<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-3622592209194769260</atom:id><lastBuildDate>Tue, 04 Mar 2008 21:05:15 +0000</lastBuildDate><title>Made4Biz Dynamic IT Security News</title><description/><link>http://www.made4biz-security.com/log/security_log.htm</link><managingEditor>Made4biz Security</managingEditor><generator>Blogger</generator><openSearch:totalResults>204</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-1542300136922006955</guid><pubDate>Sat, 19 Jan 2008 10:27:00 +0000</pubDate><atom:updated>2008-01-19T11:25:17.108Z</atom:updated><title>Hackers threaten electric supply</title><description>&lt;DIV&gt;&lt;FONT size=2&gt;Needed: Dynamic! Security for Utility Companies. &lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;Can Con Ed be made safe for America? The article from the Washington Post tells us: &lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;In a rare public warning to the power and utility industry,    a CIA analyst this week said cyber attackers have hacked into the computer    systems of utility companies outside the United States and made demands, in at    least one case causing a power outage that affected multiple cities....    &lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Over the past year to 18 months, there has been "a huge    increase in focused attacks on our national infrastructure networks, . . . 
and    they have been coming from outside the United States," said Ralph Logan,    principal of the Logan Group, a cybersecurity firm.... &lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Over the past 10 years, electric utilities, pipelines,    railroads and oil companies have used remotely controlled and monitored    valves, switches and other mechanisms. This has resulted in substantial    savings in man power and other costs.&lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;But to do that, the companies have installed wireless    Internet connections to link the devices to central offices....    &lt;/FONT&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/BLOCKQUOTE&gt; &lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;The electric utility industry has also been adding software    that allows more coordination among different parts of the electricity grid    and will ultimately allow utilities and individuals to control devices    remotely. This is a central part of what many firms call the "utility of the    future," which will be better able to save energy and reduce greenhouse gas    emissions.&lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;&lt;EM&gt;"Often there are authentication methods that are less    than secure," Logan said. "Sometimes there are no authentication    methods."&lt;/EM&gt;&lt;/FONT&gt;&lt;/DIV&gt;&lt;/BLOCKQUOTE&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;Dynamic! Security to the rescue, with regional syndication,  location and time sensitive security and fool-proof authentication.  
&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;STRONG&gt;Hackers Have Attacked Foreign Utilities, CIA Analyst  Says&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;By Ellen Nakashima and Steven Mufson&lt;BR&gt;Washington Post Staff  Writers&lt;BR&gt;Saturday, January 19, 2008;  A04&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;In a rare public warning to the power and utility industry, a  CIA analyst this week said cyber attackers have hacked into the computer systems  of utility companies outside the United States and made demands, in at least one  case causing a power outage that affected multiple cities.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;SPAN class=Fullpost&gt; &lt;DIV&gt;&lt;FONT size=2&gt;"We do not know who executed these attacks or why, but all  involved intrusions through the Internet," Tom Donahue, the CIA's top  cybersecurity analyst, said Wednesday at a trade conference in New  Orleans.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;Donahue's comments were "designed to highlight to the audience  the challenges posed by potential cyber intrusions," CIA spokesman George Little  said. The audience was made up of 300 U.S. and international security officials  from the government and from electric, water, oil and gas companies, including  BP, Chevron and the Southern Co.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;"We suspect, but cannot confirm, that some of the attackers  had the benefit of inside knowledge," Donahue said. He did not specify where or  when the attacks took place, their duration or the amount of money demanded.  
Little said the agency would not comment further.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;The remarks come as cyber attackers have made increasingly  sophisticated intrusions into corporate computer systems, costing companies  worldwide more than $20 billion each year, according to some  estimates.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;Cyber extortion is a growing threat in the United States, and  attackers have radically increased their take from online gambling sites,  e-commerce sites and banks, which pay the money to prevent sites from being shut  down and to keep the public from knowing their sites have been penetrated, said  Alan Paller, research director at the SANS Institute, the cybersecurity  education group that sponsored the meeting.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;"The CIA wouldn't have changed its policy on disclosure if it  wasn't important," Paller said. "Donahue wouldn't have said it publicly if he  didn't think the threat was very large and that companies needed to fix things  right now."&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;Over the past year to 18 months, there has been "a huge  increase in focused attacks on our national infrastructure networks, . . . and  they have been coming from outside the United States," said Ralph Logan,  principal of the Logan Group, a cybersecurity firm.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;It is difficult to track the sources of such attacks, because  they are usually made by people who have disguised themselves by worming into  three or four other computer networks, Logan said. 
He said he thinks the attacks  were launched from computers belonging to foreign governments or militaries, not  terrorist groups.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;Over the past 10 years, electric utilities, pipelines,  railroads and oil companies have used remotely controlled and monitored valves,  switches and other mechanisms. This has resulted in substantial savings in man  power and other costs.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;But to do that, the companies have installed wireless Internet  connections to link the devices to central offices.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;"In the past, if they wanted to go out and read a gauge on a  gas well, for example, they would have to send a technician in his vehicle; he  would drive 100 miles and physically read the gauge and get back in his truck,"  Logan said. "Now they can read it from headquarters. But it allows attackers a  gateway into the system."&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;In addition, within the companies' main offices, control  equipment can be accessed from more computers than in the past.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;The electric utility industry has also been adding software  that allows more coordination among different parts of the electricity grid and  will ultimately allow utilities and individuals to control devices remotely.  This is a central part of what many firms call the "utility of the future,"  which will be better able to save energy and reduce greenhouse gas  emissions.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;"Often there are authentication methods that are less than  secure," Logan said. 
"Sometimes there are no authentication  methods."&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;On Thursday, the Federal Energy Regulatory Commission approved  eight cybersecurity standards for electric utilities. They involve identity  controls, training, security "perimeters," physical security of critical cyber  equipment, incident reporting and recovery.&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;The U.S. electricity grid has always been vulnerable to  outages. "Cybersecurity is a different kind of threat, however," Joseph T.  Kelliher, the commission's chairman, said in a statement this week. "This threat  is a conscious threat posed by a single hacker, or even an organized group that  may be deliberately trying to disrupt the grid."&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;A  href="http://www.washingtonpost.com/wp-dyn/content/article/2008/01/18/AR2008011803277_pf.html"&gt;Source&lt;/A&gt;&lt;/FONT&gt;&lt;/DIV&gt;&lt;/SPAN&gt;</description><link>http://www.made4biz-security.com/log/2008/01/hackers-threaten-elecric-supply.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-1097174127249635767</guid><pubDate>Wed, 28 Nov 2007 10:59:00 +0000</pubDate><atom:updated>2007-11-28T11:58:00.949Z</atom:updated><title>The man in the browser and how to starve him</title><description>&lt;DIV&gt;&lt;FONT size=2&gt;According to Computerworld, the &lt;A  href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9049080"&gt;'Man  in the browser' is a new threat to online banking&lt;/A&gt;,&amp;nbsp;but we have a  solution. 
Here is the problem: &amp;nbsp; &lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Criminals infecting PCs with malware that is only triggered    when they access their bank accounts are the latest threat to online banking,    according to security software supplier F-Secure.&lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Perpetrators act as a 'man in the browser' by intercepting    HTML code in the Web browser. As bank security measures curb more traditional    threats such as keystroke logging, phishing and pharming, F-Secure warned, the    'man in the browser' attack will increase.&lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Once a user's PC is infected, the malicious code is only    triggered when the user visits an online bank. The 'man in the browser' attack    then retrieves information, such as logins and passwords, entered on a    legitimate bank site. This personal data is sent directly to an FTP site to be    stored, where it is sold to the highest bidder.&lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Security products using behavioral analysis were the best    solution against such attacks, because the malware was only distributed to the    users of specific banking sites, said Mikko Hypponen, chief research officer    at F-Secure. 
This meant anti-malware software vendors were unlikely to be able    to quickly release code to tackle all the new threats.&lt;/FONT&gt;&lt;/DIV&gt;   &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;Following the enhancements that banks have made to    authentication on their sites, "phishing attacks are becoming less and less    effective and attacks of the 'Man in the Browser' are set to increase," he    warned.&lt;/FONT&gt;&lt;/DIV&gt;&lt;/BLOCKQUOTE&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;The man in the browser is just a variant of the horse in the  browser. The thief in the browser, human or equine, gets customers' identity  information and uses it to empty their bank account or&amp;nbsp;stock brokerage  account. The thieves can invent new software devices faster than the problem can  be fixed for the most part. &lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;There is one solution that is thief-proof: IDentiWall from  Made4Biz-security. IDentiWall&amp;nbsp;can require users to insert a unique one-time  password that is sent by SMS to the user's cellphone. If&amp;nbsp;a thief tries to  access the account, the&amp;nbsp;user will get the same SMS with the one-time  password, and has the option of blocking access to the account until username  and password can be changed. 
&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;IDentiWall can also send users&amp;nbsp;a summary of  the&amp;nbsp;transaction&amp;nbsp;for confirmation: &lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;   &lt;DIV&gt;"You asked to debit acct # ____________ by $999.&lt;/DIV&gt;   &lt;DIV&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt;   &lt;DIV&gt;Press &lt;STRONG&gt;Yes&lt;/STRONG&gt; to continue or &lt;STRONG&gt;No&lt;/STRONG&gt; to    cancel"&lt;BR&gt;&lt;/DIV&gt;&lt;/BLOCKQUOTE&gt; &lt;DIV dir=ltr&gt;&lt;FONT size=2&gt;The principle implemented by IDentiWall is that it  gives users control over their online account through a separate, secure channel  - their cellphone. &lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV dir=ltr&gt;&lt;FONT size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/DIV&gt; &lt;DIV dir=ltr&gt;&lt;FONT size=2&gt;The man installed by thieves&amp;nbsp;remains in the  browser, but he isn't being fed anything. 
&lt;/FONT&gt;&lt;/DIV&gt; &lt;DIV dir=ltr&gt;&amp;nbsp;&lt;/DIV&gt;</description><link>http://www.made4biz-security.com/log/2007/11/man-in-browser-and-how-to-starve-him.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-9127002436373279262</guid><pubDate>Wed, 24 Oct 2007 10:23:00 +0000</pubDate><atom:updated>2007-10-24T10:31:04.967Z</atom:updated><title></title><description>&lt;div class=Section1&gt;  &lt;p class=MsoNormal style='background:white'&gt;&lt;b&gt;&lt;font size=4 color="#333333" face="Trebuchet MS"&gt;&lt;span style='font-size:14.5pt;font-family:"Trebuchet MS"; color:#333333;font-weight:bold'&gt;Fingerprint system fails to identify black-listed soccer fans&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=published1 style='line-height:12.55pt;background:white'&gt;&lt;font size=1 color="#a4a4a4" face=Verdana&gt;&lt;span style='font-size:9.0pt'&gt;Published 23 October 2007&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=subtitle1 style='line-height:12.55pt;background:white'&gt;&lt;b&gt;&lt;font size=1 color="#666666" face=Verdana&gt;&lt;span style='font-size:9.0pt'&gt;Dutch researchers test the reliability of finger print biometrics by placing finger print scanner at three Dutch soccer stadiums for the purpose of identifying more than 6,000 &amp;quot;black listed&amp;quot; volunteers; the fingerprint system failed to spot 15 percent to 20 percent of those on a volunteer black-list &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal style='mso-margin-top-alt:8.35pt;margin-right:8.35pt; margin-bottom:0cm;margin-left:0cm;margin-bottom:.0001pt;line-height:12.55pt; background:white'&gt;&lt;font size=1 color="#333333" face=Verdana&gt;&lt;span style='font-size:9.0pt;font-family:Verdana;color:#333333'&gt;This is a story about football, but it has implications beyond the beautiful game. 
A fingerprint recognition system failed to prevent black-listed fans from entering football grounds and was easily fooled by simple spoofing techniques, according to a trial by Dutch research organisation &lt;a href="http://www.tno.nl/home.cfm?content=rapporten" target="_blank"&gt;&lt;font color="#751038"&gt;&lt;span style='color:#751038'&gt;TNO&lt;/span&gt;&lt;/font&gt;&lt;/a&gt; (organization's motto: &lt;em&gt;&lt;i&gt;&lt;font face=Verdana&gt;&lt;span style='font-family:Verdana'&gt;&amp;quot;Kennis voor zaken&amp;quot;&lt;/span&gt;&lt;/font&gt;&lt;/i&gt;&lt;/em&gt;). Jurgen den Hartog, who undertook the research, said that with a false positive rate of 0.1 percent -- a low rate being a requirement for such a system, given the number of supporters and the fact that false positive could make for trouble -- the fingerprint system failed to spot 15 percent to 20 percent of those on a volunteer black-list, recruited to test the technology, a level he described as &amp;quot;unexpected.&amp;quot; &amp;quot;This has serious implications for a lot of other negative identification scenarios,&amp;quot; den Hartog told a session of the &lt;a href="http://www.computerweekly.com/Articles/2007/08/24/226380/biometrics-move-from-banking-to-borders.htm" target="_blank"&gt;&lt;font color="#751038"&gt;&lt;span style='color:#751038'&gt;Biometrics 2007 conference&lt;/span&gt;&lt;/font&gt;&lt;/a&gt; in &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Westminster&lt;/st1:place&gt;&lt;/st1:City&gt; last week. 
&amp;quot;It's very easy not to look like yourself, so I wonder what the impact of these results will be on other programmes.&amp;quot;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal style='mso-margin-top-alt:8.35pt;margin-right:8.35pt; margin-bottom:0cm;margin-left:0cm;margin-bottom:.0001pt;line-height:12.55pt; background:white'&gt;&lt;em&gt;&lt;i&gt;&lt;font size=1 color="#333333" face=Verdana&gt;&lt;span style='font-size:9.0pt;font-family:Verdana;color:#333333'&gt;InfoSecurity&lt;/span&gt;&lt;/font&gt;&lt;/i&gt;&lt;/em&gt;&lt;font size=1 color="#333333" face=Verdana&gt;&lt;span style='font-size:9.0pt;font-family: Verdana;color:#333333'&gt;'s S. A. Mathieson &lt;a href="http://www.infosecurity-magazine.com/news/071019_tno.html" target="_blank"&gt;&lt;font color="#751038"&gt;&lt;span style='color:#751038'&gt;writes&lt;/span&gt;&lt;/font&gt;&lt;/a&gt; that negative identification fails if a black-listed person can fool the system into thinking they are not on that list, involving technically challenging one-to-many checks. Identity verification checks, such as with passports, require only a one-to-one check that the biometric recorded matches the individual, and fails only if someone else's identity is hijacked. Den Hartog said that fooling the fingerprint systems, LScan 100 scanners provided by NEC and HSB, proved easy for the volunteers, who were asked to attempt such spoofing. They used techniques including latent fingerprints on sticky tape and a layer of glue on fingers: &amp;quot;The trick is, do not press too hard,&amp;quot; he said of the latter. Both techniques also fooled a spoof-resistant scanner from Lumidigm in TNO's labs. 
