|
Internet Security News
Breaking news and updates in Internet security
Last Updated: August 7th, 2008 17:43:59 CDT -0500
From Traditional Anti-Virus to Security-as-a-Service
Over the past five years, the anti-virus market has experienced tremendous growth as many new technologies have emerged in response to current conditions.
What was once a market consisting of very few players has evolved into a multi-billion dollar enterprise consisting of dozens of companies with huge assortment of anti-virus products varying in focus and quality.
According to analysts, the global anti-virus market is forecasted to surpass $58 billion by 2010 with the introduction of new technologies in the areas of data loss prevention, virtualization security, security-as-a-service and many others.
Despite this growth, the technology behind anti-virus today is highly inefficient when it comes to protecting against modernized threats. This is fueled by the fact that vendors simply can't keep up with all of the new malware surfacing each and every day. The situation has created a breakdown in the quality and effectiveness of their underlying core technology. 1
This problem is evident in today's high-profile security incidents. According to the Identity Theft Resource Center (an organization that tracks incidents relating to exposure of confidential information), the number of recorded breaches more than doubled in the first quarter of 2008. 2
This problem is even more visible when you take into account the current application delivery model employed by various end-point technologies today.
This agent-based delivery model introduces several challenges, not only on the side of administration, management and ease of use, but to the degree necessary to provide an adequate level of protection against zero-day, zero-hour, and zero-minute threats.
This traditional model has the following characteristics:
· Upgrades require time and effort to implement, leaving a dangerous window of opportunity to become infected. This problem is amplified if the upgrade includes engine revisions to detect new strains of malware.
· Enterprise protection suites require deployment of a dedicated management infrastructure that in some cases will require additional hardware.
· Some end-point protection suites that use a policy driven system are particularly complex to manage and maintain, therefore the total cost of ownership will increase overtime.
· Anti-malware intelligence has traditionally resided on the end-point, thus, the trade-off between security and resource consumption has always been a challenge.
· The memory and CPU foot-print is directly proportional to the size of the signature file. Therefore, the growth of new threats will ultimately affect the user's experience.
· On average, the foot-print for leading products is anywhere from 100MB to 150MB, depending on the modules enabled (i.e. firewall, anti-virus, anti-spam, host intrusion prevention, etc).
· Most end-point products on the market today have a very narrow, short sighted view of the threat-landscape and do not provide protection for all malware currently in circulation and affecting users.
· Nodes do not share intelligence amongst themselves, thus, reducing the overall efficiency to detect and prevent against targeted attacks.
When we examine this security model further, the small and medium size business (SMB) market will be affected the most. The traditional anti-virus model introduces significant challenges for SMBs who have tight budgets for security. This is especially true as they often do not have the expertise or resources in-house to manage and administer complex anti-malware solutions.
The best alternative that an SMB can take when it comes to security is out-sourcing their services to a hosted infrastructure and/or adopting a Security-as-a-Service model. This helps reduce complexity and time to market when implementing new security technologies and will not require a high degree of skill to maintain the solution.
Security-as-Service revolves around the concept known as Software-as-Service or SaaS. SaaS changes the way that applications are currently delivered to customers by hosting them "in the cloud" and providing a web interface to interact with the applications. Previously, software had to be installed directly on the user's system and managed inside the business or manually remote controlled by an outside service provider.
Customers of an SaaS solution benefit from real-time up-to-the-minute content provided on a continuous basis through a subscription model making life a lot easier. This model allows companies, their IT consultants, managed service providers or value added resellers to more efficiently manage protection against malicious malware, freeing up valuable time and resources to stay focused on the business.
In conclusion, the SaaS model offers an alternative approach to the way that end-point security is delivered today. Since 2008 and 2009 will certainly focus on consolidation (anti-virus, data leakage prevention, end-point encryption, etc), it is essential that SaaS be adopted as an industry standard in end-point security protecting businesses from the SMB to the very large enterprise.
1 PandaLabs Research Study 2007:
http://research.pandasecurity.com/
archive/Think-you_2700_re-protected_3F00_-Think-again.aspx
2 http://www.idtheftcenter.org/artman2/publish/
m_press/Breach_List_2008_Q1.shtml
Don’t Overlook the Online Channel: Combating Multi-Channel Fraud at the Source
The latest threat to online banking accounts involves fraudsters using multi-step schemes that involve different interaction points with financial institutions.
