NEWS
Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
Programme Editor: Steve Barrett (Tel: +44 (0)1865 843239, Fax: +44 (0)1865 853971)
Web: www.networksecuritynewsletter.com
Editor: Danny Bradbury
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Editor: Alan Stubley
Network Security
The report doesn’t discuss how the websites were hacked, but web application attacks have been a popular method of compromising websites, as operating systems and web server software have gradually become more secure. SQL injection attacks have recently become a popular method of compromising sites that use databases to dynamically generate content. At the start of January, at least 70 000 websites across a variety of private and public sector organisations were infected with malicious code. The code altered sites to deliver content from uc8010.com, a site hosted in China. The SANS Institute posted information about the gradual evolution of the SQL injection attack here: http://isc.sans.org/diary.html?storyid=3823&rss. Other findings in the report included a focus on attacking web 2.0 applications using a mixture of techniques, including mash-ups and unattended code injection. It also confirmed that the US, China and Russia are the top three countries hosting phishing and crimeware sites.
Business worried about data loss - but probably not enough
Business concerns over data loss have escalated considerably during the past year, according to a report issued by Symantec. In volume 2 of its IT Risk Management Report, the company found survey respondents worried about the loss of data from security breaches.
“Data loss went from not even being an area of concern that warranted being in the survey last year, to being 46% of respondents expecting at least one serious incident per year,” said Jennie Grimes, senior director at Symantec’s IT risk management program office. However, that still leaves 54% of respondents expecting a data leakage incident only once every five years. Following a year of high-profile data losses in companies such as the TJX Group and in government organisations, 63% believe that a leak would have a serious impact on their business. A related issue, endpoint management, was also an area of serious concern, according to the company. Over half of respondents to its survey expected to lose a laptop or other client within a year, but only a third of them have current configuration data for those laptops. “They only assess them annually in some cases,” said Grimes. The report sought to debunk what the company sees as four common misconceptions about IT risk. Risk in IT extends beyond security, encompassing areas such as availability, for example, said Symantec. IT risk management is also a continuing process rather than a discrete project. Technology alone is not enough to mitigate IT risk, added the report, arguing that well structured processes based on standards such as ITIL are a particularly important part of managing IT security risk. Unfortunately, the employee training and awareness that should accompany such processes is sadly lacking, said the firm. “The report implied where the respondents were generally weakest. One of the worst performing areas was training and awareness,” said Grimes. “And yet, we did research with IDC showing that if an organisation invests in training and awareness, they’ll get a 10% provable productivity gain. So you wonder why organisations aren’t looking at some of the less technology-bound answers?”
Ontario issues guidance on RFID use
Ontario privacy commissioner Dr Ann Cavoukian has issued a set of guidelines for the use of RFID tags in the healthcare sector. The report, produced in conjunction with HP, highlights concerns over RFID privacy, but suggests that the benefits of the technology are great enough to make it worth navigating the security risks.
The report, RFID and Advocacy − Guidance for Healthcare Providers, separates the use of RFID tags into three broad applications. The first, tagging things, carries no significant privacy implications, it says.
February 2008
The second, tagging things attached to people, carries some moderate privacy issues, while the third, tagging people, is an area of extreme controversy. Guidance offered by the report includes asking questions during the system design and information stage. Such questions include whether personal information is stored on a tag, whether the tag will be close to compatible unauthorised readers, the length of time that records are retained in analytic or archival systems, and the ability of tags to be disabled after use. When discussing the tagging of individuals, the report recommends asking whether the tags will be part of an “open loop” system involving multiple organisations, and whether the data will be stored or controlled by outside third parties. Victor Garcia, CTO of HP Canada, argued that designing suitable entitlements and audit facilities into back-end systems using the RFID data was crucial. “Technology can help to enforce policy and legislation by designing applications in such a way that things like role-based access control are built into the application,” he said. “It needs to be properly designed.” However, not all health care institutions in the province were ready for such a move. “It depends on the hospital and the facility,” said Dr Cavoukian. Many hospital CIOs in Toronto are very capable, she says. “Some of the smaller facilities in more rural areas – that’s something we’ll have to work on.”
EVENTS CALENDAR
4−6 March: IDTrust 2008, 7th Symposium on Identity Theft and Trust on the Internet. Location: Gaithersburg, MD, USA. Website: http://middleware.internet2.edu/idtrust/2008/
4−7 March: The International Workshop on Digital Forensics. Location: Barcelona, Spain. Website: www.ares-conference.eu/conf/index.php?option=com_content&task=view&id=45
10−12 March: InfoSec World 2008. Location: Orlando, Florida, USA. Website: www.misti.com/default.asp?page=65&Return=70&ProductID=5539
17−21 March: The 2nd Workshop on Web and Pervasive Security. Location: Hong Kong. Website: www.sersc.org/WPS2008
25−28 March: The IEEE 22nd International Conference on Advanced Information Networking and Applications. Location: Ginowan, Okinawa, Japan. Website: www.aina-conference.org/2008/
25−28 March: Blackhat Europe 2008 Briefings and Training. Location: Amsterdam, The Netherlands. Website: www.blackhat.com/html/bh-link/briefings.html
26−28 March: CanSecWest 2008. Location: Vancouver, British Columbia, Canada. Website: www.cansecwest.com
Top ten threats in January 2008. (Source: Fortinet)
Rank  Threat Name              Threat Type   % of Detections
1     W32/Netsky!similar       Mass mailer   10.91
2     HTML/Iframe_CID!exploit  Exploit       7.91
3     W32/Small.FQS!tr.dldr    Trojan        5.87*
4     W32/Pushu.BYC!tr         Trojan        2.83*
5     W32/MyTob.FR@mm          Mass mailer   2.53
6     W32/Pushdo.DGH!tr        Trojan        2.53*
7     W32/MalFormedani.C       Exploit       2.49
8     Adware/Agent             Adware        2.47
9     W32/Bagle.DY@mm          Mass mailer   2.24
10    W32/MyTob.BH.fam@mm      Mass mailer   2.09
Spammers turn to search engines
Messagelabs has identified a new kind of search engine-based spamming technique designed to get past many companies’ anti-spam filters. In its January 2008 intelligence report, it details a technique that takes advantage of Google’s ‘INURL’ tags, and its ‘I feel lucky’ search facility, which takes surfers straight to the site of the most likely search result.
The spammer crafts a search URL using the INURL tag to focus the search only on their domain. By including a tag which invokes the ‘I feel lucky’ function, the search URL takes the user directly to a page on their own web site, circumventing Google’s pages while also avoiding any reference to the spammer’s own domain in the URL. This makes it hard for anti-phishing toolbars or anti-spam filters to identify the spam email based on the embedded link. The technique, now used in 17% of all spam mail according to the report, correlates with a rise in text or HTML-only spam, and a marked decline in image spam. Text spam now accounts for 60% of spam, compared to just 30% last summer, while 38% of all spam is now HTML-based, slightly down from 50% last summer. Image spam has dropped to just 2% of all spam, just a tenth of its volume when it was at its high point in summer last year. Spam mail that uses file formats like PDFs, XLS and MP3s to carry its payload now accounts for less than 1% of spam, said the report. Another significant finding was that stock spam has slowed to a crawl. It now accounts for just 2% of spam, following the indictment of stock spam king Alan Ralsky.
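The filter-evasion described in the Messagelabs item works because the link a filter sees points at the search engine, not at the spammer. The defensive response is to recognise such links and recover the domain the INURL term pins the search to, so that the usual domain blocklist can be applied to the real destination. The following is an added example written for this page; it is not code from Messagelabs, Fortinet or Network Security. It assumes, since the page does not name them, that the "I'm Feeling Lucky" redirect is requested with Google's `btnI` query parameter and that the search host matches google.<tld>; the blocklist and the sample message are constructed for the example.

```python
"""Flag e-mail links that route through a search engine's "I'm Feeling Lucky"
redirect so that the spammer's real domain never appears in the link.

Added example; not code from Messagelabs, Fortinet or Network Security.
Assumptions not on the page: the lucky redirect is requested with the `btnI`
query parameter, the search host matches google.<tld>, and the blocklist and
sample message below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample blocklist of domains the filter already knows as spam hosts.
BLOCKED_DOMAINS = {"example-pharma.invalid", "cheap-watches.invalid"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
SEARCH_HOST_RE = re.compile(r"(?:^|\.)google\.[a-z.]+$", re.IGNORECASE)
# The inurl: operator restricts results to URLs containing the given string;
# the spammer uses it to pin the search to their own domain.
INURL_RE = re.compile(r"inurl:(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def analyse_link(url):
    """Classify one URL.

    Returns a dict with:
      lucky_redirect - True when the link is a search URL that both narrows the
                       search with inurl: and asks for the lucky redirect
      hidden_domain  - the domain the inurl: term points at, if any
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    result = {"url": url, "lucky_redirect": False, "hidden_domain": None}
    if not SEARCH_HOST_RE.search(host):
        return result  # ordinary link: the visible host is the real destination
    # keep_blank_values so a bare "&btnI" with no value is still seen
    params = parse_qs(parsed.query, keep_blank_values=True)
    query = " ".join(params.get("q", []))
    match = INURL_RE.search(query)
    if match:
        result["hidden_domain"] = match.group(1).lower()
    result["lucky_redirect"] = "btnI" in params and match is not None
    return result


def scan_message(body):
    """Return findings for every lucky-redirect link in a message body.

    Each finding carries the domain the link really leads to, so the domain
    blocklist is applied to that domain instead of to the search host.
    """
    findings = []
    for url in URL_RE.findall(body):
        info = analyse_link(url)
        if info["lucky_redirect"]:
            info["blocked"] = info["hidden_domain"] in BLOCKED_DOMAINS
            findings.append(info)
    return findings


# Constructed sample message: one disguised link and one ordinary link.
SAMPLE_SPAM = (
    "Limited offer, click here: "
    "http://www.google.com/search?q=inurl:example-pharma.invalid+offer&btnI=I\n"
    "More news at http://www.example.org/news\n"
)

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_SPAM):
        print(finding)
```

The ordinary link is left alone because its visible host is its real destination; only a search URL that combines an inurl: term with the redirect parameter is treated as disguised, which keeps legitimate links to search results out of the findings.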