Commwarrior claims 1st corporate victim

Yep, that phone virus story just keeps on surfacing, and for those sceptics that think this is nothing to worry about, try this one on for size.

In what is believed to be the first ever serious outbreak of a mobile-phone virus in a company, an outbreak of the Commwarrior.B virus occured at an unnamed Scandinavian company last Wednesday according to F-Secure. According to analysts, "This is the first time a mobile virus has infected an organization, and it's a particularly nasty version of Commwarrior, as it just doesn't give up."

Commwarrior targets mobile phones that use the Symbian Series 60 operating system, and the bug spreads using Bluetooth and multimedia messaging technology, or MMS. One of the employees at the company in question apparently received Commwarrior.B via MMS and then activated it by opening the program. "The virus then sent itself to every address in the address book; it was opened by more employees, who activated it, and it spread.

Same old social engineering tricks catching out people - its just the device that's changed!

See also Phone virus outbreak at Helsinki games and First mobile phone virus site launched

InformationWeek 2005 Security Survey

InformationWeek Research's U.S. Information Security Survey 2005, conducted in July and August in partnership with management-consulting firm Accenture, has been released last week.

A detailed writeup on the survey can be found here.

When asked if their organizations were more vulnerable to malicious code attacks and security breaches than a year ago, only 16% of survey participants say things have gotten worse. The survey was done before Zotob hit though, and the much-talked-about lull in worm attacks--it had been more than a year since Blaster and Sasser ripped through business networks--shouldn't be interpreted as an "all's clear" sign.

The survey, completed on the Web by 2,540 business-technology and security professionals in the United States, shows that the IT community recognizes the ugliness of the situation, even if it overestimates its readiness. Of those respondents who believe their companies are as vulnerable, or more so, than a year ago, 78% point to the increasing sophistication of threats as the cause for their anxieties. Other top concerns are that there are more types of attacks, they're growing in volume, and they're increasingly malicious in nature.

Turk, Moroccan arrested for Zotob outbreak

Just as time is shrinking between when a vulnerability is announced and an exploit arrives, it is heartening to see that so too is the time shrinking for arrests of those responsible.In the past, it has taken law enforcement months and sometimes longer to arrest and prosecute those who write and distribute Internet viruses, worms and other malicious software. And quite often, there's no arrest at all.

Farid Essebar, a Moroccan who used the screen name "Diabl0," and Atilla Ekici of Turkey, who used the moniker "Coder," were arrested in their home countries by authorities who cooperated with U.S. investigators in tracking the origins of the Mytob worm; a damaging variant, Zotob; and a third worm, RBot.The FBI praised Microsoft for its cooperation in the investigation, and attributed the swift resolution of the case to strong international cooperation.

UPDATE - 30 Aug: Turkish law-enforcement officials have informed the Federal Bureau of Investigation that they've identified 16 more suspects thought to have assisted in the creation of the Zotob bot worm. The FBI delivered the update during a speech to more than 650 cybersleuths gathered in Monterey, Calif., to share the latest tools and techniques for fighting high-tech crime. Read the InformationWeek story.

For the latest list of Zotob casualties, look at Wave of network worms strike .

Other recent Security Wrap entries on this topic are :
Zotob slams 13 Daimler/Chrysler plants,
Zotob disables Jefferson 911 services ,
Zotob spews billions of spam messages,
Zotob hits NIPSCO call centre and
Zotob costs Holden $6M

USA prepares for Cyberwar

The noise level on this topic has raised considerably this month and I have pulled together all the relevant postings into the following thought-provoking story.

With about 85% of the USA's critical infrastructure--energy utilities, manufacturing & transportation facilities, telecommunication & data networks, and financial services--in the private sector and not sharing security information with each other, it's no wonder that there are concerns of orchestrated cyberterrorist attacks bringing the country to its knees.

To address this, a new Cyber Incident Detection & Data Analysis Center, or CIDDAC, is being formed to warn law enforcement of critical infrastructure attacks which could be the battlefields of future wars. Several businesses and organizations are testing a new process for anonymously sharing cyberthreat and attack data with their peers and government agencies (through CIDDAC) without being subject to law-enforcement audits or public scrutiny.

To further reinforce the importance of this inititaive, an article in the August issue of IEEE-USA Today's Engineer warns that the information technology infrastructure in the US, including air traffic control systems, power grids, financial systems, and military and intelligence cyber networks, is highly vulnerable to terrorist and criminal attacks, noting that US cybersecurity is 'almost out of control'.

It would only be a matter of time before cyber-terrorists exploited this vulnerability and the Washington Times reports that Islamic extremists are already organising themselves together for a "Digital Jihad". A Web forum called al-Farooq, for Muslim extremists, is calling on its members to organize an Islamist hackers' army to carry out Internet attacks against the U.S. government. The site has posted tips, software and links to other resources to help would-be cyber-jihad warriors and represents a how-to manual for the disruption and/or destruction of enemy electronic resources, including e-mail, Web sites and computer hardware. The forum called for the creation of an Islamist organization, dubbed "Jaish al-Hacker al-Islami," - the Islamic Hacker's Army.

