NEWS: HEADLINES

       
       
    Prof. Harry Lewis (Harvard Uni) writes about Cloud Computing in BusinessWeek "Nine questions to ask before trusting your company's data or computing tasks to an outside provider."  A definitive must read!
 
 
    Secret EU report moots sharing personal data with US
A secret report prepared by experts from six European Union member states suggests creating an anti-terrorist pact with Washington which would include sharing intelligence across the 27-strong bloc. The 53-page report drafted by the interior and justice ministers from Germany, France, Sweden, Portugal, Slovenia, and the Czech Republic - recent, current and future EU presidency countries - argues that the stronger link with the US is needed to boost the fight against terrorism, UK daily The Guardian reported. The new initiative is dubbed as "Euro-Atlantic area of cooperation" and it should involve the transfer of huge amounts of information on EU citizens and travelers to the US.

Negotiations over such a pact have so far been unsuccessful due to privacy concerns in some European countries and institutions but the new report - handed over to all governments last month - suggests that it should be finalized by 2014 at the latest. "The EU should make up its mind with regard to the political objective of achieving a Euro-Atlantic area of cooperation with the United States in the field of freedom, security and justice," said the report. In addition, the document argues that anti-terrorist campaigns can only be effective if "maximum information flow between [EU] member states is guaranteed," adding "Relevant security-related information should be available to all security authorities in the member states."

Among other proposals, the document suggests setting up "networks of anti-terrorist centres" as well as boosting powers of security-related European agencies and institutions, such as Europol [police body], Frontex [external frontiers body], and Sitcen [joint intelligence centre]. The document puts together ideas on how the EU's security policy should develop over the next five years. Its preparation was launched by Germany last year.

 

 
    Juniper adds router, switch coverage to security manager
Juniper Networks has upgraded and renamed its centralized security platform to cover many of the company’s routers and switches, less than a year after introducing the product. When first released, Netscreen Security Manager (NSM) managed policies of Juniper’s security products, the Firewall/IP Sec, VPN and Intrusion Detection and Prevention (IDP) lines. As of this week the renamed Network Security Manager 2008.1 adds security management over Juniper’s J- and EX-series of routers and switches.  Being able to centrally control more devices will help lower capital expenses, said Sanjay Agarwal, Juniper’s senior product line manager for network management. “What we’re trying to address is providing a unified app for simplified management of all these devices in the network infrastructure which helps customers reduce their cost of ownership.” The new NSM also links to Juniper’s Infranet Controller unified access control appliances to create a centralized security and infrastructure system covering switches, routers, VPNs and access control, he said. New features have been added to Infranet’s UAC 2.2 software, as well as two new members of the Infranet line, one of which scales up to 30,000 end users in a cluster.

Many of these devices share Juniper’s Junos operating system, which is updated four times a year. With NSM these updates are automatically downloaded, managed and installed, said Agarwal. With NSM 2008.1, administrators can create role-based templates and configuration groups for making policy changes. For example, a global change on all of an organization’s DNS server settings can be accomplished quickly, Agarwal said. All devices managed by NSM 2008.1 are linked through the standards-based Device Management Interface (DMI). NSM handles common management features like configuration file management, configuration management, inventory management, device discovery and bootstrap. In addition, there’s an XML/SOAP API for customers and partners who want to integrate it with applications they’ve created.  NSM 2008.1 also complements Juniper’s Security Threat Response Manager (STRM), Agarwal said, which collects log data on possible threats, by automatically acting on policies triggered by a threat threshold. However, NSM does not cover Juniper’s T-series routers. As before, customers have two purchase options: NSMXpress is an appliance for controlling up to 500 devices. For environments with more than that, customers have to buy the server-based NSM Central software, which runs on Red Hat Linux 4.0 and up or Sun Solaris 10. Juniper also announced upgrades to the software that runs its Infranet unified access control appliances. UAC 2.2 has added support for Microsoft Windows Statement of Health (SOH) and its Embedded NAP agent, meaning Infranet Controllers can now be used to help manage upgrades to Windows XP Service Pack 3 and Windows Vista.

