WISH YOU A HAPPY AND SECURE YEAR 2009

Saturday, December 13, 2008

Quote of the day


Since world war two we've managed to create history's first truly global empire. This has been done by the corporatocracy, which are a few men and women who run our major corporations and in doing so also run the U.S. government and many other governments around the world.

John Perkins

2005

Author of the book titled 'Confessions of an Economic Hit Man'

New IT Term of the day


SSH port forwarding


An SSH service that provides secure and encrypted connections to traditionally non-encrypted services, such as e-mail or news. SSH port forwarding allows you to establish a secure SSH session and then tunnel TCP connections through it. It works by opening a connection that forwards a local port to a remote port over SSH. The client software (e.g. your e-mail client) is then set to connect to the local port. With SSH port forwarding, passwords are sent over an encrypted connection.
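As an added illustration of the procedure just described (this is example code written for this page, not from the original entry), the script below composes the OpenSSH local-forward specification for an IMAP mail client, checks that the tunnel is bound to the loopback interface only, and prints the ssh command line to run. The host names, the user name and the port numbers are placeholders; the option names are real OpenSSH options.

```shell
#!/bin/sh
# Added example (not from the original page): build and sanity-check an SSH
# local port forward for a mail client. Hosts, user and ports are placeholders.

# ssh_forward_spec LOCALPORT REMOTEHOST REMOTEPORT [BINDADDR]
# Prints the argument for ssh -L. The bind address defaults to 127.0.0.1 so
# that only this machine can use the tunnel; a forward bound to 0.0.0.0 would
# let anyone on the LAN reach the remote service through our SSH session.
ssh_forward_spec() {
    bind="${4:-127.0.0.1}"
    printf '%s:%s:%s:%s\n' "$bind" "$1" "$2" "$3"
}

# check_forward_spec SPEC
# Returns 0 when SPEC is bound to loopback and both ports are valid numbers.
check_forward_spec() {
    spec="$1"
    case "$spec" in
        127.0.0.1:*|localhost:*) ;;
        *) echo "refusing non-loopback bind: $spec" >&2; return 1 ;;
    esac
    lport=$(printf '%s' "$spec" | cut -d: -f2)
    rport=$(printf '%s' "$spec" | cut -d: -f4)
    for p in "$lport" "$rport"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    return 0
}

# ssh_tunnel_cmd SPEC GATEWAY
# Prints the ssh command that opens the tunnel. -N runs no remote command,
# -f backgrounds ssh after authentication, and ExitOnForwardFailure=yes makes
# ssh exit instead of silently running without the forward.
ssh_tunnel_cmd() {
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -L %s %s\n' "$1" "$2"
}

# Usage with placeholder hosts: local port 1143 reaches imap.example.org:143
# through the SSH gateway; the mail client is then pointed at 127.0.0.1:1143.
spec=$(ssh_forward_spec 1143 imap.example.org 143)
if check_forward_spec "$spec"; then
    echo "Run: $(ssh_tunnel_cmd "$spec" user@gateway.example.org)"
    echo "Then set the mail client's IMAP server to 127.0.0.1, port 1143"
fi
```

The loopback check matters because a forward with a non-loopback bind address (or with GatewayPorts enabled) turns the tunnel into a service that other machines can use with your credentials.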

Web site-based crimeware hits all-time high

STATISTICS : Web site-based crimeware hits all-time high

by Elinor Mills

December 10, 2008

The use of malware on Web sites to steal passwords and other sensitive information is skyrocketing, according to a new report from the Anti-Phishing Working Group.

The number of URLs with hidden code for stealing passwords nearly tripled between July 2007 and July 2008, to a record high of 9,529, while the number of malicious-application variants hit a high of 442 this May, the APWG reports in its quarterly report issued this week.

The increase is primarily due to malicious code being used in SQL injection attacks, in which a small malicious script is inserted into a database that feeds information to the Web site. Typically, the host site is legitimate, such as BusinessWeek's, not a phishing site created for the sole purpose of stealing consumer data.

The financial-services industry is the most targeted sector for phishing attacks, followed by those focusing on auctions and payment services, the report found.

"Cybercriminals continue to increase their activities to levels never before seen in the five years since the APWG has been monitoring phishing and crimeware," APWG Chairman Dave Jevans said in a statement.

The recession is prompting even more malicious activity online, he said.

"The current financial crisis has also been used by phishers to create new scams that try to scare consumers into entering their usernames and passwords into sites that mimic those of well-known distressed financial institutions," Jevans said. "As the economy degrades, we are seeing a continual increase in malicious and criminal activity on the Internet."

Another report issued this week shows that IT security professionals view cybercrime and data breaches as the top security risks, followed by mobility, outsourcing, cloud computing, mobile devices, peer-to-peer file sharing, Web 2.0 services, and malware.

Meanwhile, respondents who work in IT operations listed outsourcing as the biggest risk, followed by mobile devices and cybercrime, in the 2008 Security Mega Trends Survey conducted by The Ponemon Institute on behalf of Lumension Security. In the survey, 577 respondents work in IT security, and 825 work in IT operations.

Of those surveyed, 83 percent of the IT security workers and 79 percent of IT operations professionals reported that their organization had a data breach due to customer or employee information being lost or stolen. Overall, 92 percent of the organizations have experienced a cyberattack.

Another survey, released on Thursday by CA, looks at behaviors and perceptions among American adults and teens of their safety online.

Fifty-seven percent of adults fear that they may become victims of identity fraud online within the next two years, and 90 percent worry about the security of their personal data. Meanwhile, 35 percent of teens leave their social-networking profiles open to viewing by strangers, 38 percent post their education information, 32 percent disclose their e-mail addresses, and 28 percent reveal their birth date.

Download the report at Anti-Phishing Working Group website – http://www.antiphishing.org/reports/apwg_report_Q2_2008.pdf

Penetration Testing: Dead in 2009???

VIEW : Penetration Testing: Dead in 2009???

By Bill Brenner

CSO

December 08, 2008

http://www.networkworld.com/news/2008/120808-penetration-testing-dead-in.html

Penetration testing: Security experts mention it all the time as one of the essential tools of defense-in-depth. Companies have raked in the dough selling the service and the tools for years.

But is it possible that penetration testing -- the art of probing company networks in search of exploitable security holes that can then be fixed -- is an idea whose time is about to expire?

If you ask Brian Chess, co-founder and chief scientist of business software assurance (BSA) vendor Fortify Software Inc., the answer is yes.

"Death sounds rather gloomy, but stuff in high tech dies all the time," Chess said in an interview Tuesday. "Desktop publishing? Dead -- but not gone. Personal Digital Assistant (PDA)? Many of the concepts are still with us, but the PDA is dead."

Penetration testing is headed for a similar fate, he said. The concept as we know it is on its death bed, waiting to die and come back as something else. That doesn't mean pen testers will suddenly be unemployed, he said. It's just that they "won't be as cool" as they've been in more recent years.

Customers are clamoring more for preventative tools than tools that simply find the weaknesses that already exist, he said. They want to prevent holes from opening in the first place.

"Death doesn't mean it goes away, it means it transforms. Pen testing will be reborn in the area of production monitoring and measurement," Chess said. "The goal won't be that failure is found and must be fixed. The goal is that failures will become a much rarer event."

Naturally, security practitioners who swear by pen testing as a critical component of a layered security program are reacting to his hypothesis with more than a little skepticism.

Jennifer Jabbusch, CISO at Carolina Advanced Digital Inc. in the Raleigh-Durham area of North Carolina, took issue with Chess' basic premise that penetration testing will become a component of monitoring and measuring.

"Pen testing will continue," she said in an exchange over the Twitter social networking site. "Monitoring and measuring is not pen testing. It's what you do after pen testing."

She also faulted the example of desktop publishing being a dead art, saying, "Desktop publishing isn't dead. In fact, it's grown. Now you can design on your desktop and deliver via the Internet for printing at FedEx/ Kinkos."

Others agree penetration will continue, but don't necessarily think Chess' position is all that off the mark.

Max Caceres, director of research and development at Matasano Security in New York, said he can understand the perspective of people who want penetration testing to be part of something larger.

"I can totally see where his customers are coming from," Caceres said. "All things being equal, preventing holes from even existing is a much more interesting approach than riding the find-report-hope-somebody-fixes-it hamster wheel."

But, he added, Chess' prediction may be more of an imagined utopia than a real alternative.

"We have been finding bugs for a while, the most common problems are well understood and documented, yet we keep deploying vulnerable apps," he said. "If we believe true perfection is unattainable -- and I do, particularly for application development, we have yet to invent the tool that produces bug-free code -- then apps will always have bugs that need fixing, and some of them will be security related."

And that's where penetration testing will remain valuable, he said.

Kevin Riggins, a senior information security analyst for a company in the Des Moines, Iowa, area, said it's hard to argue with Chess' premise that the goal should be fewer failures. But he doesn't believe that sentiment has anything to do with the need for or the use of penetration testing. Furthermore, he said, echoing Jabbusch, production monitoring and measuring and penetration testing do not address the same issue.

"The first measures the availability and effectiveness of your production environment," he said in exchanges via Twitter and e-mail. "The second measures its ability to resist intrusion or attack. They are not the same and you can't get from one to the other by transformation."

A better argument for the death of penetration testing is that there will always be issues found, some of which cannot be fixed or effectively mitigated, he added. Therefore, what is the real value to the organization in performing this type of test?

"Don't get me wrong, I don't subscribe to this argument either," Riggins said.

In the final analysis, he said, security pros can't stop performing penetration tests until the current compliance requirements are removed. That's not happening any time soon.

"Penetration tests and vulnerability scans help us find where our processes, procedures, and standards might need work," he said.

Crime, New Technologies, Thwart Security Progress

MEGA TRENDS : Crime, New Technologies, Thwart Security Progress

December 9, 2008 10:00 PM

http://securitywatch.eweek.com/exploits_and_attacks/crime_new_technologies_thwart_security_progress.html

Even as organizations invest millions of dollars in security mechanisms meant to defend them against potential threats, business initiatives such as outsourcing, combined with the seemingly unstoppable onslaught of cyber-crime, will continue to make it hard to prevent attacks targeting electronic data in the coming year, according to a new research report.

Based on the "Security Megatrends and Emerging Threats for 2009" paper published this week by Ponemon Institute -- which has established itself as a leading source of data related to the impact of data breach incidents -- risks to personal and business information will continue to scale upwards during 2009 despite the best efforts of security consultants, vendors and researchers, along with industry and government regulators.

The continued expansion of productivity-related business strategies including outsourcing, mobility and so-called cloud computing, which depend on widely-dispersed electronic infrastructure, along with the maturation of the cybercriminal element, will challenge security protections throughout 2009, the report contends.

Of the nearly 600 IT professionals interviewed by Ponemon researchers for the study, roughly 50 percent indicated a belief that outsourcing poses an "imminent and critical risk" to data security. Cloud-based remote computing infrastructure, the growing crossover of consumer technologies and Web 2.0 social networking tools will also have a detrimental effect on overall security standing over the next 12 months, according to the report.

Cybercrime, in its many forms, remains a "major" headache to organizations in trying to protect their electronic data, some 75 percent of participants in the survey said. The report was sponsored by Lumension, a vendor that specializes in security applications aimed at helping organizations stay up to date with vulnerability patches.

The survey also highlighted the growing marriage of operational and security efforts within many of the organizations responding to the study.

"With the emergence of consumer technology in the workplace, coupled with social networking and Web 2.0 technologies and the increased sophistication of cyber criminals, truly securing an organization's IT environment is an uphill battle," Larry Ponemon, chairman and founder of Ponemon Institute, said in the survey.

"In the next year or two, these challenges will increase in both the breadth and depth of threats - the companies we surveyed made this very clear," he said. "The key for both IT operations and IT security is to find the common ground necessary to better-wage this security battle together."

The survey isolates eight "mega trends" that survey respondents believe will factor heavily into security concerns in '09, many of which are also considered areas ripe with cost-saving or productivity opportunities for most organizations. Those trends were:

- cloud computing
- virtualization
- mobility and mobile devices
- cybercrime
- outsourcing to third parties
- data breaches
- peer-to-peer (P2P) file sharing
- Web 2.0

While half of the IT security experts interviewed for the survey cited outsourcing as a major data security risk, an even higher number (59 percent) of operational IT workers view the business strategy as a significant area of concern. Both groups referenced the inability of third party business partners to sufficiently protect data as their biggest issue related to outsourcing.

Predictably, survey respondents said that their top worry related to data loss is the potential for misappropriated information to find its way into the hands of cyber-thieves (46 percent for IT security, versus 24 percent for IT operations) allowing the bad guys to carry out identity theft and other nefarious activities at the expense of their customers.

A whopping 92 percent of the organizations participating in the study indicated that they have experienced a cyber attack of some kind over the last year.

Mobility clearly remains another area of concern for data incidents. IT security and operational respondents alike (96 percent and 91 percent, respectively) agreed that the growing adoption of laptops and handheld devices will introduce even greater levels of data risk during 2009. One major problem noted by respondents in relation to mobile users was the inability of organizations to properly identify and authenticate those people coming onto their networks from outside their walls.

The adoption of other newer technologies, both business-oriented and consumer-based, will also open additional "avenues for cyber thieves to steal trade secrets and confidential business information", according to the report.

Of those technologies, cloud computing ranked as the top concern, with 61 percent of respondents ranking it as a major security issue.

While there clearly remains no shortage of security and operational-based risks to data protection, according to respondents, the growing closeness of the two areas of focus within IT departments should help improve the situation over time, experts contend.

"Given the breadth and depth of security breaches spanning the globe this year - all of which have had a long-lasting negative impact on organizations and consumers alike - IT security and IT operations professionals have an increasingly critical task at hand, to protect sensitive data wherever it lives in an organization," Pat Clawson, CEO of Lumension, said in a summary.

"What became clear, in conducting this research, is that while these threats will only increase over time, the gap between these distinct groups is starting to close," he said. "This is a great step forward in waging the data security battle - the less siloed and more collaborative IT security and operations groups operate, the more successful they will be in protecting their company's most valued asset: sensitive corporate data and trade secrets."

CRPCC Released Free Wi-Fi Security eBook

BOOK : CRPCC Released Free Wi-Fi Security eBook

CRPCC Team

11 December 2008

A 44-page eBook titled "Securing Wi-Fi Network" has been released by the Center for Research and Prevention of Computer Crimes along with Sysman Computers Private Limited, Mumbai, on wi-fi security.

The eBook can be downloaded free at www.sysman.in. It is released as a Corporate Social Responsibility (CSR) initiative by CRPCC and Sysman.

The book addresses the burning issue of wi-fi network security in simple language and guides the end-user to secure his/her wi-fi network in 10 simple do-it-yourself steps. The book is the outcome of detailed research by the authors over a period of 3 months. The book has been reviewed and vetted by 12 Indian and international experts.

The authors, Rakesh Goyal and Ankur Goyal, are experts in IT security with 6 books to their credit. This eBook has the support of CERT-In and the ISEAP project, both of the Department of Information Technology, Govt. of India; the Data Security Council of India of NASSCOM; and the Cyber Crime Cell of Mumbai Police.

A few months back, terrorists used unsecured wi-fi networks just before the Ahmedabad and Delhi bomb blasts, and the wi-fi subscribers had to face police action. The eBook is written in response to these incidents and threats.

To download the book, log on to www.sysman.in and click on Books in the top header, then click on download SECURING WI-FI NETWORK - V1.0.

Or go directly to http://www.sysman.org/book.htm

Friday, December 12, 2008

Quote of the day

Life is an illusion caused by the lack of alcohol.

New IT Term of the day


SSH


Developed by SSH Communications Security Ltd., Secure Shell is a program to log into another computer over a network, to execute commands on a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is a replacement for rlogin, rsh, rcp, and rdist.

SSH protects a network from attacks such as IP spoofing, IP source routing, and DNS spoofing. An attacker who has managed to take over a network can only force ssh to disconnect. He or she cannot play back the traffic or hijack the connection when encryption is enabled.

When using ssh's slogin (instead of rlogin) the entire login session, including transmission of password, is encrypted; therefore it is almost impossible for an outsider to collect passwords.

SSH is available for Windows, Unix, Macintosh, and OS/2, and it also works with RSA authentication.
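The protection against IP and DNS spoofing described above only holds if the client actually verifies the server's host key; an unknown or changed key has to be treated as a failure, not waved through. The script below is an added example written for this page (not from the original entry or from SSH Communications Security): it maps the legacy r-commands to their SSH replacements and only emits an ssh command for a host that is already pinned in a known_hosts file. The known_hosts file, its host name and its key material are constructed placeholders; `rsync -e ssh` is given as a common replacement for rdist, which is an assumption rather than something the entry states.

```shell
#!/bin/sh
# Added example (not from the original page): r-command replacements with
# host-key pinning enforced. Host names and the key below are constructed.

# A constructed known_hosts file with one pinned host (the key is fake).
KNOWN_HOSTS="${TMPDIR:-/tmp}/example_known_hosts.$$"
cat > "$KNOWN_HOSTS" <<'EOF'
fileserver.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORILLUSTRATIONONLY0000000000000
EOF
trap 'rm -f "$KNOWN_HOSTS"' EXIT

# host_is_pinned HOST
# Returns 0 if HOST has an entry in our known_hosts file. Only an exact match
# on the first field is checked here; hashed entries need ssh-keygen -F.
host_is_pinned() {
    awk -v h="$1" '$1 == h { found = 1 } END { exit found ? 0 : 1 }' "$KNOWN_HOSTS"
}

# secure_equivalent LEGACY_CMD
# Prints the SSH-based replacement for rlogin, rsh, rcp or rdist.
secure_equivalent() {
    case "$1" in
        rlogin) echo "ssh" ;;
        rsh)    echo "ssh" ;;
        rcp)    echo "scp" ;;
        rdist)  echo "rsync -e ssh" ;;   # assumed common replacement
        *)      echo "unknown legacy command: $1" >&2; return 1 ;;
    esac
}

# ssh_strict_cmd HOST
# Prints an ssh command that refuses unknown or changed host keys; fails if
# HOST is not pinned, so a spoofed address cannot be accepted on first use.
ssh_strict_cmd() {
    host_is_pinned "$1" || {
        echo "$1 is not in $KNOWN_HOSTS; verify its fingerprint out of band first" >&2
        return 1
    }
    printf 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s %s\n' "$KNOWN_HOSTS" "$1"
}

# Usage with the constructed host:
echo "rcp  -> $(secure_equivalent rcp)"
ssh_strict_cmd fileserver.example.org
ssh_strict_cmd unknown.example.org || echo "refused, as intended"
```

StrictHostKeyChecking=yes makes ssh abort when the presented key does not match the pinned one, which is the client-side check that turns the spoofing resistance above from a property of the protocol into a property of your deployment.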

U.S. Is Losing Global Cyberwar, Commission Says

SCARY : U.S. Is Losing Global Cyberwar, Commission Says

Center for Cybersecurity Operations is proposed to protect military, government, and corporate electronics from criminals and other nations

By Keith Epstein

December 7, 2008

http://www.businessweek.com/bwdaily/dnflash/content/dec2008/db2008127_817606.htm

The U.S. faces a cybersecurity threat of such magnitude that the next President should move quickly to create a Center for Cybersecurity Operations and appoint a special White House advisor to oversee it. Those are among the recommendations in a 44-page report by the U.S. Commission on Cybersecurity, a version of which will be made public today. The bipartisan panel includes executives, high-ranking military officers and intelligence officials, leading specialists in computer security, and two members of Congress.

To compile the report, which is entitled "Securing Cyberspace in the 44th Presidency," commission members say they reviewed tens of thousands of pages of undisclosed documentation, visited forensics labs and the National Security Agency, and were briefed in closed-door sessions by top officials from the Pentagon, the CIA, and British spy agency MI5. From their research, they concluded that the U.S. badly needs a comprehensive cybersecurity policy to replace an outdated checklist of security requirements for government agencies under the existing Federal Information Security Management Act.

The report calls for the creation of a Center for Cybersecurity Operations that would act as a new regulator of computer security in both the public and private sector. Active policing of government and corporate networks would include new rules and a "red team" to test computers for vulnerabilities now being exploited with increasing sophistication and frequency by identity and credit card thieves, bank fraudsters, crime rings, and electronic spies. "We're playing a giant game of chess now and we're losing badly," says commission member Tom Kellermann, a former World Bank security official who now is vice-president of Security Awareness at Core Security.

Obama seems on board

Kellermann should know: He had a hand in crafting the nation's cybersecurity strategy in 2003. But as he tells it, government efforts led by the Homeland Security Dept. have been stymied by bureaucratic confusion and an unwillingness by agencies and corporations to share information about cyber break-ins. The commission's report catalogues incidents afflicting financial institutions, large corporations, and government agencies, including some first detailed publicly over the last year in various BusinessWeek articles. In an ominous note for the private sector, the commission notes that "senior representatives from the intelligence community told us they had conclusive evidence covertly obtained from foreign sources that U.S. companies have lost billions in intellectual property." For more on the spread of malicious software, read Saturday's New York Times article, "Thieves Winning Online War, Maybe Even in Your Computer."

Kellermann describes a behind-the-scenes effort by several members of the commission, five of whom are advisers on President-elect Barack Obama's transition team, to convince him of the need for action "to stop the hemorrhaging of national secrets, proprietary information, and personal data. We need to begin to deal with this cancer." Informal briefings by members of the commission, starting last July, seem to have affected Obama's thinking, sources say. Those who worry about the problem are heartened by his July 16 vow to "declare our cyber-infrastructure a strategic asset" and to "bring together government, industry, and academia to determine the best ways to guard the infrastructure that supports our power." At the time, the candidate also pledged that, if elected, he would appoint a "national cyber advisor" who would report directly to the President.

The Threat from China

Over the past 11 months, BusinessWeek has examined high-tech security threats to U.S. weapons systems and to government and defense industry computer networks. The three main installments in the BusinessWeek series were based on previously undisclosed documents and interviews with more than 100 current and former government employees, defense industry executives, and people with ties to U.S. military, space, and intelligence agencies. They are: E-spionage (BusinessWeek, 4/10/08), Dangerous Fakes (BusinessWeek, 10/2/08), and The Taking of NASA's Secrets (BusinessWeek, 11/20/08).

As the world's corporations, governments, military forces, and computer users have gravitated to the Web, so have competitors, adversaries, criminals, and spies, including government-backed electronic operatives establishing footholds for potential attacks, according to groups such as the congressionally created U.S.-China Economic & Security Review Commission, which warned on Nov. 21 of the threat from China (BusinessWeek.com, 11/21/08).

"The damage from cyber attack is real," states the cybersecurity group's report, referring to intrusions last year at the departments of Defense, State, Homeland Security, and Commerce, and at NASA and the National Defense University.

Hacking for 'friendly fire'

The report continues: "The Secretary of Defense's unclassified e-mail was hacked and DOD officials told us that the department's computers are probed hundreds of thousands of times each day; a senior official at State told us the department has lost 'terabytes' of information; Homeland Security suffered 'break-ins' in several of its divisions, including the Transportation Security Agency; Commerce was forced to take the Bureau of Industry and Security offline for several months; NASA had to impose e-mail restrictions before shuttle launches and allegedly has seen designs for new launchers compromised. Recently, the White House itself had to deal with unidentifiable intrusions in its networks."

The report mentions some of the most severe threats, such as those being faced by U.S. war fighters in Iraq and Afghanistan, only hypothetically. It notes, for instance, that "the U.S. has a 'blue-force tracking' that tells commanders where friendly forces are located," and then goes on to posit a scenario under which an opponent could turn some of the blue signals to red, a color used to flag adversaries' forces. The implication is that an intruder might, for instance, provoke a so-called friendly-fire incident in which U.S. fighters mistakenly target U.S. personnel.

At least six members of the commission approached by BusinessWeek declined to share specifics of the most recent intrusions into the computers of companies, the Pentagon, the U.S. Central Command, and important centers of military operations such as Bagram Air Base in Afghanistan. Defense and intelligence officials also declined to describe the operational impacts of that massive penetration of corporate and military networks, but they did confirm that it culminated Nov. 22 in the raising of U.S. Strategic Command's threat level—known as INFOCON—which entailed banning plug-in devices such as thumb drives throughout the U.S. military and in some allied forces. Emergency briefings were also given to Obama and President Bush.

U.S. military fights agent.btz

As first reported Nov. 28 by the Los Angeles Times in "Cyber-Attack on Defense Department Computers Raises Concerns," the intrusion and compromise of the U.S. military networks began with a piece of malicious software—or malware—known as agent.btz, which has also afflicted corporate networks in recent months, U.S. military officials and private cybersecurity specialists confirmed. Such intrusions have grown increasingly sophisticated and difficult to trace to their origins. The latest generation of malware, developed by gangs and governments with large sums of money at their disposal, can easily cloak its activities and capabilities.

Complicating the cleanup is not only the nature of the malicious software, but the sheer scale of the task: The U.S. military has around 7 million vulnerable electronic devices. U.S. military officials tell BusinessWeek that assuring themselves that they have cleansed their computers of the intruders that gained a foothold via agent.btz has grown increasingly uncertain and expensive. Forensics examinations and the reprogramming of each computer—which continues in the Pentagon, in Central Command headquarters in Tampa, and in military installations in Afghanistan—costs around $5,000 to $7,000 per machine, sources said.

Kellermann and other computer security consultants declined to discuss the threat to the U.S. military, though several said they were intimately familiar with it. But Kellermann said it was yet another example of how "the cyber security threat has really gotten out of control. But it's not only a national security threat. It's an economic security threat."

(The same threats are glaring at India and other countries, as well - Editor)

Chinese Hacking Led to Govt Email Order

RISK : Chinese Hacking Led to Govt Email Order

Bharti Jain

ET Bureau

8 Dec 2008

http://economictimes.indiatimes.com/News/PoliticsNation/Chinese_hacking_led_to_govt_email_order/articleshow/3806214.cms

NEW DELHI: Officials in the PMO have been asked not to use google mail for official communication in view of Chinese hackers having broken into the PMO’s internal networking systems recently.

The news of cyber spying on PMO communications by the Chinese comes close on the heels of hackers, also from China, having gained access to the ministry of external affairs' internal communications network. Similar cyber attacks were also reported at the National Informatics Centre (NIC), suspected to be aimed at the National Security Council.

The hackers, by breaking into the communication networks of officialdom, gain access to emails through which officials communicate policy and decisions to other ministries and arms of the government. Mostly found to be mounted from dial-up internet connections in China, at least 3-4 attacks are reported every day on Indian servers.

The NIC is said to have also traced the IP addresses used to hack into PMO communication networks to China. The hackers had basically targeted email communications using Google mail, or Gmail.

Based on the findings, the PMO has sent instructions to all its officers and staff to desist from using Google mail for sending or receiving official communication. The exposure of official communications within the PMO to hackers has raised a question mark over the security of cyber systems used by the government for internal confabulations and policy making. Though key communications within the government are encrypted and secure, the Chinese hackers appear to have exploited the alleged security loopholes and are using programmes and designing software that can decrypt the system and bypass the security systems installed.

The cyber assault has the Indian security agencies worried, as it exposes India’s official networks to constant scanning and mapping by the Chinese. This, experts fear, may arm Beijing with a strategic advantage in the event of a conflict, as hackers would know exactly how to disable the networks or distract them.

The National Technical Research Organisation (NTRO) under National Security Adviser M K Narayanan is tasked with coordinating with NIC experts to encrypt official communication and firewall networks against hackers. However, the limited resources available restrict the agency from hiring the best IT brains, most of whom are in the private sector, to create fully secure cyber networks that can withstand all attempts at hacking.

It seems the government is simply going by the premise that “prevention is better than cure.” So, rather than devising impregnable cyber defence mechanisms, it is falling back on eliminating the most hacked mail service.

New Chinese Rules Require Disclosure of Security Technology

CHINA : New Chinese Rules Require Disclosure of Security Technology

China irks US with computer security review rules

Bonnie Cao

Associated Press

Dec 8, 2008

http://tech.yahoo.com/news/ap/20081208/ap_on_hi_te/as_tec_china_us_tech_tensions

BEIJING - The Chinese government is stirring trade tensions with Washington with a plan to require foreign computer security technology to be submitted for government approval, in a move that might require suppliers to disclose business secrets.

Rules due to take effect May 1 require official certification of technology widely used to keep e-mail and company data networks secure. Beijing has yet to say how many secrets companies must disclose about such sensitive matters as how data-encryption systems work. But Washington complains the requirement might hinder imports in a market dominated by U.S. companies, and is pressing Beijing to scrap it.

"There are still opportunities to defuse this, but it is getting down to the wire," said Duncan Clark, managing director of BDA China Ltd., a Beijing technology consulting firm. "It affects trade. It's potentially really wide-scale."

Beijing tried earlier to force foreign companies to reveal how encryption systems work and has promoted its own standards for mobile phones and wireless encryption.

Those attempts and the new demand reflect Beijing's unease about letting the public keep secrets, and the government's efforts to use its regulatory system to help fledgling Chinese high-tech companies compete with global high-tech rivals. Yin Changlai, the head of a Chinese business group sanctioned by the government, has acknowledged that the rules are meant to help develop China's infant computer security industry by shielding companies from foreign rivals that he said control 70 percent of the market.

The computer security rules cover 13 types of hardware and software, including database and network security systems, secure routers, data backup and recovery systems and anti-spam and anti-hacking software. Such technology is enmeshed in products sold by Microsoft Corp., Cisco Systems Inc. and other industry giants.

Giving regulators the power to reject foreign technologies could help to promote sales of Chinese alternatives. But that might disrupt foreign manufacturing, research or data processing in China if companies have to switch technologies or move operations to other countries to avoid the controls. Requiring disclosure of technical details also might help Beijing read encrypted e-mail or create competing products.

"I think there's both a national security goal and an industrial policy goal to this," said Scott Kennedy, an Indiana University professor who studies government-business relations in China. "I'm sure before they came out with this, there was a discussion with industry and industry probably was giving them lots of requests about what should be included."

American officials objected to the rules in August at a regular meeting of the U.S.-China Joint Commission on Commerce and Trade.

"We don't believe China imposing these regulations is consistent with its trade commitments," said a U.S. Embassy spokesman, who spoke on condition of anonymity in line with official policy. "If there is an international standard that has been agreed upon by the international community, then that's the standard."

China agreed to delay releasing detailed regulations pending negotiations, but has not postponed the May enforcement deadline. No date has been set for more talks.

"We don't really view them announcing a delay in publication as a resolution to the issue," the American official said.

The agency that will enforce the rules, the China Certification and Accreditation Administration, said in a written statement they are meant to protect national security and "advance industry development." But it did not respond to questions about what information companies must disclose and how foreign technology will be judged.

An official of one foreign business group said companies were reluctant to talk publicly for fear of angering Chinese authorities while negotiations were under way.

Microsoft, Cisco, Sun Microsystems Inc. and security-software makers McAfee Inc. and Symantec Corp. did not respond to requests for comment. A spokesman for chip maker Intel Corp. said it would obey Chinese law but did not respond to questions about how it might be affected. A spokeswoman for personal computer maker Dell Inc. said it could not comment until detailed regulations are released. A spokesman for IBM Corp. said its products are not covered by the rules.

China has one of the largest technology markets, with more than 253 million Internet users and 590 million mobile phone accounts. It has tried to leverage that to promote its high-tech industries, which lag foreign competitors.

China prompted an outcry in 2006 when it tried to require computer and phone companies to use its WAPI wireless encryption standard. That would have given Chinese companies that developed the standard a head start in creating products and let them collect royalties from foreign competitors. Beijing dropped its demand after Washington complained it was a trade barrier.

In 2001, Beijing tried to require computer and software suppliers to disclose how their encryption systems worked. That was scrapped after companies said the demand was too broad and trade secrets might fall into the hands of Chinese competitors.

China also developed its own standard for third-generation mobile phones to compete with two global standards. But it agreed to let Chinese carriers use all three standards after U.S. and European officials expressed concern that it might try to keep out foreign technology.

21 million German bank accounts for sale

SALE : 21 million German bank accounts for sale

by Robert McMillan

December 8, 2008

IDG News Service

http://www.itworld.com/security/58947/report-21-million-german-bank-accounts-sale

Black market criminals are offering to sell details on 21 million German bank accounts for €12 million (US$15.3 million), according to an investigative report published Saturday.

Reporters for WirtschaftsWoche (Economic Week) managed to obtain a CD containing 1.2 million accounts after a November face-to-face meeting with criminals in a Hamburg hotel, according to the magazine.

Posing as buyers working for a gambling business, the journalists were able to strike a price of €0.55 per record, or €12 million for all the data. They were given a CD containing the 1.2 million accounts when they asked for assurances that the information they would be buying was legitimate.

That CD contained the names, addresses, phone numbers, birthdays, account numbers and bank routing numbers of the theft victims, they reported. In some cases, the victim's account balance was also provided. The data was most likely collected from call center employees, the magazine reports.

Although banking passwords were apparently not included on the CD, criminals would be able to use this data to withdraw funds from a victim's account, said Thierry Zoller, an independent security consultant based in Luxembourg.

Scammers could use this type of information to initiate a large number of debits from German banks, making each withdrawal small in hopes that it would not be noticed by the victim, he said.

This is the second high-profile German data breach in the past two months. In October, Deutsche Telekom reported that thieves had stolen a storage device containing account information on about 17 million customers of its T-Mobile Germany subsidiary. That breach did not involve bank or credit card information, however.

When sold in small quantities, full bank account details can fetch as much as $1,000 per record, said Avivah Litan, an analyst with Gartner Research. "Without a doubt, bank accounts yield the highest value in the black market," she said.

She said that it's remarkable that this type of breach was reported in Germany.

"You'd think Germany would have some of the tightest controls around bank account data," Litan said. "Europe has very strong privacy laws and Germany is one of the biggest enforcers of those privacy laws. So I think the fact that this data was available on the German black market shows how far the criminals have gone."

Quote of the day

Political language … is designed to make lies sound truthful and murder respectable, and to give an appearance of solidity to pure wind.

George Orwell

New IT Term of the day


SQL injection

A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet, bypassing the firewall. SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization’s host computers through the computer that is hosting the database.

SQL injection attacks typically are easy to avoid by ensuring that a system has strong input validation.
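To make the definition above concrete, here is an added example (not part of the original page) that builds a small in-memory SQLite table with constructed sample rows and runs the same lookup two ways: once with the query assembled by string concatenation, which lets a crafted username rewrite the WHERE clause and return every row, and once with a parameterized query, which treats the same text as plain data. The table, the usernames and the `validate_username` whitelist are assumptions for the demonstration; parameterization is the primary defense and the whitelist is the "strong input validation" the term refers to, layered on top.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the page).
SAMPLE_USERS = [("alice", "alice-secret"), ("bob", "bob-secret")]


def make_db():
    """Create an in-memory database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, secret) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn, username):
    """Insecure: the caller's text is pasted into the SQL command itself.

    A value such as  x' OR '1'='1  turns the statement into
    SELECT ... WHERE username = 'x' OR '1'='1'  and matches every row.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Secure: the driver binds the value separately from the SQL text,
    so quotes and keywords in the input never change the command."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


def validate_username(username):
    """Whitelist validation (assumed policy): letters, digits, underscore,
    1 to 32 characters. Reject anything else before it reaches the database."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None


def demo():
    """Run both lookups against the same hostile input and report the results."""
    conn = make_db()
    hostile = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, hostile),      # every user leaks
        "parameterized": lookup_parameterized(conn, hostile),  # no match
        "validated": validate_username(hostile),             # rejected up front
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The parameterized lookup is the fix to keep; input validation alone is fragile because the set of dangerous characters depends on the database and the query context, whereas binding parameters removes the ambiguity between code and data entirely.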

Digging Deeper Into the Check Free Attack

TREND : Digging Deeper Into the Check Free Attack

By Brian Krebs

SecurityFix, washingtonpost.com

December 6, 2008

http://voices.washingtonpost.com/securityfix/2008/12/digging_deeper_into_the_checkf.html

The hijacking of the nation's (US) largest e-bill payment system this week offers a glimpse of an attack that experts say is likely to become more common in 2009.

Atlanta based CheckFree acknowledged Wednesday that hackers had, for several hours, redirected visitors to its customer login page to a Web site in Ukraine that tried to install password-stealing software.

While this attack garnered few headlines, there are clues that suggest it may have affected a large number of people. CheckFree claims that more than 24 million people use its services. Avivah Litan, a fraud analyst with Gartner Inc., said CheckFree controls between 70 and 80 percent of the U.S. online bill pay market. Among the 330 kinds of bills consumers can pay through CheckFree are military credit accounts, utility bills, insurance payments, mortgage and loan payments.

A spokeswoman for Network Solutions, the Herndon, Va., domain registrar that CheckFree used to register its Web site name, told Security Fix Wednesday that someone had used the correct credentials needed to access and make changes to CheckFree's Web site records. Network Solutions stressed that the credentials were not stolen as a result of a breach of their system, suggesting that the user name and password needed to make changes to CheckFree's Web site could have been stolen either after a CheckFree employee's computer was infected with password-stealing malware, or an employee may have been tricked into giving those credentials away through a phishing scam.

There are several indications that the credentials may have been stolen through a phishing attack aimed at Network Solutions customers. Roughly one month ago, Network Solutions warned that phishers were trying to trick its customers into entering their Web site credentials at a fake Network Solutions Web site.

At about that same time, a similar phishing attack was spotted spoofing eNom, the second-largest domain name registrar, according to registrarstats.com (Network Solutions has the fourth largest stable of domain names, data from RegistrarStats shows).

Interestingly, CheckFree.com was not the only site that the attackers hijacked and redirected to the Ukrainian server. Tacoma, Wash., based anti-phishing company Internet Identity found at least 71 other domains pointing to the same Ukrainian address during that same time period. Of those, 69 were registered at either eNom or Network Solutions, and all appeared to be legitimate domains that had been hijacked.

Still, the phishing angle suggests that the attackers managed to phish not only an employee at CheckFree, but an employee who happened to know the credentials needed to administer the company's site records. This may seem like a logical stretch, and perhaps it is.

Regardless of how the credentials were stolen, however, the registrars remain an attractive target for cyber criminals, according to a sobering study (PDF) released this summer by a security advisory group to Internet Corporation for Assigned Names and Numbers (ICANN), which oversees domain registrars.

In an unrelated study conducted last year, Internet Identity examined some 12,305 domain names used by U.S. banks, and found that 70 percent of them were registered at a single domain registrar: Network Solutions.

In a note to Security Fix, Internet Identity President Rod Rasmussen said the 12,305 domains covers the entire banking industry plus select e-commerce and infrastructure providers, which is more like 30,000 institutions. He said the reason for the apparent disparity between those two numbers is that there are a large number of banks and credit unions that use third party platforms for their online banking.

"That means that those platform providers are especially tempting targets, as they have dozens or even hundreds of small financial institutions that they handle online banking and other transactions for," Rasmussen said. "Those small institutions have no control over the DNS for those platform providers so are completely dependent upon them to make sure their domains are secure. CheckFree would certainly fit into that platform provider category."

Gartner's Litan said this raises the question: What kind of security mechanisms are in place at Network Solutions to ensure that someone armed with the credentials for any of these Web sites can't simply redirect visitors to a malicious or counterfeit Web site? Perhaps other financial institutions have insisted on additional security measures, but all that was needed in this case to seize control over CheckFree's site was a single set of credentials.

"If all that's protecting a bank's Web site is a user name and password, that's kind of like having a massive vulnerability in the core of the Internet," Litan said. "This could have been a lot worse, and if they can do it to CheckFree, they can do it to other banks."

A spokesperson for Network Solutions declined to discuss what - if any - additional security measures the company has in place for bank Web sites. Likewise, CheckFree isn't saying much about the attack, except that it is implementing an aggressive outreach plan to help affected users assess their computers and clean the malicious software if their PCs have been infected. The company says it has begun notifying potentially affected users, and that those customers will receive complimentary McAfee anti-virus software and Deluxe ID Theft Block credit monitoring service.

"In addition, affected users will also have a special McAfee link to assess their computers to see if any viruses exist and if they do, will be provided a free clean up as well as complimentary updated antiviral software," CheckFree said in a statement. "We are working with our clients to provide this service."

CheckFree declined to answer any specific questions, such as how it knows exactly how many and which customers may have been affected. Security Fix heard from a trusted source who claims to have had direct access to a log of visitors to the Ukrainian site during the hours that CheckFree's site was being redirected there. That source, who asked to remain anonymous so as not to compromise his role in the investigation, said the log indicates that at least 5,000 people were redirected to the Ukrainian site during the four and a half hours of the attack early Tuesday morning. It is unclear whether that was a count of visitors whose systems were successfully infected with the malicious software the site was trying to foist, or whether it was a simple log of the number of visitors to the site.

The incident, however, highlights an attack that we are likely to see more frequently next year, said Panos Anastassiadis, chief executive at Cyveillance, a cyber intelligence company in Arlington, Va.

"This type of attack is going to come in a dozen flavors in the coming months," Anastassiadis said. "Registrars don't comprehend the layers of security they may be forced to put in place as a result."

Two held over BNP membership leak in UK

ARREST : Two held over BNP membership leak in UK

Pair arrested in Nottinghamshire as part of inquiry into alleged offences under the Data Protection Act

Angela Balakrishnan and agencies

guardian.co.uk

December 5 2008

http://www.guardian.co.uk/politics/2008/dec/05/bnp-leak-arrests

Police have arrested two people in Nottinghamshire over the leak of the BNP membership list on the internet.

The arrests came as part of an investigation by the Welsh police, who are in charge of the case, and the information commissioner's office.

Police said the pair, who have not been named, were held in connection with alleged offences under the Data Protection Act.

A spokesman for Dyfed Powys police said: "We can confirm that last night Nottinghamshire police arrested two people as part of a joint investigation with Dyfed Powys police and the information commissioner's office in conjunction with alleged criminal offences under the Data Protection Act.

"The arrests followed an investigation into a complaint received about the unauthorised release of the BNP party membership list."

The revelation of the party's 13,500-strong membership list last month caused an uproar after thousands of people were identified as supporters of the far right. The exposure left many facing the risk of dismissal from work, disciplinary action or vilification.

The list, which was thought to include those who had expressed an interest in the party but had not signed up, included the names of police officers, solicitors, a doctor and a number of teachers. As well as names and addresses, the list included details such as home and mobile phone numbers and email addresses.

The BNP said the list dated from 2007 and some people on it were no longer members.

The party leader, Nick Griffin, claimed that he knew the identity of the person who published the list, describing him as a "hardliner" senior employee who left the party last year.

The BNP is known to go to considerable lengths to conceal the identities of its members. Membership lists are held on computer spreadsheets, usually by an official based in York. Limited lists are sent to local organisers as encrypted attachments to emails that can be accessed only by officials who have been given a password.

When SOP and Checks & Controls are bypassed!

VERGE : When SOP and Checks & Controls are bypassed!

A hoax call that could have triggered war – an example of Social Engineering

By Zaffar Abbas

The Dawn, Pakistan

06 December 2008

http://www.dawn.com/2008/12/06/top2.htm

ISLAMABAD, Dec 5: Nuclear-armed Pakistan went into a state of 'high alert' last weekend and was eyeing India for possible signs of military aggression, after a threatening phone call was made to President Asif Ali Zardari by someone in Delhi posing as the Indian External Affairs Minister Pranab Mukherjee.

Whether it was mere mischief or a sinister move by someone in the Indian external affairs ministry, or the call came from within Pakistan, remains unclear, and is still a matter of investigation. But several political, diplomatic and security sources have confirmed to Dawn that for nearly 24 hours over the weekend the incident continued to send jitters across the world. To some world leaders the probability of an accidental war appeared very high.

It all started late on Friday, November 28. Because of the heightened tension over the Mumbai carnage, some senior members of the presidential staff decided to bypass the standard procedures meant for such occasions, including verification of the caller and involvement of the diplomatic missions, and transferred the late-evening call to Mr Zardari. The caller introduced himself as Pranab Mukherjee and, while ignoring the conciliatory language of the president, directly threatened to take military action if Islamabad failed to immediately act against the supposed perpetrators of the Mumbai killings.

As the telephone call ended many in the Presidency were convinced that the Indians had started beating the war drums. Within no time intense diplomatic and security activity started in Islamabad. Signals were sent to everyone who mattered about how the rapidly deteriorating situation may spiral out of control. Prime Minister Yousuf Raza Gilani was advised to immediately return to the capital from Lahore, and a special plane (PAF chief's) was sent to Delhi to bring back the visiting Foreign Minister Shah Mehmood Qureshi early in the morning on Nov 29 even when he was already booked to return by a scheduled PIA flight the same evening.

It was against this backdrop that some top Pakistani security officials briefed a few media persons on Saturday afternoon about a "threatening phone call" by the Indian external affairs minister to "someone" at the top in Islamabad. They also talked of Delhi's decision to put its air force in a state of "high alert", and described the following 24 to 48 hours as extremely critical. One of the top security officials even announced the possibility of shifting tens of thousands of troops from its western border with Afghanistan to its eastern frontier with India.

Sources said that during this period the Pakistan air force was at the highest alert. Among the citizens of Rawalpindi and Islamabad, who may have noticed fighter jets screaming overhead on Saturday morning, none would have known that the warplanes were mounting patrols with live ammunition. One senior official refused to call it a panic decision. "War may not have been imminent, but it was not possible to take any chances," he told Dawn.

Intense diplomatic efforts that started late on Friday went on throughout the following day. During this period phone calls were made from Islamabad to some of the top officials and diplomats in Washington, including Condoleezza Rice, and the US Secretary of State called Mr Mukherjee and others in India in a night-long effort to understand what might have gone wrong, and to persuade the two sides to bring down the temperature.

During this time, it was also revealed, an attempt was also made by the mysterious caller, claiming to be the Indian external affairs minister, to speak to the US Secretary of State, but due to specific checks laid down by the Americans, the call couldn't get through to Dr Rice.

These sources said that when Condoleezza Rice contacted Mr Mukherjee in the middle of the night to inquire about the reasons for hurling such threats at Pakistan he reportedly denied having any such conversation with President Zardari. The Indian minister reportedly told Dr Rice that the only telephonic conversation he had was with his Pakistani counterpart on Friday when Mr Qureshi was still in Delhi. And, according to him, the tone of that discussion was quite cordial --- a fact later confirmed by the Pakistani foreign minister at a news conference in Islamabad on Saturday.

As the international effort to defuse the tension intensified, matters started to clear up and by late Saturday evening calm began to prevail. But sources admit that those 24 hours made many people in Islamabad and Delhi and, perhaps in Washington, quite anxious. Perhaps for this reason, the Americans decided against taking any further chances, and Condoleezza Rice was asked to travel to the region to personally ensure the return from the brink.

Since then investigators have tried to track down the number from where the call was made. Some of the senior diplomats and intelligence officials are convinced the source of the mischief was someone in the Indian external affairs ministry. They base their case on the Caller ID, which established a Delhi number. On the other hand, the Indians have told the Americans that no call was made from any of the numbers of the external affairs ministry, and have hinted at the possibility of manipulation in the caller ID.

But, as admitted by a top official in Islamabad, the more serious issue was the bypassing of the standard operating procedure, which put such a call through to the President almost directly without even verifying the identity of the caller. In such a situation, the procedure is to take down the number and the message, consult the foreign ministry, involve the high commission, and then call back on the given number. The sources said none of this was done.

As a result, the hoax call to the presidency triggered a major diplomatic crisis. Since then, the authorities have reworked the procedures by putting enough checks and filters for such high-level contacts in order to avoid embarrassment in the future.

IT Act amendments to align with European Cyber Convention

LAW : IT Act amendments to align with European Cyber Convention

BS Reporter / Hyderabad

December 04, 2008

http://www.business-standard.com/india/news/it-act-amendments-to-be-in-lineeuropean-cyber-convention/11/41/50610/on

The proposed amendments in the legal framework of the IT Act 2006 will be in line with the European Cyber Convention, said Gulshan Rai, director-general of the Indian Computer Emergency Response Team (CERT-In).

“We are in the process of amending our legal framework to address issues posed by new technologies and new crimes being observed in the cyberspace. The Parliament standing committee has made a number of suggestions to make the legal framework of the IT Act 2006 more comprehensive. Based on the suggestions, we have made amendments in the Act. These amendments deal with data security and data privacy, identity theft, cyber terrorism, child pornography, Spam, phishing and online frauds,” he said at the Internet Governance Forum 2008 in Hyderabad on Wednesday.

Post the amendments, corporate bodies will have to implement best security practices to secure data collected by them while providing services. Any leakage of the data of their account will result in payment of compensation to the victim, he said, adding “We will be moving these amendments in the Parliament session which is being convened shortly.”

“The challenge, however, still remains in training police and judicial officials to collect, analyse and present digital evidence in courts. We are working in this direction,” he added.

Also see:

http://www.hindu.com/2008/12/05/stories/2008120556241400.htm and

http://mangalorean.com/news.php?newstype=local&newsid=103793
