- Spyware takes malware crown
- Porn scammers take over PCs
- Symantec takes stock of top 2007, '08 threats
- Most DNS servers remain vulnerable to exploit
- Process leads to information leakage
- Building a botnet taxonomy
- Report - 90 percent of Web apps still vulnerable
- Data most at risk via smaller breaches
- Windows Home Server hits the streets and a Macrovision Vulnerability
- Puper takes aim at the Mac
November 27, 2007 | Comments: (0)
Spyware takes malware crown
According to new research published by the Computing Technology Industry Association, better known as CompTIA, security admins are being forced to ward off greater volumes of spyware than ever before as other breeds of attack have become less prevalent.
In a survey of just over 1000 organizations recently carried out for the industry group by researchers at TNS, some 55 percent of those IT professionals interviewed said that their employers have dealt with larger numbers of spyware attacks over the last twelve months as other threats have cooled off.
Respondents to the survey cited a lack of user awareness of security issues (54 percent), virus and worm attacks (49 percent), end-user abuse of IT systems (44 percent) and browser-based threats (41.5 percent) as the other leading problems they are being forced to deal with.
In a similar survey conducted last year, respondents had indicated that they were still struggling with more frequent instances of viruses, worms and browser-based attacks, compared to this year's results.
CompTIA officials said in a report summary that the growing spyware problem illustrates just how rapidly the malware community moves from one attack technique to another as it discovers new methods for stealing valuable information.
"Spyware was rarely mentioned as a concern just a few years ago," said John Venator, president and chief executive officer, CompTIA. "It's another example of how information security threats are moving targets that can pose great challenges to even the most security-conscious organization."
At the same time, CompTIA warned that organizations cannot become complacent about the other types of attacks, and based on the survey responses it appears that most of those people interviewed are preparing for subsequent shifts in threat delivery patterns.
Asked to identify the types of security attacks they expect to be most troubled by in three years' time, respondents still put viruses and worms (20 percent) at the top of the list, followed by spyware (14 percent), wireless threats (9 percent), e-mail-borne exploits (9 percent), phishing (5 percent) and issues related to remote access (5 percent).
In response to all those concerns, CompTIA said that many organizations are prepared to loosen their purse strings, which has to have every security vendor hoping to cash in on the problems licking its lips.
"To combat the seemingly endless waves of cyber-attacks, we found that organizations plan to increase spending across all areas related to security," Venator said. "Nearly one-half indicate they intend to increase spending on security-related technologies, and another one-third expects to increase spending on security training."
Posted by Matt Hines on November 27, 2007 01:57 PM
November 26, 2007 | Comments: (0)
Porn scammers take over PCs
The moral of the story is: if you want to look at online porn, you're going to pay for it sooner or later.
Relax, the Zero Day blog has not become the bully pulpit of some smut-loathing voice of hellfire and brimstone.
Rather, it's just that the researchers over at McAfee's Avert Labs group have discovered a truly nasty little form of adware/malware/badware/ransomware that is aimed squarely at the XXX-loving masses.
And while porno sites have long been considered leading sources of malware for unsuspecting URL cruisers (try SiteAdvisor!), this new blend of Web-borne threat appears to be particularly unsavory and underhanded.
Why, you might ask? Because it's a social engineering scheme that tricks people into signing up for expensive services without warning them first, and then begins to shut down their PC by hammering it with pop-ups if they refuse to pay up for the sites.
At least with the old form of ransomware the criminals didn't try to hide who they were. In fact, the idea that they had to communicate with their targets to get paid always made me feel that of all the badware baddies, at least those ransomware types had some form of guts. Of course, those "guts" probably also got a lot of them arrested.
Anyways -- according to Seth Purdy, who blogs on the Avert site, a company identifying itself as Micro Bill Systems (whose adware-like programs have been previously rated as suspicious by other vendors including Sophos) has begun running its scam using a site known as sexxxpassport.com.
The scam works this way: the site offers a free 3-day trial to visitors, but requires that they sign up with Micro Bill Systems to get access. To sign up, the user must agree to an 11-page EULA, without being required to read it first.
Now, if users took the time to read the document they might save themselves from the peril that awaits them, but, if they don't, after three days their trial period ends and they are automatically signed up for a 90 day subscription which will cost them roughly $80.
If that weren't bad enough (because really you could just refuse to pay) at that point the application begins serving pop-up ads to the user, with increasing frequency, demanding payment. And the longer the scam goes unpaid, the more frequently the pop-ups arrive!
In fact, as Purdy notes, Micro Bill Systems admits in its dense EULA language that it will pretty much shut down your computer if you refuse to pay for the, ahem, services.
Quote:
"If You choose to ignore the payment reminders and do not pay the Membership Fee, You hereby understand and acknowledge that the prompt reminders may become more frequent and that You may lose the ability to use Your computer until You have submitted payment. The payment reminders will be active while your computer is online or offline."
So while the researcher never labels the program as ransomware, clearly it is. MBS is fairly well telling the poor suckers who signed up for its program that if you don't pay these hidden fees we tricked you into accepting with our long, legalese EULA, we're taking down your whole machine!
Faced with an otherwise inoperable PC, you could imagine that some people might just give in (especially if they don't savor the notion of explaining to their spouse, or even worse their boss or IT admin, that they killed the PC with porno).
"The closest analogy I’ve come up with: You're offered a free trial of satellite radio for your car," writes Purdy. "Then, a week later, you go to leave for work one morning and find a boot on your car, immobilizing it until you pay up."
I guess the lesson to be learned is to read those EULAs really closely… or to stop looking at Internet porn.
As usual, you make the call.
Posted by Matt Hines on November 26, 2007 02:22 PM
November 21, 2007 | Comments: (0)
Symantec takes stock of top 2007, '08 threats
With the Thanksgiving holiday (thankfully) bearing down on us, we've reached that time of the year when experts and prognosticators of all different sorts begin to fill our in-boxes with their reflections on the best and worst of the last twelve months, along with what they expect to emerge as the most important trends of 2008.
And as the throngs of poor souls hurrying past my office window here in Boston in vain hopes of avoiding the impending rush hour travel meltdown thicken (even before eating dinner tomorrow) it would seem that the holiday season is now officially upon us, and thus, it's only fitting to begin the annual cycle of post-mortems and predictions.
For its part, Symantec has had an interesting year, further wrapping its arms around the evolving shift in IT security away from defending devices and networks and toward more proactively protecting valued information -- and making interesting acquisitions such as its recently-announced buyout of Vontu, a so-called data leakage prevention (DLP) tools provider whose products aim to help address that very transition.
Experts from the little yellow box company recently passed along their top security trends for 2007 and issues to watch for 2008. Those lists follow, along with some related observations offered to Zero Day by Kevin Haley, director of product management for Symantec's Security Response team.
Symantec's Top 10 Internet Security Trends of 2007 were:
1. High profile data breaches.
Haley: This trend has forced companies to focus more on securing the entire supply chain and making sure that their business partners are doing as good a job of protecting their information as they have promised to.
2. Vista introduction.
Haley: While a lot of work clearly went into improving the overall security of Microsoft's flagship Windows OS, hackers proved quickly that there's still plenty of opportunities to carry out attacks.
3. Spam.
Haley: Spammers continued to use new technological tricks like image spam, and mainstream events such as the 2008 election to find their way into in-boxes and trick people into opening their messages. The spambot effect has not helped, at all.
4. Professional attack kits.
Haley: The increasing professionalism among malware authors has led to threat kits that make it easier than ever for aspiring attackers to build their wares. Full time product support and frequent updates are hallmarks of the underground trade.
5. Phishing.
Haley: Advanced phishers have also begun selling their ideas for others to carry out via tool kits. Combined with tons of botnet-driven spam and increased targeting of attack recipients, things have not improved much in this segment.
6. Exploitation of trusted brands.
Haley: Using social networking sites and legitimate Web pages to deliver their attacks, the bad guys are exploiting users within the confines of sites that they know, use and trust (for now).
7. Botnets.
Haley: The people at the top of the trade are getting terribly smart and harder to catch. Everyone else is keeping security folks busy enough fighting off their continued attacks. P2P command centers are being used, the networks are being constantly moved around, and there's no end in sight for the botnet problem in general.
8. ActiveX vulnerabilities.
Haley: Professionals continue to find new ways to carry out these time-honored attacks, and even though IE7 has been hardened, there's still plenty of room for new malware variants that target ActiveX.
9. Vulnerabilities for sale.
Haley: Even with the recent arrest of a co-founder of the controversial WabiSabiLabi -- an eBay-like market on which members can buy and sell vulnerabilities -- don't expect this idea to go away anytime soon.
10. Virtualization.
Haley: While there are likely security benefits to be had from the adoption of virtualization, we don’t yet understand all the problems that the approach could create.
As for its predictions for 2008, Symantec contends that the leading issues will be:
1. Even stronger and more complex botnets
2. Malware threats that take advantage of Web 2.0 technologies such as AJAX
3. Larger numbers of attacks aimed at mobile devices
4. Continued evolution of spam
5. More focus by the bad guys on assailing virtualized machines
6. Attacks crafted to prey upon interest in the 2008 presidential election
"The biggest issue in the industry is this continued evolution toward professionalism by those people behind the attacks, as long as they can make money using some form of malware, botnet spam or phishing, they're going to look for new ways to carry on with that activity," Haley said. "You have this whole supply chain in place now that includes the people finding the vulnerabilities, building the exploits, selling stolen information and turning that data into money; overall it's not a very encouraging outlook."
Posted by Matt Hines on November 21, 2007 12:58 PM
November 20, 2007 | Comments: (0)
Most DNS servers remain vulnerable to exploit
A study into the current state of Domain Name System (DNS) server security finds that while the sheer number of systems connecting to the Internet continues to grow quickly, most administrators are still failing to protect their assets.
According to the third annual survey -- based on wide sample testing carried out by network security appliance vendor Infoblox and the Measurement Factory -- the sheer volume of DNS servers connected to the Net increased to 11.5 million systems, up from 9 million in 2006.
And while a good number, some 65 percent of the DNS servers found among the roughly 80 million addresses sampled, have already been updated to BIND 9, the latest version of the popular domain name server software, over 50 percent of the servers were configured to answer recursive queries from anyone. Such open resolvers are exposed to cache poisoning, the mechanism behind pharming attacks that silently redirect users to attacker-controlled sites, and are also routinely abused as traffic amplifiers in denial-of-service attacks.
In addition, even though a far greater number of DNS servers that were tested are running BIND 9 -- which Infoblox experts cited as a significant benefit to overall security, based on the new platform's proposed architectural and security improvements -- less than one percent of the systems that were studied supported DNSSEC (DNS Security Extensions), one of the biggest security features boasted in the BIND 9 update.
In another worrisome finding, the study reports that the number of DNS servers it surveyed that still allow zone transfers to arbitrary requestors increased, rising to 31 percent in 2007 up from 29 percent one year ago.
As Infoblox explains in the report, "allowing zone transfers to arbitrary queries enables duplication of an entire segment of an organization's DNS data from one DNS server to another and can leave them as easy targets for denial-of-service attacks."
So, even if a lot more people are using BIND 9, they're failing to utilize some of the most powerful methods for putting an end to DNS cache-poisoning and a number of other popular attack vectors.
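To make the recursion and zone-transfer findings concrete, here is an audit helper added for this post (it is an example written here, not tooling from Infoblox or the Measurement Factory). It builds the two raw queries and judges the answers by their header flags: a server that sets RA (recursion available) and returns NOERROR for a name it is not authoritative for is an open resolver, and a server that answers an AXFR from a stranger with NOERROR and answer records instead of REFUSED is handing its zone to anyone. The transaction ID, the example names and the constructed replies used to exercise the checks are assumptions for the example; only audit() touches the network.

```python
import socket
import struct

# Added audit helper, not from Infoblox or the Measurement Factory.
# The constants below (transaction ID, test names) are assumptions for the example.
TXID = 0x1234
QTYPE_A = 1
QTYPE_AXFR = 252
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def build_query(name, qtype, rd=True, txid=TXID):
    """Encode a minimal DNS query packet: 12-byte header plus one IN-class question."""
    flags = 0x0100 if rd else 0x0000  # RD (recursion desired) is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(resp):
    """Decode the 12-byte DNS header into the fields the two checks need."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def allows_open_recursion(resp, txid=TXID):
    """True if the server recursed on our behalf: RA set, NOERROR, and it was not
    answering from its own authority (so query a name it does not host)."""
    h = parse_header(resp)
    return (h["txid"] == txid and h["qr"] and h["ra"]
            and h["rcode"] == RCODE_NOERROR and not h["aa"])


def allows_open_axfr(resp, txid=TXID):
    """True if an AXFR from an unrelated client got zone data instead of REFUSED."""
    h = parse_header(resp)
    return (h["txid"] == txid and h["qr"]
            and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0)


def make_response(txid, ra, aa, rcode, ancount=0):
    """Build a header-only reply; constructed input for exercising the checks offline."""
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | (rcode & 0x0F)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server, pkt, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        return s.recv(4096)


def query_tcp(server, pkt, timeout=5.0):
    """AXFR is TCP-only; DNS over TCP prefixes each message with a 2-byte length."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(pkt)) + pkt)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def audit(server, zone="example.com", foreign_name="www.example.net"):
    """Live check of one server. zone should be one the server is authoritative for,
    foreign_name one it is not; both defaults are placeholders."""
    rec = allows_open_recursion(query_udp(server, build_query(foreign_name, QTYPE_A)))
    xfr = allows_open_axfr(query_tcp(server, build_query(zone, QTYPE_AXFR)))
    return {"open_recursion": rec, "open_axfr": xfr}
```

Run audit() from an address outside your own network, against servers you are authorized to test; a server that is correctly locked down should come back with both values False, and the recursion check should be repeated with a name the server does not host, since an authoritative answer (AA set) says nothing about recursion.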
"It's certainly a mixed bag, but we've made some important progress, I thought that it would have been harder to get so many people to move to BIND 9 than it might be to do some other work, because it's an involved process," said Cricket Liu, vice president of architecture at Infoblox.
Liu said that many of the recursive query and zone transfer issues could be addressed far more easily than it might have been for admins to make the move to BIND 9.
"The fact that so many domain servers are allowing recursive queries says to me that people still just don't understand the risks," he said. "But overall, it's mostly encouraging because some of the things that need to be done are not hard to do, they simply require some reconfiguration, not a wholesale upgrade."
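For BIND 9 specifically, the reconfiguration Liu is describing is a handful of lines in named.conf. The fragment below is an added example, not material from the Infoblox report: the first options block is the permissive shape the survey keeps finding, the second restricts recursion to internal networks and zone transfers to named secondaries, with a TSIG key on the transfers. The ACL addresses, zone name and key material are placeholders.

```conf
// Permissive shape (the survey's typical finding): recursion is on and nothing
// limits who may use it or who may pull zones, so both default to "anyone".
options {
    directory "/var/named";
    recursion yes;
    // no allow-recursion, no allow-transfer
};

// Restricted equivalent. Placeholder networks, hosts and key below.
acl "internal"    { 192.0.2.0/24; 2001:db8::/32; 127.0.0.1; };
acl "secondaries" { 198.51.100.2; 198.51.100.3; };

key "xfer-key" {                       // shared secret for TSIG-signed transfers;
    algorithm hmac-md5;                // placeholder value, generate your own
    secret "K2tqYXNkZmprbGFzZGZqa2xhc2Rm";
};

options {
    directory "/var/named";
    recursion yes;                     // on a purely authoritative server: recursion no;
    allow-recursion   { "internal"; }; // only our own clients may recurse
    allow-query-cache { "internal"; }; // and only they may read cached answers (BIND 9.4+)
    allow-transfer    { "secondaries"; };  // global default for every zone
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };    // per-zone override: TSIG-signed requests only
    allow-update   { none; };
};
```

The per-zone allow-transfer overrides the global one, so a zone can be tightened to signed requests while the global address list still covers everything else; after reloading, the AXFR check from any address not in the list should come back REFUSED.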
Unfortunately, the expert believes that much as with other vulnerabilities, the remaining DNS server security issue won't be addressed by many organizations until there is another major attack that takes advantage of the weakness.
In other findings, the report said that use of Microsoft's DNS Server software fell by nearly 50 percent, and now accounts for only 2.7 percent of the servers tested in the survey. Liu attributed that trend to major concerns over security holes known to exist in the software that have previously been assailed by attackers.
In one piece of news that does improve the outlook for slowing spammers, the primary beneficiaries of vulnerable DNS servers, the report said that use of the Sender Policy Framework (SPF) e-mail authentication standard increased to 12.6 percent in 2007 compared to only 5 percent last year.
The key issue in getting effort like SPF to succeed is attracting a large base of end users, Liu observed.
"One year ago you only had a one-in-twenty chance of being able to check the information for domain name using SPF, and now it is one-in-eight, that certainly bodes well for SPF's success," he said. "It's key to build a critical mass."
Posted by Matt Hines on November 20, 2007 12:59 PM
November 19, 2007 | Comments: (0)
Process leads to information leakage
With security vendors pushing complex technologies such as data leakage prevention (DLP) and network access control (NAC) as elixirs for organizations' information security headaches, a recent study aimed at examining enterprises' intellectual property usage policies points to a glaring lack of planning.
The study -- prepared by Enterprise Strategy Group and sponsored by Reconnex, a provider of DLP appliances -- finds that while companies seem more willing than ever to allow people to access their proprietary data, many organizations may be failing to identify and protect the very assets they're so worried about losing.
Vendors and analysts tell us that enterprises are snapping up security products -- including the many flavors of DLP, and there are many -- that are aimed specifically at blocking the theft of intellectual property and sensitive information such as customer data.
However, of the hundred-odd North American IT security pros that ESG recently interviewed -- who worked for companies ranging from 1,000 to more than 20,000 employees -- 46 percent admitted that they have no standard policies and procedures for classifying data as IP across their entire organization.
That comes despite the fact that 66 percent said that their organizations share a moderate to substantial amount of information with business partners.
How do you protect information when you don't know where it is -- while handing other people access to it?
Furthermore, while those interviewed said that their employers plan to share more IP with their partners in the next several years, few have plans to expand their process for reviewing how the information is exchanged and protected.
ESG found that:
- Only 41 percent of respondents worked at organizations that have a formal process to determine which IP can be shared.
- Only 42 percent indicated that their organizations review their IP access and usage policies more than once per year.
- While 64 percent were confident that their employer's security department is aware of all business partners who have access to IP, only 54 percent were confident that their organizations knew the specific IP that their business partners can access.
"The way that these companies classify, monitor and manage access is still pretty messy, they need to put some better processes and safeguards in place or they're going to get burned," said Jon Oltsik, the ESG analyst who authored the study.
"It's almost a little surprising how much data they are sharing and how aggressive their plans are to do more, especially among the larger end users," he said. "They can't stop the business train from moving down the tracks, but it's surprising how poorly some of these companies are managing security; they need better policies in place and better management of access controls."
One of the biggest procedural issues that contribute to the problem is that so many different people within a typical organization are involved in defining just what information constitutes IP. From legal departments and business managers (51 percent), to IT (46 percent), the network of people needed to make an official determination often leads to a failure of process, Oltsik said.
So, it would seem that companies could probably do themselves a huge favor merely by retooling their IP classification, usage and access enforcement policies.
Part of those efforts, Oltsik said, could involve the employment of some form of DLP.
While only 17 percent of respondents said their organizations currently use network-based DLP appliances, companies like Reconnex claim that their filtering devices can help locate, catalogue and protect IP "across an organization."
Other companies propose similar results using security gateways or endpoint-based filtering software, the so-called DLP agent approach.
Analysts like Oltsik seem to believe that network- and agent-based products will eventually become a single product set. The DLP space has recently been overwhelmed by consolidation among the many startups pitching each type of product, and some, like Reconnex and Vontu -- acquired by Symantec -- claim to have both.
It certainly seems likely that companies like Symantec, McAfee and IBM, among others, will soon offer both pieces in unison as part of larger security offerings.
Among the dozens of DLP tools providers that remain independent, Reconnex appears to be seen as interesting based on its approach that involves a heavy element of data classification, in addition to its filtering skills.
Whether that makes the company a long term bet as a standalone, or merely another DLP acquisitions target is not immediately clear.
Regardless of all the vendor hype, it is clear that companies will continue to find themselves at the crossroads of two major and seemingly unavoidable trends: the demand to allow greater access to valuable information, and a rising number of attacks aimed specifically at stealing that same data.
"With the data-sharing, that horse is out of the barn, certainly some companies will slow down to bolster security, but my expectation is that business will trump security concerns and people will live with the risk if they can drive productivity," Oltsik said. "Regulations will help convince some people to do a better job, but, this is an issue of broken business processes at its center."
Posted by Matt Hines on November 19, 2007 11:01 AM
November 13, 2007 | Comments: (0)
Building a botnet taxonomy
Botnets have become so diverse that at least one researcher is attempting to address the problem by creating a taxonomy that labels the different variants of the attacks, as an aid in the fight against them.
Jose Nazario, senior security engineer at infrastructure security specialist Arbor Networks, said in a recent phone interview that he hopes the effort will help his company and other security researchers predict and counteract emerging changes in botnet herders' tactics.
"We should be able to see earlier if a new technology is being used or there is some major shift in activity," Nazario said. "We're actually tracking more botnets than ever before at this point, as many as 1800-2000 each day, but the good news is that reaction rates from the security community are improving and people are generally more aware of the problem and taking care of the attacks faster."
The idea with the botnet taxonomy, which will be broken down into several sub-categories based on observed botnet activity and technological makeup, is to start by studying the network structure of each attack.
Some botnets remain more centralized, working under specific command and control centers, while others have morphed into more distributed models, as with the P2P zombie networks behind the Storm Worm/Trojan.
Looking at issues such as whether individual botnets are IRC-based, Web-based, DNS-based or operating under some other strategy will eventually help network operators block the attacks, the researcher claims.
For instance, if a botnet's command channel is IRC- or Web-based, admins can simply block outbound connections to the command-and-control servers at the network edge, whereas with DNS-based botnets they must block or sinkhole the involved names at their own resolvers, he said.
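As an added illustration of that distinction (example code written for this post, not from Arbor or from Nazario's taxonomy project), the script below runs over a few constructed connection records of the kind a proxy or flow collector would produce, groups candidate command channels by type, and emits a different response for each: a network block for IRC and HTTP controllers, a resolver-side sinkhole for a DNS channel. The log format, the heuristics (IRC commands, HTTP beacons carrying an id parameter, TXT lookups from several hosts under one parent zone) and every address in the sample are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample records, not real traffic. One flow per line:
# timestamp src dst:port l4 app detail
SAMPLE_LOG = """\
2007-11-13T10:01:02 10.0.0.15 203.0.113.7:6667 tcp irc NICK bot-4a1f JOIN #dd0s
2007-11-13T10:01:09 10.0.0.22 203.0.113.7:6667 tcp irc NICK bot-91c0 JOIN #dd0s
2007-11-13T10:02:00 10.0.0.15 198.51.100.40:80 tcp http GET /gate.php?id=4a1f&v=2
2007-11-13T10:02:30 10.0.0.31 198.51.100.40:80 tcp http GET /gate.php?id=bb07&v=2
2007-11-13T10:03:11 10.0.0.15 10.0.0.2:53 udp dns TXT cmd.4a1f.update.example.net
2007-11-13T10:03:12 10.0.0.22 10.0.0.2:53 udp dns TXT cmd.91c0.update.example.net
2007-11-13T10:04:00 10.0.0.50 198.51.100.9:80 tcp http GET /index.html
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (tcp|udp) (irc|http|dns) (.*)$")
IRC_CMD = re.compile(r"\b(NICK|JOIN|PRIVMSG)\b")
HTTP_PATH = re.compile(r"^GET ([^?\s]+)")   # request path without the query string


def parse(log):
    """Turn the constructed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, port, l4, app, detail = m.groups()
        records.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                        "l4": l4, "app": app, "detail": detail})
    return records


def c2_key(rec):
    """Return (channel, key) if the record looks like bot control traffic, else None.
    The key is the thing an operator would block for that channel type."""
    if rec["app"] == "irc" and IRC_CMD.search(rec["detail"]):
        return ("irc", f"{rec['dst']}:{rec['port']}")
    if rec["app"] == "http":
        m = HTTP_PATH.match(rec["detail"])
        # beacon heuristic: fixed script path plus a per-bot id parameter
        if m and "?" in rec["detail"] and "id=" in rec["detail"]:
            return ("http", f"{rec['dst']}:{rec['port']}{m.group(1)}")
    if rec["app"] == "dns":
        qtype, _, qname = rec["detail"].partition(" ")
        labels = qname.split(".")
        # per-bot labels in front of a shared parent zone, e.g. cmd.<id>.update.example.net
        if qtype == "TXT" and len(labels) >= 4:
            return ("dns", ".".join(labels[2:]))
    return None


def find_c2(records, min_sources=2):
    """Candidate controllers: a key contacted by at least min_sources distinct internal hosts."""
    sources = defaultdict(set)
    for rec in records:
        key = c2_key(rec)
        if key:
            sources[key].add(rec["src"])
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}


def response_for(channel, key):
    """IRC and HTTP controllers are cut off at the edge; a DNS channel is answered
    at the resolver instead, since the bots never talk to the controller directly."""
    if channel in ("irc", "http"):
        ip, port = key.split("/", 1)[0].rsplit(":", 1)
        return f"deny tcp any -> {ip} port {port}"
    if channel == "dns":
        return f"sinkhole zone {key} at internal resolvers"
    raise ValueError(channel)


def plan(log):
    """Map each detected channel to the bots seen using it and the action to take."""
    return {f"{ch}:{key}": {"bots": srcs, "action": response_for(ch, key)}
            for (ch, key), srcs in find_c2(parse(log)).items()}


if __name__ == "__main__":
    for name, entry in plan(SAMPLE_LOG).items():
        print(name, entry["bots"], "=>", entry["action"])
```

The min_sources threshold is what keeps the ordinary GET /index.html out of the plan; with real logs you would raise it, and feed the HTTP and IRC entries to the edge filter while the DNS entry goes to whoever runs the resolvers, which is exactly the split Nazario is pointing at.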
"There's huge fragmentation among the different technologies being used by the individual botnets, part of that is for differentiation, to evade detection, or to respond to the defenses built into security products," said Nazario. "We hope to detect and highlight new trends whenever we can, and point them out to our friends in AV; the network is important for fighting this stuff, but so is the host, and if AV can't keep up there will always be issues for end users."
The taxonomy will primarily provide researchers with a window into the directions botnet herders will flock next and attempt to abstract various features of the threats for use by fellow academics and anti-malware experts, the researcher said.
Getting the project off the ground was relatively easy, but figuring out all of the implications of his findings and taking those observations to a deeper level to use in a predictive role is proving more challenging, according to Nazario.
However, if the effort works out as he hopes it should, the researcher contends that it may allow law enforcement and research experts to track the actual players involved in running the schemes.
Overall, Nazario said that most carriers and large enterprises do seem to be handling the botnet scourge better than in previous years, but he said that they still always tend to be "a day late," when it comes to blocking the threats.
"It's a reactionary game, but there are a lot of new products to help," he said. "Essentially it remains a race of tools and endurance, and there is no shortage of pressure on the people on either side of the fight."
As botnets have risen in prominence, so has competition between the operators of the armies of zombie PCs, according to the researcher. This has led to infighting among the botnet operators and increased technological advancement on the part of those trying to remain leaders on their side of the market.
"There's a lot of competition at the lower levels in particular, as with the huge number of operators they are all under pressure to differentiate and go places where their rivals haven't been," said Nazario. "The big guys are constantly looking for the next blue water opportunity; they're becoming stealthier at infecting, updating their malware code on a faster basis, and using more rootkits to hide from AV systems."
"To a certain extent the botnet operators are becoming victims of their own success, but that's what happens when you find something that works, and then tools emerge that make it easier to pull off," he said. "That's how you end up with the scenario we see today -- which includes smaller numbers of people working on the next new techniques, while you also have a large number of novices at the helm of thousands of nodes that they've compromised relatively easily."
Posted by Matt Hines on November 13, 2007 12:28 PM
November 09, 2007 | Comments: (0)
Report - 90 percent of Web apps still vulnerable
It may not be surprising that Web application security software provider Cenzic contends that a large number of online programs could use some overall improvement -- but, according to the company's latest research, a whopping 90 percent of all the Web apps it has studied are vulnerable to some form of attack.
On Monday, the company will release its third quarter assessment of the current state of Web applications security, along with its list of the leading vulnerabilities it has discovered in its research.
According to Mandeep Khera, vice president of marketing for Cenzic, the outlook hasn't improved much over the last few months as "thousands of corporations and government agencies" have done nothing to protect their applications, which he said continue to harbor serious flaws.
"With each quarter, new application vulnerabilities are building up and organizations are falling behind in protecting [themselves]," Khera wrote in a report summary sent to InfoWorld ahead of the official announcement.
"We continue to be surprised by the inaction or insufficient action of thousands of corporations and government agencies toward securing their Web applications," he said. "We are not talking about being [one hundred percent] secure at the application layer. We are simply talking about initiating some action, making it at least somewhat difficult for cyber-criminals to gain access."
Based on data gathered from the company's managed services business unit and other sources, Cenzic contends that of the estimated 100 to 150 million Web applications online today, an overwhelming majority are still likely vulnerable.
In its Q3 Trend Report, Cenzic details 1,471 unique published vulnerabilities it observed during the timeframe, with cross-site scripting (XSS) and SQL injection standing as the most prevalent issues.
Of the vulnerabilities cited by the company, it said that roughly 70 percent could be classified as "easily exploitable."
Among the other trends highlighted in the report is the presence of an increasing number of vulnerabilities being uncovered by the firm that it relates to Web 2.0 technologies such as AJAX.
Security researchers are increasingly warning that the nature of such technologies -- largely designed to up the speed and interactivity of Web-based systems and sites -- and the relative inexperience of many developers writing the applications will combine to create an even more dangerous landscape of assailable flaws.
According to the report, the top 10 vulnerabilities found in commercial and open source Web applications during Q3 were those identified in:
-Bugzilla WebService
-Sun Java System Access Manager
-Rational ClearQuest
-Tomcat Host Manager
-Apache mod_proxy
-Java Runtime Environment
-Apache Tomcat
-Sun Java System Web Server
-IBM WebSphere Application Server
-Java Web Start JNLP
More details on the individual vulnerabilities and their implications can be found in the full report, located here.
Among the findings garnered from the company's security assessment and penetration testing service work during the quarter were observations that:
-Seven of 10 analyzed Web applications engaged in insecure communication practices that could potentially lead to the exposure of sensitive or confidential user information during transactions.
-Cross-site scripting continued to be the most common injection flaw type, affecting six out of 10 Web applications.
-Two out of 10 Web applications were found to be vulnerable to types of SQL injection attacks that could result in a direct compromise of the application's back-end database by an attacker.
-Four in 10 applications failed to properly implement structured exception handling, allowing an attacker to generate SQL error messages or application errors that revealed information useful in planning further attacks against the application.
-Information leaks and exposures, cross-site scripting and authorization and authentication flaws were among the most prevalent vulnerabilities.
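The two findings that pair naturally, SQL injection and error handling that hands the database's own messages to the client, can be shown side by side in a few lines. The following is an added example written for this post (not code from Cenzic's report or from any of the products listed above), using Python's built-in sqlite3 so it runs without a database server; the schema, the sample users and the two request handlers are constructed for the illustration.

```python
import logging
import sqlite3

log = logging.getLogger("webapp")


def make_db():
    """Constructed sample schema and rows for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "h1", 0), ("bob", "h2", 0), ("admin", "h3", 1)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The shape behind most SQL injection findings: user input pasted into the query.
    A quote in the input ends the string literal and the rest becomes SQL."""
    sql = f"SELECT id, username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Same query with a bound parameter; the input is only ever data."""
    sql = "SELECT id, username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def handle_request_leaky(conn, username):
    """The exception-handling anti-pattern from the report: the driver's error text
    (offending token, query fragment) goes straight back to the client, which tells
    an attacker the query is injectable and how it is shaped."""
    try:
        return {"status": 200, "body": lookup_vulnerable(conn, username)}
    except sqlite3.Error as exc:
        return {"status": 500, "body": f"Database error: {exc}"}


def handle_request_safe(conn, username):
    """Detail stays in the server-side log; the client sees a fixed message."""
    try:
        return {"status": 200, "body": lookup_hardened(conn, username)}
    except sqlite3.Error:
        log.exception("lookup failed for %r", username)
        return {"status": 500, "body": "internal error"}


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))                     # every row
    print(lookup_vulnerable(db, "x' UNION SELECT id, password_hash, is_admin FROM users --"))
    print(lookup_hardened(db, "' OR '1'='1"))                       # []
    print(handle_request_leaky(db, "'"))                            # 500 with driver text
    print(handle_request_safe(db, "'"))                             # 200, []
```

The UNION payload is the one to note: the column count matches the original SELECT, so the password hashes ride out through a field the page renders as a username, which is the "exposure of sensitive information" finding in concrete form. The hardened lookup returns nothing for either payload because the whole string is compared as a username.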
Posted by Matt Hines on November 9, 2007 01:56 PM
November 07, 2007 | Comments: (0)
Data most at risk via smaller breaches
TJX Companies customers, sit tight!
Well, maybe not that tight, especially since there have already been several concrete instances where data stolen from the retailer has been misused by fraudsters (and arguably that's how the company originally discovered the breach anyway).
However, according to a new study published by software vendor ID Analytics, people whose information is stolen in smaller batches are far more likely to be victimized by criminals than those whose data is leaked among larger groups of records.
Perhaps that deduction seems obvious -- a person whose record sits among only a few hundred names has far worse odds once ID thieves start working through their haul -- but the conclusion does make the habit of rating breaches on their sheer size, as we in the media have been wont to do, seem fairly pointless.
In that sense, we might want to cover smaller, targeted breaches more closely than larger incidents going forward -- at least in terms of the potential impact for the involved victims. If you buy into the theory, the theft of 100 accounts from a financial services company should be considered much worse for those involved than a TJX-like breach of millions of IDs.
According to the study -- which is based on the company's analysis of more than 10 million records that have already been involved in breach incidents -- ID Analytics researchers found that the rate of misuse of stolen personal data ranged from one in 200 identities for breaches of fewer than 5,000 records, to a misuse rate of less than one in 10,000 identities for breaches of more than 100,000 records.
Overall, the company said that it only discovered five incidents where the breached identities it was tracking were victimized by criminals among all of the records it studied.
Two of those cases were involved with incidents where company employees were found to be guilty of carrying out the data theft. In both cases, the resulting misuse was linked to identities geographically close to the site of the employee theft, ID Analytics reported.
So, when it comes to ID theft it would seem that there's safety in numbers, especially if the breach was carried out by third party attackers.
Among the other findings of the report is the conclusion that fraudsters who are participating in "organized misuse of breached identity data" tend to churn through personal records very quickly.
ID Analytics said that criminals typically exploit a stolen identity for no more than two weeks before moving on.
So, there's a good chance that by the time you are informed that your data has been stolen by someone, it may have already been exploited, or it may never be, as companies typically tend to wait at least a few weeks before informing their customers of any incident where their ID information is put at risk.
Further -- in a conclusion that stands at odds with much that has been written and said about the underground economy that has sprung up around the trade of stolen personal records -- the vendor submits that there is no evidence that fraudsters misusing breach data have been selling the information broadly, or distributing it over the Internet.
"This finding is significant because one of the greatest potential risks of data breaches is the broad dissemination of personal information to others with criminal intent," the report said.
I'm not sure what to make of that conclusion. Almost every data security expert you talk to will tell you that these underground ID data marketplaces exist, but, clearly in the case of the 10 million records that ID Analytics researched, there wasn't much evidence of this trend.
Finally, and to no one's surprise, the ID Analytics report found that criminals tend to link breached personal data to a limited set of phone numbers or addresses to carry out fraud.
The firm concludes that this means that criminals work to associate identities with a small group of phone numbers and addresses for verification purposes to carry out their misdeeds and receive the ill-gotten goods they ordered in somebody else's name.
So, the idea there is that researchers and law enforcement officials should conceivably be able to more effectively track down more identity thieves if they can uncover some of this relatively small pool of numbers and locations to which a lot of the fraudulent activity that was observed can be linked.
The company said this conclusion also ties into the trend toward misuse of information stolen by employees in their local environments.
"These findings show new insights into the workings of internal data theft, particularly how fraudsters may favor those identities that represent easier access to physical addresses where the perpetrator could receive or intercept credit cards, stolen goods and bank statements," the report contends.
See you at TJ Maxx!
Posted by Matt Hines on November 7, 2007 02:53 PM
November 06, 2007 | Comments: (0)
Windows Home Server hits the streets and a Macrovision Vulnerability
Okay, I was just thinking about recommending the Windows Home Server (WHS) to some of my very small SMB clients, especially since it actually seems to solve some of their very specific problems, namely remote access to files via the web, automated backups of network machines, and monitoring of other systems on the network. All with no muss and no fuss.
If this is all true, and it all works the way it's planned, then it just might make my recommendations easier when it comes to having a simple SMB solution that I can recommend to my micro SMBs (MSMBs?). On the other hand, if it doesn't then I'll hear about it for years to come. And what's up with requiring that the user have an existing firewall? Why not connect the SMB Internet connection right into the WHS, making it a firewall and direct hub for communications? I'm guessing, conservatively, that at least 10 percent of all newly deployed WHS machines will be open to the Internet. I wonder how fast those will be p0wned once connected to the Web?
Macrovision Vulnerability
Seems that Microsoft is aware of some limited attacks on this vulnerability. This affects the Macrovision secdrv.sys driver on supported editions of Windows Server 2003 and Windows XP. Check it out to see if you could be potentially open to attack.
Posted by Victor R. Garza on November 6, 2007 08:43 AM
November 05, 2007 | Comments: (0)
According to Dave Marcus of McAfee's AvertLabs, it seems that OSX/Puper (aka Zlob) has infected over 4 million Windows machines over the past two years (this is according to McAfee stats). Check out this link for the scoop on Puper.
So, what does that mean to you, the Mac user? Probably not much in the immediate future (or even in the distant future), but it's just another chink in the armor, yet another hole in the dike. Welcome to the mainstream. I guess if you get attacked with more vehemence then that means you're a more flavorful target. I really don't think that your machine will be zombified in the next few weeks, but it just takes one hole for an organization to be successfully exploited. You've become yet another statistic on the malware highway. Happy travels.
I originally found out about this Puper event from ConnectIT and that took me to Dave's postings on the AvertLabs page. I've had the chance to meet and hang out with Dave at several security and McAfee events and he's the type of guy you want watching your enterprise. He's extremely sharp with a wit to match. We're lucky to have guys like him on our side in the computer security business.
Posted by Victor R. Garza on November 5, 2007 08:39 AM
November 04, 2007 | Comments: (0)
Fire damage in San Diego cuts communications
Sunday night a week ago I was packing up to help out in San Diego. The San Diego fires, it seems, had ravaged the Camp Pendleton area and had severely disrupted communications between the Naval Hospital there and several remote clinics, and I was on my way to help.
One thing that I know many people don't think about after a fire has ravaged an area is the irreparable damage that's done to the copper and fiber infrastructure in the area.

In the two days that I was prepping to leave, the naval personnel on-site had grabbed some fiber optic cable and were rebuilding as fast as they could. Based on the recommendations from the Hastily Formed Networks Center at the Naval Postgraduate School, they were also looking at satellite communications gear as a temporary means of keeping voice and data communications up and running. So, other than acting as a remote consultant, it looked as if I wasn't needed as much as just three days before. Of course, this is the reason I don't like telling people that I'm going to a remote site. Sometimes I'm left with my bags packed and nowhere to go.
My students at AT&T didn't seem to mind; I actually lost several students from my Northern California class as they drove south to help repair the devastation. I won't see them for upwards of a month as they also rebuild the copper and fiber infrastructure in the area.
Since I had worked on satellite communications gear as part of the USNS Comfort mission that I had recently returned from, I went searching for service bundles that I could pass along to the guys in San Diego. Prices for satellite service aren't cheap (as I'll tell you when I post my Hughes BGAN 9201 review) but if you need it, you need it.
And then two days later we had a 5.6 magnitude earthquake in the Bay Area. Just some minor damage, but lots of things fell off shelves and broken glass was abundant.
An earthquake isn't what causes most of the property damage, it's the fires that ravage the area after the geologic event.
Is your organization ready for a fire? One that could melt your fiber and copper lines and leave you without communications, access to the Internet and links to your other facilities? Do you have your gear/systems/contingencies ready for such a disaster?
I know that many in California are thinking about just these issues...
Posted by Victor R. Garza on November 4, 2007 10:00 PM
November 03, 2007 | Comments: (0)
Thirty days on the USNS Comfort
As many of you may or may not know I recently spent a month onboard the USNS Comfort hospital ship in South America as part of their humanitarian mission in that part of the world. It was definitely an interesting experience and one where I was able to take a look at security from a completely different perspective.
First off, I want to apologize to all those people who may not have known I was leaving. Based on the calls and emails I received when I got back there were quite a few of you. I didn't want to tell too many people I was going in case I didn't end up on the mission (like the Camp Pendleton trip this week, but that's for another post). Of course my teaching workload increased before I left as well, which is one of the reasons I haven't been posting recently.
For those of you that don't know, the USNS Comfort (T-AH 20) is a large hospital ship that was recently on a 120 day goodwill mission to South America and the Caribbean. The medical staff onboard provided care to over 100,000 people in thirteen different ports, which included: Belize, Guatemala, Panama, Nicaragua, El Salvador, Peru, Ecuador, Colombia, Haiti, Trinidad, Guyana and Suriname. I was on the ship from Trinidad in September and ended up riding it back to Norfolk, VA in October.
Of course being on the ship just makes me appreciate the people who choose being in the military as their profession. These individuals have a hard job, many times in very difficult circumstances, and that hard job, in this case, was exacerbated by being on the water - as an Air Force buddy of mine put it, "everything just takes longer on a ship".
The mission overall seemed to go well, at least from my perspective, but it could have gone smoother as several people have pointed out.
Why was I there?
My job was to evaluate new technologies and to assess their applicability for existing and future Humanitarian Assistance and Disaster Relief (HA/DR) missions. I was tasked to do this by the Hastily Formed Networks group at the Naval Postgraduate School. So far the HFN group has assisted during the tsunami disaster in Thailand, the Katrina disaster and most recently with HA on the USNS Comfort.
You may ask, what does this have to do with enterprise security? Well, being prepared for a disaster is, of course, one thing that many people give lip service to, but don't look at the true possibility of it ever happening (I've unfortunately seen way too many cases of people saying that their organization was prepared for something as simple as a power outage, but yet nothing worked when the power went out). So, I'll be giving you a brief look at these technologies along with the normal reviews of enterprise hardware and software that I'm known for.
I took along quite a few pieces of equipment that I tested and evaluated for this and future missions. Portable satellite terminals, satellite phone, SKYPE phones, solar panels of various sizes and setups. I took quite a few things with me and I'll be posting reviews here or in the Tester Center portion of the site.
Posted by Victor R. Garza on November 3, 2007 08:17 PM
November 02, 2007 | Comments: (0)
Industry groups stump for cyber-security laws
If Congress passes the cyber-crime legislation approved by the Senate Judiciary Committee on Thursday, government prosecutors will be armed with valuable new tools to carry out the fight against online fraudsters, according to the bipartisan lawmakers who authored the regulation, and some IT security organizations.
Industry groups including the Cyber Security Industry Association (CSIA) are coming out in support of the Leahy-Specter Identity Theft Enforcement and Restitution Act of 2007. Meanwhile, organizations including the Internet Security Alliance (ISAlliance) are asking for subsequent legislation to encourage businesses to better defend themselves from attacks and data leaks.
Along with provisions aimed at helping individuals who suffer identity fraud to seek restitution from their assailants for time and money spent regaining their reputations, the latest version of the Leahy-Specter Bill aims to make it easier for law enforcement officials to go after criminals by lowering some of the legal thresholds that have previously made it hard for suspects to be charged.
IT security experts have long complained that many issues of jurisdiction, and prosecution requirements regarding the size of cyber-crime cases that can be pursued by lawmakers, have stood in the way of jailing more perpetrators of online scams and other attacks.
Among the provisions in the legislation -- previous versions of which had already been twice approved by the Senate Judiciary Committee before Thursday's vote -- making it easier to prosecute hackers, crackers, spammers, adware purveyors, phishers and fraudsters are those that:
-Broaden federal statutes regarding victims of online fraud to include small businesses.
-Eliminate the need for attackers to carry out crimes in an interstate or international fashion to face prosecution.
-Establish stiffer penalties for distributors of spyware or keylogger programs, regardless of the size of attacks.
-Eliminate monetary thresholds for pursuit of crimes that damage victims' computers, establishing crimes that total less than $5,000 in damage as misdemeanors.
-Criminalize threats to leak information stored on computers, and so-called ransomware scams.
"The Identity Theft Enforcement and Restitution Act is a good, bipartisan measure to help combat the growing threat of identity theft and other cyber crimes to all Americans," Sen. Patrick Leahy (D-VT) said in a statement. "This carefully balanced bill protects the privacy rights of American consumers, the interests of business and the legitimate needs of law enforcement."
According to the CSIA -- which is led by a panel of CEOs from leading IT security providers including CA, F-Secure, Symantec and Qualys -- the Leahy-Specter Bill would "update antiquated computer crime laws to account for 21st century criminal behavior" if it is passed.
The bill would specifically answer complaints from the Department of Justice that "technical constraints related to definitions and gaps in the federal laws used to combat identity theft [that] have allowed modern day identity thieves to go unpunished," the CSIA said in a statement.
"The increasing complexity of the crimes involving computers and sensitive personal information has clearly outstripped the legal structure crafted years ago to deal with the subject. In less than a decade, we have seen computer crime evolve from adolescent pranks for pride and sport to organized crime and terrorism of a magnitude that our laws simply did not envision," said CSIA President Tim Bennett.
"The economy is the clear winner when consumers have confidence that cyber-criminals can not hide behind loopholes in old laws," he said.
Along with the CSIA, organizations including the Consumers Union, Microsoft and the AARP have thrown their support behind the bill.
For its part, ISAlliance -- a non-profit collaboration between the Electronic Industries Alliance (EIA), other trade associations and Carnegie Mellon University's CyLab project -- is calling for additional legislation that would reward companies for improving their overall IT security standing.
According to the group, the most effective way to "assure an effective and sustainable defense system" for electronic data would be to create market incentives that motivate more companies to adopt IT security best practices.
In testimony before the House Subcommittee on Cyber Security last month, ISAlliance President Larry Clinton proposed that Congress should create a "Cyber Safety Act" to create the incentives.
"Users must come to believe that cyber-security is in their own self interest," Clinton said.
Among the suggested rewards that Clinton outlined in his testimony were benefits to be doled out to companies for procurement of security tools, performance of security-related human resources reviews, and the use of cyber-crime insurance.
Posted by Matt Hines on November 2, 2007 04:11 PM
November 01, 2007 | Comments: (0)
Someone wants to steal your Apple.
Well, not really, but attackers certainly do hope to steal the personal and financial data of users of Apple's Mac OS X operating system, according to researchers at McAfee.
In a blog post filed by McAfee Avert Labs researcher Allysa Myers on Wednesday, the company said that the Puper malware family, which has assailed Windows PCs since at least 2005, has recently been modified into a new variant aimed specifically at Mac OS X users.
Puper is best-known as one of the handful of exploits being delivered in recent months via hacked profiles on the popular MySpace social networking Web site. In many other cases it is being delivered through phishing schemes.
Myers said that the Apple-oriented versions of Puper are currently being distributed widely through online video codec download programs.
When a site carrying the Puper codec is accessed by a Mac, she said, the download which is offered is typically a DMG file, rather than the EXE file one would expect to encounter when using Windows.
Depending on a user's browser settings, the program may run automatically, Myers said, and once it runs, the program begins installing an application which has been aptly named "MacCodec."
The researcher said that while the program is running it creates a script which is designed to launch "a scheduled task to change the DNS to point to a malicious server."
"In effect, instead of getting valid entries for Web sites like you would expect, you're now getting whatever this malicious site decides to point you to," she said. "That could be a phishing site, that could be more malicious files, you can no longer trust that the URL you expected to get will be what is delivered to you."
The researcher also contends that the people behind the new Mac attack are no amateurs, but well-known cyber-criminals with ties to loads of previous threats.
"This is no [proof of concept]; this is not a drill," Myers writes. "Dozens of fake codec sites are serving the malicious disk image file to Mac Web browsers."
While Mac fans have long maintained that Apple's software is far less vulnerable to attacks than rival OS products made by Microsoft, security experts have countered that it would only be a matter of time until malware writers aimed more of their efforts at users of the Mac platform -- especially as threats have become more financially motivated and targeted at smaller groups of users.
"People have been predicting that as soon as financially motivated malware came to the Mac neighborhood, its denizens could no longer be so smug about security issues," said Myers. "This is a very simple piece of malware, and yet it works. Time will tell if this family will wreak as much havoc as it has on Windows."
Posted by Matt Hines on November 1, 2007 11:20 AM
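The DNS-changer behaviour Myers describes suggests a simple host check a Mac administrator can run after the fact. The following Python is an added example, not code from the post or from McAfee: it parses resolver settings in the two formats an admin would collect on Mac OS X (`scutil --dns` output and `/etc/resolv.conf`), flags any nameserver outside an allow-list, and scans crontab-style lines for commands that rewrite DNS settings. The sample inputs, the allow-list and the RFC 5737 addresses are constructed.

```python
import re
from typing import Iterable, List, Set

# Patterns for the two resolver formats an admin would collect on Mac OS X:
#   scutil --dns     ->  "  nameserver[0] : 192.0.2.53"
#   /etc/resolv.conf ->  "nameserver 192.0.2.53"
_SCUTIL_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")
_RESOLV_RE = re.compile(r"^\s*nameserver\s+(\S+)")

# Commands that rewrite resolver settings on OS X; a scheduled task calling
# one of these is the behaviour the MacCodec dropper is described as adding.
_DNS_CHANGE_RE = re.compile(r"networksetup\s+-setdnsservers|/etc/resolv\.conf")

def parse_nameservers(text: str) -> List[str]:
    """Return nameserver addresses found in scutil or resolv.conf style text."""
    found = []
    for line in text.splitlines():
        m = _SCUTIL_RE.match(line) or _RESOLV_RE.match(line)
        if m:
            found.append(m.group(1))
    return found

def unexpected_resolvers(text: str, allowed: Iterable[str]) -> List[str]:
    """Nameservers not in the allow-list, in order of first appearance."""
    allow: Set[str] = set(allowed)
    seen: Set[str] = set()
    out = []
    for ns in parse_nameservers(text):
        if ns not in allow and ns not in seen:
            seen.add(ns)
            out.append(ns)
    return out

def dns_changing_tasks(crontab_text: str) -> List[str]:
    """Crontab lines (comments skipped) that invoke a DNS-rewriting command."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _DNS_CHANGE_RE.search(stripped):
            hits.append(stripped)
    return hits

# Constructed sample data (RFC 5737 documentation addresses, not real resolvers).
SAMPLE_SCUTIL = """\
resolver #1
  nameserver[0] : 192.0.2.1
  nameserver[1] : 203.0.113.66
  if_index : 4 (en0)
"""

SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * /usr/sbin/networksetup -setdnsservers "Ethernet" 203.0.113.66
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
"""
EXPECTED_RESOLVERS = {"192.0.2.1"}  # constructed allow-list for this host

if __name__ == "__main__":
    for ns in unexpected_resolvers(SAMPLE_SCUTIL, EXPECTED_RESOLVERS):
        print("unexpected nameserver:", ns)
    for task in dns_changing_tasks(SAMPLE_CRONTAB):
        print("scheduled DNS change:", task)
```

On a real host, feed it the output of `scutil --dns` and `crontab -l` for each user; a hit on either check is a reason to look at recently installed "codec" packages.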