It also adds support for those Juniper intrusion detection devices that have the company’s Co-ordinated Threat Control (CTC) system, devices not covered until now. CTC co-ordinates responses between authentication and intrusion protection. Now, if an end user accidentally triggers an online threat, the intrusion detection can not only stop it but also signal the UAC to take action, such as temporarily disabling the user’s session. Finally, the company announced additions to the Infranet Controller line. The IC 4500, for mid-sized companies, supports up to 5,000 simultaneous endpoint users. The IC 6500 supports up to 20,000 simultaneous endpoint devices per appliance or 30,000 simultaneous endpoint devices in a cluster. It includes dual, mirrored hot swappable SATA hard drives and dual, hot swappable fans. Dual hot swappable power supplies are an option. There was no pricing available at press time for the IC 4500 or IC 6500.
 
 
    Vendors to get sneak peek of Microsoft patches
Microsoft plans to give security vendors a head start in what has become a monthly race against the hackers. Starting in October, the company will provide security vendors with early access to technical details of its monthly security patches before the software updates are actually released. This will give the companies that write attack-blocking code a bit of a cushion as they write and test their security software. Microsoft calls this initiative the Microsoft Active Protections Program (MAPP) and says that participating companies must sell commercial Windows security products and have a large customer base -- and no, sellers of attack-based penetration testing tools are not invited. Early participants include IBM, Juniper Networks, and 3Com's TippingPoint division, but other companies are expected to sign up. In the past few years the tools used by cyber criminals have advanced to the point where hackers can analyze the latest Microsoft patches and then turn out exploit code within a matter of hours, so Microsoft's plan to give the security industry an early look at technical information on the bugs could be a real help, said David Endler, senior director of security research for TippingPoint.

 

 
    Canada gets mad
Canadian privacy and security experts assail US laptop seizure policy. The lineup at U.S. Customs is likely to grow longer and privacy takes another hit as border guards receive new powers to search and seize electronic devices. Crossing the U.S. border with your laptop, cell phone, iPod or video camera? Better think twice. U.S. customs agents were recently given new powers to seize notebook computers and other electronic devices of Americans and travelers of other nationalities at the border as part of an anti-terrorism program. A recently released U.S. Department of Homeland Security (DHS) policy indicates that agents do not need suspicion of wrongdoing to confiscate the electronic devices and that data contained in the devices may be shared with other agencies for decryption or other purposes. The policy covers laptops, MP3 players, pagers, cell phones, PDAs, voice recorders, digital and video cameras.

Customs and border agents have in fact been conducting the seizures for some time, but it was only on July 16 that the policy regarding the searches was released amid pressure from civil liberties and business travel groups. "The Canadian government should take the appropriate legal avenues to pressure the U.S. to review these policies," says David Fewer, staff counsel for Canadian Internet Policy and Public Interest Clinic (CIPPIC), an Ottawa-based public advocacy group.  Canadian travelers should let their local members of parliament know that they are strongly opposed to the practice, Fewer said. "This essentially constitutes a warrantless search and seizure." "Just because a traveler is crossing the U.S. border doesn't mean his or her privacy has to fly out the window," the lawyer said. The new guidelines will "needlessly" exacerbate long queues and delays at U.S.-Canada entry points for both business and leisure travelers, he added. The search is a "reactionary short-term move" which saddles Canadian businesses with additional burden and costs when conducting cross-border activities, according to David Senf, director of research for Canadian security and infrastructure software at IDC Canada. "I hope that this is just a tempest in a teapot... If this new set of powers is applied broadly, Canada and other nations should consider taking action to mitigate its application and negative impact."
 
 
    Two Apple security sessions axed
Two Apple-related security sessions have been canceled at this week's Black Hat conference due to confidentiality and marketing issues, according to a Washington Post article. The first talk, which was supposed to see Charles Edge discuss FileVault and its flawed encryption scheme, was axed after he signed an agreement to keep quiet with the Cupertino company. It seems as though this is strictly a case of not biting the hand that feeds you, as Edge states that Apple is his largest client. You can't blame him for pulling out, but as the Post article points out, this will probably just further pique the interest of the hacker community, resulting in the issue being discovered and outed regardless of any agreement. The second session, which Computerworld has more information on, was supposed to be given by an Apple engineering team, but was canceled after the company's marketing department got wind of what the team was about to do: "Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval."
 