Furthermore, the tests brought up other problems: the devices could check twelve fans a minute at best, but as few as four or five a minute on one occasion when it was in direct sunlight by Feyenoord's ground (Giovanni van Bronckhorst, one of our favorite footballers, is playing for the &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Rotterdam&lt;/st1:place&gt;&lt;/st1:City&gt; club). &amp;quot;The french fries stand outside the stadium couldn't do business any more, because of the queue for our gate,&amp;quot; den Hartog said. &amp;quot;The live system did not meet important requirements of speed, accuracy and robustness against manipulation,&amp;quot; den Hartog concluded. &amp;quot;I think speed and accuracy can be solved, but robustness against manipulation really remains a challenge.&amp;quot;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal style='mso-margin-top-alt:8.35pt;margin-right:8.35pt; margin-bottom:0cm;margin-left:0cm;margin-bottom:.0001pt;line-height:12.55pt; background:white'&gt;&lt;font size=1 color="#333333" face=Verdana&gt;&lt;span style='font-size:9.0pt;font-family:Verdana;color:#333333'&gt;The research involved 6,400 checks at 26 matches at three Dutch football clubs. TNO chose fingerprints in preference to iris or facial recognition, on a range of criteria including speed, reliability, and proof against being fooled. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/10/fingerprint-system-fails-to-identify.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-1074115670587324228</guid><pubDate>Wed, 16 May 2007 14:42:00 +0000</pubDate><atom:updated>2007-05-16T14:45:57.016Z</atom:updated><title>Yet another example of absence of Dynamic Security's protection</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;TJX breach-related expenses: $17M and counting&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;May 15, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) The TJX Companies Inc. 
today &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://home.businesswire.com/portal/site/tjx/index.jsp?epi-content=GENERIC&amp;amp;newsId=20070515005807&amp;amp;ndmHsc=v2*A938775600000*B1179266441000*C4102491599000*DgroupByDate*J2*N1001148&amp;amp;newsLang=en&amp;amp;beanID=1809476786&amp;amp;viewID=news_view" target=new&gt;announced&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; that it took a $12 million after-tax charge for the quarter ending April 28 in connection with &lt;b&gt;&lt;span style='font-weight: bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;taxonomyName=security&amp;amp;articleId=280123"&gt;the massive data breach it disclosed in January&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The charge of 3 cents per share included the costs involved in investigating and containing the intrusion, beefing up computer security, communicating with customers, and various legal and other fees, the company said in its first quarter earnings statement. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The company expects to incur a similar charge of 2 cents to 3 cents per share in the second quarter, as well, TJX said. It also warned investors of even more potential costs down the road. &amp;quot;TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses,&amp;quot; TJX said in its statement. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The Framingham, Mass.-based TJX owns several retail brands, including T.J.Maxx, &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Marshalls&lt;/st1:place&gt;&lt;/st1:City&gt; and Bob's Stores. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;In January, the company announced that someone had broken into its payment systems and illegally accessed card data belonging to customers in the &lt;st1:country-region w:st="on"&gt;U.S.&lt;/st1:country-region&gt;, &lt;st1:country-region w:st="on"&gt;Canada&lt;/st1:country-region&gt;, Puerto Rico, the &lt;st1:country-region w:st="on"&gt;U.K.&lt;/st1:country-region&gt; and &lt;st1:country-region w:st="on"&gt;&lt;st1:place  w:st="on"&gt;Ireland&lt;/st1:place&gt;&lt;/st1:country-region&gt;. In filings with the U.S. Securities and Exchange Commission in March, the company said &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9014782"&gt;45.6 million credit and debit card numbers were stolen&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; over a period of more than 18 months by an unknown number of intruders. That number eclipsed the 40 million records compromised in a mid-2005 breach at CardSystems Solutions Inc. and made the TJX compromise the worst ever in terms of the loss of payment card data. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The $12 million charge comes on top of the $5 million in breach-related costs cited by TJX in the previous quarter. 
And that may just be the tip of the iceberg, said Khalid Kark, an analyst at Forrester Research Inc. in &lt;st1:place w:st="on"&gt;&lt;st1:City w:st="on"&gt;Cambridge&lt;/st1:City&gt;,  &lt;st1:State w:st="on"&gt;Mass.&lt;/st1:State&gt;&lt;/st1:place&gt;, who released a report last month on all the factors that need to be included when totaling data breach costs. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Apart from direct expenses related to breach discovery, response and notification, companies also incur a variety of other costs such as those stemming from regulatory fines, lawsuits, and additional security and audit requirements. Several lawsuits have already been filed against TJX, &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9017758"&gt;including one by the Massachusetts Bankers Association&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; seeking tens of millions in restitution for banks that were forced to block and reissue thousands of debit cards following the breach. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;There are also somewhat less tangible costs such as lost employee productivity and opportunity costs that need to be factored in, Kark said. The expenses disclosed by TJX could be &amp;quot;just a fraction&amp;quot; of what the breach could eventually end up costing the company. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;This is something that is going to play out over years,&amp;quot; he said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;!-- HTMLBODY-LOCATED --&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/05/yet-another-example-of-absence-of.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-2040497089760452252</guid><pubDate>Tue, 08 May 2007 09:23:00 +0000</pubDate><atom:updated>2007-05-08T09:26:32.171Z</atom:updated><title>IDentiWall is poised to resolve the credit card payment security</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Restaurant Chain Beefs Up Payment Card Protections&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p style='margin-bottom:12.0pt'&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;May 07, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) In the past, credit and debit card security wasn&amp;#8217;t a huge concern at The Steak n Shake Co., which operates more than 450 restaurants 
in the &lt;st1:place w:st="on"&gt;Midwest&lt;/st1:place&gt; and Southeast. But it has been a top priority for the chain&amp;#8217;s IT organization since last August, when the number of card transactions that Steak n Shake processes annually passed the 6 million mark. &lt;br&gt; &lt;br&gt; That put the Indianapolis-based chain into the category of businesses that are subject to the most stringent requirements of a data security standard mandated by the major credit card companies. &lt;br&gt; &lt;br&gt; Moving into the Level 1 classification under the Payment Card Industry (PCI) Data Security Standard had big IT implications for Steak n Shake, said Sean Smith, its director of strategic technology services. The company had been accepting card payments for only about two and a half years, and before August, it was considered a Level 4 merchant &amp;#8212; the lowest tier on the PCI scale. &lt;br&gt; &lt;br&gt; &lt;b&gt;&lt;span style='font-weight:bold'&gt;Requirements Multiplied &lt;/span&gt;&lt;/b&gt;&lt;br&gt; &lt;br&gt; &amp;#8220;We went from ground zero to Tier 1 in a very short period of time,&amp;#8221; Smith said. &amp;#8220;Our PCI requirements and the difficulty of attaining them changed by a magnitude of sixfold to tenfold.&amp;#8221; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;PCI requires all entities that handle payment cards to implement a set of 12 security controls, including data encryption, logical and physical access controls, and activity monitoring and logging. Companies are classified into four groups, depending on the number of card transactions they process annually. Businesses that are in the top group like Steak n Shake are required to undergo quarterly network security scans and an annual on-site security audit. 
&lt;br&gt; &lt;br&gt; Some of the biggest changes at Steak n Shake had to be made at the restaurant level. For instance, the generic usernames and passwords used in the past to access point-of-sale systems were replaced by a log-in system based on Active Directory that can be centrally monitored and managed. Under PCI, Smith said, &amp;#8220;we need to know who is accessing what, when and where.&amp;#8221; &lt;br&gt; &lt;br&gt; The company also had to roll out tools for centrally managing the IT assets in its restaurants and pushing out software patches and anti&amp;shy;virus updates to the systems. In addition, Smith said, Steak n Shake can now log and audit all restaurant-level transactions involving payment card data, as required by PCI. &lt;br&gt; &lt;br&gt; In another facet of the compliance effort, Steak n Shake is replacing its VSAT satellite communications links with a T1 network that will tie each restaurant to headquarters via secure point-to-point virtual private network connections. And to better secure its network perimeter, the chain is adding intrusion-prevention and -detection tools, plus security event management technology with centralized logging and correlation. &lt;br&gt; &lt;br&gt; Smith declined to disclose what the security upgrades are costing Steak n Shake, which has hired Qualys Inc. to do the required quarterly vulnerability scans of its network perimeter. Qualys will also conduct similar assessments of its internal network to help mitigate potential security threats from insiders. &lt;br&gt; &lt;br&gt; Implementing and demonstrating the controls needed to comply with PCI at Level 1 can be challenging, said Terry Ramos, director of strategic development at Redwood Shores, Calif.-based Qualys. That&amp;#8217;s especially true for a company like Steak n Shake, whose compliance level has abruptly changed, Ramos said. He noted that at Level 4, the PCI mandates are little more than best practices, with no specified validation requirements. 
&lt;br&gt; &lt;br&gt; Getting reclassified on the PCI scale &amp;#8220;can often be a rude awakening for organizations,&amp;#8221; said Chris Noell, president of TruComply, an Austin-based consulting firm that focuses on the payment card industry. Level 4 companies, he added, &amp;#8220;are rarely aware of their compliance obligation, much less doing anything about it.&amp;#8221; &lt;br&gt; &lt;br&gt; &amp;#8220;The difference can be like night and day,&amp;#8221; agreed Gartner Inc. analyst Avivah Litan. &amp;#8220;Level 1&amp;#8217;s come under a much bigger magnifying glass.&amp;#8221;&lt;/span&gt;&lt;/font&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/05/identiwall-is-poised-to-resolve-credit.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-7203650919648327449</guid><pubDate>Wed, 18 Apr 2007 08:49:00 +0000</pubDate><atom:updated>2007-11-28T12:08:06.945Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Authentication</category><category domain='http://www.blogger.com/atom/ns#'>Cybercrime</category><title>IDentiWall could stop this thief</title><description>&lt;div class="Section1"&gt;  &lt;h1&gt;&lt;span style="font-size:100%;"&gt;&lt;st1:place st="on"&gt;&lt;st1:country-region st="on"&gt;&lt;b&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;Georgia&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/st1:country-region&gt;&lt;/st1:place&gt;&lt;/span&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt; man pleads guilty in peer-to-peer crackdown&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h1&gt;  &lt;p class="MsoNormal"&gt;&lt;span 
style="font-size:100%;"&gt;&lt;b&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-weight: bold;font-family:Arial;color:black;"  &gt;Grant Gross&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-size:100%;"&gt;&lt;b&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-weight: bold;font-family:Arial;color:black;"  &gt;&lt;!-- begin 336x280 ad tag --&gt;April 16, 2007&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt; (IDG News Service) A man from &lt;st1:place st="on"&gt;&lt;st1:city st="on"&gt;Columbus&lt;/st1:city&gt;, &lt;st1:state st="on"&gt;Ga.&lt;/st1:state&gt;&lt;/st1:place&gt;, has pleaded guilty to two felonies related to distribution of copyrighted materials over a peer-to-peer network, the Department of Justice announced Monday. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;The plea of Sam Kuonen, 24, is the fifth in a series of convictions arising from the DOJ's Operation D-Elite, an ongoing crackdown against the distribution of movies, software, games and music over peer-to-peer networks using the BitTorrent file-sharing technology.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;Kuonen was charged with conspiracy to commit criminal copyright infringement and criminal copyright infringement. 
He faces up to five years in prison and a $250,000 fine, the DOJ said. He faces sentencing July 16 in the U.S. District Court for the District of Kansas.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;Operation D-Elite has targeted leading members of a peer-to-peer network known as Elite Torrents, the DOJ said in a news release. In its prime, Elite Torrents attracted more than 133,000 members and facilitated the illegal distribution of more than 17,800 titles, which were downloaded over 2 million times, the DOJ said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;The Elite Torrents network often included illegal copies of copyright works before they were available in retail stores or movie theaters. Kuonen was an "uploader" to the Elite Torrents network, responsible for supplying the network with the first copy of a particular movie or other title that was then made available to the entire network for downloading, the DOJ said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;On May 25, 2005, federal agents shut down the Elite Torrents network by taking control of its main server. Authorities replaced the existing Web page with a law enforcement message announcing that "This Site Has Been Permanently Shut Down by the Federal Bureau of Investigation (FBI) and U.S. Immigration and Customs Enforcement (ICE)." 
Within only one week, the law enforcement message was viewed over half a million times.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style="font-family:Arial;font-size:100%;color:black;"&gt;&lt;span style=";font-family:Arial;color:black;"  &gt;The Motion Picture Association of America provided "substantial" assistance to the investigation, the DOJ said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;!-- HTMLBODY-LOCATED --&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;font-size:100%;"&gt;&lt;span style=";font-family:Arial;" &gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;/div&gt;</description><link>http://www.made4biz-security.com/log/2007/04/identiwall-identiwall-identiwall.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-7200994755623118894</guid><pubDate>Wed, 18 Apr 2007 08:44:00 +0000</pubDate><atom:updated>2007-04-18T08:46:59.642Z</atom:updated><title>IDentiWall will resolve this issue.</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;IRS warns of new e-filing scam that rips off refunds&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Gregg Keizer&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 
ad tag --&gt;April 16, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) The U.S. Internal Revenue Service is warning Americans of a last-minute online scam where fraudulent sites pose as part of the agency's free tax-preparation service to poach refunds. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;On Friday, the IRS issued an alert saying it had uncovered one or more sites masquerading as part of the &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.irs.gov/efile/article/0,,id=118986,00.html" target=new&gt;Free File program&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;. Free File, a partnership with 19 tax preparation services, offers free preparation and e-filing to anyone with an adjusted gross income under $52,000. It's accessible only through the IRS's own Web site.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The bogus sites, however, pretend to be part of the program, duping taxpayers into preparing their taxes and submitting them for e-filing. The criminals have been accepting user information, then substituting their own bank account information for refunds before resubmitting the modified returns to a real Free File participant, the IRS said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;The final days of the tax season always bring tax scams,&amp;quot; IRS Commissioner Mark Everson said in a statement. &amp;quot;Make sure you're really dealing with the IRS. ... 
The only way to do it is through the secure IRS.gov Web site.&amp;quot; The Treasury Department's inspector general for tax administration is investigating.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The IRS regularly warns taxpayers of possible scams; security vendors have also gotten in on the act with &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9016362"&gt;e-filing tips&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; of their own.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The April 17 deadline for filing federal returns is two days later than usual this year, because April 15 fell on a Sunday and today is Emancipation Day, a &lt;st1:place w:st="on"&gt;&lt;st1:State w:st="on"&gt;District   of Columbia&lt;/st1:State&gt;&lt;/st1:place&gt; holiday.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;!-- HTMLBODY-LOCATED --&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/identiwall-will-resolve-this-issue.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-7319507735712863619</guid><pubDate>Sun, 15 Apr 2007 09:47:00 +0000</pubDate><atom:updated>2007-04-16T10:25:13.821Z</atom:updated><title>Security Solutions - Do all the following or simply deploy Dynamic! 
Security</title><description>&lt;span style="font-family:arial;"&gt;&lt;em&gt;&lt;strong&gt;Security crucial as intruders grow sophisticated&lt;/strong&gt; &lt;/em&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;em&gt;&lt;br /&gt;What technology gadgets do the experts love, or would love to have? CNN.com is asking experts in several fields about their favorite high-tech toys. This week, we asked security expert Heath Thompson.&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;&lt;em&gt;&lt;/em&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;(CNN) -- Heath Thompson is vice president, product development for IBM Internet Security Systems.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The 25-year computer industry veteran says security is going to be increasingly important since consumers are spending more of their lives online and intruders are growing more sophisticated.&lt;br /&gt;Here, he shares with CNN.com some of the key weapons in the security cyberwars.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;1) Biometrics: Biometric readers are the key to the future, literally. Not only do they reduce the number of passwords the average consumer has to remember, but they are truly a unique identifier and one of the strongest forms of security. 
Today fingerprint readers are built into laptops, but in the near future, I believe these readers will replace the traditional lock and key and be built into smart phones, handheld devices and door locks for the car and home.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Eventually, I also anticipate that people will be able to store biometric information over the Internet so they can identify themselves from any location.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;For instance, rather than carrying keys for safety deposit boxes, mailboxes and office entry, people will be able to access any secure device at any time through identification over the Internet.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;2) Filters: My children are coming into their preteens, and with the popularity of MySpace and YouTube (and the uncertainty of what my children will find) I've begun to think about stronger content filtering that would prevent children from viewing violence, hate, pornography, etc.&lt;br /&gt;Unfortunately, content filtering available through the computer's operating system isn't sufficient. Children are relentless and have figured out how to bypass security settings. Parents need industrial-strength content filtering, and the most economical way to get this would be through their Internet service provider. This type of security would allow parents to control individual usage throughout the home.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;3) Portable security: It's getting to the point where encrypted sites are not sufficient for financial and confidential transactions because Internet attackers have coaxed users to download Trojans unknowingly. The Trojans sit dormant on the computer and wait for the user to authenticate to the network. 
Once a secure connection is established, the Trojans awaken and capture consumers' identities that can be reused or sold.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Consumers need their banks or ISPs to provide dynamic, downloadable security clients to ensure the machines being used, be it at home or at an airport kiosk, are free of Trojans and other malicious software. Consumers need dynamic protection that follows them to provide security regardless of location.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;4) Secure Internet connections: Today, the Internet is connected to everything -- game consoles, digital video recorders, printers -- even refrigerators are now Web-enabled. Oftentimes these devices have no security settings installed, much less enabled. And even more often people are unaware these devices present an on-ramp into their home network.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The No. 1 targeted source for attacks is the consumer. When it comes to gaining easy access to user account data, Internet attackers have learned the consumer is much more susceptible and accessible than corporations.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;For years corporations have been deploying intrusion prevention technology to keep the bad guys off corporate networks. 
