About February 2007

This page contains all entries posted to AuthenticationWorld Blog in February 2007. They are listed from oldest to newest.

February 2007 Archives

February 2, 2007

Criminals exceed capacity of antivirus vendors

Yesterday, Computerworld ran a story "Call the cops: We're not winning against cybercriminals". In it, Kaspersky Lab's CEO admits that they can't keep up with the criminals: ""We don't have the solutions," says Natalya Kaspersky, CEO of the company. "We thought it was possible to do antivirus and that was adequate protection. That time is gone.""

Of their CTO, the article says "The company dedicates 50 engineers to analyzing new malware samples and trying to find ways to block them, but with about 200 new samples per day and growing, it's an uphill fight, he says."

Further, the CEO states "Police have made efforts to prosecute the people behind the malware, but success has been limited. In 2004, there were 100 arrests worldwide. That number rose to a few hundred in 2005, then dropped back to about 100 again in 2006, Kaspersky says. "The stupid guys got jailed," he says. "The smart guys -- it's very difficult to find them.""

Their conclusion? There is a need for international police coordination and legal prosecution.

This article merely confirms the statements made last summer at an international conference in Montreal that criminals would have the upper hand for the next 2-3 years.

Bottom line: Make sure you have multiple layers of identity defenses using stronger and stronger authentication and make sure that you're on top of your security game or you may be very sorry.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 5, 2007

$5 one-time password token introduced

Entrust today announced the introduction of one-time password tokens at $5. This is substantially below the existing prices offered by competitors such as RSA and Vasco Data Security.

Bearing in mind that one-time password tokens don't stop phishing attacks, this offering is nevertheless very good news. Most enterprises still use passwords as their main form of authentication. As has been well documented, passwords are very insecure. Therefore, enterprises need to consider different forms of authentication. The historical cost of one-time password tokens has been an impediment to widespread adoption of this method.

Enterprises considering Entrust's new one-time password offering, however, need to consider the use of these tokens as only part of a more in-depth enterprise authentication strategy. As the user drills towards more sensitive information, applications or building access, multi-factor authentication needs to be used.

Even with the use of multi-factor authentication, enterprises must assume that these methods too may be bypassed. Therefore, to protect the enterprise crown jewels, they should deploy transaction authentication, which, in addition to strong authentication, checks the user's physical hardware, IP address, geolocation, time of day and past user history profile before letting the user in.

There is no one silver bullet in authentication. While the Entrust offer makes the use of one-time passwords more affordable, it is only one of many tools an enterprise must use to properly defend itself against attacks from organized crime.

Swiss Cheese - Another high risk security hole appears in MS Office

On Friday, Microsoft confirmed yet another high risk security flaw in one of its MS Office products, Excel. The hole allows malware to be deposited on the user's computer merely by opening the Excel file. The normal method is to attach the file to an email requesting that the user open it.

This brings the total to five unpatched high criticality flaws in MS Word and Excel. Several of the Word flaws have been known since early December and as yet remain unpatched.

MS Office resembles Swiss Cheese with all of its security holes. Vista won't stop these types of attacks.

Caveat emptor. Think on it before you click on it for MS Office attachments in your email.

Site authentication may not provide additional security in practice

Brad Stone of the New York Times today wrote a story "Study Finds Web Antifraud Measure Ineffective". The article quotes results from a joint Harvard/MIT study on the security effectiveness of site authentication, finding that out of 60 people, the measure worked for only two.

Site authentication is where the user preselects an image to be displayed at login, when they are supposed to enter their uid and password. The technology, developed by Passmark in 2004 (which was acquired by RSA) and also produced by several other competitors, is based on the theory that if the user comes to a phishing site and doesn't see their image, they should be alerted to the fact that the site is not real and therefore not enter their uid and password. However, the study didn't bear this out. Only two people refused to enter their uid and password, while the other 58 entered it despite there being no image.

Changing end user behavior is hard to do. People are used to entering their uid and password and disregard security mechanisms like site authentication. I am fairly confident that Microsoft's Vista anti-phishing technology, where the toolbar goes green for supposedly safe sites, will meet the same kind of response from end users.

Enterprises wanting to secure themselves internally should take heed from the study. There needs to be stronger authentication in addition to uid and password as the user drills towards more sensitive information and applications. Don't expect one method to provide your security or you'll be sorry.

February 6, 2007

Vista's Live OneCare Fails the Test

The BBC today reported that Microsoft's Vista Live OneCare failed a test recently done by Virus Bulletin. The article states: "While Live OneCare did manage to spot 100% of the macro viruses it was tested against, it missed some wild viruses, polymorphic programs and file infectors.

Live OneCare caught 99.91% of the known active viruses it was tested against. This left it vulnerable to 37 separate malicious programs.

Other anti-virus products that failed the tests included G-Data AntiVirusKit, McAfee VirusScan Enterprise 8.51 and Norman Virus Control 5.90."

This test was against known viruses, bots and worms. The article then quotes John Hawes from Virus Bulletin ""Although many improvements have been made, Vista cannot fend off today's malware without help from security products," he said."

I would argue that even with the use of other anti-virus vendors' products, tests from Malware-test.com suggest that most vendors are missing 50% of the malware.

Caveat emptor. Don't rely upon what the vendor's marketing spiels tell you.

Time to secure smartphones

Today in Searchcio.com Shamus McGillicuddy wrote an article "SMARTPHONES EASY TARGET FOR HACKERS, EXPERTS WARN". The article explores the risks from executives who are increasingly using smartphones to access and download sensitive applications and information.

The article quotes Stan Schatt, vice president and research director at ABI Research in Oyster Bay, N.Y. "Schatt said at least 30 forms of malware written specifically to exploit smartphone operating systems have been identified during the past two years. He estimated that as many as 90% of smartphones are exposed and unsecured right now."

The danger is that malware on a smartphone will capture the uid and password authentication most commonly used as a security mechanism. With this, the criminals then have access to the applications and information of the executive who uses the smartphone.

The answer is to have a layered identity authentication architecture. For general low risk access, continue to use the uid and password. As the executive drills towards sensitive apps and information, use stronger authentication such as one-time password tokens, biometrics, voice recognition etc. Then place transaction authentication around the enterprise crown jewels.

If you're not doing this, your enterprise is at high risk of a major security breach.

Hackers take down 3 of 13 servers critical to managing internet traffic

Today, hackers successfully attacked 3 of 13 servers critical to managing internet traffic according to CNN. In "Hackers hit key Internet traffic computers" the article states "Hackers briefly overwhelmed at least three of the 13 computers that help manage global computer traffic Tuesday in one of the most significant attacks against the Internet since 2002. Experts said the unusually powerful attacks lasted for hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet."

It goes on to state "Experts said the hackers appeared to disguise their origin, but vast amounts of rogue data in the attacks were traced to South Korea."

It is great that the internet didn't go down during the attempt. However, it is still very worrying that 3 of the critical servers went down.

I have blogged repeatedly on DNS attacks and in one blog, "Partnering with criminals", said that enterprises must give some thought to partnering with criminals to protect themselves from DNS attacks until the international authorities and the technology catch up. I have also blogged on possible interim strategies for preventing DNS attacks.

What chance does a mid-size enterprise, with a small IT department, have against these types of attacks that can successfully take down 3 of 13 critical internet servers?

200,000 new virus variants projected for 2007

Computerworld ran an article today "RSA: New threats could make traditional antivirus tools ineffective" that stated "Signature-based technologies are now "crumbling under the pressure of the number of attacks from cybercriminals," said Art Coviello, president of RSA Inc., the security division of EMC Corp. This year alone, about 200,000 virus variants are expected to be released, he said. At the same time, antivirus companies are, on average, at least two months behind in tracking malware. And "static" intrusion-detection systems can intercept only about 70% of new threats."

The article quotes Amir Lev, president of Commtouch Software Ltd.: "New server-side polymorphic virus threats like the recent Storm worm, however, contain a staggering number of distinct, low-volume and short-lived variants and are impossible to stop with a single signature, Lev said. Typically, such viruses are distributed in successive waves of attacks in which each variant tries to infect as many systems as possible and stops spreading before antivirus vendors have a chance to write a signature for it.

Storm had more than 40,000 distinct variants and was distributed in short, rapid-fire bursts of activity in an effort to overwhelm signature- and behavior-based antivirus engines, Lev said.

By the time a signature is released for one variant, it has often already stopped circulating and has been replaced by several other variants, he said."

This confirms the many blogs I have written stating that relying upon existing anti-virus and intrusion detection systems as the primary enterprise defense is not enough. Have in place layers of authentication security or you might be a victim rather than a healthy survivor of a criminal attack.

Weak passwords are still a real threat to enterprise security

Computerworld published an article today "Study: Weak passwords really do help hackers" describing a study at the University of Maryland that had four computers online for 24 days. There were 270,000 intrusion attempts (roughly one every 39 seconds). Approximately 825 attacks were successful.

Most of these attacks used dictionary scripts. Thus weak passwords were usually quickly guessed. The article quotes the project leader, Michel Cukier: ""Weak passwords are a real issue," Cukier said."

Enterprises still using passwords must strengthen the passwords their users choose in order to help mitigate the threat from password attacks.

February 7, 2007

Hacking intranet sites

Robert Vamosi posted an interesting blog today on CNET "Hacking intranet web sites from the outside". He attended an RSA presentation by Jeremiah Grossman, CTO of White Security. The blog describes the attack on an intranet:

"In several live demonstrations, Grossman showed how it was possible, by appending the URL in a victim's browser with a call to remotely hosted JavaScript to see a victim's browser history or learn an internal IP address. With such information, he was then able to scan the internal network and locate any valid servers operating inside the corporate firewall. He showed how an attacker could mask all this by creating a simple iframe over the legitimate browser screen, so the victim could use the browser to surf the Net, unaware that JavaScript was running in the background. For fun, the attacker could send messages to the victim that would appear as alert dialog boxes."


Perhaps as ominous, the blog continues to describe these types of attacks being initiated from web-enabled printers or web-enabled UPS strips. What is worrisome is that these types of attacks won't be picked up by anti-virus or other malware detecting devices.
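As an added illustration (not code from the CNET post or from Grossman's talk), the Python sketch below shows the kind of intranet page that lets a crafted URL carry script into the victim's browser, beside a hardened version that escapes the parameter and sends a Content-Security-Policy refusing remotely hosted script. The host names, the `name` parameter and the sample URLs are constructed assumptions.

```python
"""Reflected URL parameter: vulnerable rendering beside the hardened form.
Added illustration; hosts, parameter name and sample URLs are constructed."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs: a benign link and one that smuggles a remote script tag.
BENIGN_URL = "http://intranet.example/welcome?name=Alice"
HOSTILE_URL = ("http://intranet.example/welcome?name="
               "%3Cscript%20src%3D%22http%3A%2F%2Fevil.example%2Fx.js%22%3E%3C%2Fscript%3E")


def name_from_url(url: str) -> str:
    """Pull the 'name' query parameter out of a URL (empty string if absent)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("name", [""])[0]


def render_vulnerable(url: str) -> str:
    """Vulnerable: the parameter is pasted into the markup unchanged, so a
    crafted link becomes script running with the intranet page's origin."""
    return f"<h1>Welcome {name_from_url(url)}</h1>"


def render_hardened(url: str) -> tuple[dict, str]:
    """Hardened: HTML-escape the parameter and ship a CSP header.
    Returns (response headers, body). The CSP is a second layer: even if an
    escaping bug slipped through, script from another host would not execute."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }
    body = f"<h1>Welcome {escape(name_from_url(url), quote=True)}</h1>"
    return headers, body


def contains_script_tag(html: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in html.lower()


if __name__ == "__main__":
    print(render_vulnerable(HOSTILE_URL))
    print(render_hardened(HOSTILE_URL)[1])
```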

There are so many relatively easy attack vectors into an enterprise. The bottom line is to have multiple layers of identity authentication strength behind the firewall, the anti-virus and intrusion detection systems.

February 11, 2007

The future of passwords

On Friday, the BBC published an interesting article "Keeping secrets from web spies". The article gives a reasonable overview of the use of passwords as well as the risks from things like keyboard loggers and other malware.

Passwords are the weakest form of security. While the article mentions things like keyfobs that contain one-time passwords, it doesn't mention that these too are subject to phishing attacks.

The article also doesn't mention how to remember complicated passwords. It is only through the use of memory tricks that complicated, longer passwords can be memorized and recalled in the user's brain.

Vishing attacks growing

Brian Krebs has an interesting blog this past week on Vishing "Cell phones: the new phish food". Becoming more common is the use of 1-800 numbers sent out in emails to lure the unsuspecting user into calling a bogus number and inputting sensitive identity information which the criminals use.

The best ways to avoid this attack are:
1. Never click on any email links unless you are expecting them.
2. Google the 800 number and see if it is owned by the company in question.
3. Call up the company on a phone number listed on the company's website, which you find from Google, and ask them if the number is valid.

Virtual perils growing

Last fall, I published a series of blogs on a new form of attack called "Blue Pill" using virtual hardware to create what is thought to be a currently indefensible form of attack and one to which the new Vista would also be susceptible. I was thinking of this when reading a recent blog by Brian Krebs of the Washington Post titled "Perils in Parallels?".

He was quite concerned about virtual software. In his blog he described how he had installed the Vista operating system on top of Mac OS X using "Parallels" a virtual machine program. What bothered him was that Vista could rewrite and delete any files in the Mac operating system running underneath it.

While I agree that this is serious, I expect the manufacturers to remedy this. What came to my mind was the increasing use of virtual machine software and Blue Pill. By using Blue Pill the criminals can move the entire operating system into a virtual machine without the system admins even knowing about it.

This type of attack is ready for prime time. Beware of the use of hardware virtual machines.

February 12, 2007

Wireless Hacking Gets Easier

At RSA last week, a small US company called Immunity rolled out a new product "Silica" that allows hand-held penetration testing of wireless devices to be done surreptitiously. The sleek hand-held device allows:

"* Tell SILICA to scan every machine on every wireless network for file shares and download anything of interest to the SILICA device. Then just put it in your suit pocket and walk through your target's office space.
* Tell SILICA to actively penetrate any machines it can target (with any of Immunity CANVAS's exploits) and have all successfully penetrated machines connect via HTTP/DNS to an external listening port running Immunity CANVAS Professional.
* Mail SILICA to your target's CEO, then let it turn on and hack anything it can as it sits on their desk.
* Have SILICA conduct MITM attacks against people on a wireless network."

The CEO of the firm, the former CIO of Bloomberg, is quoted in eWeek's article "Wireless Hacking Tool Makes Splash at RSA":
"The former CIO cooked up the idea for the mobile hacking device while at Bloomberg, where she was constantly worried about the use of rogue access points and unprotected wireless networking systems.

Whether being used to carry out man-in-the-middle attacks against unguarded wireless users or to seek out file shares sitting on people's desktops, the device is a convenient platform for proving the need for stronger access protection, according to the executive.

"People can ship this to their operations anywhere in the world to help test the vulnerability of their corporate networks," the CEO said. "We think there's a real market for this type of device."

I think that not only should enterprises use the device to test their network but also be aware that hacking their untested wireless devices just got a lot easier. It's time to strengthen the authentication on enterprise wireless devices.

Bandit, Higgins and Pamelaware create new identity authentication wave

Last week at RSA, a joint presentation was given that demonstrated the interoperability of different multi-platform and multi-protocol identity authentication standards. The presentation "Open Source Identity Services - Multi-platform and Multi-protocol interoperability with Bandit, Higgins and others" can be found here. The presentation was proof that there is hope for meshing together the different identity and authentication technologies already in place in most enterprises. Let's look at the three components in the presentation to understand the significance of what they demonstrated.

Higgins is an extensible, platform-independent, identity protocol-independent, software framework that can support existing and new applications. It does this via:
* An identity attribute service (IdAS) that supports multiple identity context providers abstracting information from LDAP, SAML, OpenID, Infocard and RDF
* An Infocard provider and Security Token Service (STS) which uses IdAS from multiple identity providers
* Ability to use multiple forms of agents such as web-based and client-side card managers, browser extensions, and user interface (infocard selectors)

Higgins has been referred to as the Switzerland of identity. By being a neutral state it effectively allows different identity standards to inter-operate.

Bandit is an open-source project sponsored by Novell that implements open standard protocols and specifications such that identity services can be constructed, accessed and integrated from multiple identity sources. One of its goals is to provide enterprises with consistent identity services for authentication, authorization and auditing.

Bandit does this by using the following:
* Identity attribute service from Higgins (IdAS)
* Authentication services (CASA) which uses client credential store and authentication services, simple security token service with Kerberos support, server side authentication modules (JAAS, JACC and mod-CASA).
* Role engine (leveraging Sun's XACML)
* Audit record framework (ARF) which uses an event submission framework with a standard structured format for identity data

The Pamela Project champions robust, open source relying party code development and integration for information card technologies. Developed by Pam Dingle of Nulli Secundus, the demonstration showed a plugin for WordPress. Pam is an awesome identity analyst and an Infocard specialist.

What the demonstration did was the following:
1. Accessed a wiki through a gateway using username and password (in this case the account came from a Novell Account Manager (NAM) user account, with NAM acting as the gateway and as a Liberty Alliance Service Provider)
2. Generated a managed card from a personal card (it received its identity data from NAM using Higgins IdAS and LDAP)
3. Accessed the wiki through the gateway with the card (the managed card linked from the personal card, with NAM acting as the relying party)
4. Accessed the wiki directly with the card (authorization and audit based on card data using Bandit components)
5. Accessed the Pamela Project WordPress blog with the card

This is the fore-runner of what typical identity transactions will look like in the near future in most enterprises. Hats off to the Higgins, Bandit and Pamela project members!

Number of mobile attacks rises in the last year

Computerworld is running a story today "Mobile attacks jumped fivefold in 2006, study says" in which it quotes a newly released McAfee study claiming a fivefold increase in the number of security attacks reported on mobile devices.

The article states "According to data gleaned from more than 200 mobile operators worldwide, an overwhelming majority -- 83% -- said that their subscribers have been hit by some kind of mobile device infection. "This research clearly demonstrates that mobile security is moving quickly up the industry agenda, with the number of malware incidents rising," Victor Kouznetsov, McAfee's senior vice president of mobile security, said in a statement."

The article also states "Predictions of widespread mobile device attacks -- while made annually by security vendors and analysts -- have not yet been borne out. That was backed up by the survey, which noted that attacks involving between 1,000 and 100,000 devices accounted for just 15% of all reported security events."

So, the future is unfolding more or less as predicted. With the rise in use of mobile devices come new attacks on them. Make sure your mobile is secure. Enterprises must consider using layers of stronger identity authentication. Also make sure that your NAC ensures that mobile devices all have the most recent patches before allowing connection to your network.

Out of band authentication - part of an authentication solution?

Last week, Andrew Rulfe in E-Commerce Times wrote an article "Out-of-Band Authentication Protects Online Financial Data". In the article Andrew, VP of Authentify, states that financial institutions need to use out of band authentication methods, such as the telephone, to reduce risk to the enterprise and the financial institution's customers.

He states in the article:
"Here's how it works: During the attempt to transfer the funds out of the account, the online criminal would have been required to answer a telephone associated with the account in order to complete the transaction. The automated call consists of voice prompts directing the account owner to speak a confirmation number displayed in the Web browser.

Since completing the transaction depends on the user's ability to answer the phone number the account owner has given the bank and to successfully speak the confirmation number displayed in the browser, a person attempting to make a transfer without access to the out-of-band network (the account holder's phone) is denied.

Simply said, hackers can be armed with much, if not all, of a user's personal information, but that does not allow them to answer the user's phone or replicate the user's voice.

The phone works particularly well as an out-of-band authentication network. Along with being easy to use, it has the ability to produce an audible record of the transaction. The transaction record can include a .wav file recording of the user speaking the confirmation number, the record of the number dialed and answered, time stamps from the telephone network or even real-time voice biometric comparison."

Generally speaking, I believe he is heading down the right road. The use of the phone is a valuable weapon in reducing the risk of financial fraud. However, it needs to be part of a transaction authentication solution.

As Bruce Schneier constantly points out, most authentication mechanisms can be bypassed in phishing attacks. He says that authenticating the transaction is where the energy should be placed.

Therefore, the financial institution needs to have filters in place for every transaction. At low withdrawal amounts, the uid and password may be accepted. The financial institution may accept the risk of fraud there, since the cost of managing it with out of band authentication is more than the potential loss.

The transaction software also monitors the frequency and time of day of withdrawals. Therefore, when the transaction software sees frequent low-dollar withdrawals, it may then step in and either alert the bank or proceed with the use of out of band authentication.

For higher risk dollar withdrawals, the transaction software will automatically proceed to the use of out of band authentication, since the risk now outweighs the cost of the out of band transaction.

For even higher amounts, the transaction software may check the user's physical computer, its IP address, geo-location, time of day and user pattern. Then, based on what it sees, the transaction software may use out of band authentication together with further authentication mechanisms, as well as possibly alerting the financial institution's managers in real time before allowing the transaction to proceed.

This is the future for financial institutions as well as for most other enterprises. When the risk outweighs the cost it is time to use transaction software coupled with out of band authentication such as the telephone.
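As an added example (not Authentify's product or any bank's actual rules), here is one way to encode the tiered policy described above in Python; the thresholds, field names and sample transactions are assumptions constructed for the illustration.

```python
"""Tiered transaction authentication: password for low amounts, phone
call-back as amount, frequency and context anomalies rise, plus a real-time
alert at the top tier. Added illustration; thresholds and fields are assumed."""
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    PASSWORD = 1                # uid/password only; bank accepts residual fraud risk
    OUT_OF_BAND = 2             # phone call-back, user speaks the confirmation number
    OUT_OF_BAND_PLUS_ALERT = 3  # out of band plus real-time alert to bank staff


@dataclass
class Transaction:
    amount: float
    withdrawals_last_24h: int   # count of earlier withdrawals in the window
    known_device: bool          # physical computer / browser seen before
    ip_matches_profile: bool    # IP address and geo-location consistent with history
    usual_hours: bool           # time of day matches the customer's pattern


# Assumed policy thresholds (constructed for the example, not a real bank's).
LOW_AMOUNT = 500.0          # below this, password alone unless other flags trip
HIGH_AMOUNT = 5000.0        # at or above this, always go out of band
VERY_HIGH_AMOUNT = 25000.0  # at or above this, also alert staff
FREQUENT_WITHDRAWALS = 3    # many small withdrawals in a day is a step-up trigger


def required_auth(tx: Transaction) -> AuthLevel:
    """Return the strongest check the policy demands for this transaction.

    The cost of a call-back is weighed against the amount at risk, and the
    bar rises as amount, frequency and context anomalies accumulate.
    """
    anomalies = sum(not flag for flag in
                    (tx.known_device, tx.ip_matches_profile, tx.usual_hours))

    if tx.amount >= VERY_HIGH_AMOUNT:
        return AuthLevel.OUT_OF_BAND_PLUS_ALERT
    if tx.amount >= HIGH_AMOUNT:
        # Large amount from an unfamiliar context: bring a human in as well.
        if anomalies >= 2:
            return AuthLevel.OUT_OF_BAND_PLUS_ALERT
        return AuthLevel.OUT_OF_BAND
    if tx.withdrawals_last_24h >= FREQUENT_WITHDRAWALS or anomalies >= 1:
        # Frequent low-value withdrawals, or something off about the session.
        return AuthLevel.OUT_OF_BAND
    if tx.amount < LOW_AMOUNT:
        return AuthLevel.PASSWORD
    return AuthLevel.OUT_OF_BAND


def decide(tx: Transaction, password_ok: bool,
           phone_confirmed: bool) -> tuple[bool, AuthLevel]:
    """Apply the policy: the transfer proceeds only when every required factor
    succeeded. Returns (allowed, level that was required)."""
    level = required_auth(tx)
    if not password_ok:
        return False, level
    if level >= AuthLevel.OUT_OF_BAND and not phone_confirmed:
        return False, level
    return True, level


if __name__ == "__main__":
    # Constructed sample: a small routine withdrawal and a large one from a new device.
    for tx in (Transaction(120.0, 0, True, True, True),
               Transaction(8000.0, 0, False, False, True)):
        print(tx.amount, required_auth(tx).name)
```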

Criminals battling for control of botnet market share while industry and police can't compete

Computerworld today ran an article titled "'Storm Trojan' ignites worm war". The article states:
"Symantec Corp. researchers said that the "Storm Trojan," aka "Peacomm," is now spreading via AOL Instant Messenger (AIM), Google Talk and Yahoo Messenger.

An alert to some Symantec customers pegged the new infection vector as "insidious" because the message -- such as the cryptic "LOL ;)" -- and the included URL can be dynamically updated by the attacker. Even worse, according to Alfred Huger, senior director of Symantec's security response team, "it injects a message and URL only into already-open windows. It's not just some random message that pops up, but it appears only to people [you are] already talking to. That makes the approach very effective."

Moreover, the server from which the malware is downloaded to the victim's PC can be quickly changed by the attacker using the Trojan's peer-to-peer (P2P) control channel. "Everything can constantly change," said Huger."

This is the second time since January that the Trojan worm has struck. Then, it used storm warnings about massive European storms in the message titles. The article also documents the vicious nature of the malware, which contains denial of service attack modules:

"Among the multiple second-stage components downloaded to Windows PCs compromised by Peacomm, said Stewart, is a DDoS module that can be enabled at will by the attacker and aimed at any site. The January target list included spamnation.info, which was knocked offline for eight days starting Jan. 12. The better-known spamhaus.org was an indirect victim, too.

Systems hijacked by Peacomm have also conducted DDoS attacks against at least five domains used by the creators of the noted Warezov (or Stration) worm. After a busy September and October, Warezov was credited by some analysts as the genesis of 2006's massive fourth-quarter spike in spam volume."

The article also concludes that most of the DDoS attacks are against other criminal malware trying to gain control over the bots.

So there you have present day reality. Criminals are now fighting each other for control over bots while industry and police agencies are so far behind it isn't even funny.

Make sure your enterprise is prepared for IM based attacks. Then assume that some will be successful and have multiple layers of authentication strength behind the firewall.

February 13, 2007

Microsoft issues BIG fix

Today Microsoft finally issued patches covering the majority of their major security flaws. The high criticality flaws reported in December concerning Word have been patched. This means that it took nearly two months from the time of report until a patch was available.

This set of security patches is one of their largest ever.

Saving the internet...

Computerworld ran an interesting article yesterday titled "Spam, viruses, botnets: Can the Internet be saved?" The article is based upon the premise "The most sanguine of observers say that even if the Internet is able to avoid some kind of digital Armageddon brought on by spammers, hackers, phishers and cyberterrorists, it nevertheless will drown in a flood of mobile gadgets, interactive multimedia applications and Internet-enabled devices, including phones, cars, home appliances and radio frequency identification tags."

Then it begins to review the state of rethinking the internet from a clean slate including:
* FIND (Future of Internet Design) - A number of different projects funded by the NSF. One of which is "Ethane":
- Ethane - "which centralizes security rather than putting it all around the network in firewalls, virus scanners and the like. With Ethane, all communications are turned off by default. A host joining the network must get explicit permission from a centralized server before it can connect to anything except that server. And the server won’t grant permission unless it is able to determine the location and identity of the requestor."

* GENI - a $300-400 million dollar NSF project. "The Global Environment for Networking Innovation, or GENI, will be a giant test laboratory stretching across the U.S., complete with wired and wireless computers, routers, switches, management software and subnets of wireless, cellular, sensor and radio devices. It will include a fiber-optic backbone and tail circuits to some 200 universities."

However, if you're looking for an answer soon...THERE ISN'T ONE.

For example, the Ethane project leader is looking at a 15 year horizon. This means that we will have to deal with the onslaught of security risks we have now for a long time to come. You'll have to use layers and layers of stronger authentication security until new systems arrive to help you out.
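To make the Ethane idea quoted above concrete, here is a toy model of a default-deny admission controller. This is an added illustration, not code from the Ethane project; the `Controller`, `join` and `permit` names, and the identity/location checks, are assumptions chosen to mirror the description: every flow is off until the central server knows who and where the requestor is and has explicitly permitted the flow.

```python
"""Toy Ethane-style controller (added example, not the Ethane project's code).

All communication is denied by default. A host may talk only to the controller
until it has joined by presenting an identity and a location; after that it may
reach exactly the destinations the controller's policy lists for that identity.
"""
from dataclasses import dataclass, field

CONTROLLER = "controller"  # the only destination reachable before admission


@dataclass
class Host:
    identity: str   # who is asking (e.g. an authenticated user or device name)
    location: str   # where it joined from (e.g. a switch port)


@dataclass
class Controller:
    # policy maps an identity to the set of destinations it may connect to
    policy: dict = field(default_factory=dict)
    # hosts that have been admitted, keyed by network address
    admitted: dict = field(default_factory=dict)

    def join(self, addr, identity, location):
        """Admit a host only if both its identity and location are known."""
        if not identity or not location:
            return False           # controller refuses an unidentifiable requestor
        self.admitted[addr] = Host(identity, location)
        return True

    def permit(self, src, dst):
        """Decide whether src may open a connection to dst (default: no)."""
        if dst == CONTROLLER:
            return True            # asking the controller itself is always allowed
        host = self.admitted.get(src)
        if host is None:
            return False           # unadmitted hosts reach nothing else
        return dst in self.policy.get(host.identity, set())


def demo():
    """Walk one host through the join sequence; returns the decisions made."""
    ctl = Controller(policy={"alice": {"fileserver"}})
    addr = "10.0.0.5"              # constructed sample address
    return {
        "fileserver_before_join": ctl.permit(addr, "fileserver"),
        "controller_before_join": ctl.permit(addr, CONTROLLER),
        "join_without_location": ctl.join(addr, "alice", ""),
        "join_with_location": ctl.join(addr, "alice", "port-3"),
        "fileserver_after_join": ctl.permit(addr, "fileserver"),
        "internet_after_join": ctl.permit(addr, "internet"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is that the policy decision lives in one place and is keyed on identity, so a host that cannot be identified gets nothing, and a compromised host still only gets what its identity was granted.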

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 14, 2007

New way of viewing laptop security

Last week Wired News ran a story about a different approach to laptop security for the $100 laptop in the One Laptop Per Child project whose purpose is to give a laptop to every child in the developing world. The interesting thing about the story was the security approach taken.

The article states the following:

"Instead, the XO will premiere a security system that takes a radical approach to computer protection. For starters, it does away with the ubiquitous security prompts so familiar to users of Windows and antivirus software, said Ivan Krstic, a young security guru on break from Harvard who's in charge of security for the XO.

"How can you expect a 6-year-old to make a sensible decision when 40-year-olds can't?" Krstic asked in a session at the RSA Conference. Those boxes simply train users to check "yes," he argued.

Krstic's system, known as the BitFrost platform, has only one user prompt (turning on the camera) and imposes limits on every program's powers. Under BitFrost, every program runs in its own virtual machine with a limited set of permissions. Thus a picture viewer can't access the web, so even if a hacker comes up with an exploit that lets him control the program, he couldn't use it to grab all the photos on the laptop and upload them to the internet.

"Applications can no longer run rampant," Krstic said. "Spyware becomes very, very hard. It can't spy on the keyboard. You can only spy on how a user uses their program."

Krstic contrasts this approach to Microsoft's Windows XP where every program, including Solitaire, has the right to access the web, turn on the video camera, open spreadsheets and send e-mail.

Programs downloaded to the computer can't "request a set of permissions that let (them) do bad things," Krstic said, unless that software has been certified by a trusted authority, which will be either One Laptop Per Child or one of the countries signed onto the project. Users can, however, manually assign more power to a particular program through the security control panel.

Krstic's objectives are to attack the problem of malware by removing the economic incentive to attack, and to make security usable."

This approach is worth following. It may actually limit the effectiveness of malware attacks going after user id and password authentication.

How it fares when out there in the world remains to be seen. If and when there is an economic incentive to attack the laptop, the real test will be seen. So far however, the approach looks good.
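The permission rules the article attributes to BitFrost can be written down as a small policy check: a program runs with only the permissions it was granted, an uncertified downloaded program cannot obtain the dangerous ones, and the user can hand out extra permissions from the control panel. The code below is an added example, not BitFrost's own design or code. The permission names, the "dangerous" set, and the use of an HMAC tag to stand in for a trusted authority's certification are all assumptions made to keep the example self-contained.

```python
"""Added example modelling the BitFrost permission rules described above.
Not the real BitFrost code; names and the HMAC-based 'certification' are
stand-ins for illustration only."""
import hashlib
import hmac

# Permissions a program may hold (constructed set for this example)
ALL_PERMISSIONS = {"read_own_files", "read_all_documents", "network",
                   "camera", "keyboard_global"}
# Permissions that only a certified program may request
DANGEROUS = {"read_all_documents", "network", "camera", "keyboard_global"}

# Key of the trusted authority. A real design would verify a public-key
# signature; a shared HMAC secret is used here only to keep the demo offline.
AUTHORITY_KEY = b"constructed-authority-key"


def certify(name, requested):
    """Tag a trusted authority would attach to an approved permission manifest."""
    msg = (name + "|" + ",".join(sorted(requested))).encode()
    return hmac.new(AUTHORITY_KEY, msg, hashlib.sha256).hexdigest()


def is_certified(name, requested, tag):
    """True only if the tag covers exactly this program and permission set."""
    if tag is None:
        return False
    return hmac.compare_digest(certify(name, requested), tag)


def grant_permissions(name, requested, tag=None, user_granted=()):
    """Compute the permissions a program actually runs with.

    Uncertified programs silently lose any dangerous permission they asked for;
    the user's manual grants from the security control panel are always honoured.
    """
    requested = set(requested) & ALL_PERMISSIONS
    if is_certified(name, requested, tag):
        granted = set(requested)
    else:
        granted = requested - DANGEROUS
    granted |= set(user_granted) & ALL_PERMISSIONS
    return granted


def can_exfiltrate_photos(granted):
    """The article's scenario: a hijacked viewer uploading photos needs both rights."""
    return {"read_all_documents", "network"} <= granted


if __name__ == "__main__":
    viewer = grant_permissions("picture_viewer",
                               {"read_own_files", "read_all_documents", "network"})
    print("viewer runs with:", sorted(viewer),
          "| can exfiltrate photos:", can_exfiltrate_photos(viewer))
```

Note what the tag is bound to: the program name and the exact permission set. A program that was certified for a small set and later asks for more falls back to the uncertified path, which is the behaviour the article describes for software that has not been approved by One Laptop Per Child or a participating country.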

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


The inside dope on stealing your authentication

Wired Magazine produced a very interesting story on February 2 of this year. Called "Steal this download", it contains a 25 page PDF story about David Thomas, a high tech criminal who for several years ran, on behalf of the FBI, a website trafficking in stolen credit cards and other identity theft material.

To put credit card theft into perspective the story says:
"The full scope of the problem is hard to judge, but nonetheless staggering. U.S. banks lost $546 million to debit card fraud in 2004, according to banking research firm Dove Consulting, and credit card fraud losses were estimated to be about $3.8 billion globally in 2003 according to The Nilson Report."

The story documents the arrest of Shadowcrew, a much publicized credit card gang reported in other stories as having 5,000 members. The story is interesting not so much for its insider view of credit card crime as for what it states towards the end of Thomas's story. The story states:

"The Shadowcrew bust was touted as a major success by law enforcement. Since the initial action, subsequent arrests in Operation Firewall have brought the total number of carders nabbed to 38 globally. Authorities say the suspects trafficked in more than 1.5 million stolen credit card numbers, resulting in losses estimated to be at least $4 million. The sting also netted more than 8.5 terabytes of forensic evidence -- the equivalent of 2.2 billion pieces of paper -- and involved more than a dozen criminal task forces in the United States and elsewhere."

"But the long-term effects of the operation on curbing criminal activity have proven to be almost nil. It wasn't long after Shadowcrew went down before new carding sites, such as CardersMarket and the International Association for the Advancement of Criminal Activity, or IAACA, popped up to take its place. And the bust opened the way for new problems as well."

"Amir Orad, executive vice president of security company Cyota (now owned by RSA Security), which has a command center in Israel from where researchers monitor the carding boards, says Operation Firewall made it more difficult for law enforcement to track carders. Once Shadowcrew went down, the community morphed from a small number of large carding sites to a larger number of small sites that have become harder to trace and infiltrate. And many of the most serious criminals have disappeared from the boards altogether, taking their activities further underground."

""What we see clearly is that taking down ... one group doesn't solve the problem, it creates multiple small problems," Orad says. "(We) haven't seen a major impact of those arrests besides maybe the publicity and the awareness that this whole crime costs."

Others have also disputed law enforcement's characterization of the significance of Shadowcrew's role in cybercrime, saying the website was more a sandbox for kiddie criminals than a virtual Cosa Nostra, and that those who were arrested were mostly low hanging fruit."

What this story documents is how ineffective law enforcement has been at catching and substantially diminishing organized crime. Let's take a low average of $500 million lost to credit card fraud by US banks every year since 2004. That makes $1.5 billion for the last three years. The Shadowcrew losses amounted to $4 million. Let's assume that's only what the government can prove, and be generous and say that the amount they stole was 10 times or even 100 times that. Where are the prosecutions for the other $1 billion?

And remember, that's only the US we're talking about. There was reported to be $3.8 billion stolen globally in 2003. Using this number for each of the successive years that amounts to a staggering $11.4 billion over the last three years.

Make no mistake. It is well organized crime that is behind the majority of the authentication theft going on, and they are not being arrested. As the Wired story notes, it's only the new age script kiddies and relatively low-lifes like David Thomas and Kim Taylor who are getting caught and imprisoned.

People like these were paying $1000 per day to hackers to crack banks and card processing databases. What is worse is that most security experts agree that organized crime is now attacking non-financial enterprises using targeted attacks. Imagine the arsenal that real organized crime, with literally billions of dollars in revenue, can afford to spend on cracking enterprise security systems. What protection do you have in place against this?

Make sure you use layered strong authentication security or you will be sorry.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


Cisco Routers Have More Vulnerabilities

Yesterday, Cisco announced in an advisory that its routers running Cisco Internetwork Operating System (IOS) versions beginning with "12.3" and "12.4" have flaws that could allow hackers to circumvent the Intrusion Prevention System (IPS) with malware and also allow routers to crash. This is very important to take note of since many enterprises deploy these routers. Patches and upgrades are available.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Beware Valentine Day's email

Sophos today issued a press release "Heart attack: Valentine virus strikes at email inboxes" claiming that a widespread worm posing as a St Valentine's Day greeting has represented over 76% of all malware at Sophos's global network of virus monitoring stations.

The press release states:
"Subject lines used in the attack are many and varied, but all pose as a romantic message. Some of them include "A Valentine Love Song", "Be My Valentine", "Fly Away Valentine", "For My Valentine", "Happy Valentine's Day", "My Lucky Valentine", "My Valentine", "My Valentine Heart", "My Valentine Sunshine", "Send Love On Valentines", "The Valentine Love Bug", "The Valentines Angel", "Valentine's Love", "Valentine's Night", "Valentine Letter", "Valentine Love Song", "Valentine Sweetie", "Valentines Day Dance", "Valentines Day is here again", and "Your Love on Valentine's".

Attached to the emails are files called flash postcard.exe, greeting postcard.exe, greeting card.exe, or postcard.exe which contain the worm.

"This new Valentine attack is spreading hard and fast across the net, accounting for over three quarters of all the malware we've seen at email gateways around the globe since February 14 began," said Graham Cluley, senior technology consultant. "People will be truly love sick if they let the virus run on their PC.""

Don't open an email and click on a link or attachment in it unless you are expecting that email, even if it's from someone you know. Otherwise, you may suffer loss of your authentication credentials and also have your computer become a bot.
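The press release gives two concrete indicators a mail gateway can act on: the list of subject lines and the four attachment file names. Below is an added example, not Sophos's code, of a gateway-style check built on exactly those indicators, with sample messages constructed inline for the demonstration. The `classify` and `verdict` function names and the pass/flag/block scheme are assumptions.

```python
"""Added example (not from Sophos): flag mail matching the Valentine worm's
published indicators. Sample messages are constructed here for the demo."""
from email.message import EmailMessage

# Subject lines quoted in the Sophos press release, compared case-insensitively
WORM_SUBJECTS = {s.lower() for s in [
    "A Valentine Love Song", "Be My Valentine", "Fly Away Valentine",
    "For My Valentine", "Happy Valentine's Day", "My Lucky Valentine",
    "My Valentine", "My Valentine Heart", "My Valentine Sunshine",
    "Send Love On Valentines", "The Valentine Love Bug", "The Valentines Angel",
    "Valentine's Love", "Valentine's Night", "Valentine Letter",
    "Valentine Love Song", "Valentine Sweetie", "Valentines Day Dance",
    "Valentines Day is here again", "Your Love on Valentine's",
]}
# Attachment names quoted in the press release
WORM_ATTACHMENTS = {"flash postcard.exe", "greeting postcard.exe",
                    "greeting card.exe", "postcard.exe"}


def suspicious_attachments(msg):
    """Return attachment file names that match the worm's known names."""
    names = []
    for part in msg.walk():
        fn = part.get_filename()
        if fn and fn.strip().lower() in WORM_ATTACHMENTS:
            names.append(fn)
    return names


def classify(msg):
    """Return the list of matched indicators; an empty list means no match."""
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in WORM_SUBJECTS:
        hits.append("subject:" + subject)
    for fn in suspicious_attachments(msg):
        hits.append("attachment:" + fn)
    return hits


def verdict(hits):
    """A known worm attachment is decisive; a subject alone only earns a flag,
    since a genuine greeting could share it."""
    if any(h.startswith("attachment:") for h in hits):
        return "block"
    if hits:
        return "flag"
    return "pass"


def build_sample(subject, filename=None):
    """Construct a sample message (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = subject
    m.set_content("Open the card!")
    if filename:
        # Constructed placeholder bytes standing in for the executable payload
        m.add_attachment(b"MZ-placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m


if __name__ == "__main__":
    for subj, fn in [("Be My Valentine", "postcard.exe"),
                     ("Happy Valentine's Day", None),
                     ("Quarterly report", "report.pdf")]:
        hits = classify(build_sample(subj, fn))
        print(f"{subj!r} -> {verdict(hits)} {hits}")
```

Indicator lists like this go stale quickly, which is the author's point about relying on layers rather than any single check; the attachment-name match is the part worth keeping strict, since an executable named like a postcard has no legitimate reason to arrive by mail.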

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 15, 2007

Swiss Cheese gets bigger holes.

Microsoft, after issuing security patches yesterday fixing four critical security holes in Word, today announced yet another Word security hole. The Microsoft Security Advisory says the attack can be launched by merely opening the document.

This means that since early December there hasn't been a single day on which Word was not open to a highly critical malware attack. That's a comforting thought, isn't it? The Microsoft Office Swiss Cheese has wide gaping holes that seem to be growing.

As always, deploy layers of stronger identity authentication security to mitigate the enterprise risk.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 16, 2007

Default passwords = Drive By Pharming

There are over 30 million Cisco routers out there on the planet. Then add several million more for D-Link and Netgear each. That's one whole lot of routers busy routing IP packets. Many of them are now used in homes and small businesses. Now for the bad news.

Many of them are installed using the default passwords and ids like "Admin". A paper published in December by researchers at Indiana University called "Drive by pharming" outlines how this can be easily used to create pharming attacks. Here's how it works.

A criminal creates a webpage that contains JavaScript and Java Applets. This script works with several of the leading router vendors. If the script finds out that you haven't changed the default router id and password settings, it then takes control of your router. It then changes the DNS settings.

For example, let's say that you are trying to get to your financial website "bank.com". You enter this in the browser url bar. However, the browser is taken to a phony bank.com website via the router. Unbeknownst to you, if the website is well done, as current phishing sites usually are, you proceed to log on to the phony bank.com website, entering your id, password and other stronger authentication mechanisms like tokens. Now the criminals are in control and can milk your bank account. This same methodology can be used against non-financial enterprises.

Most people don't look at the url bar after typing in an address. If they did, they might notice the address had changed to something like bank-phoney.com. Therefore this type of attack will work.

Furthermore, the underlying cause for this is the installation of the default router id and password. For most small business enterprises, all of this stuff is mumbo-jumbo. They simply install the router and get on with their business.

This type of attack then makes use of poor authentication at two levels: the router and the user at the browser. Don't get caught out by this attack!

Make sure that you change the default settings on the router. Always pay attention to the URLs displayed in the browser after typing in addresses. If you don't, then you may become victim to a drive by pharming.
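The two conditions this attack depends on, a router still carrying its factory admin credentials and DNS settings that have been pointed somewhere unexpected, are both things an owner can audit from the router's own exported settings. The following is an added example, not code from the Indiana University paper: it parses a small constructed key=value settings dump and reports both conditions. The settings format, the list of factory defaults and the resolver allowlist are all constructed for the demonstration and would be replaced with your own vendor's values.

```python
"""Added example (not from the 'Drive by pharming' paper): audit a home router's
exported settings for the two weaknesses the attack relies on."""
import ipaddress

# Factory credentials commonly left in place (constructed list; extend per vendor)
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}

# Resolvers you expect the router to use or hand out, e.g. your ISP's or your own.
# Constructed values from the RFC 5737 documentation range.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def parse_config(text):
    """Parse 'key=value' lines (constructed format) into a dict, ignoring comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    creds = (cfg.get("admin_user", "").lower(), cfg.get("admin_password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default admin credentials still set")
    for entry in cfg.get("dns_servers", "").split(","):
        dns = entry.strip()
        if not dns:
            continue
        try:
            ipaddress.ip_address(dns)
        except ValueError:
            findings.append(f"malformed DNS server entry: {dns!r}")
            continue
        if dns not in TRUSTED_RESOLVERS:
            findings.append(f"DNS server {dns} is not a trusted resolver")
    return findings


# Constructed sample dumps: one as the attack would leave it, one clean
SAMPLE_HIJACKED = """
# router settings export (constructed sample)
admin_user=Admin
admin_password=admin
dns_servers=198.51.100.7, 192.0.2.53
"""

SAMPLE_CLEAN = """
admin_user=admin
admin_password=Correct-Horse-7
dns_servers=192.0.2.53, 192.0.2.54
"""


if __name__ == "__main__":
    for label, dump in [("hijacked", SAMPLE_HIJACKED), ("clean", SAMPLE_CLEAN)]:
        print(label, "->", audit(parse_config(dump)) or ["ok"])
```

Run this against a fresh settings export after any browsing session you are unsure about; an unexpected resolver appearing in `dns_servers` is the tell that the DNS settings were changed behind your back, and the credentials finding is the reason it could happen.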

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

IE and Firefox users beware...there are currently some serious flaws

Ryan Naraine yesterday wrote a blog post titled "Browser beware: Unpatched holes in Firefox, IE 7". This post demonstrates a serious security hole in IE browsers as well as in Firefox. Readers should take note.

In IE, the flaw captures the user's keystrokes when they are entered for, say, a blog, captcha or web chat. The typed information can then be used to read sensitive files on your computer. For a live demo, go here.

Firefox has different problems. A flaw could let the user believe the browser is connected to their bank when it is in fact communicating with the criminals. For an example, click here.

Be very careful when using your browser. The NoScript plugin can be used in Firefox until a patch is issued. Instructions for this are provided on the demo Firefox page link given above.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Vendors fixing security holes

Many people complain about the time it takes vendors to first of all formally recognize that a security hole exists in their product, develop a patch, properly test it to make sure it is compatible with previous product versions and then release it. Especially with Microsoft, where so many security holes exist and where so many users around the world can be affected, the monthly update schedule means that hackers have a month, or in some cases two to three months, between the discovery of a high risk security hole and the appearance of a patch.

Many IT executives are not entirely unhappy with Microsoft's monthly update. Ryan Naraine recently did a series of interviews with executives about this. The comments range from being mostly happy with the monthly schedule to growing fears about the enterprise becoming vulnerable to attacks in between patches.

Personally, I feel that the coupling together of botnets with organized crime having very large financial resources to pay hundreds or thousands of programmers over $1,000 per day to develop attacks means that many small and for sure mid-size enterprises are now at risk of an attack in between patches. The programmers produce the code, the criminal gang may then set up a local strategy to use a combination of social engineering and code attacks, the botnets can be used to deliver the code, and all of a sudden the enterprise is under attack. The chance that a mid-size enterprise has sophisticated intrusion prevention beyond the usual anti-virus and firewall is low. Thus, in my own opinion, these types of attacks will have growing rates of success.

An inside story from the vendor's perspective can be found by reading Alan Hargreaves' Sun blog on their recent fast track for fixing a telnet attack. This was a huge hole but was relatively easy to fix.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

February 17, 2007

More Cisco woes

In addition to the medium to high risk Cisco router security holes I blogged about earlier this week, Cisco has reported more security problems affecting its PIX 500 series security appliances, its 5500 series adaptive security appliances, and its Firewall Services Module. The security holes allow hackers to crash a networking appliance and bypass security policies. Additionally, a related vulnerability could be used to corrupt access control lists. This could allow traffic that should be blocked to pass into the corporate network.

Check the Cisco site to confirm whether or not your Cisco products can be affected. Fixes are available.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com