<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-3622592209194769260</atom:id><lastBuildDate>Tue, 04 Mar 2008 21:05:15 +0000</lastBuildDate><title>Made4Biz Dynamic IT Security News</title><description/><link>http://www.made4biz-security.com/log/security_log.htm</link><managingEditor>Made4biz Security</managingEditor><generator>Blogger</generator><openSearch:totalResults>204</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-1542300136922006955</guid><pubDate>Sat, 19 Jan 2008 10:27:00 +0000</pubDate><atom:updated>2008-01-19T11:25:17.108Z</atom:updated><title>Hackers threaten electric supply</title><description>&lt;DIV&gt;&lt;FONT size=2&gt;Needed: Dynamic! Security for Utility Companies. &lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;Can Con Ed be made safe for America? The article from the Washington Post tells us: &lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;In a rare public warning to the power and utility industry,    a CIA analyst this week said cyber attackers have hacked into the computer    systems of utility companies outside the United States and made demands, in at    least one case causing a power outage that affected multiple cities....    &lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Over the past year to 18 months, there has been "a huge    increase in focused attacks on our national infrastructure networks, . . . 
and    they have been coming from outside the United States," said Ralph Logan,    principal of the Logan Group, a cybersecurity firm.... &lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Over the past 10 years, electric utilities, pipelines,    railroads and oil companies have used remotely controlled and monitored    valves, switches and other mechanisms. This has resulted in substantial    savings in man power and other costs.&lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;But to do that, the companies have installed wireless    Internet connections to link the devices to central offices....    &lt;/FONT&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/BLOCKQUOTE&gt; &lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;The electric utility industry has also been adding software    that allows more coordination among different parts of the electricity grid    and will ultimately allow utilities and individuals to control devices    remotely. This is a central part of what many firms call the "utility of the    future," which will be better able to save energy and reduce greenhouse gas    emissions.&lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;&lt;EM&gt;"Often there are authentication methods that are less    than secure," Logan said. "Sometimes there are no authentication    methods."&lt;/EM&gt;&lt;/FONT&gt;&lt;/DIV&gt;&lt;/BLOCKQUOTE&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;Dynamic! Security to the rescue, with regional syndication,  location and time sensitive security and fool-proof authentication.  
&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;STRONG&gt;Hackers Have Attacked Foreign Utilities, CIA Analyst  Says&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;By Ellen Nakashima and Steven Mufson&lt;BR&gt;Washington Post Staff  Writers&lt;BR&gt;Saturday, January 19, 2008;  A04&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;In a rare public warning to the power and utility industry, a  CIA analyst this week said cyber attackers have hacked into the computer systems  of utility companies outside the United States and made demands, in at least one  case causing a power outage that affected multiple cities.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;SPAN class=Fullpost&gt; &lt;DIV&gt;&lt;FONT size=2&gt;"We do not know who executed these attacks or why, but all  involved intrusions through the Internet," Tom Donahue, the CIA's top  cybersecurity analyst, said Wednesday at a trade conference in New  Orleans.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;Donahue's comments were "designed to highlight to the audience  the challenges posed by potential cyber intrusions," CIA spokesman George Little  said. The audience was made up of 300 U.S. and international security officials  from the government and from electric, water, oil and gas companies, including  BP, Chevron and the Southern Co.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;"We suspect, but cannot confirm, that some of the attackers  had the benefit of inside knowledge," Donahue said. He did not specify where or  when the attacks took place, their duration or the amount of money demanded.  
Little said the agency would not comment further.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;The remarks come as cyber attackers have made increasingly  sophisticated intrusions into corporate computer systems, costing companies  worldwide more than $20 billion each year, according to some  estimates.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;Cyber extortion is a growing threat in the United States, and  attackers have radically increased their take from online gambling sites,  e-commerce sites and banks, which pay the money to prevent sites from being shut  down and to keep the public from knowing their sites have been penetrated, said  Alan Paller, research director at the SANS Institute, the cybersecurity  education group that sponsored the meeting.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;"The CIA wouldn't have changed its policy on disclosure if it  wasn't important," Paller said. "Donahue wouldn't have said it publicly if he  didn't think the threat was very large and that companies needed to fix things  right now."&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;Over the past year to 18 months, there has been "a huge  increase in focused attacks on our national infrastructure networks, . . . and  they have been coming from outside the United States," said Ralph Logan,  principal of the Logan Group, a cybersecurity firm.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;It is difficult to track the sources of such attacks, because  they are usually made by people who have disguised themselves by worming into  three or four other computer networks, Logan said. 
He said he thinks the attacks  were launched from computers belonging to foreign governments or militaries, not  terrorist groups.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;Over the past 10 years, electric utilities, pipelines,  railroads and oil companies have used remotely controlled and monitored valves,  switches and other mechanisms. This has resulted in substantial savings in man  power and other costs.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;But to do that, the companies have installed wireless Internet  connections to link the devices to central offices.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;"In the past, if they wanted to go out and read a gauge on a  gas well, for example, they would have to send a technician in his vehicle; he  would drive 100 miles and physically read the gauge and get back in his truck,"  Logan said. "Now they can read it from headquarters. But it allows attackers a  gateway into the system."&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;In addition, within the companies' main offices, control  equipment can be accessed from more computers than in the past.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;The electric utility industry has also been adding software  that allows more coordination among different parts of the electricity grid and  will ultimately allow utilities and individuals to control devices remotely.  This is a central part of what many firms call the "utility of the future,"  which will be better able to save energy and reduce greenhouse gas  emissions.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;"Often there are authentication methods that are less than  secure," Logan said. 
"Sometimes there are no authentication  methods."&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;On Thursday, the Federal Energy Regulatory Commission approved  eight cybersecurity standards for electric utilities. They involve identity  controls, training, security "perimeters," physical security of critical cyber  equipment, incident reporting and recovery.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;The U.S. electricity grid has always been vulnerable to  outages. "Cybersecurity is a different kind of threat, however," Joseph T.  Kelliher, the commission's chairman, said in a statement this week. "This threat  is a conscious threat posed by a single hacker, or even an organized group that  may be deliberately trying to disrupt the grid."&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;A  href="http://www.washingtonpost.com/wp-dyn/content/article/2008/01/18/AR2008011803277_pf.html"&gt;Source&lt;/A&gt;&lt;/FONT&gt;&lt;/DIV&gt;&lt;/SPAN&gt;</description><link>http://www.made4biz-security.com/log/2008/01/hackers-threaten-elecric-supply.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-1097174127249635767</guid><pubDate>Wed, 28 Nov 2007 10:59:00 +0000</pubDate><atom:updated>2007-11-28T11:58:00.949Z</atom:updated><title>The man in the browser and how to starve him</title><description>&lt;DIV&gt;&lt;FONT size=2&gt;According to Computerworld, the &lt;A  href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9049080"&gt;'Man  in the browser' is a new threat to online banking&lt;/A&gt;,&amp;nbsp;but we have a  solution. 
Here is the problem: &amp;nbsp; &lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Criminals infecting PCs with malware that is only triggered    when they access their bank accounts are the latest threat to online banking,    according to security software supplier F-Secure.&lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Perpetrators act as a 'man in the browser' by intercepting    HTML code in the Web browser. As bank security measures curb more traditional    threats such as keystroke logging, phishing and pharming, F-Secure warned, the    'man in the browser' attack will increase.&lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Once a user's PC is infected, the malicious code is only    triggered when the user visits an online bank. The 'man in the browser' attack    then retrieves information, such as logins and passwords, entered on a    legitimate bank site. This personal data is sent directly to an FTP site to be    stored, where it is sold to the highest bidder.&lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Security products using behavioral analysis were the best    solution against such attacks, because the malware was only distributed to the    users of specific banking sites, said Mikko Hypponen, chief research officer    at F-Secure. 
This meant anti-malware software vendors were unlikely to be able    to quickly release code to tackle all the new threats.&lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Following the enhancements that banks have made to    authentication on their sites, "phishing attacks are becoming less and less    effective and attacks of the 'Man in the Browser' are set to increase," he    warned.&lt;/FONT&gt;&lt;/DIV&gt;&lt;/BLOCKQUOTE&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;The man in the browser is just a variant of the horse in the  browser. The thief in the browser, human or equine, gets customers' identity  information and uses it to empty their bank account or&amp;nbsp;stock brokerage  account. For the most part, the thieves can invent new software devices faster  than the problem can be fixed. &lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;There is one solution that is thief-proof: IDentiWall from  Made4Biz-security. IDentiWall&amp;nbsp;can require users to enter a unique one-time  password that is sent by SMS to the user's cellphone. If&amp;nbsp;a thief tries to  access the account, the&amp;nbsp;user will get the same SMS with the one-time  password, and has the option of blocking access to the account until the username  and password can be changed. 
&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;IDentiWall can also send users&amp;nbsp;a summary of  the&amp;nbsp;transaction&amp;nbsp;for confirmation: &lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;   &lt;DIV&gt;"You asked to debit acct # ____________ by $999.&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;Press &lt;STRONG&gt;Yes&lt;/STRONG&gt; to continue or &lt;STRONG&gt;No&lt;/STRONG&gt; to    cancel"&lt;BR&gt;&lt;/DIV&gt;&lt;/BLOCKQUOTE&gt; &lt;DIV dir=ltr&gt;&lt;FONT size=2&gt;The principle implemented by IDentiWall is that it  gives users control over their online account through a separate, secure channel  - their cellphone. &lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV dir=ltr&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV dir=ltr&gt;&lt;FONT size=2&gt;The man installed by thieves&amp;nbsp;remains in the  browser, but he isn't being fed anything. 