Considering 68 percent of corporations experience six losses of sensitive data every year due to human error, according to IT Policy Compliance Group, employees need consumer-grade intrusion prevention equivalent to what their corporations have to secure their home Internet connections.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Corporate IPS systems would be cost-prohibitive and excessive for consumers and small business owners; however, if consumers could buy secure Internet connectivity through their ISPs, they would be able to protect their Internet Protocol-enabled devices from today's ever-evolving threats.&lt;br /&gt; &lt;/span&gt;</description><link>http://www.made4biz-security.com/log/2007/04/you-can-do-all-following-or-simply.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-3784381605270921466</guid><pubDate>Thu, 12 Apr 2007 16:10:00 +0000</pubDate><atom:updated>2007-04-12T16:12:28.105Z</atom:updated><title>It seems that protection is where we should put our money</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Just how much will that data breach cost your company?&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; 
font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;April 11, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) Want to know just how much a data breach is likely to end up costing your company? Darwin Professional Underwriters Inc. may be able to help. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The Farmington, Conn.-based technology liability insurance company has released a &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.tech-404.com/calculator.html" target=new&gt;free online calculator&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; that it said allows businesses to estimate -- with a fair degree of accuracy -- their financial risk from data theft. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;&lt;font size=2 color=black   face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;Darwin&lt;/span&gt;&lt;/font&gt;&lt;/st1:place&gt;&lt;/st1:City&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt;'s Data Loss Cost Calculator uses proprietary algorithms developed with security breach data from media reports and other industry resources, according to the company. Among them was Ponemon Institute LLC's 2006 security breach and cost-analysis survey of 31 companies that had suffered data breaches. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Basically, the calculator allows companies to get hard cost estimates in three major categories: internal investigation expenses, customer notification/crisis management costs, and regulatory and other compliance expenses. Companies input data in the respective fields in the calculator to get instant estimates for costs associated with breach-related activities such as customer notification, credit monitoring, crisis management consulting, state or federal fines, and attorney fees. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;When we talk with different risk managers and CIOs, the constant refrain we hear is, 'Show me how much it costs when someone breaches our information,'&amp;quot; said Adam Sills, lead underwriter for &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Darwin&lt;/st1:place&gt;&lt;/st1:City&gt;'s technology and information liability initiatives. &amp;quot;There are different statistics from different sources&amp;quot; that have made it hard for companies to assess their financial risk, he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The online calculator is &amp;quot;our best guess, using the best information out there for how much this stuff costs,&amp;quot; he said. 
&amp;quot;These are the hard costs that you can quantify when you have a serious situation.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The calculator does not include costs associated with any class-action or other lawsuits that might follow a data breach, he said. Neither does it look at the effect on stock prices or reputation, because such numbers can vary by incident and are much harder to generalize. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Such calculators can be pretty useful in helping companies arrive at a better understanding of the financial implications of a breach, said Pete Lindstrom, an analyst at Midvale, Utah-based Burton Group Inc. &amp;quot;I'm a big fan of calculators,&amp;quot; he said. &amp;quot;It grounds security folks in a way that talking ephemerally about brand damage doesn't.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Although the numbers thrown out by &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Darwin&lt;/st1:place&gt;&lt;/st1:City&gt;'s calculator may not be always accurate for everyone all the time, they give IT managers &amp;quot;a way to think more concretely about the nature of the problem,&amp;quot; he said. &amp;quot;We need to collect information like this, even if they are broad estimates, to get smarter. 
This is as good a start as any.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc., said that such calculators &amp;quot;can give people a way to structure their thinking on the cost implications of a breach. I wouldn't bet my house or my enterprise on these numbers. A lot of the costs are often exaggerated.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Even so, as tools to get people thinking about the hard costs of security breaches, such calculators can at least offer worst-case estimates, she said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;!-- HTMLBODY-LOCATED --&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/it-seems-that-protection-is-where-we.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-864096425608083459</guid><pubDate>Tue, 10 Apr 2007 09:33:00 +0000</pubDate><atom:updated>2007-04-10T09:35:46.912Z</atom:updated><title>IDentiWall does not rely exclusively on regular credentials, therefore it wouldn't do the hackers any good if they stole it.</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Hackers dupe users with spam about bogus U.S.-Iran war&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 
color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Gregg Keizer&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;April 09, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) A weekend spam run tried to dupe recipients into downloading the infamous &amp;quot;Storm Trojan&amp;quot; by attaching files that posed as videos of a bogus missile strike by the &lt;st1:country-region w:st="on"&gt;U.S.&lt;/st1:country-region&gt; against &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;Iran&lt;/st1:place&gt;&lt;/st1:country-region&gt;, antivirus vendors said today. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The unsolicited e-mail, which arrives with provocative subject lines that include &amp;quot;Missle [sic] Strike: The USA kills more then [sic] 20000 Iranian citizens,&amp;quot; &amp;quot;USA Declares War on &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;Iran&lt;/st1:place&gt;&lt;/st1:country-region&gt;,&amp;quot; and &amp;quot;USA Just Have Started World War III,&amp;quot; include attached executable files such as video.exe and readme.exe, said Symantec Corp. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;The underlying threats are actually nothing new,&amp;quot; said Symantec researcher John McDonald on the company's security response team's blog. &amp;quot;They are simply minor variants of Trojan.Peacomm and W32.Mixor, which have been repacked in an attempt to avoid existing detection and appear to have been largely successful at that.&amp;quot; Symantec added that the executable file attached to the war-scare spam is actually a worm that downloads and installs both Trojan horses. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;According to data from MessageLabs Ltd., Peacomm -- also known as Zhelatin -- was the most prevalent piece of malware in the past 24 hours. It accounted for 32% of all malicious code being distributed worldwide, said MessageLabs. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;By early today, other security companies, including F-Secure Corp., Fortinet Inc., Kaspersky Lab Inc. and Sophos PLC, had released updated signatures to detect the tweaked threat. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Peacomm, which also goes by the nickname &amp;quot;Storm Trojan,&amp;quot; is notable because an outbreak in January and February ended up claiming the prize as the &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9008818"&gt;biggest malware assault&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; since mid-2005. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Previous spam runs of the malware have enticed users with romantic subject headings around Valentine's Day; the malicious code has been spread through &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9011903"&gt;blogs and instant messaging&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; as well as e-mail. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;!-- HTMLBODY-LOCATED --&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/identiwall-does-not-relay-exclusively.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-3881904997287053190</guid><pubDate>Tue, 10 Apr 2007 09:26:00 +0000</pubDate><atom:updated>2007-04-10T09:28:24.090Z</atom:updated><title>!!!   Dynamic! 
Security + IDentiWall option help fighting zero-day attacks   !!!</title><description>&lt;!-- Converted from text/rtf format --&gt;  &lt;P DIR=LTR&gt;&lt;B&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;Multiple Defenses Needed to Fight Off Zero-Day Attacks, Say Experts&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;B&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;B&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;Jaikumar Vijayan&lt;/FONT&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;B&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;B&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;April 09, 2007&lt;/FONT&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt; (Computerworld) The Windows animated cursor flaw that Microsoft patched last week caused widespread concern because attempted exploits of it were unleashed before the patch became available. But there are a variety of steps that companies can take to try to mitigate the risks posed by the ANI vulnerability and other so-called zero-day security threats.&lt;BR&gt; &lt;BR&gt; The available measures aren&amp;#8217;t a sure bet, IT managers and security analysts cautioned. They added that in the end, patching a flaw is still the most reliable way of protecting systems against attackers who are seeking to take advantage of it. 
But deploying multiple layers of defenses is a vital element of strategies for dealing with threats for which no immediate fix is available.&lt;BR&gt; &lt;BR&gt; For instance, Lloyd Hession, chief security officer at New York-based BT Radianz, said his company is using software from ConSentry Networks Inc. that can quickly detect compromised systems by any anomalous behavior they exhibit, instead of trying to spot infections solely by looking for virus signatures on machines.&lt;BR&gt; &lt;BR&gt; &amp;#8220;You need to smarten the intelligence within the local network,&amp;#8221; said Hession, who added that the ConSentry tool lets IT staffers at BT Radianz control the connections PCs can make with other systems. He said that can help lower the risk that an infected computer will spread malware across a LAN at the company, which provides telecommunications services to financial firms.&lt;BR&gt; &lt;BR&gt; &amp;#8220;Under the previous model, you could go anywhere in the network once you were within the network,&amp;#8221; Hession said. Now there are automated rules specifying the portions of a network that systems are allowed to access. The rules also limit the other machines that PCs can connect to based on the business needs of end users, he said.&lt;BR&gt; &lt;BR&gt; Another way to minimize zero-day threats is to adopt strict policies for filtering out e-mail attachments, which attackers often use to try to deliver malware to unsuspecting end users.&lt;BR&gt; &lt;BR&gt; Analysts have long advised companies to filter out GIFs, JPEGs, WMVs and other unneeded attachment types from inbound and outbound e-mails. 
And when deciding which attachments to allow and which to block, it&amp;#8217;s a mistake to assume that only certain types are being used maliciously, said Russ Cooper, senior information security analyst at Cybertrust Inc., a security services firm in Herndon, Va.&lt;BR&gt; &lt;BR&gt; Cooper noted that both GIFs and JPEGs were considered benign until attackers started hiding malicious code in them. &amp;#8220;Don&amp;#8217;t go on the basis of whether something is benign or not,&amp;#8221; he said. &amp;#8220;Look at what you need for your business.&amp;#8221;&lt;BR&gt; &lt;BR&gt; Malicious hackers also like to use HTML e-mail because it lets them more easily hide and deliver attack code to systems. For instance, several of Microsoft&amp;#8217;s e-mail clients, including Outlook Express and Windows Mail for Vista, are vulnerable to attacks that insert a malicious ANI file in an HTML message. Disabling HTML e-mail on systems can help mitigate that risk and blunt many of the phishing attacks that attempt to get users to click on links to malicious Web sites, Cooper said.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt; &lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR ALIGN=CENTER&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;B&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;B&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;Additional Protections&amp;nbsp;&lt;/FONT&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;BR&gt; &lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;Security analysts also suggested the following measures for blocking exploits of unpatched vulnerabilities:&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;BR&gt; &lt;BR&gt; &lt;FONT COLOR="#000000" FACE="Arial"&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;Turn off JavaScript 
to prevent some Web-embedded exploits from reaching end users via their browsers. &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;Restrict administrative privileges to stop remote hackers from gaining full administrative control of systems. &lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;Use updated virus signatures to identify possible attacks from remote sites and initiate responses.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;It&amp;#8217;s also important to keep an eye on the traffic that&amp;#8217;s leaving 
your network. Many Trojan horses and bot programs communicate with remote systems to get instructions on what to do next or what information they should upload. Using outbound proxies or firewalls to look for and block such communications could prevent malware programs from calling home, said Johannes Ullrich, chief technology officer at the SANS Institute&amp;#8217;s Internet Storm Center in Bethesda, Md.&lt;BR&gt; &lt;BR&gt; Companies should also consider implementing a &amp;#8220;default deny&amp;#8221; capability at the perimeter of their networks, Cooper said. The idea behind that approach is to allow only specific traffic in and out of a network gateway while blocking everything else by default.&lt;BR&gt; &lt;BR&gt; Cooper said that to determine what traffic should be permitted to enter and leave a network, IT managers can log all inbound and outbound router activity for a period of time to get a picture of what is routinely being transmitted. &amp;#8220;If you&amp;#8217;re worried about breaking functionality, allow everything that has been going through anyway, and deny everything else,&amp;#8221; he said. &amp;#8220;It&amp;#8217;s a great starting point.&amp;#8221;&lt;BR&gt; &lt;BR&gt; Increasingly, though, Trojan horses and bot programs are using trusted network ports such as Port 80 and Port 443, which are used by HTTP and HTTPS traffic, respectively, to communicate with the remote systems controlling them. 
That makes it harder to detect the illicit traffic using outbound filtering, Hession said.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;FONT COLOR="#000000" FACE="Arial"&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt; &lt;/SPAN&gt;&lt;/P&gt;  &lt;P DIR=LTR&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;SPAN LANG="en-us"&gt;&lt;/SPAN&gt;&lt;/P&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/dynamic-security-identiwall-option-help.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-1137674455161086831</guid><pubDate>Sun, 08 Apr 2007 13:27:00 +0000</pubDate><atom:updated>2007-04-08T13:30:21.899Z</atom:updated><title>what if the ID thieves couldn't use the stolen IDs? IDentiWall is doing just that!!!!!!!!!!!!!!</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Q&amp;amp;A: How Betty Ostergren makes life a little harder for ID thieves&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;April 05, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black 
face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) &lt;i&gt;&lt;span style='font-style:italic'&gt;If Massachusetts Secretary of State William Galvin finds himself in the news this week -- and he does -- because of concerns that his office's Web site is exposing Social Security numbers and other personal information online, he can thank -- or blame -- &lt;/span&gt;&lt;/i&gt;&lt;b&gt;&lt;span style='font-weight:bold'&gt;Betty &amp;quot;B.J.&amp;quot; Ostergren&lt;/span&gt;&lt;/b&gt;&lt;i&gt;&lt;span style='font-style:italic'&gt; for the publicity. For nearly five years, the feisty 57-year-old former insurance claims supervisor has led a one-person crusade against county and state government officials around the &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;U.S.&lt;/st1:place&gt;&lt;/st1:country-region&gt; Her mission: Stop them from posting public records containing Social Security numbers and other personal data online. It's a &amp;quot;stupid&amp;quot; and &amp;quot;reckless&amp;quot; practice that she says has turned the sites into a feeding ground for identity thieves and other cybercriminals. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;i&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-style:italic'&gt;Ostergren's site, &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.thevirginiawatchdog.com/" target=new&gt;The Virginia Watchdog&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;, boasts a list of public records containing Social Security numbers belonging to well-known figures -- including former Florida Gov. Jeb Bush and former Texas Congressman Tom Delay -- that she accessed from county sites. She also contacts people whose data she finds and asks them to put pressure on officials to take down the records. 
In just the last week, she persuaded the secretaries of state in &lt;st1:State w:st="on"&gt;Colorado&lt;/st1:State&gt; and &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Arizona&lt;/st1:place&gt;&lt;/st1:State&gt; to break links to certain commercial documents and tax liens on their sites that contained personal information. Sometimes her efforts don't work -- as in the case of Galvin, who said that online access to the documents is vital for business. Ostergren talked about how a campaign that began with an attempt to keep her own records offline in Hanover County, Va., has grown into a nationwide mission. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p&gt;&lt;i&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-style:italic'&gt;Excerpts from the interview follow:&lt;/span&gt;&lt;/font&gt;&lt;/i&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;What is the status in &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Virginia&lt;/st1:place&gt;&lt;/st1:State&gt; today? How many counties are still making unredacted public records available online? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt;As of today in &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Virginia&lt;/st1:place&gt;&lt;/st1:State&gt;, we have 59 circuit court clerks who have certified to the state compensation board that they have online remote access to these records. There are 62, however, who are not -- and my county is one of them. 
Those records that they have online in this state are deeds, mortgages, estate details, list of heirs of a deceased person, final divorce decrees with children's names, tax liens, power of attorney, name change documents and others. A lot of these records have Social Security numbers on them. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;Are there many counties around the country doing this? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;Yes there are. It's stupid, it's reckless and it's dangerous. You got people who are cops, FBI agents, Secret Service, the CIA, judges, doctors, abused single women, elderly women -- and here you are putting all their information right out there on the Internet, just because they're public records. Here's a thought: If somebody wants to see a public record, why don't they get in their car and drive down to the courthouse or the secretary of state's office? Don't be spoon-feeding criminals with stuff on the Internet. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;County clerks say all they are doing is making the same public records that are available in the courthouse available on the Internet. They say businesses need these records. What's wrong with that? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;Yeah, but they have Social Security numbers in them. 
I have driven down to &lt;st1:PlaceName w:st="on"&gt;Miami-Dade&lt;/st1:PlaceName&gt; &lt;st1:PlaceType w:st="on"&gt;County&lt;/st1:PlaceType&gt; in &lt;st1:State w:st="on"&gt;&lt;st1:place  w:st="on"&gt;Florida&lt;/st1:place&gt;&lt;/st1:State&gt; and tried to get Gov. Jeb Bush and his wife's Social Security number off a deed at the courthouse, but it wasn't possible. But I sat here at my computer in &lt;st1:place w:st="on"&gt;&lt;st1:City  w:st="on"&gt;Hanover County&lt;/st1:City&gt;, &lt;st1:State w:st="on"&gt;Va.&lt;/st1:State&gt;&lt;/st1:place&gt;, and got it. Sure, these are open records at the courthouse, as well they should be. But when we first started putting our records in these courthouses however many hundreds of years ago, it was for safekeeping and for different legal purposes. But with the advent of the Internet, everybody wants to put all this crap online with all this personal information, and I just think that it's dead wrong. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;So who really is accessing all of this data? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;Absolutely anybody and everybody can access it. People from outside this country are into these sites and so are people from within this country. Maybe it's your neighbor down the street. A site like the &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Colorado&lt;/st1:place&gt;&lt;/st1:State&gt; secretary of state's is free and open. Anybody can just simply sign up and get a password and in a minute you can get right in. 