Cyber-criminals commit this multi-channel fraud by first breaching an account via the online channel to steal valuable information such as account balances, check images, or signature blocks, in order to commit wire, check and other types of offline fraud that never gets linked to the original breach online.
Unfortunately, the online channel's role in these schemes is often overlooked. This is precisely what makes this kind of fraud so effective - and hard to catch. Financial institutions only register the final transaction fraud, and cannot account for the original breach, which often occurs in the online channel. Add this to the fact that consumers don't know it is happening, and the fraudsters have a perfect opportunity to continuously get away with this crime.
Case in point is what happened recently to a leading financial institution that serves tens of thousands of customers daily. Despite aggressive efforts to safeguard its online environment, fraudsters pulled off a startling multi-channel fraud scheme.
Here's how the fraud scheme worked:
1. The fraudster called the institution's customer service number and, using social engineering techniques, reset the online account password and contact phone number.
2. The fraudster accessed the online account, learned more about the customer's online activities, and downloaded check images containing the customer's signature.
3. The fraudster then called on a separate institution using the stolen information to open a new account in the victim's name.
4. A wire transfer was arranged to empty the victimized account and credit the new account at institution #2. Because the names on the accounts were the same and the fraudster had provided a phone number under his/her control and a valid signature, an offline verification of the transfer by phone, as a second means of identification, passed and was authorized.
5. The fraudster withdrew his loot piecemeal, visiting separate branches in a state different than the victim's.
Legacy Fraud Detection Methods Blind to Online Activity
When fraudsters use schemes involving multiple interactions with different touch-points across an institution, they aren't caught because the precursor online channel breach is often overlooked.
Common industry practice registers the final fraud transaction as the breach point, and case forensics employ limited resources to return insight that cannot trace the original breach to the online channel. When accessed only for reconnaissance, the online channel records no "transaction" for detection. This is precisely what makes multi-channel fraud so effective - and so hard to catch. Moreover, what kind of fraud is our previous example to be classified? Is such a loss wire fraud, check fraud, or simply "online account fraud"?
A next-generation approach to online fraud prevention is needed if we are to continue to inspire customer confidence in the online channel. According to Javelin Research's 2007 Identity Fraud Survey Report, it takes an average of 60 days for consumers to even detect that fraud has occurred. This leaves fraudsters with a perfect opportunity to commit successful multi-channel fraud crimes if financial services providers don't take pre-emptive steps to protect both their customers and their bottom line. New best practices and back-end technologies that focus on online behavior can better isolate and prevent multi-channel fraud at the source.
Modeling Individual Account Behavior Stops Fraud at Its Source
An emergent best practice is to employ predictive models of individual customer online behavior to detect when the "customer" logging in isn't who they say they are, even if they pass authentication. Beyond simple machine signature technology, user profiling technologies rely on trended analysis of behavior account by account. They start by understanding what "normal" behavior is for each individual customer - and admit that there is no single pattern of "normal" behavior to write an anti-fraud rule against.
Dynamic, model-based analysis of account activity "does the math" - piecing together what are by themselves may seem like weak indicators of fraud until a powerful pattern emerges. Behavior that deviates from what is expected becomes suspicious - the more the deviation, the deeper the suspicion. This comprehensive analysis allows for more granular risk scoring and better correlation with offline activity patterns. A byproduct of this behavioral analysis also allows for a rich history of online activity that aids investigation and forensics.
Using these techniques, institutions can identify the fraudster via the alerts to online activity outside the customer's predicted behavior. Deploying strong analytics at the source - the online channel - ensures that fraudsters' attacks are shut down before any damage is done.
Storm Botnet Subsides
Something new may be on tap to replace Storm as the big botnet pest, as its size decreased substantially in April.
Efforts to clean up the Storm botnet drove it down to 5 percent of its original size in April. This puts current estimates of Storm-botnetted machines at around 100,000 machines.
Security vendor MessageLabs said ongoing efforts associated with new Storm cleanup tools purged the malware from infected computers. Some estimates put Storm's botnet at 2 million machines before the big purge took place.
"April was a month of unpredictability, Mark Sunner, Chief Security Analyst at MessageLabs, said in a statement. Storm's decline happened while incidents of attacks escalated.
MessageLabs claimed to observe 70 targeted spam attacks with Trojans per day in April. The upcoming Beijing Olympics persists as a major factor in such spam, with Olympics-related subject lines common for those attacks.