&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV dir=ltr&gt;&amp;nbsp;&lt;/DIV&gt;</description><link>http://www.made4biz-security.com/log/2007/11/man-in-browser-and-how-to-starve-him.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-9127002436373279262</guid><pubDate>Wed, 24 Oct 2007 10:23:00 +0000</pubDate><atom:updated>2007-10-24T10:31:04.967Z</atom:updated><title></title><description>&lt;div class=Section1&gt;  &lt;p class=MsoNormal style='background:white'&gt;&lt;b&gt;&lt;font size=4 color="#333333" face="Trebuchet MS"&gt;&lt;span style='font-size:14.5pt;font-family:"Trebuchet MS"; color:#333333;font-weight:bold'&gt;Fingerprint system fails to identify black-listed soccer fans&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=published1 style='line-height:12.55pt;background:white'&gt;&lt;font size=1 color="#a4a4a4" face=Verdana&gt;&lt;span style='font-size:9.0pt'&gt;Published 23 October 2007&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=subtitle1 style='line-height:12.55pt;background:white'&gt;&lt;b&gt;&lt;font size=1 color="#666666" face=Verdana&gt;&lt;span style='font-size:9.0pt'&gt;Dutch researchers test the reliability of finger print biometrics by placing finger print scanner at three Dutch soccer stadiums for the purpose of identifying more than 6,000 &amp;quot;black listed&amp;quot; volunteers; the fingerprint system failed to spot 15 percent to 20 percent of those on a volunteer black-list &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal style='mso-margin-top-alt:8.35pt;margin-right:8.35pt; margin-bottom:0cm;margin-left:0cm;margin-bottom:.0001pt;line-height:12.55pt; background:white'&gt;&lt;font size=1 color="#333333" face=Verdana&gt;&lt;span style='font-size:9.0pt;font-family:Verdana;color:#333333'&gt;This is a story about football, but it has implications beyond the beautiful game. 
A fingerprint recognition system failed to prevent black-listed fans from entering football grounds and was easily fooled by simple spoofing techniques, according to a trial by Dutch research organisation &lt;a href="http://www.tno.nl/home.cfm?content=rapporten" target="_blank"&gt;&lt;font color="#751038"&gt;&lt;span style='color:#751038'&gt;TNO&lt;/span&gt;&lt;/font&gt;&lt;/a&gt; (organization's motto: &lt;em&gt;&lt;i&gt;&lt;font face=Verdana&gt;&lt;span style='font-family:Verdana'&gt;&amp;quot;Kennis voor zaken&amp;quot;&lt;/span&gt;&lt;/font&gt;&lt;/i&gt;&lt;/em&gt;). Jurgen den Hartog, who undertook the research, said that with a false positive rate of 0.1 percent -- a low rate being a requirement for such a system, given the number of supporters and the fact that false positive could make for trouble -- the fingerprint system failed to spot 15 percent to 20 percent of those on a volunteer black-list, recruited to test the technology, a level he described as &amp;quot;unexpected.&amp;quot; &amp;quot;This has serious implications for a lot of other negative identification scenarios,&amp;quot; den Hartog told a session of the &lt;a href="http://www.computerweekly.com/Articles/2007/08/24/226380/biometrics-move-from-banking-to-borders.htm" target="_blank"&gt;&lt;font color="#751038"&gt;&lt;span style='color:#751038'&gt;Biometrics 2007 conference&lt;/span&gt;&lt;/font&gt;&lt;/a&gt; in &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Westminster&lt;/st1:place&gt;&lt;/st1:City&gt; last week. 
&amp;quot;It's very easy not to look like yourself, so I wonder what the impact of these results will be on other programmes.&amp;quot;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal style='mso-margin-top-alt:8.35pt;margin-right:8.35pt; margin-bottom:0cm;margin-left:0cm;margin-bottom:.0001pt;line-height:12.55pt; background:white'&gt;&lt;em&gt;&lt;i&gt;&lt;font size=1 color="#333333" face=Verdana&gt;&lt;span style='font-size:9.0pt;font-family:Verdana;color:#333333'&gt;InfoSecurity&lt;/span&gt;&lt;/font&gt;&lt;/i&gt;&lt;/em&gt;&lt;font size=1 color="#333333" face=Verdana&gt;&lt;span style='font-size:9.0pt;font-family: Verdana;color:#333333'&gt;'s S. A. Mathieson &lt;a href="http://www.infosecurity-magazine.com/news/071019_tno.html" target="_blank"&gt;&lt;font color="#751038"&gt;&lt;span style='color:#751038'&gt;writes&lt;/span&gt;&lt;/font&gt;&lt;/a&gt; that negative identification fails if a black-listed person can fool the system into thinking they are not on that list, involving technically challenging one-to-many checks. Identity verification checks, such as with passports, require only a one-to-one check that the biometric recorded matches the individual, and fails only if someone else's identity is hijacked. Den Hartog said that fooling the fingerprint systems, LScan 100 scanners provided by NEC and HSB, proved easy for the volunteers, who were asked to attempt such spoofing. They used techniques including latent fingerprints on sticky tape and a layer of glue on fingers: &amp;quot;The trick is, do not press too hard,&amp;quot; he said of the latter. Both techniques also fooled a spoof-resistant scanner from Lumidigm in TNO's labs. 
Furthermore, the tests brought up other problems: the devices could check twelve fans a minute at best, but as few as four or five a minute on one occasion when it was in direct sunlight by Feyenoord's ground (Giovanni van Bronckhorst, one of our favorite footballers, is playing for the &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Rotterdam&lt;/st1:place&gt;&lt;/st1:City&gt; club). &amp;quot;The french fries stand outside the stadium couldn't do business any more, because of the queue for our gate,&amp;quot; den Hartog said. &amp;quot;The live system did not meet important requirements of speed, accuracy and robustness against manipulation,&amp;quot; den Hartog concluded. &amp;quot;I think speed and accuracy can be solved, but robustness against manipulation really remains a challenge.&amp;quot;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal style='mso-margin-top-alt:8.35pt;margin-right:8.35pt; margin-bottom:0cm;margin-left:0cm;margin-bottom:.0001pt;line-height:12.55pt; background:white'&gt;&lt;font size=1 color="#333333" face=Verdana&gt;&lt;span style='font-size:9.0pt;font-family:Verdana;color:#333333'&gt;The research involved 6,400 checks at 26 matches at three Dutch football clubs. TNO chose fingerprints in preference to iris or facial recognition, on a range of criteria including speed, reliability, and proof against being fooled. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/10/fingerprint-system-fails-to-identify.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-1074115670587324228</guid><pubDate>Wed, 16 May 2007 14:42:00 +0000</pubDate><atom:updated>2007-05-16T14:45:57.016Z</atom:updated><title>Yet another example of absence of Dynamic Security's protection</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;TJX breach-related expenses: $17M and counting&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;May 15, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) The TJX Companies Inc. 
today &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://home.businesswire.com/portal/site/tjx/index.jsp?epi-content=GENERIC&amp;amp;newsId=20070515005807&amp;amp;ndmHsc=v2*A938775600000*B1179266441000*C4102491599000*DgroupByDate*J2*N1001148&amp;amp;newsLang=en&amp;amp;beanID=1809476786&amp;amp;viewID=news_view" target=new&gt;announced&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; that it took a $12 million after-tax charge for the quarter ending April 28 in connection with &lt;b&gt;&lt;span style='font-weight: bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;taxonomyName=security&amp;amp;articleId=280123"&gt;the massive data breach it disclosed in January&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The charge of 3 cents per share included the costs involved in investigating and containing the intrusion, beefing up computer security, communicating with customers, and various legal and other fees, the company said in its first quarter earnings statement. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The company expects to incur a similar charge of 2 cents to 3 cents per share in the second quarter, as well, TJX said. It also warned investors of even more potential costs down the road. &amp;quot;TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses,&amp;quot; TJX said in its statement. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The Framingham, Mass.-based TJX owns several retail brands, including T.J.Maxx, &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Marshalls&lt;/st1:place&gt;&lt;/st1:City&gt; and Bob's Stores. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;In January, the company announced that someone had broken into its payment systems and illegally accessed card data belonging to customers in the &lt;st1:country-region w:st="on"&gt;U.S.&lt;/st1:country-region&gt;, &lt;st1:country-region w:st="on"&gt;Canada&lt;/st1:country-region&gt;, Puerto Rico, the &lt;st1:country-region w:st="on"&gt;U.K.&lt;/st1:country-region&gt; and &lt;st1:country-region w:st="on"&gt;&lt;st1:place  w:st="on"&gt;Ireland&lt;/st1:place&gt;&lt;/st1:country-region&gt;. In filings with the U.S. Securities and Exchange Commission in March, the company said &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9014782"&gt;45.6 million credit and debit card numbers were stolen&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; over a period of more than 18 months by an unknown number of intruders. That number eclipsed the 40 million records compromised in a mid-2005 breach at CardSystems Solutions Inc. and made the TJX compromise the worst ever in terms of the loss of payment card data. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The $12 million charge comes on top of the $5 million in breach-related costs cited by TJX in the previous quarter. 