[The site &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;taxonomyId=13&amp;amp;articleId=9015196"&gt;has temporarily blocked online access&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; to some records as a result of Ostergren's complaints.] If I want to, I can use a fake name and a fake e-mail account. No one knows who's signing up or who's accessing the records. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;But some states and counties require you to pay for these records, don't they? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt;A subscription is no protection. In &lt;st1:State w:st="on"&gt;Virginia&lt;/st1:State&gt;, for $25 you can sign up to access &lt;st1:place w:st="on"&gt;&lt;st1:PlaceName w:st="on"&gt;Fairfax&lt;/st1:PlaceName&gt;  &lt;st1:PlaceType w:st="on"&gt;County&lt;/st1:PlaceType&gt;&lt;/st1:place&gt;, home of Supreme Court justices, home of the FBI, the CIA, Pentagon officials. You have to sign up, you have to give your name and your address and a notarized signature. But big deal. Seven hijackers (involved in the 9/11 attacks) got their fake &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Virginia&lt;/st1:place&gt;&lt;/st1:State&gt; drivers license based on a fake notary. So who's to know what's real? You could give them a cell phone number and who's to know that it is not really in &lt;st1:country-region w:st="on"&gt;India&lt;/st1:country-region&gt; or in &lt;st1:City w:st="on"&gt;&lt;st1:place  w:st="on"&gt;Timbuktu&lt;/st1:place&gt;&lt;/st1:City&gt;? 
I send in $25 and I get a password and a username back in three days or so and then I'm in there sitting on 33 million records and about 5 million Social Security numbers. What's to stop me from having everyone in my neighborhood come to my house and use my computer? How is the clerk of the court in &lt;st1:place w:st="on"&gt;&lt;st1:PlaceName w:st="on"&gt;Fairfax&lt;/st1:PlaceName&gt;  &lt;st1:PlaceType w:st="on"&gt;County&lt;/st1:PlaceType&gt;&lt;/st1:place&gt; going to know who is sitting at my chair in front of my computer? That's where you lose control of those records. There are people downloading them by the gazillions. I'm not saying that public records should not be open. I am saying they should not be available online. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;What are states doing about it? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;There are some states like &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Florida&lt;/st1:place&gt;&lt;/st1:State&gt; that passed a law giving clerks and recorders until Jan. 1, 2008, to get Social Security numbers offline. If a person found out that their Social Security number was online, they can put in a written request and have it removed. In December 2005, &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;North Carolina&lt;/st1:place&gt;&lt;/st1:State&gt; passed a law allowing citizens to remove their Social Security numbers and a couple of other things like driver's license numbers from online records. A person can put in a written request to have their personal information removed. What's the problem with that? 
Well, it puts the burden on the citizens, and most of them don't even know this little scheme is going on until they get a phone call from me. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;What's your advice to people on this issue? &lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;I believe one person can make a difference. I have woken people up. I always hear from people and they are always thanking me for what I am doing. And I say, 'Don't just thank me. Spread the word. Do something to help me.' When I die, somebody has to give me credit for what I've done. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;!-- HTMLBODY-LOCATED --&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/what-if-id-thieves-couldnt-use-stolen.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-2262246624488345296</guid><pubDate>Thu, 05 Apr 2007 17:18:00 +0000</pubDate><atom:updated>2007-04-05T17:21:34.814Z</atom:updated><title>Dynamic Security is the only solution. 
Need I say more?</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Don't use WEP for Wi-Fi security, researchers say&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Peter Sayer&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;April 04, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (IDG News Service) The Wi-Fi security protocol WEP should not be relied on to protect sensitive material, according to three German security researchers who have discovered a faster way to crack it. They plan to demonstrate their findings at a security conference in &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Hamburg&lt;/st1:place&gt;&lt;/st1:State&gt; this weekend. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Mathematicians showed as long ago as 2001 that the RC4 key scheduling algorithm underlying the WEP (Wired Equivalent Privacy) protocol was flawed, but attacks on it required the interception of around 4 million packets of data in order to calculate the full WEP security key. 
Further flaws found in the algorithm have brought the time taken to find the key down to a matter of minutes -- not necessarily fast enough to break into systems that change their security keys every five minutes. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Now it takes just three seconds to extract a 104-bit WEP key from intercepted data using a 1.7-GHz Pentium M processor. The necessary data can be captured in less than a minute, and the attack requires so much less computing power than previous attacks that it could even be performed in real time by someone walking through an office. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Anyone using Wi-Fi to transmit data they want to keep private, whether it's banking details or just e-mail, should consider switching from WEP to a more robust encryption protocol, the researchers said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;We think this can even be done with some PDAs or mobile phones, if they are equipped with wireless LAN hardware,&amp;quot; said Erik Tews, a researcher in the computer science department at Darmstadt University of Technology in &lt;st1:place w:st="on"&gt;&lt;st1:City w:st="on"&gt;Darmstadt&lt;/st1:City&gt;,  &lt;st1:country-region w:st="on"&gt;Germany&lt;/st1:country-region&gt;&lt;/st1:place&gt;. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Tews, along with colleagues Ralf-Philipp Weinmann and Andrei Pyshkin, published a paper about the attack, showing that their method needs far less data to find a key than previous attacks: Just 40,000 packets are needed for a 50% chance of success and 85,000 packets for a 95% chance, they said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Although stronger encryption methods have come along since the first flaws in WEP were discovered, the new attack is still relevant, the researchers said. Many networks still rely on WEP for security: 59% of the 15,000 Wi-Fi networks surveyed in a large German city in September 2006 used it, with only 18% using the newer WPA (Wi-Fi Protected Access) protocol to encrypt traffic. A survey of 490 networks in a smaller German city last month found 46% still using WEP and 27% using WPA. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;In both surveys, over a fifth of networks used no encryption at all, the researchers said in their paper. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Businesses can still protect their networks from the attack, even if they use old hardware incapable of handling the newer WPA encryption. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;For one thing, the researchers said, their attack is active: In order to gather enough of the right kind of data, they send out Address Resolution Protocol requests, prompting computers on the network under attack to reply with unencrypted packets of an easily recognizable length. This should be enough to alert an intrusion-detection system to the attack, they said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Another way to defeat such attacks, which use statistical techniques to identify a number of possible keys and then select the one most likely to be correct for further analysis, is to hide the real security key in a cloud of dummy ones. That's the approach taken by AirDefense Inc. in its WEP Cloaking product, which was released Monday. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The technique means that businesses can cost-effectively protect networks using old hardware, such as point-of-sale systems, without the need to upgrade every terminal or base station, the company said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;If a network supports WPA encryption, though, users should rely on that instead of WEP to protect private data, Tews said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;Depending on your skills, it will cost you some minutes to some hours to switch your network to WPA. If it would cost you more than some hours of work if such private data becomes public, then you should not use WEP anymore,&amp;quot; he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;!-- HTMLBODY-LOCATED --&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/dynamic-security-is-only-solution-need.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-7773123470595174752</guid><pubDate>Thu, 05 Apr 2007 10:39:00 +0000</pubDate><atom:updated>2007-04-05T10:42:26.465Z</atom:updated><title></title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Five best practices for mitigating zero-day threats like Windows ANI &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; 
font-family:Arial;color:black;font-weight:bold'&gt;April 03, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) The &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;taxonomyName=windows&amp;amp;articleId=9015343"&gt;Windows animation bug&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; (ANI) caused widespread concern because exploits against it became widely available before Microsoft Corp. &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9015498"&gt;could release a patch&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;. But as with other zero-day threats before it, there are measures companies can take to at least try to mitigate the risk from unpatched vulnerabilities, security experts said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The measures are not a sure bet. And in the end, patching a flaw is still the most reliable way of protecting against exploits seeking to take advantage of it, they said. But deploying multiple layers of defenses is vital to dealing with threats for which no immediate fix is available. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Among them are the following: &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;Restrict e-mail attachments&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;One of the ways hackers hope to exploit the ANI flaw -- which Microsoft patched earlier today -- is by trying to get users to click on malicious attachments in spammed e-mails. One way of dealing with this sort of an attack vector is by having strict policies in place for filtering out e-mail attachments. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Security experts have for a long time now advised companies to filter out gif, JPEG, WMV and pretty much most attachment types they don't need from inbound and outbound e-mails. When deciding which attachments to allow and which to deny, it's a mistake to assume that only certain attachment types are maliciously used, said Russ Cooper, senior information security analyst with Cybertrust Inc. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;Don't go on the basis of whether something is benign or not,&amp;quot; Cooper said. 
After all, both gif and JPEG attachments were once considered benign until hackers started hiding malicious code in them. &amp;quot;Instead, look at what you need for your business,&amp;quot; he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;If there is a business need for accepting e-mails with attachments -- from a business partner, for example -- see if there's a way to restrict them to just that business partner. Or if you need to exchange zip files, for instance, consider the possibility of renaming the extension to something that just your company and your business partner know -- and permit only attachments with that extension into your network, Cooper said. &amp;quot;Then you can put gif, JPEG and even animated cursors if you have a need for them into those attachments,&amp;quot; he said. &amp;quot;If you say 'I only want to allow these attachments and nothing else,' you have eliminated every zero-day&amp;quot; threat via e-mail attachments, he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;Disable HTML e-mail&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Hackers and other bad guys like HTML e-mail because it allows them to more easily hide and deliver attack code to a desktop. 
For instance, several of Microsoft's e-mail clients, including Outlook Express and Windows Mail for &lt;st1:place w:st="on"&gt;Vista&lt;/st1:place&gt;, are vulnerable to attacks that insert a malicious ANI file in an HTML message. Disabling HTML can help mitigate this risk, Cooper said. By doing so, you are also blunting a lot of the phishing attacks that attempt to get users to click on URL links to malicious sites, he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;Keep an eye on the LAN&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Consider tools that don't rely on virus signatures alone to detect infected systems. Instead, implement a way to quickly detect a compromised system by any anomalous behavior it might exhibit, said Lloyd Hession, chief security officer at BT Radianz, a New York-based company that offers telecommunications services to the financial industry. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Also have a way to limit the damage an infected system can do to other LAN-connected systems, he said. BT Radianz, for instance, uses a tool that allows it control over the connections a desktop makes with other systems within the LAN. &amp;quot;Under the previous model, you could go anywhere in the network once you are within the network,&amp;quot; Hession said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Now, there are rules that specify what parts of a network to which a system is allowed access. The rules also spell out what systems that same system can connect to based on the user's business requirements. Such control can help mitigate the risk of an infected computer spreading malicious code to other systems within a network. &amp;quot;You need to smarten the intelligence within the local network&amp;quot; to detect zero-day attacks faster, he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;Filter outbound traffic&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;It's not enough just to inspect the traffic that's coming into your network; it's vital also to keep an eye on what's going out. Many Trojans or bot programs that get installed communicate with a remote system for further instructions on what to do next or what to download. Using outbound proxies or firewalls to look for and block such communications is one way to prevent Trojans and bots from calling home, said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center (ISC) in Bethesda, Md. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Consider implementing a &amp;quot;default deny&amp;quot; capability at the perimeter, Cooper added. 
The idea is to permit only specific traffic in and out of a network gateway, while blocking everything else by default, Cooper said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;What we are talking about is inbound and outbound rules on your router&amp;quot; to block, for example, outbound IRC attempts and SMTP requests, he said. To get an idea of what traffic to permit through the network, log all inbound and outbound router activity for a period of time and use that information to decide what's permissible and what's not, he said. &amp;quot;If you are worried about breaking functionality, allow everything that has been going through anyway and deny everything else,&amp;quot; he said. &amp;quot;It's a great starting point.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Increasingly, Trojans and bot programs have begun using well-known ports such as Port 80 to communicate with the remote systems controlling them. That makes it harder to detect such traffic using outbound filtering, Hession said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;Turn off JavaScript; don't give users administrative privileges&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Turning off JavaScript would have prevented some of the Web-embedded ANI exploits from reaching the user via the browser, Ullrich said. Restricting administrative privileges would have mitigated the fallout from an exploit by ensuring that a remote hacker wouldn't gain full administrative control of a system. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Ultimately, &amp;quot;you are less likely to go into emergency patch mode if you have other measures in place&amp;quot; for dealing with such threats, said Ken Dunham, director of Verisign Inc.'s iDefense rapid response team. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Such measures include content filtering at the gateway for ANI files, using updated antivirus software, using Snort signatures to identify and initiate responses to possible attacks from remote sites and user education, Dunham said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/five-best-practices-for-mitigating-zero.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-3071526605603906354</guid><pubDate>Tue, 03 Apr 2007 14:20:00 +0000</pubDate><atom:updated>2007-04-03T14:23:42.405Z</atom:updated><title>It seems that we ought to speed up IDentiWall to kill all that phishing</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Theft of 45.6M Card Numbers Largest Heist Yet&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p style='margin-bottom:12.0pt'&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;April 02, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) After more than two months of refusing to reveal the size and scope of the high-profile intrusion into its systems, The TJX 
Companies Inc. finally disclosed details about the extent of the compromise. &lt;br&gt; &lt;br&gt; In filings with the U.S. Securities and Exchange Commission last week, the company said 45.6 million credit and debit card numbers were stolen from two of its systems over a period of more than 18 months by an unknown number of intruders. &lt;br&gt; &lt;br&gt; That total eclipses the 40 million records compromised in the mid-2005 breach at the former CardSystems Solutions Inc., and makes the TJX incident the worst publicly disclosed compromise involving the loss of personal card data. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color="#999999" face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:#999999'&gt;&lt;img width=259 height=178 id="_x0000_i1031" src="cid:image001.jpg@01C77614.610E9E80" style='margin-bottom:5px' alt="The systems that were broken into were located at TJX&amp;#8217;s Framingham, Mass., headquarters. The theft is the worst on record involving personal data." border=0&gt;&lt;br&gt; The systems that were broken into were located at TJX&amp;#8217;s &lt;st1:place w:st="on"&gt;&lt;st1:City  w:st="on"&gt;Framingham&lt;/st1:City&gt;, &lt;st1:State w:st="on"&gt;Mass.&lt;/st1:State&gt;&lt;/st1:place&gt;, headquarters. The theft is the worst on record involving personal data.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal style='margin-bottom:12.0pt'&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;br&gt; &lt;br&gt; In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 people in 2003 was also stolen, the filing said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=250  bgcolor=black style='width:187.5pt;background:black'&gt;  &lt;tr&gt;   &lt;td style='padding:.75pt .75pt .75pt .75pt'   background="/common/images/site/features/1-pixel_fade.gif"&gt;   &lt;div&gt;   &lt;p class=MsoNormal align=center style='text-align:center'&gt;&lt;b&gt;&lt;font size=2   color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;   color:black;font-weight:bold'&gt;Disappearing Data&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;   &lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr&gt;   &lt;td valign=top style='padding:.75pt .75pt .75pt .75pt'&gt;   &lt;table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width="100%"    bgcolor="#C64731" style='width:100.0%;background:#C64731'&gt;    &lt;tr height=18 style='height:13.4pt'&gt;     &lt;td rowspan=2 valign=top bgcolor=white style='background:white;padding:     3.0pt 3.0pt 3.0pt 3.0pt;height:13.4pt'&gt;     &lt;h2 align=center style='text-align:center'&gt;&lt;b&gt;&lt;font size=2 color=black     face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;Top     Commercial Card Data Breaches in &lt;st1:country-region w:st="on"&gt;&lt;st1:place      w:st="on"&gt;U.S.&lt;/st1:place&gt;&lt;/st1:country-region&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h2&gt;     &lt;div class=MsoNormal align=center style='text-align:center'&gt;&lt;font size=2     color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;     color:black'&gt;     &lt;hr size=2 width="100%" align=center&gt;     &lt;/span&gt;&lt;/font&gt;&lt;/div&gt;     &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span     style='font-size:11.0pt;font-family:Arial;color:black'&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;The TJX     Companies Inc. 
- 46.5 million &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;     &lt;div class=MsoNormal align=center style='text-align:center'&gt;&lt;font size=2     color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;     color:black'&gt;     &lt;hr size=2 width="100%" align=center&gt;     &lt;/span&gt;&lt;/font&gt;&lt;/div&gt;     &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span     style='font-size:11.0pt;font-family:Arial;color:black'&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;CardSystems     Solutions Inc. - 40 million &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;     &lt;div class=MsoNormal align=center style='text-align:center'&gt;&lt;font size=2     color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;     color:black'&gt;     &lt;hr size=2 width="100%" align=center&gt;     &lt;/span&gt;&lt;/font&gt;&lt;/div&gt;     &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span     style='font-size:11.0pt;font-family:Arial;color:black'&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;iBill     Internet - 17.8 million &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;     &lt;div class=MsoNormal align=center style='text-align:center'&gt;&lt;font size=2     color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;     color:black'&gt;     &lt;hr size=2 width="100%" align=center&gt;     &lt;/span&gt;&lt;/font&gt;&lt;/div&gt;     &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span     style='font-size:11.0pt;font-family:Arial;color:black'&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;BJ&amp;#8217;s     Wholesale Club Inc. 