And it doesn't stop there - Mark Rasch, former head of the Justice Department's computer crime unit, has noticed a disturbing trend: Al-Qaida and other terror groups together with foreign governments are trying to hire skilled Internet hackers to penetrate US government and commercial computer networks, he says. And plenty of hackers seem willing to do the work.

Also, the the Washington Post reports that web sites in China are being used heavily to target computer networks in the Defense Department and other U.S. agencies, successfully breaching hundreds of unclassified networks.

With mission-critical networks under attack, the US Department of Defence (DOD) is working furiously to plug infosecurity holes, launching the Manhattan Project. Unless DOD changes how it operates and learns to defend its cyber networks, many military experts say it will not be able to wage an effective battle in the cyberwar that is emerging as the 21st century's biggest challenge.

Telewest gives free security services

UK cable company Telewest is offering a free managed PC security service, called PCGuard, to 850,00 of its Blueyonder ISP customers.

The company was recently forced to blacklist around one million customers over fears a great many of them were unknowingly running compromised PCs which were pumping out spam. At the time the company said security improvements were on the way and today it unveiled PCguard which will offer a firewall, a pop-up blocker, antivirus, anti-spyware, greater parental controls and automatic updates. The service is provided by Canadian managed security service provider Radialpoint. Existing customers will be able to download the service from the Telewest Web site and new customers will get the security components included on their installation CD.

ISPs have increasingly been called upon to take action over the security and integrity of data travelling over their networks. The PCguard service will be "a huge differentiator" between Telewest and a number of its rivals. This is a trend setting event and expect other ISP's to follow suit.

Web of Crime series

PCWorld has published an excellent 5-part series entitled "Web of Crime" which discusses how organised criminals are moving in on the web for financial gain. It discusses how you or your organisation may be the next target of a new breed of professional Internet criminals, who now apply underworld tactics to the Web. Cybercrime is becoming the "cocaine trade of the new century."

We have discussed previously on this blog how we are moving from "pranksters to pro's" in Organised crime gets in on the action, RansomWare , Virus writers go under the radar and Professional cybercrime takes hold .

But this 5-part series is undoubtably the quintessential reference work on this topic and is entertaininly written, well hyperlinked and definately worth the read.

Day 1: Enter the Professionals
Day 2: Zombie PC Armies Designed to Suck Your Wallet Dry
Day 3: Web Gangs Go Global
Day 4: Internet Sieges Cost Businesses a Bundle
Day 5: Who's Catching the Cybercrooks?

Shock State of Spyware Report

Webroot released on Tuesday its second quarterly State of Spyware Report that shows enterprise computers are not winning the battle against malware penetration. The report concludes that uncleaned spyware infections are festering in corporate networks and are letting in even more malware. According to the spyware report, more than 80 percent of enterprise desktops are infected with spyware. That report also found that the number of spyware traces in the wild has doubled and that possible spyware distribution sites have quadrupled since the last quarterly report was released.

On average, enterprise PCs have 27 pieces of spyware on their hard drives, a 19 percent increase in the last quarter alone, while a whopping 80 percent of corporate computers host at least one instance of unwanted software, whether that's adware, spyware, or a Trojan horse.

More concerning, evidence is accumulating that spyware is becoming more malicious than ever. Spyware makers are not satisfied with making their seven cents a click by flooding systems with adware; now they're focusing on identity theft, sometimes from within an organization. Spyware's being used by insiders to, in essence, hack their employer or boss. Instances of such activity during the second quarter included a scandal in Israel and a stymied multi-million dollar bank robbery in the U.K. that was based on spyware.

In a recent Harris Interactive Survey commissioned by Websense in June 2005, Spyware was the leading cause of security problems in the past year, voted by 65% of respondents, ahead of "Employee use of bandwidth clogging applications" at 42%, "Employee use of unlicenced/unsanctioned software" at 39% and finally "Phishing Attacks" at 32%.

Infosec top influencer in next decade

"In your opinion, which ONE of these emerging trends will most influence business computing the remainder of this decade?"

This was one of five questions asked in a survey between August 4 and 15, 2005 with 444 pre-registered attendees for IBM's SHARE User Event in Boston (August 22-26). Information security is the dominant emerging trend most likely to affect business computing over the next five years, according to 31% of those answering the Share survey. Two other significant trends identified in the poll are the shortage of qualified enterprise-class IT professionals (cited by 17% of respondents) and the outsourcing or offshoring of application development and maintenance (14%).

Major concerns about Smartphone security

Wireless vendors are rolling out a new generation of handheld computers called "smartphones" for corporate users, but many network executives say they won't consider them until the means to manage and secure them are clear.

For example, Nokia, which uses the Symbian operating system, recently made available the Nokia 9500 Communicator, a handheld with Wi-Fi and cellular support. Nokia says they're the first smartphones it has designed specifically for corporate use. While Nokia created a VPN client, had Symantec develop anti-virus software and Pointsec for encryption for smartphones, users say that's not enough because wireless PDAs must support remote management to meet many corporate security policies.

