
The need for a united industry in combating malware

ISSN 1361-3723/09 © 2009 Elsevier Ltd. All rights reserved

This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying
Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

Contents

NEWS
Users feel safe with smartphones 1
Hackers target social networking 1
First conviction over encryption keys 3
Employers afraid of social networking 3
Financial fraud booming 20
Facebook apps designed for phishing 20

FEATURES

Uniting industry to combat malware
The Common Computing Security Standards Forum is bringing together anti-malware, OS and browser vendors in the hope that sharing information will more effectively combat malware. Melih Abdulhayoglu of Comodo explains its aims. 5

Security rewards of being green
Making your business more energy efficient and eco-friendly doesn’t just offer cost benefits. There are security advantages, too – not least in reducing the attack surface you present to potential miscreants. Scott Nursten of NG Bailey explains. 8

Security with a Michelin-star service
There is now a bewildering array of security solutions and services available. How do you select what you need and ensure you get the right level of service? Paul Judd of Fortinet has some ideas. 10

The changing face of malware
Hacker attack vectors are evolving quickly. Steve Gold examines how the attackers are changing tactics and now see all program code as ‘open source’. 12

From compliance to risk-based security
Just ticking the boxes to keep regulators happy about your security efforts isn’t going to keep you safe, argues Peta Bunbury of Advent IM. That’s just the start: you need to analyse the real risks to your business and address those. 14

Never say never
Dario Forte describes a case of social engineering in which computers played only a very minor role, but which has lessons we can all learn about information security. 17

REGULARS
Editorial 2
News in brief 4
Events 20

Computer Fraud & Security  ISSN 1361-3723  September 2009  www.computerfraudandsecurity.com

Users feel safe with smartphones, but are running risks

Smartphone users are fairly complacent about web-based threats and phishing attacks, even though comparatively few of them are running anti-malware software.

This is the conclusion of a survey by Trend Micro of 1,000 smartphone and iPhone users in the US. It found that nearly half (44%) of users questioned believed that surfing the web with a smartphone was at least as safe – if not safer – than doing the same with a PC. And yet only 23% of them were making use of the security software that was already installed on their devices. Twenty per cent believed that such security wasn’t necessary because surfing the web via smartphone was ‘safe’.

Generally, these are not ignorant people. All the surveyed users were adults; 80% of them knew about phishing and 20% said they had encountered it. Nearly half had received spam on their smartphones in the past three months, with 17% noticing an increase in the amount of spam. Yet half of the respondents had opened email attachments and 40% had clicked on URLs in emails.

The survey found that Apple iPhone users were more likely than other smartphone users to surf the web, visit audio/video-sharing sites, online shops, blogs and social networking sites, send and receive email, open email attachments and click URLs in emails.

Featured this month:

Believing that net users deserve better than the prevailing no man’s land of internet security, Melih Abdulhayoglu of Comodo has founded a forum where interested parties worldwide can come together to discuss security issues and problems within the industry.

The forum, called the Common Computing Security Standards Forum (CCSS), invites participants such as security software vendors, operating system vendors and browser vendors, and membership is free of charge. Via teleconferencing and a listserv, members can discuss solutions for issues such as malware and phishing. This summer, the organisation published its first list of legitimate anti-virus software packages.

The Forum hopes to play a key role in developing standards for malware detection, provide a communications channel between vendors, and also offer a link between the IT security world and other industries.

Turn to page 5…

Hacking attacks target social networking

Nearly a fifth of web hacking incidents occur on social networking sites, according to a new study. Conducted by Breach Security as part of its work on the Web Hacking Incident Database (WHID), the report says that online attacks in the first half of 2009 were up by 30% compared to the same period in 2008 and that 19% of them targeted the social networking world.

Continued on page 3...


...Continued from page 1

Other popular targets include media websites (16%) followed by sites focusing on retail, technology, the internet and government/politics, each attracting 12% of the hacking activity.


SQL injection remains the most popular method (at 19%) followed by the exploitation of insufficient authentication (11%). Cross-Site Request Forgery (CSRF) is only the fifth most frequent method, but it’s on the rise, warns the report. This is the first year in which CSRF has become a “mainstream hacking tool”, it says. Breach adds that it has also noticed a significant increase in the use of automation, ranging from brute-force password cracking through to bypassing the wait queue in reservation systems and skewing opinion polls.

The report also lists 11% of attack vectors as ‘unknown’. This, it says, is because too many websites have insufficient web application logging mechanisms. As a result, they find it difficult or impossible to carry out proper incident response, either to identify who attacked them and how or – more worryingly – to fix the problem.
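The WHID figures above name SQL injection as the top vector, note the rise in automated brute-force logins, and blame missing request logging for the 11% of incidents that could not be attributed at all. As an added illustration (this is not code from the report, from Breach Security or from the magazine), the following Python script runs crude SQL-injection and brute-force detection over a handful of constructed combined-format web-server log lines. The IP addresses, paths, timestamps and thresholds are invented for the example, and the SQL-injection patterns are deliberately simple: the point is what even minimal request logging lets an incident responder reconstruct, and what it does not.

```python
"""Triage of web-server access logs for two WHID attack classes: SQL
injection probes and automated brute-force logins.

Added example, not from the WHID report. Log lines, addresses and
thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Apache/nginx "combined" format:
#   ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crude SQL-injection indicators, applied to the URL-decoded request path.
# Good enough to surface probes in a log; not a substitute for a WAF or
# for parameterised queries in the application itself.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+",       # ' OR 1=1, ' or 'a'='a
        r"union\s+(all\s+)?select\b",                 # UNION SELECT ...
        r"(;|\s)(drop|insert|update|delete)\s+\w+",   # stacked statements
        r"(/\*|\*/|--\s|#)",                          # SQL comment tokens
        r"\bsleep\s*\(|\bbenchmark\s*\(",             # time-based blind probes
    )
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote_plus(rec["path"])  # attackers URL-encode payloads
    return rec


def is_sqli(decoded_path):
    return any(p.search(decoded_path) for p in SQLI_PATTERNS)


def triage(lines, login_path="/login", fail_status=401, threshold=5, window_s=60):
    """Flag SQLi probes and per-IP login failure bursts; count requests whose
    bodies the log format cannot show (the 'unknown vector' gap)."""
    sqli, unlogged_bodies = [], 0
    fails, success = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] in ("POST", "PUT"):
            unlogged_bodies += 1  # combined format never records the body
        if is_sqli(rec["decoded_path"]):
            sqli.append((rec["ip"], rec["decoded_path"]))
        if rec["path"].split("?", 1)[0] == login_path:
            if rec["status"] == fail_status:
                fails[rec["ip"]].append(rec["time"])
            elif 200 <= rec["status"] < 400:
                success[rec["ip"]].append(rec["time"])
    bruteforce = {}
    for ip, times in fails.items():
        times.sort()
        j, best = 0, 0
        for i, t in enumerate(times):  # sliding window over sorted failure times
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bruteforce[ip] = {
                "failures": best,
                # a success after the burst suggests the guessing worked
                "then_succeeded": any(s > times[0] for s in success.get(ip, [])),
            }
    return {"sqli": sqli, "bruteforce": bruteforce, "post_bodies_unlogged": unlogged_bodies}


# Constructed sample log (documentation-range IPs, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2009:10:02:11 +0000] "GET /profile.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2009:10:02:15 +0000] "GET /profile.php?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 98231 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2009:10:02:19 +0000] "GET /profile.php?id=42%20UNION%20SELECT%20user,pass%20FROM%20members HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Aug/2009:10:05:01 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-urllib/2.6"
198.51.100.9 - - [14/Aug/2009:10:05:02 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-urllib/2.6"
198.51.100.9 - - [14/Aug/2009:10:05:03 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-urllib/2.6"
198.51.100.9 - - [14/Aug/2009:10:05:04 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-urllib/2.6"
198.51.100.9 - - [14/Aug/2009:10:05:05 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-urllib/2.6"
198.51.100.9 - - [14/Aug/2009:10:05:06 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-urllib/2.6"
192.0.2.33 - - [14/Aug/2009:10:06:40 +0000] "GET /search?q=rock%20%26%20roll HTTP/1.1" 200 2210 "http://example.test/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Run against the sample, the script attributes two SQL-injection probes to 203.0.113.7 (the second of which returned a 500, worth correlating with application error logs), flags 198.51.100.9 for five login failures inside a minute followed by a successful login, and reports six POST requests whose bodies the combined format never captured. That last number is the report’s point in miniature: an injection sent in a POST body, or a CSRF request that looks like a legitimate form submission, leaves nothing in an access log to investigate, so application-level logging of parameters, session identifiers and authentication outcomes has to be designed in before the incident.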

The most frequent outcome is what Breach categorises as ‘defacement’ (28% of incidents). However, this classification includes not just the planting of images or alteration of text but also the insertion of malware on the site, which clearly has far more serious consequences.

The leaking of sensitive information is the second most common outcome (26%) and so-called ‘disinformation’ is third (19%) – the latter being aimed mainly at celebrities. The report is here (PDF): <http://bit.ly/4y4ULw>

First RIPA convictions over disclosure of encryption keys

The first convictions have been made under Section 49 of the UK’s Regulation of Investigatory Powers Act 2000 (RIPA). The controversial Part III of the Act – the last to come into force – includes measures to force the disclosure of encryption keys.

Sir Christopher Rose, the Government’s Chief Surveillance Commissioner, referred to the convictions in his recent annual report, but gave no specifics about who the two people were or what they had done. It is not necessary for someone to be a suspect in a case for them to fall foul of Section 49. Some 15 people have been served with Section 49 notices in the past year – compelling them to comply with investigations. According to the annual report, these were cases of “counter terrorism, child indecency and domestic extremism”.

In fact, only four people actually complied with the notices; of the other 11, seven were charged but only two (so far) convicted. Possible penalties include up to two years in jail (five years if it’s a national security investigation) plus fines.

Section 49 notices are granted to police forces by the National Technical Assistance Centre (NTAC), based at GCHQ in Cheltenham. A total of 26 have been issued in the past two years. The police must then obtain permission from a judge to serve the notices. This permission was granted in all 17 cases where it was sought.

RIPA III has been broadly condemned, not just by civil liberties advocates worried by its effect on the right to privacy, but also by various sectors of industry. Banks, for example, have been concerned over the potential for security systems to be undermined by the disclosure of encryption keys.

Employers more afraid of social networking than weapons

When it comes to which websites to block, social networking tops employers’ hit lists. ScanSafe has reported that 76% of employers that use its web filtering services now block access to services like Facebook.

That’s slightly ahead of the number (75%) who bar websites about weapons and significantly ahead of those who ban alcohol (64%), webmail (58%), shopping (52%), sports (51%) and banking (47%) sites.

On the whole, employers are getting tougher about which sites their staff can surf from the office. In the past six months, around an additional quarter of companies blocked access to sites for travel, restaurants and bars, sports and

Continued on back cover...

NEWS

September 2009  Computer Fraud & Security  3

Vulnerabilities used by hackers to attack websites. Source: Breach Security.