<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8896255</id><updated>2011-08-04T02:17:49.955-07:00</updated><title type='text'>Information Security Research</title><subtitle type='html'>By Hasan Cavusoglu</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://cavusoglu.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>80</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8896255.post-4821684509950509529</id><published>2010-04-06T14:26:00.000-07:00</published><updated>2010-04-06T14:33:17.440-07:00</updated><title type='text'>Cyber Espionage Report Released</title><content type='html'>The Information Warfare Monitor -which is comprised of Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group- and the Shadowserver Foundation just released "&lt;a href="http://shadows-in-the-cloud.net/"&gt;Shadows in the Cloud: An investigation into cyber espionage 2.0.&lt;/a&gt;". 
As Rafal Rohozinski, a senior research advisor at the Citizen Lab, Munk School of Global Affairs, University of Toronto, puts it: "Cyber espionage has gone industrial. We are witnessing cloud-based techniques and tradecraft from cybercrime being repurposed to target government systems and computers belonging to officials entrusted with state or commercial secrets. Whether the attackers are working for state agencies, or freelancing and selling stolen data or tradecraft on the global graymarket - this report is a clear wake-up call that the threat of advanced persistent threats is very real and requires measured international action." Are we going to see governments take precautions against cyber threats? We will see.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-4821684509950509529?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/4821684509950509529'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/4821684509950509529'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2010/04/cyber-espionage-report-released.html' title='Cyber Espionage Report Released'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-800187435011114549</id><published>2010-03-17T23:41:00.000-07:00</published><updated>2010-03-17T23:44:08.370-07:00</updated><title type='text'>Cybercrime costs $559M</title><content type='html'>The Crime Complaint Center (IC3) reported that cybercrime caused a US$559 million loss in 2009. 
Read more &lt;a href="http://www.calgaryherald.com/news/Cybercrime+costs+559M/2683657/story.html"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-800187435011114549?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/800187435011114549'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/800187435011114549'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2010/03/cybercrime-costs-559m.html' title='Cybercrime costs $559M'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-3063850808643138892</id><published>2010-03-07T13:09:00.000-08:00</published><updated>2010-03-07T13:18:50.061-08:00</updated><title type='text'>Wiseguy Ticket Versus Ticketmaster</title><content type='html'>A federal court in NJ put forward an indictment charging four people associated with Wiseguy Ticket with using sophisticated computer programs to purchase blocks of good tickets from Ticketmaster, in violation of Ticketmaster's rule on the maximum number of tickets one can purchase for an event through Ticketmaster. The alleged criminals found a way to bypass the measures Ticketmaster put in place to ensure that only a certain number of tickets can be purchased by each individual. 
While prosecutors came up with a convincing case, the defendants paid the full price for those tickets, so it is still not clear whether what happened is a crime, according to a NYTimes &lt;a href="http://dealbook.blogs.nytimes.com/2010/03/05/the-fans-are-disappointed-but-is-that-a-crime/?ref=technology"&gt;article&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-3063850808643138892?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/3063850808643138892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/3063850808643138892'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2010/03/wiseguy-ticket-versus-ticketmaster.html' title='Wiseguy Ticket Versus Ticketmaster'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-7405611440299983862</id><published>2009-08-19T09:34:00.000-07:00</published><updated>2009-08-19T09:40:32.498-07:00</updated><title type='text'>New Record (!): The biggest incidence of stolen credit card</title><content type='html'>This time around, information on 130 million credit cards was stolen by an American and two unnamed foreign hackers, according to &lt;a href="http://www.theglobeandmail.com/news/technology/identity-theft-case-puts-130-million-at-risk/article1256049/"&gt;FT&lt;/a&gt;. The biggest incident before this was the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;TJX&lt;/span&gt; case, where information on 45 million credit cards was stolen in 2006. What will be next? 
200 million?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-7405611440299983862?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/7405611440299983862'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/7405611440299983862'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2009/08/new-record-biggest-incidence-of-stolen.html' title='New Record (!): The biggest incidence of stolen credit card'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-687478774047295647</id><published>2009-08-13T09:04:00.000-07:00</published><updated>2009-08-13T09:07:35.911-07:00</updated><title type='text'>Wallet of the future</title><content type='html'>Your cellphone will be your wallet in the future, CNN &lt;a href="http://www.cnn.com/2009/TECH/08/13/cell.phone.wallet/index.html"&gt;reports&lt;/a&gt;. That means that we will see a lot of viruses and worms targeting cellphones in the near future.  
Be aware and ready.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-687478774047295647?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/687478774047295647'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/687478774047295647'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2009/08/wallet-of-future.html' title='Wallet of the future'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-9142407989498462364</id><published>2009-06-22T13:10:00.000-07:00</published><updated>2009-06-22T13:20:15.228-07:00</updated><title type='text'>Eying on the Twitter</title><content type='html'>&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Cyber&lt;/span&gt; criminals are targeting Twitter as it becomes increasingly popular. It is no surprise to many security experts that these criminals always look for new avenues to explore. This time around, the target is Twitter. Let's wait and see what the next target will be. 
&lt;a href="http://www.cnn.com/2009/TECH/06/21/cyber.crime.internet/index.html"&gt;Here&lt;/a&gt; is the CNN report on Twitter.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-9142407989498462364?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/9142407989498462364'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/9142407989498462364'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2009/06/eying-on-twitter.html' title='Eying on the Twitter'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-3748305934485916733</id><published>2009-06-06T20:32:00.000-07:00</published><updated>2009-06-06T20:46:39.564-07:00</updated><title type='text'>Malicious Code Threats</title><content type='html'>Malicious code has posed one of the most significant security challenges for users of the Internet since its inception. Every year, security practitioners are amazed by the sheer volume of new security-threatening activity. 2008 was no different. &lt;a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport"&gt;The &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Symantec&lt;/span&gt; Internet Security Threat Report&lt;/a&gt; indicated that Symantec created 1,656,227 new malicious code signatures in 2008, a 165 percent increase over 2007. 
While there are many reasons why we see so many new threats, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Symantec&lt;/span&gt; attributed the explosive growth to the &lt;em&gt;professionalism of malicious code development&lt;/em&gt;, which is fueled by the demand for goods and services that facilitate online fraud.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-3748305934485916733?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/3748305934485916733'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/3748305934485916733'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2009/06/malicious-code-threats.html' title='Malicious Code Threats'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-8840354280130722368</id><published>2009-06-06T19:47:00.000-07:00</published><updated>2009-06-06T19:57:01.339-07:00</updated><title type='text'>High School student causes cancellation of the graduation ceremony</title><content type='html'>It is reported that a high school student in Ohio stole tests by hacking into the school's computer system. Apparently, half the seniors cheated or knew of the cheating and didn't report it, according to a district officer. The &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Centerburg&lt;/span&gt; school board canceled the traditional ceremony due to the cheating scandal just discovered. In the end, all seniors except the hacker did get their diplomas. It is a really "good" message to give: "you can cheat but don't hack"! 
&lt;a href="http://www.columbusdispatch.com/live/content/local_news/stories/2009/06/06/altgrad.html?sid=101"&gt;More &lt;/a&gt;on this.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-8840354280130722368?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/8840354280130722368'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/8840354280130722368'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2009/06/high-school-student-causes-cancellation.html' title='High School student causes cancellation of the graduation ceremony'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-6470180375069027425</id><published>2009-06-06T11:54:00.000-07:00</published><updated>2009-06-06T11:56:33.440-07:00</updated><title type='text'>Do aerial images threaten the national security?</title><content type='html'>Some critics argue that aerial images online endanger national security. What do you think? 
&lt;a href="http://www.cnn.com/2009/TECH/06/05/aerial.images.security/index.html#cnnSTCText"&gt;Here &lt;/a&gt;is their argument.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-6470180375069027425?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/6470180375069027425'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/6470180375069027425'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2009/06/do-aerial-images-threaten-national.html' title='Do aerial images threaten the national security?'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-8677369264004421847</id><published>2009-06-06T11:36:00.000-07:00</published><updated>2009-06-06T11:50:05.766-07:00</updated><title type='text'>Obama on Information Security</title><content type='html'>President B. H. Obama has created a position to oversee a new comprehensive approach to securing America's digital infrastructure. It seems that &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;cybersecurity&lt;/span&gt; is one of the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;USA's&lt;/span&gt; top priorities now. &lt;a href="http://www.cnn.com/2009/POLITICS/05/29/cyber.czar.obama/index.html"&gt;More&lt;/a&gt; on this. &lt;a href="http://www.pcworld.com/businesscenter/article/166200/obamas_cybersecurity_dream_could_come_true.html"&gt;Some people &lt;/a&gt;were impressed. Despite the effort, some experts argue that the new game plan lacks specifics and might deliver expectations. 
&lt;a href="http://www.pcworld.com/article/165873/experts_obama_cybersecurity_plan_short_on_details.html"&gt;More&lt;/a&gt; on this. If you are interested, you can read the White House report on information security &lt;a href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-8677369264004421847?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/8677369264004421847'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/8677369264004421847'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2009/06/obama-on-information-security.html' title='Obama on Information Security'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-5027481565179743682</id><published>2009-04-09T08:44:00.000-07:00</published><updated>2009-04-09T08:49:40.109-07:00</updated><title type='text'>Malicious Code Embedded in Power Grids</title><content type='html'>According to two former federal officials, hackers have embedded software in the United States' electricity grid and other utility networks that could potentially disrupt utility distribution to the country. While the DHS has not confirmed the incident, concerns over the security of critical infrastructure are increasing. 
