EYE ON SECURITY

The World of Secure Development.

by Kevin Carlson

June 2006


June 30, 2006

Identity Research Center Formed


A group of universities, law enforcement agencies, and technology vendors have formed a research consortium to study and combat identity fraud.

The Center for Identity Management and Information Protection (CIMIP) is a collaborative formed to consolidate the independent efforts of organizations researching identity management, information sharing, and data protection. The goal is to come up with some definitive answers on the causes and prevention of identity theft and fraud.

CIMIP will be based at Utica College in New York, with partners including IBM, LexisNexis, the FBI, the U.S. Secret Service, Carnegie Mellon University, Indiana University, and Syracuse University. Gary Gordon, a professor at Utica, will head the center. CIMIP’s partners will work together to provide resources, gather subject matter experts, provide access to sensitive data, and produce results that will be acted upon. This includes putting those results into action in the form of best practices, new policies, regulations, and legislation, training opportunities, and proactive initiatives for solving the growing problems of identity fraud and theft, secure sharing of information, and information protection.

CIMIP will not only research the incidence of identity fraud, but will also make recommendations on ways to improve authentication technology, and it will possibly formulate opinions on legislation and regulation. Officials did not give a timetable for the group's research but said it will study identity fraud as it changes over the years, which suggests that the project will be long-term.


Posted by Jon Erickson at 10:22 AM


June 27, 2006

RSA Conference 2007: Call for Papers


The Cryptographers' Track, a research conference within the RSA Conference, has issued a call for papers for the conference which will take place February 5-9, 2007 at Moscone Center in San Francisco.

To be considered, contributions must be original research papers pertaining to all aspects of cryptography. Submissions may present applications, techniques, theory, and practical experience on topics including, but not limited to: public-key encryption, symmetric-key encryption, digital signatures, hash functions, cryptographic protocols, tamper-resistance, fast implementations, elliptic-curve cryptography, quantum cryptography, formal security models, network security, e-commerce.

There are a few important dates:

  • Submission deadline: July 10, 2006
  • Acceptance notification: September 8, 2006
  • Proceedings version: October 10, 2006

Posted by Jon Erickson at 07:20 PM


June 22, 2006

IBM Announces Java Security Tools


IBM has announced its Secure Shell Library for Java, a tool that automatically encrypts data transmitted from one computer to another (including passwords and information stored in files), and the Security Workbench Development Environment for Java, which lets you test, validate, and secure enterprise-level Java applications that support industry standards such as Java 2 and OSGi.

With Workbench, you can embed authorization and access privileges into the development processes when building new applications, thereby automating the manual work of testing-based approaches by generating suggested security policies without having to run the code. Available at www.alphaworks.ibm.com.

Posted by Jon Erickson at 03:24 PM


June 13, 2006

"S" Is for Security (and Storage)


"S" seems the operative letter at TechEd 2006, at least when it comes to storage and security, and the names of a pair of companies--Saflink and Spyrus--that have similar products in the security space.

Among other security devices and software, Spyrus pitches what it calls the Hydra Privacy Card, a USB 2.0 compliant flash card designed for FIPS 140-2 Level 3 security validation. It supports a variety of cryptographic algorithms, including RSA 1024 and 2048, AES, SHA-1, elliptic curve cryptography (ECC), and the like. In terms of standards, the device supports the Microsoft CryptoAPI and various FIPS standards (DES, SHA, DSS, AES, and the like). Up to 2 GB of mass storage is provided by removable and replaceable miniSD memory media. All data stored on this media is encrypted with Suite B algorithms, with high-performance encryption delivering data access at rates in excess of 20 MB per second. The co-resident Hydra PC authentication services mean that all data stored on the device is securely linked to the identity of its owner, which delivers strong, personal control of and accountability for all data stored on the device. An optional ID verifier sleeve fits over the USB flash drive for biometric (fingerprint) access control.

Similar in appearance (if not functionality) is the Saflink EntryPoint Standard Edition, which eliminates password inconvenience by using biometric authentication. It utilizes a 2GB USB 2.0 dedicated security device, client software, and USB tokens to provide security for Windows logon. There are several layers of security, including the inability to copy the USB drive. To connect the EntryPoint appliance to a domain, simply mount the appliance in a server rack and connect an Ethernet cable from the appliance to an Active Directory network. Once physically installed, administrators can run through the Initial Appliance Setup Web application to configure EntryPoint specifically for their Active Directory network.

Posted by Jon Erickson at 02:37 PM


June 12, 2006

Microsoft TechEd2006 Security Announcements


Microsoft has already made several announcements related to security at this week's TechEd 2006. Ted Kummert, vice president of Microsoft's Security, Access and Solutions Division (SASD), had this to say about the announcements.

Q: Can you give us a quick overview of the security product news being announced today?

Kummert: Today we are outlining our updated security product strategy and roadmap and announcing the new Microsoft Forefront brand, which will be rolled out with the next wave of our business security and secure access products across client, server, and network edge.

Q: Tell us about the next generation of Microsoft Forefront products.

Kummert: The first Microsoft Forefront products will be Forefront Client Security (formerly Microsoft Client Protection), scheduled for open beta in the fourth quarter of this year, and the next generation of our Antigen products. Forefront Security for Exchange Server and Forefront Security for SharePoint are timed to coincide with the upcoming Microsoft Exchange Server 2007 and Office 2007 launches. As Microsoft ISA Server continues to evolve, customers can also expect a Forefront version of our integrated edge security and access gateway. To provide customers with further choice and flexibility, Forefront products will be available as stand-alone solutions or as part of the Enterprise CAL suite, the Exchange Enterprise CAL suite, or an integrated security product suite.

Q: What are the key customer pain points Forefront products seek to address?

Kummert: Customers are facing a broader, more complex and diversely motivated threat landscape. Attacks are increasingly advanced, more carefully targeted and often aimed at specific applications. In protecting themselves from these threats, customers are faced with a vast array of solutions, each of which will protect a given point against a specific threat. However, implementing such a combined collection of security solutions can provoke configuration and integration difficulties, making it more costly and complex to manage, control and report on the security of their environment.

By equipping customers with the ability to effectively secure their environment and securely enable the access scenarios their businesses require, Forefront products will help them unlock the full business value of IT applications and infrastructure.

Q: Today you announced product news on Microsoft ISA Server 2006 and Forefront Client Security. How will these products add value to customers?

Kummert: Microsoft ISA Server 2006 is an integrated edge security gateway that helps protect IT environments from Internet-based threats while providing users with fast and secure remote access to applications and data. ISA Server addresses key customer needs in a number of increasingly prevalent business scenarios.

For Branch Office customers who need to connect to and secure branch offices while efficiently utilizing network bandwidth, the product provides HTTP compression, caching of content--including software updates--and site-to-site VPN capabilities integrated with application-layer filtering. To address the growing prevalence of Web-based threats, ISA Server also provides Web Access Protection with a hybrid proxy-firewall architecture, deep content inspection, granular policies, and comprehensive alerting and monitoring capabilities. Finally, for customers who require secure access to Microsoft Exchange, SharePoint and other Web applications from outside the corporate network, ISA Server 2006 offers Secure Application Publishing. This is a huge value add for companies with large remote workforces, companies like Northwest Airlines, who take advantage of ISA’s tight integration with Active Directory and Exchange to provide secure remote access to applications.

Microsoft Forefront Client Security (formerly Microsoft Client Protection) is currently in private beta, and feedback from this program has led us to make a number of enhancements to the product. One of the key challenges customers face when protecting desktops and laptops is that of controlling and managing the state of client security across the organization.

As a result of customer feedback, we have enhanced two key features designed to improve system manageability: the State Assessment Scan, which helps determine which machines need patches or are configured insecurely, and Single Profile Configuration, which simplifies security policy implementation across the organization. By simplifying the visibility and management of desktop and laptop security, we can enable IT administrators to better secure their environments, regardless of where those machines may be located. Microsoft Forefront Client Security will be available as a public beta in the fourth quarter of this year, and is expected to be broadly available in the second quarter of next year. Microsoft Forefront Client Security’s scanning engine and definition updates benefit from the malware data Microsoft collects from a number of sources, including our Malicious Software Removal Tool (MSRT). Today, we released a whitepaper detailing the malware threats we’ve detected and analyzed over the last 15 months through the MSRT.

Posted by Jon Erickson at 10:13 AM


June 09, 2006

Security R&D Plan Released


Cybersecurity? Don't worry, Uncle Sam is on it, at least according to a new plan recently released by the Interagency Working Group on Cyber Security and Information Assurance, under the direction of the National Science and Technology Council.

Entitled "Federal Plan for Cyber Security and Information Assurance Research and Development," the document outlines the R&D plans the Feds have to bolster future security technologies and capabilities.

Among the findings and recommendations the plan puts forth are:

  • Target Federal R&D investments to strategic cyber security and information assurance needs.
  • Focus on threats with the greatest potential impact, particularly in terms of increasing the overall security and information assurance of IT systems.
  • Make cyber security and information assurance R&D both an individual agency and an interagency budget priority.
  • Build in security from the beginning, by supporting fundamental R&D into inherently more secure next-generation technologies that will replace today’s insecure, patchwork infrastructure.
  • Develop and apply new methods and technologies for measuring IT component, network and system security.
  • Implement more effective coordination with the private sector, including improving communication and coordination with operators of both federal and private-sector critical infrastructures with shared interests.
  • Foster a broad partnership among government, the IT industry, researchers and private-sector users, including international partners, to develop, test and deploy a more secure next-generation Internet.

These (and other) general recommendations are based on technology trends identified by the report, including:

  • The increasing complexity of IT systems and networks, which present mounting security challenges for both developers and consumers.
  • The evolving nature of the telecommunications infrastructure, as the traditional phone system and IT networks converge into a more unified architecture.
  • The expanding wireless connectivity to individual computers and networks, which increases their exposure to attack. In hybrid or all-wireless network environments, the traditional defensive approach of “securing the perimeter” is not effective because it is increasingly difficult to determine the physical and logical boundaries of networks.
  • The increasing interconnectivity and accessibility of (and consequently, risk to) computer-based systems that are critical to the U.S. economy, including supply chain management systems, financial sector networks, and distributed control systems for factories and utilities.
  • The breadth and increasingly global nature of the IT supply chain, which will increase opportunities for subversion by adversaries, both foreign and domestic.

Specifically, the report suggested that the top technical and funding priorities for cyber security R&D include:

  • Authentication, authorization, and trust management
  • Access control and privilege management
  • Attack protection, prevention, and preemption
  • Wireless security
  • Software testing and assessment tools

Other technical priorities include:

  • Large-scale cyber situational awareness
  • Secure process control systems
  • Security of converged networks and heterogeneous traffic
  • Detection of vulnerabilities and malicious code


Posted by Jon Erickson at 08:28 AM


June 07, 2006

New Variant of Briz Trojan Reported


PandaLabs has detected a data theft scam using the new I variant of the Briz Trojan, Briz.I. According to data obtained by PandaLabs from the page the attackers used to control the network, some 2700 computers spread across more than 120 countries were infected.

The creator (or creators) of this newly uncovered network have been distributing Briz.I from certain web pages, mostly related to illegal or pornographic content. PandaLabs is working alongside other security companies to identify and close down each of the websites related to this network and prevent the threat from spreading.

The emergence of Briz.I could be the consequence of the scam for creating and selling customised versions of Briz, recently discovered by PandaLabs. According to Luis Corrons, director of PandaLabs:

It is possible that the creator of the original Trojan has decided to profit directly using the same Trojans that were sold before; alternatively, Briz.I could be a new version of one of the examples that was sold while the previous scam was still in operation.

Briz.I infiltrates infected systems under the name "iexplore.exe", simulating an Internet Explorer process. Once on the system, it downloads a file that sends information (including the IP address or country of the infected computer) to the attacker’s website. Another of its components integrates into Internet Explorer, capturing all information entered by users in online forms, such as e-mail passwords or details for entering online banking services. This malware allows the computer to be used as a gateway for connecting to other pages and masking the identity of the attacker, who can also remotely access files on the local computer.

Briz.I is specifically designed to go unnoticed by both users and security companies. It does this by covering its tracks once each of the components has carried out the task. It also modifies the "hosts" file in Windows to prevent users from accessing web pages of security companies and it disables the Windows firewall.
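The hosts-file tampering described above is one of the easier Briz.I behaviours to check for from the defender's side: any hosts entry that overrides a security vendor's or update server's name is a red flag, whether it is sinkholed to loopback or redirected somewhere else. The script below is an added example written for this post, not PandaLabs' or the original author's code. The watch-list of domains, the sample hosts content, and the tampered entries in it are all constructed for illustration.

```python
"""Flag hosts-file entries that hijack security-vendor or update-server names.

Added defensive example; not code from the Briz.I write-up or from PandaLabs.
The watch-list and the sample hosts text below are constructed.
"""
import ipaddress

# Constructed watch-list: names an infected machine should still be able to
# resolve normally. A real deployment would list its own AV/update hosts.
WATCHED_DOMAINS = {
    "antivirus-vendor.example",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
}

# Addresses that effectively black-hole a name when placed in a hosts file.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample of a tampered hosts file (the first two entries are the
# normal Windows defaults; the rest are the kind of lines the post describes).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed tampered entries below
127.0.0.1       antivirus-vendor.example www.antivirus-vendor.example
0.0.0.0         windowsupdate.microsoft.com
192.0.2.10      update.microsoft.com   # TEST-NET address, constructed
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments
    and lines that do not start with a syntactically valid IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield parts[0], host.lower()


def matches_watchlist(host):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious_entries(text):
    """Return (ip, host, reason) for every hosts entry overriding a watched name.

    Sinkholed entries (loopback/null address) block the site outright, as the
    post describes; any other address silently redirects the name and is
    arguably worse, so both kinds are reported with a distinguishing reason."""
    findings = []
    for ip, host in parse_hosts(text):
        if not matches_watchlist(host):
            continue
        if ip in SINKHOLE_ADDRESSES:
            reason = "sinkholed to loopback/null address"
        else:
            reason = "redirected to non-sinkhole address"
        findings.append((ip, host, reason))
    return findings


def main():
    # On a live Windows system you would read
    # %SystemRoot%\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.
    for ip, host, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"{host:40s} -> {ip:15s} ({reason})")


if __name__ == "__main__":
    main()
```

Run on the constructed sample it reports four overridden names: three sinkholed and one redirected. Because the check is purely a file parse, it can run from a scheduled task or a logon script without touching the suspect process, which matters when the malware is also disabling the firewall and cleaning up after itself.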

Posted by Jon Erickson at 11:17 AM


June 06, 2006

Security Report Looks at Wireless


According to a recent research report commissioned by RSA Security, the number of wireless networks in some of the world's major financial centres continues to rise at an explosive rate.

The largest year-on-year rise was discovered in London, where there are 57% more wireless network access points today than in 2005. The percentage increase in New York was an impressive 20%. In Paris, the increase from 2004 to 2006 was 119%. It comes as no surprise that encryption of wireless networks is also on the increase:

  • London WEP usage rose from 65% in 2005 to 74% in 2006
  • New York WEP usage rose from 62% in 2005 to 75% in 2006
  • Paris has the highest levels of encryption at 78%, an increase on 2004's figure of 69%

That's the good news. On the flip side:

  • London has 26% of its business networks unsecured
  • New York has 25%
  • Paris has 22% of its business networks unsecured

In terms of the number of wireless networks still configured with default network settings, which makes it easier for intruders to find ways to penetrate networks:

  • London has 22% of access points still using default settings
  • New York has 28% of access points using default settings
  • Paris has 21% of access points still using default settings

The number of wireless hotspots continues to rise in some of the world's major financial districts. Last year's research detected 210 wireless hotspots on the London route; by 2006 this figure had risen to 364--a year on year increase of 73%. In New York, the annual growth rate was 15%, and almost 20% of all wireless access points were found to be hotspots. In Paris, only 68 wireless hotspots, equalling 12% of all access points, were discovered.

Although the purpose of the research was not to look for rogue hotspots--temporary wireless access points designed to look like the genuine article to capture users' confidential information--they do present a potential security issue to which business and consumers should be alert. For example, Capgemini UK has built a test system on a laptop which emulates a commonly seen hotspot. In its own private tests the company has observed devices connecting to this sample rogue hotspot, presumably because they have been unable to distinguish it from the real thing.

Posted by Jon Erickson at 03:22 PM


June 01, 2006

EC Security Report Released


The European Commission has released a report entitled "A Strategy for a Secure Information Society: Dialogue, Partnership and Empowerment" which calls for more education on IT security, and a common framework for collecting incident data.

According to Darkreading's Tim Wilson, the EC states in the report that European spending on IT security "represents only around 5 to 13 percent of IT expenditure, which is alarmingly low." The commission calls for a cross-border effort to educate users about security and to unify disjointed national efforts to track exploits.

The report calls for the EC's European Network and Information Security Agency (ENISA) "to study the feasibility of a European information sharing and alert system to facilitate effective responses to existing and emerging threats to electronic networks." Such a system would require the creation of a multilingual EU portal to provide detailed information on threats, risks, and alerts, the commission said.

The EC also proposes to benchmark security-related policies and practices among its member nations, "to help identify the most effective practices so they can be deployed wherever possible on a broader basis throughout the EU." The commission also proposed a cross-border effort to educate users on security practices.

Another proposal calls for businesses, users and government agencies to hold a "multi-stakeholder debate" on the balance between security and privacy, including the implications of RFID technology on end user privacy. The commission plans to hold a business "event" to stimulate the development of "a culture of security in industry."

"The nature of the threat is changing, and so must our response," said Viviane Reding, the EC's Information Society and Media Commissioner, in a statement. "In the past, hackers were motivated by a desire to show off. Today, many threats come from criminal activities and are motivated by profit. What we need is a renewed strategy."

The EC is scheduled to make a report to the European Union Council and Parliament in the middle of next year to gauge its progress on the proposed activities.

Posted by Jon Erickson at 11:19 AM