And that may just be the tip of the iceberg, said Khalid Kark, an analyst at Forrester Research Inc. in &lt;st1:place w:st="on"&gt;&lt;st1:City w:st="on"&gt;Cambridge&lt;/st1:City&gt;,  &lt;st1:State w:st="on"&gt;Mass.&lt;/st1:State&gt;&lt;/st1:place&gt;, who released a report last month on all the factors that need to be included when totaling data breach costs. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Apart from direct expenses related to breach discovery, response and notification, companies also incur a variety of other costs such as those stemming from regulatory fines, lawsuits, and additional security and audit requirements. Several lawsuits have already been filed against TJX, &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9017758"&gt;including one by the Massachusetts Bankers Association&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; seeking tens of millions in restitution for banks that were forced to block and reissue thousands of debit cards following the breach. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;There are also somewhat less tangible costs such as lost employee productivity and opportunity costs that need to be factored in, Kark said. The expenses disclosed by TJX could be &amp;quot;just a fraction&amp;quot; of what the breach could eventually end up costing the company. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;This is something that is going to play out over years,&amp;quot; he said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;!-- HTMLBODY-LOCATED --&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/05/yet-another-example-of-absence-of.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-2040497089760452252</guid><pubDate>Tue, 08 May 2007 09:23:00 +0000</pubDate><atom:updated>2007-05-08T09:26:32.171Z</atom:updated><title>IDentiWall is poised to resolve the credit card payment security</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Restaurant Chain Beefs Up Payment Card Protections&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p style='margin-bottom:12.0pt'&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;May 07, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) In the past, credit and debit card security wasn&amp;#8217;t a huge concern at The Steak n Shake Co., which operates more than 450 restaurants 
in the &lt;st1:place w:st="on"&gt;Midwest&lt;/st1:place&gt; and Southeast. But it has been a top priority for the chain&amp;#8217;s IT organization since last August, when the number of card transactions that Steak n Shake processes annually passed the 6 million mark. &lt;br&gt; &lt;br&gt; That put the Indianapolis-based chain into the category of businesses that are subject to the most stringent requirements of a data security standard mandated by the major credit card companies. &lt;br&gt; &lt;br&gt; Moving into the Level 1 classification under the Payment Card Industry (PCI) Data Security Standard had big IT implications for Steak n Shake, said Sean Smith, its director of strategic technology services. The company had been accepting card payments for only about two and a half years, and before August, it was considered a Level 4 merchant &amp;#8212; the lowest tier on the PCI scale. &lt;br&gt; &lt;br&gt; &lt;b&gt;&lt;span style='font-weight:bold'&gt;Requirements Multiplied &lt;/span&gt;&lt;/b&gt;&lt;br&gt; &lt;br&gt; &amp;#8220;We went from ground zero to Tier 1 in a very short period of time,&amp;#8221; Smith said. &amp;#8220;Our PCI requirements and the difficulty of attaining them changed by a magnitude of sixfold to tenfold.&amp;#8221; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;PCI requires all entities that handle payment cards to implement a set of 12 security controls, including data encryption, logical and physical access controls, and activity monitoring and logging. Companies are classified into four groups, depending on the number of card transactions they process annually. Businesses that are in the top group like Steak n Shake are required to undergo quarterly network security scans and an annual on-site security audit. 
&lt;br&gt; &lt;br&gt; Some of the biggest changes at Steak n Shake had to be made at the restaurant level. For instance, the generic usernames and passwords used in the past to access point-of-sale systems were replaced by a log-in system based on Active Directory that can be centrally monitored and managed. Under PCI, Smith said, &amp;#8220;we need to know who is accessing what, when and where.&amp;#8221; &lt;br&gt; &lt;br&gt; The company also had to roll out tools for centrally managing the IT assets in its restaurants and pushing out software patches and anti&amp;shy;virus updates to the systems. In addition, Smith said, Steak n Shake can now log and audit all restaurant-level transactions involving payment card data, as required by PCI. &lt;br&gt; &lt;br&gt; In another facet of the compliance effort, Steak n Shake is replacing its VSAT satellite communications links with a T1 network that will tie each restaurant to headquarters via secure point-to-point virtual private network connections. And to better secure its network perimeter, the chain is adding intrusion-prevention and -detection tools, plus security event management technology with centralized logging and correlation. &lt;br&gt; &lt;br&gt; Smith declined to disclose what the security upgrades are costing Steak n Shake, which has hired Qualys Inc. to do the required quarterly vulnerability scans of its network perimeter. Qualys will also conduct similar assessments of its internal network to help mitigate potential security threats from insiders. &lt;br&gt; &lt;br&gt; Implementing and demonstrating the controls needed to comply with PCI at Level 1 can be challenging, said Terry Ramos, director of strategic development at Redwood Shores, Calif.-based Qualys. That&amp;#8217;s especially true for a company like Steak n Shake, whose compliance level has abruptly changed, Ramos said. He noted that at Level 4, the PCI mandates are little more than best practices, with no specified validation requirements. 
&lt;br&gt; &lt;br&gt; Getting reclassified on the PCI scale &amp;#8220;can often be a rude awakening for organizations,&amp;#8221; said Chris Noell, president of TruComply, an Austin-based consulting firm that focuses on the payment card industry. Level 4 companies, he added, &amp;#8220;are rarely aware of their compliance obligation, much less doing anything about it.&amp;#8221; &lt;br&gt; &lt;br&gt; &amp;#8220;The difference can be like night and day,&amp;#8221; agreed Gartner Inc. analyst Avivah Litan. &amp;#8220;Level 1&amp;#8217;s come under a much bigger magnifying glass.&amp;#8221;&lt;/span&gt;&lt;/font&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/05/identiwall-is-poised-to-resolve-credit.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-7203650919648327449</guid><pubDate>Wed, 18 Apr 2007 08:49:00 +0000</pubDate><atom:updated>2007-11-28T12:08:06.945Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Authentication</category><category domain='http://www.blogger.com/atom/ns#'>Cybercrime</category><title>IDentiWall could stop this thief</title><description>&lt;div class="Section1"&gt;  &lt;h1&gt;&lt;span style="font-size:100%;"&gt;&lt;st1:place st="on"&gt;&lt;st1:country-region st="on"&gt;&lt;b&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;Georgia&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/st1:country-region&gt;&lt;/st1:place&gt;&lt;/span&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt; man pleads guilty in peer-to-peer crackdown&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h1&gt;  &lt;p class="MsoNormal"&gt;&lt;span 
style="font-size:100%;"&gt;&lt;b&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-weight: bold;font-family:Arial;color:black;"  &gt;Grant Gross&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-size:100%;"&gt;&lt;b&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-weight: bold;font-family:Arial;color:black;"  &gt;&lt;!-- begin 336x280 ad tag --&gt;April 16, 2007&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt; (IDG News Service) A man from &lt;st1:place st="on"&gt;&lt;st1:city st="on"&gt;Columbus&lt;/st1:city&gt;, &lt;st1:state st="on"&gt;Ga.&lt;/st1:state&gt;&lt;/st1:place&gt;, has pleaded guilty to two felonies related to distribution of copyrighted materials over a peer-to-peer network, the Department of Justice announced Monday. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;The plea of Sam Kuonen, 24, is the fifth in a series of convictions arising from the DOJ's Operation D-Elite, an ongoing crackdown against the distribution of movies, software, games and music over peer-to-peer networks using the BitTorrent file-sharing technology.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;Kuonen was charged with conspiracy to commit criminal copyright infringement and criminal copyright infringement. 
He faces up to five years in prison and a $250,000 fine, the DOJ said. He faces sentencing July 16 in the U.S. District Court for the District of Kansas.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;Operation D-Elite has targeted leading members of a peer-to-peer network known as Elite Torrents, the DOJ said in a news release. In its prime, Elite Torrents attracted more than 133,000 members and facilitated the illegal distribution of more than 17,800 titles, which were downloaded over 2 million times, the DOJ said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;The Elite Torrents network often included illegal copies of copyright works before they were available in retail stores or movie theaters. Kuonen was an "uploader" to the Elite Torrents network, responsible for supplying the network with the first copy of a particular movie or other title that was then made available to the entire network for downloading, the DOJ said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;On May 25, 2005, federal agents shut down the Elite Torrents network by taking control of its main server. Authorities replaced the existing Web page with a law enforcement message announcing that "This Site Has Been Permanently Shut Down by the Federal Bureau of Investigation (FBI) and U.S. Immigration and Customs Enforcement (ICE)." 
Within only one week, the law enforcement message was viewed over half a million times.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;The Motion Picture Association of America provided "substantial" assistance to the investigation, the DOJ said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;!-- HTMLBODY-LOCATED --&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;font-size:100%;"&gt;&lt;span style=";font-family:Arial;" &gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;/div&gt;</description><link>http://www.made4biz-security.com/log/2007/04/identiwall-identiwall-identiwall.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-7200994755623118894</guid><pubDate>Wed, 18 Apr 2007 08:44:00 +0000</pubDate><atom:updated>2007-04-18T08:46:59.642Z</atom:updated><title>IDentiWall will resolve this issue.</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;IRS warns of new e-filing scam that rips off refunds&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Gregg Keizer&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 
ad tag --&gt;April 16, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) The U.S. Internal Revenue Service is warning Americans of a last-minute online scam where fraudulent sites pose as part of the agency's free tax-preparation service to poach refunds. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;On Friday, the IRS issued an alert saying it had uncovered one or more sites masquerading as part of the &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.irs.gov/efile/article/0,,id=118986,00.html" target=new&gt;Free File program&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;. Free File, a partnership with 19 tax preparation services, offers free preparation and e-filing to anyone with an adjusted gross income under $52,000. It's accessible only through the IRS's own Web site.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The bogus sites, however, pretend to be part of the program, duping taxpayers into preparing their taxes and submitting them for e-filing. The criminals have been accepting user information, then substituting their own bank account information for refunds before resubmitting the modified returns to a real Free File participant, the IRS said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;The final days of the tax season always bring tax scams,&amp;quot; IRS Commissioner Mark Everson said in a statement. &amp;quot;Make sure you're really dealing with the IRS. ... 