&lt;a href="http://www.cnn.com/2009/TECH/04/08/grid.threat/index.html"&gt;More&lt;/a&gt; on this.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-5027481565179743682?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/5027481565179743682'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/5027481565179743682'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2009/04/malicious-code-embedded-in-power-grids.html' title='Malicious Code Embedded in Power Grids'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-3045745317555284735</id><published>2009-04-04T08:22:00.000-07:00</published><updated>2009-04-04T08:40:53.809-07:00</updated><title type='text'></title><content type='html'>Villagers in &lt;a href="http://maps.google.com/maps?q=Broughton+Village,+Milton+Keynes,+Buckinghamshire,+United+Kingdom&amp;amp;oe=UTF-8&amp;amp;sourceid=ie7&amp;amp;ie=UTF8&amp;amp;hl=en&amp;amp;cd=1&amp;amp;geocode=FU9EGgMdMmP1_w&amp;amp;split=0&amp;amp;sll=37.0625,-95.677068&amp;amp;sspn=23.875,57.630033&amp;amp;ll=52.190772,-0.697632&amp;amp;spn=1.542345,4.921875&amp;amp;z=8&amp;amp;iwloc=addr"&gt;Broughton &lt;/a&gt;did not allow Google's car to record 3-D Views of their streets. They believe that street view will create an opportunity for criminals to spot burglary targets. More on this, please click &lt;a href="http://www.cnn.com/2009/WORLD/europe/04/03/google.anger/index.html"&gt;here&lt;/a&gt;. 
It is interesting to see such a reaction from a group of people in a country where there are more than 4 million closed-circuit video surveillance cameras (&lt;a href="http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=216402758&amp;amp;cid=iwhome_art_Googl_mostpop"&gt;Information Week&lt;/a&gt;).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-3045745317555284735?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/3045745317555284735'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/3045745317555284735'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2009/04/villagers-in-broughton-did-not-allow.html' title=''/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-2080017424899518939</id><published>2009-02-17T09:24:00.000-08:00</published><updated>2009-02-17T09:29:51.306-08:00</updated><title type='text'>Should we call Facebook "The Information Blackhole" now?</title><content type='html'>Facebook has changed its service terms and conditions. The objective was to reorganize various pieces into one coherent document. But the change has raised a lot of questions about the ownership of user content after a user account is deleted. 
Read &lt;a href="http://www.cnn.com/2009/TECH/02/17/facebook.terms.service/index.html"&gt;more&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-2080017424899518939?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/2080017424899518939'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/2080017424899518939'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2009/02/should-we-call-facebook-information.html' title='Should we call Facebook &quot;The Information Blackhole&quot; now?'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-7261821125204408662</id><published>2009-02-16T10:54:00.000-08:00</published><updated>2009-02-16T10:59:14.954-08:00</updated><title type='text'>Conficker is the next Slammer!</title><content type='html'>30 percent of computers using Windows-based operating systems are vulnerable since they have not been patched with the security fix Microsoft released in October 2008. They are silently waiting for the orders of their masters now. 
Read &lt;a href="http://www.nytimes.com/2009/01/23/technology/internet/23worm.html?_r=1&amp;amp;ref=weekinreview"&gt;more&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-7261821125204408662?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/7261821125204408662'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/7261821125204408662'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2009/02/conficker-is-next-slammer.html' title='Conficker is the next Slammer!'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-8816925434009501647</id><published>2008-05-15T10:01:00.000-07:00</published><updated>2008-05-15T10:06:45.973-07:00</updated><title type='text'>Government is getting ready to launch DoS</title><content type='html'>Col. Charles Williamson III, an Air Force colonel, is suggesting the U.S. military build its own &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;botnet&lt;/span&gt; so that the US will be ready to attack the computer networks of foreign enemies, reported in &lt;a href="http://www.cnn.com/2008/TECH/05/15/military.botnet.ap/index.html"&gt;CNN.com&lt;/a&gt;. 
Are we going to see a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Cyber&lt;/span&gt; Cold War soon?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-8816925434009501647?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/8816925434009501647'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/8816925434009501647'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2008/05/government-is-getting-ready-to-launch.html' title='Government is getting ready to launch DoS'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-7885055533689162554</id><published>2008-04-24T09:36:00.000-07:00</published><updated>2008-04-24T09:45:34.426-07:00</updated><title type='text'>Outsourcing Information Security?</title><content type='html'>&lt;a href="http://www.nytimes.com/idg/IDG_852573C4006938800025743400619C49.html?ref=technology"&gt;IBM and &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Tata&lt;/span&gt; Communications &lt;/a&gt;have announced &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;separately&lt;/span&gt; that they enter into the managed security market this week. IBM was the main force behind the idea of outsourcing IT jobs years ago. They were the pioneer of outsourcing. The industry has &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"&gt;embraced&lt;/span&gt; that idea. Now, IBM is pushing managed security. 
Does it mean that managed security will be &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_3"&gt;embraced&lt;/span&gt; by the industry? We will see.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-7885055533689162554?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/7885055533689162554'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/7885055533689162554'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2008/04/outsourcing-information-security.html' title='Outsourcing Information Security?'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-6554683068643770505</id><published>2008-04-16T10:01:00.000-07:00</published><updated>2008-04-16T10:10:05.117-07:00</updated><title type='text'>You've got mail from United States District Court in San Diego!</title><content type='html'>If you have received an email from the United States District Court in San Diego, it is most likely a phishing email. According to &lt;a href="http://www.nytimes.com/2008/04/16/technology/16whale.html"&gt;NYTimes&lt;/a&gt;, this well-crafted attack targets specific, larger prey: wealthy and powerful people. Since the letter looks and sounds so authentic, even those who are well aware of such scams became victims of the latest phishing attack (for instance, a lawyer was tricked into downloading an application that allows viewing the document supposedly sent by the court). 
This is another example that shows attackers are getting smarter and more focused.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-6554683068643770505?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/6554683068643770505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/6554683068643770505'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2008/04/youve-got-mail-from-united-states.html' title='You&apos;ve got mail from United States District Court in San Diego!'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-2058394489046817394</id><published>2008-04-14T11:40:00.000-07:00</published><updated>2008-04-14T11:56:33.854-07:00</updated><title type='text'>Privacy Protection-- Microsoft Style</title><content type='html'>Last week, Microsoft proposed a 5-tier standard for protecting customer privacy when customers are targeted by the online advertisement. 
According to the proposed standard, customer consent should be sought in five key &lt;a href="http://www.newsfactor.com/news/Microsoft-Offers-Privacy-Standards/story.xhtml?story_id=032002XVIUOW"&gt;circumstances&lt;/a&gt;:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;when site visitors' data &lt;a href="http://www.cio-today.com/accuserve/accuserve-go.php?c=7450"&gt;&lt;/a&gt;is collected for online advertising, &lt;/li&gt;&lt;li&gt;when ads are delivered on unrelated sites, &lt;/li&gt;&lt;li&gt;when sites engage in behavioral advertising, &lt;/li&gt;&lt;li&gt;when personally identifiable information is used, and&lt;/li&gt;&lt;li&gt;when sensitive personal data is used.&lt;/li&gt;&lt;/ul&gt;Although there is an understanding among players in the online ads industry that there is a need for a better protection of customer privacy when they are targeted with online advertisement, there is no common understanding as to what privacy protection should be. Microsoft's move is considered as one of the boldest among the industry players so far.&lt;br /&gt;&lt;br /&gt;According to &lt;a href="http://www.nytimes.com/idg/IDG_852573C40069388000257428006153EF.html?ref=technology"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;NYTimes&lt;/span&gt;&lt;/a&gt;, Microsoft's comments on Friday are "in response to the &lt;a title="More articles about the U.S. Federal Trade Commission." href="http://topics.nytimes.com/top/reference/timestopics/organizations/f/federal_trade_commission/index.html?inline=nyt-org"&gt;U.S. 
Federal Trade Commission&lt;/a&gt;'s request for comments on its proposed privacy principles that would be self-administered by the online advertising industry."</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/2058394489046817394'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/2058394489046817394'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2008/04/privacy-protection-microsoft-style.html' title='Privacy Protection-- Microsoft Style'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-6097914427864673567</id><published>2008-04-07T12:22:00.000-07:00</published><updated>2008-04-07T13:57:47.304-07:00</updated><title type='text'>FTC Tries to keep up</title><content type='html'>As more and more customer information is collected, concerns over privacy escalate. Although there are two sides to the issue, one can wonder where the FTC stands. 
So far, it appears that the FTC prefers self-regulation of the collection and use of customer data (some people refer to it as &lt;a href="http://www.informationweek.com/news/internet/policy/showArticle.jhtml?articleID=207100082"&gt;'behavior marketing'&lt;/a&gt;) over mandatory government regulation.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/6097914427864673567'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/6097914427864673567'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2008/04/ftc-tries-to-keep-up.html' title='FTC Tries to keep up'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-4795067697254235698</id><published>2008-04-07T11:42:00.000-07:00</published><updated>2008-04-07T11:58:38.741-07:00</updated><title type='text'>HSBC Loses Data of 370,000 customers</title><content type='html'>&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;HSBC&lt;/span&gt; may be facing a fine from the &lt;a href="http://www.bba.org.uk/" target="_blank" t_above="true" t_static="true" t_fontcolor="#000000" t_fontface="Verdana,sans-serif" t_bgcolor="#ddedd9" t_width="120" t_delay="50"&gt;British Bankers' Association&lt;/a&gt; after the loss of a disk containing customer information. 