- 8 million &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;     &lt;div class=MsoNormal align=center style='text-align:center'&gt;&lt;font size=2     color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;     color:black'&gt;     &lt;hr size=2 width="100%" align=center&gt;     &lt;/span&gt;&lt;/font&gt;&lt;/div&gt;     &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span     style='font-size:11.0pt;font-family:Arial;color:black'&gt;&amp;#8226;&amp;nbsp;&amp;nbsp;Circuit     City Stores Inc. - 2.6 million&lt;br&gt;     &lt;br&gt;     &lt;b&gt;&lt;span style='font-weight:bold'&gt;Source:&lt;/span&gt;&lt;/b&gt; Privacy Rights     Clearinghouse&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;     &lt;/td&gt;     &lt;td style='height:13.4pt;border:none' width=0 height=18&gt;&lt;/td&gt;    &lt;/tr&gt;    &lt;tr height=18 style='height:13.4pt'&gt;     &lt;td style='height:13.4pt;border:none' width=0 height=18&gt;&lt;/td&gt;    &lt;/tr&gt;   &lt;/table&gt;   &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span   style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/table&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&lt;br&gt; &lt;br&gt; Avivah Litan, an analyst at Gartner Inc., expressed surprise at the scope of the breach. &amp;#8220;I had heard rumors that it was bigger than CardSystems, but I was still somewhat shocked it was actually this big.&amp;#8221; &lt;br&gt; &lt;br&gt; The number of stolen records &amp;#8220;makes this the biggest card heist ever,&amp;#8221; Litan said. &amp;#8220;It proves there are very sophisticated cybercriminals out there at large who have the potential to wreak havoc on pure-payment systems. 
If this isn&amp;#8217;t a wake-up call for stronger card and payment system security, I&amp;#8217;m not sure what is.&amp;#8221; &lt;br&gt; &lt;br&gt; In its filing, TJX said it is in the process of contacting individuals affected by the breach. &lt;br&gt; &lt;br&gt; &amp;#8220;Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed,&amp;#8221; the company said. &lt;br&gt; &lt;br&gt; Framingham, Mass.-based TJX, the owner of T.J. Maxx, Marshalls and Bob&amp;#8217;s Stores, disclosed in January that someone had illegally accessed one of its payment systems and stolen card data from an unspecified number of customers in the U.S., Canada, Puerto Rico, the U.K. and Ireland. &lt;br&gt; &lt;br&gt; At the time, TJX said it believed the intrusion took place in May 2006 but wasn&amp;#8217;t discovered until mid-December &amp;#8212; seven months later. A few weeks after its initial disclosure of the breach, the company said that an investigation by IBM and General Dynamics Corp. had concluded that the intrusion may have taken place in July 2005. &lt;br&gt; &lt;br&gt; TJX has confirmed that its systems were first accessed in July 2005 and then on several more occasions in 2005, 2006 and even in mid-January 2007 &amp;#8212; after the breach was discovered. However, no data appears to have been stolen after Dec. 18, when the intrusion was first noticed, it said. &lt;br&gt; &lt;br&gt; The systems that were broken into, which were located at the company&amp;#8217;s headquarters, processed and stored data related to payment cards, checks and merchandise returned without receipts. &lt;br&gt; &lt;br&gt; The data breach affected customers of TJX&amp;#8217;s T.J. Maxx, Marshalls, HomeGoods and A.J. 
Wright stores in the &lt;st1:country-region w:st="on"&gt;U.S.&lt;/st1:country-region&gt; and &lt;st1:place w:st="on"&gt;Puerto Rico&lt;/st1:place&gt;. Also affected were customers of its Winners and HomeSense stores in &lt;st1:country-region w:st="on"&gt;Canada&lt;/st1:country-region&gt; and TK Maxx stores in the &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;U.K.&lt;/st1:place&gt;&lt;/st1:country-region&gt;, the company said. &lt;br&gt; &lt;br&gt; The filing said the company is having difficulty determining exactly what kind of data was stolen, because a lot of the data is deleted by TJX in the normal course of business. &lt;br&gt; &lt;br&gt; &amp;#8220;In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,&amp;#8221; the company said. It did not identify the technology. &lt;br&gt; &lt;br&gt; Customer names and addresses were not included with any of the card data believed stolen from the &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Framingham&lt;/st1:place&gt;&lt;/st1:City&gt; systems, TJX said. &lt;br&gt; &lt;br&gt; The company said that by April 3, 2006, it had begun to mask payment card personal identification number data, &amp;#8220;some other portions of payment card transaction information&amp;#8221; and check transaction data. &lt;br&gt; &lt;br&gt; The company reported that it has spent about $5 million in connection with the breach. It warned that potential future costs are still undetermined and noted that several lawsuits have been filed against it since the breach was announced. &lt;br&gt; &lt;br&gt; One TJX shareholder, the Arkansas Carpenters Pension Fund, recently sued the company for its failure to divulge more details about the breach. 
&lt;br&gt; &lt;br&gt; TJX&amp;#8217;s disclosure came just days after six &lt;st1:State w:st="on"&gt;&lt;st1:place  w:st="on"&gt;Florida&lt;/st1:place&gt;&lt;/st1:State&gt; residents were arrested and charged with launching a multimillion-dollar statewide credit card fraud ring using information stolen from the company. Losses experienced by Wal-Mart Stores Inc. and other retailers due to the fraud have so far totaled at least $8 million.&lt;/span&gt;&lt;/font&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/it-seems-that-we-aught-to-speed-up.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-8487715114521345320</guid><pubDate>Sun, 01 Apr 2007 09:13:00 +0000</pubDate><atom:updated>2007-04-01T09:16:36.363Z</atom:updated><title>Dynamic Security with the IDentiWall option could resolve the issue for them</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Failed VA security contract was 'an open checkbook,' report says&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- 
begin 336x280 ad tag --&gt;March 29, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) A 10-year, $103 million contract for a security incident response center at the Department of Veterans Affairs (VA) had to be aborted after less than three years because of funding problems caused by bad planning and administration. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Instead of yielding a state-of-the-art security readiness and response capability, the contract became &amp;quot;an open checkbook&amp;quot; that resulted in the award of nearly two dozen noncompetitive task orders, inflated prices, overpayments and unaccounted-for equipment purchases totaling $35 million. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Those are just some of the findings of an audit by VA Inspector General George Opfer into the planning, award and administration of the Central Incident Response Capability (CIRC) contract awarded to the Veterans Affairs Security Team LLC (VAST) in July 2002. VAST was incorporated as a Texas-based limited liability corporation one week before the contract was awarded. The now-defunct company was owned by several small businesses led by Washington-based SecureInfo Corp. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;According to Opfer's report, many of the problems with the $102.7 million CIRC contract had to do with the addition of requirements for a Managed Security Services (MSS) component. 
While there appears to have been adequate acquisition planning for the CIRC requirements, there is no evidence of similar planning for MSS requirements, the report said. In fact, it is still unclear when the decision was made to include MSS requirements in the CIRC contract. There is also no documentation to show that the VA's program office considered at any point whether it would make sense to award separate contracts. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;We found that deficiencies in the planning, solicitation, evaluation of proposals, award and administration of the contract for MSS resulted in uncontrolled spending, overpayments and illegal contracting actions that resulted in the ultimate demise of the contract due to lack of funding,&amp;quot; Opfer said in his report. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;One modification -- made three months after the contract was awarded to VAST -- added new language that changed the MSS component from a firm fixed-price contract to a so-called Indefinite Delivery Indefinite Quantity contract. &amp;quot;The modification allowed VA to issue task orders to fill requests from field facilities and Office of Cyber Security for MSS at additional cost,&amp;quot; Opfer said in his report. The VA began issuing such task orders in August, shortly after the contract was signed -- even though the contract change that legitimized such orders was not made until October, the report said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Under the original pact awarded to VAST in 2002, $82.9 million was earmarked for recurring labor costs over 10 years, with the remaining $19.8 million meant for equipment and supply costs. But because of the task orders, the potential value of the contract shot up from $102.7 million to about $250 million. Though this sort of a &amp;quot;cardinal change&amp;quot; was prohibited, it was still approved by the VA's Office of General Counsel. That approval came one day after counsel asked for an opinion on the modification by the officer in charge of the contract, Opfer noted in his report. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;This made the contract an open checkbook in that it resulted in the award of 22 noncompetitive task orders valued at approximately $48.6 million, with little assurance of price reasonableness and no planned funding,&amp;quot; the report said. At least 17 of the task orders were out of scope and thus prohibited changes under the original contract, Opfer said in his report. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;A lack of clarity surrounding the modifications may have resulted in VAST being overpaid about $3.8 million for MSS services it never delivered and an additional $4.7 million in duplicate payments. On top of that, the VA also spent about $35 million on equipment and supplies, but has no record of what the equipment is or where it may be. 
Because the VA revised the tasks that were the basis of the original award -- and sought new proposals from VAST -- it wound up paying about $6.76 million more than had been earmarked for the original contract in the first year. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;As a result of the errors, the VA had spent about $91.8 million in less than three years when the plug was pulled. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Opfer's report also blasted the VA's vendor selection process. Little due diligence appears to have been put into evaluating vendor qualifications and ensuring that the prices being quoted were reasonable. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;For instance, the CIRC contract was specifically meant for small businesses, which VAST was not, Opfer said. VAST, in its original response to the VA contract, described itself as a joint venture involving six small businesses teamed with three large businesses -- Compaq, Signal and SAIC. Such an association should have automatically disqualified VAST as a small business, the report said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Just before the contract was awarded, VAST also changed its status from joint venture to limited liability corporation with no small business status. And because VAST appeared to have no assets, the VA may be hard-pressed to recover any excess money it paid the company, the report said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Christopher Fountain, CEO of SecureInfo, disagreed with Opfer's conclusions and denied that VAST had been overpaid during its work for the VA. &amp;quot;At no time during the review were we alerted to any such concerns&amp;quot; by the IG's office, Fountain said. &amp;quot;They never told us they had found anything&amp;quot; that was a cause for concern during the review, he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;In fact, when the contract was allowed to expire, it was VAST that incurred &amp;quot;several million dollars in liability&amp;quot; resulting from equipment purchases and other expenses, he said. Fountain also disagreed with Opfer's conclusion that VAST was not a small business. He maintained that the company was in fact a small business at all times during its contract with the VA. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;We believe that the government realized great value from the work we did perform for them,&amp;quot; Fountain said. &amp;quot;We believe we [set up] one of the most advanced security operations center in the federal government.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Also disagreeing with Opfer's finding was the VA's acting general counsel. In a statement responding to Opfer's audit, the general counsel's office maintained that the modifications made to the CIRC contract were legal. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;But Robert Howard, the assistant secretary of IT for VA, said in a response that he concurred with the report's findings and had launched an inventory of equipment as recommended by Opfer. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The VA did not respond to a request for comment. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;!-- HTMLBODY-LOCATED --&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/dynamic-security-with-identiwall-option.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-280126039999068636</guid><pubDate>Sun, 01 Apr 2007 09:11:00 +0000</pubDate><atom:updated>2007-04-01T09:14:32.946Z</atom:updated><title>IDentiWall is the solution for human errors</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;TJX data breach: At 45.6M card numbers, it's the biggest ever&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 
11.0pt;font-family:Arial;color:black'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;March 29, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) After more than two months of refusing to reveal the size and scope of its data breach, TJX Companies Inc. is finally offering more details about the extent of the compromise. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;In filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipses the 40 million records compromised in the mid-2005 breach at CardSystems Solutions and makes the TJX compromise the worst ever involving the loss of personal data. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 individuals in 2003 was also stolen. The company is in the process of contacting individuals affected by the breach, TJX said in its filings. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed,&amp;quot; the company said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Framingham, Mass.-based TJX is the owner of a number of retail brands, including T.J.Maxx, &lt;st1:City w:st="on"&gt;&lt;st1:place  w:st="on"&gt;Marshalls&lt;/st1:place&gt;&lt;/st1:City&gt; and Bob's Stores. In January, the company announced that someone &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9009158"&gt;had illegally accessed one of its payment systems&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; and made off with card data belonging to an unspecified number of customers in the U.S., Canada, Puerto Rico and potentially the U.K. and Ireland. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;At the time, TJX said it believed the intrusion took place in May 2006 but wasn't discovered until mid-December -- seven months later. A few weeks later, the company revised those dates and said that an investigation by IBM and General Dynamics, two companies it hired in the wake of the breach discovery, believed the intrusion may have taken place in July 2005. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Several banks and credit unions around the country and in the other affected regions had to block and reissue thousands of payment cards as a result of the breach. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;In its filing, TJX confirmed that its systems were first accessed illegally in July 2005 and then on several occasions later in 2005, 2006 and even once in mid-January 2007 -- after the breach had already been discovered. However, no data appears to have been stolen after Dec. 18, when the intrusion was first noticed. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The systems that were broken into were based in &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;Framingham&lt;/st1:place&gt;&lt;/st1:City&gt; and processed and stored information related to payment cards, checks and merchandise returned without receipts. The data breach affected customers of its T.J.Maxx, Marshalls, HomeGoods and A.J. Wright stores in the &lt;st1:country-region w:st="on"&gt;U.S.&lt;/st1:country-region&gt; and &lt;st1:place w:st="on"&gt;Puerto Rico&lt;/st1:place&gt;. 
Also affected were customers of its Winners and HomeSense stores in &lt;st1:country-region w:st="on"&gt;Canada&lt;/st1:country-region&gt; and TK Maxx stores in the &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;U.K.&lt;/st1:place&gt;&lt;/st1:country-region&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;It is hard to know exactly what kind of data was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. &amp;quot;In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,&amp;quot; the company said. It did not elaborate on the technology it was referring to. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Customer names and addresses were not included with any of the payment card data believed stolen from the &lt;st1:City w:st="on"&gt;&lt;st1:place  w:st="on"&gt;Framingham&lt;/st1:place&gt;&lt;/st1:City&gt; systems, TJX said. Also, the company &amp;quot;generally&amp;quot; did not store Track 2 data from the magnetic stripe on the back of payment cards for transactions after September 2003, TJX said. Also by April 3, 2006, the company had begun to mask payment card PIN data and &amp;quot;some other portions of payment card transaction information&amp;quot; as well as check transaction information, the company said. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;We are continuing to try to identify information stolen in the computer intrusion through our investigation, but other than the information provided ... we believe that we may never be able to identify much of the information believed stolen,&amp;quot; TJX said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The company has so far spent about $5 million in connection with the breach, although it is hard to say what other costs may be incurred, the company warned. It cited several lawsuits that have been filed against it since the breach was announced. The company was sued recently by the Arkansas Carpenters Pension Fund, one of its shareholders, for its failure to divulge more details about the breach. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc., expressed surprise at the scope of the breach. &amp;quot;I had heard rumors that it was bigger than CardSystems, but I was still somewhat shocked it was actually this big.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The number involved in the breach &amp;quot;makes this the biggest card heist ever,&amp;quot; she said. 
