NEWS
Editorial office: Elsevier Advanced Technology, PO Box 150, Kidlington, Oxford OX5 1AS, United Kingdom. Tel: +44 (0)1865 843645. Fax: +44 (0)1865 853971. Website: www.compseconline.com
Editor: Sarah Hilley
Editorial Advisors: Peter Stephenson, US; Silvano Ongetta, Italy; Paul Sanderson, UK; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia
Production/Design Controller: Colin Williams
Printed by: Mayfield Press (Oxford) Limited
Computer Fraud & Security, January 2006
Forensic company forced to do self-analysis
Guidance Software, a computer forensic company, is embarking on a computer investigation of its own corporate systems.
The company has been hacked and had 3,800 customer credit card details stolen. As a result, one customer, Kessler International, has $20,000 worth of fraudulent transactions on its credit card, according to the Washington Post. The California-based company notified all 9,500 customers by letter, which is mandatory under state law. Many Guidance customers are law enforcement agencies, which buy its software to forensically analyse computers when investigating hacks and other cases. The company has reportedly managed to block the intrusion. The hack took place in November but was not discovered until 7 December. The US Secret Service is investigating the breach.
Microsoft breaks routine to put out exploit fire
A zero-day exploit for Windows has been unleashed, forcing Microsoft to issue a hurried fix that breaks its monthly patch cycle routine.
The update comes early “in response to strong customer sentiment that the release should be made available as soon as possible,” said a statement from the software giant. The company had already issued a security advisory and workaround for the Microsoft Windows Metafile Format flaw when it surfaced in late December. It included the patch with its monthly batch on 10 January. It recommends that the prematurely released patch be installed immediately to quash the exploit. The exploit allows a hacker to install spyware and take complete control of a computer to send spam.
Users become infected after downloading attachments or visiting sites containing malignant Microsoft .WMF image files. Security company Websense found thousands of websites that use the flaw to distribute software. Once infected, users are asked to enter credit card details to install a fake “spyware cleaning” application. Microsoft said that the attacks “are being mitigated” by its closure of malicious websites and by anti-virus signature updates. The vulnerability, which has been rated as critical, affects machines running Microsoft Windows XP with SP1 and SP2, and Microsoft Windows Server 2003.
Spam whacking working in US says FTC
The public are getting less spam because of better anti-spam technologies, according to a report from a US regulator.
The Federal Trade Commission (FTC) said that the amount of spam reaching consumers' inboxes has decreased and that emails contain less porn. America Online ("AOL") also reported that its members received 75 percent less spam in 2004 than in 2003. Cutting off zombies, which are used to distribute 60-80% of nuisance email, makes a difference, according to the FTC. The Anti-Spam Technical Alliance, which represents a number of ISPs, has blocked zombie access to port 25, making it difficult for them to send spam. American ISPs have implemented many other technologies, according to the report. But the FTC warned that many ISPs around the world have not followed suit. The FTC also said that the Can-Spam Act has helped in the fight against spam. In a report commissioned to establish the effectiveness of the Can-Spam Act, the FTC said that the Act has given law enforcement a tool with which to prosecute spammers. Fifty cases have been brought against spammers since the Act's introduction in 2004. The Act has also ensured that online marketeers toe the line with less invasive email marketing. The FTC said that customers have noticed the difference: "Consumers have begun to report decreased annoyance with spam." However, spammers have started to send emails that contain malware, which can harm computers, in addition to advertising messages. They are also covering their tracks with more "complex multi-layered business arrangements", so police have to dig deeper to find out their identities. The FTC called for better technologies in domain-level authentication so that spammers can't work anonymously. It also recommended the introduction of a new law - the US SAFE WEB Act - that would help trace foreign spammers.
Compliance points way to risk management
Recent and current pressures on IT security managers in publicly quoted companies to tick regulation boxes have about five more years to run. NetIQ security strategist Chris Pick believes that the discipline of risk management, taking companies beyond mere compliance, is "not there yet” as a driver of IT security spending, but that it will be soon.