&lt;a href="http://www.bloomberg.com/apps/news?pid=20601102&amp;amp;sid=aQvdi1sEp87E&amp;amp;refer=uk"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Bloomberg&lt;/span&gt;&lt;/a&gt; reports that "a disk with personal information from 370,000 insurance customers has been lost in the mail." Although it is indicated that the information on the disk is not extremely sensitive and "there is no reason to suppose that the disk has fallen into the wrong hands", it would not be easy to &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"&gt;convince&lt;/span&gt; customers whose information is stolen. Today's take-away is again "we should not ignore physical security".</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/4795067697254235698'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/4795067697254235698'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2008/04/hsbc-loses-data-of-370000-customers.html' title='HSBC Loses Data of 370,000 customers'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-7594030116110376916</id><published>2008-03-30T14:15:00.000-07:00</published><updated>2008-03-30T14:29:46.904-07:00</updated><title type='text'>Is Apple the new Microsoft?</title><content type='html'>&lt;a href="http://www.informationweek.com/software/showArticle.jhtml?articleID=207000434"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;&lt;span 
class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;MacBook&lt;/span&gt;&lt;/span&gt; Air&lt;/a&gt; was hacked in two minutes at a security conference in Vancouver, BC this week. Microsoft has been &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;criticized&lt;/span&gt; for its software development practices, which do not pay sufficient attention to security. Now, it appears that Apple has become the focus of the industry critics. There have been studies arguing that Apple is more secure than Microsoft. But it seems that the network effect has been the reason why we did not see many security issues in Apple's products in the past. As they become more popular, they will get more attention from the hacker community. The more targets there are out there, the higher the chance that a hacker finds a vulnerable device to exploit.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/7594030116110376916'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/7594030116110376916'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2008/03/is-apple-new-microsoft.html' title='Is Apple the new Microsoft?'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-2256469158914793558</id><published>2008-03-30T13:44:00.000-07:00</published><updated>2008-03-31T12:17:57.244-07:00</updated><title type='text'>Compliance does not ensure security</title><content type='html'>It is once again documented that compliance does 
not necessarily mean security. It was recently reported that a company has been the victim of an exploit that captures customers' credit card information. According to &lt;a href="http://www.nytimes.com/aponline/technology/AP-Retail-Data-Breach.html?ref=technology"&gt;NYTimes&lt;/a&gt;, Hannaford Bros. Co., whose supermarkets are across the Northeast and in Florida, experienced a massive data breach that compromised up to 4.2 million credit and debit cards, the company said Friday.&lt;br /&gt;&lt;br /&gt;Although we have seen similar incidents before, such as T.J. Maxx's data breach, this breach is the first one in which data was stolen during transmission.&lt;br /&gt;&lt;br /&gt;Beyond the usual take-aways, I think the most important take-away from this case is that compliance does not ensure security. Apparently, &lt;a href="http://www.nytimes.com/aponline/technology/AP-Retail-Data-Breach.html?ref=technology"&gt;NYTimes&lt;/a&gt; reports that Hannaford Bros. Co. has been in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/2256469158914793558'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/2256469158914793558'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2008/03/compliance-does-not-ensure-security.html' title='Compliance does not ensure security'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' 
src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-8617012058839773106</id><published>2008-03-21T09:45:00.000-07:00</published><updated>2008-03-21T09:56:40.194-07:00</updated><title type='text'>Access Rights</title><content type='html'>&lt;a href="http://msnbcmedia1.msn.com/j/msnbc/Components/Photo_StoryLevel/080318/g-080318-cvr-obama-227p.widec.jpg"&gt;&lt;img style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 200px; CURSOR: hand" alt="" src="http://msnbcmedia1.msn.com/j/msnbc/Components/Photo_StoryLevel/080318/g-080318-cvr-obama-227p.widec.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Three presidential candidates' passport files have been accessed by unauthorized people. The State Department has confirmed that Clinton's and McCain's files have also been accessed by unauthorized employees/contractors after it was discovered that the security of Obama's file had been breached. This is another case of the difficulty of managing access rights, especially in light of complex relations with contractors. To read more, click &lt;a href="http://www.cnn.com/2008/POLITICS/03/21/obama.passport/index.html"&gt;here&lt;/a&gt;. 
(Credit: The picture is from &lt;a href="http://msnbcmedia1.msn.com/j/msnbc/Components/Photo_StoryLevel/080318/g-080318-cvr-obama-227p.widec.jpg"&gt;MSNBC&lt;/a&gt;)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/8617012058839773106'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/8617012058839773106'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2008/03/access-rights.html' title='Access Rights'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-8031439488105977257</id><published>2007-12-04T20:32:00.000-08:00</published><updated>2007-12-04T20:47:55.046-08:00</updated><title type='text'>Privacy Breach in Passport Canada Website</title><content type='html'>A passport applicant has discovered a severe vulnerability on the Passport Canada website. By changing some characters in the address bar, the personal information of passport applicants could be retrieved. After the applicant who discovered the vulnerability informed the agency, the website was taken down for repair. The agency is silent on the number of people whose personal information was exposed. 
For more on this story, please read &lt;a href="http://www.theglobeandmail.com/servlet/story/RTGAM.20071204.wpassport1204/BNStory/National/home"&gt;this article&lt;/a&gt; in The Globe and Mail.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/8031439488105977257'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/8031439488105977257'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2007/12/privacy-breach-in-passport-canada.html' title='Privacy Breach in Passport Canada Website'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-903339028314684474</id><published>2007-11-30T15:08:00.000-08:00</published><updated>2007-11-30T15:23:58.818-08:00</updated><title type='text'>Sans recommends firms to test employees with fake phishing emails</title><content type='html'>Sans' recent report highlights two important security issues that challenge organizations: (1) vulnerabilities in web applications and (2) human vulnerabilities.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/903339028314684474'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/903339028314684474'/><link rel='alternate' type='text/html' 
href='http://cavusoglu.blogspot.com/2007/11/sans-recommend-firms-to-test-employee.html' title='Sans recommends firms to test employees with fake phishing emails'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-3371290620233333695</id><published>2007-11-29T13:59:00.000-08:00</published><updated>2007-11-29T14:08:44.661-08:00</updated><title type='text'>Putting locks on your doors and windows</title><content type='html'>The FBI released &lt;a href="http://www.cnn.com/2007/TECH/11/29/fbi.botnets/index.html"&gt;a report on "&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;botnets&lt;/span&gt;&lt;/a&gt;". Although the number of victimized computers reported by the FBI might differ from the industry predictions, the report definitely highlights the danger. According to the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;FBI's&lt;/span&gt; report, there are more than 2.5 million computers &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"&gt;compromised&lt;/span&gt;, while the security industry predicts a higher number (as many as 5 million infected computers).</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/3371290620233333695'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/3371290620233333695'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2007/11/putting-locks-on-your-doors-and-windows.html' title='Putting locks on your doors and 
windows'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-5919261758215983718</id><published>2007-11-27T13:43:00.000-08:00</published><updated>2007-11-27T13:55:06.410-08:00</updated><title type='text'>Google's New Storage Service: Just wait to hear Security and Privacy Discussions</title><content type='html'>Since &lt;a href="http://online.wsj.com/public/article/SB119612660573504716-Bq5NVzJleV2QSaaDy1m2bSVXDJk_20071227.html?mod=tff_main_tff_top"&gt;The Wall Street Journal &lt;/a&gt;reported it today, we have started to hear the same rumor everywhere, including &lt;a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=204204067"&gt;Information Week&lt;/a&gt; and many others. The next wave of news and blog entries will be on how &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_0"&gt;dangerous&lt;/span&gt; it will be and how &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Google's&lt;/span&gt; storage service will pose privacy concerns, etc. 
Wait and see.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/5919261758215983718'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/5919261758215983718'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2007/11/googles-new-storage-service-just-wait.html' title='Google&apos;s New Storage Service: Just wait to hear Security and Privacy Discussions'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-861185414980813771</id><published>2007-09-25T01:30:00.000-07:00</published><updated>2007-09-25T01:30:54.275-07:00</updated><title type='text'>Investigators: Homeland Security computers hacked - CNN.com</title><content type='html'>It is kind of ironic. The department that is supposed to ensure the security of the homeland could not ensure the security of its computers. Is &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Unisys&lt;/span&gt; to blame? 
You decide: &lt;a href="http://www.cnn.com/2007/US/09/24/homelandsecurity.computers/index.html"&gt;Investigators: Homeland Security computers hacked - CNN.com&lt;/a&gt;.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/861185414980813771'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/861185414980813771'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2007/09/investigators-homeland-security.html' title='Investigators: Homeland Security computers hacked - CNN.com'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-114176776216094730</id><published>2006-03-07T13:30:00.000-08:00</published><updated>2007-09-06T21:21:27.097-07:00</updated><title type='text'>Information Security Controls in Organizations: Multidimensionality of the Construct and a Nomological Model</title><content type='html'>In a recent study titled "Information Security Controls in Organizations: Multidimensionality of the Construct and a Nomological Model" that I conducted with Huseyin Cavusoglu, Jai-Yeol Son, and Izak Benbasat, we investigated what determines a firm's emphasis on information security controls, what the major components of information security controls are, and how information security performance is influenced by information security controls. 
Those who are interested, please contact me at cavusoglu (_at_) sauder.ubc.ca.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/114176776216094730'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/114176776216094730'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2006/03/information-security-controls-in.html' title='Information Security Controls in Organizations: Multidimensionality of the Construct and a Nomological Model'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-113264319751846328</id><published>2005-11-21T23:00:00.000-08:00</published><updated>2005-11-21T23:08:59.280-08:00</updated><title type='text'>Bruce Schneier reported that financial sector is the most vulnerable to information security-related criminal activities</title><content type='html'>Counterpane Internet Security, Inc., released &lt;a href="http://www.counterpane.com/cgi-bin/attack-trends2.cgi"&gt;2005 Attack Trends: Beyond The Numbers&lt;/a&gt;. Bruce Schneier (CTO of Counterpane Internet Security, Inc.) provided valuable insight into the analysis of attack data collected between Jan 1, 2005 and Oct. 31, 2005. The results are not so new but very important:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Attacks are getting sophisticated.&lt;/li&gt;&lt;li&gt;Firms with sensitive customer information are more vulnerable. 