We have already seen that laptops were the most likely culprits in the recent PnP Microsoft vulnerability - multiply that by 10 times as many mobile smartphones in circulation and you get the idea...It's a classic example of technology getting ahead of security.

And the security worry level has only increased in the past year with the introduction of a slew of varied handheld computers and devices such as the iPod, servers on a data stick, Blackberries, Web-access cell phones, and wireless PDAs and pocket PCs. Not only do all these new devices boast large storage capacities, they also can sustain high data transfer rates thanks to USB, Firewire, Bluetooth, or WiFi connectivity.

Manufacturers of the new smartphones, which began to appear about a year ago, are attempting to entice organizations into buying in bulk as this is where the next growth market is, and you can expect Blackberry , Nokia , Palm and Motorola all competing heavily by using central management capability as the enabling agent for corporate penetration.

We covered the smartphone security issue in a previous blog entry entitled "Major Smartphone worm by 2007 ". Also, InformationWeek has an excellent article on Securing Handhelds which discusses how to deal with the proliferation of mobile and handheld devices from a security perspective.

Zotob slams 13 Daimler Chrysler plants

A round of Internet worm infections related to the Zotob outbreak knocked 13 of DaimlerChrysler's U.S. auto manufacturing plants offline for almost an hour this week, stranding some 50,000 auto workers as infected Microsoft Windows systems were patched, a company spokesperson told eWEEK. Plants in Illinois, Indiana, Wisconsin, Ohio, Delaware and Michigan were knocked offline at around 3:00 PM on Tuesday, stopping vehicle production at those plants for up to 50 minutes.

The company, which has headquarters in Stuttgart, Germany, is still counting the total number of vehicles that it lost as a result of the disruption, but plans to make up the lost production over time, he said. However losses have been pegged as "not insignificant". DaimlerChrysler is still dealing with suppliers that are also dealing with infections, but does not know whether there will be any disruption in supplies and parts from those third-party companies.

However, the company is "Monday morning quarterbacking" and looking into the outbreak to see if changes need to be made in the way software patches are distributed. Some companies may have deprioritized patching because of a recent drought of high-profile worms and viruses, said John Pescatore, a vice president at analyst firm Gartner Inc. "There hasn't been a major worm since Sasser [in April 2004]. We've been seeing signs of complacency about patching," he said. A similar drop-off in worms in 2002 is also believed to have lulled IT staff into relaxing about patches, which led to a number of widespread outbreaks in 2003, such as SQL Slammer and Blaster.

Zotob disables Jefferson 9-1-1

PORT HADLOCK -- Jefferson County officials suspect that the software virus called "Zotob" affected computer systems serving emergency and county services for about 10 hours on Friday.

Jeffcom 9-1-1 dispatchers reported that their computer system failed at 12:45 p.m. Friday, preventing access to law enforcement information, such as arrest warrants and driving records. The glitch also affected eight dispatch communication lines, reducing the number of available 9-1-1 lines.

Zotob spews billions of spam messages

It looks like the recent outbreak of the Zotob worm and its variants has moved to the next level, triggering a surge in spam over the last 24 hours.

The increase in spam traffic due to Zotob is enormous," said Dmitri Alperovich, a CipherTrust research engineer. "Billions of new spam messages were delivered over the last 24 hours, which we believe are being sent by the hundreds of thousands of new zombies created by Zotob variants."

So it would seem that even those users not effected by the outbreak are likely to feel the effects

For more information about zombies, see: Ciphertrust Zombie Stats

Scammers pose as execs in 'spear-phishing'

Spear phishing has emerged as one of several kinds of "targeted attacks" that experts said have grown more common in 2005. Rather than posing as a bank or other online business, spear phishers send e-mails to employees at a company or government agency that appear to come from a powerful person within the organization.

Unlike basic phishing attacks, which are sent out indiscriminately, spear phishers target only one organization at a time. Once they trick employees into giving up passwords, they can install Trojan horse programs or other malicious software to ferret out corporate or government secrets.

At the U.S. Military Academy in West Point, N.Y., several internal tests found that cadets were all too willing to give sensitive information to an attacker posing as a high-ranking officer. "It's the 'colonel effect.' Anyone with the rank of colonel or higher, you execute the order first and ask questions later,"

Zotob hits NIPSCO call center

The Zotob network worm put the Northern Indiana Public Service Co. (NIPSCO) call center in Merrillville in emergency-only mode for several hours Tuesday.The call center was only taking calls for such emergencies such as outages, gas leaks or carbon monoxide leaks after the virus struck NIPSCO computers. The virus also struck computers at NIPSCO parent company NiSource Inc., which is headquartered in Merrillville.

Zotob costs Holden $6M

Holden was forced to shut down its vehicle assembly plant in Adelaide for several hours after its computer network was infiltrated by what was thought to be the Zotob virus. Holden said its systems were infiltrated early on Wednesday and the company stopped production until lunchtime. Zotob affected various software programs at Holden, including those used to set up the computer chips in each car.

A sobering case study in the quantitative measure of damages from a security incident...

