WISH YOU A HAPPY AND SECURE YEAR 2009

Saturday, August 2, 2008

Quote of the day

Cowardice asks the question: is it safe? Expediency asks the question: is it politic? Vanity asks the question: is it popular? But conscience asks the question: is it right? And there comes a time when one must take a position that is neither safe, nor politic, nor popular- but one must take it simply because it is right.

Martin Luther King Jr.

1929-1968

New IT Term of the day

Proxy Trojan


A type of Trojan horse designed to use the victim's computer as a proxy server. This gives the attacker the opportunity to do everything from your computer, including the possibility of conducting credit card fraud and other illegal activities, or even to use your system to launch malicious attacks against other networks.

How secure is secure enough?

HOLY GRAIL : How secure is secure enough?

Jaikumar Vijayan

Computerworld

July 28, 2008

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=321921&source=NLT_SIC&nlid=92

If there is a Holy Grail in the information security industry, it surely is the answer to the question, "How secure is secure enough?"

It's a question that many security managers have either avoided answering altogether or tried to quickly sidestep by throwing a fistful of mainly pointless operational metrics at anyone who cared to ask.

But with a faltering economy beginning to put the squeeze on IT budgets, and security managers being asked to justify every dollar they spend, there is a growing need to come up with a better answer to the query. Increasingly, there is pressure on IT managers to demonstrate how exactly their security investments are helping them manage threats to their businesses. Companies want to know if the money they are spending on security is too much, too little or just enough.

Answering the question with any degree of accuracy involves art and luck as much as it does science, say security managers. But by adopting the right approaches, it is possible to arrive at a better answer than some might expect, they say.

Here are five steps to help you determine whether your company is secure enough.

1. Decide how secure you want to be.

To know whether your security controls are meeting business objectives, you first have to know how secure you want to be, says Krag Brotby, a consultant at the Information Systems Audit and Control Association (ISACA) and author of several books on security governance models.

There is no such thing as 100% avoidance of all risk, so the goal should be to decide how much you are comfortable with, he says.

"People often talk about acceptable risk," says Brotby, but what you really should focus on is acceptable business impact.

In other words, exactly how much disruption is your business willing to endure from a security compromise before it invests in mitigating potential threats? To make that determination, consider these questions:

- How much is the business willing to spend to mitigate a threat that poses a 1-in-10 chance of causing a business disruption worth about $2,000?

- How much would it be willing to spend on the same threat if it was likely to result in $10 million in damages?

- How long can a critical system be down?

- What sort of recovery-time objectives need to be met?

- What, if any, are the regulatory and industry compliance obligations?

"These are the type of questions that need to be asked at the executive level," Brotby says. "By the time you are through this negotiation process, you have a very strong indication of the acceptable level of impact" and can plan for the future accordingly.

2. Get a handle on asset value.

To manage risk, it's not enough just to know how serious a threat is, says John Meakin, group head of information security at Standard Chartered Bank. You also need to understand the probability of that threat actually being exploited in your environment, the value of the assets that are the targets of the threat and the likely effect on your business. Only then can you really know if the cost involved in mitigating a threat is justified, he says.

That approach has allowed Standard Chartered to do things like defer installing security patches — even critical ones — on some systems because it decided that the effort was not worthwhile, based on the actual risk.

Similarly, it has allowed the bank to permit unauthenticated access to some of its internal systems because there are enough compensating physical security controls.

"Once you use a risk-driven approach, it actually is incredibly liberating. It allows you to challenge some of the long-held rules" related to the use of security tools, Meakin says.

Core to this approach is the need to understand asset value, he says. Not all IT systems are created equal, and not all of them present the same risks or have the same level of exposure to threats. Therefore, it's important to assign a business value to the IT assets in your organization, says Meakin.

Asset value is based on factors such as the criticality of applications or the services supported by an IT asset and its interdependencies with other applications and infrastructure components, he says.

For instance, an Active Directory server that supports multiple business-critical applications would likely be considerably more important than a server running an e-mail application, from a business continuity standpoint.
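The two steps above amount to a small calculation: weight each threat by its probability and by the value of the asset it targets, compare the expected loss against the impact the executives said they can live with, and only then ask whether the cost of a control is justified. The script below is an added example of that calculation, not code from the article or from ISACA, Standard Chartered or any other organisation it quotes; the register entries, the tolerance figure and the control costs are constructed, except that the first two entries plug in the article's own 1-in-10 odds against a $2,000 and a $10 million disruption.

```python
"""Added example: a small risk register that turns 'acceptable business impact'
and asset value into an expected yearly loss and a spend decision.
Not code from the article; figures below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # business value of the asset at stake (constructed, in dollars)
    probability: float      # estimated chance the threat materialises in a year (0..1)
    impact_fraction: float  # share of the asset value lost when it does (0..1)
    control_cost: float     # annual cost of the control that would mitigate it
    control_effect: float   # fraction of the loss the control removes (0..1)


def annual_loss_expectancy(r: Risk) -> float:
    """Probability-weighted yearly loss: the 'likely effect on your business'."""
    return r.probability * r.asset_value * r.impact_fraction


def control_net_benefit(r: Risk) -> float:
    """Loss avoided by the control minus what the control costs per year."""
    return annual_loss_expectancy(r) * r.control_effect - r.control_cost


def decide(r: Risk, acceptable_impact: float) -> str:
    """Map a risk to one of three outcomes:
    accept   - expected loss is already within the agreed tolerance
    mitigate - above tolerance and the control pays for itself
    review   - above tolerance but no cost-effective control; needs an executive decision
    """
    if annual_loss_expectancy(r) <= acceptable_impact:
        return "accept"
    if control_net_benefit(r) > 0:
        return "mitigate"
    return "review"


def prioritise(risks, acceptable_impact):
    """Rank risks by expected loss so spend goes to the largest business impact first."""
    ranked = sorted(risks, key=annual_loss_expectancy, reverse=True)
    return [(r.name, round(annual_loss_expectancy(r), 2), decide(r, acceptable_impact))
            for r in ranked]


# Constructed register. The first two entries use the article's own figures
# (a 1-in-10 threat against a $2,000 disruption, and the same odds against $10 million).
REGISTER = [
    Risk("minor outage", 2_000, 0.10, 1.0, control_cost=1_500, control_effect=0.9),
    Risk("core banking outage", 10_000_000, 0.10, 1.0, control_cost=150_000, control_effect=0.9),
    # a patch whose rollout effort outweighs the loss it removes, as in the deferral described above
    Risk("unpatched test server", 50_000, 0.05, 1.0, control_cost=20_000, control_effect=0.95),
]
ACCEPTABLE_IMPACT = 500.0  # constructed executive tolerance for expected yearly loss

if __name__ == "__main__":
    for name, ale, decision in prioritise(REGISTER, ACCEPTABLE_IMPACT):
        print(f"{name:25s} ALE=${ale:>14,.2f}  -> {decision}")
```

The "review" outcome is the interesting one: it marks a risk that exceeds the agreed tolerance but for which the proposed control costs more than it saves, which is exactly the situation where the article's interviewees either accept the risk consciously or look for a cheaper compensating control.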

3. Implement a control framework.

Once you have a good idea of the desired state of security, choose the most appropriate set of technology, management and process controls to help you get and stay there.

Perhaps the most efficient way of doing this is to implement an internal framework that maps business and risk management requirements to their appropriate IT controls, says Eric Litt, chief information security officer at General Motors Corp.

"In order to make good decisions, you need to have a framework for your security program," he says.

Standards such as the Cobit control framework, ISO 17799/27001 and COSO can help IT organizations identify the controls that will help them meet their particular business needs and comply with regulatory requirements, Litt says.

"You get every single tool underneath the sun," he says. "That's what these frameworks provide for you."

The ISO 27001 and 27002 frameworks can help a company develop policies, procedures and processes for meeting its risk management and compliance objectives, Litt says. They also provide a list of technology controls that need to be used to meet those objectives.

For example, the frameworks can be used to decide the appropriate tools to meet an internal data access control objective or to comply with a statute that requires data logging and auditing capabilities.

A formal framework gives companies a way to quickly assess how effectively their controls are working, because each security control is mapped to a specific business or compliance objective, says Marc Othersen, an analyst at Forrester Research Inc.

"It shows why a control is there in the first place. It links security controls to IT risks and shows what would happen if a particular control fails," says Othersen. "The IT risk management goal is to put context around a control failure."

4. Measure everything.

Use metrics to ensure compliance with control objectives. The audiences for such metrics and the purposes those metrics serve can vary, so it's important to ensure that all aspects of an IT security program are measured.

A metrics program that is focused purely on operational data — such as firewall log data or antivirus data — offers no navigational or management metrics, says ISACA's Brotby.

"If I don't have good policy compliance, is it because people don't know how to do it or because they are ignoring my policy?" he says.

To understand such issues, GM has established a four-tiered metrics framework to collect and analyze performance data on multiple aspects of the company's information security program.

GM's Metrics Framework

The audiences for information security metrics and the purposes those metrics serve can vary, so it's important to ensure that all aspects of an IT security program are measured. The layers on the GM pyramid do not represent a hierarchy; they are simply used to separate metrics by purpose and by audience. The minute-by-minute operational metrics, for example, help IT managers determine whether security tools are working as intended. The process layer helps the company decide whether course corrections are needed. The executive layer helps the information security team communicate with top management.

EXECUTIVE METRICS

(e.g., return on investments, and areas of overinvestment or underinvestment)

PROGRAM METRICS

(e.g., effectiveness of security training, governance and compliance programs)

PROCESS METRICS

(e.g., effectiveness of a security change-control process or an event remediation process)

OPERATIONAL AND TACTICAL METRICS

(e.g., incident logs, antivirus statistics, security tool uptime, software patch availability)

The right metrics can help businesses track, trend and report on security performance, says Ed Cooper, vice president of marketing at Skybox Security Inc., a vendor whose risk-modeling products are used by organizations such as Standard Chartered Bank. The trick is to know which metrics make sense for each stakeholder, how to gather the information and what language to present it in, he says.

"Everybody looks at risk from their own point of view. Metrics have to be put into some sort of relevancy" for each perspective, Cooper says.

5. Monitor all controls.

Implementing controls for dealing with security threats is one thing. Testing, monitoring and validating them is another. "If you have key controls on critical processes, you need continual monitoring to make sure they are working," Brotby says.

This sort of monitoring can be part of a broader IT governance program or compliance and auditing effort.

Often, many of the controls that companies are using to manage risk were originally implemented in response to some tactical issue. Many companies, for instance, have implemented network behavior analysis tools in response to concerns over so-called zero-day threats that take advantage of unpatched software vulnerabilities.

It's important to tie controls back to a specific business risk and then monitor them to ensure that they are indeed doing what they were intended to do.

"The problem with controls is that they are put in place reactively to a particular problem, and then they pile up, so you get layers of controls that people don't know are controls," Brotby says.

To a large extent, governance is what you are doing when you gather metrics to prove compliance with an internally or externally driven security requirement, Meakin says.

"Compliance means showing these are the risks and these are the controls, and, yes, I have mapped those controls to the regulatory requirement," he says. "The fact I am measuring is a demonstration of proper governance."

Taking such steps will be challenging for large companies where the security environment has grown in response to tactical considerations as opposed to strategic ones.

BBC fined £400,000 over unfair phone-ins

MEDIA FRAUD : BBC fined £400,000 over unfair phone-ins

Mark Sweney and Leigh Holmwood

The Guardian,

July 31 2008

http://www.guardian.co.uk/media/2008/jul/31/bbc.television

The BBC has been fined a record £400,000 by Ofcom for "unfair conduct of viewer and listener competitions" in shows including Children in Need and Comic Relief.

Ofcom imposed the fine, the highest the media regulator has imposed on the BBC, for numerous breaches of its broadcasting code relating to "faking winners and misleading its audience".

Last year's BBC1 charity shows Comic Relief and Sport Relief have been hit with £45,000 fines and Children in Need from 2005 received a £35,000 Ofcom sanction. The name of a fictitious winner was read out on air on Children in Need.

Liz Kershaw's 6Music show, which faked winners of listener competitions on up to 17 occasions, got the biggest individual fine, £115,000.

The other Ofcom fines for viewer and listener deception were for the Jo Whiley show on Radio 1, £75,000; Russell Brand's 6 Music show, £17,500; the Clare McDonnell show on 6 Music, also £17,500; and BBC children's TV series TMi, £50,000.

In the Russell Brand show a staff member posed as a competition winner in an edition of the show that was billed as live but was recorded. Listeners who called or texted had no chance of winning. Ofcom singled out the digital station's former head of programming, Ric Blaxill, saying it was concerned that deception was undertaken with his "full knowledge".

The Jo Whiley show faked a competition winner on two occasions.

Ofcom can fine the BBC a maximum of £250,000 a transgression. The fines will be paid from licence fee payers' money to Revenue & Customs.

Overall, Ofcom found that the BBC failed to have "adequate management oversight" of its compliance and training procedures to ensure the audience was not misled. It added that although viewers and listeners paid the cost of their calls to take part in the contests, the BBC did not receive any money from the entries.

The BBC Trust, which holds the corporation to account, said it regretted that the fine would lead to a loss of licence fee payers' money. It said the BBC made a public apology last summer and "a firm commitment to put its house in order".

In a statement, the BBC said it had put in place a training programme for over 19,000 staff, technical protections, guidance to programme makers on the running of competitions and a strict code of conduct.

Broadcasters have so far been fined a total of £11.1m over fakery cases over the past year. Earlier this year ITV was fined a record £5.67m for the abuse of premium rate lines on shows including Ant and Dec's Saturday Night Takeaway.

IOC admits to accepting China Internet censorship

BROKEN PROMISE : IOC admits to accepting China Internet censorship

Steven Schwankert

IDG News Service

July 31, 2008

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111159&source=NLT_VVR&nlid=37

BEIJING — The International Olympic Committee admitted yesterday that it made a deal with Chinese officials to accept censorship of the Internet during the Beijing Olympic Games, which begin Aug. 8.

"IOC officials negotiated with the Chinese [so] that some sensitive sites would be blocked on the basis they were not considered Games-related," said Kevin Gosper, chairman of the IOC's press commission, according to press reports. "I regret that it now appears BOCOG [the Beijing Organizing Committee for the Games of the XXIX Olympiad] has announced that there will be limitations on Web site access during Games time," he added.

BOCOG's top spokesperson said today that Web sites that are "banned" will remain so.

"If a few Web sites are difficult to browse, it's mainly because they have spread content that is banned by the Chinese laws," Sun Weide told the state-run Xinhua News Agency. "The Internet is regulated according to law in China, just like in other countries."

He called Internet access in China and during the Olympics "sufficient." "The channel is smooth for foreign journalists in Beijing to report the games and report China using the Internet," Sun said.

Press freedom groups reacted quickly to the admission.

"Yet another broken promise," said Reporters Without Borders, in a statement. "Coming just nine days before the opening ceremony, this is yet another provocation by the Chinese authorities. This situation increases our concern that there will be many cases of censorship during the games. We condemn the IOC's failure to do anything about this, and we are more than skeptical about its ability to 'ensure' that the media are able to report freely."

RSF's Web site is blocked to users in China.

"The Chinese government's controls on the Internet are contrary to the free reporting environment promised by the hosts and contradict International Olympic Commission assurances that the press will be able to operate as at previous games. Thousands of visiting journalists will now get to experience the censorship that reporters and other Internet users in China have to put up with every day," said a statement on the Web site of the Foreign Correspondents Club of China, an association of China-based foreign journalists.

China's insistence on Internet censorship violates assurances given to the IOC at various points, most recently in April. "We were satisfied by the assurances we received across a number of areas — media service levels, including Internet access, brand protection, environmental contingency plans for improved air quality, and the live broadcast feed," said IOC Coordination Commission Chairman Hein Verbruggen, during his final pregames visit to Beijing in April.

China blocks access to Web sites containing pornography, violence and antigovernment material, including political views opposing the Chinese Communist Party and those expressing support for independence for Taiwan, Tibet and Xinjiang.

Also Read :

Chinese Hotels to spy on Olympics guests, says U.S. senator

He claims Chinese authorities forced foreign-owned hotels to install eavesdropping equipment

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111043

Exploit reveals the darker side of automatic updates

AUTO RISK : Exploit reveals the darker side of automatic updates

Neil McAllister

PC World

July 30, 2008

http://www.pcworld.com/article/149105/2008/07/exploit_reveals_the_darker_side_of_automatic_updates.html?tk=rss_news

A recent study of Web browser installations showed that far too few are up to date with the latest security patches. And browsers aren't alone; as my dear old mum can attest, it can be hard to keep up with operating system and application patches when all you want to do is use your computer for work. It should come as no surprise that many PCs are vulnerable to security exploits that could otherwise be prevented.

Firefox got top marks in the browser study because of its automatic update feature, which notifies users of the latest patches as soon as they're available. A growing number of vendors are using a similar approach, automatically checking for updates whenever you use their software.

But now it turns out that automatic updates aren't always all they're cracked up to be. A new exploit called Evilgrade can take advantage of automatic updaters to install malicious code on unsuspecting systems, and your computers could be more vulnerable than you think.

Evilgrade is designed as a modular framework that accepts plug-ins capable of mounting attacks on a variety of software packages that employ their own autoupdate procedures. Currently supported targets include the Java browser plug-in, WinZip, Winamp, OpenOffice.org, the LinkedIn Toolbar, iTunes and Mac OS X. Still more plug-ins could be developed in coming months.

The exploit works by pretending to be a genuine upgrade site and sending malicious code when your software was expecting a patch. The code might be anything, from a Trojan horse to a keylogger that intercepts passwords and user accounts.

Making use of the exploit isn't quite as easy as just pressing a button. It requires a preexisting "man in the middle" condition, in which an attacker sets up a fake Web host that can intercept traffic traveling between a client and a genuine server. Although that might be pretty tricky to achieve ordinarily, the recently disclosed DNS security flaw leaves many sites wide open.

So what can you do about a security flaw that exploits the very system that's meant to patch security flaws? First, you should definitely make sure you have the DNS flaw taken care of at your site. That will block Evilgrade's attack route.

Next, read the documentation for Evilgrade and be aware of what software may be used on your network that could be vulnerable to the exploit. If the software is important enough to your organization, get in touch with its vendor or developers and voice your concerns about the security of its autoupdate function.

Finally, if security is a high priority at your organization, you may want to consider disabling automatic updates for selected software by blocking their autoupdate sites in your firewall rules. Most software that supports automatic updates also allows you to download and install patches manually (though the individual patch files may be more difficult to locate).

For now, the risk imposed by Evilgrade is probably minimal, but don't be lulled into complacency. Automatic software updates may be convenient, but they also take one of the most important PC security functions out of the hands of the user. That can easily lead to a false sense of security; and when you let your guard down, that's how they get ya.
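What separates an updater that Evilgrade-style spoofing can abuse from one it cannot is whether the client checks anything beyond "a server answered at the update address". The script below is an added example of the client-side checks, not code from the article or from the Evilgrade project: the manifest must carry a valid authenticator from the publisher, the package must come over HTTPS from a pinned host, and its digest must match what the authenticated manifest says. The host name, key and package bytes are constructed. A shared HMAC key stands in for the publisher's public-key signature so the example runs with the standard library alone; a real client must verify an asymmetric signature, because a symmetric key shipped inside the client could be extracted and used to forge manifests.

```python
"""Added example: checks a hardened auto-update client makes before installing.
Not code from the article or from Evilgrade; names and bytes below are constructed.
HMAC is a stand-in for the publisher's asymmetric signature (see lead-in)."""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

PINNED_HOST = "updates.example.invalid"       # constructed: the only host the client accepts
PUBLISHER_KEY = b"constructed-publisher-key"  # stand-in for the publisher's signing key


@dataclass
class Manifest:
    version: str
    url: str      # where the package is fetched from
    sha256: str   # digest of the package the publisher actually released
    mac: str      # authenticator over the three fields above


def _manifest_bytes(version: str, url: str, sha256: str) -> bytes:
    return f"{version}\n{url}\n{sha256}".encode()


def publish(version: str, url: str, package: bytes, key: bytes = PUBLISHER_KEY) -> Manifest:
    """Publisher side: bind version, location and digest together and authenticate them."""
    digest = hashlib.sha256(package).hexdigest()
    mac = hmac.new(key, _manifest_bytes(version, url, digest), hashlib.sha256).hexdigest()
    return Manifest(version, url, digest, mac)


def validate_update(m: Manifest, package: bytes, key: bytes = PUBLISHER_KEY) -> tuple:
    """Client side. Returns (ok, reason); any failure means the install is refused."""
    # 1. The manifest must be authentic. A spoofed update site (the man in the middle
    #    the article describes) cannot produce a valid authenticator without the key.
    expected = hmac.new(key, _manifest_bytes(m.version, m.url, m.sha256),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, m.mac):
        return False, "manifest authenticator invalid"
    # 2. Fetch only over TLS from the pinned host, so even an authentic manifest
    #    cannot send the client to an arbitrary download location.
    u = urlparse(m.url)
    if u.scheme != "https":
        return False, "package URL is not https"
    if u.hostname != PINNED_HOST:
        return False, f"package host {u.hostname!r} is not the pinned update host"
    # 3. What was downloaded must be byte-for-byte what the publisher released.
    if not hmac.compare_digest(hashlib.sha256(package).hexdigest(), m.sha256):
        return False, "package digest does not match manifest"
    return True, "ok"


# Constructed package bytes standing in for a real installer.
GENUINE_PACKAGE = b"example installer v2.0.1 (constructed bytes)"
GENUINE_URL = f"https://{PINNED_HOST}/app-2.0.1.bin"

if __name__ == "__main__":
    manifest = publish("2.0.1", GENUINE_URL, GENUINE_PACKAGE)
    print(validate_update(manifest, GENUINE_PACKAGE))          # (True, 'ok')
    print(validate_update(manifest, b"trojaned installer"))    # digest mismatch
    plain = publish("2.0.1", GENUINE_URL.replace("https", "http", 1), GENUINE_PACKAGE)
    print(validate_update(plain, GENUINE_PACKAGE))             # not https
```

Note the order of the checks: the digest comparison in step 3 is only meaningful because step 1 already established that the digest itself came from the publisher. A client that downloads a checksum file from the same spoofed server it downloads the package from has verified nothing, which is why the article's advice to fix DNS first matters even for updaters that do compare hashes.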

Thursday, July 31, 2008

Quote of the day

In order to rally people, governments need enemies. They want us to be afraid, to hate, so we will rally behind them. And if they do not have a real enemy, they will invent one in order to mobilize us.

Thich Nhat Hanh - Vietnamese monk

New IT Term of the day

provisioning


(1) The process of providing users with access to data and technology resources. The term typically is used in reference to enterprise-level resource management. Provisioning can be thought of as a combination of the duties of the human resources and IT departments in an enterprise, where (1) users are given access to data repositories or granted authorization to systems, applications and databases based on a unique user identity, and (2) users are appropriated hardware resources, such as computers, mobile phones and pagers. The process implies that the access rights and privileges are monitored and tracked to ensure the security of an enterprise's resources.

(2) The process of providing customers or clients with accounts, the appropriate access to those accounts, all the rights associated with those accounts, and all of the resources necessary to manage the accounts. When used in reference to a client, provisioning can be thought of as a form of customer service.

Banks teach online customers bad habits

CYBER HABITS : Banks teach online customers bad habits

July 29, 2008

http://www.columbiatribune.com/2008/Jul/20080729Busi012.asp

SAN FRANCISCO (AP) - Many banks are unwittingly training their online customers to take risks with their passwords and other sensitive account information, leaving them more vulnerable to fraud, new research shows.

Web surfers could find themselves the victims of identity theft because they’ve been conditioned to ignore potential clues about whether the banking site they’re visiting is real.

That’s the conclusion by University of Michigan researchers who found design flaws in 76 percent of the 214 U.S. financial institution Web sites they studied.

The study, to be presented Friday at a security conference, examined the sites of top banks and smaller institutions alike. The researchers aren’t detailing which banks had problems, however.

The researchers found that many banks silently redirect users to third-party sites, plop "secure login" boxes on insecure Web pages and improperly use Social Security numbers or e-mail addresses as default user names.

The research didn’t uncover vulnerabilities in the Web sites themselves or problems with the sites’ coding that could allow criminals to break in. Instead, it found design flaws that teach people bad surfing habits.

One of the biggest problems: Even if the login boxes on banks’ pages are properly secured - meaning they send and receive encrypted data through a technology known as Secure Sockets Layer - if the full page itself isn’t protected with the same technology, it’s more difficult to tell whether the site is real or fake.

SSL-equipped sites show a padlock icon in the address bar and signal not only the encryption technology but also that the site’s owner is legitimate.

Also, if users aren’t notified that they’re being taken to another site, then it’s hard to determine if the new site is trustworthy because the online registration certificate carries a different company’s name.

So even if they were inclined to dig that deep, consumers could still fall victim to "phishing" scams because they’re accustomed to entering personal information into a site that isn’t their bank’s - and hasn’t been clearly vouched for by the bank.

Hackers could take advantage by sending them bogus pages dressed up like the bank’s Web site. That site would then redirect to another site under the criminal’s control, and users might not question the redirection. The best policy is to not click on links sent in e-mails.
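The three design flaws the study names are all visible in a page's HTML and URL: a password form sitting on a page that is not itself served over HTTPS, a form that posts to a non-HTTPS target, and a form that hands the credentials to a different host than the one the customer typed in. The script below is an added example of an automated check for those three conditions; it is not the Michigan researchers' tool, and the page URLs and HTML are constructed stand-ins rather than real bank sites.

```python
"""Added example: flag the login-page design flaws the study describes.
Not the researchers' code; the URLs and HTML below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collects every <form> on a page and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names for us
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_page(page_url: str, html: str) -> list:
    """Return a list of findings; an empty list means none of the three flaws was seen."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page = urlparse(page_url)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # only credential forms matter for this check
        target = urlparse(urljoin(page_url, form["action"]))
        if page.scheme != "https":
            # The login box may encrypt its submission, but the user cannot verify
            # the page around it, which is the habit the study warns about.
            findings.append("password form is embedded in a page not served over HTTPS")
        if target.scheme != "https":
            findings.append(f"password form posts to a non-HTTPS target ({target.netloc})")
        if target.hostname != page.hostname:
            # The certificate the customer would see names a different company.
            findings.append(f"password form posts to a different host ({target.hostname})")
    return findings


# Constructed pages, not real bank sites.
BAD_PAGE_URL = "http://bank.example.invalid/"
BAD_PAGE_HTML = """
<html><body>
<form action="https://login.vendor.example.invalid/auth" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

GOOD_PAGE_URL = "https://bank.example.invalid/login"
GOOD_PAGE_HTML = '<form action="/auth" method="post"><input type="PASSWORD" name="pw"></form>'

if __name__ == "__main__":
    for finding in audit_login_page(BAD_PAGE_URL, BAD_PAGE_HTML):
        print("FLAW:", finding)
    print("good page findings:", audit_login_page(GOOD_PAGE_URL, GOOD_PAGE_HTML))
```

The host comparison is deliberately strict (exact hostname match). A bank that legitimately outsources authentication to a subsidiary would trip it, which is the point: the study's finding is that such hand-offs must be announced to the customer, not that they are technically insecure.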

China blamed for cyber-terrorism

BLAME : China blamed for cyber-terrorism

'Titan Rain' came from Chinese servers, says security expert

by Robert Blincoe

vnunet.com

28 Jul 2008

http://www.vnunet.com/vnunet/news/2222622/china-blamed-hack-attacks

China has been accused of sponsoring cyber-terrorism at a conference organised by the UK Home Office.

Professor John Walker, managing director of forensics consultancy Secure-Bastion, said at the International Crime Science Conference in London last week that the Chinese government was behind the 'Titan Rain' attacks on the US and the UK.

The attacks were identified as coming from servers in China, but the Chinese government has never officially been accused of being behind the assault.

Professor Walker's claims will add to the paranoia about Chinese hackers attacking visitors and business people travelling to the Beijing Olympics.

The academic made his comments during a Q&A session when he was asked about state-sponsored terrorism. "This big problem has become more focused," he said.

"Up to last year people did not take it very seriously, and then there were state-sponsored Chinese groups and all sorts of groups attacking the UK and the US and getting into the infrastructure. That happened again earlier this year."

The International Crime Science Conference is organised by the Centre for Security and Crime Science at University College London. The Home Office is one of the conference sponsors.

Walker contributed to the House of Lords Science and Technology Committee's report on Personal Internet Security published on 8 July.

"There is a problem with state-sponsored electronic terrorism," he told the audience.

"No matter how much collaboration you have internationally, if you have a state-sponsored terrorist coming out of China or Russia you are not going to get them.

"If they are state-sponsored e-criminals they are doing it for a purpose. And you cannot extradite them."

A formal complaint about Professor Walker's remarks was made to Gloria Laycock, director of the UCL Centre for Security and Crime Science.

Titan Rain is the name given by the US government to a coordinated series of attacks on US computer systems. Hackers gained access to many US computer networks, including those at Lockheed Martin and Nasa.

Bluetooth Monitoring in Britain

TRACKING : Bluetooth Monitoring in Britain

Bluetooth Big Brother uses mobiles and laptops to track thousands of Britons

By David Derbyshire

22nd July 2008

http://www.dailymail.co.uk/sciencetech/article-1036931/Bluetooth-Big-Brother-uses-mobiles-laptops-track-thousands-Britons.html

A Big Brother network of hidden scanners is monitoring hundreds of thousands of Britons without their knowledge, it emerged yesterday.

Scientists track people walking around cities, using the Bluetooth signals from their mobiles, laptops and handheld computers.

Scanners in bars, offices and universities register nearby Bluetooth devices and send the information to a central database.

The Cityware project, which is funded by £1.2 million of taxpayers' money, started in Bath three years ago and is designed to chart how pedestrians use city centres.

It will be used to improve their design, learn how people use public transport and shops and work out how epidemics can spread.

There are thousands of scanners globally, of which 1,000 are actively tracking passers-by at any one time. Three thousand people in Bath were monitored in one weekend alone.

Privacy campaigners fear the scanners have echoes of the Will Smith thriller Enemy of the State

The scientists behind Cityware deny they are intruding on privacy, despite growing concerns over Britain's surveillance society.

They say the signals they get from phones and laptops do not reveal personal information. But critics say the signals can contain the owner's details.

Bluetooth devices use radio signals to communicate with each other.

Thousands of people in Bath are unaware their movements may have been tracked through their bluetooth mobiles

If Bluetooth is switched on, a gadget will broadcast its name and ID number to anyone within 100 yards.

The name can be changed by the owner and often includes their own name, email address or phone number.

The scanners convert the data into maps showing the movement of people over time.

Bath MP Don Foster said: 'This is another infringement of our civil liberties and another step closer to the Big Brother state.

'We need a guarantee that all data is made anonymous before it is analysed.'

Simon Davies, of human rights watchdog Privacy International, said: 'This could become the CCTV of the mobile industry.

'It would not take much to make this a surveillance infrastructure over which we have no control.'

Bath University academic Eamon O'Neill, director of Cityware, said: 'We are recording only radio signals that are publicly available.

'We don't know who is carrying the phone.'

Cyber losses cost Canadian cos $637,000 a year

COST : Cyber losses cost Canadian cos $637,000 a year

29 July 2008

http://canadianpress.google.com/article/ALeqM5iEs4mK_c0EhIWuPedOQ8vQ7SKO7Q

http://www.newswire.ca/en/releases/archive/July2008/28/c7490.html

TORONTO — Information technology security breaches cost the average publicly traded Canadian company $637,000 a year, says a new study by the University of Toronto's business school.

In government, the annual cost of so-called cyber crime is $320,000 per organization, while the cost to other private companies is $294,000 a year, says the study by the Rotman School of Management and Vancouver-based Telus Corp.

Surveys in the United States show the cost of data security breaches more than double year over year, a trend that is also happening in Canada, says Walid Hejazi, a business economics professor at the Rotman school.

"IT security is a C-suite level business issue," Hejazi said in a release.

"In an increasingly information-based society, managing data security is fundamental to business strategy."

Monday's study came less than a week after Calgary-based discount airline WestJet announced it would prevent passengers from using credit cards at check-in kiosks at airports across Canada.

The decision was made after financial institutions reportedly began investigating isolated fraud incidents stemming from the use of credit cards to get boarding passes.

The Rotman-Telus study examined the IT security practices of more than 300 Canadian businesses.

Such studies are often commissioned by companies to help promote their products and services, inform consumers or, in this case, bring attention to the need to improve technology security.

Full results of the Rotman study will be made public Tuesday at the Information Systems Audit and Control Association's 2008 international conference in Toronto.

Monday, July 28, 2008

Quote of the day

For what is the best choice, for each individual is the highest it is possible for him to achieve.

Aristotle

New IT Term of the day

New IT Term of the day


proof-of-concept virus


A proof-of-concept virus is written by an individual with advanced programming skills, usually to 'show off' their programming talents or to demonstrate a vulnerability in a specific piece of software. Authors of proof-of-concept viruses usually send these programs to an anti-virus software developer; the programmer is more apt to produce a blueprint of how the virus would work than to launch the virus maliciously.

Rustock botnet spams again

ACTIVE VOLCANO : Rustock botnet spams again

Chuck Miller

SC Magazine

July 25 2008

http://www.scmagazineus.com/The-Rustock-botnet-spams-again/PrintArticle/112940/

A large-scale botnet called Rustock is forwarding spam with shocking headlines to exploit users and increase its spread.

Security vendor Marshal is warning that web sites - predominantly in the United States and China - have been targeted in the campaign.

The security vendor warned that a variety of sensational headlines are being used to lure victims into clicking on a malicious link.

Some of the headlines include:

"Yahoo sold to Microsoft, record price"

"Bush Down to 8 Friends on Myspace"

"Martian Soil Fantastic for Growing Weed Says NASA"

"Obama Is Anorexic Over-Exerciser"

"Al Qaeda Reports Declining Revenues in Fiscal '08"

“Some of the headlines are hard to take seriously and some of them are believably enticing,” said Phil Hay, lead threat analyst for Marshal's TRACE Team.

Hay said the Rustock spammers appear to be experimenting to see which types of headlines solicit the most hits from recipients.

However, if a recipient clicks on one of these links in the e-mail, a web page opens with a fake web video and a popup window that prompts the user to install a file called “codecinst.exe” so that the video will play properly. Doing so downloads malware that installs the botnet software.

“They are trying to disguise the installation of the executable under a believable pretext,” said Hay.
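The infection chain above (sensational subject, link to a fake video page, prompt to install "codecinst.exe") is the kind of pattern a mail gateway can triage before a user ever sees the popup. The following Python script is an added example and is not code from SC Magazine or from Marshal: it takes the lure subjects quoted in the article and the reported drop-file name as signals, and adds two assumed heuristics (links whose basename looks like a codec or player installer, and links to bare IP addresses). The sample messages are constructed for the example.

```python
"""Mail triage for fake-video / fake-codec lures.

Added example for the Rustock campaign described in the article; it is not
code from SC Magazine or Marshal. The lure subjects and the file name
codecinst.exe come from the article; the sample messages, the other installer
name stems and the IP-literal heuristic are assumptions made for the example.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Subject lines quoted in the article, normalised to lower case.
KNOWN_LURE_SUBJECTS = {
    "yahoo sold to microsoft, record price",
    "bush down to 8 friends on myspace",
    "martian soil fantastic for growing weed says nasa",
    "obama is anorexic over-exerciser",
    "al qaeda reports declining revenues in fiscal '08",
}

# codecinst.exe is the name the article reports; the other stems are assumed
# here as typical "codec installer" names used by the same kind of lure.
SUSPICIOUS_BINARY_RE = re.compile(
    r"^(?:codec|video|player|flash|setup|install)[\w.-]*\.exe$", re.I)
IP_LITERAL_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def normalise_subject(subject: str) -> str:
    """Collapse whitespace, drop trailing punctuation, lower-case."""
    return re.sub(r"\s+", " ", subject).strip().rstrip(".;!").lower()


def message_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            parts.append(payload.decode(part.get_content_charset() or "utf-8",
                                        errors="replace"))
    return "\n".join(parts)


def triage(raw_message: str) -> dict:
    """Return subject, extracted URLs, matched reasons and a verdict."""
    msg = message_from_string(raw_message)
    subject = normalise_subject(msg.get("Subject", ""))
    urls = URL_RE.findall(message_text(msg))
    reasons = []

    if subject in KNOWN_LURE_SUBJECTS:
        reasons.append("known_lure_subject")

    for url in urls:
        parsed = urlparse(url)
        basename = parsed.path.rsplit("/", 1)[-1]
        if SUSPICIOUS_BINARY_RE.match(basename):
            reasons.append("executable_download_link")
        if IP_LITERAL_RE.match(parsed.hostname or ""):
            reasons.append("ip_literal_host")

    # Report each reason once even if several links trigger it.
    reasons = list(dict.fromkeys(reasons))
    return {
        "subject": subject,
        "urls": urls,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "clean",
    }


# Constructed sample messages (not real captures).
SAMPLE_LURE = """\
From: news@example.com
To: victim@example.org
Subject: Bush Down to 8 Friends on Myspace
Content-Type: text/plain; charset=utf-8

Watch the video here: http://192.0.2.10/news/view.php?id=1732
"""

SAMPLE_CODEC = """\
From: player@example.net
To: victim@example.org
Subject: Your video is ready
Content-Type: text/plain; charset=utf-8

Install the codec to play: http://video.example.net/dl/codecinst.exe
"""

SAMPLE_CLEAN = """\
From: colleague@example.org
To: victim@example.org
Subject: Minutes from Monday
Content-Type: text/plain; charset=utf-8

Notes are at http://intranet.example.org/minutes/2008-07-28.html
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_CODEC, SAMPLE_CLEAN):
        result = triage(sample)
        print(result["verdict"], result["reasons"], result["subject"])
```

The subject list is a point-in-time indicator and will age quickly, which is exactly what Hay describes: the operators rotate headlines to see which draw clicks. The structural signals (an executable offered as a "codec", a link to a bare IP) survive the rotation and are the ones worth keeping in a gateway rule.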

Marshal's records revealed that the Rustock botnet includes more than 150,000 infected PCs and distributes close to 30 billion spam messages daily, which in terms of volume makes it one of the biggest malicious spam campaigns ever seen.

“Rustock is not a name many people are familiar with but it is well known within the security industry. Today it is one of the most established spambots. Rustock has been operating in various forms for more than two years,” said Hay.

At one point, it was responsible for 21 percent of the spam clogging inboxes, according to Marshal in a report earlier this year.

New Canadian Cyber Forensic Organization Created

INITIATIVE : New Canadian Cyber Forensic Organization Created

Press Release - Concordia University

July 21, 2008

http://mediarelations.concordia.ca/pressreleases/archives/2008/07/new_canadian_cyber_forensic_or.php?&print=1

MONTREAL : Bell Canada, the Competition Bureau of Canada, Concordia University, Rogers Communications and Microsoft Canada Co., are proud to announce that they are working towards the establishment of the National Cyber Forensics Training Alliance Canada (NCFTA Canada). This new Alliance will be hosted by Concordia University in Montreal.

“There is a recognized need for industry, academia, and law enforcement to work together and share information about cyber incidents in a neutral venue to identify and mitigate threats” said Dr. Louise Dandurand, Vice-President, Research and Graduate Studies, at Concordia University. “NCFTA Canada is the appropriate and relevant response to such a need and Concordia is proud to host such an important organization.”

"Online security is one of the most important realities facing our industry today", said Michael Freeman, Director of Product Management at Bell, speaking on behalf of the industry partners. "The NCFTA's collective approach provides an excellent opportunity to address these issues in a comprehensive way and on an industry-wide basis. Bell is happy to play a role in this important initiative."

NCFTA Canada will enable and develop partnerships between the public sector, law enforcement agencies, the private sector and academic organizations that will reduce the impact of cyber-crime affecting Canadians.

“The Competition Bureau is pleased to be participating in the establishment of NCFTA Canada,” said Andrea Rosen, Deputy Commissioner, Competition Bureau. “Given the increase in high tech crimes targeting businesses and consumers, collaboration with our Canadian partners in the creation of this task force is essential.”

NCFTA Canada will combine resources, intelligence, expertise and R&D efforts to effectively and cooperatively work on:

- promoting information security in Canada;

- investigating mutually defined cyber-crime targets to gather intelligence, define prevention methods, and develop counter-measures;

- developing and publishing information or processes that will help protect organizations or individuals from cyber-crime;

- carrying out well-focused collaborative research and development initiatives;

- developing and sharing tools that aid in the investigation or prevention of cyber-crime;

- building relationships with organizations having a similar vision, both nationally and internationally.

Lack of computer security hits 4 million Germans

RISK : Lack of computer security hits 4 million Germans

DPA

27 Jul 2008

http://www.earthtimes.org/articles/show/221684,lack-of-computer-security-hits-4-million-people-in-germany.html

Berlin - Germans no longer think twice about paying the rent or auctioning off an old tennis racquet online. The internet is now part of everyday life for 80 per cent of Germans. But a recent survey by Forsa, an opinion research institute, showed that 4 million Germans have fallen victim to computer crime. They account for 7 per cent of all computer users over 14 years of age, according to BITKOM, the Federal Association of the Information Industry, Telecommunications and New Media.

Around 1 per cent of those questioned said they had suffered financial losses from online banking or online auctions. An additional 3 per cent reported dubious Internet Dialer programs. Another 2 per cent reported damage due to viruses.

The survey also showed that many personal computers lack security programs. While 83 per cent of respondents had a virus protection program on their computer, only 67 per cent used a firewall. Additionally, only 28 per cent used an encryption program while 7 per cent had no security mechanisms whatsoever.

Brazilian Senate adopts new Cyber-crime Bill

LAW : Brazilian Senate adopts new Cyber-crime Bill

Ankur Goyal with CRPCC Team

July 28, 2008

The Brazilian Senate adopted a new bill on cyber-crime on July 9th 2008. This bill will be submitted to the Chamber of Deputies in the next few days.

The bill would punish 13 computer activities:

  1. non-authorized access to an information device or automated system

  2. obtaining, transferring or providing of non-authorized data or information

  3. disclosure or misuse of personal information and data

  4. destroying, making unusable or degrading other people's objects or electronic data

  5. introducing and distributing viruses

  6. more severe sentencing for introducing or distributing viruses where damage follows

  7. electronic deception (phishing)

  8. attack on a security service or public utility

  9. interruption or disruption of telephone, telegraph, computer or electronic services, communication devices, computer networks or computer systems

  10. falsification of electronic public data

  11. falsification of private electronic data (credit card and mobile phone cloning, for example)

  12. discriminating against people regarding race or colour through material disseminated over computer networks (amendment to the Afonso Arinos Law)

  13. receiving or storing pictures with pedophile content (amendment to the Child and Adolescent Statute).

The new bill provides for penalties of up to three years in prison.

Introduced by Eduardo Azeredo (PSDB-MG) in 2005, the bill is to go before the Chamber of Deputies for adoption of the latest amendments before being submitted to the full Chamber for a vote in the coming weeks.

A senate press relations bureau release on 10 July said: "This law will not be applied to those who use the Internet correctly, including those who download music, talk on chat platforms, write their views on a blog, search for information or any other similar activity. A good Internet user will not be punished. Only the growing security that we are developing as regards technology use will change Internet usage."