&lt;/li&gt;&lt;li&gt;The financial sector is the most vulnerable to criminal acts.&lt;/li&gt;&lt;/ol&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/113264319751846328'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/113264319751846328'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/11/bruce-schneier-reported-that-financial.html' title='Bruce Schneier reported that financial sector is the most vulnerable to information security-related criminal activities'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-112915313830522044</id><published>2005-10-12T14:31:00.000-07:00</published><updated>2005-10-30T02:46:27.480-08:00</updated><title type='text'>Forrester found that firms consider reliability, manageability, and cost when shopping for security technologies</title><content type='html'>A &lt;a href="http://www.forrester.com/Research/Document/Excerpt/0,7211,37801,00.html"&gt;recent survey&lt;/a&gt; conducted by Forrester found that firms do not focus only on the cost of security-related technologies when they are considering buying them. 
The most important criteria turned out to be reliability, manageability and cost--in that order.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/112915313830522044'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/112915313830522044'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/10/forrester-found-that-firms-consider.html' title='Forrester found that firms consider reliability, manageability, and cost when shopping for security technologies'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-112716825023151398</id><published>2005-09-19T15:09:00.000-07:00</published><updated>2005-09-19T15:17:30.236-07:00</updated><title type='text'>Mary Ann Davidson's view of the relationships between software vendor and the security researchers</title><content type='html'>&lt;a href="mailto:edit@zdnet.com.au"&gt;Mary Ann Davidson&lt;/a&gt;, CSO of Oracle, has recently discussed the differences between the perception among security researchers and the reality that software developers face. 
Using examples from her company, she addressed three notions that cause conflicts between those groups.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;You should be able to fix this in two days&lt;/li&gt;&lt;li&gt;The more notorious I am, the more business I will get&lt;/li&gt;&lt;li&gt;I should always get credit for vulnerabilities I find&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;To read more on her view, please click &lt;a href="http://www.zdnet.com.au/insight/security/soa/Security_researchers_problematic_bunch_/0,39023764,39204741,00.htm"&gt;here&lt;/a&gt;. &lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/112716825023151398'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/112716825023151398'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/09/mary-ann-davidsons-view-of.html' title='Mary Ann Davidson&apos;s view of the relationships between software vendor and the security researchers'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-112680075325176311</id><published>2005-09-15T09:09:00.000-07:00</published><updated>2005-09-15T09:14:15.490-07:00</updated><title type='text'>Who said that open source is more secure?</title><content type='html'>As the number of users of popular open-source software products increases, they are becoming a center of attention for the hacker community. 
Evidence: hackers have developed exploits that take advantage of a newly published International Domain Name flaw in Mozilla’s Firefox browser. To read more, please click &lt;a href="http://news.com.com/Hackers+work+to+exploit+latest+Firefox+flaw/2100-1002_3-5863451.html?part=rss&amp;tag=5863451&amp;amp;subj=news"&gt;here&lt;/a&gt;.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/112680075325176311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/112680075325176311'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/09/who-said-that-open-source-is-more.html' title='Who said that open source is more secure?'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-112641503705258774</id><published>2005-09-10T21:57:00.000-07:00</published><updated>2005-09-10T22:03:57.056-07:00</updated><title type='text'>Can the Cisco fiasco teach us the importance of the periodical release and update of patches?</title><content type='html'>Looking at the controversy created by an ISS employee who was going to disclose Internet security vulnerabilities in Cisco's Internetwork Operating System (IOS) at the 2005 Black Hat security conference in Las Vegas, &lt;a class="edLink" href="mailto:mailroomuk@zdnet.com"&gt;Michael Mullins&lt;/a&gt; thinks that this should be a lesson to organizations that do not have a standardized policy for their patch management processes. 
To read more, click &lt;a href="http://insight.zdnet.co.uk/0,39020415,39217131,00.htm"&gt;here&lt;/a&gt;.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/112641503705258774'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/112641503705258774'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/09/can-cisco-fiasco-teach-us-importance.html' title='Can the Cisco fiasco teach us the importance of the periodical release and update of patches?'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-111574140357574483</id><published>2005-05-10T08:56:00.000-07:00</published><updated>2005-05-10T09:10:03.643-07:00</updated><title type='text'>Periodical release of software patches</title><content type='html'>Apple issues patches approximately every month. Microsoft has decided to go with a strict second-Tuesday-of-each-month patch-release schedule. Oracle does the same thing on a quarterly schedule. &lt;a href="http://asia.cnet.com/news/security/0,39037064,39214839,00.htm"&gt;Evidence&lt;/a&gt; is there. All of these, again, show the importance of patch management. In December 2004, I presented my work titled "Security Patch Management Can’t Live with it, Can’t Live Without it" at WITS 2004. In that paper, my coauthors Huseyin Cavusoglu and Jun Zhang from Tulane University and I investigated the periodical release and update policy for software security patches. 
We showed that, due to the different interests of software vendors and users, we cannot reach a socially optimal patch management process unless there is some sort of coordination mechanism. We also showed that cost sharing or liability can achieve the coordination. For more information on WITS 2004, go to &lt;a href="http://www.citi.uconn.edu/wits2004/"&gt;its website&lt;/a&gt;.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/111574140357574483'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/111574140357574483'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/05/periodical-release-of-software-patches.html' title='Periodical release of software patches'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-111539324659155079</id><published>2005-05-06T08:18:00.000-07:00</published><updated>2005-05-06T08:27:26.596-07:00</updated><title type='text'>Next-Generation Security Software can publish the details: Sybase says.</title><content type='html'>Next-Generation Security Software had &lt;a href="http://www.securityfocus.com/archive/1/385198"&gt;found six flaws last year&lt;/a&gt; in the database maker's products. After NGSSoftware had been scheduled to release its detailed advisories on 22 March, Sybase started a legal fight to stop NGSSoftware from publishing the details on the basis of a material breach of the ASE Developer Edition's license agreement. 
But, there is a happy end in this confrontation as Sybase is dropping its legal threat against NGSSoftware. NGSSoftware has announced that "NGSSoftware believes we have solved the issues with Sybase, and we are working on a joint announcement". To read &lt;a href="http://www.channelregister.co.uk/2005/04/05/sybase_ngssoftware_disclosure_spat/"&gt;more&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-111539324659155079?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/111539324659155079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/111539324659155079'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/05/next-generation-security-software-can.html' title='Next-Generation Security Software can publish the details: Sybase says.'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-111506271099570829</id><published>2005-05-02T09:09:00.000-07:00</published><updated>2005-05-02T12:38:30.996-07:00</updated><title type='text'>200,000 customer data may be missing: Ameritrade</title><content type='html'>&lt;p&gt;Account information of up to 200,000 customers of Ameritrade may have been stolen as a result of a recent incident in which a package containing tapes with back-up information on customer accounts went missing. 
This once again raises concerns regarding security of backup tapes.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-111506271099570829?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/111506271099570829'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/111506271099570829'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/05/200000-customer-data-may-be-missing.html' title='200,000 customer data may be missing: Ameritrade'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-111478839932751584</id><published>2005-04-29T08:22:00.000-07:00</published><updated>2005-04-29T08:29:13.336-07:00</updated><title type='text'>Is there a need for responsible vulnerability disclosure?</title><content type='html'>&lt;img src="http://www.ciostrategycenter.com/cio/Threat/viruses/metrics/chart_042505/chart_042505.jpg"&gt;&lt;br /&gt;Symantec's new report shows that the average number of new vulnerabilities that security professionals have to deal with every week has been increasing. &lt;a href="http://www.ciostrategycenter.com/cio/Threat/viruses/metrics/chart_042505/index.html"&gt;The recent figure &lt;/a&gt;is 58 vulnerabilities per week. In light of the new evidence, it does not really make sense to me to say that vulnerabilities should be disclosed publicly even if there isn't any remedy for them. 
How would security people in enterprises tackle those vulnerabilities which do not have any fix, as it gets very difficult to keep their systems up-to-date with existing patches? The solution should be responsible vulnerability disclosure and rigorous patch management systems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-111478839932751584?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/111478839932751584'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/111478839932751584'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/04/is-there-need-for-responsible.html' title='Is there a need for responsible vulnerability disclosure?'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-111340987631552672</id><published>2005-04-13T09:28:00.000-07:00</published><updated>2005-04-13T09:31:16.316-07:00</updated><title type='text'>Microsoft releases new patches</title><content type='html'>On April 12, 2005, Microsoft released eight security bulletins related to its products. 
Among them, five vulnerabilities are rated "critical."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-111340987631552672?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/111340987631552672'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/111340987631552672'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/04/microsoft-releases-new-patches.html' title='Microsoft releases new patches'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110981647267473967</id><published>2005-03-02T18:15:00.000-08:00</published><updated>2005-03-02T18:21:12.676-08:00</updated><title type='text'>Market for Software Vulnerabilities?</title><content type='html'>Despite unethical consequences, some people think that a market mechanism for software vulnerability disclosure works. For sure, Immunity Inc. believes so. Is it because this mechanism improves the overall security of the public or because they make tons of money from selling the vulnerability information? Joining its club might cost you as much as $100,000. 