Tools drive point-and-click crime

BBC News reports that new software tools make stealing data from users as easy as browsing the web. The easy-to-use tools are being created by malicious and criminal hackers to run the networks of compromised home computers they control.

The web-based tools put a friendly front-end on managing the compromised machines making up so-called botnets. Before now the preferred method of controlling botnets has been using Internet Relay Chat via a server that the malicious hacker or criminal owns. The tools also change the type of traffic passing between controlling server and bot. This makes it harder for firewalls and other security programs to spot and stop communication between the two.

Given the gazillion compromised zombie machines out there its quite scary that another level of less sophisticated hackers can now get in on the action.

Wave of network worms strike

The recent spate of about 17 worms that has broken out among media companies and other US corporations since the weekend has infected about 250,000 unpatched Windows 2000 systems in over 175 companies including CNN, ABC News, The Financial Times, The New York Times, Associated Press news agency, Caterpillar, General Electric Co., United Parcel Service Inc., American Express, Visa, DaimlerChrysler, Boeing Co., SBC Communications, Canadian Imperial Bank of Commerce, BMO Financial Group, Bell Canada, Monroe County, San Diego County, Massachusetts Registry of Motor Vehicles and Kraft Foods.

The worms are varieties of three families -- "Zotob", "Bozori" and "IRCbot", that all exploit a recent Microsoft plug 'n play vulnerability on unpatched Windows 2000 systems, which runs on approximately 48% of business PCs. There has been a quiet spell since the last major network worm last year, and everyone has been predicting a major "blaster category" worm outbreak for some time now. Well now it has finally happened. There are a number of trends we should observe from this recent outbreak:

First, analysts have warned the attacks showed that hackers have gained a dangerous advantage in speed in the battle over network security. A few years ago, it would have taken several weeks or months -- not days -- for a virus to be released to exploit flaws in Windows. This sets up a race between technology managers who must update their systems to fix vulnerabilities and virus writers aiming to exploit holes before they are patched. Once Microsoft issued patches for the vulnerability, network managers have simply not had the time to protect themselves from the worms that appeared soon thereafter. The importance of "just in time patching" will soon start sinking in. See Virus writers moving faster with attacks.

Second, the multiple worms are hitting individual organizations rather than computer users at large. These worms are not having an impact on the Internet but they do have a substantial effect on organizations running Windows 2000 without last week's Microsoft patch installed. The pain is being felt "on the inside" since the number of potential victims was limited by the fact that the operating system was never marketed as a consumer product. It is most likely that infections are from corporate laptops according to analysts, which would explain the media companies being hardest hit as they have huge amounts of mobile laptops. The importance of laptop and mobile security will also start sinking in.

Third, security researchers claim the outbreak is tied to a "botwar" between rival virus writers, which has a financial motive. There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines. A botnet of about 5,500 "zombies," or compromised computers, typically costs spammers, phishers or other crooks about $350 a week. See Watch out for the worm wars and Bot battle brewing .

Lastly, we will see a LOT more variants of Zotob and the IRCbots because of the success of this initial outbreak. We can also expect to see other threats incorporate the exploit.

Security spending shifts

A year ago, 54% of security spending was aimed at keeping viruses, worms, spam, spyware and other cyber threats outside the perimeter; now it’s at 33%.

Meanwhile, authentication and encryption have gained to account for over one quarter of security projects, a big jump from just 7% a year ago.

Computer virus threats have relatively calmed down in recent months, which can help explain why security initiatives have shifted gears.

ZDNets' Datapoint latest IT Prirorities data (see insert) shows that spending on cyber threats has dropped significantly in recent months, freeing up resources for what may be long-awaited authentication, encryption, and disaster recovery projects.

But that doesn't mean security pros are easing up. Spyware and spam continues to be a major threat to enterprises.

The Great De-Perimiterization Debate

I have been harping on about the Jericho Forum for some time now (see Do you know about the Jericho Forum? ) .The mission of its seven dozen members, which include Barclays Bank, Boeing and Eli Lilly, is to make the IT industry aware that it needs a new style of access control and data integrity product that pushes control deep inside intranets.

This week, winners of the much anticipated Jericho Forum contest were announced (see Jericho Forum Challenge winners announced .) The winning security architecture, "Balancing the Equation; Enterprises moving to the de-perimeterised world need to adopt a ‘core’ mentality based on controlled access to systems", was one of eight papers submitted.

Now NetworkWorld has published an excellent face-off debate on the winning architecture, and de-perimiterisation in general. The face-off looks at four viewpoints,

1. "De-perimiterisation is the way forward for security" and
2. "Jericho forum paper misses the mark" and
3. "Are firewalls expendable?"
4. "Firewalls: Jericho winner paints a new security picture"

This is really a must read for security practioners and customers alike... very topical.

Black market for data on Australians

It seems that the story we covered a while back on the security breach at an Indian Call centre won't go away-an undercover operation that allegedly found customers' data for sale by outsourcers has rocked the Indian software and service industry.

According to a Australian Broadcasting Corporation shock TV report yesterday, there's a thriving black market for highly sensitive, personal and financial details about Australians leaked from offshore call centers operating in India. (see program transcript) .