The only way to do it is through the secure IRS.gov Web site.&amp;quot; The Treasury Department's inspector general for tax administration is investigating.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The IRS regularly warns taxpayers of possible scams; security vendors have also gotten in on the act with &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9016362"&gt;e-filing tips&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; of their own.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The April 17 deadline for filing federal returns is two days later than usual this year, because April 15 fell on a Sunday and today is Emancipation Day, a &lt;st1:place w:st="on"&gt;&lt;st1:State w:st="on"&gt;District   of Columbia&lt;/st1:State&gt;&lt;/st1:place&gt; holiday.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;!-- HTMLBODY-LOCATED --&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/identiwall-will-resolve-this-issue.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-7319507735712863619</guid><pubDate>Sun, 15 Apr 2007 09:47:00 +0000</pubDate><atom:updated>2007-04-16T10:25:13.821Z</atom:updated><title>Security Solutions - Do all the following or simply deploy Dynamic! 
Security</title><description>&lt;span style="font-family:arial;"&gt;&lt;em&gt;&lt;strong&gt;Security crucial as intruders grow sophisticated&lt;/strong&gt; &lt;/em&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;em&gt;&lt;br /&gt;What technology gadgets do the experts love, or would love to have? CNN.com is asking experts in several fields about their favorite high-tech toys. This week, we asked security expert Heath Thompson.&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;&lt;em&gt;&lt;/em&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;(CNN) -- Heath Thompson is vice president, product development for IBM Internet Security Systems.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The 25-year computer industry veteran says security is going to be increasingly important since consumers are spending more of their lives online and intruders are growing more sophisticated.&lt;br /&gt;Here, he shares with CNN.com some of the key weapons in the security cyberwars.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;1) Biometrics: Biometric readers are the key to the future, literally. Not only do they reduce the number of passwords the average consumer has to remember, but they are truly a unique identifier and one of the strongest forms of security. 
Today fingerprint readers are built into laptops, but in the near future, I believe these readers will replace the traditional lock and key and be built into smart phones, handheld devices and door locks for the car and home.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Eventually, I also anticipate that people will be able to store biometric information over the Internet so they can identify themselves from any location.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;For instance, rather than carrying keys for safety deposit boxes, mailboxes and office entry, people will be able to access any secure device at any time through identification over the Internet.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;2) Filters: My children are coming into their preteens, and with the popularity of MySpace and YouTube (and the uncertainty of what my children will find) I've begun to think about stronger content filtering that would prevent children from viewing violence, hate, pornography, etc.&lt;br /&gt;Unfortunately, content filtering available through the computer's operating system isn't sufficient. Children are relentless and have figured out how to bypass security settings. Parents need industrial-strength content filtering, and the most economical way to get this would be through their Internet service provider. This type of security would allow parents to control individual usage throughout the home.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;3) Portable security: It's getting to the point where encrypted sites are not sufficient for financial and confidential transactions because Internet attackers have coaxed users to download Trojans unknowingly. The Trojans sit dormant on the computer and wait for the user to authenticate to the network. 
Once a secure connection is established, the Trojans awaken and capture consumers' identities that can be reused or sold.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Consumers need their banks or ISPs to provide dynamic, downloadable security clients to ensure the machines being used, be it at home or at an airport kiosk, are free of Trojans and other malicious software. Consumers need dynamic protection that follows them to provide security regardless of location.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;4) Secure Internet connections: Today, the Internet is connected to everything -- game consoles, digital video recorders, printers -- even refrigerators are now Web-enabled. Oftentimes these devices have no security settings installed, much less enabled. And even more often people are unaware these devices present an on-ramp into their home network.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The No. 1 targeted source for attacks is the consumer. When it comes to gaining easy access to user account data, Internet attackers have learned the consumer is much more susceptible and accessible than corporations.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;For years corporations have been deploying intrusion prevention technology to keep the bad guys off corporate networks. 
Considering 68 percent of corporations experience six losses of sensitive data every year due to human error, according to IT Policy Compliance Group, employees need consumer-grade intrusion prevention equivalent to what their corporations have to secure their home Internet connections.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Corporate IPS systems would be cost-prohibitive and excessive for consumers and small business owners; however, if consumers could buy secure Internet connectivity through their ISPs, they would be able to protect their Internet Protocol-enabled devices, from today's ever-evolving threats.&lt;br /&gt; &lt;/span&gt;</description><link>http://www.made4biz-security.com/log/2007/04/you-can-do-all-following-or-simply.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-3784381605270921466</guid><pubDate>Thu, 12 Apr 2007 16:10:00 +0000</pubDate><atom:updated>2007-04-12T16:12:28.105Z</atom:updated><title>it seems that protection is where we should put our money</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Just how much will that data breach cost your company?&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; 
font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;April 11, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) Want to know just how much a data breach is likely to end up costing your company? Darwin Professional Underwriters Inc. may be able to help. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The Farmington, Conn.-based technology liability insurance company has released a &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.tech-404.com/calculator.html" target=new&gt;free online calculator&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; that it said allows businesses to estimate -- with a fair degree of accuracy -- their financial risk from data theft. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;&lt;font size=2 color=black   face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;Darwin&lt;/span&gt;&lt;/font&gt;&lt;/st1:place&gt;&lt;/st1:City&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt;'s Data Loss Cost Calculator uses proprietary algorithms developed with security breach data from media reports and other industry resources, according to the company. Among them was Ponemon Institute LLC's 2006 security breach and cost-analysis survey of 31 companies that had suffered data breaches. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Basically, the calculator allows companies to get hard cost estimates in three major categories: internal investigation expenses, customer notification/crisis management costs, and regulatory and other compliance expenses. Companies input data in the respective fields in the calculator to get instant estimates for costs associated with breach-related activities such as customer notification, credit monitoring, crisis management consulting, state or federal fines, and attorney fees. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;When we talk with different risk managers and CIOs, the constant refrain we hear is, 'Show me how much it costs when someone breaches our information,'&amp;quot; said Adam Sills, lead underwriter for &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Darwin&lt;/st1:place&gt;&lt;/st1:City&gt;'s technology and information liability initiatives. &amp;quot;There are different statistics from different sources&amp;quot; that have made it hard for companies to assess their financial risk, he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The online calculator is &amp;quot;our best guess, using the best information out there for how much this stuff costs,&amp;quot; he said. 
&amp;quot;These are the hard costs that you can quantify when you have a serious situation.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The calculator does not include costs associated with any class-action or other lawsuits that might follow a data breach, he said. Neither does it look at the effect on stock prices or reputation, because such numbers can vary by incident and are much harder to generalize. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Such calculators can be pretty useful in helping companies arrive at a better understanding of the financial implications of a breach, said Pete Lindstrom, an analyst at Midvale, Utah-based Burton Group Inc. &amp;quot;I'm a big fan of calculators,&amp;quot; he said. &amp;quot;It grounds security folks in a way that talking ephemerally about brand damage doesn't.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Although the numbers thrown out by &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Darwin&lt;/st1:place&gt;&lt;/st1:City&gt;'s calculator may not be always accurate for everyone all the time, they give IT managers &amp;quot;a way to think more concretely about the nature of the problem,&amp;quot; he said. &amp;quot;We need to collect information like this, even if they are broad estimates, to get smarter. 
This is as good a start as any.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc., said that such calculators &amp;quot;can give people a way to structure their thinking on the cost implications of a breach. I wouldn't bet my house or my enterprise on these numbers. A lot of the costs are often exaggerated.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Even so, as tools to get people thinking about the hard costs of security breaches, such calculators can at least offer worst-case estimates, she said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;!-- HTMLBODY-LOCATED --&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/it-seems-that-protection-is-where-we.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-864096425608083459</guid><pubDate>Tue, 10 Apr 2007 09:33:00 +0000</pubDate><atom:updated>2007-04-10T09:35:46.912Z</atom:updated><title>IDentiWall does not rely exclusively on regular credentials, therefore it wouldn't do the hackers any good if they stole them.</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Hackers dupe users with spam about bogus U.S.-Iran war&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 
color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Gregg Keizer&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;April 09, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) A weekend spam run tried to dupe recipients into downloading the infamous &amp;quot;Storm Trojan&amp;quot; by attaching files that posed as videos of a bogus missile strike by the &lt;st1:country-region w:st="on"&gt;U.S.&lt;/st1:country-region&gt; against &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;Iran&lt;/st1:place&gt;&lt;/st1:country-region&gt;, antivirus vendors said today. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The unsolicited e-mail, which arrives with provocative subject lines that include &amp;quot;Missle [sic] Strike: The USA kills more then [sic] 20000 Iranian citizens,&amp;quot; &amp;quot;USA Declares War on &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;Iran&lt;/st1:place&gt;&lt;/st1:country-region&gt;,&amp;quot; and &amp;quot;USA Just Have Started World War III,&amp;quot; include attached executable files such as video.exe and readme.exe, said Symantec Corp. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;The underlying threats are actually nothing new,&amp;quot; said Symantec researcher John McDonald on the company's security response team's blog. &amp;quot;They are simply minor variants of Trojan.Peacomm and W32.Mixor, which have been repacked in an attempt to avoid existing detection and appear to have been largely successful at that.&amp;quot; Symantec added that the executable file attached to the war-scare spam is actually a worm that downloads and installs both Trojan horses. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;According to data from MessageLabs Ltd., Peacomm -- also known as Zhelatin -- was the most prevalent piece of malware in the past 24 hours. It accounted for 32% of all malicious code being distributed worldwide, said MessageLabs. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;By early today, other security companies, including F-Secure Corp., Fortinet Inc., Kaspersky Lab Inc. and Sophos PLC, had released updated signatures to detect the tweaked threat. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Peacomm, which also goes by the nickname &amp;quot;Storm Trojan,&amp;quot; is notable because an outbreak in January and February ended up claiming the prize as the &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9008818"&gt;biggest malware assault&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; since mid-2005. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Previous spam runs of the malware have enticed users with romantic subject headings around Valentine's Day; the malicious code has been spread through &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9011903"&gt;blogs and instant messaging&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; as well as e-mail. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;!-- HTMLBODY-LOCATED --&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/identiwall-does-not-relay-exclusively.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-3881904997287053190</guid><pubDate>Tue, 10 Apr 2007 09:26:00 +0000</pubDate><atom:updated>2007-04-10T09:28:24.090Z</atom:updated><title>!!!   Dynamic! 