Read &lt;a href="http://software.silicon.com/security/0,39024655,39128296,00.htm"&gt;more&lt;/a&gt; on this subject.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110981647267473967?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110981647267473967'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110981647267473967'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/03/market-for-software-vulnerabilities.html' title='Market for Software Vulnerabilities?'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110977973639065489</id><published>2005-03-02T08:04:00.000-08:00</published><updated>2005-03-02T08:08:56.393-08:00</updated><title type='text'>Bank of America lost tape containing customer information</title><content type='html'>Bank of America has lost computer tapes containing financial information on more than one million federal employees. This raised concerns about possible exposure of the data to identity theft. Chairwoman of the Senate Homeland Security and Governmental Affairs Committee Susan Collins is now seeking an explanation of how the bank will protect the affected federal employees. 
Read &lt;a href="http://www.fcw.com/fcw/articles/2005/0228/web-bofa-02-28-05.asp"&gt;more&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110977973639065489?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110977973639065489'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110977973639065489'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/03/bank-of-america-lost-tape-containing.html' title='Bank of America lost tape containing customer information'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110977941939779308</id><published>2005-03-02T07:58:00.000-08:00</published><updated>2005-03-02T08:03:39.400-08:00</updated><title type='text'>Security Guideline from NIST</title><content type='html'>After receiving 'D+' for information security from FISA-mandated survey, federal agencies now have a guideline which is designed by NIST to improve their security control.  NIST's guideline spans 17 key security areas to ensure that federal agencies have certain security controls, policies and procedures in place, which are required by FISA. 
Read &lt;a href="http://news.com.com/NIST+releases+final+security+guidelines/2100-7348_3-5593256.html"&gt;more&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110977941939779308?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110977941939779308'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110977941939779308'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/03/security-guideline-from-nist.html' title='Security Guideline from NIST'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110684296257429200</id><published>2005-01-27T08:17:00.000-08:00</published><updated>2005-01-27T08:22:42.573-08:00</updated><title type='text'>GeCAD published only the summary of the Microsoft Vulnerability</title><content type='html'>After Microsoft released a patch (MS05-001), GeCAD NET has announced that the patch does not enough to remove vulnerability and that they have exploited the systems even if relevant patches were applied. To many, what makes this type of disclosure responsible is that the identifier does not release the details of the vulnerability and how it can be exploited. To read &lt;a href="http://www.winnetmag.net/Article/ArticleID/45219/Windows_45219.html"&gt;more&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110684296257429200?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110684296257429200'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110684296257429200'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/01/gecad-published-only-summary-of.html' title='GeCAD published only the summary of the Microsoft Vulnerability'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110678515701241396</id><published>2005-01-26T16:12:00.000-08:00</published><updated>2005-01-27T08:12:19.670-08:00</updated><title type='text'>Another Irresponsible Vulnerability Disclosure</title><content type='html'>Recently, Immunity, a security consulting firm, published an advisory highlighting four security holes in Apple Computer's Mac OS X. Interestingly, advisory came for the vulnerabilities that the security company had known about for seven months but had kept to itself and its customers instead of disclosing the problem to Apple. This is another example of irresponsible vulnerability disclosure, which is criticized by many software vendors, users, and industry practitioners. Read &lt;a href="http://news.com.com/Flaw+finders+go+their+own+way/2100-1002_3-5550430.html"&gt;more&lt;/a&gt;. Another &lt;a href="http://news.zdnet.com/2100-1009_22-5550430.html"&gt;one&lt;/a&gt; on this.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110678515701241396?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110678515701241396'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110678515701241396'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/01/another-irresponsible-vulnerability.html' title='Another Irresponsible Vulnerability Disclosure'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110598964931640591</id><published>2005-01-17T11:19:00.000-08:00</published><updated>2005-01-17T11:20:49.316-08:00</updated><title type='text'>Experts Say Litigations are coming.</title><content type='html'>Although there is no record yet of any company being sued over these laws, it's just a matter of time. "You're going to see increasing litigation for security breaches, especially when the result is identity theft or financial losses," says Behnam Dayanim, a privacy attorney with the international law firm of Paul, Hastings, Janofsky &amp;amp; Walker. Read &lt;a href="http://www.cio.com/archive/011505/california.html"&gt;more&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110598964931640591?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110598964931640591'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110598964931640591'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/01/experts-say-litigations-are-coming.html' title='Experts Say Litigations are coming.'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110514481002143854</id><published>2005-01-07T16:32:00.000-08:00</published><updated>2005-01-07T16:40:10.020-08:00</updated><title type='text'>Open Source Software in Government</title><content type='html'>Almost every government around the globe is considering the use of open source software. It is reported that they have been doing research to facilitate the development or the adoption of the open source software. Among others, they consider that open source is a less costly alternative that encourages the development local software industry which is crucial to establish cheaper IT standards in the long run. Argentina, Brazil, Bulgaria, Chile, Colombia, France, Italy and Peru have considered legislation mandating the use of open source software, while Bahrain, Belgium, China and Hong Kong, Costa Rica, France, Germany, Iceland, Israel, Italy, Malaysia, Poland, Portugal, the Philippines, and South Africa have policies to give open source options preferential treatment. 
Recently, Venezuela plans to migrate to open source software  in governmental agencies and has founded an open source academy to provide expert support. &lt;a href="http://www.theregister.co.uk/2005/01/07/gov_open_source_dynamic"&gt;More&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110514481002143854?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110514481002143854'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110514481002143854'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2005/01/open-source-software-in-government.html' title='Open Source Software in Government'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110252221399382226</id><published>2004-12-08T08:05:00.000-08:00</published><updated>2004-12-08T08:10:49.200-08:00</updated><title type='text'>What security industry wants?</title><content type='html'>Security industry demands three things for the Bush administration:&lt;br /&gt;&lt;br /&gt;1. spend more on computer-security research,&lt;br /&gt;2. share threat information with private-sector security vendors and facilitate information sharing (I believe, including facilitating the vulnerability disclosure process),&lt;br /&gt;3. set up an emergency computer network that would remain functional during Internet blackouts. Read &lt;a href="http://www.cnn.com/2004/TECH/internet/12/07/tech.security.reut/index.html"&gt;more&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110252221399382226?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110252221399382226'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110252221399382226'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/12/what-security-industry-wants.html' title='What security industry wants?'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110252193982413936</id><published>2004-12-08T08:02:00.000-08:00</published><updated>2004-12-08T08:05:39.826-08:00</updated><title type='text'>Government presses for industry cooperation</title><content type='html'>The Bush administration developed a plan to improve security that relies heavily on industry cooperation. The Homeland Security Department has worked to increase coordination between law-enforcement officials and security vendors. In the mean time, security industry demands more from government to give necessary authority to those law-enforcement people to oversee the information security. Read &lt;a href="http://www.cnn.com/2004/TECH/internet/12/07/tech.security.reut/index.html"&gt;more&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110252193982413936?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110252193982413936'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110252193982413936'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/12/government-presses-for-industry.html' title='Government presses for industry cooperation'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110247612309523096</id><published>2004-12-07T19:20:00.000-08:00</published><updated>2004-12-07T19:22:03.096-08:00</updated><title type='text'>Monthly release cycle policy is broken</title><content type='html'>Microsoft broke its monthly patch cycle and released a patch for the IFRAME vulnerability in Internet Explorer (IE) December 1, 2004. Read &lt;a href="http://www.theregister.co.uk/2004/12/02/ie_iframe_fix"&gt;more&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110247612309523096?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110247612309523096'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110247612309523096'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/12/monthly-release-cycle-policy-is-broken.html' title='Monthly release cycle policy is broken'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110247571654590860</id><published>2004-12-07T19:10:00.000-08:00</published><updated>2004-12-07T19:15:16.546-08:00</updated><title type='text'>Tenet says there is a need for regulation</title><content type='html'>George Tenet said that greater government regulation of the Internet and telecommunications networks is needed in order to guard against terrorist attacks. The terrorists are trying to couple attacks on telecommunication networks with physical attacks and are increasingly researching cyber-attacks. Read &lt;a href="http://www.govexec.com/dailyfed/1204/120104c1.htm"&gt;more&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110247571654590860?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110247571654590860'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110247571654590860'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/12/tenet-says-there-is-need-for.html' title='Tenet says there is a need for regulation'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110247499851297822</id><published>2004-12-07T19:01:00.000-08:00</published><updated>2004-12-07T19:03:18.513-08:00</updated><title type='text'>Need for automated tools for software code audit</title><content type='html'>Former DHS (Department of Homeland Security) National Cybersecurity Division director Amit Yoran, speaking at the e-Gov Institute's information assurance conference, called for automated tools to help software vendors uncover flaws in their code, but predicted that such tools would not be ready for widespread use for ten years. 95% of flaws come from nineteen common and well understood programming mistakes. However, many developers lack the academic background or specialized training to avoid such mistakes. Read &lt;a href="http://www.computerworld.com/securitytopics/security/story/0,10801,97988,00.html"&gt;more&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110247499851297822?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110247499851297822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110247499851297822'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/12/need-for-automated-tools-for-software.html' title='Need for automated tools for software code audit'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110125477359364615</id><published>2004-11-23T16:02:00.000-08:00</published><updated>2004-11-23T16:06:13.593-08:00</updated><title type='text'>Federal Managers struggle with patching and compliance, a survey reports:</title><content type='html'>According to a survey of federal security managers published by Intelligent Decisions, the top concerns facing federal networks are patching, network compromises, and compliance with the Federal Information Security Management Act (FISMA). Almost half the respondents said the private sector should improve the quality assurance of their softwares. Federal managers often lack both the labor and money to meet FISMA requirements, especially managers with budgets of less than $500,000. Managers spend an average of three hours each day on compliance rather than strategic security planning. 
