June 2005 Network Security
CIA CARRIES OUT 'WAR GAME' TO SIMULATE MASSIVE INTERNET ATTACK
The CIA has carried out a three-day cyber 'wargame' exercise to simulate a large-scale Internet assault against the USA. Set at a time five years in the future, the exercise, named 'Silent Horizon', aimed to test government and private sector response to Internet attacks over several months, launched by 'enemies of America'. Details have been kept secret, but it is known the exercise took place in Charlottesville, Virginia, and was run by members of the CIA's Information Operations Center, which evaluates foreign threats to US computer systems. The US Government has conducted a series of attack simulations since 11 September 2001.
COMPUTER CRIME MAKING LESS IMPACT IN AUSTRALIA
Computer crime and security incidents made less of an impact in Australia over the past 12 months than during the previous year, according to the Australian Computer Crime and Security Survey 2005. But the survey says that the fight against hackers and malware is far from won. More than one third of the 500+ organizations involved in the survey admitted that the confidentiality, integrity or availability of their networks had been disrupted by attack - compared with around half of the respondents in 2004.
18-YEAR-OLD PLEADS GUILTY TO ONLINE STORE ATTACKS
A US teenager from Michigan has pleaded guilty to carrying out several online attacks in the latter part of 2004 against an online clothing store based in Delran and other E-businesses. Jason Salah Arabo, 18, of Southfield, Michigan, was charged with conspiracy to cause the transmission of a program, information, code and command, and intentionally 'to cause damage without authorization, to a protected computer'.
It is alleged that the attacks caused widespread harm and disruption to Internet and computer services beyond the online businesses that Arabo targeted. The Internet service providers (ISPs) which hosted the targeted websites also provided services to several other businesses, which were also said to have been harmed by the attacks.
FLAW IN CISCO IP PHONES FOUND
A software flaw in Cisco Systems' IP phones could cause a crash - prompting the company to issue a patch. The flaw exposes the IP phone to denial-of-service attacks, and was reported by the UK's National Infrastructure Security Co-ordination Centre. The Centre said the Domain Name System (DNS) protocol vulnerability, which can affect other software, warranted a 'moderate risk' warning. The flaw involves Cisco IP phones running the DNS protocol, which manages the translation of domain names into IP addresses. The vulnerability is caused by an error that occurs during the decompression of DNS messages.
EXTORTION INSTANCE POINTS TO FRESH THREAT
The San Diego-based firm, Websense, has reported an extortion instance in which a corporate customer had encrypted files containing documents, photographs and spreadsheets infected. A 'ransom note' was issued via an email address, which the attacker used subsequently to demand $200 for the digital keys to unlock the files. A small sum maybe, but this incident has attracted the attention of the FBI. It said the ploy was a new type of Internet extortion crime, unlike previous instances.
'WITTY' WORM PROBABLY AN 'INSIDE JOB'
Researchers from the International Computer Science Institute believe they have discovered where the 'Witty' worm started, and that it could have been an 'inside job'. Last year the worm infected more than 12,000 servers around the world in around 75 minutes. Witty spread via a flaw in products from Internet Security Systems (ISS). Its payload corrupted information on hard drives and crashed about half the systems it got into. The researchers re-created how Witty spread based on its code and the random number generator it used to select victims. The most likely origin was thought to be a server in a European ISP.
UK FRAUD LAW FOR PHISHING
By revamping fraud laws, the UK Government will make it an offence to launch phishing attacks. The offence can be committed as false representation, abuse of position (such as people in trusted positions using deceitful means for their own profit) or failing to disclose information.
SLOVENIA BANK: EMV SMART CARD AUTHENTICATION FOR ONLINE TRANSACTIONS
The Slovenian bank, Banka Koper, is introducing online authentication of an account holder using a standard EMV smart card, based on the MasterCard Chip Authentication Programme (CAP). Xiring will supply the bank with more than ten thousand smart card readers. Retail customers will use the readers with their EMV bank cards for user authentication for accessing banking services online.
M-COMMERCE APPS ENDANGER SITES
Mobile phone applications are a conduit for attacks on normally secure web sites, says security consultancy SecureTest. Hackers can penetrate mobile applications, alter code and then move in on the website. Source code for, e.g., a betting application on a smartphone can be modified, which can then act as a means of accessing the website to modify the content of the database - which may include live betting odds.
NEWS
Dorothy Denning on infosec and physical security
Brian McKenna
You currently work at the US Naval Postgraduate School. Do you think there is a lot that civilian information security professionals can learn from the military?

Classified information standards are much higher than is generally necessary, so there is a limit. But I have, for example, recently been working a lot in the area of deception. The military have been doing that kind of thing to protect the security of their information for a long time. We are starting to see ideas from that coming into computer security — with honeypots, for example. I’ve written some things in that area.
In general, do you think infosec professionals can learn things from the physical security world?
We have a different attitude in information security, which is that everything has to be perfect. When you are in the virtual environment, if someone has an attack tool, a lot of systems can be compromised. In the physical world you can’t go around picking all the locks in the world. So, in the physical world we accept that things cannot be foolproof. You don’t want to be locked out! But in the infosec world we haven’t taken that view.
Another contrast is that locksmiths have a tradition of keeping the knowledge of how to pick locks rather secret, within their own community. In the virtual world you get all this publishing of vulnerabilities. That raises a lot of difficult issues. You’ve got to stop at some point; you cannot fix all the vulnerabilities after all.