Tuesday, January 26, 2010

Top 10 Security Nightmares of the Decade (source: IDG)


Top 10 Security Nightmares of the Decade
12/31/2009

Blame the Internet for the latest decade of security lessons. Without it, you probably wouldn't even recognize the terms phishing, cybercrime, data breach, or botnet. Let's revisit the top security horrors of the past ten years, and try to remember what we learned from each.

1. Cyberwar

What started out small ended up pretty big. Back in February 2000, a Canadian teenager named Mafiaboy used automated floods of incomplete Internet traffic to cause several sites--including Amazon, CNN, Dell, eBay, and Yahoo--to grind to a halt, in what is called a distributed denial of service (DDoS) attack.

Michael Calce, aka Mafiaboy, pleaded guilty to 55 of 66 counts of mischief and was sentenced to eight months detention. Calce later wrote a book about his experience, entitled Mafiaboy: How I Cracked the Internet and Why It's Still Broken. Some experts say that all security threats progress through a cycle that moves from fun to profit to politics, and DDoS attacks were no different: Opportunist criminals next started using DDoS to hold various gambling sites for ransom.

In May 2007, DDoS attacks turned political, with hundreds of online Russian sympathizers blocking Estonian government Websites, all because a World War II memorial had been relocated. The attacks continued through the summer until Computer Emergency Response Teams (CERT) from various nations mitigated them. The following year, Russian organized crime targeted the government of Georgia with a DDoS attack.

While some people think the United States might not be ready for the upcoming cyberwars, experts from CERT are now advising the U.S. government on how better to protect its infrastructure based on the attacks we've seen thus far.

2. Malware Makes Strange Bedfellows

Viruses and worms have always been around, but in the summer of 2001 one aggressive worm threatened to shut down the official White House Website. Code Red, so named because the discoverer was drinking "Code Red" cola from Mountain Dew at the time, warranted an unprecedented joint press conference with the FBI's National Infrastructure Protection Center, the U.S. CERT, the Federal Computer Incident Response Center (FedCIRC), the Information Technology Association of America (ITAA), the SANS Institute, and Microsoft.

Two years later, Microsoft again teamed with the U.S. Secret Service, the FBI, and later Interpol to offer a $250,000 reward for information leading to the arrest of those responsible for SoBig, MSBlast, and other major viruses at the time.

Such public-private cooperation is rare, but it happened again in early 2009 when Conficker was poised to wreak havoc on the Internet at midnight on April 1. That didn't happen, thanks in part to a unique coalition of rival antivirus companies that collaborated with government agencies under the Conficker Working Group name. To this day, this group continues to monitor the worm. Organizations are stronger when they team up against a common enemy, and even security companies can put aside their differences for the common good.

3. MySpace, Facebook, and Twitter Attacks

At the beginning of the decade, security experts at businesses had to struggle with employees' use of instant messaging from AOL, Webmail from Yahoo, and peer-to-peer networks. These applications poked holes in corporate firewalls, opening various ports that created new vectors for malware.

The battle initially focused on server port 80; but by the end of the decade, the top concerns were Facebook, Twitter, and other Web 2.0 applications.

In 2005, a teenager authored the Samy worm on MySpace, which highlighted a central problem of Web 2.0--that user-contributed content could contain malware. Even as Facebook endured a few privacy snafus, it also had its own worm, called Koobface.

In 2009, Twitter came of age, too, attracting its own malware and highlighting the dangers of shortened URLs--with them, you can't see what's waiting on the other side. Twitter also suffered from spam...or did Guy Kawasaki really send you that porn link?

4. Organized Viruses and Organized Crime

After the Melissa virus struck in 1999, e-mail-borne viruses peaked the following year with ILOVEYOU, which clogged e-mail servers worldwide within 5 hours. (See "The World's Worst Viruses" for more about a clutch of the decade's early offenders.)

As e-mail spam filters improved to block bulk mailings, malicious coders looked elsewhere, turning to self-propagating worms like MSBlast, which exploited a flaw in Remote Procedure Call messages, and Sasser, which exploited a flaw in Internet Information Services (IIS). About this time, viruses and worms began using Simple Mail Transfer Protocol (SMTP) to bypass e-mail filters so that the compromised machines could spew pharmaceutical spam to random addresses on the Net.

Shortly after Microsoft's Reward program netted Sven Jaschen, author of Netsky and Sasser, in 2004, the image of a single author creating viruses in a parents' basement fell out of favor, replaced by organized crime operations with financial ties to porn and bulk pharmaceutical companies. (In 2005, PCWorld wrote a series on the problem, "Web of Crime.") Groups such as the Russian Business Network (RBN) ran sophisticated spam campaigns, including pump-and-dump penny-stock spam.

5. Botnets

With the financial backing of organized crime syndicates came widespread and clever innovations in malware.

In 2007, the Storm worm--which began like any other virus--started talking to other Storm-compromised computers, forming a network of compromised computers all using the Overnet peer-to-peer protocol. This protocol allowed the operator to send out a spam campaign or to use the compromised computers to launch a DDoS attack.

Storm was not alone. Nugache, another virus, was building a botnet, too. And there were others. Today, botnets have spread to the Mac OS and Linux operating systems. The chances are approaching 50/50 that you might have at least one bot on one of your computers now.

6. Albert Gonzalez

It wasn't organized crime but rather a confederacy of criminals that caused some of the largest data breaches over the last few years--attacks that victimized Dave & Busters, Hannaford Brothers, Heartland Payment Systems, and TJX, to name just a few. One man, Albert Gonzalez, pleaded guilty for most of these heists, and was implicated in others. Gonzalez and his crew entered malicious code through the Web-facing sites of these major companies. In turn, the malware infiltrated the internal network, where it could look for unencrypted credit card data.

To combat such data breaches, in 2005 the Payment Card Industry (PCI) produced 12 requirements that all of its member merchants must follow; the PCI Security Council updates those requirements every two years. What lies ahead is end-to-end encryption of the credit card data, so that your personal information is never in the clear from cash register to card brand.

7. Gone Phishing

More effective than spam, yet short of a full-blown data breach, is phishing. The idea here is that a creatively designed e-mail can lure you into visiting a believable-looking site designed solely to steal your personal information. Often these sites use "fast flux," the ability to switch domains quickly so that you can't lead law enforcement back to the site.

Using logos and designs from banks and e-commerce sites, some phishing sites seem entirely realistic, a vast improvement over the crude pages full of misspellings of a few years ago. The best defense? Don't click!

8. Old Protocol, New Problem

Behind the Internet are protocols, some of which today perform functions far beyond what they were originally designed to do. Perhaps the most well-known of the overextended protocols is the Domain Name System (DNS), which, as IOActive researcher Dan Kaminsky explained in 2008, could be vulnerable to various forms of attack, including DNS cache poisoning.

DNS converts a Website's common name (for example, www.pcworld.com) into its numerical server address (for example, 123.12.123.123). Cache poisoning means that the stored address for a common name could be incorrect, thus leading a user to a compromised site rather than to the intended site--and the user has no way of knowing. Kaminsky managed to keep the flaw known to a limited group of companies for about six months, and then rolled out a coordinated series of patches that seemed to address many of the more serious vulnerabilities.
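The cache-poisoning risk above comes down to how little a resolver checks before it stores an answer. The toy resolver below is an added example written for this page (it is not code from the article, from Kaminsky, or from any real resolver): it keeps a table of outstanding queries keyed by transaction ID, UDP source port and question name, accepts a reply only when all three match and the answer is for the name that was asked, and shows how much an off-path forger would have to guess with and without randomized source ports. The name and address are the article's own illustrative values; the port range and the `ToyResolverCache` API are assumptions.

```python
"""Toy stub-resolver cache: a reply is cached only if it matches an
outstanding query on transaction ID, destination port and question name.
Added example for illustration, not code from the article or any resolver.
"""
import math
import secrets

EPHEMERAL_PORTS = 65536 - 1024   # assumed randomized-port range: 1024..65535


class ToyResolverCache:
    def __init__(self, randomize_ports=True):
        self.randomize_ports = randomize_ports
        self.pending = {}    # (txid, port, qname) -> True while the query is in flight
        self.cache = {}      # qname -> ip, the "stored address" the article refers to
        self.rejected = 0    # replies dropped because they matched no outstanding query

    def send_query(self, qname):
        """Record an outgoing query and return the values a reply must echo."""
        txid = secrets.randbelow(1 << 16)                 # 16-bit DNS transaction ID
        if self.randomize_ports:
            port = 1024 + secrets.randbelow(EPHEMERAL_PORTS)  # post-2008 mitigation
        else:
            port = 53                                     # fixed port, the old behaviour
        self.pending[(txid, port, qname)] = True
        return txid, port

    def receive_reply(self, txid, dst_port, qname, answer_name, ip):
        """Cache the reply only if it matches a query we actually sent."""
        key = (txid, dst_port, qname)
        if key not in self.pending:
            self.rejected += 1            # wrong ID or port: not ours, drop it
            return False
        if answer_name != qname:
            self.rejected += 1            # answer for a name we did not ask about
            return False
        del self.pending[key]
        self.cache[qname] = ip
        return True

    def lookup(self, qname):
        return self.cache.get(qname)


def guess_entropy_bits(randomize_ports):
    """Bits a blind forger must guess per reply: the 16-bit transaction ID,
    plus the source-port entropy when ports are randomized."""
    port_bits = math.log2(EPHEMERAL_PORTS) if randomize_ports else 0.0
    return 16 + port_bits


if __name__ == "__main__":
    resolver = ToyResolverCache()
    txid, port = resolver.send_query("www.pcworld.com")
    resolver.receive_reply(txid, port, "www.pcworld.com", "www.pcworld.com", "123.12.123.123")
    print(resolver.lookup("www.pcworld.com"), resolver.rejected)
    print(round(guess_entropy_bits(False)), round(guess_entropy_bits(True)))
```

With a fixed source port only the 16-bit transaction ID protects the cache, which is why the 2008 fix added source-port randomization to roughly double the bits a forged reply must match; checking that the answer is for the queried name is the same principle applied to the payload.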

Similarly, researcher Marsh Ray of PhoneFactor discovered a hole within SSL/TLS, one that allows for man-in-the-middle attacks while authenticating the two parties. This wasn't a vendor-specific problem, but a protocol-level flaw. Ray, like Kaminsky, also set about coordinating a patch among affected vendors. However, a second researcher stumbled upon roughly the same thing, so Ray felt compelled to come forward with his vulnerability, even though some of the patches are still to come.

Disclosures such as these have hastened the move to newer standards, such as DNSSEC, which authenticates data in the DNS system, and a newer version of SSL/TLS. Look for the replacement of existing protocols to continue in the coming years.

9. Microsoft Patch Tuesdays

A decade ago, Microsoft released its patches only as needed. Sometimes that was late on a Friday afternoon, which meant that bad guys had all weekend to reverse-engineer the patch and exploit the vulnerability before system administrators showed up for work on Monday.

Starting in the fall of 2003, Microsoft released its patches on a simple schedule: the second Tuesday of every month. What has become known as "Patch Tuesday" has, over the last six years, produced a crop of fresh patches every month, except for four. Oracle patches quarterly, and Adobe recently announced that it would patch quarterly, on or near Microsoft's Patch Tuesday. Apple remains the only major vendor that doesn't adhere to a regular cycle for its patches.

10. Paid Vulnerability Disclosure

Independent researchers have debated for years whether to go public with a newly found flaw or to stay with the vendor until a patch is created. In some cases the vendor doesn't get back to the researcher, or doesn't make publication of the flaw enough of a priority, so the researcher goes public. On the other side of the fence, criminals certainly don't go public, knowing that such vulnerability information is worth serious money on the black market.

After years of back and forth, in recent times one or two security companies have decided to pay researchers to stay quiet; in exchange, the company works with the necessary vendor to see that the patch is produced in a timely fashion and that clients of the company get details of the flaw sooner than the general public.

For instance, at the CanSecWest Applied Security Conference, Tipping Point Technologies annually awards $10,000 to the researcher who can hack a given system. And payment-for-vulnerabilities programs have matured in recent years. For example, in Microsoft's December 2009 Patch Tuesday release, all five of the Internet Explorer vulnerabilities patched can be attributed to the iDefense Zero Day Initiative program.

Robert Vamosi is an award-winning computer-virus and security columnist, and a security analyst.

Copyright © 2010 | IDG Connect | 492 Old Connecticut Path | Framingham MA 01701 USA | www.idgconnect.com

Friday, January 22, 2010

Online crooks steal £2.6bn in gathering crime wave (source: Financial Times)

Online crooks steal £2.6bn in gathering crime wave
By Maija Palmer, technology correspondent

Published: January 15 2010 02:00 | Last updated: January 15 2010 02:00

Online fraud has become common and is growing rapidly, writes Maija Palmer.

An estimated £2.61bn was stolen online from people in the UK in the year to September, according to a YouGov survey.

About one person in eight was a victim of identity fraud during that period, and the average amount stolen was £463.

The value of online banking swindles rose 55 per cent to £39m in the six months to June, according to Financial Fraud Action UK. Criminals obtain account passwords and siphon off money.

Credit card ID theft - in which criminals get hold of card details and use them to buy goods and services, often via the web - rose 23 per cent to £23.9m in the first half of last year.

Often customers are duped into revealing their account details on websites masquerading as bank sites, or lists of account details are stolen directly from retailers' computer systems.

An underground economy exists in which stolen card and account details are bought and sold, sometimes for as little as 50p.

Moneybookers, the online payment service, estimated in a survey that during the Christmas period online retailers lost about £105m - 0.8 per cent of their takings - as a result of cards that turned out to be stolen.

AVG, an online security group, estimated that shoppers lost £185m - about 2 per cent of total spending - on fraudulent websites during the Christmas period.

The money was deducted but the goods were never sent and - sometimes - the site simply disappeared.
Copyright The Financial Times Limited 2010.

Tuesday, January 19, 2010

Hackers are cracking bank security - Techworld.com

Employees increasingly found to be downloading illegal files (source: Infosecurity.com)

Employees increasingly found to be downloading illegal files
15 January 2010

As if companies have not had enough IT security headaches already, it seems that a growing number of firms have problems with their staff illegally downloading copyrighted files whilst at work.
Research just published by ScanSafe, the software-as-a-service specialist, shows there has been a 55% increase in employees attempting to download illegal software, especially MP3 files, in the workplace over the last three months.

Worryingly, the firm says, all too often an employer will be held legally responsible for any wrongful acts committed by an employee "in the course of their employment" even if it is expressly prohibited by the employer. The report, says the company, should act as wake up call for companies to ensure that they are not at risk for legal liabilities.

To compile its figures, ScanSafe says it now processes data across more than 100 countries for millions of employees, giving it the industry's most significant insight into the latest trends in web traffic and malware.

The report comes as a US student, Joel Tenenbaum, has just been fined $675,000 for illegally downloading music.

The court case, says Spencer Parker, ScanSafe's director of product management, focused on 30 tracks that Tenenbaum admitted downloading – he was subsequently fined $22,500 per song. Over the years, he said, consumers have taken a carefree approach to illegally downloading music, not expecting to be held accountable for their actions.

High-speed internet connections have enabled even faster illegal downloads and, alarmingly, more and more people are choosing to do so in the workplace.

"Employees mistakenly assume they can use the internet at work in exactly the same way as they use it at home and this is potentially one of the reasons for this steady increase in illegal download attempts over recent months," he said. "Inappropriate internet use in the workplace can put the employer at risk for legal liabilities," he added.

According to Parker, often an employer will be held legally responsible for any wrongful acts committed by an employee "in the course of their employment". This phrase, he explained, is very widely constructed – "an act may be considered" in the course of employment even if it is expressly prohibited by the employer.

This, he says, is 'vicarious liability', which means that, even if a legal claim is unsuccessful, dealing with claims can make very substantial demands on management time and involve quite significant legal costs.

"Downloading illegal content is a double whammy for employers as not only does it put them at risk legally, but it also puts the company network at risk of being infected with malware. A large majority of free illegal downloading websites are often riddled with malware," he said.

Because of these issues, Parker argues that organisations should formulate internet usage policies and educate employees on the goals of their policies, including making clear the potential consequences of non-compliance. Employers, he says, should also require staff to sign and acknowledge their understanding of acceptable web use during working hours.


Monday, January 11, 2010

Govcert: do not rely on SMS authentication (source: Computable)

Providers of SMS authentication services, for example for online banking, must take additional measures in the short term to prevent malicious parties from carrying out targeted attacks on users of those services. That is the view of Govcert, the computer incident response team of the Dutch government. According to the agency, carrying out targeted attacks has become easier now that researchers Karsten Nohl and Sascha Krißler presented a method for eavesdropping on GSM traffic in December.

Govcert announced this in a factsheet entitled Afluisteren van gsm-communicatie dichterbij (Eavesdropping on GSM communication comes closer). The organisation advises against developing new SMS authentication applications that depend on the encryption between a GSM base station and a user's mobile phone.

The factsheet was issued in response to the announcement by security researcher Karsten Nohl that all the knowledge needed to eavesdrop on GSM calls is now available. He made that announcement at the CCC security conference, held in Berlin in the last week of December.

Abuse has come close

Researchers Karsten Nohl and Sascha Krißler presented a method for eavesdropping on GSM traffic in October 2009. At the time, the two called on the hacker community to carry out, jointly, the computation that makes guessing keys faster. That work has since been completed. Malicious parties can abuse the resulting 'rainbow tables' to eavesdrop on GSM calls and SMS messages.

After buying a GSM base station for a few thousand euros, they can pose as a new GSM network. According to Govcert, public abuse has therefore 'come close'.

Source: security / News, 11-01-2010 10:54 | By Jolein de Rooij (Computable)

Sunday, January 10, 2010

SSL protocol amended because of security hole (source: security.nl)

SSL protocol amended because of security hole
9 January 2009

A very serious security hole in the SSL protocol, used for encrypting sensitive internet traffic, will soon be a thing of the past now that engineers have found a solution. The vulnerability is present in all software that uses SSL, such as browsers and e-mail clients. Through the hole it is possible to add data to an encrypted HTTPS transaction and then steal cookies, passwords and other confidential information. A working group devised this solution, which has now been accepted by the Internet Engineering Steering Group (IESG).

This means a change to the SSL protocol, so that attackers cannot inject data between two endpoints. The new protocol changes the way in which programs exchange the parameters for an existing SSL connection. From now on, all such "renegotiations" will be "cryptographically" bound to the SSL connection over which they are carried out.
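Both this paragraph and the Marsh Ray item in the Top 10 list above describe the same fix: a renegotiation must prove it belongs to the connection it runs over. The toy model below is an added example written for this page, not the working group's text or any TLS library's code. It follows the idea of the secure renegotiation extension (the client echoes the verify_data of the previous handshake on the same connection; the server aborts if that value is missing or wrong), but the message layout, the `Endpoint` class and the use of a transcript hash in place of real TLS key derivation are assumptions made for illustration. It shows why a fresh handshake from a different party can no longer be presented to the server as a renegotiation of an existing connection.

```python
"""Toy model of binding TLS renegotiation to the existing connection.
Added example; not protocol text or library code. Real TLS derives
verify_data from the master secret; a hash of the transcript stands in."""
import hashlib
import secrets
from typing import Optional


def verify_data(transcript: bytes) -> bytes:
    # Stand-in for the Finished message's verify_data (assumed 12-byte length).
    return hashlib.sha256(transcript).digest()[:12]


class Endpoint:
    """One side's view of one connection: remembers the client verify_data
    of the last completed handshake, or None on a fresh connection."""
    def __init__(self):
        self.last_client_verify: Optional[bytes] = None


def client_hello(client: Endpoint) -> dict:
    """Fresh connection: empty renegotiation_info. Renegotiation on the same
    connection: the verify_data of this connection's previous handshake."""
    return {"nonce": secrets.token_bytes(8),
            "renegotiation_info": client.last_client_verify or b""}


def server_handle(server: Endpoint, hello: dict, secure_renegotiation: bool) -> bool:
    """Accept or abort a handshake on this server-side connection.
    With the fix enabled, the hello must echo what this connection last saw."""
    if secure_renegotiation:
        expected = server.last_client_verify or b""
        if hello["renegotiation_info"] != expected:
            return False  # not bound to this connection: abort the handshake
    # Handshake completes; both sides will hold the same new verify_data.
    server.last_client_verify = verify_data(hello["nonce"] + hello["renegotiation_info"])
    return True


def complete_handshake(client: Endpoint, server: Endpoint, secure: bool) -> bool:
    ok = server_handle(server, client_hello(client), secure)
    if ok:
        client.last_client_verify = server.last_client_verify  # same transcript, same value
    return ok


def legitimate_renegotiation(secure: bool) -> bool:
    """A client renegotiates on the connection it already has."""
    client, server = Endpoint(), Endpoint()
    if not complete_handshake(client, server, secure):
        raise RuntimeError("initial handshake should always succeed")
    return complete_handshake(client, server, secure)  # expected: True


def spliced_handshake(secure: bool) -> bool:
    """The flaw in one line: an initial handshake from a different party is
    delivered to the server as if it were a renegotiation of an existing
    connection. Without the binding the server accepts it."""
    server, first_party = Endpoint(), Endpoint()
    if not complete_handshake(first_party, server, secure):
        raise RuntimeError("initial handshake should always succeed")
    newcomer = Endpoint()                      # no prior handshake: sends b""
    return server_handle(server, client_hello(newcomer), secure)


if __name__ == "__main__":
    print("legitimate, old behaviour:", legitimate_renegotiation(False))
    print("legitimate, with binding: ", legitimate_renegotiation(True))
    print("spliced, old behaviour:   ", spliced_handshake(False))
    print("spliced, with binding:    ", spliced_handshake(True))
```

The point the article makes in one sentence shows up in the last two calls: the old server cannot tell a renegotiation from a newcomer's first handshake, while the bound version rejects the newcomer because it cannot present the verify_data that only the original connection's two ends share.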

Patch
It may still take a while before the necessary patches can be downloaded. "Now that the standard has been decided, people have to get their implementations ready and make sure they comply with the standard," says Steve Dispensa, CTO of PhoneFactor. The company disclosed the hole in early November. "There is still quite a bit to be done," Dispensa continues. This page tracks how far vendors such as Mozilla, Cisco and Microsoft have come in developing and releasing a patch.

Tags: authentication, encryption, man-in-the-middle, ssl

Friday, January 8, 2010

CWI: RSA approaching its expiry date (source: Computable 20100108)

security / News, 08-01-2010 11:26 | By Jolein de Rooij | Tags: Security, E-commerce | Related companies: EMC
CWI: RSA approaching its expiry date
According to the CWI, the current computing power of computers makes it necessary to move, in time, to RSA keys longer than 1024 bits. In the coming years there is no security risk yet, however, the research institute says. RSA is an encryption algorithm widely used for securing online payments.

Researchers of the Cryptology and Information Security group of the Centrum Wiskunde & Informatica (CWI) in Amsterdam, in cooperation with research groups from Germany, France, Japan and Switzerland, have broken a 768-bit RSA key by finding its prime factors. A 768-bit RSA key is a number of 232 decimal digits.

The security of RSA is based on the difficulty of factoring a very large number into two primes. In 1999, however, a 512-bit RSA key was cracked for the first time, and in 2005 a 663-bit RSA key. The researchers state that if the trend of the past ten years continues, the current standard of 1024-bit RSA keys will be as vulnerable in ten years as 768-bit RSA keys are now. According to the research institute, this result underlines the importance of gradually upgrading the 1024-bit key.

Distributed computing architecture

In the coming years there is no security risk yet, however, the research institute says. To factor the 768-bit RSA key into primes, the researchers used thousands of computers at various locations over a period of two and a half years. The total amount of computing time used is equivalent to running 1700 2.2GHz cores continuously at full speed for a whole year.
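To make the article's point concrete, here is an added example (not CWI's code and not their factoring method) that generates an RSA key pair from two tiny primes, factors the modulus by trial division, and derives the private exponent from the factors. The primes, the message and the 2048-bit policy threshold are constructed values chosen for this illustration; trial division only works at toy sizes, which is exactly the gap the 768-bit factorization had to close with the number field sieve and thousands of cores.

```python
"""Toy RSA: factoring n = p*q hands over the private exponent d.
Added example with constructed values; not CWI's code or method."""
from math import gcd, isqrt

# Constructed toy primes (about 20 bits each); a real key uses ~1024-bit primes.
TOY_P = 1000003
TOY_Q = 1000033


def rsa_keygen(p, q, e=65537):
    """Return ((n, e), (n, d)) for primes p and q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)


def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def trial_factor(n):
    """Split n into its two prime factors by trial division.
    Feasible only for toy moduli: the cost grows with sqrt(n)."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found; n may be prime")


def recover_private_exponent(public_key):
    """What 'breaking' an RSA key means: factor n, then recompute d."""
    n, e = public_key
    p, q = trial_factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


def key_bits(public_key):
    return public_key[0].bit_length()


def key_meets_policy(public_key, minimum_bits=2048):
    """Assumed policy threshold; the article argues 1024-bit keys should be
    phased out, so the example requires longer keys."""
    return key_bits(public_key) >= minimum_bits


if __name__ == "__main__":
    pub, priv = rsa_keygen(TOY_P, TOY_Q)
    c = encrypt(pub, 123456789)
    print("roundtrip:", decrypt(priv, c) == 123456789)
    print("recovered d matches:", recover_private_exponent(pub) == priv[1])
    print("key bits:", key_bits(pub), "policy ok:", key_meets_policy(pub))
```

The `key_meets_policy` check is the operational takeaway: the private key is only as secret as the modulus is hard to factor, so a key inventory should flag moduli below the size the organisation considers safe.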

The abbreviation RSA refers to the designers of the algorithm: Ron Rivest, Adi Shamir and Len Adleman. They developed RSA in 1977. In 1982 they jointly founded RSA Data Security. The RSA patent is currently held by EMC, which acquired the security company in 2006.


Read more: http://www.computable.nl/artikel/ict_topics/security/3213247/1276896/cwi-rsa-nadert-houdbaarheidsdatum.html?utm_source=Nieuwsbrief&utm_medium=E-mail&utm_campaign=Redactiemailing#ixzz0c1VwBUCo

Sunday, January 3, 2010

Major identity breaches reported to state authorities - June/November 2009 (source: Boston.com)

Eastern Bank:
2,499 Massachusetts residents affected when checking account data were mailed to the wrong customers.

Moriarty & Primack, a Springfield accounting firm:
1,617 residents affected when three laptops were stolen, including more than 1,100 employees and retirees of client Smith College.

Nashbar Direct, an online bicycle equipment dealer in Ohio:
5,318 residents affected when a hacker broke into the company’s servers.

Alpha Software Inc. of Mass.:
994 residents affected when customer credit card numbers were stolen from company’s servers.

University of Massachusetts at Amherst:
A hacker intrusion into school computers revealed information on "thousands" of former students spanning 1982 to 2002. No exact number given.

Blue Cross and Blue Shield of Massachusetts:
39,000 health care providers from Massachusetts affected because their personal data were stored on a stolen laptop.

Wyndham Hotels and Resorts:
1,146 residents affected when a hacker penetrated the hotel company’s data center.

T-Mobile USA:
490 Massachusetts residents affected after a fraud ring gained unauthorized access to their account data.

JPMorgan Chase Bank:
9,015 residents named on missing computer tape.

Network Solutions LLC:
14,677 residents affected when hackers broke into company servers.

DLP Lamp Source:
960 residents affected after company’s website was compromised.

Eagle Bank:
2,431 residents affected by unauthorized disclosure of debit card data.

LexisNexis:
About 8,900 residents affected when unauthorized persons got access to company servers.

Data breaches affect million state residents - The Boston Globe

Security compliance: The root of insanity - Feature - Techworld.com