The survey finds that as managers' budgets increase, the amount of time necessary for compliance decreases: managers with less that $500,000 spent 45% of their time on compliance, while those with budgets over $10 million only spent 27%. The survey is based on telephone conversations with 25 of 117 federal security managers.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110125477359364615?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110125477359364615'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110125477359364615'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/federal-managers-struggle-with.html' title='Federal Managers struggle with patching and compliance, a survey reports:'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110125442281593291</id><published>2004-11-23T15:55:00.000-08:00</published><updated>2004-11-23T16:00:22.816-08:00</updated><title type='text'>Microsoft decides to patch the vulnerability discovered recently by Finjan </title><content type='html'>This is not because the software has a problem, it is because the social engineering can be used to attack users by exploiting the vulnerability discovered by Finjan. Originally, Microsoft has totally denied the possibility of the vulnerability that was reported in Finjan's advisory. &lt;a href="http://software.silicon.com/security/0,39024655,39126081,00.htm "&gt;Silicon.com&lt;/a&gt;. 
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110125442281593291?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110125442281593291'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110125442281593291'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/microsoft-decides-to-patch.html' title='Microsoft decides to patch the vulnerability discovered recently by Finjan '/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110119655747143813</id><published>2004-11-22T23:54:00.000-08:00</published><updated>2004-11-22T23:55:57.470-08:00</updated><title type='text'>Oracle is moving to quarter patch update cycle</title><content type='html'>On January 18, 2005, Oracle will begin releasing patches for Oracle Database, E-Business Suite, Application Server, Oracle Enterprise Manager, and Collaboration Suite on a quarterly cycle. The quarterly patches, which Oracle calls "Critical Patch Updates," will address both security fixes and general software updates. The quarterly cycle is designed to give customers more flexibility in planning software updates. Systems administrators can plan system shutdowns and software installations to fit with business processes, such as quarterly reviews. Oracle says it will deviate from its quarterly cycle if a security company issues a "high-severity security alert," especially if an exploit is found in the wild. The quarterly cycle is also expected to help Oracle develop well-integrated and well-tested patches. 
Read &lt;a href="http://www.nwfusion.com/news/2004/1118orpatch.html"&gt;more&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110119655747143813?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110119655747143813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110119655747143813'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/oracle-is-moving-to-quarter-patch.html' title='Oracle is moving to quarter patch update cycle'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110119639830814104</id><published>2004-11-22T23:48:00.000-08:00</published><updated>2004-11-22T23:53:18.310-08:00</updated><title type='text'>Microsoft hopes to extend patching cycle</title><content type='html'>Microsoft is working towards its ultimate goal of producing an operating system which will not require any patching. Of course, this is an ideal scenario, maybe impossible to reach. However, the company wants to reach a stage where patch cycle is extended to six months, instead of the current practice of a month. Read more at &lt;a href="http://www.zdnet.com.au/news/0,39023165,39167124,00.htm"&gt;Znet&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110119639830814104?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110119639830814104'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110119639830814104'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/microsoft-hopes-to-extend-patching.html' title='Microsoft hopes to extend patching cycle'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110058869286743646</id><published>2004-11-15T22:56:00.000-08:00</published><updated>2004-11-15T23:04:52.866-08:00</updated><title type='text'>Another Irresponsible Vulnerability Disclosure: Microsoft Needs Some Help</title><content type='html'>Security tools maker &lt;a href="http://dw.com.com/redir?destUrl=http%3A%2F%2Fwww.finjan.com&amp;siteId=3&amp;amp;amp;oId=2100-1002-5449269&amp;ontId=1009&amp;amp;lop=nl.ex"&gt;Finjan Software&lt;/a&gt; warned on Wednesday that it found as many as 10 security flaws in the last update to Microsoft's flagship operating system, &lt;a title="Windows XP Service Pack 2 heads to retail -- Tuesday, Oct 5, 2004" href="http://news.com.com/Windows+XP+Service+Pack+2+heads+to+retail/2100-1016_3-5397729.html?tag=nl"&gt;Windows XP Service Pack 2&lt;/a&gt;. In a statement that contained few details, the U.K. company claimed that the vulnerabilities could enable attackers to remotely access a victim's files, remove security measures aimed at Internet threats and run programs without any notification to the user.
&lt;br /&gt;The company did not wait for Microsoft to fix the issues, as many security companies do, and used the announcement to push its own wares as protection against the threats. Many interpret the move as an effective way to generate publicity. The overall objective of the security industry should be to improve the security of society. Although researchers who follow a responsible vulnerability disclosure process are acknowledged when the fix for the vulnerability arrives, some still choose to put society at risk by going straight to public disclosure. To read more on this recent issue, please go to &lt;a href="http://news.com.com/Finjan+Warning+users+or+scaring+up+business/2100-1002_3-5449269.html"&gt;News.com&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110058869286743646?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110058869286743646'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110058869286743646'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/another-irresponsible-vulnerability.html' title='Another Irresponsible Vulnerability Disclosure: Microsoft Needs Some Help'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110014742190095091</id><published>2004-11-10T19:46:00.000-08:00</published><updated>2004-11-16T12:13:42.676-08:00</updated><title type='text'>Do blackhats release their exploits strategically?</title><content type='html'>The creators of the latest MyDoom variant, which exploits a recently 
discovered iFrame vulnerability in Internet Explorer, may have timed the release of the viruses to throw Microsoft's monthly patch cycle into disarray. In its &lt;a title="Patch in for Microsoft server spoofing flaw -- Tuesday, Nov 9, 2004" href="http://news.com.com/Patch+in+for+Microsoft+server+spoofing+flaw/2100-1002_3-5445588.html?tag=nl"&gt;latest monthly update&lt;/a&gt; on Tuesday, Microsoft was not able to fix a serious vulnerability in the Internet Explorer &lt;a title="Major browsers bitten by security bugs -- Wednesday, Oct 20, 2004" href="http://news.com.com/Major+browsers+bitten+by+security+bugs/2100-1002_3-5419714.html?tag=nl"&gt;browser&lt;/a&gt; because the flaw was discovered only a few days before the company's regular update was due. The &lt;a title="Double MyDoom for Internet Explorer flaw -- Tuesday, Nov 9, 2004" href="http://news.com.com/Double+MyDoom+for+Internet+Explorer+flaw/2100-7349_3-5445179.html?tag=nl"&gt;two variants of the MyDoom virus&lt;/a&gt; were released earlier this week, leaving the software giant without any option but to ignore the problem--for now. Public disclosure of vulnerabilities has been criticized because it does not give vendors time to develop their patches before information about the vulnerabilities becomes public. Since the recent vulnerabilities were announced publicly just a couple of days before the Microsoft patch cycle, the software giant did not have enough time to develop and test a patch and ensure that it is stable. Therefore, fixes for the two recent vulnerabilities are not included in the last update. This was good news for malicious users, because they can exploit the vulnerability for a considerable time while the fixes are missing from this batch. It is, however, bad news for society overall. This should definitely prompt discussion of the legitimacy of public disclosure. &lt;a href="http://news.com.com/Worm+exploits+Microsoft+patch+cycle/2100-7349_3-5446624.html"&gt;More&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110014742190095091?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110014742190095091'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110014742190095091'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/do-blackhats-release-their-exploits.html' title='Do blackhats release their exploits strategically?'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110005320862286221</id><published>2004-11-09T18:16:00.000-08:00</published><updated>2004-11-09T18:20:08.623-08:00</updated><title type='text'>Vulnerability is discovered in Morgan Stanley online banking</title><content type='html'>Online banking continued its run of security issues, as a vulnerability has been discovered in Morgan Stanley’s online banking website. The flaw was reported to BBC Breakfast, and enables users to access their credit card information by entering only the first digit of their credit card number. 
Tim Pickard, strategic marketing director for EMEA at RSA Security, commented that two-factor authentication would dramatically improve the security of online banking consumers, and that Morgan Stanley’s vulnerability would not be a problem if they used two-factor authentication. By &lt;a href="http://www.computeractive.co.uk/news/1159273"&gt;Computeractive&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110005320862286221?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110005320862286221'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110005320862286221'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/vulnerability-is-discovered-in-morgan.html' title='Vulnerability is discovered in Morgan Stanley online banking'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-110005264064870219</id><published>2004-11-09T18:08:00.000-08:00</published><updated>2004-11-09T18:10:40.646-08:00</updated><title type='text'>A man is charged with selling the Windows' code</title><content type='html'>William P. Genovese, Jr., 27, was charged November 9, 2004 with unlawfully distributing a trade secret, a charge that carries a maximum prison sentence of ten years and a maximum fine of $250,000 if convicted. Mr. Genovese allegedly sold secret source code from Windows NT 4.0 and Windows 2000, and was discovered after posting a message on this website offering the code for sale. 
Federal prosecutors said a Microsoft-hired investigator and an undercover Federal Bureau of Investigation (FBI) agent downloaded the code after submitting electronic payment.&lt;br /&gt;By &lt;a href="http://www.reuters.com/newsArticle.jhtml?type=technologyNews&amp;amp;storyID=6762266"&gt;Reuters&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-110005264064870219?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110005264064870219'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/110005264064870219'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/man-is-charged-with-selling-windows.html' title='A man is charged with selling the Windows&apos; code'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109997447239948569</id><published>2004-11-08T20:14:00.000-08:00</published><updated>2004-11-08T20:29:45.450-08:00</updated><title type='text'>Market punishes security breaches severely</title><content type='html'>&lt;img src="http://info.freeman.tulane.edu/huseyin/img/huseyin2.jpg"&gt; Professor Huseyin Cavusoglu found that "The announcement of an Internet security breach is negatively associated with the market value of the announcing firm. Breached firms, on average lose approximately 2.1% of their market values within two days surrounding the events. This translates into $1.65 billion average loss in market capitalization per incident." This and many other findings have recently been published in the International Journal of Electronic Commerce. 
