
Sunday, March 16, 2008

The top five internal security threats

Research conducted by the US Computer Emergency Response Team (Cert) estimates that almost 40 percent of IT security breaches are perpetrated by people inside the company.


Criminal attacks are particularly likely to happen from the inside: one recent study estimated that 90 percent of criminal computer crimes were committed by employees of the company attacked.

Smaller businesses are uniquely vulnerable to IT security breaches because they may lack the more sophisticated intrusion detection and monitoring systems used by large enterprises, according to Mark Murtagh, a technical director with Websense. "We definitely are seeing an increasing threat to SMEs, coupled with a lack of understanding of the threats posed," he says.

ZDNet.co.uk asked the experts: what are the top 10 security threats posed by workers in small and medium-sized enterprises?

1. Malicious cyberattacks
Research conducted by Cert has found the most likely perpetrators of cyberattacks are system administrators or other IT staff with privileged system access.


Technically proficient employees can use their system access to open back doors into computer systems, or leave programs on the network to steal information or wreak havoc. In 2006, IT programmer Roger Duronio was found guilty of planting a type of malware known as Unix logic bombs in the network of investment bank UBS. The company claimed the resulting damage cost more than $3m (£1.5m).

Prosecutors argued that Duronio had launched the attack when he received a bonus he felt was unreasonably low. He complained and eventually resigned from his job, but not without leaving behind a memorable parting gift.

The best protection against this sort of attack is to monitor employees closely and be alert for disgruntled employees who might abuse their positions. In addition, experts advise immediately cancelling network access and passwords when employees leave the company, to avoid them using passwords to remotely access the network in future.

2. Social engineering
Perhaps one of the most common ways for attackers to gain access to a network is by exploiting the trusting nature of your employees. After all, why go to the trouble of creating a program to steal passwords from the network, if people will simply give out this information on the telephone?

"You can have the best technical systems in place, but they're not effective if people aren't educated about the risks," says Mike Maddison, head of security and privacy services at Deloitte UK. A recent survey conducted by Deloitte found three-quarters of companies have not trained staff in the risks of information leakage and social engineering.

"It's vital that people understand, for example, that they shouldn't provide their password over the telephone, or that they recognise a phishing email," says Toralv Dirro, a security strategist with McAfee. "These sorts of messages are becoming increasingly sophisticated, and we're now seeing very personalised, targeted phishing emails that may even refer to projects that people work on, or members of their team."

3. Downloading malicious internet content
Some reports suggest the average employee in a small business spends up to an hour a day surfing the web for personal use — perhaps looking at video or file-sharing websites, playing games or using social media websites such as Facebook.

It's not just time that this activity could cost you. Analyst reports show that the number of malware and virus threats is increasing by more than 50 percent each year, and many of these destructive payloads can be inadvertently introduced to the network by employees.

"It's very easy for a rootkit to be hidden in a game or a video clip, and a novice user may not notice anything out of the ordinary," warns Graham Titterington, a principal analyst with Ovum.

The best advice is to constantly update and patch your IT systems to ensure you are protected against new threats as they emerge, advises Paul Vlissidis, a technical director with NCC Group. "Don't rely on monthly or quarterly security downloads," he says. "The time between vulnerabilities being discovered and then exploited is shrinking all the time, so it's important to update patches and antivirus software regularly, and ideally layer several antivirus products rather than using just one."

In addition, consider whether your antivirus software can filter, monitor and block video content: few products can do this today, but a video of someone falling over can provide a cover for downloading all sorts of content onto the network, says Bob Tarzey, a service director with analyst firm Quocirca.

4. Information leakage
There are now a staggering number of ways that information can be taken from your computer networks and released outside the organisation. Whether it's an MP3 player, a CD-ROM, a digital camera or USB data stick, today's employees could easily take a significant chunk of your customer database out of the door in their back pocket.

"These types of devices are effectively very portable, very high-capacity hard drives," says Andy Kellett, a senior research analyst with Butler Group. "Someone can walk away with up to 60GB of data on a USB stick, so it's not a trivial matter."

Research conducted by Websense found that a quarter of UK workers who use PCs at work admit copying data onto mobile devices at least once a week. In addition, 40 percent say they use USB sticks to move data around, and a fifth have revealed their passwords to third parties.

Kellett advises companies to use software to specify policies on what devices can be connected to the corporate network, and what data can be downloaded. This should be enforced by the company — but workers should also be educated about why the policies are in place — or they will simply find a way to work around them. "It's not difficult to specify that the USB ports on desktop computers are disabled, or that CD-ROM drives are removed from computers where they aren't needed," Kellett says. "But you have to work with your employees to balance security and usability."

In addition, Kellett recommends considering whether to block access to web-based email and data-storage services, such as Gmail. "If someone can store confidential documents to an online storage site, that information is completely beyond your control," he says.

Finally, consider locking down networks to prevent wireless access using Bluetooth or Wi-Fi — except for authorised users with authorised devices. "Information loss over Bluetooth on an unsecured network is very difficult to detect indeed," says Kellett.


5. Illegal activities
It's important to remember that, as an employer, you are responsible for pretty much anything your employees do using your computer network — unless you can show you have taken reasonable steps to prevent this. Famously, the US-based Citibank was sued for $2m (£1m) when employees downloaded pornography from the internet, and UK companies have dismissed workers for a range of misdeeds, from selling drugs using company email to distributing racially and sexually offensive material over corporate intranets.

To protect yourself, experts advise a two-pronged approach. First, use monitoring software to check email and internet traffic for certain keywords or file types. You might also choose to block certain websites and applications completely.

Second, devise an Acceptable Use Policy spelling out employees' responsibility for network security, ensure it's signed by everyone and that workers fully understand the risks and their responsibilities. According to software company Websense, one in five UK workers say they don't really understand their company's security policy.

Intel to launch high-capacity solid-state drives

Intel is planning to launch high-speed, high-capacity solid-state drives in the second quarter of this year.

According to ZDNet.co.uk's sister site CNET News.com, the chip giant will be pushing out 1.8- and 2.5-inch solid-state drives (SSDs) with capacities of between 80GB and 160GB. Intel already offers smaller-capacity solid-state chips, but this move will bring it into competition with companies like Toshiba and Samsung. Samsung plans to bring out a 128GB SSD later this year.

Troy Winslow, Intel's marketing manager for NAND products, told CNET News.com last week that Intel's Sata II SSDs would have "much better" speed performance than rival manufacturers' products, which have read speeds going up to around 100Mbps.

"When Intel launches its... products, you'll see that not all SSDs are created equal," Winslow said. "The way the SSDs are architected, the way the controller and firmware operates makes a huge difference. When you're putting all your critical applications and data into notebook or server [SSDs], who knows those markets better than the manufacturer that's supplying the world with CPUs?"

Winslow also suggested that SSD prices, which are currently very high when compared with traditional hard drives, would soon dramatically drop. "Price declines are historically 40 percent per year," he said. "And, in 2009, [there will be] a 50 percent reduction, then again in 2010." He also suggested that SSDs would play a big role as "performance accelerators" in the server market.

SSDs have recently started to find their way into laptops — notably the Asus Eee PC and other budget subnotebooks — albeit at a relatively low capacity. Intel had not confirmed pricing or exact release dates for its new SSDs at the time of writing.

Red Hat Linux 5.2 beta released

Red Hat has released new beta versions of its enterprise and desktop Linux products, with improvements including better virtualisation and clustering features, to make the operating system a more stable platform for server farms.

Red Hat Enterprise Linux (RHEL) 5.2 beta upgrades the core virtualisation hypervisor, Xen, to Xen 3.1.2, and allows support for up to 64 processors per system and up to 512GB of memory per server. The Numa (non-uniform memory access) interface has also been improved.

In the past, rival Novell has criticised Red Hat's slow implementation of Xen, the open-source hypervisor that both Novell and Red Hat have contributed to, and Red Hat has apparently toyed with the idea of moving to the alternative KVM hypervisor, which it supports in its Fedora operating system, according to remarks made at a launch of virtualisation features in November.

Red Hat has also improved clustering, with applications failover improved, and has increased support for IPv6, with the inclusion of DHCP 6, for better LAN and WAN support.


The desktop has been spruced up with the newest versions of all the major open-source applications, including Firefox, Evolution, OpenOffice and Thunderbird, along with improved support for laptop suspend and better graphic drivers. "Red Hat is getting ready to 're-base' its desktop applications," said eWeek's Steven Vaughan-Nichols, who noted the company's desktop plans, including support for Microsoft proprietary media formats, "seem to have hit a dead end."

The RHEL beta is available in the plain form as well as the "advanced platform" version for AMD, Intel 64 and Itanium, and for IBM's S/390 mainframes, System p and System z platforms. Meanwhile the RHEL desktop beta is available for x86 and AMD64 and Intel 64. More details can be found at the Red Hat site.

Red Hat said it welcomes users downloading the beta for their test systems but warned that RHEL 5.2 should not be considered suitable for production systems yet.

SQL Slammer worm wreaks havoc on Internet

A worm that attacks Microsoft's database software spread through the Internet over the weekend, causing cash machines to stop issuing money, taking most of South Korea offline, and slowing down the Internet.

The worm, known as SQL Slammer, takes advantage of a bug that was discovered last July in Microsoft's SQL Server database software. Although a patch has been available since then, many system administrators have failed to install the patch, leaving their computers vulnerable.

The result: chaos.

Bank of America said 13,000 of its ATMs refused to dispense cash. In South Korea, the country's largest ISP, KT Corp, said almost all its customers lost their connections during the attack. Chinese computer users saw sites freeze and a dramatic slowdown in download speeds, as the worm's effects hit the Internet's nameservers -- the computers that translate Web addresses into numerical Internet Protocol addresses. And all this in just 376 bytes of code, meaning the entire SQL Slammer worm code is about half the length of this paragraph.

Antivirus firm F-Secure said the effects were so marked because the worm generates massive amounts of network packets, overloading servers and routers and slowing down network traffic. "As many as five of the 13 Internet root nameservers have been downed because of the outbreak," said the company in an alert.

SQL Slammer's code instructs the Microsoft SQL Server to go into an endless loop, continually sending out data to other computers, in effect performing a denial of service attack, F-Secure said, comparing the slowdown to the impact of the Code Red virus, which brought internet traffic to a halt in the summer of 2001.

The worm has been rated as critical by Microsoft and by antivirus companies because of the damage it has caused, although it is not thought to damage data on infected machines. It does not spread through email and will not affect most home users' computers directly, said experts, although PCs that use the Microsoft SQL Server 2000 Desktop Engine, such as Visual Studio .Net and Office XP Developer Edition, are also vulnerable, according to Microsoft chief security strategist Scott Charney.

The first reported attacks of SQL Slammer were recorded around 05:30 GMT on Saturday morning, and it has been subsequently reported in many countries across the globe, said antivirus firm Messagelabs. Unlike mass-mailing worms, SQL Slammer does not write files to a computer's hard disk, but resides in memory. While this makes it easy to remove -- a computer simply has to be rebooted -- it also makes it difficult for antivirus software to detect it, said Messagelabs. And as soon as a rebooted computer is reconnected to the Internet, it will be vulnerable to reinfection unless it has first been patched.

Microsoft said it became aware several hours later at 00:30 Pacific time "of an Internet attack causing a dramatic increase in network traffic worldwide." Calling the release of the worm a criminal act, Microsoft said it was "working around the clock to ensure our affected customers are protected."

But even as some Microsoft executives urged companies to download patches, others admitted that this was not as easy as it sounded. Microsoft spokesman Rick Miller was quoted in USA Today as confirming that Internet congestion was interfering with administrators trying to download the patch. "The same congestion also completely prevented consumers from contacting Microsoft over the Internet to unlock the anti-piracy features of its latest products, including the Windows XP and Office XP software packages," said the paper.

System administrators who are unable to download the patch should block UDP port 1434, said experts. This will prevent external attacks from exploiting the vulnerability. UDP port 1434 is used by the SQL Server Resolution Service, which provides a way for clients to find a particular instance of SQL Server on a machine.

It is this Resolution Service that contains the flaw exploited by SQL Slammer. SQL uses a keep-alive mechanism to distinguish between active and passive instances, but the flaw means that if a particular data packet is sent to the SQL Server 2000 keep-alive function, it will reply to the sender with an identical packet. Under normal circumstances this is not a problem, according to Microsoft, but by spoofing the source address of such a packet, it would be possible to cause two SQL Server 2000 systems to start an endless cycle of packet exchanges.

This is how SQL Slammer operates. In its original description of the flaw, Microsoft explained the sequence of events:

"Suppose there were two SQL Servers with the vulnerability, Server 1 and Server 2. Now suppose the attacker created the needed keep-alive packet and modified the source address so that it contained Server 1's address, then sent the packet to Server 2. This would initiate the exchange, because Server 2 would reply to Server 1, which would reply to Server 2, ad infinitum."
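The two defensive points above, blocking UDP port 1434 at the perimeter and recognising the worm's traffic pattern (a single host spraying UDP/1434 datagrams at many addresses), can be checked against firewall logs. The following is an added example written for this page, not code from the original article or from any vendor named in it. It assumes iptables-style LOG lines with ISO timestamps, assumes the internal ranges are 10.0.0.0/8 and 192.168.0.0/16, and uses a few constructed log lines as input; the 404-byte datagram length in the samples is the page's 376 bytes of worm code plus the 8-byte UDP and 20-byte IPv4 headers.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SQL_RESOLUTION_PORT = 1434  # SQL Server Resolution Service, UDP (from the article)

# Assumed internal address ranges for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# "<iso-timestamp> <host> kernel: KEY=VALUE KEY=VALUE ..." (iptables LOG style, assumed format)
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ kernel: (?P<fields>.*)$")

# Constructed sample log: not real captured traffic.
SAMPLE_LOG = [
    # an infected internal host spraying UDP/1434 at many addresses within seconds
    *(f"2003-01-25T05:30:{i:02d} fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 "
      f"DST=198.51.100.{i} PROTO=UDP SPT=1434 DPT=1434 LEN=404" for i in range(1, 9)),
    # an ordinary client asking the Resolution Service where an instance lives
    "2003-01-25T05:30:05 fw kernel: IN=eth1 OUT= SRC=10.1.2.9 DST=10.1.2.3 PROTO=UDP SPT=4521 DPT=1434 LEN=56",
    # outside hosts reaching UDP/1434 on internal machines: the advised port block is not in place
    "2003-01-25T05:31:10 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.1.2.3 PROTO=UDP SPT=1434 DPT=1434 LEN=404",
    "2003-01-25T05:31:11 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.1.2.4 PROTO=UDP SPT=1434 DPT=1434 LEN=404",
    # unrelated TCP traffic to the main SQL port, ignored by the filters below
    "2003-01-25T05:31:12 fw kernel: IN=eth1 OUT= SRC=10.1.2.9 DST=10.1.2.3 PROTO=TCP SPT=4522 DPT=1433 LEN=60",
]


def parse_line(line):
    """Return a dict for one LOG line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    try:
        return {
            "ts": datetime.fromisoformat(m.group("ts")),
            "src": ipaddress.ip_address(kv["SRC"]),
            "dst": ipaddress.ip_address(kv["DST"]),
            "proto": kv.get("PROTO"),
            "dpt": int(kv["DPT"]) if kv.get("DPT") else None,
            "len": int(kv["LEN"]) if kv.get("LEN") else None,
        }
    except (KeyError, ValueError):
        return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def udp_1434_events(lines):
    """Yield only parsed events that are UDP datagrams to the Resolution Service port."""
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "UDP" and ev["dpt"] == SQL_RESOLUTION_PORT:
            yield ev


def find_scanners(lines, min_targets=5, window=timedelta(seconds=60)):
    """Sources that sent UDP/1434 to at least `min_targets` distinct hosts inside any `window`.

    A legitimate client asks one server where an instance lives; a worm-infected
    host hits many addresses in a burst. Returns {src: max distinct targets seen}.
    """
    by_src = defaultdict(list)
    for ev in udp_1434_events(lines):
        by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    scanners = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()  # sliding window of (timestamp, destination)
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            while ts - recent[0][0] > window:
                recent.popleft()
            peak = max(peak, len({d for _, d in recent}))
        if peak >= min_targets:
            scanners[str(src)] = peak
    return scanners


def find_external_exposure(lines):
    """(src, dst) pairs where UDP/1434 crossed from outside into an internal range.

    Any hit here means the perimeter block on UDP 1434 recommended in the
    article is missing or bypassed.
    """
    return sorted({(str(ev["src"]), str(ev["dst"]))
                   for ev in udp_1434_events(lines)
                   if not is_internal(ev["src"]) and is_internal(ev["dst"])})


if __name__ == "__main__":
    print("hosts spraying UDP/1434:", find_scanners(SAMPLE_LOG))
    print("external UDP/1434 reaching inside:", find_external_exposure(SAMPLE_LOG))
```

Run against a real log export, the scanner threshold and window are the two knobs worth tuning: a single internal host reaching a handful of SQL servers is normal, while dozens of distinct destinations in under a minute is the worm's signature regardless of payload size.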

However, system administrators do appear to have acted quickly -- at last. By late Saturday, the worm appeared to have passed its peak, said antivirus firms.

Charney said the widespread effects of SQL Slammer could have been avoided. "The unfortunate thing about this is when you know that this was a problem and they (customers) hadn't updated," Charney said, "That's a bit frustrating."

"It was a vulnerability. We knew about it, but someone is exploiting it. We want our customers to be as secure as possible and install the patches."

ATM fraud - it's not just on the cards

Changes in the technology used in cash machines have increased their theoretical vulnerability to attack. However, research shows that fraud by other means is still more likely.

Over the years, cash machines (ATMs) have migrated to increasingly insecure platforms, and recent research has thrown up some unexpected potential avenues of attack. However, it is important to consider how significant these are in the card transaction threat landscape as a whole.

When introduced in the early sixties, ATMs ran on proprietary systems and communicated over dedicated leased lines directly with transaction processors such as VISA. However, from the late eighties ATM vendors progressively migrated to commercial off-the-shelf (COTS) systems: first IBM's OS/2, and then primarily Windows. OS/2 implementations retained the use of private lines and the OS has always been considered much more resistant to malware than Windows. The migration to Windows was also accompanied by replacement of the expensive dedicated point-to-point connections between ATMs and transaction processors with a new internet-based architecture interposing card issuers – the banks – between the ATMs and the transaction processors. These changes substantially increased the theoretical attack surface. Nevertheless the move was greeted enthusiastically by the industry. As recently as 2003, a representative of NCR stated "You get a consistent look and feel, expanded transactions across all channels and new solutions. Those are well worth the inconvenience you might get from a PC virus."

There has been only one reported instance of malware directly infecting ATMs. In August 2003 the Nachi worm was found on two Diebold ATMs running Windows XP Embedded, and the problem was recognised by network intrusion detectors and contained before any damage ensued. But earlier that year the Slammer worm locked out 13,000 ATMs when it infected SQL Server machines at Bank of America; those servers were on the same network as the ATMs and must have been reachable from the internet for the infection to occur.

Since then, considerable research has gone into analysing possible attack vectors on ATMs. A 2006 report by Redspin Inc. analyses the communication protocol between the ATM and the transaction processor in detail. It emerges that the only data element intrinsically encrypted is the cardholder's PIN. All the other transaction data is in plain text, relying entirely for confidentiality and integrity on the encryption provided by the VPN tunnel over which the connection is made. The authors point out that the protocol itself is very transparent, and it would be possible to tamper with transactions if the raw data stream could be tapped. They very pertinently suggest that the easiest place to do this would be on the card issuer's local network, which may well have connections to the internet. It wouldn't therefore be strictly necessary to have direct access to the ATM itself. Although it is possible that ATMs hosted by small retailers might communicate over insecure local networks, Link, one of the major ATM connectivity providers, did not respond to heise online's query about how small retailer ATMs connect to the Link secure infrastructure.

A recent paper by Network Box, IP-ATM Security, highlights the threats specific to ATMs connected to IP networks and suggests that some of the solutions proposed so far fall short of the mark. The researchers established that the data passed in plain text were enough to create cloned cards for offline or "card not present" use. They also suggest the feasibility of denial of service attacks has been demonstrated by the Slammer incident, and that complete protection would require total dissociation of the ATM system from the internet. The Diebold/Nachi incident apparently prompted the vendor to install a personal firewall on all subsequently delivered ATMs. However the Network Box researchers consider that solution inadequate. They point out that personal firewalls are vulnerable to bypass by virtue of residing on the platform they protect, and that they are designed for completely different traffic patterns and system use from those found on an ATM. Network Box do not comment on the effective denial of service that also resulted from Nachi infecting the Diebold ATMs: the network intrusion system closed them down when the worm was detected.

Spammers sued for $1bn

An American company has sued an as yet unidentified group of spammers for a cool billion US dollars in the hope that the legal action may lead them to find out who the actual spammers are. The move was initiated by the anti-spam organization Unspam Technologies and its spam monitoring project, Project Honey Pot.

Project Honey Pot has tens of thousands of members in some one hundred countries. These numbers highlight the fact that spam has become a truly global problem in recent years.

According to the complaint lodged at a Virginia court last April, spam now constitutes up to 90% of all email traffic. The organization that lodged the unprecedented case in Virginia believes spammers, even though they may be harvesting users' email addresses from open online sources, are contravening US anti-spam legislation and have hidden their identity to "avoid detection".

Interestingly, the complaint is directed against "John Doe" spam merchants rather than any particular spamming group. Unspam hopes that this court action could help them pinpoint actual perpetrators, who will be brought to light through the legal process. The group has collected a lot of data since the launch of Project Honey Pot in 2004; it hopes the data can now be used to track those responsible for the flood of spam in users' mailboxes. The court will also be asked to permit the examination of ISP records. This would provide crucial links to spammers, making it possible to find concrete suspects in what has already been termed a landmark case for the anti-spam world.

Credit card fraudsters jailed in UK

The UK’s largest ever credit card fraud gang has been dismantled in London. The fraudsters, who could have netted an estimated £17m, received jail sentences from a judge who called their offences “very serious”. A total of five people, all from Eastern Europe, were involved in the scam.

Gang leader Roman Zykin, an illegal immigrant from Russia, was jailed for five and a half years and recommended for deportation at the end of serving his sentence. Two Polish men were also jailed for three and four years respectively, while Estonian “link man” Hannes Pajasalu will serve two years. At a previous hearing Zykin’s wife, Malgorzata, received a six month sentence. The investigation into the gang’s activities lasted for 18 months and spanned several continents, as the FBI, Europol, Estonian police and other authorities and banking bodies, aided UK police in the task of bringing the five to justice. The search for the five culprits was hampered by the gang using sophisticated encryption techniques to hide their electronic traces. Interestingly, the investigation was triggered by a routine stop and search of Roman Zykin by an anti-terrorist patrol at Victoria Station in London, when dozens of mobile phone top-up cards were found in his possession.

The authorities believe the group, which was highly organized and skilled, had access to tens of thousands of stolen credit card numbers, which were held on their state-of-the-art computer systems. According to the police, these numbers were mainly sourced from the US, where hackers stole them in a major attack on a database. Prosecutors have so far tracked some £150,000 in criminal transactions but expect the losses to be much higher, as these fraudsters could afford a lavish life in Britain and abroad, staying in £900,000 mansions and going on five-star holidays abroad. However, for the next few years these cybercriminals will have to holiday in jail.