Firewall worm debuts new risks

CFS April04.qxd

07/04/2004

12:30

Page 1

(Black plate)

April 2004

London Police to form intelligence cell with companies Security for profit — 4 Domain security — 17

Editor: Sarah Hilley Editorial Advisors: Peter Stephenson, US; Silvano Ongetta, Italy; Paul Sanderson, UK; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P.Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood. Bill J. Caelli Editorial Office: Elsevier Advanced Technology, PO Box 150 Kidlington, Oxford OX5 1AS, UK Tel: +44-(0)1865-843645 Fax: +44-(0)1865-843971 Email: [email protected] Subscription Price for one year: (12 issues) US$833/¥102,240/
769.00 including first class airmail delivery subject to our prevailing exchange rate Price valid to end of 2003 Subscription Enquiries: Orders and Payments: For customers residing in the Americas (North, South and Central America): Elsevier Journals Customer Service 6277 Sea Harbor Drive Orlando, FL 32887-4800, USA North American customers: Tel: +1 (877) 839-7126 Fax: +1 (407) 363-1354 Customers outside US: Tel: +1 (407) 345-4020 Fax: +1 (407) 363-1354 Email: [email protected] For customers in the rest of the World: Elsevier Science Customer Support Department PO Box 211, 1000 AE Amsterdam, The Netherlands Tel: (+31) 20-3853757 Fax: (+31) 20-4853432 Email: [email protected] To order from our website: www.compseconline.com

Publishers of Network Security Computers & Security Computer Fraud & Security Computer Law & Security Report Information Security Technical Report

Contents Analysis London police to form intelligence cell with companies 1

The London Metropolitan police is setting up a covert unit with corporations to share intelligence about cybercrime. Speaking at the Computer & Internet Crime event in London recently Assistant Commisioner Tarique Ghaffur, head of the Specialist Crime Directorate at the Met said that a better way to quantify the costs of computer crime has to be found. "We will be setting up a covert intelligence cell with industry where information about losses is shared," he said. "Industry doesn't want to share losses, they prefer to sack people," said Ghaffur. This is only a stop gap as sacked offenders will continue to swindle other companies, warned the Assistant Commissioner.

He confirmed that the Met sees examples of habitual offending. "We have seen several examples of infiltration and attacks in banking." And the profile of hackers is changing, "they are more mature, and likely to work in IT these days," he said. So far the Met has some high profile cases under its belt; bringing cases against hackers such as Caffrey, McIllroy and Vallor. Police need information, said DI Clive Blake at the same event. "Disruption" of criminal activities is an alternative approach, that can be pursued rather than prosecution if necessary.

Firewall worm debuts new risks

1

UK post office links to ATM network with Thales’ encryption technology 2 Netsky & Bagle dominate virus top 10 in March 2 Nigerian fraudster jailed

3

EC called on to protect outsourced data 3

News In Brief

2,3

Profitable security Computer security for fun and profit 4

End-user security Using security: easier said than done

6

Phishing The future of phishing

11

Firewall worm debuts new risks A network worm, Witty, that exploits security vendors' Internet Security Systems firewall software has demonstrated a new turning point in malware malevolence warns an Internet analysis group.

Audit

The Cooperative Association for Internet Data Analysis (CAIDA) is concerned about haw rapidly the Witty worm was unleashed after disclosure of the exploited vulnerability. Witty is the fastest emerging worm ever according to CAIDA.

ID Theft

The worm emerged less than two days after the vulnerability was disclosed. It exploits a buffer overflow flaw in ISS RealSecure and BlackICE. Colleen Shannon at CAIDA said, "As the payload of worms is published, more information

The transmutation of GIGO and the cult of assumption 12

Identity theft

14

Getting the Whole Picture Policy domain mapping

17

Events

20

CFS April04.qxd

07/04/2004

12:30

Page 2

(Black plate)

news

In Brief ISP, COMCAST DISCONNECTS ZOMBIES A US-based Internet Service Provider, Comcast is cutting off its customers from Internet access if they are being used to distribute spam.