 
    Black Hat Puts Spotlight on Security Research
The Black Hat conference will bring with it a crowd of IT security pros ready to hear about the latest research into malware, rootkits and hacker tricks. Attendees will hear about attacks on Cisco routers and from researchers from such vendors as Hewlett-Packard. IT security pros, analysts and researchers are coming together for the meeting of the minds that is Black Hat 2008. The popular security conference officially kicked off Aug. 2 in Las Vegas with a series of training sessions that wrap up Aug. 5. However, the real buzz for many attendees will be the technical briefings Aug. 6-7 at Caesars Palace.
 
 
    ICANN Plans for Disaster
VeriSign and the other companies that operate the top-level domains on the Internet are critical infrastructure. At least some of them are. What if one of them were to fail somehow? This is the question ICANN is asking with its proposed gTLD Registry Failover Plan. eWeek's Larry Seltzer explains what ICANN plans to do in case a Registry fails.
 
 
    DOJ, Secret Service Move Against International Hacker, ID Theft Ring
The U.S. Attorney and Secret Service claim an international crime syndicate was behind the identity theft of more than 40 million credit and debit card numbers from TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. The Department of Justice and Secret Service allege that the hackers used wardriving to hack networks and sniffer programs to capture card numbers and customer data. In what is believed to be the largest hacking and identity theft case ever prosecuted, the Department of Justice said Aug. 5 it has indicted 11 people for the theft and sale of more than 40 million credit and debit card numbers. Let's not forget that this deals with a hacker, not an international terrorist.
 
 
    U.S. Government Won't Cede Control Over DNS Root Zone
In a letter to ICANN Board Chairman Peter Dengate Thrush, Meredith A. Baker, the acting assistant secretary for communications and information in the Commerce Department's National Telecommunications and Information Administration, has declared that the U.S. government has no plans to yield the control it now has over changes to the Internet's DNS root zone file. ICANN manages the DNS root zone, but does so according to the terms of an agreement with the NTIA. The distribution of changes in the zone file to the various root servers around the world is performed by VeriSign. The authority of the Internet Corporation for Assigned Names and Numbers to administer various aspects of the Internet Domain Name System derives from agreements with the Commerce Department. The current agreement for that authority, the Joint Project Agreement, is set to expire in September 2009. ICANN has been gearing up for what comes next with preparations for taking more complete control. The Baker letter pulls the rug out from under some of those plans. What a ridiculous thought: The US rules the Internet and the World. Must have been conceived by Gore. But wait... wasn't he from the other party?
 
 
    Newly found hybrid attack embeds Java applet in GIF file
Researchers at NGSSoftware have developed a hybrid attack capable of hiding itself within an image and intend to present details on the exploit at the Black Hat security conference next week. New and esoteric attacks are part and parcel of what Black Hat is about, but this particular vector could target web sites with a particularly vulnerable population: MySpace and Facebook. Social networking web sites tend to attract younger users, and while this particular attack can be used in a variety of ways, embedding the hook in profile photos that are then seeded and targeted at the teen crowd could be a very effective tactic.
 
 
    Brazilian hackers stalk Twitter
Social websites like Facebook and MySpace have attracted a great deal of attention as targets of opportunity for phishing scams, but they are scarcely the only two social networking sites. New information suggests that hackers have tuned in to the newfound popularity of microblogging, and are at the very least evaluating Twitter as a potential target.  In a blog post at Kaspersky Labs' Viruslist, Dmitry Bestuzhev describes the attack and how it functions. The Twitter profile itself was created specifically for the attack; profile information is posted in Portuguese. There's nothing on the page but a link to a video promising hot girl action; actually clicking on the file redirects the browser and instructs the user to download a new version of Adobe Flash that's supposedly required to watch the "film."  ARS TECHNICA
 
 
    Hap-snap
McAfee snaps up Reconnex to add deeper data loss prevention capabilities. The move, which follows several acquisitions in the DLP space by Symantec, EMC and others in 2007, is part of a broader data protection strategy for McAfee.
 
