Infosecurity Today, March/April 2006, News, page 8

News In Brief

Designing for security at the University of Oxford

The University of Oxford is running two IT security courses this year.

Platforms for Security (PLA) runs from 27-31 March. This five-day course looks at system platforms, with an emphasis put on practical and repeatable means of implementing these securely. Topics covered include: buffer overflows, cryptographic libraries, sand-boxing, code signing, and code correctness.

Design for Security (DES) runs from 16-20 October. This five-day course explores how cost-effective solutions to security needs can be achieved following architectural practices and security principles. Central to these considerations is the need to make use of well-established solutions, while striking a balance between security and other system requirements. Topics include: managing security, security requirements, security evaluation and assurance, and security design patterns.

Course fee: £1,880 per course.

Small, targeted botnets emerge as threat
Brian McKenna

Botnet herders using zero day malcode to target small numbers of victims is emerging as a major threat du jour, Mikko Hyppönen, chief research officer at F-Secure, told delegates to the recent Websec, in London.

Anti-virus companies, such as his own, are more and more running into the difficulty of unknown malware. Historically, AV vendors have been able to analyze malicious code samples from masses of affected customers. But now, for-profit malcode is being deployed stealthily, under the radar of the AV experts. And it is being used against small numbers of well chosen targets.

Hyppönen instanced an attack which targeted members of the British Houses of Parliament earlier this year, using the WMF vulnerability. This was stopped before reaching its intended recipients, but F-Secure analyzed its Trojan payload: it opened a back door entered from mainland China.

As another example, he cited a spammed email seemingly from the Washington Post, and sent towards the end of 2005. This targeted recipients with .mil, .gov, and .hk addresses. It featured a Word attachment with a title intriguingly referring to intellectual property rights in China. Again, the point of ingress to the targeted computers was in mainland China.

“Botnets are actually going down in size, in order to be used in under the radar attacks”, he confirmed.

Hyppönen also warned delegates to be aware of:

• competitive DDoS attacks (by one company on another)
• ransom Trojans (demanding, say, $20 to get files encrypted by criminals back)
• man in the middle attacks against one time password systems
• and mobile phone viruses

“For profit mobile phone viruses, such as the RedBrowser Trojan, are a wave of the future”, he said. And, unlike computers, mobile phones have a built in billing system.

“The main thing is that, since January 2003, the enemy has changed. It’s no longer hobbyists, who have not totally disappeared, but for-profit criminals”.

Commissioner tells CeBit that privacy is RFID concern
SA Mathieson

The European Union will hold a series of meetings and an online consultation on the use of Radio Frequency Identification (RFID) chips.

Viviane Reding, information society commissioner, told the March CeBit show in Hanover, Germany: “The marriage between RFID and databases can indeed lead to micro-monitoring and widespread tracking of people’s daily lives.

“The European Commission shares concerns about a future of ubiquitous surveillance, identity theft and low trust. User trust and confidence is a crucial element for the take-up of RFID.”

Reding added that, along with privacy issues, the EU will examine interoperability of RFID technology and allocation of radio spectrum.

The public meetings will take place between March and June in Brussels, with the online consultation starting in June or July.

More information: http://europa.eu.int/information_society/policy/rfid/

© SA Mathieson 2006.

Problem PINs down North Americans
SA Mathieson

A vulnerability on bank card personal identification numbers, which led to Citibank blocking PIN transactions for its American customers in the UK, Canada and Russia, does not apply to countries which have adopted ‘Chip and PIN’ bank cards, according to the UK payment association Apacs.

Apacs, whose 31 members deal with 97% of UK payments, said that under the Chip and PIN system, which became compulsory in many UK shops on 14 February this year, the PIN acts as a ‘handshake’. This means it is transmitted for authorization rather than stored in retailers’ equipment – the apparent source of the problem affecting Citibank customers.

Apacs added that most countries have adopted Chip and PIN, but that the US and Canada still depend on magnetic stripe cards.

In a research note, US-based Gartner analyst Avivah Litan wrote that the banking industry was ‘less than halfway through’ solving the problem of “PIN block” card fraud, and many more bank customers will be affected.

PIN blocks are versions of the PIN encrypted by a retailer’s terminal, but if this data and the encryption key are stolen from a terminal along with the card number, criminals can produce cloned cards for use in cash machines.

© SA Mathieson 2006