Security + IDentiWall option help fighting zero-day attacks   !!!</title><description>&lt;!-- Converted from text/rtf format --&gt;  &lt;P DIR=LTR&gt;&lt;B&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;Multiple Defenses Needed to Fight Off Zero-Day Attacks, Say Experts&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;B&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;B&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;Jaikumar Vijayan&lt;/FONT&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;B&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;B&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;April 09, 2007&lt;/FONT&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt; (Computerworld) The Windows animated cursor flaw that Microsoft patched last week caused widespread concern because attempted exploits of it were unleashed before the patch became available. But there are a variety of steps that companies can take to try to mitigate the risks posed by the ANI vulnerability and other so-called zero-day security threats.&lt;BR&gt; &lt;BR&gt; The available measures aren&amp;#8217;t a sure bet, IT managers and security analysts cautioned. They added that in the end, patching a flaw is still the most reliable way of protecting systems against attackers who are seeking to take advantage of it. 
But deploying multiple layers of defenses is a vital element of strategies for dealing with threats for which no immediate fix is available.&lt;BR&gt; &lt;BR&gt; For instance, Lloyd Hession, chief security officer at New York-based BT Radianz, said his company is using software from ConSentry Networks Inc. that can quickly detect compromised systems by any anomalous behavior they exhibit, instead of trying to spot infections solely by looking for virus signatures on machines.&lt;BR&gt; &lt;BR&gt; &amp;#8220;You need to smarten the intelligence within the local network,&amp;#8221; said Hession, who added that the ConSentry tool lets IT staffers at BT Radianz control the connections PCs can make with other systems. He said that can help lower the risk that an infected computer will spread malware across a LAN at the company, which provides telecommunications services to financial firms.&lt;BR&gt; &lt;BR&gt; &amp;#8220;Under the previous model, you could go anywhere in the network once you were within the network,&amp;#8221; Hession said. Now there are automated rules specifying the portions of a network that systems are allowed to access. The rules also limit the other machines that PCs can connect to based on the business needs of end users, he said.&lt;BR&gt; &lt;BR&gt; Another way to minimize zero-day threats is to adopt strict policies for filtering out e-mail attachments, which attackers often use to try to deliver malware to unsuspecting end users.&lt;BR&gt; &lt;BR&gt; Analysts have long advised companies to filter out GIFs, JPEGs, WMVs and other unneeded attachment types from inbound and outbound e-mails. 
And when deciding which attachments to allow and which to block, it&amp;#8217;s a mistake to assume that only certain types are being used maliciously, said Russ Cooper, senior information security analyst at Cybertrust Inc., a security services firm in Herndon, Va.&lt;BR&gt; &lt;BR&gt; Cooper noted that both GIFs and JPEGs were considered benign until attackers started hiding malicious code in them. &amp;#8220;Don&amp;#8217;t go on the basis of whether something is benign or not,&amp;#8221; he said. &amp;#8220;Look at what you need for your business.&amp;#8221;&lt;BR&gt; &lt;BR&gt; Malicious hackers also like to use HTML e-mail because it lets them more easily hide and deliver attack code to systems. For instance, several of Microsoft&amp;#8217;s e-mail clients, including Outlook Express and Windows Mail for Vista, are vulnerable to attacks that insert a malicious ANI file in an HTML message. Disabling HTML e-mail on systems can help mitigate that risk and blunt many of the phishing attacks that attempt to get users to click on links to malicious Web sites, Cooper said.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt; &lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR ALIGN=CENTER&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;B&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;B&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;Additional Protections&amp;nbsp;&lt;/FONT&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;BR&gt; &lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;Security analysts also suggested the following measures for blocking exploits of unpatched vulnerabilities:&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;BR&gt; &lt;BR&gt; &lt;FONT COLOR="#000000" FACE="Arial"&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;Turn off JavaScript 
to prevent some Web-embedded exploits from reaching end users via their browsers. &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;Restrict administrative privileges to stop remote hackers from gaining full administrative control of systems. &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;Use updated virus signatures to identify possible attacks from remote sites and initiate responses.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;BR&gt; &lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;BR&gt; &lt;BR&gt; &lt;FONT COLOR="#000000" FACE="Arial"&gt;It&amp;#8217;s also important to keep an eye on the traffic that&amp;#8217;s leaving 
your network. Many Trojan horses and bot programs communicate with remote systems to get instructions on what to do next or what information they should upload. Using outbound proxies or firewalls to look for and block such communications could prevent malware programs from calling home, said Johannes Ullrich, chief technology officer at the SANS Institute&amp;#8217;s Internet Storm Center in Bethesda, Md.&lt;BR&gt; &lt;BR&gt; Companies should also consider implementing a &amp;#8220;default deny&amp;#8221; capability at the perimeter of their networks, Cooper said. The idea behind that approach is to allow only specific traffic in and out of a network gateway while blocking everything else by default.&lt;BR&gt; &lt;BR&gt; Cooper said that to determine what traffic should be permitted to enter and leave a network, IT managers can log all inbound and outbound router activity for a period of time to get a picture of what is routinely being transmitted. &amp;#8220;If you&amp;#8217;re worried about breaking functionality, allow everything that has been going through anyway, and deny everything else,&amp;#8221; he said. &amp;#8220;It&amp;#8217;s a great starting point.&amp;#8221;&lt;BR&gt; &lt;BR&gt; Increasingly, though, Trojan horses and bot programs are using trusted network ports such as Port 80 and Port 443, which are used by HTTP and HTTPS traffic, respectively, to communicate with the remote systems controlling them. 
That makes it harder to detect the illicit traffic using outbound filtering, Hession said.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt; &lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;/P&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/dynamic-security-identiwall-option-help.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-1137674455161086831</guid><pubDate>Sun, 08 Apr 2007 13:27:00 +0000</pubDate><atom:updated>2007-04-08T13:30:21.899Z</atom:updated><title>what if the ID thieves couldn't use the stolen IDs? IDentiWall is doing just that!!!!!!!!!!!!!!</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Q&amp;amp;A: How Betty Ostergren makes life a little harder for ID thieves&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;April 05, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black 
face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) &lt;i&gt;&lt;span style='font-style:italic'&gt;If Massachusetts Secretary of State William Galvin finds himself in the news this week -- and he does -- because of concerns that his office's Web site is exposing Social Security numbers and other personal information online, he can thank -- or blame -- &lt;/span&gt;&lt;/i&gt;&lt;b&gt;&lt;span style='font-weight:bold'&gt;Betty &amp;quot;B.J.&amp;quot; Ostergren&lt;/span&gt;&lt;/b&gt;&lt;i&gt;&lt;span style='font-style:italic'&gt; for the publicity. For nearly five years, the feisty 57-year-old former insurance claims supervisor has led a one-person crusade against county and state government officials around the &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;U.S.&lt;/st1:place&gt;&lt;/st1:country-region&gt; Her mission: Stop them from posting public records containing Social Security numbers and other personal data online. It's a &amp;quot;stupid&amp;quot; and &amp;quot;reckless&amp;quot; practice that she says has turned the sites into a feeding ground for identity thieves and other cybercriminals. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;i&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-style:italic'&gt;Ostergren's site, &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.thevirginiawatchdog.com/" target=new&gt;The Virginia Watchdog&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;, boasts a list of public records containing Social Security numbers belonging to well-known figures -- including former Florida Gov. Jeb Bush and former Texas Congressman Tom Delay -- that she accessed from county sites. She also contacts people whose data she finds and asks them to put pressure on officials to take down the records. 