In sharp reaction to the report, the Australian Attorney General Philip Ruddock warned companies operating in Australia to take the country's Privacy Act and its penalties seriously, regardless of where their offshore call center or IT operations are handled.

Starting with the security breach at an Indian call centre last month, a few discussions and topical papers circulated the Internet regarding security when outsourcing offshore. Sharp focus was brought to concerns over data security in call centres and we can expect more focus on this area as legislation and compliance bites deeper, and customers become more aware of their exposure in off-shoring agreements. You can also expect companies bidding for offshore business to use the Security angle to differentiate their services in the market.

UPDATE 18 August: Australia's federal privacy commissioner has opened a formal investigation into possible violations of the Privacy Act by Telstra Corp. mobile reseller Switch Mobile and call center outsourcer One Touch Solutions. See story at ComputerWorld.

Symantec buys Sygate

The stakes in the "Admission Controlled Infrastructures"/"Integrity Architectures"/"Endpoint Integrity" security market have just got a whole lot bigger. Security powerhouse Symantec has bought compliance specialist Sygate. If you recall, Sygate has been building products to check the integrity, security and compliance of endpoint PC's, servers and mobile devices since aunty fell off the bus-probably even invented the concept.

Sygate, based in Fremont, Calif., sells software to help customers comply with regulations by ensuring that servers, PCs and mobile devices meet security requirements. Its software also governs which devices are permitted access to which network resources. Sygate has about 200 employees. The market for corporate software products is consolidating, and Symantec is among those bulking up. In addition to the $10.5 billion it paid for Veritas, Symantec spent nearly $500 million in the previous year to pick up TurnTide, Brightmail, On Technology and SafeWeb.

There is absolutely no doubt in my mind that this approach to security is the next big wave - there are just too many big hitters like Cisco, 3Com, IBM, Microsoft, Symantec, McAfee etc. all pitching their integrity architecture wares. The question is which one will prevail, and how will customers react to the myriad of alternatives available out there? Will they hold back until one emerges as a leader? This is a crucial time now for those wanting their approaches to prevail - it will all depend on adoption. The big fish are going to be hunting down early adopters...and that is the battlefield where this war will be won.

See also previous blog entires for Cisco 1st out the blocks with Integrity Architecture and End-point integrity security market is hotting up

Dilbert goes phishing (cartoon)

I just couldn't resist posting this cartoon - time to lighten things up on this blog anyway!

Krispy Kreme chiefs blamed for bad security

You will remember a while back that we published a list of Top IT Security mistakes to avoid.

Two of them were "I can't be held legally accountable for lax security" and "Security is the IT departments problem." Well, it looks like the management team at Krispy Kreme found out the hard way...

Two Krispy Kreme executives, CEO Scott Livengood and COO John Tate, are under investigation for failing to establish financial controls that led to errors and possible fraud. A Financial Times article on MSNBC.com reports that Livengood and Tate failed to establish management tone, environment and security controls essential for meeting Krispy Kreme's responsibilities as a public company.

Phone virus outbreak at Helsinki games

Visitors to the World Athletics Championships in Finland have had to brave wind and rain, and now officials say they face the possibility of catching the world's first mobile phone virus. Officials in mobile-mad Finland, home to the world's largest cell phone maker, Nokia Corp., said there had been outbreaks of the Cabir virus at Helsinki's Olympic Stadium. "At most we are speaking about dozens of infections, but during a short period and in one spot, this is a huge number,"

Cabir, first reported in June 2004 (see "Antivirus firm says it has detected first mobile-phone worm"), uses Bluetooth short-range wireless signals to jump between cell phones. That means it can spread over distances of up to 30 feet, which in a packed stadium could include dozens of phones. Since it was invented, the virus has so far spread to more than 20 countries, from the U.S. to Japan and from Finland to South Africa.Cabir drains the power of an infected phone as it tries to replicate itself on nearby mobiles, but the most damaging viruses could disable the unit entirely, requiring a factory reset.

See also First mobile phone virus site launched and Major Smartphone worm by 2007

Cryptography enters mainstream

#162 The nCipher 2005 Cryptography in the Enterprise Survey, which queried a cross-section of 237 security decision-makers at organizations worldwide, reveals that cryptography is no longer a niche technology. To the contrary, cryptography already underpins a wide array of security functions, and espondents indicate that they plan to rapidly expand their use of cryptography in the near future indicating that cryptography is rapidly maturing as a mainstream security tool.

This expanded use of cryptography will result in an explosion in the number of cryptographic keys, and equally there will be a wider array of policies under which these keys are governed. In order to enforce security policies consistently, manage risk and comply with regulatory requirements, enterprises will need a robust, automated and centralized key management system.

