SecurityPro

IT Management Begins With Security
Breaking news and updates in Internet security

Skype Scrambles After Breach And Censorship Revelations

Fri, 2008-10-24 10:12
American companies operating in China have what might be considered a tradition of getting in trouble over privacy and censorship, and Skype, the Internet communications company, is the latest to encounter hot water. Its president has done his best to explain the situation.

As Josh Silverman wrote, "In China, TOM is the majority local partner in our joint venture that brings Skype functionality to Chinese citizens." Skype - and anyone who bothered to listen to an old announcement - has known for some time that TOM obeyed Chinese laws requiring them to block messages containing certain terms.

The problems began when it turned out that TOM stored the messages; there is a real concern about whether government authorities have seen them. What's more, a security breach may have exposed the messages to all sorts of other people.

Silverman wrote, "We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach. In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with TOM."

Still, Skype's reputation has taken a big hit due to these developments, and we may see the security and censorship issues have a similar effect on the eBay property's growth.

Categories: News

Defense Companies Hit By Malicious Code

Fri, 2008-10-24 10:12
Some security stories relate to fairly harmless issues, but this one might go well beyond "whoops." It seems that LIGNex1 and Hyundai Heavy Industries, two Korean companies that construct things for the military, have had malicious code planted within their computer systems.

So you know the (potential) scale of the problem: LIGNex1 deals with missiles, radar, and communications systems. Hyundai Heavy Industries is the world's largest shipbuilder. And it was the National Security Research Institute that found the malicious code. This sounds like the start of some near-apocalypse novel by Tom Clancy, right?

As for who planted the code, how they did it, and what files were affected, details are scarce right now. Chalk it up to government secrecy or (and this is a slightly scarier possibility) genuine ignorance at that level.

Anyway, as reported by SC Magazine UK, a National Security Research Institute representative said, "The research institute suspects the culprits are Chinese or North Korean hackers but doesn't know specifically what information they stole. In the worst case, the blueprints of missiles and Aegis ship could have been stolen."

There are a few silver linings and good signs in all of this, however. One came as the spokesperson acknowledged, "It's shocking that our major defense industries are open to attacks from hackers and that our missiles are vulnerable to theft by cyber terrorists. A general review of our cyber security system is needed."

And in all honesty, having the blueprints to something doesn't necessarily mean that a person or country can build it. There are matters of resources and skill to consider, even as spy satellites presumably keep an eye on large factories and shipbuilding facilities.

Finally, at least the blueprint secrets were (maybe) stolen from companies connected to a close ally like South Korea, rather than from a government less willing to cooperate with the U.S.

So, assuming we aren't all soon destroyed in either an economic or military sense, things at Korean defense companies may be better in the long term. And hopefully defense corporations located elsewhere in the world will also learn from this development.

Categories: News

After Airport Stop, Kevin Mitnick Shares Travel Tips

Fri, 2008-10-24 10:12
The next time you have to take off your shoes and belt at an airport, keep in mind that things could be much worse. You might get detained and questioned for four hours, for example, which is something hacker-turned-security-consultant Kevin Mitnick recently experienced on a return trip from Colombia.

People and companies needn't worry too much that Mitnick's fallen back to the proverbial dark side; accusations weren't really made, and charges were never brought. As told by Elinor Mills, his detainment instead seems like a cautionary tale about wrongful accusations and the defensive measures traveling computer owners should take.

Mills writes, "Agents from the Immigrations Customs Enforcement arrived to question him. They asked why he was in Atlanta and he told them; he was there to moderate a panel at a security conference sponsored by the American Society for Industrial Security. Asked for proof, he fired up a laptop to show them the itinerary in his e-mail. But when he clicked 'yes' to have Firefox clear his private data--an automatic response to a default setting--the agents snatched the laptop away from him, thinking he was deleting evidence."

So be careful about every click and keystroke, for one thing. Otherwise, "To protect his privacy and that of his clients, Mitnick encrypts all the confidential data on his laptops, transmits it over the Internet for storage on servers in the U.S., and wipes it from the computer before returning from any international trips, just in case officials decide to search or seize his equipment. He also encrypts his hard drive. And now, he says he is going to keep a 'clone' of his MacBook at home so he will have an exact duplicate of it if it is ever seized."

Depending on what sort of stuff you keep on your computers - and whether or not laws about laptop searches are changed - these steps may be worth imitating. The average business traveler isn't as likely to get stopped as Kevin Mitnick, of course, but the story seemed worth relating.

Categories: News

Oracle WebLogic Hit With Zero-Day Exploit

Fri, 2008-10-24 10:12
Oracle issued a workaround as news circulated of a remotely exploitable flaw in the WebLogic platform that requires no authentication.

Both the WebLogic Server and WebLogic Express products, acquired by Oracle when the company purchased BEA, suffer from the newly disclosed vulnerability.

SANS Internet Storm Center said the problem stems from the Apache Connector used by the products. A WebLogic advisory noted the flaw could be exploited without authentication.

Sites using Apache servers that are already configured with the mod_security module are protected from this vulnerability by the default core ruleset, according to the advisory. Using mod_security with the WebLogic plug-in for Apache serves as one workaround suggested by Oracle.

The other workaround calls for an edit to httpd.conf and a restart:

It is possible to configure Apache and avert this vulnerability by rejecting certain invalid requests. To do so, add the following parameter to the httpd.conf file and restart Apache:

LimitRequestLine 4000

See: Apache LimitRequestLine documentation for more information

Note: This parameter limits the maximum URL length to less than 4000 bytes.
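The advisory tells you which directive to set but not how to confirm it took effect. The following is an added example, not code from the Oracle advisory or SANS: a small Python probe that sends one request whose request line is longer than the 4000-byte cap and one of normal length, and expects Apache itself to answer the oversized one with 414 (Request-URI Too Large) instead of passing it on to the WebLogic plug-in. The host name and path prefix are placeholders; run it only against servers you are authorised to test.

```python
"""Check whether an Apache front end enforces the LimitRequestLine workaround.

Added example, not code from the Oracle advisory or SANS. The host name and
path prefix are placeholders.
"""
import socket
import sys
from typing import Optional

LIMIT = 4000  # LimitRequestLine value from the advisory


def build_request(host: str, request_line_len: int, path_prefix: str = "/app/") -> bytes:
    """Return a raw HTTP/1.0 GET whose request line is exactly request_line_len bytes.

    The request line is "GET <path> HTTP/1.0"; the path is padded with 'A's so
    the line (excluding CRLF) reaches the requested length.
    """
    fixed = len("GET ") + len(" HTTP/1.0")
    pad = request_line_len - fixed - len(path_prefix)
    if pad < 0:
        raise ValueError("request_line_len too small for the given path prefix")
    request_line = f"GET {path_prefix}{'A' * pad} HTTP/1.0"
    headers = f"Host: {host}\r\nConnection: close\r\n\r\n"
    return (request_line + "\r\n" + headers).encode("ascii")


def parse_status(response: bytes) -> Optional[int]:
    """Extract the HTTP status code from a raw response, or None if unparseable."""
    first_line = response.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def verdict(status_oversized: Optional[int], status_normal: Optional[int]) -> str:
    """Combine the two probes: the normal request must be answered (anything but
    414) and the oversized one must be rejected with 414 by Apache."""
    if status_oversized == 414 and status_normal not in (None, 414):
        return "limit enforced"
    if status_oversized is None:
        return "no parseable response to oversized request (connection dropped?)"
    return "limit NOT enforced: oversized request line was accepted"


def _exchange(host: str, port: int, req: bytes, timeout: float) -> Optional[int]:
    """Send one request and return the parsed status code (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(req)
        data = b""
        while len(data) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_status(data)


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Live check: one request 1000 bytes over the limit, one well under it."""
    oversized = _exchange(host, port, build_request(host, LIMIT + 1000), timeout)
    normal = _exchange(host, port, build_request(host, 200), timeout)
    return verdict(oversized, normal)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "weblogic-frontend.example"
    print(probe(target))
```

A 414 shows only that Apache cut the request line off before it reached the plug-in; it says nothing about whether the plug-in itself has been patched, so treat this as a check that the workaround is live, not as proof the flaw is gone. Because LimitRequestLine counts the method and protocol token as well as the URL, the longest URL that still passes is a little under 4000 bytes, which is what the advisory's note means.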
IBM X-Force characterized the problem as a stack-based buffer overflow. ZDNet noted Oracle has disclosed 112 vulnerabilities in its products in 2008.

The zero-day nature of the flaw's disclosure and the lack of any authentication requirement make it likely an active exploit will emerge. Web application servers like WebLogic regularly provide functionality to sites where financial details pass between visitors and the business.

As such information holds great appeal for criminals, applying a workaround quickly should be a priority for security pros.

Categories: News

Metasploit's Moore Sapped Via DNS Flaw

Fri, 2008-10-24 10:12
The same critical DNS issue that HD Moore and his associates raced to include in their security testing toolkit, the Metasploit Project, bounced back against the noteworthy security researcher.

Security pros and other techies who see the boundary-pushing actions of Moore and Metasploit as more of a hindrance than a help to security may have enjoyed the schadenfreude surrounding Moore today.

Moore detailed what happened on a blog post at Metasploit. The incident hit an AT&T DNS cache server; the affected machine coincidentally served "as an upstream forwarder for an internal DNS machine at BreakingPoint Systems," which is Moore's company.

"This attack affected anyone in the Austin, Texas region using that AT&T Internet Services (previously SBC) DNS server. The attack itself was not malicious, did not load malware, and from an operational standpoint, had zero impact," said Moore.

Employees at his company noticed problems when the cache-poisoned DNS machine at AT&T returned a 404 error when they tried to reach a particular Google page, a personalized iGoogle one. The phony server "was returning four iframes, one of which showed a fake version of the Google web site, the other three loaded automated ad-clickers from three other compromised servers."

Anyone who has yet to fix DNS machines with the patch that has been widely available since early July needs to take the problem seriously. Within telco giant AT&T, someone did not, and inadvertently demonstrated how rapidly a vulnerable system will see exploit attempts.

Some of those attacks may even succeed, and it only takes one to pose at least an annoyance, at most a critical data loss threat, to Internet users.

Categories: News

Regulatory Compliance and the Real Risk of Undetected Malware

Fri, 2008-10-24 10:12
With the emergence of regulatory laws borne out of experience from a variety of embarrassing security breaches, today's corporate leaders face a myriad of repercussions.

These range from serious fines to jail time when found not in compliance with regulations such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), and Payment Card Industry (PCI), etc.

These regulations are designed to protect the privacy of individuals and to ensure the proper internal controls are in place to maintain confidentiality and integrity of sensitive information.

For example, Section 404 of the Sarbanes-Oxley Act mandates that any publicly traded corporation maintain adequate internal controls, ranging from proper financial reporting to the protection of critical assets. This includes designing controls around the premise of protecting consumer data from an information security perspective.

Normally, these controls are defined and established through a risk analysis that identifies potential threats and weaknesses. A policy framework developed from that analysis ultimately drives the definition of what is considered "adequate" controls.

However, in 2007 the industry suffered a record-breaking loss of information stemming from data security breaches ranging from stolen laptops to hijacked advertising. This was exemplified in the highly publicized Monster.com attack. According to an article in CIO Magazine, a Trojan stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc.'s job search service.

Despite established security policy, these breaches led to public dismay and a loss of consumer confidence. Take for example the TJX (parent of TJ Maxx) incident that exposed 45.7 million credit card numbers, according to details in a filing with the Securities and Exchange Commission last year. The breach eventually cost the retailer millions of dollars in both hard costs and lost stock value.

These incidents raise several interesting questions. Were these security breaches a result of undetected malware, perhaps a targeted attack orchestrated by a foreign hacker group? This certainly appears to be the case as more and more targeted attacks are involving malware of some shape or form. Take for example the recent incident with popular supermarket chain Hannaford. Why did the internal controls established according to company policy fail to protect assets from being compromised? And what are the real risks and implications of undetected malware as it pertains to regulatory compliance?

These are all good questions, especially given the changing crimeware landscape and its evolution from curiosity to financial gain. Not surprisingly, this trend has a considerable part to do with the dramatic increase in information exposure in 2007.

According to the PandaLabs 2007 Annual Report, a majority of identity theft and financial fraud incidents in 2007 were related to Banker Trojans that infected individual consumers, thus, stealing credentials and other personal information that could be used to gain profit.

Furthermore, to put this into perspective, we are more at risk than we were a few years ago, when the primary concern was the prevention of network worms that caused data destruction.

In that day and age, controls were designed around the need to ensure the integrity and availability of information assets. CIOs and IT Managers designed and implemented systems that had the primary goal of ensuring that their users had access to information. At that time security was a secondary concern in this scenario, because the threats were different and much less sophisticated.

Today we face a new breed of threats with different motives: financial gain through targeted attacks. In fact targeted attacks in 2007 showed a marked increase over previous years with respect to online fraud.

The mentality of CIOs and IT Managers has shifted to a security focused mind-set, especially with the advent of recent high-profile security breaches. What's alarming is the rate at which malware is developed and released to infect victims on a daily basis. In a 2007 report published by Panda Research, entitled "From Traditional Antivirus to Collective Intelligence," PandaLabs saw over 4000 new strains per day last year.

This is compounded by the inability of security vendors to respond to an ever-increasing rate of new malware strains, which means the anti-virus industry is not really protecting its customers. Signatures are generated on the basis of what the vendor considers a threat, so traditional AV products may not reflect what is actually circulating. The result is a literal denial of service against vendor resources.

Therefore, a large number of malware currently circulates the Internet undetected, thus, resulting in a large number of companies infected despite having up-to-date security solutions.

The rapid pace at which cyber criminals seed the industry with new threats contributes to the failure of technical safeguards, putting the corporation at risk of violating regulatory standards, which could ultimately lead to serious consequences if sensitive information is leaked.

For example, in a health care organization one undetected Trojan could make a case for a serious risk of violating the HIPAA Security Rule's access control standard, §164.312(a)(1), which requires covered entities to "implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4) [Information Access Management]".

A False Sense of Security - Audit and Assessment Standards

When doing a security audit to ensure that adequate controls are in place from an information security perspective, the auditor is normally looking at whether the corporation is in adherence to a defined policy. Furthermore, a security audit encompasses some of the following questions:

- Are passwords difficult to break?

- Are computers up-to-date with the latest security patches?

- Do any vulnerabilities exist in the operating system or applications installed?

- Are there Access Control Lists (ACLs) implemented on shared resources to control access to them?

- Have unnecessary services or applications been removed from computers that could potentially expose the resource?

- Are computers regularly scanned for malware?

The missing element in a security audit, however, is assessing for sophisticated active threats (e.g. kernel-mode rootkits, stealth Trojans, keyloggers, etc.). The current assessment tools and verification methodologies used to validate controls rely mostly on identifying weaknesses or potential risk to assets; for example, a vulnerability scan or a timely penetration test will tell the auditor of potential avenues for attack. But the number one question to ask is: are assets already compromised with undetected malware?

There are a wide range of technical safeguards that can be implemented to significantly reduce potential exposure and the organization's overall risk, however hackers have devised ways to circumvent these. For example the most common infection vector is via the web through malware laced web-sites that have been compromised and altered in some way, shape or form. Therefore, a majority of malware (if not detected via signatures or proactively by other technologies) will simply evade perimeter defenses (firewalls, network intrusion prevention, etc.) and make its way to the end-point, especially if it is "targeted" in nature, and with a limited number of hosts designated to be infected.

There are certainly other ways to reduce risk. For example, corporations can implement a policy that limits the administrative access a user has to his or her own PC and other resources on the network. While this reduces the overall risk of unauthorized access, it is not the final solution as hackers tend to abuse system privileges (going around established ACLs) by exploiting applications and other flaws in the operating system.

Proactive defenses such as Host-based Intrusion Prevention Systems (HIPS) can substantially raise the bar in terms of detection, to anywhere between 80 and 90 percent (source: "From Traditional Antivirus to Collective Intelligence," Panda Research, 2007). With malware 1.0 this model was acceptable, but at the rate and volume at which new threats emerge daily, hundreds or even thousands of threats can be missed over time.

Public companies that must adhere to regulatory laws, must also adopt better internal controls to ensure that hidden infection points are discovered and removed before any exposure occurs. Better yet, modern assessments must take into consideration the possibility of assets already compromised by hidden and undetected malware.

Summary

Regulatory compliance is an interesting but challenging topic that every public corporation, no matter its size or shape, is ultimately affected by. Organizations must evolve their security best practices to include better assessment methodologies that take into consideration crimeware innovations and available technologies that not only assess weaknesses but also locate active, unnoticed infection points.

Categories: News

From Traditional Anti-Virus to Security-as-a-Service

Fri, 2008-10-24 10:12
Over the past five years, the anti-virus market has experienced tremendous growth as many new technologies have emerged in response to current conditions.

What was once a market consisting of very few players has evolved into a multi-billion dollar enterprise consisting of dozens of companies with huge assortment of anti-virus products varying in focus and quality.

According to analysts, the global anti-virus market is forecasted to surpass $58 billion by 2010 with the introduction of new technologies in the areas of data loss prevention, virtualization security, security-as-a-service and many others.

Despite this growth, the technology behind anti-virus today is highly inefficient when it comes to protecting against modernized threats. This is fueled by the fact that vendors simply can't keep up with all of the new malware surfacing each and every day. The situation has created a breakdown in the quality and effectiveness of their underlying core technology. [1]

This problem is evident in today's high-profile security incidents. According to the Identity Theft Resource Center (an organization that tracks incidents relating to exposure of confidential information), the number of recorded breaches more than doubled in the first quarter of 2008. [2]

This problem is even more visible when you take into account the current application delivery model employed by various end-point technologies today.

This agent-based delivery model introduces several challenges, not only on the side of administration, management and ease of use, but to the degree necessary to provide an adequate level of protection against zero-day, zero-hour, and zero-minute threats.

This traditional model has the following characteristics:

· Upgrades require time and effort to implement, leaving a dangerous window of opportunity to become infected. This problem is amplified if the upgrade includes engine revisions to detect new strains of malware.

· Enterprise protection suites require deployment of a dedicated management infrastructure that in some cases will require additional hardware.

· Some end-point protection suites that use a policy-driven system are particularly complex to manage and maintain, so the total cost of ownership increases over time.

· Anti-malware intelligence has traditionally resided on the end-point, thus, the trade-off between security and resource consumption has always been a challenge.

· The memory and CPU foot-print is directly proportional to the size of the signature file. Therefore, the growth of new threats will ultimately affect the user's experience.

· On average, the foot-print for leading products is anywhere from 100MB to 150MB, depending on the modules enabled (i.e. firewall, anti-virus, anti-spam, host intrusion prevention, etc).

· Most end-point products on the market today have a very narrow, short sighted view of the threat-landscape and do not provide protection for all malware currently in circulation and affecting users.

· Nodes do not share intelligence amongst themselves, thus, reducing the overall efficiency to detect and prevent against targeted attacks.

When we examine this security model further, the small and medium size business (SMB) market will be affected the most. The traditional anti-virus model introduces significant challenges for SMBs who have tight budgets for security. This is especially true as they often do not have the expertise or resources in-house to manage and administer complex anti-malware solutions.

The best alternative that an SMB can take when it comes to security is out-sourcing their services to a hosted infrastructure and/or adopting a Security-as-a-Service model. This helps reduce complexity and time to market when implementing new security technologies and will not require a high degree of skill to maintain the solution.

Security-as-a-Service builds on the concept known as Software-as-a-Service, or SaaS. SaaS changes the way applications are delivered to customers by hosting them "in the cloud" and providing a web interface to interact with them. Previously, software had to be installed directly on the user's system and managed inside the business or remotely controlled by an outside service provider.

Customers of a SaaS solution benefit from real-time, up-to-the-minute content provided continuously through a subscription model. This allows companies, their IT consultants, managed service providers or value-added resellers to manage protection against malware more efficiently, freeing up time and resources to stay focused on the business.

In conclusion, the SaaS model offers an alternative approach to the way that end-point security is delivered today. Since 2008 and 2009 will certainly focus on consolidation (anti-virus, data leakage prevention, end-point encryption, etc), it is essential that SaaS be adopted as an industry standard in end-point security protecting businesses from the SMB to the very large enterprise.

[1] PandaLabs Research Study 2007: http://research.pandasecurity.com/archive/Think-you_2700_re-protected_3F00_-Think-again.aspx

[2] Identity Theft Resource Center, Breach List 2008 Q1: http://www.idtheftcenter.org/artman2/publish/m_press/Breach_List_2008_Q1.shtml


Categories: News

Don't Overlook the Online Channel: Combating Multi-Channel Fraud at the Source

Fri, 2008-10-24 10:12
The latest threat to online banking accounts involves fraudsters using multi-step schemes that involve different interaction points with financial institutions.

Cyber-criminals commit this multi-channel fraud by first breaching an account via the online channel to steal valuable information such as account balances, check images, or signature blocks, in order to commit wire, check and other types of offline fraud that never gets linked to the original breach online.

Unfortunately, the online channel's role in these schemes is often overlooked. This is precisely what makes this kind of fraud so effective - and hard to catch. Financial institutions only register the final transaction fraud, and cannot account for the original breach, which often occurs in the online channel. Add this to the fact that consumers don't know it is happening, and the fraudsters have a perfect opportunity to continuously get away with this crime.

Case in point is what happened recently to a leading financial institution that serves tens of thousands of customers daily. Despite aggressive efforts to safeguard its online environment, fraudsters pulled off a startling multi-channel fraud scheme.

Here's how the fraud scheme worked:

1. The fraudster called the institution's customer service number and, using social engineering techniques, reset the online account password and contact phone number.

2. The fraudster accessed the online account, learned more about the customer's online activities, and downloaded check images containing the customer's signature.

3. The fraudster then called on a separate institution using the stolen information to open a new account in the victim's name.

4. A wire transfer was arranged to empty the victimized account and credit the new account at institution #2. Because the names on the accounts were the same and the fraudster had provided a phone number under his/her control and a valid signature, an offline verification of the transfer by phone, as a second means of identification, passed and was authorized.

5. The fraudster withdrew the loot piecemeal, visiting separate branches in a state different from the victim's.

Legacy Fraud Detection Methods Blind to Online Activity

When fraudsters use schemes involving multiple interactions with different touch-points across an institution, they aren't caught because the precursor online channel breach is often overlooked.

Common industry practice registers the final fraud transaction as the breach point, and case forensics, working with limited resources, cannot trace the original breach back to the online channel. When the online channel is accessed only for reconnaissance, it records no "transaction" for detection. This is precisely what makes multi-channel fraud so effective and so hard to catch. Moreover, how should the previous example be classified? Is such a loss wire fraud, check fraud, or simply "online account fraud"?

A next-generation approach to online fraud prevention is needed if we are to continue to inspire customer confidence in the online channel. According to Javelin Research's 2007 Identity Fraud Survey Report, it takes an average of 60 days for consumers to even detect that fraud has occurred. This leaves fraudsters with a perfect opportunity to commit successful multi-channel fraud crimes if financial services providers don't take pre-emptive steps to protect both their customers and their bottom line. New best practices and back-end technologies that focus on online behavior can better isolate and prevent multi-channel fraud at the source.

Modeling Individual Account Behavior Stops Fraud at Its Source

An emergent best practice is to employ predictive models of individual customer online behavior to detect when the "customer" logging in isn't who they say they are, even if they pass authentication. Beyond simple machine signature technology, user profiling technologies rely on trended analysis of behavior account by account. They start by understanding what "normal" behavior is for each individual customer - and admit that there is no single pattern of "normal" behavior to write an anti-fraud rule against.

Dynamic, model-based analysis of account activity "does the math", piecing together signals that by themselves may seem like weak indicators of fraud until a powerful pattern emerges. Behavior that deviates from what is expected becomes suspicious; the greater the deviation, the deeper the suspicion. This comprehensive analysis allows for more granular risk scoring and better correlation with offline activity patterns. A byproduct of this behavioral analysis is a rich history of online activity that aids investigation and forensics.
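Here is what that approach looks like in code, as an added example that is not part of the original article or any vendor's product. It learns a per-account baseline from constructed session history, scores a new session by a weighted sum of its deviations from that baseline, and folds in the call-centre password reset from step 1 of the scheme above as a cross-channel signal. Account names, weights, the alert threshold and all session data are constructed assumptions.

```python
"""Per-account behavioural risk scoring for online banking sessions.

Added example, not code from the original article or any vendor product.
All session data, weights and thresholds are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Session:
    account: str
    ts: datetime
    device: str       # hashed device/browser fingerprint
    net: str          # coarse network origin, e.g. ASN or /16
    actions: Counter  # action name -> count performed in the session


@dataclass
class Baseline:
    """What has been seen before for one account."""
    devices: Counter = field(default_factory=Counter)
    nets: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    actions: Counter = field(default_factory=Counter)
    sessions: int = 0

    def learn(self, s: Session) -> None:
        self.devices[s.device] += 1
        self.nets[s.net] += 1
        self.hours[s.ts.hour] += 1
        self.actions.update(s.actions)
        self.sessions += 1

    def fraction(self, counter: Counter, key) -> float:
        """Share of past sessions in which `key` occurred (0.0 if never)."""
        return counter[key] / self.sessions if self.sessions else 0.0


# Illustrative weights; a production model would fit these to labelled history.
WEIGHTS = {
    "new_device": 2.0,
    "new_network": 1.5,
    "odd_hour": 1.0,
    "rare_action": 1.5,              # action this account has never performed
    "action_volume": 2.0,            # far more of an action than usual
    "recent_credential_reset": 3.0,  # cross-channel: call-centre reset just before
}
ALERT_THRESHOLD = 5.0


def score_session(b: Baseline, s: Session, resets: List[datetime],
                  window: timedelta = timedelta(days=3)) -> Dict[str, float]:
    """Return the deviation signals that fired, each with its weight."""
    reasons: Dict[str, float] = {}
    if b.sessions == 0:
        reasons["no_baseline"] = 1.0
        return reasons
    if b.fraction(b.devices, s.device) == 0.0:
        reasons["new_device"] = WEIGHTS["new_device"]
    if b.fraction(b.nets, s.net) == 0.0:
        reasons["new_network"] = WEIGHTS["new_network"]
    if b.fraction(b.hours, s.ts.hour) < 0.05:
        reasons["odd_hour"] = WEIGHTS["odd_hour"]
    for action, n in s.actions.items():
        mean = b.actions[action] / b.sessions
        if mean == 0.0:
            reasons[f"rare_action:{action}"] = WEIGHTS["rare_action"]
        elif n > 3 * mean + 1:
            reasons[f"action_volume:{action}"] = WEIGHTS["action_volume"]
    if any(timedelta(0) <= s.ts - r <= window for r in resets):
        reasons["recent_credential_reset"] = WEIGHTS["recent_credential_reset"]
    return reasons


def risk(reasons: Dict[str, float]) -> float:
    return sum(reasons.values())


def classify(score: float) -> str:
    return "alert" if score >= ALERT_THRESHOLD else "ok"


def constructed_history(account: str, start: datetime, n: int = 40) -> List[Session]:
    """Constructed sample: evening logins from one device, mostly balance checks."""
    history = []
    for i in range(n):
        acts = Counter({"view_balance": 1})
        if i % 4 == 0:
            acts["pay_bill"] = 1
        if i % 20 == 5:  # two check-image downloads in 40 sessions
            acts["download_check_image"] = 1
        history.append(Session(account, start + timedelta(days=i, hours=19 + i % 3),
                               "dev-A", "net-home", acts))
    return history


def demo() -> Dict[str, float]:
    """Score a genuine session and the scheme described above against one baseline."""
    b = Baseline()
    for s in constructed_history("acct-1001", datetime(2008, 8, 1)):
        b.learn(s)
    # Step 1 of the scheme: password and contact phone reset via the call centre.
    resets = [datetime(2008, 9, 20, 14, 30)]
    genuine = Session("acct-1001", datetime(2008, 9, 21, 20, 5), "dev-A", "net-home",
                      Counter({"view_balance": 1}))
    # Step 2: new device and network, 3 a.m., bulk download of check images.
    fraud = Session("acct-1001", datetime(2008, 9, 22, 3, 12), "dev-Z", "net-unknown",
                    Counter({"view_balance": 1, "download_check_image": 12}))
    return {"genuine": risk(score_session(b, genuine, resets)),
            "fraud": risk(score_session(b, fraud, resets))}


if __name__ == "__main__":
    for label, score in demo().items():
        print(f"{label}: score={score} -> {classify(score)}")
```

In the demo the genuine login the day after the reset scores 3.0 (the reset alone is a weak signal and stays under the threshold), while the fraud session scores 9.5 because the new device, unfamiliar network, unusual hour, bulk check-image download and recent reset all fire together; none of them would justify blocking on its own. Legitimate change (a new laptop, travel) raises scores too, so the output belongs in step-up verification or analyst review rather than a hard block.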

Using these techniques, institutions can identify the fraudster through alerts on online activity outside the customer's predicted behavior. Deploying strong analytics at the source, the online channel, gives institutions the chance to shut down an attack before any money moves.

Categories: News

Storm Botnet Subsides

Fri, 2008-10-24 10:12
Something new may be on tap to replace Storm as the big botnet pest, as its size decreased substantially in April.

Efforts to clean up the Storm botnet drove it down to 5 percent of its original size in April. This puts current estimates of Storm-botnetted machines at around 100,000 machines.

Security vendor MessageLabs said ongoing efforts associated with new Storm cleanup tools purged the malware from infected computers. Some estimates put Storm's botnet at 2 million machines before the big purge took place.

"April was a month of unpredictability, Mark Sunner, Chief Security Analyst at MessageLabs, said in a statement. Storm's decline happened while incidents of attacks escalated.

MessageLabs claimed to observe 70 targeted spam attacks with Trojans per day in April. The upcoming Beijing Olympics persists as a major factor in such spam, with Olympics-related subject lines common for those attacks.

An old spam standby received a bit of a makeover, MessageLabs noted. Criminals are creating fake profiles on business networking sites like LinkedIn to lend credence to the typical 419 scam. They direct recipients to check out their "credentials" on the site to assure them they are dealing with a real person and not some common criminal.

Categories: News

eBay Has Its Romanian Hacker

Fri, 2008-10-24 10:12
An arrest in Budapest turned up one Vlad Constantin Duiculescu, aka Vladuz, a thorn in the side of the online marketplace.

A business deal turned out to be a sting, and Vladuz took a deep wound from it. His time roaming around eBay's forums using pilfered credentials and generally making a nuisance of himself to the company has been at least interrupted for now.

The Register cited Romanian news reports that Vladuz ended up wearing handcuffs after his attempt to sell a software application to interested buyers instead brought police to his door. EBay has been chasing Vladuz for over a year.

His exploits reached eBay's forums, where he managed to pose as an official eBay representative. He and eBay disputed how far he was able to get in to their systems; Vladuz claimed extensive access, while eBay denied that.

If eBay's account is accurate, they believe Vladuz caused about a million dollars in damages from his exploits. For now, Vladuz will enjoy jail cuisine for a 29-day period. Further details about the 20-year-old's fate have not been revealed.

Categories: News