In just the last week, she persuaded the secretaries of state in &lt;st1:State w:st="on"&gt;Colorado&lt;/st1:State&gt; and &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Arizona&lt;/st1:place&gt;&lt;/st1:State&gt; to break links to certain commercial documents and tax liens on their sites that contained personal information. Sometimes her efforts don't work -- as in the case of Galvin, who said that online access to the documents is vital for business. Ostergren talked about how a campaign that began with an attempt to keep her own records offline in Hanover County, Va., has grown into a nationwide mission. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p&gt;&lt;i&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-style:italic'&gt;Excerpts from the interview follow:&lt;/span&gt;&lt;/font&gt;&lt;/i&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;What is the status in &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Virginia&lt;/st1:place&gt;&lt;/st1:State&gt; today? How many counties are still making unredacted public records available online? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt;As of today in &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Virginia&lt;/st1:place&gt;&lt;/st1:State&gt;, we have 59 circuit court clerks who have certified to the state compensation board that they have online remote access to these records. There are 62, however, who are not -- and my county is one of them. 
Those records that they have online in this state are deeds, mortgages, estate details, list of heirs of a deceased person, final divorce decrees with children's names, tax liens, power of attorney, name change documents and others. A lot of these records have Social Security numbers on them. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;Are there many counties around the country doing this? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;Yes there are. It's stupid, it's reckless and it's dangerous. You got people who are cops, FBI agents, Secret Service, the CIA, judges, doctors, abused single women, elderly women -- and here you are putting all their information right out there on the Internet, just because they're public records. Here's a thought: If somebody wants to see a public record, why don't they get in their car and drive down to the courthouse or the secretary of state's office? Don't be spoon-feeding criminals with stuff on the Internet. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;County clerks say all they are doing is making the same public records that are available in the courthouse available on the Internet. They say businesses need these records. What's wrong with that? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;Yeah, but they have Social Security numbers in them. 
I have driven down to &lt;st1:PlaceName w:st="on"&gt;Miami-Dade&lt;/st1:PlaceName&gt; &lt;st1:PlaceType w:st="on"&gt;County&lt;/st1:PlaceType&gt; in &lt;st1:State w:st="on"&gt;&lt;st1:place  w:st="on"&gt;Florida&lt;/st1:place&gt;&lt;/st1:State&gt; and tried to get Gov. Jeb Bush and his wife's Social Security number off a deed at the courthouse, but it wasn't possible. But I sat here at my computer in &lt;st1:place w:st="on"&gt;&lt;st1:City  w:st="on"&gt;Hanover County&lt;/st1:City&gt;, &lt;st1:State w:st="on"&gt;Va.&lt;/st1:State&gt;&lt;/st1:place&gt;, and got it. Sure, these are open records at the courthouse, as well they should be. But when we first started putting our records in these courthouses however many hundreds of years ago, it was for safekeeping and for different legal purposes. But with the advent of the Internet, everybody wants to put all this crap online with all this personal information, and I just think that it's dead wrong. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;So who really is accessing all of this data? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;Absolutely anybody and everybody can access it. People from outside this country are into these sites and so are people from within this country. Maybe it's your neighbor down the street. A site like the &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Colorado&lt;/st1:place&gt;&lt;/st1:State&gt; secretary of state's is free and open. Anybody can just simply sign up and get a password and in a minute you can get right in. 
[The site &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;taxonomyId=13&amp;amp;articleId=9015196"&gt;has temporarily blocked online access&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; to some records as a result of Ostergren's complaints.] If I want to, I can use a fake name and a fake e-mail account. No one knows who's signing up or who's accessing the records. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;But some states and counties require you to pay for these records, don't they? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt;A subscription is no protection. In &lt;st1:State w:st="on"&gt;Virginia&lt;/st1:State&gt;, for $25 you can sign up to access &lt;st1:place w:st="on"&gt;&lt;st1:PlaceName w:st="on"&gt;Fairfax&lt;/st1:PlaceName&gt;  &lt;st1:PlaceType w:st="on"&gt;County&lt;/st1:PlaceType&gt;&lt;/st1:place&gt;, home of Supreme Court justices, home of the FBI, the CIA, Pentagon officials. You have to sign up, you have to give your name and your address and a notarized signature. But big deal. Seven hijackers (involved in the 9/11 attacks) got their fake &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Virginia&lt;/st1:place&gt;&lt;/st1:State&gt; drivers license based on a fake notary. So who's to know what's real? You could give them a cell phone number and who's to know that it is not really in &lt;st1:country-region w:st="on"&gt;India&lt;/st1:country-region&gt; or in &lt;st1:City w:st="on"&gt;&lt;st1:place  w:st="on"&gt;Timbuktu&lt;/st1:place&gt;&lt;/st1:City&gt;? 
I send in $25 and I get a password and a username back in three days or so and then I'm in there sitting on 33 million records and about 5 million Social Security numbers. What's to stop me from having everyone in my neighborhood come to my house and use my computer? How is the clerk of the court in &lt;st1:place w:st="on"&gt;&lt;st1:PlaceName w:st="on"&gt;Fairfax&lt;/st1:PlaceName&gt;  &lt;st1:PlaceType w:st="on"&gt;County&lt;/st1:PlaceType&gt;&lt;/st1:place&gt; going to know who is sitting at my chair in front of my computer? That's where you lose control of those records. There are people downloading them by the gazillions. I'm not saying that public records should not be open. I am saying they should not be available online. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;What are states doing about it? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;There are some states like &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Florida&lt;/st1:place&gt;&lt;/st1:State&gt; that passed a law giving clerks and recorders until Jan. 1, 2008, to get Social Security numbers offline. If a person found out that their Social Security number was online, they can put in a written request and have it removed. In December 2005, &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;North Carolina&lt;/st1:place&gt;&lt;/st1:State&gt; passed a law allowing citizens to remove their Social Security numbers and a couple of other things like driver's license numbers from online records. A person can put in a written request to have their personal information removed. What's the problem with that? 
Well, it puts the burden on the citizens, and most of them don't even know this little scheme is going on until they get a phone call from me. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;What's your advice to people on this issue? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;I believe one person can make a difference. I have woken people up. I always hear from people and they are always thanking me for what I am doing. And I say, 'Don't just thank me. Spread the word. Do something to help me.' When I die, somebody has to give me credit for what I've done. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/what-if-id-thieves-couldnt-use-stolen.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-2262246624488345296</guid><pubDate>Thu, 05 Apr 2007 17:18:00 +0000</pubDate><atom:updated>2007-04-05T17:21:34.814Z</atom:updated><title>Dynamic Security is the only solution. 
Need I say more?</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Don't use WEP for Wi-Fi security, researchers say&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Peter Sayer&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;April 04, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (IDG News Service) The Wi-Fi security protocol WEP should not be relied on to protect sensitive material, according to three German security researchers who have discovered a faster way to crack it. They plan to demonstrate their findings at a security conference in &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Hamburg&lt;/st1:place&gt;&lt;/st1:State&gt; this weekend. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Mathematicians showed as long ago as 2001 that the RC4 key scheduling algorithm underlying the WEP (Wired Equivalent Privacy) protocol was flawed, but attacks on it required the interception of around 4 million packets of data in order to calculate the full WEP security key. 
Further flaws found in the algorithm have brought the time taken to find the key down to a matter of minutes -- not necessarily fast enough to break into systems that change their security keys every five minutes. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Now it takes just three seconds to extract a 104-bit WEP key from intercepted data using a 1.7-GHz Pentium M processor. The necessary data can be captured in less than a minute, and the attack requires so much less computing power than previous attacks that it could even be performed in real time by someone walking through an office. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Anyone using Wi-Fi to transmit data they want to keep private, whether it's banking details or just e-mail, should consider switching from WEP to a more robust encryption protocol, the researchers said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;We think this can even be done with some PDAs or mobile phones, if they are equipped with wireless LAN hardware,&amp;quot; said Erik Tews, a researcher in the computer science department at Darmstadt University of Technology in &lt;st1:place w:st="on"&gt;&lt;st1:City w:st="on"&gt;Darmstadt&lt;/st1:City&gt;,  &lt;st1:country-region w:st="on"&gt;Germany&lt;/st1:country-region&gt;&lt;/st1:place&gt;. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Tews, along with colleagues Ralf-Philipp Weinmann and Andrei Pyshkin, published a paper about the attack, showing that their method needs far less data to find a key than previous attacks: Just 40,000 packets are needed for a 50% chance of success and 85,000 packets for a 95% chance, they said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Although stronger encryption methods have come along since the first flaws in WEP were discovered, the new attack is still relevant, the researchers said. Many networks still rely on WEP for security: 59% of the 15,000 Wi-Fi networks surveyed in a large German city in September 2006 used it, with only 18% using the newer WPA (Wi-Fi Protected Access) protocol to encrypt traffic. A survey of 490 networks in a smaller German city last month found 46% still using WEP and 27% using WPA. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;In both surveys, over a fifth of networks used no encryption at all, the researchers said in their paper. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Businesses can still protect their networks from the attack, even if they use old hardware incapable of handling the newer WPA encryption. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;For one thing, the researchers said, their attack is active: In order to gather enough of the right kind of data, they send out Address Resolution Protocol requests, prompting computers on the network under attack to reply with unencrypted packets of an easily recognizable length. This should be enough to alert an intrusion-detection system to the attack, they said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Another way to defeat such attacks, which use statistical techniques to identify a number of possible keys and then select the one most likely to be correct for further analysis, is to hide the real security key in a cloud of dummy ones. That's the approach taken by AirDefense Inc. in its WEP Cloaking product, which was released Monday. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The technique means that businesses can cost-effectively protect networks using old hardware, such as point-of-sale systems, without the need to upgrade every terminal or base station, the company said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;If a network supports WPA encryption, though, users should rely on that instead of WEP to protect private data, Tews said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;Depending on your skills, it will cost you some minutes to some hours to switch your network to WPA. If it would cost you more than some hours of work if such private data becomes public, then you should not use WEP anymore,&amp;quot; he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/dynamic-security-is-only-solution-need.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-7773123470595174752</guid><pubDate>Thu, 05 Apr 2007 10:39:00 +0000</pubDate><atom:updated>2007-04-05T10:42:26.465Z</atom:updated><title></title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Five best practices for mitigating zero-day threats like Windows ANI &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; 
font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;April 03, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) The &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;taxonomyName=windows&amp;amp;articleId=9015343"&gt;Windows animation bug&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; (ANI) caused widespread concern because exploits against it became widely available before Microsoft Corp. &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9015498"&gt;could release a patch&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;. But like other zero-day threats before it, there are measures companies can take to at least try to mitigate the risk from unpatched vulnerabilities, security experts said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The measures are not a sure bet. And in the end, patching a flaw is still the most reliable way of protecting against exploits seeking to take advantage of it, they said. But deploying multiple layers of defenses is vital to dealing with threats for which no immediate fix is available. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Among them are the following: &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;Restrict e-mail attachments&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;One of the ways hackers hope to exploit the ANI flaw -- which Microsoft patched earlier today -- is by trying to get users to click on malicious attachments in spammed e-mails. One way of dealing with this sort of an attack vector is by having strict policies in place for filtering out e-mail attachments. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Security experts have for a long time now advised companies to filter out gif, JPEG, WMV and pretty much most attachment types they don't need from inbound and outbound e-mails. When deciding which attachments to allow and which to deny, it's a mistake to assume that only certain attachment types are maliciously used, said Russ Cooper, senior information security analyst with Cybertrust Inc. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;Don't go on the basis of whether something is benign or not,&amp;quot; Cooper said. 