Highlights:

• 74% of respondents are using or plan to use cryptography to underpin at least five different security functions.
• Results show significant future expansion to more than five security functions including: remote connectivity; data-at-rest; authentication of people; authentication of programs, computers or devices; data integrity; and data in motion.
• SSL is already widely used to protect e-commerce transactions over the Internet, with 81% of respondents using SSL for internet-facing servers.
• 46% of respondents said they are using or plan to use 802.1x technologies to authenticate devices, and control user traffic to a protected network and reduce the security vulnerabilities associated with connections
• 25% of respondents have already deployed or plan to deploy TPMs (Trusted Platform Modules) in desktops and laptops within the next two years to encrypt data, protect cryptographic keys and to perform encryption within a secure hardware environment.

ID theft ring hits 50 banks

#161 A major identity theft ring has been discovered that affects up to 50 banks, according to Sunbelt Software, the security company that says it uncovered the operation. The operation, which is being investigated by the FBI, is gathering personal data from "thousands of machines" using keystroke-logging software. The data collected includes credit card details, Social Security numbers, usernames, passwords, instant-messaging chat sessions and search terms. Some of that data is then saved in a file hosted on a U.S.-based server that has an offshore-registered domain.

The data theft is carried out by a Trojan horse downloaded at the same time as CoolWebSearch and a mail zombie, Sunbelt said. Patrick Jordan, a Sunbelt employee, discovered the identity theft ring while researching a variant of CWS, which is a malicious program that hijacks Web searches and disables security settings in Microsoft's Internet Explorer Web browser.

Publicized security breaches to rocket

#160 According to the Privacy Rights Clearinghouse (PRC), 61 U.S. organizations have reported exposures of personal information of more than 50 million individuals in the past 180 days. PRC keeps the best list of breaches reported since February's watershed incident at ChoicePoint, where criminals obtained 145,000 customer accounts and sparked a series of congressional hearings on the subject of data security.

Nineteen states have now joined California in requiring organizations to notify individuals if their Social Security numbers, driver's license numbers, financial account numbers or other sensitive information is exposed to unauthorized people (see table 2). What'll be the impact of a continuing stream of publicized security breaches? It won't do anything good for customer confidence. A Conference Board survey released in June reported that 41% of customers are purchasing less online than a year ago because of security fears (see Survey: Consumers growing wary of buying online).

Trends like this affect all companies, even those with solid security.

Jericho Forum Challenge winners announced

#160 Researchers from a Swedish security software house, have scooped the first Jericho Forum Challenge at the BlackHat convention in Las Vegas. Tomas Olovsson & Jamie Bodley-Scott of Appgate won the prize for their paper, "Balancing the Equation; Enterprises moving to the de-perimeterised world need to adopt a ‘core’ mentality based on controlled access to systems", which was one of eight papers submitted.

They proposed replacing a central firewall with a set of distributed firewalls throughout the network. These can be co-ordinated and managed from a central server but provide individual protection for users and applications and make them invisible to unauthorised people. The Challenge was set up to find tools that fit the Forum's idea of what computer security architecture is needed in three to five years time; flexible systems don’t rely just on building a security perimeter but on hardening of all levels of data.

Second place went to P. A. Galwas & A. Peck - nCipher "A reference architecture to achieve safety in a de-perimeterised world that is predicated upon mutual authentication and confidentiality." Download their paper here.

This event is more important that the cursory glance gives it credit for - we posted an article on the Jericho Forum and its importance in shaping the future a while back. I feel the output of this forum will have a large impact on future architectures for ultimate deperimiterisation, which must first be achieved through re-perimiterisation.

Secure routers 27% of security market

#158 Underscoring the current trend of security converging into the network and platforms technology areas, a Infonetics report states that Secure Enterprise Router sales jumped 19% in 1st quarter of 2005 even as revenue continues to slip quarter-over-quarter across most enterprise router categories due to ongoing price pressure.

There is hardly a customer I deal with that isn't thinking of , or already has budgeted to upgrade core enterprise routers with Secure Routers, or refresh branch router infrastructure with Cisco's Integrated Services routers.

According to Infonetics, worldwide enterprise router revenue totaled $750 million in 1Q05. Secure routers now make up 13% of worldwide router revenue, and will grow to 27% of the market by 2008

First car Bluetooth exploit demoed

#157 This car vulnerability thing just won't go away. See Car computers at risk from viruses and Cars safe from viruses....for now. At first it was viruses we needed to be concerned about but it looks like the first demonstrable bluetooth exploit is more subtle. Released late last week at the "What the Hack" computer security conference in Liempde, Netherlands, Car Whisperer is software that tricks the hands-free Bluetooth systems installed in some cars into connecting with a remote Linux computer so hackers can eavesdrop what you are saying in your vehicle or even "gatecrash" your in-car conversation.

Using a special directional antenna that allowed the extention of the normally short range of Bluetooth connections to about a mile, a demonstration was able to listen and send audio to about 10 cars over a one-hour period. The best way to avoid being "Car Whispered" is to simply connect the in-car system to a Bluetooth phone, because only one such device can be connected at a time.

If you happen to hear a disembodied computer voice tell you to "drive more carefully" next time you're behind the wheel, you've probably met the Car Whisperer. The Car Whisperer software, which includes an audio clip that says, "Hello there. This is the Trifinite Car Whisperer. Drive carefully," can be found at Trifinite's Web site.