RIAA SUES OVER 500 The Recording Industry Association of America has sued another 532 people including 89 university students.

BIG FOUR DEVELOP RISK MEASUREMENT STANDARDS The major accounting firms and other enterprises are devising an IT security risk measurement capability for big companies. The Risk Preparedness Index is being created by the Global Security Consortium according to Computerworld.

SSL FLAWS HIT CISCO SSL implementations on some Cisco products based on OpenSSL code are vulnerable to attack. However the products are only vulnerable if they have the HTTPS service enabled.

CREDIT AGENCY NOTIFIES CUSTOMERS OF BREACH Over 1400 Equifax Canada customers have been advised of a major security breach. The compromised files include social insurance numbers, bank account numbers and credit histories.

about how to write a viable worm is available to potential attackers. As worms spread successfully, the individuals crafting them become more experienced.” In a report Caida said, 'Witty reached its peak after approximately 45 minutes, at which point the majority of vulnerable hosts had been infected.' "Compared to commercial software available today, worms are pretty simple pieces of code. Generally the most difficult part of creating a worm is finding a vulnerability that a worm can exploit automatically," said Shannon. The new worm shows that patching is getting to be a less effective way of defending networks as there was insufficient time to patch in the case of Witty. Shannon said, “there is no defense against unknown vulnerabilities, and for many organizations it is practically impossible to deploy a patch in less than 24-48 hours, so in some cases there is literally nothing companies can do.” Witty had a destructive payload and spread rapidly considering the fact that it had a relatively small pool of vulnerable machines according to Shannon.

ISSN: 1361-3723/04 © 2004 Elsevier Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Science Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use. Permissions may be sought directly from Elsevier Science Rights & Permissions Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, email: permissions@ elsevier.com. You may also contact Rights & Permissions directly through Elsevier’s home page (http://www.elsevier.com), selecting first ‘Customer Support’, then ‘General Information’, then ‘Permissions Query Form’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (978) 7508400, fax: (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) 207 436 5931; fax: (+44) 207 436 3986. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal

2

UK Post Office Links to ATM network with Thales' encryption technology Brian McKenna The UK Post Office has rolled out a wide area network encryption technology to protect its connections to the Link ATM network as it upgrades from X.25 to IP. This coincides with a major programme that the Post Office has introduced for the payment of state benefits electronically. The Post Office is, so far, the only LINK member to have adopted Thales' Datacryptor product to securely connect to the LINK network to provide banking services. "The Post Office wanted a 'belt and braces' level of security, with encryption at both ends of each transaction - at the device and network level", said Scott Housley, head of corporate relations at Link. "There were two drivers behind the Post Office's decision. One was that we were upgrading from X.25, and the Post Office was looking for a higher level of security than is mandatory within the Link network". Paul Jackson, director of marketing at Thales eSecurity said that "the Post Office had an X.25 network and were looking to move to IP. Now, the risks with IP are higher so they wanted a higher level of security on the network".

LINK processes over two billion transactions per year for the UK's largest institutions and independent ATM deployers. It is the world's busiest ATM network. The Datacryptor deployment went "incredibly smoothly", said Housley. "From a Link point of view it was similar to adding a new member to the network." P&C Communications, a Thales partner, worked with LINK for 18 months to develop and implement the deployment. According to Thales, a benefit of the Datacryptor 2000 installation was the fact that while parts of a transaction are already encrypted, the product provides a final blanket encryption of all the IP data using the 3DES algorithm. Thales' Paul Jackson was not in a position to say who else had pitched for the project originally, but commented that the generic alternative to

circulation within their institutions. Permission of the publisher is required for resale or distribution outside the institution. Permission of the publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Contact the publisher at the address indicated. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the publisher. Address permissions requests to: Elsevier Science Rights & Permissions Department, at the mail, fax and email addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. 02065 Printed by Mayfield Press (Oxford) Ltd