 
    China listens in on 'foreign devils'
It's almost 8.8.2008! And China is listening. And blocking, by the way. Smart phones, BlackBerrys and laptop computers will offer up sensitive personal and business information to officials who monitor China's state-controlled telecommunications carriers. China's Public Security Bureau is working overtime. China's security policies clashed with Olympic norms on Thursday, when IOC officials said they were embarrassed by last-minute disclosures by the Chinese government that media covering the August 8-24 Olympics would not have unfettered access to the Internet. On Tuesday, U.S. Sen. Sam Brownback, a Kansas Republican, said China had installed Internet-spying equipment in all the major hotel chains serving the Olympics. Citing hotel documents he received, Brownback said journalists, athletes' families and others attending the Olympics next month "will be subjected to invasive intelligence-gathering" by China's Public Security Bureau.
 
 
    U.S. Agents Can Seize Laptops (and listen in on domestic devils as well)
Notebooks and other devices can be seized without reason and held indefinitely.
U.S. federal agents have been given new powers to seize travelers' laptops and other electronic devices at the border and hold them for unspecified periods, the Washington Post reported on Friday. Under recently disclosed Department of Homeland Security policies, such seizures may be carried out without suspicion of wrongdoing, the newspaper said, quoting policies issued on July 16 by two DHS agencies. Agents are empowered to share the contents of seized computers with other agencies and private entities for data decryption and other reasons, the newspaper said. DHS officials said the policies applied to anyone entering the country, including U.S. citizens, and were needed to prevent terrorism. The measures have long been in place but were only disclosed in July, under pressure from civil liberties and business travel groups acting on reports that increasing numbers of international travelers had had their laptops, cellphones and other digital devices removed and examined. The policies cover hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes -- as well as books, pamphlets and other written materials, the report said. The policies require federal agents to take measures to protect business information and attorney-client privileged material. They stipulate that any copies of the data must be destroyed when a review is completed and no probable cause exists to keep the information.
 
 
    OSS voices must be heard in national security debate
At the OSCON open-source software convention last week, the Foresight Institute's Christine Peterson—the individual credited with conceiving the term "open source"—urged technology enthusiasts to help redefine the way that society responds to security threats. The stakes are high, she claims, and the cost of failing to act could be enormous.  She began her presentation by discussing the multitude of serious problems that have emerged from the adoption of electronic voting machines in the United States. Although electronic voting was originally devised to simplify elections and increase the accuracy of ballot tabulation, the voting machines in use today are disastrously unreliable and insecure. The hardware failures and demonstrable susceptibility to tampering exhibited by these devices are undermining the transparency and credibility of American democracy.

Resistance, however, is not enough. In order to overcome such challenges, technology enthusiasts must find better ways to address the underlying problems that seemingly necessitate the faulty solutions. According to Peterson, the area where there is the greatest need for action is in national security. The federal government's controversial use of secret surveillance raises serious questions and poses a very real threat to privacy. She believes that the government has adopted this risky top-down approach to security because it lacks the tools it needs to address the problem in a more responsible way.

Instead of using secret spying, "we need to track the problem, not the people." The best way to combat the problem is to redefine the solution space. The answer is to drive innovation and deliver new technologies that can guarantee both privacy and security. Tools must be built that can detect security threats while also imposing verifiable limitations on government intrusion. In order to prevent abuse, these tools must be utterly transparent and perpetually subjected to the highest level of public scrutiny. Her mantra is "no secret software for public sensing data."
The people who will build such tools, she insists, need to have a deep understanding of security, privacy, functionality, and freedom. She is completely convinced that the open-source software community has the values and expertise needed to lead the way.
 
 
     


 

 

ALL RIGHTS RESERVED © 1994-2008