The company’s VP of security management product strategy was speaking in connection with the recent launch of its ‘Risk and Compliance Center’ product, which offers a regulation-by-regulation view of security incident data. “It represents a single not multiple effort in terms of understanding security information flows, and gives executives visibility into their enterprises’ security postures. And it automates your compliance efforts so that cost savings are possible from year to year”, he said. So far the product has three major enterprise customers: a Scottish bank, a Swiss financial services company, and a US grocery chain. Pick confirmed that in each case the Chief Information Security Officer drove and signed off the purchase.
In brief
CALIFORNIA DISTRUSTS ELECTRONIC VOTING An electronic voting system from Diebold Systems has been refused certification by Californian election moderators because of security concerns. The problem lies in the memory card of the system, according to reports. An election official, Caren Daniels-Meade, called for the source code of the memory card program to be examined by independent testing authorities. Diebold’s Vice President of Operations said that the company is willing to participate in the testing “to show that our voting systems are up to task.”
TROJAN TARGETS GOOGLE ADS A Trojan horse program that pretends to be Google ads has been created by hackers. The Trojan spews up marketing for pornography in place of real authentic advertisements from Google AdSense.
ADOBE ADOPTS MONTHLY PATCHES Adobe plans to manage the release of software patches every month. Adobe is going down the same route as Microsoft’s monthly patch distribution despite having far fewer patches. It will start the new release schedule within six months, according to IDG reports.
FRANCE COULD BE BEST PLACE TO DOWNLOAD MUSIC Downloading copyrighted music from peer-to-peer networks could become legal in France. The French Parliament has voted by an initial majority in favour of an amendment to support the policy.
US ID CARD STANDARDS AGREED The US National Institute of Standards and Technology (NIST) has announced standards for government biometric ID cards. The agency has released a standard for storing minutia-based fingerprint biometrics. Instead of capturing an entire image of a fingerprint on a card, the biometric will contain certain ridge patterns in the fingerprint.
MARRIOTT LOST BACKUP TAPES Marriott International, the hotel giant, has lost backup computer tapes in Orlando containing data on more than 200,000 people. The hotel chain is notifying the record holders, which include customers, employees and timeshare owners. The records included social security numbers and bank and credit card numbers.
EXTORTIONISTS MOVE IN ON ROLE PLAYERS Hackers stole customer details from a role-playing games maker, causing the company to shut down its online shop for four days. White Wolf Publishing received a threat from extortionists to pay up or else customer data would be posted on the Internet, according to reports. The company did not pay, and the hackers emailed the affected customers offering them their stolen data back for $10.
STORAGE TAPE ENCRYPTION STANDARD COMING The Institute of Electrical and Electronics Engineers (IEEE) is developing standards for encrypting data on backup tapes. The Security in Storage Working Group is creating the IEEE P1619 and P1619.1 Standard Architecture for Encrypted Shared Storage Media. The standards will specify three encryption algorithms and key management.
SPYWARE MASQUERADES AS SOFTWARE FIX Creators of spyware are trying to dupe users into downloading malicious code by giving false warnings that the potential victim’s computer is infected. According to security company Websense, the spyware emails often claim to fix the security infection in return for payment.
SOBER MADE MAN REPORT TO POLICE The Sober worm has tricked a German man into giving himself up to the authorities for a crime he didn’t commit. The worm sent a message to the man telling him he was under investigation for possession of child pornography, according to Security Focus.
NATO SELECTS JUNIPER IDS The North Atlantic Treaty Organization (NATO) has selected Juniper’s Intrusion Detection & Prevention (IDP) product to secure NATO’s bases throughout its member states worldwide. The deployment has been undertaken by Telindus Belgium, which is the prime contractor of the project signed with NC3A (NATO C3 Agency).
IPSEC DEAD BY 2008, SAYS GARTNER The analyst firm has predicted that the IPsec protocol is dying. In a new report, it says that by 2008, the use of IPsec will have been eclipsed by SSL, for much of the market. By that year, two-thirds of teleworking remote access employees — and 90% of casual access users — will have adopted SSL.