After all, both gif and JPEG attachments were once considered benign until hackers started hiding malicious code in them. &amp;quot;Instead, look at what you need for your business,&amp;quot; he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;If there is a business need for accepting e-mails with attachments -- from a business partner, for example -- see if there's a way to restrict them to just that business partner. Or if you need to exchange zip files, for instance, consider the possibility of renaming the extension to something that just your company and your business partner knows -- and permit only attachments with that extension into your network, Cooper said. &amp;quot;Then you can put gif, JPEG and even animated cursors if you have a need for them into those attachments,&amp;quot; he said. &amp;quot;If you say 'I only want to allow these attachments and nothing else,' you have eliminated every zero-day&amp;quot; threat via e-mail attachments, he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;Disable HTML e-mail&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Hackers and other bad guys like HTML e-mail because it allows them to more easily hide and deliver attack code to a desktop. 
For instance, several of Microsoft's e-mail clients, including Outlook Express and Windows Mail for &lt;st1:place w:st="on"&gt;Vista&lt;/st1:place&gt;, are vulnerable to attacks that insert a malicious ANI file in an HTML message. Disabling HTML can help mitigate this risk, Cooper said. By doing so, you are also blunting a lot of the phishing attacks that attempt to get users to click on URL links to malicious sites, he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;Keep an eye on the LAN&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Consider tools that don't rely on virus signatures alone to detect infected systems. Instead, implement a way to quickly detect a compromised system by any anomalous behavior it might exhibit, said Lloyd Hession, chief security officer at BT Radianz, a New York-based company that offers telecommunications services to the financial industry. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Also have a way to limit the damage an infected system can do to other LAN-connected systems, he said. BT Radianz, for instance, uses a tool that allows it control over the connections a desktop makes with other systems within the LAN. &amp;quot;Under the previous model, you could go anywhere in the network once you are within the network,&amp;quot; Hession said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Now, there are rules that specify what parts of a network to which a system is allowed access. The rules also spell out what systems that same system can connect to based on the user's business requirements. Such control can help mitigate the risk of an infected computer spreading malicious code to other systems within a network. &amp;quot;You need to smarten the intelligence within the local network&amp;quot; to detect zero-day attacks faster, he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;Filter outbound traffic&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;It's not enough just to inspect the traffic that's coming into your network; it's vital also to keep an eye on what's going out. Many Trojans or bot programs that get installed communicate with a remote system for further instructions on what to do next or what to download. Using outbound proxies or firewalls to look for and block such communications is one way to prevent Trojans and bots from calling home, said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center (ISC) in Bethesda, Md. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Consider implementing a &amp;quot;default deny&amp;quot; capability at the perimeter, Cooper added. 
The idea is to permit only specific traffic in and out of a network gateway, while blocking everything else by default, Cooper said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;What we are talking about is inbound and outbound rules on your router&amp;quot; to block, for example, outbound IRC attempts and SMTP requests, he said. To get an idea of what traffic to permit through the network, log all inbound and outbound router activity for a period of time and use that information to decide what's permissible and what's not, he said. &amp;quot;If you are worried about breaking functionality, allow everything that has been going through anyway and deny everything else,&amp;quot; he said. &amp;quot;It's a great starting point.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Increasingly, Trojans and bot programs have begun using well-known ports such as Port 80 to communicate with the remote systems controlling them. That makes it harder to detect such traffic using outbound filtering, Hession said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;Turn off JavaScript; don't give users administrative privileges&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Turning off JavaScript would have prevented some of the Web-embedded ANI exploits from reaching the user via the browser, Ullrich said. Restricting administrative privileges would have mitigated the fallout from an exploit by ensuring that a remote hacker wouldn't gain full administrative control of a system. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Ultimately, &amp;quot;you are less likely to go into emergency patch mode if you have other measures in place&amp;quot; for dealing with such threats, said Ken Dunham, director of Verisign Inc.'s iDefense rapid response team. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Such measures include content filtering at the gateway for ANI files, using updated antivirus software, using snort signature to identify and initiate responses to possible attacks from remote sites and user education, Dunham said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/five-best-practices-for-mitigating-zero.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-3071526605603906354</guid><pubDate>Tue, 03 Apr 2007 14:20:00 +0000</pubDate><atom:updated>2007-04-03T14:23:42.405Z</atom:updated><title>It seems that we ought to speed up IDentiWall to kill all that phishing</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Theft of 45.6M Card Numbers Largest Heist Yet&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p style='margin-bottom:12.0pt'&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;April 02, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) After more than two months of refusing to reveal the size and scope of the high-profile intrusion into its systems, The TJX 
Companies Inc. finally disclosed details about the extent of the compromise. &lt;br&gt; &lt;br&gt; In filings with the U.S. Securities and Exchange Commission last week, the company said 45.6 million credit and debit card numbers were stolen from two of its systems over a period of more than 18 months by an unknown number of intruders. &lt;br&gt; &lt;br&gt; That total eclipses the 40 million records compromised in the mid-2005 breach at the former CardSystems Solutions Inc., and makes the TJX incident the worst publicly disclosed compromise involving the loss of personal card data. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color="#999999" face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:#999999'&gt;&lt;img width=259 height=178 id="_x0000_i1031" src="cid:image001.jpg@01C77614.610E9E80" style='margin-bottom:5px' alt="The systems that were broken into were located at TJX&amp;#8217;s Framingham, Mass., headquarters. The theft is the worst on record involving personal data." border=0&gt;&lt;br&gt; The systems that were broken into were located at TJX&amp;#8217;s &lt;st1:place w:st="on"&gt;&lt;st1:City  w:st="on"&gt;Framingham&lt;/st1:City&gt;, &lt;st1:State w:st="on"&gt;Mass.&lt;/st1:State&gt;&lt;/st1:place&gt;, headquarters. The theft is the worst on record involving personal data.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal style='margin-bottom:12.0pt'&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;br&gt; &lt;br&gt; In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 people in 2003 was also stolen, the filing said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=250  bgcolor=black style='width:187.5pt;background:black'&gt;  &lt;tr&gt;   &lt;td style='padding:.75pt .75pt .75pt .75pt'   background="/common/images/site/features/1-pixel_fade.gif"&gt;   &lt;div&gt;   &lt;p class=MsoNormal align=center style='text-align:center'&gt;&lt;b&gt;&lt;font size=2   color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;   color:black;font-weight:bold'&gt;Disappearing Data&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;   &lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr&gt;   &lt;td valign=top style='padding:.75pt .75pt .75pt .75pt'&gt;   &lt;table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width="100%"    bgcolor="#C64731" style='width:100.0%;background:#C64731'&gt;    &lt;tr height=18 style='height:13.4pt'&gt;     &lt;td rowspan=2 valign=top bgcolor=white style='background:white;padding:     3.0pt 3.0pt 3.0pt 3.0pt;height:13.4pt'&gt;     &lt;h2 align=center style='text-align:center'&gt;&lt;b&gt;&lt;font size=2 color=black     face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;Top     Commercial Card Data Breaches in &lt;st1:country-region w:st="on"&gt;&lt;st1:place      w:st="on"&gt;U.S.&lt;/st1:place&gt;&lt;/st1:country-region&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h2&gt;     &lt;div class=MsoNormal align=center style='text-align:center'&gt;&lt;font size=2     color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;     color:black'&gt;     &lt;hr size=2 width="100%" align=center&gt;     &lt;/span&gt;&lt;/font&gt;&lt;/div&gt;     &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span     style='font-size:11.0pt;font-family:Arial;color:black'&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;The TJX     Companies Inc. 