His study co-authored with S. Raghunathan and B. Mishra has been regarded as the most rigorous study that uses event study methodology. &lt;a href="http://info.freeman.tulane.edu/huseyin/"&gt;More&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109997447239948569?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109997447239948569'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109997447239948569'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/market-punishes-security-breaches.html' title='Market punishes security breaches severely'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109997353460959895</id><published>2004-11-08T20:10:00.000-08:00</published><updated>2004-11-08T20:13:12.453-08:00</updated><title type='text'>Open source advocates are upset after the recent mi2g's study: open source systems expose to more attacks than Microsoft. </title><content type='html'>A number of security experts are questioning the findings of a report from mi2g which names Linux the "most breached" operating system. The report is based on an examination of over 235,000 successful attacks against computers permanently connected to the Internet from November 2003 through October 2004. The study found that Linux accounted for 65% of breaches, with Windows coming in second at 25%. 
Open source advocate Bruce Perens criticizes the report for not factoring in the main problem, automatic virus attacks, which even the report admits have greater economic impact on Windows systems. Linux servers running Apache account for nearly 64% of web servers. Rob Enderle, principal analyst with the Enderle Group, notes that mi2g's methodology on a number of previous studies has been questionable, and describes the recent study as more of a media event than a serious investigation. The study found BSD and Apple's Mac OS X as the most secure operating systems with less than 5% of breaches each; however, both systems have few users, and BSD users in particular tend to be highly competent. The report may indicate that widely deployed systems with poorly trained users are more vulnerable, Mr. Enderle argued, adding that results should be normalized based on skills and usage. By &lt;a href="http://www.internetweek.com/breakingNews/showArticle.jhtml?articleID=52200309"&gt;Internetweek&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109997353460959895?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109997353460959895'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109997353460959895'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/open-source-advocates-are-upset-after.html' title='Open source advocates are upset after the recent mi2g&apos;s study: open source systems expose to more attacks than Microsoft. 
'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109997310331923021</id><published>2004-11-08T19:59:00.000-08:00</published><updated>2004-11-08T20:07:58.510-08:00</updated><title type='text'>Microsoft rolls out an early notification service for the upcoming patches</title><content type='html'>The software maker will provide a summary of planned security bulletins three days in advance. Microsoft announced that everyone will have access to advance information about pending security updates. In its statement, Microsoft said the new policy is in "response to customer feedback." According to Microsoft, the advance notifications will include how many security bulletins may be released, how severe the security problems being fixed are, and a list of the affected products. The information provided in the notification will be general and won't disclose vulnerability details or other information that could put customers at risk. By &lt;a href="http://informationweek.com/story/showArticle.jhtml;jsessionid=EDYAFCFZ45E10QSNDBGCKH0CJUMEKJVN?articleID=51202868"&gt;Information Week&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109997310331923021?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109997310331923021'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109997310331923021'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/microsoft-rolls-out-early-notification.html' title='Microsoft rolls out an early notification service for the upcoming patches'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109997274141515194</id><published>2004-11-08T19:50:00.001-08:00</published><updated>2004-11-08T19:59:01.416-08:00</updated><title type='text'>Early warning to general public by Microsoft </title><content type='html'>Microsoft has been giving information about the content of its updates in advance to selected customers; it is now providing that information to all customers. However, the advance information will only include general information and will not disclose vulnerability details that could put customers at risk. The first example of this new practice is the information about the November 9th 2004 ISA Server update. Microsoft said that the vulnerability in ISA Server is rated important, its second highest classification. &lt;a href="http://www.securitypipeline.com/52200214"&gt;More&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109997274141515194?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109997274141515194'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109997274141515194'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/early-warning-to-general-public-by.html' title='Early warning to general public by Microsoft '/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109997217323788981</id><published>2004-11-08T19:44:00.000-08:00</published><updated>2004-11-08T19:49:33.236-08:00</updated><title type='text'>Simply obtaining password worked again to compromise !</title><content type='html'>An inmate  in Colorado has accessed sensitive information on a county sheriff and nearly 1,000 other local-government employees after he obtained a password into the county's computer system, Colorado authorities announced on November 5, 2004. By &lt;a href="http://www.reuters.com/newsArticle.jhtml?type=technologyNews&amp;storyID=6733220"&gt;Reuters&lt;/a&gt;.
&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109997217323788981?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109997217323788981'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109997217323788981'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/simply-obtaining-password-worked-again.html' title='Simply obtaining password worked again to compromise !'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109997165108445927</id><published>2004-11-08T19:25:00.000-08:00</published><updated>2004-11-08T19:40:51.086-08:00</updated><title type='text'>Another Virus writer joins anti-virus firm </title><content type='html'>After German security company Securepoint hired Sven Jaschan, who were self-confessed creator of the destructive NetSky and Sasser worms, as a trainee software developer in September 2004, Benny, ex-member of the 29A virus-writing group, is hired to work as the main developer at Zoner Anti-Virus (ZAV), part of Zoner Software. By &lt;a href="http://www.theregister.co.uk/2004/11/08/vxer_joins_av_zoner"&gt;Register&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109997165108445927?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109997165108445927'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109997165108445927'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/another-virus-writer-joins-anti-virus.html' title='Another Virus writer joins anti-virus firm '/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109973894503335925</id><published>2004-11-06T02:57:00.000-08:00</published><updated>2004-11-06T03:02:25.033-08:00</updated><title type='text'>Legislation might create a negative impact on risk management</title><content type='html'>According to banking security expert Michael Colao, director of Information Management at Dresdner Kleinwort Wasserstein, recent legislation is having a negative effect on risk management, as companies struggle to deal with increased governance. Information technology managers are being tied up in red tape by the requirements of data protection, Sarbanes-Oxley, Basel II and other corporate governance reforms. Mr. Colao says some chief information officers are relying on complicated processes rather than sound judgment in order to protect themselves from measures that make IT managers legally responsible for adherence to corporate governance rules. Tim Pickard, strategic marketing director at RSA Security EMEA, added that the nature of EU directives makes it nearly impossible for global CIOs to be fully compliant. 
&lt;a href="http://www.theregister.co.uk/2004/11/04/rsa_redux"&gt;The Register&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109973894503335925?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109973894503335925'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109973894503335925'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/legislation-might-create-negative.html' title='Legislation might create a negative impact on risk management'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109973844164249033</id><published>2004-11-06T02:52:00.000-08:00</published><updated>2004-11-06T02:54:01.643-08:00</updated><title type='text'>Virus report points to profit-hungry hackers </title><content type='html'>According to a report by security company Trend Micro's TrendLabs, malware cases rose 22% in October 2004, with Trojan horses accounting for 47% of cases. The report concluded that these results vindicate earlier claims that the motivation of malware authors is shifting from notoriety to profit. While most of the top worms and viruses were in decline, the Netsky.P worm, which was the most frequently reported malware, registered a 30% increase in infections over September 2004. The report attributed the worm’s continued prevalence to users’ penchant for opening unknown attachments. Read more at &lt;a href="http://news.com.com/Virus+report+points+to+profit-hungry+hackers/2100-7349_3-5438228.html"&gt;CNet&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109973844164249033?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109973844164249033'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109973844164249033'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/virus-report-points-to-profit-hungry.html' title='Virus report points to profit-hungry hackers '/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109973825031645368</id><published>2004-11-06T02:44:00.000-08:00</published><updated>2004-11-06T02:50:50.316-08:00</updated><title type='text'>The dutch kid will be pressed charges for the DoS Attack</title><content type='html'>The Dutch government plans to press civil, and possibly criminal, charges against an eighteen-year-old for a distributed denial of service attack that disabled a number of government websites for four days. The defendant is also suspected of belonging to the "0x1fe Crew", a group of fifteen hackers protesting recent cabinet decisions. The suspect apparently revealed his actions and personal details on a television program, leading to his arrest. The government has taken a number of measures, including purchasing increased bandwidth, in order to withstand future attacks. If found guilty, the suspect faces fines amounting to tens of thousands of euros. 
Read more&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109973825031645368?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109973825031645368'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109973825031645368'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/dutch-kid-will-be-pressed-charges-for.html' title='The dutch kid will be pressed charges for the DoS Attack'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109973779314082329</id><published>2004-11-06T02:41:00.000-08:00</published><updated>2004-11-06T02:43:13.140-08:00</updated><title type='text'>How will spyware products react to Internet Spyware Prevention Act </title><content type='html'>According to Mike Healan, editor of SpywareInfo.com, spyware makers will split into two groups in response to the recently passed Internet Spyware Prevention (I-SPY) Act: one group will appear to comply with regulations while the other will develop spywares that are harder to detect and remove. Anti-spyware vendors will have difficulties determining which programs comply with spyware laws while blocking the more malicious variety. Aluria Software plans to do both by leading companies out of the spyware market and into legitimate advertising. A number of spyware companies have contacted anti-spyware vendors to find out how their products can be counted among the acceptable adwares. However, many producers of malicious spyware are outside the United States and the jurisdiction of I-SPY. 