Cisco.com Breached

#156 Showing that it happens to the best of us, Cisco Systems' customers received e-mails Wednesday from the networking company advising them of a security breach of its Web site. The company said Cisco.com has been compromised and that customers needed to change their passwords.

Cisco probably has oodles of security gear protecting its web site and it's more likely to be a vulnerability in Web applications than Cisco equipment. This just goes to show how application level (port 80) vulnerabilities and web security has still got a way to go.

Some commentators suggest that the hack was a result of Cisco being targeted by hackers in the wake of the Ciscogate affair, however this is just pure speculation at this time. The point is Web applications are vulnerable and if you conduct e-commerce or collect sensitive information from your web sites, you must take a closer look at its security , beyond just the Firewalls, Antivirus, IDS's and IPS's you have installed on the network.

If it can happen to Cisco it can happen to anyone.

Ciscogate:The Lynn interview

#155 In an exclusive interview with Wired News, Mike Lynn discusses the events behind the scenes leading up to this week's IOS exploit disclosure at Black Hat, and what he thinks it means for the security of the internet.

This is an absolutely MUST read, and actually quite disturbing (how Cisco and ISS management handled various things). Given all the legal attention Lynn has been receiving of late I doubt if he would not be telling the truth for fear of further reprisals. For another highly recommended "inside view", Lynn's attorney, Jennifer Granick has a detailed weblog about what happened at BlackHat and DefCon and the various lawyer meetings with Cisco.

The most significant quote out of all of this for Cisco customers to take heed of is "(Right now) nobody patches Cisco routers because there's been this culture (that) there's just never anything that can go wrong (with them). So, unless there's some really critical thing that's making it crash, people don't install the patches.... We have to change the public perception about patching now, and that cause is not best served by pretending that there's not a problem and saying maybe you can talk about this next year.... The time to talk about this is before the critical problem comes around. "

There is a nice reflection of this interview as well as comments on how unpatched Cisco routers are in customers networks on the Lil Bambi weblog. Also, Computerworlds' IT BlogWatch lists how other security bloggers are reacting to revelations from the Lynn interview.

..and two amazing predictions made before the event that were spot on the money...

13 July Hackers to target Cisco next?
13 May Best you start thinking about patching your IOS now

UPDATE 1: Here's some news about the FBI's investigation into Lynn leaking trade secrets.

UPDATE 2: Bruce Schneir makes a point in his blog update by quoting : "Copies of Lynn's talk have popped up on the Internet, but some have been removed due to legal cease-and-desist letters from ISS attorneys, like this one. Currently, Lynn's slides are here, here, here, here, here, here, here, here, here, here, here, here, here, and here" .

UPDATE 3: ZDnet in Australia posts an interesting article about ISS defending its actions. Michael Lynn's former employer has insisted it has treated him fairly throughout the Cisco IOS flaw affair, but others in the industry remain unconvinced, especially The founder and chief executive of Check Point, Gil Shwed, who accused ISS of hypocrisy and using the disclosure of vulnerabilities to drum up business. "It's not for research activities, it's not done to promote the community... it's done for marketing, it's done to promote ISS," he said at a Check Point user event in Bangkok, Thailand.

Security Consultants blamed for Cardsystems breach

#154 In their testimony before the United States House of Representatives Committee on Financial Services, Subcommittee on Oversight, CardSystems, which reportedly exposed credit card transaction records of approximately 40 million people because they stored these transaction records in contravention of rules established for VISA and MasterCard processors, found someone who wasn't at the table to blame -- not VISA, not MasterCard, not their sponsoring bank, not themselves and not their customers. They blamed their auditors and security consultants.

And while they were at it, they also reportedly blamed the California mandatory disclosure law, SB 1386, claiming that without the law, the company would have suffered no losses. Well, still the data would have been lost, just nobody would have known about it.

Interesting times indeed...the case points out a serious problem with understanding the nature of auditors, security consultants, and the relationship between these consultants and the underlying client. The consulting contract is supposed to reflect a meeting of the minds between the parties. Invariably however, the parties come to the table with differing expectations about what they are buying and selling. In the case of CardSystems' Security consultants they thought they were auditing discrete parts of the payment processing network for compliance with VISA's standards. CardSystems, on the other hand, apparently thought they were purchasing "hacker insurance" and a guarantee that they would never be subject to attack.

Ciscogate : Advice for customers

#153 Well after all the noise about Ciscogate, the question that begs answering is "What are customers to do about it?" There are bound to be plenty of postings on this topic and we will monitor them, but here is the first one out of the blocks which is actually quite nicely written "Advice : What to do before IOS disaster strikes"

Even though the exact exploit demonstrated during the (in)famous Black Hat presentation was not disclosed, Lynn showed enough details to prove that the exploit is real and achieved by a reliable process and that previous misconceptions that routers and switches are not exploitable are false. Coupled with the fact that the Cisco clampdown on the exploit details failed, the theft of the Cisco IOS source code last year, and that hacking communities have openly stated they will work around the clock to build an exploit, we can assume that it would be highly prudent for Cisco, suppliers and customers to take this threat seriously.