An old spam standby received a bit of a makeover, MessageLabs noted. Criminals are creating fake profiles on business networking sites like LinkedIn to lend credence to the typical 419 scam. They direct recipients to check out their "credentials" on the site to assure them they are dealing with a real person and not some common criminal.
eBay Has Its Romanian Hacker
An arrest in Budapest turned up one Vlad Constantin Duiculescu, aka Vladuz, a thorn in the side of the online marketplace.
A business deal turned out to be a sting, and Vladuz took a deep wound from it. His time roaming around eBay's forums using pilfered credentials and generally making a nuisance of himself to the company has been at least interrupted for now.
The Register cited Romanian news reports that Vladuz ended up wearing handcuffs after his attempt to sell a software application to interested buyers instead brought police to his door. EBay has been chasing Vladuz for over a year.
His exploits reached eBay's forums, where he managed to pose as an official eBay representative. He and eBay disputed how far he was able to get in to their systems; Vladuz claimed extensive access, while eBay denied that.
If eBay's account is accurate, they believe Vladuz caused about a million dollars in damages from his exploits. For now, Vladuz will enjoy jail cuisine for a 29-day period. Further details about the 20-year-old's fate have not been revealed.
Google Builds Tools To Fight Child Porn
An ongoing effort with the National Center for Missing and Exploited Children (NCMEC) by Google produced video tools for use in finding exploitative images and videos.
Google research scientist Shumeet Baluja described the search giant's work on the company blog in developing these tools. Through 2007, Baluja and co-workers crafted tools to help NCMEC find child predators.
"The tools we provided will aid in organizing and indexing NCMEC's information so that analysts can both deal with new images and videos more efficiently and also reference historical material more effectively," said Baluja.
NCMEC said in a statement the group and law enforcement agent partners have reviewed over 13 million images and videos to help rescue victims and identify criminals.
"Criminals are using cutting edge technology to commit their crimes of child sexual exploitation, and in fighting to solve those crimes and keep children safe, we must do the same," said Ernie Allen, president and CEO of NCMEC.
The tools come from Google's ongoing work in video and image search. This research-stage technology helped NCMEC handle the multitude of such content arriving at their CyberTipline and from police agencies.
"We hope the tools we've built for NCMEC will help its analysts make the important and often time-sensitive work of investigating child predators faster and more efficient," Baluja said.
PayPal Calls For Partnerships Against Phishing
One of the most popular phishing targets on the Internet wants to thwart criminals, but needs a lot of help to do so.
Stamping out phishing won't happen with one company pushing for a fix. Payment processor and eBay component PayPal needs cooperation to accomplish this.
"We know we're always going to be an attractive target for criminals. But what I don't want is PayPal to be protected and the rest of the industry not. Phishing could be solved, there's no need for it to happen," PayPal chief info security officer said at a security conference recently.
Phishing for PayPal details happens on an immense scale. A report at Silicon.com said Yahoo's efforts to block PayPal-related messages alone kept 50 million phishes out of Yahoo Mail since last fall.
That happened thanks to digital signatures appended to PayPal's legitimate messages. When a phish lacking that signature hits Yahoo, the message gets tossed.
Microsoft received some credit from Barrett, as the company's Internet Explorer 7 browser may be helping stop people from going to phishing sites thanks to its anti-phishing technologies. (Firefox and Opera also carry phishing protection in their browsers.)
Phishing persists as a standby for criminals. Through the use of botnets, phishers send out millions of messages. It doesn't take many to make the crime profitable, as the distributed nature of spamming this way costs the phishers little.
Couple that with how the phishing types tend to be hiding out in countries where effective prosecution against computer crime is a pipe dream for security pros at best, and one can see where Barrett is coming from with his call for more partnerships against phishing activities.
Online Criminals Outsource Their Work
A study by security vendor Finjan suggested a trend in criminal behavior has them farming work out to established rings with a technology infrastructure in place.
Among the trends cited by Finjan in its Web Security Trends Report, the company found criminals with sufficient capital opting to engage in a business practice normally associated with legitimate businesses: outsourcing.
Botnet creators have been known to let spammers pay for access to compromised servers, which are then used to crank out millions of messages to inboxes all over the world.
Finjan dubbed the next iteration of this practice, "crimeware." It isn't only about botnet rental, or even using pre-made kits to create exploits, as Finjan observed:
After maturing into a full-fledged market driven by economical forces, we are now seeing a trend for cybercriminals to deploy the B2B model (business to business, or more accurately Criminal to Criminal, C2C). Owners of malicious sites share their victims with other site owners in order to leverage the strength of one site and provide business to the other.