Security firm Webroot currently finds 80 new variations of existing spyware and 20 new spyware programs each week. Research firm Gartner estimates that eighty to ninety percent of computers have some form of spyware. Antivirus vendors are expected to offer anti-spyware tools as spyware becomes more of a threat. Read more&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109973779314082329?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109973779314082329'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109973779314082329'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/11/how-will-spyware-products-react-to.html' title='How will spyware products react to Internet Spyware Prevention Act '/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109918405788254506</id><published>2004-10-30T17:45:00.000-07:00</published><updated>2004-10-30T17:54:17.883-07:00</updated><title type='text'>Microsoft policy makes sense</title><content type='html'>Security experts agree that Microsoft's approach to patch management makes the process more predictable. Microsoft Corp. moved to a monthly patch-release cycle one year ago. The uncertainty of Microsoft's earlier approach, in which a patch was released as soon as it was developed, made it costly for users to manage patches; the current approach drastically alleviates the issue. 
"What it gives you is the consistency you need to factor patching into your overall [systems management] process," Krauthamer, director of information systems at Advanced Fibre Communications Inc. in Petaluma, Calif., said. "It's a great thing if you can spend just one night a month doing patches." To read the article by &lt;a class="storylink" href="mailto:jaikumar_vijayan@computerworld.com"&gt;Jaikumar Vijayan&lt;/a&gt;, click &lt;a href="http://www.computerworld.com/securitytopics/security/story/0,10801,96726,00.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109918405788254506?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109918405788254506'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109918405788254506'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/10/microsoft-policy-makes-sense.html' title='Microsoft policy makes sense'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109902889758955471</id><published>2004-10-28T22:37:00.000-07:00</published><updated>2004-10-28T22:49:58.403-07:00</updated><title type='text'>A new proposal for information security regulations</title><content type='html'>Ira Winkler, CISSP, CISM, argues that self-regulation will no longer work for information security. He proposes a set of regulating rules that every computer, system, or network should obey when it is connected to the public network. 
He points out that we can't continue to ignore the fact that we're negligently enabling the attackers. While we can always expect miscreants to attack us, either maliciously or for profit, studies by the Defense Information Systems Agency and the Computer Emergency Response Team indicate that more than 97% of successful attacks are preventable. To read his opinion, click &lt;a href="http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1020238,00.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109902889758955471?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109902889758955471'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109902889758955471'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/10/new-proposal-for-information-security.html' title='A new proposal for information security regulations'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109902704280244279</id><published>2004-10-28T22:12:00.000-07:00</published><updated>2004-10-28T22:21:13.616-07:00</updated><title type='text'>Information Security is an economics problem rather than a technical one</title><content type='html'>Bruce Schneier, a security expert and chief technology officer at &lt;a href="http://www.counterpane.com/" target="NEW"&gt;Counterpane Internet Security Inc.&lt;/a&gt; , stresses that information security isn't a technological problem. It's an economics problem. And the way to improve information technology is to fix the economics problem. 
Do that, and everything else will follow. Read more at &lt;a href="http://www.computerworld.com/softwaretopics/software/story/0,10801,96948,00.html"&gt;Computerworld&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109902704280244279?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109902704280244279'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109902704280244279'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/10/information-security-is-economics.html' title='Information Security is an economics problem rather than a technical one'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109902671236730698</id><published>2004-10-28T22:04:00.000-07:00</published><updated>2004-10-28T22:23:07.000-07:00</updated><title type='text'>Liability in Information Security</title><content type='html'>&lt;strong&gt;&lt;em&gt;Bruce Schneier&lt;/em&gt;&lt;/strong&gt; of Counterpane Internet Security Inc. has articulated that we should start thinking about liability in dealing with information security problems. He also pointed out that "There are no real consequences to the vendors for having bad security or low-quality software. Even worse, the marketplace often rewards low quality. More precisely, it rewards additional features and timely release dates, even if they come at the expense of quality." You can read more on this issue in &lt;a href="http://www.computerworld.com/softwaretopics/software/story/0,10801,96948,00.html"&gt;his recent article&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109902671236730698?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109902671236730698'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109902671236730698'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/10/liability-in-information-security.html' title='Liability in Information Security'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109901797562490042</id><published>2004-10-28T19:37:00.000-07:00</published><updated>2004-10-28T19:46:15.623-07:00</updated><title type='text'>Fear Does Sell in Security</title><content type='html'>According to a survey by Watchguard, almost half of the respondents admitted that fear is the most effective way for security vendors to motivate customers to invest in a particular security technology. 30% of the 150 customers surveyed said that a rational assessment of costs and benefits is the most effective driver in persuading them to make a security investment decision. To read more, &lt;a href="http://www.nwfusion.com/newsletters/vpn/2004/1025vpn1.html"&gt;http://www.nwfusion.com/newsletters/vpn/2004/1025vpn1.html&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109901797562490042?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109901797562490042'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109901797562490042'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/10/fear-does-sell-in-security.html' title='Fear Does Sell in Security'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109901681902009455</id><published>2004-10-28T19:22:00.000-07:00</published><updated>2004-10-28T19:27:42.163-07:00</updated><title type='text'>Firms Take Government Regulations Seriously</title><content type='html'>Firms are revising their IT spending to improve their compliance with new regulations. The Sarbanes-Oxley Act was named by 36 per cent of the companies surveyed by NetSec as having the most impact on enterprises’ information security management planning in 2004. Basel II came in as the second most important piece of regulation, with 25 per cent naming it as having the most impact on information security management planning. BS7799-2:2002, the government's gold standard for information security, came in third with just 19 per cent, even though it was rated as the best framework for defining companies’ Information Security Management Systems. To read more, &lt;a href="http://www.theregister.co.uk/2004/10/27/netsec_security_survey/"&gt;http://www.theregister.co.uk/2004/10/27/netsec_security_survey/&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109901681902009455?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109901681902009455'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109901681902009455'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/10/firms-take-government-regulations.html' title='Firms Take Government Regulations Seriously'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109901639679645447</id><published>2004-10-28T19:10:00.000-07:00</published><updated>2004-10-28T19:19:56.796-07:00</updated><title type='text'>Big UK Businesses struggle with Vulnerabilities and Patches</title><content type='html'>Security consultancy NetSec reported that most large companies are struggling to protect themselves against security threats, based on a survey conducted in the UK. It revealed that a new security threat could take more than six hours to contain across big organizations. To read more, &lt;a href="http://www.theregister.co.uk/2004/10/27/netsec_security_survey/"&gt;http://www.theregister.co.uk/2004/10/27/netsec_security_survey/&lt;/a&gt;.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109901639679645447?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109901639679645447'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109901639679645447'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/10/big-uk-businesses-straggle-with.html' title='Big UK Businesses struggle with Vulnerabilities and Patches'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109901563027576577</id><published>2004-10-28T19:05:00.000-07:00</published><updated>2004-10-28T19:07:10.276-07:00</updated><title type='text'>New Worm Targets Google and Microsoft</title><content type='html'>A new variant of the Zafi worm, Zafi.C, was discovered October 27, 2004. Zafi.C attempts to launch a distributed denial-of-service (DDoS) attack against Google.com, Microsoft.com, and miniszterelnok.hu, the website of the Hungarian prime minister. 
&lt;a href="http://www.silicon.com/0,39024729,39125376,00.htm"&gt;http://www.silicon.com/0,39024729,39125376,00.htm&lt;/a&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109901563027576577?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109901563027576577'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109901563027576577'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/10/new-worm-targets-google-and-microsoft.html' title='New Worm Targets Google and Microsoft'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109901534135343573</id><published>2004-10-28T18:58:00.000-07:00</published><updated>2004-10-28T19:02:21.353-07:00</updated><title type='text'>Information Security is Crucial for IT Security</title><content type='html'>&lt;a href="http://www.vnunet.com"&gt;Vnunet.com&lt;/a&gt; reported that UK chief security and intelligence coordinator, Sir David Omand, says increased information-sharing between government departments and businesses and increased staff training are keys to improving the UK’s information technology security. Following the publication of the government’s first review of UK public and private sector security initiatives, Sir David said cyber-security now affects all sectors of the government and economy, and that the public and private sector must work together to address vulnerabilities and threats as soon as they are discovered.
&lt;br /&gt;To read the full story, please go to &lt;a href="http://www.vnunet.com/news/1159016"&gt;http://www.vnunet.com/news/1159016&lt;/a&gt; .&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109901534135343573?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109901534135343573'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109901534135343573'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/10/information-security-is-crucial-for-it.html' title='Information Security is Crucial for IT Security'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-8896255.post-109898936151678666</id><published>2004-10-28T11:09:00.000-07:00</published><updated>2004-10-28T11:49:21.516-07:00</updated><title type='text'>Security News Mailing List</title><content type='html'>The Institute for Security Technology Studies at Dartmouth College has been preparing reports called Security in the News. &lt;strong&gt;&lt;em&gt;Security in the News&lt;/em&gt;&lt;/strong&gt; provides security professionals and government and law enforcement officials with timely and salient information on cybercrime, cyberterrorism, malware and other information-security issues at the strategic level. You can access the daily report at &lt;a href="http://news.ists.dartmouth.edu/todaysnews.html"&gt;http://news.ists.dartmouth.edu/todaysnews.html&lt;/a&gt;. 
You can also subscribe to the daily email update at &lt;a href="http://news.ists.dartmouth.edu/cgi-bin/signup.cgi"&gt;http://news.ists.dartmouth.edu/cgi-bin/signup.cgi&lt;/a&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8896255-109898936151678666?l=cavusoglu.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109898936151678666'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8896255/posts/default/109898936151678666'/><link rel='alternate' type='text/html' href='http://cavusoglu.blogspot.com/2004/10/security-news-mailing-list.html' title='Security News Mailing List'/><author><name>PM</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='22' height='32' src='http://people.commerce.ubc.ca/faculty/cavusoglu/hasan-in-black.jpg'/></author></entry></feed>
