
Security

Social engineering and pharming attacks rose this year, and VoIP-based spam emerged as a possible future threat. Next year will see more action in information security and identity management solutions.

Sunday, December 18, 2005

Today, a security threat can enter from anywhere, be it through e-mail, a Web browser, or even an infected notebook plugging into your network. It could also come from an unpatched machine or a disgruntled employee, or from a seemingly innocent phone call, a technique that falls under the social engineering type of attack. We recall incidents of people receiving phone calls from callers claiming to be from credit card companies, who tried to wheedle out their credit card details. Besides social engineering, we also saw lots of phishing and pharming scams this year, two techniques aimed at fishing out a user's personal information. So security has definitely been at the top of everyone's mind this year, and will continue to be that way next year as well. As most of these attacks are aimed at stealing identities, we're seeing a lot of action in the identity management solutions market. And as more enterprise businesses move online, they need better security measures. This led to a rise in SSL-based VPN solutions, and even a rise in integrated security appliances.

Predictions for 2006
  • Role-based access control will increase in use, and identity management solutions will become more visible.

  • Appliance-based security products will increase, and more players are likely to enter this field.

  • SSL based VPNs on the rise as more organizations do business online.

Security appliances  
A lot of vendors are entering the market with security appliances and integrated appliances that have firewalls, anti-spam, antivirus, and even end-to-end encryption. Also included in these appliances is the ability to demarcate DMZs and support VPN over IPSec or PPTP with either 3DES or AES (256-bit) encryption. The IDS features on these boxes cover detection of various kinds of known attacks, including flooding, IP spoofing, DoS, etc. Such a box can also react in an emergency by dropping packets from the attacker's address. Some appliances even have network anti-virus capability. These need to be geared to meet enterprise-class performance requirements for availability and speed. The iForce IDS appliance from Symantec, for instance, is supposed to monitor networks at speeds of up to 2 Gbps on some models.

Vulnerability stats  
The number of vulnerabilities reported this year is up by about 500 from last year and stands at 4,268. This is about 25 times more than ten years ago, when a few hundred vulnerabilities used to be reported each year. That trend was broken between 2000 and 2002, when the count rapidly doubled each year and went up to 4,129 at the end of that period. This year's count so far is more than that figure. The services most frequently under attack were reported to be FTP, SSH, DNS, HTTP/HTTPS, SunRPC, NetBIOS and SQL Server. Thankfully, most of these attacks could be mitigated by upgrading to newer versions of software or changing port numbers. CERT sees the number of Trojans and self-propagating worms as an area of concern.

Hit or Miss
Certification
One influencer is the BS17799 certification for security professionals, and the second is the amazing number of computer forensics and ethical hacking institutes that opened up in the last year. These institutions seek to teach IT professionals how to better secure their systems and networks by first putting them on the other side of the table (as the would-be hacker). Security and auditing also took on a lot of importance, mainly because of the number of internal documents that found their way into the public eye. It is expected that a larger number of companies of all sizes will invest in auditing their deployments and tightening security, physical and cyber, in the next year or two.
DRM and Sony
The latest security issue to hit the headlines is the Sony DRM issue. Sony-BMG (the record label) apparently released a limited number of CDs into the market with a new kind of copy protection mechanism. They made it so you could play and copy music from these CDs only if you used the software distributed on those CDs. However, in order to implement this, Sony-BMG used a technology called a 'rootkit'. These are programs that provide high levels of access to a computer system. To date, several Trojans and viruses have emerged on the Net that make use of Sony's rootkit application to give their programmers backdoor access to the affected system. And to infect your system, all you need to do is play one of these CDs on your PC.

Social engineering & ID theft  
This year saw social engineering attacks like the one at a Delhi-based call center, where one of the executives sold a Sun reporter details of bank accounts, credit cards and driver's licenses of UK bank customers for under $10 each. The call center worker also reportedly assured the reporter that he could sell him details of 2 lakh such accounts a month. Earlier this year, US customers of Citibank suffered thefts of $350,000 because of a similar breach at another call center in India. The twin calamities of the Asian Tsunami and the earthquake also prompted several websites of questionable intentions to spring up and seek donations on behalf of the victims, only to disappear after they had collected a sizeable fortune. This has led to concern about managing identity securely. The two main technologies leading ID management are devices like SecurID, which have one-time keys that you use at designated terminals or screens, and digital certificates. With more financial and government services going online, the need for effective identity management only goes up.

Everything's cached  
Nowadays, anything that's exposed to the Web has most likely been stored away forever in some corner of the Internet. Internet archival systems like The Wayback Machine and content replication systems that provide mirroring services are but the tip of the iceberg. Add to this the proliferation of community networks (blogs, et al), where something rumored to have been said catches on like wildfire and gets endlessly replicated and linked so anyone can find it with a simple keyword, and the problem only gets worse. What problem? What if your internal employee appraisal letters somehow got onto Google? Recently, some internal e-mail of Papa John's, a pizza house in the USA, got onto Google accidentally (it is still there as we go to press). The problem with the permanence of content on the Net is that even if you act swiftly to protect your information with simple measures such as password protection or a change of URL, caching mechanisms will still preserve their own copies for quite some time to come.

Disk space-full  
Scientists postulate that about 23% of the Universe is composed of dark matter: stuff we cannot see, but whose presence has direct consequences for our Universe. Much the same is true for files and programs on our hard disk. For so many things to happen when we just click onto a Web page, our computer downloads and runs many files and programs, large and small. And all of it is on our computer's hard disk. Those that run may never, in fact, leave our computer completely, no matter what tools we use. This, in fact, is the single biggest challenge for system administrators worldwide. Even malware has its defenses, but 'dark files' have no known cure. The problem is that most combative techniques use either black or white lists to eliminate the unwanted. While most users don't know the difference, these lists are more often than not out of date and require constant administrative overhead to keep them updated. Resurgent defenses now include system-wide policies that let users rather than software vendors decide what's useful and what's not and discard the rest; the term for this is 'gray-listing'.

Cracking for the public  
Cracking passwords, it seems, has become commonly accessible and fashionable. A site has sprung up, powered by Zhu Shuanglei's 'Rainbow Crack' engine (an open source download), that promises to place online about 500 GB of rainbow tables (pre-computed password hashes), readily usable by anyone who pays for an account. RainbowCrack-Online.com claims to be for cracking what Google is for search. A lofty claim, sure, but imagine how much more you need to protect your systems once such a database is at the beck and call of every cracker around the world! The price tag on it should keep away most kiddie-crackers, and the service is purportedly to be used only for white-collar cracking for security auditing.
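Why precomputed tables only pay off against unsalted hashes, as an added example that is not part of the original article: a plain lookup dictionary stands in for a rainbow table (which compresses the same precomputation using hash chains), and the candidate list, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny candidate list standing in for the
# hundreds of gigabytes of precomputed hashes the article mentions.
CANDIDATES = ["password", "letmein", "qwerty123", "Summer2005"]

def unsalted_hash(password: str) -> str:
    """Fast, unsalted digest: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

# Built once, then reusable against every database that stores unsalted hashes.
PRECOMPUTED = {unsalted_hash(p): p for p in CANDIDATES}

def lookup(stored_hash: str):
    """Return the password if its hash is in the precomputed table, else None."""
    return PRECOMPUTED.get(stored_hash)

def salted_hash(password: str, salt: bytes = None, iterations: int = 200_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)

def demo():
    weak = unsalted_hash("letmein")
    salt_a, strong_a = salted_hash("letmein")
    _, strong_b = salted_hash("letmein")  # second user, same password
    return {
        "unsalted_recovered": lookup(weak),
        "salted_recovered": lookup(strong_a.hex()),
        "same_password_same_hash": strong_a == strong_b,
        "verify_ok": verify("letmein", salt_a, strong_a),
        "verify_wrong": verify("qwerty123", salt_a, strong_a),
    }

if __name__ == "__main__":
    print(demo())
```

Because each account gets its own random salt, a table would have to be rebuilt per account, which removes the advantage of precomputing it once and selling access to it.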

A turnaround?  
Marcus Ranum (the inventor of the proxy firewall) would have us believe that patching systems and doing security audits is the wrong way to do things, since it means that things aren't 'secure by default'. In his article, The Six Dumbest Ideas in Computer Security (http://www.ranum.com/security/computer_security/editorials/dumb/index.html), he outlines what he thinks really needs to be done, which is basically to disallow anything you do not know to be good, rather than attempt to create a blacklist and block only known bad things. He also cautions his readers not to fall into the age-old trap of implementing the 'latest' in an attempt to stay ahead of the hacker, or to trust in periodic reeducation of network users who insist on opening attachments from strangers or believing email from banks they don't have accounts with. Marcus agrees with Kevin (Kevin Mitnick, 'The Art of Deception') that security is a social as well as a technological concern. But, contrary to Kevin's idea of user education, Marcus would like enterprises to get into proactively blocking unwanted people and software rather than relying on users to do it.
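The difference between blocking known-bad items and allowing only known-good ones, as an added example that is not from the original article or from Ranum's essay: the file names, byte strings and function names below are constructed placeholders, with SHA-256 digests standing in for whatever identifier a real execution-control product uses.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample "binaries": byte strings standing in for executables.
APPROVED = {"payroll.exe": b"payroll build 4.2", "mailclient.exe": b"mail client 7.1"}
KNOWN_BAD = {"worm_a.exe": b"worm variant A"}

ALLOWLIST = {digest(b) for b in APPROVED.values()}
BLOCKLIST = {digest(b) for b in KNOWN_BAD.values()}

def enumerate_badness(data: bytes) -> str:
    """Blacklist model: run everything except what is already known to be bad."""
    return "deny" if digest(data) in BLOCKLIST else "allow"

def default_deny(data: bytes) -> str:
    """Allowlist model: run only what has been explicitly approved."""
    return "allow" if digest(data) in ALLOWLIST else "deny"

# Constructed launch attempts: one approved program, one listed threat,
# one variant the blacklist has never seen, one unreviewed internal tool.
ATTEMPTS = {
    "payroll.exe": APPROVED["payroll.exe"],
    "worm_a.exe": KNOWN_BAD["worm_a.exe"],
    "worm_b.exe": b"worm variant B",
    "newtool.exe": b"unreviewed admin tool 1.0",
}

def compare(attempts=ATTEMPTS):
    """Map each file name to (blacklist verdict, default-deny verdict)."""
    return {name: (enumerate_badness(d), default_deny(d)) for name, d in attempts.items()}

def disagreements(attempts=ATTEMPTS):
    """Names on which the two policies give different verdicts."""
    return sorted(n for n, (black, white) in compare(attempts).items() if black != white)

if __name__ == "__main__":
    for name, (black, white) in compare().items():
        print(f"{name:12} blacklist={black:5} default-deny={white}")
```

The two policies differ only on files neither list has seen: the blacklist runs the unlisted variant, while default-deny stops it at the cost of also stopping the unreviewed tool until someone approves it.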