Whilst all the focus is on the IPv6 vulnerability exposed at Black Hat on Thursday, a quick perusal for all the vulnerabilities that effect IOS (I could find at least 5 since Nov 2004) would seem to indicate that a patch upgrade would be prudent.

Although a patch is available for all the IOS vulnerabilities, we can safely assume that most routers on the Internet are unpatched (see previous blogs Hackers to target Cisco next? and Best you start thinking about patching your IOS now.) Also simply upgrading the IOS is a non-trivial affair and the problem that now faces the industry to patch all routers is no different to the patching problems plaguing Microsoft customers for the last two years.

The message is clear : Start planning your upgrades now:

1. Inventory all Cisco routers in your infrastructure ASAP
2. Identify all routers that can be upgraded to the latest version
3. Create a testing lab for the new IOS images
4. Create a plan to replace the old routers ASAP
5. Create a plan to upgrade routers to the latest IOS images
6. Create a response plan in case you are exploited in the interim
7. Plan to patch your infrastructure regularly from now on

Ciscogate - Microsoft shows the way?

#151 I am wondering if Microsoft isn't capitalising on Cisco's recent souring of relations with the hacking and security community by getting their PR to spin this story 2 days after the Cisco-Lynn saga ("Microsoft wants to meet more hackers." )

However the CNET article makes for interesting reading and upon reflection one wonders if Cisco should't take a leaf out of Microsofts book as Microsoft have learnt a few hard lessons over the last two years when all hacking activity was focussed at their vulnerabilities. Come to think of it, Microsoft are far better off these days since less publicised virus and malicious code outbreaks are being linked to flaws in their software and an intense focus on rectifying flaws in their software coupled with some aggressive patch updates over the last two years seems to have turned hackers attentions elsewhere.

The story shows how much Microsoft has "cosied up" to the hacking community with its highly successfull "Blue Hat" date with hackers becoming a regular affair, with biannual events where outsiders demonstrate flaws in Microsoft's product security. At Black Hat, Microsoft rented the Pure Nightclub in Caesars Palace on Thursday to treat the security community to a party with techno music and free cocktails. The company also threw an after-party at another Las Vegas hotel. By hosting such parties and the Blue Hat event, Microsoft may be seeking to influence the security community. For example, Microsoft regularly preaches "responsible disclosure" of flaws, in which software makers are given time to repair a problem. Microsoft doesn't want researchers to go public with information on vulnerabilities before the company has had a chance to provide a patch.

More recently, 3Com and iDefence announced that they would pay rewards (see blog entry bidding war for vulnerabilities) to individuals who provide information on product/software vulnerabilities so that they could update their security products to mitigate the vulnerability.

Sure, Microsoft products have significantly more potential flaw vectors than Cisco's, but I'm sure Cisco could take a leaf out of their (and others') book instead of the heavy-handed "siege mentality" approach the community seems to be lambasting them for right now.

Car computers at risk from viruses

#150 It would seem that this issue is raising its head again, after we reported on it in a previous blog entry, Cars safe from viruses...for now when after exhaustive testing, Finnish security firm F-Secure has failed to make a virus leap from a mobile phone handset to a car's onboard communications system.

According this the CNN article linked in this blogs heading, car industry officials and analysts say hackers' growing interest in writing viruses for wireless devices puts auto computer systems at risk of infection. As carmakers adjust on-board computers to allow consumers to transfer information with MP3 players and mobile phones, they also make their vehicles vulnerable to mobile viruses that jump between devices via the Bluetooth technology that connects them.

The maturation of the mobile virus threat was brought to the fore with the launch of the worlds' first mobile phone virus web site 2 months ago.

Cisco IOS Flaw Saga Continues

#150 A lot has happened since the last posting on this topic.

Further to my previous entry regarding the posting of the Cisco IOS vulnerability on several web sites after researcher Michael Lynn was gagged, more legal action was initiated on Friday 29th through cease and desist orders on the websites in question. Richard Forno, a security specialist and author, said in an e-mail that he received a cease-and-desist letter from lawyers representing Internet Security Systems. He subsequently pulled the presentation from his Infowarrior.org Web site and replaced it with a fax he said came from the law firm of Piper Rudnick Gray Cary, counsel for ISS. The slides are still available for public download on other Web sites, including Cryptome.org. The presentation was also distributed on the popular Full Disclosure security mailing list on Friday.

Also on Friday, Cisco released a security advisory about the flaw, to much criticism and debate of "too little to late" by the security community who are questioning why the vulnerability is only coming out in the open now and the tactics used by Cisco to silence the researcher and suppress the information.

The incident spilled over into the DefCon event where the hacking community has rallied behind Lynn and sharply critisised Cisco and Corporate America. Also at Defcon, a nightmare scenario for Cisco has begun to unfold as hackers and researchers team up and vow to exploit the vulnerability exposed by Lynn.

Finally the mainstream news gets hold of the story with BBC reporting a story "Cisco struggles to plug net leak" , CNN reporting "Hackers take a crack at Cisco Flaw" and Reuters reporting "Hackers race to expose Cisco internet flaw"