network Admission Control) technology and virtual private network products from Nortel Networks Corp. and Juniper Networks. The new product will bring McAfee into competition with rival Symantec Corp. in this emerging market. In August, Symantec acquired Sygate Technologies Inc., in Fremont, California, which sells similar end-point security products.

CATEGORIES: 1antivirus, 1NAC, 1endpoint security, 1product announcement, 1compliance

Microsoft calls for national privacy law

Microsoft Corp. today called on Congress to enact a new federal privacy law, a move that is sure to prompt lawmakers to consider whether consumer privacy both online and offline should go further than merely requiring companies to notify people when their personal and financial data is lost, stolen, or inadvertently disclosed.

In an eight-page document released on Capitol Hill today, Microsoft outlined a series of steps it would like to see Congress take to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information.

CATEGORIES: 1regulation, 1data privacy, 1laws, 1legal

Unsecured WiFi to be outlawed?

According to a new proposal being considered by a suburb of New York City, any business or home office with an open wireless connection but no separate server to fend off Internet attacks would be violating the law. Politicians in Westchester County are urging adoption of the law--which appears to be the first such legislation in the U.S.--because without it, "somebody parked in the street or sitting in a neighboring building could hack into the network and steal your most confidential data." Representatives from the county's information technology department drove around downtown White Plains, N.Y., with laptop computers and detected 248 open wireless connections in less than half an hour, the county reported. Half lacked "visible security" features.

The draft proposal offered this week would compel all "commercial businesses" with an open wireless access point to have a "network gateway server" outfitted with a software or hardware firewall. Such a firewall, used to block intrusions from outside the local network, would be required even for a coffee shop that used an old-fashioned cash register instead of an Internet-linked credit card system that could be vulnerable to intrusions. Scott Fernqvist, special assistant to the county's chief information officer, said Friday that he thought "the law would apply" to home offices as well.

The proposed law has two prongs: First, "public Internet access" may not be provided without a network gateway server equipped with a firewall. Second, any business or home office that stores personal information also must install such a firewall-outfitted server even if its wireless connection is encrypted and not open to the public. All such businesses would be required to register with the county within 90 days.

CATEGORIES: 1legal, 1compliance, 1wireless, 1data privacy

Australia Zombie crackdown

The Australian government on Monday recruited five Internet service providers to hunt down virus-infected computers used to send spam or launch denial-of-service attacks from within the country.

Senator Helen Coonan, minister for communications, information technology and the arts, launched the Australian Internet Security Initiative (AISI), which is being run on a three-month trial basis by the Australian Communications and Media Authority (ACMA). Anthony Wing, manager of the anti-spam team at the ACMA, said that the application, which took "some months" to build, can identify computers located in Australia that are being used for "illicit reasons." "(The application) identifies IP addresses that have been used for illicit reasons; for example, spamming," Wing said. "There are a range of sensors...that identify them. Those infected IP addresses are then fed to the relevant ISP. They know who their customers are, so (they) can contact them."

The five ISPs will regularly receive a list of IP addresses identifying those computers on their networks that have been demonstrating "zombie-like" behavior. The ISPs then will be responsible for contacting customers and helping disinfect their computers or disconnect them from the Internet altogether.
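The sensor-to-ISP hand-off described above, as an added example that is not AISI's or ACMA's code: constructed sensor reports are tallied per source IP, addresses reported repeatedly are treated as showing "zombie-like" behavior, and each is routed to the participating ISP whose (hypothetical, RFC 5737 test-range) allocation contains it.

```python
import ipaddress
from collections import defaultdict

# Constructed ISP allocations using documentation-only test ranges; the real
# AISI ISP list and netblocks are not given on the page.
ISP_PREFIXES = {
    "isp-a.example": ["192.0.2.0/25", "198.51.100.0/24"],
    "isp-b.example": ["192.0.2.128/25"],
}

# Constructed sensor reports as (source IP, sensor type). The page names spam
# as one example of "illicit" use; the sensor names here are hypothetical.
SENSOR_REPORTS = [
    ("192.0.2.10", "spamtrap"),
    ("192.0.2.10", "spamtrap"),
    ("192.0.2.10", "ddos-sink"),
    ("192.0.2.200", "spamtrap"),      # single report: below threshold
    ("198.51.100.7", "ddos-sink"),
    ("198.51.100.7", "ddos-sink"),
    ("203.0.113.5", "spamtrap"),      # no participating ISP owns this range
    ("203.0.113.5", "ddos-sink"),
]


def isp_for(ip, prefixes=ISP_PREFIXES):
    """Return the ISP whose most specific prefix contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None  # (isp, prefix length) of the longest matching prefix so far
    for isp, nets in prefixes.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (isp, net.prefixlen)
    return best[0] if best else None


def zombie_report(reports=SENSOR_REPORTS, prefixes=ISP_PREFIXES, min_hits=2):
    """Group reports per IP, keep IPs reported at least min_hits times, and
    bucket them by ISP as {isp: {ip: sorted sensor types}}. IPs that no
    participating ISP owns land under the None key for manual follow-up."""
    hits = defaultdict(list)
    for ip, sensor in reports:
        hits[ip].append(sensor)
    out = defaultdict(dict)
    for ip, sensors in hits.items():
        if len(sensors) >= min_hits:
            out[isp_for(ip, prefixes)][ip] = sorted(set(sensors))
    return dict(out)
```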

RELATED TOPICS: Zombies, DDos rife at major ISP's

CATEGORIES: 1zombie, 1spam, 1clean pipes, 1Ddos, 1dos, 1ISP

Hackers empty brokerage accounts

More and more computer hackers are lifting passwords from home PCs and emptying online brokerage accounts. Home PC users are particularly vulnerable since high-speed and wireless connections have made it easier for hackers to get in, and 84 percent of computer users keep sensitive personal information, including financial data, on their home PC.

Securities & Exchange Commission investigators said they are investigating dozens of such schemes at the moment and noted that it is a new and growing area that is more intricate and more complicated than other Internet-related securities frauds - and it is still evolving.

So far, $20 million has been stolen from online brokerage accounts in the last year, but with $1.7 trillion worth of assets in online brokerages, Web investing is a lucrative pursuit for online thieves.

CATEGORIES: 1victims, 1trends, 1hacking, 1fraud

Pizza chain's half-baked security

Papa John's has beefed up security for its Web-based e-mail system after the pizza chain learned that internal e-mail and customer data had been exposed. The leak at the Louisville, Ky.-based pizza chain made internal corporate e-mail and thousands of customer comments available to anyone with a Web browser. The customer comments included names, addresses, phone numbers and e-mail addresses of customers.

Papa John's on Monday added password protection to its Web-based e-mail system and the online customer suggestion database, after it was notified of the leak by CNET News.com. The company's action came hours after information exposing the system's insecurity was published to the popular Full Disclosure security mailing list. While the Web-based system now requires a password, some of the information is still available in the cache of Google's search engine. For example, one internal Papa John's e-mail discusses the company's challenges in re-establishing itself in Mexico and Puerto Rico after the departure of a key employee.

CATEGORIES: 1victims, 1hack, 1web security, 1data privacy

Friday, November 04, 2005

Botnet mastermind charged

Botnets are big business—at least according to authorities who announced the first U.S. case against an alleged computer hacker, who authorities believe netted $60,000 in cash and a BMW from a personal army of zombie computers. Federal authorities arrested a 20-year-old California man Thursday and charged him with running a network of 400,000 compromised computers called a "botnet," including computers used by the U.S. government for national defense.

Jeanson James Ancheta, of Downey, Calif., was arrested by FBI agents Thursday morning and charged with spreading a Trojan horse program, called "rxbot," and using it to build a network of around 400,000 infected computers. He is also charged with illegally uploading advertising software ("adware") onto compromised systems. Among Ancheta's alleged victims were computers at the Weapons Division of the U.S. Naval Air Warfare Center, and machines belonging to the U.S. Department of Defense's Defense Information Systems Agency, according to a statement from Debra Wong Yang, U.S. Attorney for the Central District of California.

CATEGORIES: 1arrests, 1botnets, 1zombies, 1adware, 1conviction, 1legal