- 46.5 million &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;     &lt;div class=MsoNormal align=center style='text-align:center'&gt;&lt;font size=2     color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;     color:black'&gt;     &lt;hr size=2 width="100%" align=center&gt;     &lt;/span&gt;&lt;/font&gt;&lt;/div&gt;     &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span     style='font-size:11.0pt;font-family:Arial;color:black'&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;CardSystems     Solutions Inc. - 40 million &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;     &lt;div class=MsoNormal align=center style='text-align:center'&gt;&lt;font size=2     color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;     color:black'&gt;     &lt;hr size=2 width="100%" align=center&gt;     &lt;/span&gt;&lt;/font&gt;&lt;/div&gt;     &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span     style='font-size:11.0pt;font-family:Arial;color:black'&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;iBill     Internet - 17.8 million &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;     &lt;div class=MsoNormal align=center style='text-align:center'&gt;&lt;font size=2     color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;     color:black'&gt;     &lt;hr size=2 width="100%" align=center&gt;     &lt;/span&gt;&lt;/font&gt;&lt;/div&gt;     &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span     style='font-size:11.0pt;font-family:Arial;color:black'&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;BJ&amp;#8217;s     Wholesale Club Inc. 
- 8 million &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;     &lt;div class=MsoNormal align=center style='text-align:center'&gt;&lt;font size=2     color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;     color:black'&gt;     &lt;hr size=2 width="100%" align=center&gt;     &lt;/span&gt;&lt;/font&gt;&lt;/div&gt;     &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span     style='font-size:11.0pt;font-family:Arial;color:black'&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;Circuit     City Stores Inc. - 2.6 million&lt;br&gt;     &lt;br&gt;     &lt;b&gt;&lt;span style='font-weight:bold'&gt;Source:&lt;/span&gt;&lt;/b&gt; Privacy Rights     Clearinghouse&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;     &lt;/td&gt;     &lt;td style='height:13.4pt;border:none' width=0 height=18&gt;&lt;/td&gt;    &lt;/tr&gt;    &lt;tr height=18 style='height:13.4pt'&gt;     &lt;td style='height:13.4pt;border:none' width=0 height=18&gt;&lt;/td&gt;    &lt;/tr&gt;   &lt;/table&gt;   &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span   style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/table&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&lt;br&gt; &lt;br&gt; Avivah Litan, an analyst at Gartner Inc., expressed surprise at the scope of the breach. &amp;#8220;I had heard rumors that it was bigger than CardSystems, but I was still somewhat shocked it was actually this big.&amp;#8221; &lt;br&gt; &lt;br&gt; The number of stolen records &amp;#8220;makes this the biggest card heist ever,&amp;#8221; Litan said. &amp;#8220;It proves there are very sophisticated cybercriminals out there at large who have the potential to wreak havoc on pure-payment systems. 
If this isn&amp;#8217;t a wake-up call for stronger card and payment system security, I&amp;#8217;m not sure what is.&amp;#8221; &lt;br&gt; &lt;br&gt; In its filing, TJX said it is in the process of contacting individuals affected by the breach. &lt;br&gt; &lt;br&gt; &amp;#8220;Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed,&amp;#8221; the company said. &lt;br&gt; &lt;br&gt; Framingham, Mass.-based TJX, the owner of T.J. Maxx, Marshalls and Bob&amp;#8217;s Stores, disclosed in January that someone had illegally accessed one of its payment systems and stolen card data from an unspecified number of customers in the U.S., Canada, Puerto Rico, the U.K. and Ireland. &lt;br&gt; &lt;br&gt; At the time, TJX said it believed the intrusion took place in May 2006 but wasn&amp;#8217;t discovered until mid-December &amp;#8212; seven months later. A few weeks after its initial disclosure of the breach, the company said that an investigation by IBM and General Dynamics Corp. had concluded that the intrusion may have taken place in July 2005. &lt;br&gt; &lt;br&gt; TJX has confirmed that its systems were first accessed in July 2005 and then on several more occasions in 2005, 2006 and even in mid-January 2007 &amp;#8212; after the breach was discovered. However, no data appears to have been stolen after Dec. 18, when the intrusion was first noticed, it said. &lt;br&gt; &lt;br&gt; The systems that were broken into, which were located at the company&amp;#8217;s headquarters, processed and stored data related to payment cards, checks and merchandise returned without receipts. &lt;br&gt; &lt;br&gt; The data breach affected customers of TJX&amp;#8217;s T.J. Maxx, Marshalls, HomeGoods and A.J. 
Wright stores in the &lt;st1:country-region w:st="on"&gt;U.S.&lt;/st1:country-region&gt; and &lt;st1:place w:st="on"&gt;Puerto Rico&lt;/st1:place&gt;. Also affected were customers of its Winners and HomeSense stores in &lt;st1:country-region w:st="on"&gt;Canada&lt;/st1:country-region&gt; and TK Maxx stores in the &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;U.K.&lt;/st1:place&gt;&lt;/st1:country-region&gt;, the company said. &lt;br&gt; &lt;br&gt; The filing said the company is having difficulty determining exactly what kind of data was stolen, because a lot of the data is deleted by TJX in the normal course of business. &lt;br&gt; &lt;br&gt; &amp;#8220;In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,&amp;#8221; the company said. It did not identify the technology. &lt;br&gt; &lt;br&gt; Customer names and addresses were not included with any of the card data believed stolen from the &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Framingham&lt;/st1:place&gt;&lt;/st1:City&gt; systems, TJX said. &lt;br&gt; &lt;br&gt; The company said that by April 3, 2006, it had begun to mask payment card personal identification number data, &amp;#8220;some other portions of payment card transaction information&amp;#8221; and check transaction data. &lt;br&gt; &lt;br&gt; The company reported that it has spent about $5 million in connection with the breach. It warned that potential future costs are still undetermined and noted that several lawsuits have been filed against it since the breach was announced. &lt;br&gt; &lt;br&gt; One TJX shareholder, the Arkansas Carpenters Pension Fund, recently sued the company for its failure to divulge more details about the breach. 
&lt;br&gt; &lt;br&gt; TJX&amp;#8217;s disclosure came just days after six &lt;st1:State w:st="on"&gt;&lt;st1:place  w:st="on"&gt;Florida&lt;/st1:place&gt;&lt;/st1:State&gt; residents were arrested and charged with launching a multimillion-dollar statewide credit card fraud ring using information stolen from the company. Losses experienced by Wal-Mart Stores Inc. and other retailers due to the fraud have so far totaled at least $8 million.&lt;/span&gt;&lt;/font&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/it-seems-that-we-aught-to-speed-up.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-8487715114521345320</guid><pubDate>Sun, 01 Apr 2007 09:13:00 +0000</pubDate><atom:updated>2007-04-01T09:16:36.363Z</atom:updated><title>Dynamic Security with the IDentiWall option could resolve the issue for them</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Failed VA security contract was 'an open checkbook,' report says&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- 
begin 336x280 ad tag --&gt;March 29, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) A 10-year, $103 million contract for a security incident response center at the Department of Veterans Affairs (VA) had to be aborted after less than three years because of funding problems caused by bad planning and administration. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Instead of yielding a state-of-the-art security readiness and response capability, the contract became &amp;quot;an open checkbook&amp;quot; that resulted in the award of nearly two dozen noncompetitive task orders, inflated prices, overpayments and unaccounted-for equipment purchases totaling $35 million. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Those are just some of the findings of an audit by VA Inspector General George Opfer into the planning, award and administration of the Central Incident Response Capability (CIRC) contract awarded to the Veterans Affairs Security Team LLC (VAST) in July 2002. VAST was incorporated as a Texas-based limited liability corporation one week before the contract was awarded. The now-defunct company was owned by several small businesses led by Washington-based SecureInfo Corp. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;According to Opfer's report, much of the problems with the $102.7 million CIRC contract had to do with the addition of requirements for a Managed Security Services (MSS) component. 
While there appears to have been adequate acquisition planning for the CIRC requirements, there is no evidence of similar planning for MSS requirements, the report said. In fact, it is still unclear when the decision was made to include MSS requirements in the CIRC contract. There is also no documentation to show that the VA's program office considered at any point whether it would make sense to award separate contracts. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;We found that deficiencies in the planning, solicitation, evaluation of proposals, award and administration of the contract for MSS resulted in uncontrolled spending, overpayments and illegal contracting actions that resulted in the ultimate demise of the contract due to lack of funding,&amp;quot; Opfer said in his report. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;One modification -- made three months after the contract was awarded to VAST -- added new language that changed the MSS component from a firm fixed-price contract to a so-called Indefinite Delivery Indefinite Quantity contract. &amp;quot;The modification allowed VA to issue task orders to fill requests from field facilities and Office of Cyber Security for MSS at additional cost,&amp;quot; Opfer said in his report. The VA began issuing such task orders in August, shortly after the contract was signed -- even though the contract change that legitimized such orders was not made until October, the report said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Under the original pact awarded to VAST in 2002, $82.9 million was earmarked for recurring labor costs over 10 years, with the remaining $19.8 million meant for equipment and supply costs. But because of the task orders, the potential value of the contract shot up from $102.7 million to about $250 million. Though this sort of a &amp;quot;cardinal change&amp;quot; was prohibited, it was still approved by the VA's Office of General Counsel. That approval came one day after counsel asked for an opinion on the modification by the officer in charge of the contract, Opfer noted in his report. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;This made the contract an open checkbook in that it resulted in the award of 22 noncompetitive task orders valued at approximately $48.6 million, with little assurance of price reasonableness and no planned funding,&amp;quot; the report said. At least 17 of the task orders were out of scope and thus prohibited changes under the original contract, Opfer said in his report. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-s