It gets worse for security pros:
Currently, we see the rise of the Crimeware-as-a-Service (CaaS) model in the Crimeware-toolkit market.
It enables such a toolkit to gather the data from the victims and sort it according to some rough criteria for the users, since all the data and networking is already built-in and available for the criminals and attackers.
This development will further distant the criminals from the techies - a trend that we have seen evolving over the past couple of years. This trend will get a further boost with the catching on of the CaaS model.
The bad guys are becoming more organized and sophisticated year after year. This isn't an Internet crisis anymore, it's a global crisis, and one that probably can't be solved. The profit potential is so high that we doubt anything short of turning the planet into a cold, lifeless cinder will put a stop to it.
Sports, Politics Ride Latest Spam Wave
The Summer Olympics, the NFL, and the ongoing Presidential campaigns all present ripe content for spammers and the malware they try to deliver to victims.
 | | Sports, Politics Ride Latest Spam Wave |  |
Getting malware onto a machine depends on how well the criminal can deceive the recipient into clicking a link or otherwise taking some action. Social engineering to engender trust in spam regularly taps popular culture and current events in an effort to encourage people to make the wrong choice.
Security vendors noted the latest tries by criminals to grab machines for their purposes. MX Logic said a spike in spam in July reversed a four-month downward trend.
They expect the increase to continue through August, even though political spam has been at an unusual low point by MX Logic's reckoning. The company expects that to change, as spammers send out links to purported videos that bring in malware instead.
In 2007, NFL-related spam brought along malware disguised as a real-time scoreboard. MX Logic noted that compromised machines and added them to a Storm botnet; they expect football spam to rise as the preseason gets underway.
McAfee said Internet users should be aware of the likelihood of malicious intent behind some Olympic-themed content. Offers of free downloads of Olympic-related software, as well as spam containing links or attachments on the Olympic theme, should be viewed with suspicion.
The goal of the criminals behind these attacks remains a financial one. They want whatever information they can steal from others to sell or use themselves. A little skepticism will help defeat these attempts, along with an up to date security package too.
Lost TSA Data Laptop Found In Its Office
A laptop containing details on 33,000 people allowed to bypass security checkpoints at airports turned up after being missing for more than a week.
 | | Lost TSA Data Laptop Found In Its Office | |
Despite the reappearance of the missing laptop over a week after it apparently vanished from San Francisco International Airport, the Transportation Security Administration still plans to keep new applicants from joining the Clear program.
The San Francisco Chronicle said the missing machine contained names and addresses, but not Social Security or credit card numbers, on travelers enrolled in Clear. A company called Verified Identity owns the laptop and operates the Clear program under contract with TSA.
However, it seems the laptop never should have contained the information it has in the first place. Someone downloaded traveler details from a separate server onto the laptop, which according to early reports had not been compromised.
That could have happened as the data was not encrypted per TSA requirements. A couple of passwords protected the contents of the now-returned laptop, but Verified Identity won't be signing up any new travelers until TSA wraps up an investigation and a process audit of the company.
The movement of data from a server to a laptop, especially information as sensitive as this, never should have been allowed to go unnoticed in the first place, as evidently happened with Verified Identity.
We expect our inbox to be besieged with companies stating how they can provide services to detect this kind of data access. We've mildly considered forwarding all those pitches along to Verified Identity.
Countrywide Insider Stole Data For Two Years
Major mortgage lender Countrywide has more problems than those presented by the abysmal housing market: an employee pilfered data on nearly 2 million customers over a two-year period.
 | | Countrywide Insider Stole Data For Two Years | |
Working off hours on Sundays with USB drives on hand, Rene Rebollo Jr. grabbed personal information week after week and sold it to Wahid Siddiqi, netting about $70,000 in the process.
Rebollo worked as a senior financial analyst for Countrywide's Full Spectrum Lending, a division that specialized in subprime lending. The Mercury News said he has been accused of grabbing 20,000 records each week, and selling the data to Siddiqi for $500 each time.
Such data included Social Security numbers, and exposed each victim to potential identity fraud. Countrywide has contacted about 19,000 customers to date with offers of free credit monitoring services for two years to help mitigate that risk.
The crime highlighted the risk of failing to impose and monitor data access controls at Countrywide. Though solutions exist to alert security professionals of such activity, and to restrict the usage of portable storage devices, not enough companies utilize those services.
|