&amp;quot;It proves there are still very sophisticated cybercriminals out there at large who have the potential to wreak havoc on pure-payment systems and who have already stolen millions of dollars from consumers and financial institutions,&amp;quot; she said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;If this isn't a wakeup call for stronger card and payment system security, I'm not sure what is,&amp;quot; she said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;TJX's disclosure comes just days after six &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Florida&lt;/st1:place&gt;&lt;/st1:State&gt; residents were arrested for allegedly launching a multimillion-dollar statewide credit card fraud ring &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9013942"&gt;using information stolen from the company&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;. Losses experienced by Wal-Mart Stores Inc. and other retailers because of the fraud have so far totaled at least $8 million. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/04/identiwall-is-solution-for-human-errors.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-5958324994582130247</guid><pubDate>Wed, 28 Mar 2007 17:30:00 +0000</pubDate><atom:updated>2007-03-28T17:33:36.647Z</atom:updated><title>The coming IDentiWall era will protect us from phishers and ID thieves </title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Web attacks get personal&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Matt Hines&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;March 27, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (InfoWorld) Malware purveyors are increasingly tailoring their virus distribution and attack techniques to take advantage of different classes of end-users, according to researchers with the Internet Security Systems' X-Force team at 
IBM. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Top experts with the Atlanta-based research operation said that malware writers, phishing scheme operators, and botnet herders are more frequently employing so-called personalization tools to make their attacks more effective.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Much like the online marketing companies that gather bits of information to target advertising at individual Web users, cyber-criminals are creating malware outlets and code executions that scan readily-available details about users' computing habits and traits to find appropriate recipients for their work.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The approach uses any information that is found to isolate the right attack to deliver based on factors like the particular Web browser or operating system that an individual who is being targeted is using.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;By combining the more intelligent threat delivery approach with hard-to-detect Trojan, botnet, and cross-site scripting attacks, cutting-edge criminals are finding plenty of ways to take advantage of end users, said Gunter Ollman, director of security strategy for IBM ISS.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;With every Web page request, people send out a header that describes their 
browser and also tells you what language the request is being made in and sometimes even the cache level of the host it is running on; there's a lot of information in there, including the IP address of the person making the request,&amp;quot; Ollman said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;According to X-Force's 2006 annual report on security trends, 30 percent of malicious Web sites were already using personalization techniques by the end of last year. The company said it is expecting that number to grow rapidly in 2007.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;By combining the IP address and all the host details in the browser, we're seeing that attackers build sites that ensure they only use exploits that will work against a specific host,&amp;quot; the expert said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;In addition to determining which version of browser or OS software someone is using, many of the attacks can assess what level of security patch a particular program has in place, according to the researcher.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Cyber-criminals are also loading malware-infected Web pages with numerous code execution threats to assault many different aspects of varied sets of users with dozens of pieces of code being served up on a single URL.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span 
style='font-size:11.0pt; font-family:Arial;color:black'&gt;Many of the threats are hidden in individual elements of Web pages, including flash files, pdfs and images, which may each contain multiple attacks meant to take advantage of different vulnerabilities.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Ollman said that ISS has also observed that these more advanced malware efforts are also collecting IP address information from end users to ensure that they don't repeatedly send the same threats to their computers. The smartest groups are also trading information about IP addresses known to be used by security researchers to keep their latest work from being discovered.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;If you browse that type of malware site, it will serve exploit code, but only try it once; they know that people might start to get suspicious if the same part of a site crashes twice or acts abnormally,&amp;quot; said Ollman. 
&amp;quot;These attackers don't want people to get copies of their new code or to know what sites they have hosting the content; they know that sites get closed down or added to black lists very quickly these days if they're not careful.&amp;quot;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Ollman said that most of the exploits do not deliver spyware, but instead pass along smaller files known as droppers, which are less likely to be identified by anti-virus systems and which sit quietly before calling out across the Internet and drawing in real malware programs.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Many of the eventual spyware programs that are downloaded are even stealthy, the researcher said. The attacks frequently wait until a user opens a specific site or application before springing to life and beginning to intercept users' details, according to ISS's research.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/03/coming-identiwall-era-will-protect-us.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-1424518352183500917</guid><pubDate>Wed, 28 Mar 2007 17:26:00 +0000</pubDate><atom:updated>2007-03-28T17:29:26.186Z</atom:updated><title>IDentiWall case</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; 
font-family:Arial;color:black'&gt;ID theft threats have surged 200% since Jan. 1&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Gregg Keizer&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;March 28, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; () Identity theft threats jumped 200% in the first two months of 2007, a security company said today, noting that fraudsters have shifted to simpler, more effective tactics. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Cyveillance Inc. of Arlington, Va., compiled data from its Internet sweeps to report that the average daily count of URLs hosting malicious downloads climbed to 60,000 in February, 200% over the December 2006 figure. A single-day spike in midmonth came close to 140,000 such sites. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;The traditional phishing technique is being replaced by putting a URL in the e-mail,&amp;quot; said Manoj Srivastava, Cyveillance's CTO. 
&amp;quot;The trend now is to use the browser as the attack vector.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Phishing attacks have shifted from the usual e-mails that try to con users into visiting reproductions of legitimate pages, then duping them into entering their personal information. Instead, thieves simply stick a link in an e-mail message and count on users' gullibility. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;It works,&amp;quot; Todd Bransford, vice president of marketing for Cyveillance, said when asked what might be behind the rise. &amp;quot;It's proved to be a highly effective way of taking control of someone's PC.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Malicious sites typically exploit browser vulnerabilities to conduct &amp;quot;drive-by&amp;quot; downloads, installing bot Trojans that let a hacker control the machine or password-stealing keyloggers on compromised systems. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Srivastava speculated that another reason for the rapid rise in malicious sites is, ironically, the effectiveness of antiphishing software. &amp;quot;The phishing detection business has gotten good -- ours included -- and [so] it's far easier to detect conventional phishing techniques&amp;quot; than to gauge the potential for harm from a Web site. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The quick climb might also be a result of the increasing ease with which identity thefts are crafted. &amp;quot;[Phishing] kits have become common. It's so simple to launch attacks now that there's something of a geometric progression going on with the numbers,&amp;quot; said Srivastava. &amp;quot;The economics and risks involved being what they are, more people are learning about identity theft and how to make money from it. This looks like an inflection point.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Cyveillance also uncovered hundreds of thousands of credit and debit card account numbers in its sweeps of IRC channels and server logs of botnet operators. In the first two months of the year, the company's monitoring technology found more than 320,000 credit and debit card numbers, more than 1.4 million potential Social Security numbers and approximately 1.3 million account log-on credentials. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;We're pretty solid on those numbers,&amp;quot; said Srivastava. Although the Social Security numbers were not actually verified, he said, they match the nine-digit criteria and the algorithm used to construct the numerical strings. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;!-- HTMLBODY-LOCATED --&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/03/identiwall-case.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-7003392274942664851</guid><pubDate>Wed, 28 Mar 2007 16:59:00 +0000</pubDate><atom:updated>2007-03-28T17:02:50.277Z</atom:updated><title>you can hide your information or you can also use IDentiWall</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;&lt;b&gt;&lt;font size=2 color=black   face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;Calif.&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/st1:place&gt;&lt;/st1:State&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; official ends online access to public records with Social Security numbers&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jaikumar Vijayan&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;March 27, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span 
style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) Three years after it first made available certain documents containing Social Security numbers and other sensitive data on its Web site, the &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;California&lt;/st1:place&gt;&lt;/st1:State&gt; secretary of state's office last week finally shut down online access to the records because of identity theft concerns. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;In a statement &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.ss.ca.gov/executive/press_releases/2007/DB07_009.pdf" target=new&gt;(download PDF)&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;, Secretary of State Debra Bowen said her office was also freezing bulk electronic sales of its Uniform Commercial Code (UCC) database until all but the last four digits of Social Security numbers were removed from documents. There are approximately 2 million UCC filings on record with the secretary of state's office; about a third contain Social Security numbers. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Bowen said her office is considering using redaction technology to block out the first five digits of the Social Security numbers from UCC documents. And it has posted a warning online urging UCC filers not to include the numbers in their documents. Bowen also announced support for legislation sponsored by state Assembly member Dave Jones (D-Sacramento) that would require no more than four digits from an individual's Social Security number on public records -- both at the state and county levels. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Officials in Bowen's office could not be reached for comment. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;UCC documents are financial statements filed with the state by banks and other creditors when an individual takes out certain types of loans. The documents are considered public records and are available for purchase by the public. Over the past few years, several states have been posting images of such records on their Web sites without redacting any of the sensitive information -- much to the outrage of privacy advocates. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;This is yet another place where our laws haven't kept pace with advances in technology,&amp;quot; Bowen said in the statement. &amp;quot;To make the agency more business-friendly, previous Secretaries of State have made these records available on the Internet. However, until we find a way to remove all but the last four digits of people's Social Security numbers from the records in the electronic database, I've decided to pull the plug on the system.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Bowen's decision came just weeks after her office was notified by Jones about the easy availability of Social Security numbers on its Web site, and the danger that poses for potential identity theft. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;An aide to Jones today described how he purchased about 20 UCC records from the site at $6 per record and discovered that 14 of them contained Social Security numbers, full names, addresses and even images of signatures. &amp;quot;It was totally easy to get those records,&amp;quot; said the aide, who asked his name not be used. All it involved was clicking through as a nonsubscriber, entering some basic contact information and credit card details and searching for records using common last names, he said. One record contained Social Security numbers for seven people. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;Californians like to fancy ourselves about being so good on privacy,&amp;quot; the aide said. &amp;quot;But what we saw on the site was mind-boggling.&amp;quot; Because state laws prohibit the posting of such information in public records at the county level, &amp;quot;it was surprising to see this happening at the state level.&amp;quot; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;But California is not the only state to post UCC documents on the Web, nor is it the first one to take the postings down, said B.J. Ostergren, a privacy advocate in Richmond, Va., who has been pressing state and county governments to remove such data from their Web sites. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Ostergren runs &lt;b&gt;&lt;span style='font-weight:bold'&gt;&lt;a href="http://www.opcva.com/watchdog/" target=new&gt;The Virginia Watchdog&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;, which has for the past several years documented cases where county governments and secretary of state offices around the country have routinely posted sensitive data online. Many are moving to block online access to the information because of heightened privacy concerns, she said. Some, such as the &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Ohio&lt;/st1:place&gt;&lt;/st1:State&gt; secretary of state's office, did so only after being threatened with a class action lawsuit. Even then, that state has not been entirely successful in removing the sensitive information. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Among the states that have pulled down images of UCC documents with Social Security numbers are &lt;st1:State w:st="on"&gt;Oregon&lt;/st1:State&gt;, &lt;st1:State w:st="on"&gt;Missouri&lt;/st1:State&gt;, &lt;st1:State w:st="on"&gt;New Mexico&lt;/st1:State&gt;, &lt;st1:State w:st="on"&gt;Vermont&lt;/st1:State&gt;, &lt;st1:State w:st="on"&gt;New York&lt;/st1:State&gt; and &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;North Carolina&lt;/st1:place&gt;&lt;/st1:State&gt;, Ostergren said. But several other states continue to make UCC documents containing sensitive data either available for free or for purchase, she said. 
The list includes &lt;st1:State w:st="on"&gt;Florida&lt;/st1:State&gt;, &lt;st1:country-region w:st="on"&gt;Georgia&lt;/st1:country-region&gt;, &lt;st1:State w:st="on"&gt;Iowa&lt;/st1:State&gt;, &lt;st1:State w:st="on"&gt;Maryland&lt;/st1:State&gt; and &lt;st1:State w:st="on"&gt;&lt;st1:place w:st="on"&gt;Massachusetts&lt;/st1:place&gt;&lt;/st1:State&gt;, Ostergren said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;!-- HTMLBODY-LOCATED --&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/03/you-can-hide-your-information-or-you.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-2992172793208393217</guid><pubDate>Wed, 28 Mar 2007 16:56:00 +0000</pubDate><atom:updated>2007-03-28T16:59:27.107Z</atom:updated><title>IDentiWall, IDentiWall, IDentiWall.......</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;&lt;b&gt;&lt;font size=2   color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;   color:black'&gt;UK&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/st1:place&gt;&lt;/st1:country-region&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; e-crime chief: Cyber criminals are undeterred&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jeremy Kirk&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 
11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;March 27, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (IDG News Service) Last year, the &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;United Kingdom&lt;/st1:place&gt;&lt;/st1:country-region&gt; dissolved the National High-Tech Crime Unit (NHTCU), the agency responsible for investigating computer crime. The unit was folded into the Serious Organized Crime Agency (SOCA), a new organization that investigates fraud, drug trafficking and immigration-related crime. Critics charged that online crime would become a lower priority. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Nearly a year later, SOCA is &amp;quot;not achieving the kind of long-term impact on serious and organized crime ... that's needed,&amp;quot; said William Hughes, SOCA's director general, at the International e-Crime Congress in London on Tuesday.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The agency has a 94 percent conviction rate and made 684 arrests from April 2006 through February, mostly for drug trafficking but also including some e-crime, Hughes said. However, online banking fraud in the &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;U.K.&lt;/st1:place&gt;&lt;/st1:country-region&gt; continues unabated. 
Online banking fraud losses in the &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;U.K.&lt;/st1:place&gt;&lt;/st1:country-region&gt; rose to $44.5 million in 2006, up from $30.8 million in 2005 and $16.2 million in 2004, according to the Association for Payment Clearing Services, a payments trade group.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Sharon Lemon, a 30-year police veteran who headed the NHTCU, is now in charge of the e-crime unit within SOCA. She spoke on the sidelines of the e-crime conference on how the new unit has been running since becoming part of SOCA last year. What follows is an edited transcript of the interview:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;IDG News Service:&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; Given the growth in online crime, how do you prioritize cases?&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Sharon Lemon:&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; It's such a big area that we've had to really regroup and consider what our priorities are. To enable that, we need to be informed, so we've got a comprehensive knowledge base. We're not just randomly chasing people who happen to attract our attention. 
We've got a quite significant assessments team who assess the crime on the Internet and assess the threat, look at the new approaches. As a result, we'll consider the best operation. So it's much more focused and thought through.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;IDGNS:&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; How significant is the amount of money lost as part of an incident?&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Lemon:&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; If you have a look at the combined effect of many, many low-level amount frauds, that's organized crime. By attacking some 300,000 people for a small amount, it's the same as one person losing £300,000. We look at emerging trends, what's happening on the criminal forums and then decide what's the best approach. It's not always traditional prosecution. We've got to look at different approaches. Traditional prosecutions always have a place, but they are very long and complex, and by the time we get to court, the cyber criminals have come up with something new. 
So we need to be as flexible and responsive as they are.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;IDGNS:&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; What types of online crimes has the unit focused its energy on?&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Lemon:&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; Most of our investigations have been around fraud, which I summarize as lying to get your money. A lot of traditional investigation techniques apply but just online. I think we get a bit intoxicated by the IT element of it. It's just normal crime. 
That's why we need our international partners, because with this type of crime it's not the person next door, it could be the person on the other end of the world.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;IDGNS:&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; Can you describe the backgrounds of investigators in the unit?&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Lemon:&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; We've got a really good mix. We've got traditional law enforcement and we have experienced technical people. We have people interested in the subject matter, a really diverse group. That's changed. Previously in the NHTCU, it was mostly law enforcement. We found that having people from different sectors has proved really effective, and we're hoping perhaps to do some industry exchanges and perhaps get some people from academia. That's our approach.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;IDGNS:&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; The &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;U.K.&lt;/st1:place&gt;&lt;/st1:country-region&gt; recently amended its computer crime law and increased the penalties for some offenses. 
Do you think that will have some deterrent effect?&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Lemon:&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial; color:black'&gt; No, I don't think that really at the moment cyber criminals have got any real threat from law enforcement. I'm not proud to say that, but that's the way I feel.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;!-- HTMLBODY-LOCATED --&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/03/identiwall-identiwall-identiwall.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-7717139915883030962</guid><pubDate>Wed, 28 Mar 2007 16:52:00 +0000</pubDate><atom:updated>2007-03-28T16:55:01.272Z</atom:updated><title>rest assured that the soon coming IDentiWall will solve the phishing problem</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=5 color=black face=Arial&gt;&lt;span style='font-size:20.0pt; font-family:Arial;color:black'&gt;PayPal asking e-mail services to block messages&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:10.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jeremy Kirk&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 
10.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;March 27, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:10.0pt;font-family:Arial;color:black'&gt; (IDG News Service) PayPal, the Internet-based money transfer system owned by eBay Inc., is trying to persuade e-mail providers to block messages that lack digital signatures, which are aimed at cutting down on phishing scams, a company attorney said Tuesday. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial;color:black'&gt;So far, no agreements have been reached, but the idea is one that PayPal would like to see from other e-commerce businesses, said Joseph E. Sullivan, PayPal's associate general counsel, at the International E-Crime Congress in &lt;st1:City w:st="on"&gt;&lt;st1:place w:st="on"&gt;London&lt;/st1:place&gt;&lt;/st1:City&gt;.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial;color:black'&gt;An agreement with, for example, Google Inc. for its Gmail service could potentially stop spam messages that look legitimate and bypass spam filters.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial;color:black'&gt;PayPal is using several technologies to digitally sign its e-mails now, including DomainKeys, Sullivan said. 
DomainKeys, a technology developed by Yahoo Inc., enables verification of the sender and integrity of the message that's sent.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial;color:black'&gt;PayPal is one of the most highly spoofed brands, with fraudsters sending out spam to lure vulnerable users to look-a-like Web sites where their log-in details and passwords are collected and abused for profit.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial;color:black'&gt;Once a hacker has gained control of a PayPal account, it's possible to send money to other PayPal accounts or purchase goods. PayPal has introduced rules to counter fraud, such as limits on how much money can be transferred. PayPal also compensates users who've had their accounts hijacked, Sullivan said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial;color:black'&gt;But the phishing problem is getting worse than when he started working for eBay five years ago, Sullivan said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial;color:black'&gt;Last week, Sullivan said he got a call from his father, who said he'd fallen prey to a phishing scam. 
While spam filtering technologies have improved and awareness around phishing is rising, users tend to be the weakest point, falling for sometimes very convincing social engineering tricks.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial;color:black'&gt;&amp;quot;I think one lesson we've learned is that education isn't going to stop this,&amp;quot; Sullivan said. &amp;quot;Phishing attacks are too good now. Every company that does business on the Internet is being targeted by phishing scams now.&amp;quot;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial;color:black'&gt;The number of phishing sites is also rising. A report released last week by the Anti-Phishing World Group, a consortium of vendors and government agencies, said the number of fraudulent Web sites in January reached an all-time high of 29,930.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;!-- HTMLBODY-LOCATED --&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:10.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/03/rest-assure-that-soon-coming-identiwall.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-4857205341528010843</guid><pubDate>Tue, 27 Mar 2007 14:32:00 +0000</pubDate><atom:updated>2007-03-27T14:35:45.156Z</atom:updated><title>here we go again...</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Senators question smart card ID 
requirements&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Grant Gross&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size: 11.0pt;font-family:Arial;color:black'&gt;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;&lt;!-- begin 336x280 ad tag --&gt;March 26, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt; (IDG News Service) Senators and privacy advocates on Monday questioned a &lt;st1:country-region w:st="on"&gt;&lt;st1:place w:st="on"&gt;U.S.&lt;/st1:place&gt;&lt;/st1:country-region&gt; government plan to move ahead with smart card drivers license requirements, saying the cost will run into the billions of dollars and the cards could allow the government to track residents. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;The Real ID Act,&amp;nbsp;&lt;a href="http://www.computerworld.com/securitytopics/security/story/0,10801,101657,00.html?source=NLT_PM&amp;amp;nid=101657" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;tacked onto&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;a military spending bill in 2005, would require states to save digital copies of source documents such as birth certificates for drivers licenses and it would require states to share information in their drivers license databases. 
The goal of the new cards, which would include digital photographs and personal information in a machine-readable chip, would be to better ensure that the people carrying the ID cards are who they say they are.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Congress passed the Real ID Act in response to the Sept. 11, 2001, terrorist attacks on the &lt;st1:country-region w:st="on"&gt;&lt;st1:place  w:st="on"&gt;U.S.&lt;/st1:place&gt;&lt;/st1:country-region&gt; The 9/11 Commission recommended that the government take steps to better ensure the validity of U.S. IDs. The pilot of the airplane that crashed into the Pentagon held three state drivers licenses, all of them fake, said Robert Barth, assistant secretary for policy development at the U.S. Department of Homeland Security.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;Real ID is fundamental to the security of our nation,&amp;quot; Barth told the Senate Subcommittee on Oversight of Government Management.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;But Senator George Voinovich, an Ohio Republican, complained that much of the cost for implementing Real ID would be passed on to states. DHS has estimated the cost of implementing Real ID at $14.6 billion over 10 years.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Voinovich also questioned how secure the cards would be. 
&amp;quot;You're going to be able to guarantee that information is going to remain private?&amp;quot; he asked Barth.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;No one can guarantee that any data will be 100 percent secure, Barth answered, but a federal system would be &amp;quot;vastly, vastly&amp;quot; more secure than 50 separate state drivers license systems. &amp;quot;Whenever you have human beings involved ... you can't say there's zero risk,&amp;quot; he said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Voinovich pressed the question, asking if there were technological methods of defeating the proposed ID cards.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;We're going to provide the safeguards and do everything possible to prevent that from happening,&amp;quot; Barth said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Privacy advocates have also questioned the Real IDs, saying the data on the cards would allow the government to track citizens. 
&amp;quot;The machine readable zone on each Real ID license will provide a digital trail everywhere it is read,&amp;quot; said Timothy Sparapani, legislative counsel for the American Civil Liberties Union.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Members of Congress have proposed that the Real ID card be required in order to vote, get a new job, obtain government benefits and travel on airplanes and trains, Sparapani said. &amp;quot;Senators should expect that no person would be able to function in our society without providing a Real ID-compliance license,&amp;quot; he said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;In addition, the advocacy group the Center for Democracy and Technology said during a press briefing last week that the legislation doesn't restrict which employees of state drivers license bureaus can access the databases of private information. The Real ID act has no requirement for the security of the shared databases, said Jim Dempsey, CDT's policy director.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;&amp;quot;The act doesn't mention the word privacy, and it barely mentions the word security,&amp;quot; Dempsey said.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;But Senator John Warner, a Virginia Republican, defended the Real ID Act. &amp;quot;We've got to come to the realization that the life before us is not the life behind us,&amp;quot; he said. 
&amp;quot;We are facing some very, very serious threats.&amp;quot;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;!-- HTMLBODY-LOCATED --&gt;  &lt;p class=MsoNormal&gt;&lt;font size=2 face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial'&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/03/here-we-go-again.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-5272721362288862220</guid><pubDate>Sun, 25 Mar 2007 14:53:00 +0000</pubDate><atom:updated>2007-04-16T11:16:38.745Z</atom:updated><title>A new cold war irrupted just because they didn't use Dynamic! Security</title><description>&lt;div class="Section1"&gt;&lt;h1&gt;&lt;b&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-size:100%;"&gt;Oracle charges 'corporate theft,' slaps SAP with lawsuit&lt;?xml:namespace prefix = o /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/h1&gt;&lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="FONT-WEIGHT: bold;font-family:Arial;color:black;"  &gt;Todd R. 
Weiss&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="FONT-WEIGHT: bold;font-family:Arial;color:black;"  &gt;March 22, 2007&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt; (Computerworld) Painting a picture of what it calls "corporate theft on a grand scale," enterprise software vendor Oracle Corp. today sued German software rival SAP AG, alleging that SAP "has stolen thousands of proprietary, copyrighted software products and other confidential materials that Oracle developed to service its own support customers." &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;In a 44-page lawsuit &lt;b&gt;&lt;span style="FONT-WEIGHT: bold"&gt;&lt;a href="http://www.oracle.com/sapsuit/complaint.pdf" target="new"&gt;(download PDF)&lt;/a&gt;&lt;/span&gt;&lt;/b&gt; filed today in U.S. District Court in the Northern District of California, Oracle alleges that SAP "has copied and swept thousands of Oracle software products and other proprietary and confidential materials onto its own servers" as part of a plan to compile "an illegal library of Oracle's copyrighted software code and other materials." 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;"This storehouse of stolen Oracle intellectual property enables SAP to offer cut rate support services to customers who use Oracle software, and to attempt to lure them to SAP's applications software platform and away from Oracle's," the lawsuit alleges. Oracle said it filed the suit to "stop SAP's illegal intrusions and theft, to prevent SAP from using the materials it has illegally acquired to compete with Oracle and to recover damages and attorneys' fees." &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;A spokesman for SAP &lt;?xml:namespace prefix = st1 /&gt;&lt;st1:country-region st="on"&gt;&lt;st1:place st="on"&gt;Americas&lt;/st1:place&gt;&lt;/st1:country-region&gt; declined to comment on the suit. "We have just been notified of the lawsuit, and have taken note of the Oracle press release. We are still reviewing the matter, and, until we have a chance to study the allegations, SAP will follow its standard policy of not commenting on pending litigation," said Bill Wohl. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;The amount of damages being sought by Oracle was not revealed in the lawsuit. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;The suit cites 11 claims, including allegations that SAP violated the Federal Computer Fraud and Abuse Act and the California Computer Data Access and Fraud Act; engaged in unfair competition; engaged in intentional and negligent interference with prospective economic advantage; and civil conspiracy. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;The lawsuit also alleges that "SAP is engaged in systematic, illegal access to -- and taking from -- Oracle's computerized customer support systems. ... SAP gained repeated and unauthorized access, in many cases by use of pretextual customer log-in credentials, to Oracle's proprietary, password-protected customer support Web site." &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;The alleged incidents were discovered in late November 2006, according to the lawsuit. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;The case &lt;b&gt;&lt;span style="FONT-WEIGHT: bold"&gt;&lt;a href="http://www.computerworld.com/softwaretopics/software/story/0,10801,108567,00.html"&gt;may reflect a recent trend&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;, as third-party support services firms try to lure IT managers away from getting their support from the original software vendor toward lower-cost options from other providers. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;The lawsuit alleges that "the access and download activity Oracle observed on its systems in late November and December 2006 did not resemble the authorized, limited access to which its customers were entitled. Instead, SAP employees using the log-in credentials of Oracle customers with expired or soon-to-expire support rights had, in a matter of a few days or less, accessed and copied thousands of individual software and support materials." &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;In one case, using one customer's credentials, "SAP suddenly downloaded an average of over 1,800 items per day for four days straight (compared to that customer's normal downloads averaging 20 per month)," according to the suit. "Other purported customers hit the Oracle site and harvested software and support materials after they had canceled all support with Oracle in favor of SAP's TN division. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;"Oracle has found many examples of similar activity," the lawsuit said -- including more than 10,000 unauthorized downloads of material relating to hundreds of different programs. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;The downloads originated from an Internet Protocol (IP) address in Bryan, Texas, which is the location of an SAP America branch office and home to its wholly owned subsidiary SAP TN. 
SAP TN, according to the lawsuit, provides technical support services for versions of Oracle's PeopleSoft and JD Edwards applications. The lawsuit goes on to allege that SAP's motivation for its activities began after Oracle's January 2005 acquisition of PeopleSoft. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;"SAP AG had no answer for the business proposition the new Oracle offered," the suit alleged. "Not only do many SAP AG customers use Oracle's superior database software programs, but now Oracle offered a deeper, broader product line of enterprise applications software programs to compete against SAP AG." &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;"Rather than improve its own products and offerings, SAP AG instead considered how to undermine Oracle," the suit states. "One way was to hit at Oracle's customer base -- and potentially increase its own -- by acquiring and bankrolling a company that claimed the ability to compete with Oracle support and maintenance services on Oracle's own software products." &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;An Oracle spokeswoman also declined to comment on the lawsuit. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;Charles King, principal analyst with Pund-IT Inc. in &lt;st1:place st="on"&gt;&lt;st1:city st="on"&gt;Hayward&lt;/st1:city&gt;, &lt;st1:state st="on"&gt;Calif.&lt;/st1:state&gt;&lt;/st1:place&gt;, called the lawsuit "a curious state of affairs. 
Oracle has been trying very hard to remake itself as a company that looks more like SAP than as the classic Oracle," King said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;SAP provides a wide range of end-to-end business software applications, which is what Oracle has been trying to do through its acquisitions over the last several years, he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;"For SAP, the database is one part ... but simply one part of the technical underpinnings" needed by users. "Oracle started on the database side, and as time has gone on, the company has recognized that being a database specialist [alone] was not a way to sustain growth." &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;Oracle reacted by adding other application lines and becoming more like SAP, King said. "I think they've become very successful at pursuing that strategy." &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;Mervyn Adrian, an analyst with Cambridge, Mass.-based Forrester Research Inc., said that until the case is dissected, it's important not to assume that any of the alleged actions were done by SAP as corporate policy. Instead, any activity could have been the work of individual employees. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;"One always has to be careful to separate the acts of individuals from corporate acts," &lt;st1:city st="on"&gt;&lt;st1:place st="on"&gt;Adrian&lt;/st1:place&gt;&lt;/st1:city&gt; said. "It's hard for me to believe that a company would build such a program to do such a thing. It seems less than credible." &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;It is, however, "pretty routine for people [and companies] to look at each other's [Web] sites and grab whatever they can," he said. In cases such as those alleged in the Oracle lawsuit, that "usually represents misguided behavior on the part of individuals," he said. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Arial;color:black;"&gt;&lt;span style="font-family:Arial;color:black;"&gt;"This may turn out to be a tempest in a teapot," with someone ultimately being found to have done something wrong and then being disciplined, &lt;st1:city st="on"&gt;&lt;st1:place st="on"&gt;Adrian&lt;/st1:place&gt;&lt;/st1:city&gt; said. "I frankly doubt that [SAP is] driving its strategy based on pirated information on what their competition is doing. I don't think what they find in a Dumpster at Oracle changes their strategy on any basis." Computerworld&lt;i&gt;&lt;span style="FONT-STYLE: italic"&gt;'s Marc L. 
Songini contributed to this report.&lt;/span&gt;&lt;/i&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;!-- HTMLBODY-LOCATED --&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style="font-family:Arial;"&gt;&lt;span style="font-family:Arial;"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;</description><link>http://www.made4biz-security.com/log/2007/03/new-called-war-irrupted-just-because.html</link><author>Made4biz Security</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-3622592209194769260.post-1182037405400295499</guid><pubDate>Sun, 25 Mar 2007 14:42:00 +0000</pubDate><atom:updated>2007-03-25T14:45:11.983Z</atom:updated><title>FYI</title><description>&lt;div class=Section1&gt;  &lt;h1&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black'&gt;Ten dangerous claims about smart phone security&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/h1&gt;  &lt;table class=MsoNormalTable border=0 cellpadding=0 width=375 style='width:281.3pt'&gt;  &lt;tr&gt;   &lt;td style='padding:.75pt .75pt .75pt .75pt'&gt;   &lt;div style='z-index:99999' id="OUTER_DIV_19782112_11174833653196"&gt;   &lt;p class=MsoNormal&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span   style='font-size:11.0pt;font-family:Arial;color:black;font-weight:bold'&gt;Jon   Espenschied&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span   style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;   &lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/table&gt;  &lt;p&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt; font-family:Arial;color:black;font-weight:bold'&gt;  
March 23, 2007&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span  style='font-size:11.0pt;font-family:Arial;color:black'&gt; (Computerworld) My  heart sank when I first saw Al Gore pull out his BlackBerry. It was in the  waning weeks of the 2000 presidential campaign, and there he was on the TV,  tapping away on his then-novel converged device.&amp;nbsp;Though I had no  evidence, I was positive that whatever he was reading had already been perused  by some conservative skunk works, with his responses scrutinized not long  after.&amp;nbsp;Given recent revelations about the opposition's&amp;nbsp;&lt;a  href="http://www.slate.com/id/2161312/entry/0/" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;ethics&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;and  panting obsession with&amp;nbsp;&lt;a  href="http://www.cbsnews.com/stories/2006/01/19/politics/main1223080.shtml"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;domestic  spying&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;, I still suspect that any eavesdropping  technically possible at the time was probably being done. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;So imagine my dismay when I saw &lt;a  href="http://www.poy.org/63/15/ae03_04.php" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;Sen. Barack Obama&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;pulling  a BlackBerry from his coat pocket shortly after announcing his candidacy for  president. 
Like many others addicted to their converged devices (Sen. John  McCain was apparently&amp;nbsp;&lt;a  href="http://thinkprogress.org/2007/01/24/mccain-falls-asleep/" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;indulging&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;during  the last State of the Union speech, not sleeping), he's become a constant  user, and he now uses it to manage a large portion of his communications.  While I hope these politicians have IT staffers paying attention to this sort  of thing, more often than not, a series of underinformed security and privacy  assumptions are made shortly before sensitive information starts flowing.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Many common assumptions about the security and  privacy of smart phones or other handheld converged devices are off-base or  just flat-out wrong. For any high-value target -- whether that's a political  candidate or an organization with valuable financial or personal data -- a  little more thought ought to go into the process of selecting and deploying  any device handling important data.&amp;nbsp;It makes sense then to challenge the  more widespread assumptions and consider how to handle oft-ignored risks.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;1. 
It's just a phone with cool features, right?&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font  size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;  color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;No, it's not. There's been a major shift in  smart phone architecture in the past few years.&amp;nbsp;Yesterday's phone ran an  embedded operating system with software hooks written for the specific model's  CPU, interface,&amp;nbsp;&lt;a href="http://en.wikipedia.org/wiki/Vocoder"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;vocoder&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;  &amp;nbsp;and radio. Today's mobile converged device is more likely to run  software considerably more advanced and versatile than desktop systems just 10  years ago. That versatility is an enemy of security because it turns the  underlying security architecture on its head.&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;It used to be that a phone or small handheld  device had a default-deny security model, because every feature was added from  the ground up. 
There were no extraneous services running on the device,  because every one was purpose-built.&amp;nbsp;Now most converged devices run  commodity operating systems, such as &lt;a href="http://www.symbian.com/"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;Symbian  OS&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp; (owned in part by Nokia and Sony  Ericsson) or Microsoft's Windows&amp;nbsp;&lt;a  href="http://en.wikipedia.org/wiki/Image:Windows_CE_Timeline.png"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;CE/Mobile&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;family,  that have portability as a core design goal.&amp;nbsp;This means there are plenty  of communications services and data handling hooks in the code base, and it's  up to phone and application developers to ensure unused code is removed or  disabled where not appropriate.&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;No one wants to annoy customers, so more often  than not, a wide range of services and interfaces is included and enabled --  equivalent to a default-allow stance. 
While I'm a fan of open systems, it's  worth evaluating a mobile device that provides the features you want and no  more in the base configuration -- perhaps a&amp;nbsp;&lt;a  href="http://www.technewsworld.com/story/44222.html" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;&amp;quot;feature phone&amp;quot;&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;  &amp;nbsp;instead of&amp;nbsp;a smart phone -- and place less priority on the capacity  for upgrades and expansion.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;&lt;!--page--&gt;2. It's stable, just like any other  purpose-built appliance.&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black  face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Don't assume that the lack of operating system  patches and application updates for a smart phone means that they aren't  needed.&amp;nbsp;In the short&amp;nbsp;&lt;a  href="http://www.viruslist.com/en/analysis?pubid=170773606" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;history&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;of  mobile malware, Symbian received bad press by playing host to the first,  the&amp;nbsp;&lt;a  href="http://www.viruslist.com/en/viruses/encyclopedia?virusid=60663"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;Cabir&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;worm.  
However, Windows CE wasn't far behind with the&amp;nbsp;&lt;a  href="http://www.viruslist.com/en/viruses/encyclopedia?virusid=60590"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;Duts&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;virus  and&amp;nbsp;&lt;a  href="http://www.viruslist.com/en/viruses/encyclopedia?virusid=56883"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;Brador&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;Trojan.&amp;nbsp;Even  single-purpose network devices are periodically found vulnerable to network  and service exploits, and vendors ought to make updates available in a timely  manner.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;The bad news is that mobile platform vendors  are still very slow to issue operating system and application  patches.&amp;nbsp;The only practical way to mitigate this is through a mix of  process and technology: Teach users proper skepticism of e-mailed attachments  and unexpected connection or update confirmations, and implement&amp;nbsp;&lt;a  href="http://usa.kaspersky.com/products/antivirus-mobile.php" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;anti-malware&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;  &amp;nbsp;programs for those who just keep clicking &amp;quot;OK.&amp;quot;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;3. 
Communications are encrypted from end to  end.&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span  style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;BlackBerry and Sidekick users may have heard  that their communications are encrypted &amp;quot;end to end,&amp;quot; but e-mail and  other communications are encrypted only from the phone to the phone company or  service provider's servers.&amp;nbsp;Beyond that point, e-mail, instant messages  and file transfers may be transmitted unencrypted over the public Internet by  default.&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;This is less of a concern for closed  organizations where everyone involved uses the same services, but vendors,  partners, consultants and others outside the organization often use their own  e-mail addresses and smart phones on other carriers. There's no guarantee of  message encryption in these cases, and the risk is no better or worse than any  other Internet e-mail.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;4. 
The connection's secure unless I use Wi-Fi  in a cafe.&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span  style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Some might be concerned about the cellular  connection itself.&amp;nbsp;The GPRS and EDGE data protocols used by T-Mobile and  Cingular are based on GSM, and GSM authentication algorithms such as&amp;nbsp;&lt;a  href="http://cryptome.org/gsm-a512.htm" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;A5&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;have  been&amp;nbsp;&lt;a href="http://cryptome.org/gsm-joke.htm" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;broken&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;in  ways that allow a motivated eavesdropper to reconstruct voice and data  conversations with only a few thousand dollars of equipment.&amp;nbsp;CDMA and  associated algorithms are mildly more secure (&lt;a  href="http://www.qualcomm.com.au/PublicationsDocs/authsecslides.pdf"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;PDF  format&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;), but many carriers choose not to  implement all of the security controls available because of performance and  handset compatibility.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Use a VPN to mitigate this problem for  sensitive data and make sure essential services are encrypted at the  application level using SSL or similar 
protocols. While it might seem  redundant, using a voice-over-IP client through a smart phone's VPN data  connection is one way to ensure that voice calls are private.&amp;nbsp;Direct  SIP-compliant VoIP clients are best for this; closed-protocol applications  such as Skype Mobile may try to route across a public connection even if a VPN  is available. It also may relay connections between&amp;nbsp;&lt;a  href="http://en.wiktionary.org/wiki/NAT" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;NAT&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;  endpoints through random clients on the Internet, so it's not a good candidate  in this scenario.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;It's also worth noting that VoIP with AEC, one  of the features of Windows Mobile 5, is not encryption. AEC refers to Acoustic  Echo Canceling, not the NIST Advanced Encryption Standard (&amp;quot;&lt;a  href="http://www.iaik.tu-graz.ac.at/research/krypto/AES/" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;AES&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;  &amp;quot;) described in FIPS 197.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;&lt;!--page--&gt;5. 
E-mails and messages are secure  from prying eyes.&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black  face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Whoever controls your smart phone application  server has access to your data.&amp;nbsp;While smart phone service providers and  software packages all provide a modicum of access control, administrators with  root access can always get at your information if they want.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;While your corporate IT department might not be  spying on marketing on behalf of finance, Obama might want to take note that  congressional IT&amp;nbsp;&lt;a  href="http://whitepapers.techrepublic.com.com/casestudy.aspx?docid=164813"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;organizations&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;that  serve both Democratic and Republican senators have had several incidents  involving e-mail disclosures to other parties.&amp;nbsp;In the midst of the Mark  Foley scandal, it was interesting to note a person&amp;nbsp;&lt;a  href="http://www.harpers.org/sb-republicans-1160492797.html" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;described&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;in  the media as a &amp;quot;Democratic operative&amp;quot; was able to retrieve and  forward messages sent months earlier from a Republican representative's smart  phone.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 
color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Know where messages and other data reside when  sent from a smart phone. If service is provided by a neutral vendor, make sure  you have a service-level agreement that considers whether your data may be  commingled with other businesses -- possibly your competitors -- on the same  systems. Those with specific competitive concerns ought to run their own  systems using their own administrative staff. Obama would do well to use a  device controlled by the Democratic National Committee or his own campaign,  rather than one managed by Senate IT staff and easily influenced pages.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;6. Using a mobile phone constitutes out-of-band  communication.&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span  style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;A phone call over a landline used to be an  acceptable method for communicating out-of-band administrative information.  For example, a system administrator might call you back at your desk to  verbally give you a new password (which you then changed, right?). This worked  because the desk phone was isolated from the network and system resources to  which you were being given access.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Not so anymore. 
If you lose your smart phone  and IT calls you back on that mobile number to confirm the trouble ticket, is  it a meaningful method of verifying the identity or location of the person who  answers? Of course not. Possession of the number means little if anything  anymore, especially since most phones will allow answering of an incoming call  even when locked.&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;IT help desks should cross callbacks off the  list of acceptable methods of identity verification for anything to do with  mobile devices or remote access. The new BlackBerry Smart Card&amp;nbsp;&lt;a  href="http://na.blackberry.com/eng/ataglance/security/products/smartcard.jsp"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;Reader&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;is  a viable option for those who need to authenticate using something they  possess, and while similar options lag a little on other platforms, they  are&amp;nbsp;&lt;a href="http://msdn2.microsoft.com/en-us/ms881565.aspx"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;available&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;&lt;!--page--&gt;7. 
I trust the integrity of data and  applications on a smart phone.&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2  color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;  color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;On modern desktop and server systems, file  systems with journaling, database-like features and integrated backup are  common. Not so with mobile devices, where almost all data integrity relies  upon some sort of synchronization with a stable fixed server system for backup  and management.&amp;nbsp;&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Windows Mobile users can use a variety of  synchronization options to ensure that messages and data on the mobile device  are consistent with a central Microsoft-based repository such as Exchange,  SharePoint or even&amp;nbsp;&lt;a  href="http://agramont.net/blogs/conrad/archive/2007/01/10/Using-Groove-2007-as-a-_1C20_Roaming-Folder_1D20_-for-mobile-and-multi_2D00_computer-users.aspx"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;Groove&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;file-share  workspaces. BlackBerry Enterprise  users have over-the-air device security options that include data  synchronization and backup, and remote shutdown options for lost devices.
(A  product called&amp;nbsp;&lt;a href="http://www.mobilecreek.com/products.htm"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;SyncBerry&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;provides  advanced sync and backup features to SyncML-capable systems, and extends some  of the BlackBerry goodness to Symbian users.)&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;T-Mobile's Sidekick, on the other hand, stores  very little data locally because it's constantly&amp;nbsp;&lt;a  href="http://everything2.com/index.pl?node_id=1432028&amp;amp;lastnode_id=0"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;synchronizing&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;with  the servers at Danger Inc., the manufacturer. If the device is lost, damaged  or reset, data can be reloaded on the device by logging in with a name and  password. However, this means that data is stored at a service provider with  which individuals have a rather one-sided service-level agreement unsuitable  for corporate use.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;All of this can be protected by setting the  device to require a passcode at start-up. If the wrong passcode is entered  four times on Sidekick, local data is erased but can be restored by a remote  password reset on the management Web site. 
Security administrators might  lament the scarcity of people who use this feature, but it's interesting to  note that the young&amp;nbsp;&lt;a href="http://www.evanwashere.com/StolenSidekick/"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;thief&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;who  acquired the now-famous Sidekick II in New York last year was identified  and arrested only because she had access to the phone, sent messages and took  pictures of herself -- which then synchronized with the legitimate owner's  account on the Danger servers.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;What about application integrity? OK, you say,  you'll just install digitally signed or approved applications. A few months  ago, some enterprising pot-stirrers managed to buy a BlackBerry code-signing  key from RIM (arguably the most security-oriented of the smart phone vendors)  for&amp;nbsp;&lt;a  href="http://securitywatch.eweek.com/exploits_and_attacks/cracking_the_blackberry_with_a_100_key.html"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;$100&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;,  no questions asked.&amp;nbsp;This is all bad.&amp;nbsp;Users tricked into giving  network access to unsigned applications may be opening themselves up to all  sorts of spyware, message relay and other malware, but signed applications  don't even require consent to suspicious prompts. It's far better to teach  astute users about acceptable applications and forbid the rest from installing  anything.
The choice of installable applications ought to be from a whitelist  -- or no list.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;8. Information deleted from a smart phone is  gone, right?&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span  style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Most converged devices have relatively small  storage capacities, and use variants of the venerable FAT file system. When a  file is deleted, the markers for the beginning and end of the data on the  storage media are removed so that it is no longer retrievable by normal means  (orphaned). However, the actual data remains until it's overwritten. There are  no guarantees against orphaned data. In fact, the whole practice of cell phone  forensics rests on the availability of orphaned data and logs.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;I'm not aware of any smart phone that comes  with a secure delete function to remove orphaned file system  data.&amp;nbsp;Perhaps, Apple will include the file system wiping&amp;nbsp;&lt;a  href="http://www.apple.com/macosx/features/security/" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;option&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;from  OS X in its forthcoming iPhone, but it's not present in any of the other major  players' offerings. 
With many smart phones offering basic word processing and  spreadsheet applications, residual data from deleted copies becomes even more  of an issue.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;IT staffers responsible for disposal of  outdated smart phones should use tools to ensure that residual data is  removed.&amp;nbsp;The simple method is to copy and erase chunks of data onto the  device in a manner that fills the flash memory or hard disk, but forensically  sound methods are available from various&amp;nbsp;&lt;a  href="http://www.paraben-forensics.com/handheld_forensics.html" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;vendors&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;.  If the device memory can't be erased, it should be destroyed -- a damaged but  repairable smart phone ought not be found in the trash. Those resorting to a  hammer are&amp;nbsp;&lt;a  href="http://gizmodo.com/gadgets/laptops/actual-video-of-an-exploding-laptop-battery-214322.php"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;advised&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;to  remove the Li-Ion battery first.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;&lt;!--page--&gt;9. 
Spying on my smart phone is hard.&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font  size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;  color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Think spying on your activities is  hard?&amp;nbsp;Think again. Most smart phones have no equivalent of Bluetooth  authentication when plugged in; they just become slave USB devices and give up  all your data. Worse yet, a rogue employee, jealous husband or political  opponent can buy backdoor malware ... uh, &amp;quot;remote phone monitoring&amp;quot;  software&amp;nbsp;&lt;a href="http://www.flexispy.com/" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;here&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;and  keep ongoing tabs on communications. If they manage to install the spendy  version on your phone (or trick you into doing it), it even includes remote  microphone activation and generates a tidy Excel spreadsheet of your activities  each day.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Flexispy is cheap, oriented toward consumers  and very worrisome. It's only available for Symbian so far, but less-polished  remote viewing software or illicit copies of management tools are available  for BlackBerry, Windows Mobile and other platforms. 
It's not clear if  anti-malware products send alerts upon finding these, so the best policy now  is to educate users on physical security and admonish them not to install  unexpected software or updates.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;10. Abuse is minimal because the network and  phones are constrained.&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font size=2 color=black  face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Four words: Remember ASCII art  porn.&amp;nbsp;Network miscreants will work with what's available, and resource  limitations only make those inclined to misbehave do so in more creative ways.  The difference is that smart phones are quite capable, and modern 2.5G and 3G  phone networks provide surprisingly adequate bandwidth. For example, there are  now multiple BitTorrent clients for&amp;nbsp;&lt;a  href="http://www.symbian-freak.com/news/006/10/sym_torrent.htm" target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;Symbian&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;as  well as other platforms, some phones are adept at seamlessly switching between  cellular and unsecured Wi-Fi networks, and with the price point for 4+ GB  flash cards dropping below $100, there's lots to worry about.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;To paraphrase Steve Jobs, misuse of technology  is a social problem, not a technological one. 
Having a well-defined policy for  the use of converged devices is essential prior to deployment. Conversely,  rolling out smart phones without proper guidance will lead to all sorts of  havoc. Users might respect pay-per-minute airtime as a corporate asset, but  unless instructed otherwise they'll think of flat-rate data services as free  connectivity on someone else's network (not covered by your policy), and the  phone itself as corporate tribal adornment suitable for display anywhere,  anytime.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;&lt;b&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;More to consider&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;font  size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;font-family:Arial;  color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;Am I advocating Naomi Campbell's&amp;nbsp;&lt;a  href="http://galleryoftheabsurd.typepad.com/14/2006/04/the_naomi_campb.html"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;method&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;of  disposing of one's fancy mobile?&amp;nbsp;No, in fact, just this month I bought a  new smart phone.&amp;nbsp;While I'm no fan of troublesome devices -- two  colleagues recently commented that their new WM5 phones rarely crash more than  once per day now -- mobile e-mail and Internet access are quickly becoming de  rigueur.&amp;nbsp;I made a list of the functions I needed and tried to avoid  models that included features I would not use or could not secure.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  
font-family:Arial;color:black'&gt;Readers looking for a structured set of  criteria for evaluating and selecting a specific smart phone product are  encouraged to read NIST Special Publication 800-48 (&lt;a  href="http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf"  target="_blank"&gt;&lt;strong&gt;&lt;b&gt;&lt;font face=Arial&gt;&lt;span style='font-family:Arial'&gt;PDF  format&lt;/span&gt;&lt;/font&gt;&lt;/b&gt;&lt;/strong&gt;&lt;/a&gt;).&amp;nbsp;It's a little dated, but when  mobile system and application developers are rediscovering every mistake they  made a decade ago with remote desktop and laptop systems, these old documents  are right on the mark.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black'&gt;&lt;br&gt;  &lt;b&gt;&lt;span style='font-weight:bold'&gt;Jon Espenschied&lt;/span&gt;&lt;/b&gt; &lt;em&gt;&lt;i&gt;&lt;font  face=Arial&gt;&lt;span style='font-family:Arial'&gt;has been at play in the security  industry for enough years to become enthusiastic, blasé, cynical, jaded,  content and enthusiastic again. 
He is currently a senior security consultant  in Seattle,  where his advice has been ignored by CEOs, auditors and sysadmins alike.&lt;/span&gt;&lt;/font&gt;&lt;/i&gt;&lt;/em&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;&lt;i&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span style='font-size:11.0pt;  font-family:Arial;color:black;font-style:italic'&gt;This column has been edited  to correct a misstatement: The Symbian OS is in fact owned in part by Nokia  and Sony Ericsson.&lt;/span&gt;&lt;/font&gt;&lt;/i&gt;&lt;font size=2 color=black face=Arial&gt;&lt;span  style='font-size:11.0pt;font-family:Arial;color:black'&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;  &lt;/div&gt;  </description><link>http://www.made4biz-security.com/log/2007/03/fyi.html</link><author>Made4biz Security</author></item></channel></rss>
