News, Infosecurity Today, March/April 2006, page 8
News In Brief

Designing for security at the University of Oxford

The University of Oxford is running two IT security courses this year.

Platforms for Security (PLA) runs from 27-31 March. This five-day course looks at system platforms, with an emphasis put on practical and repeatable means of implementing these securely. Topics covered include: buffer overflows, cryptographic libraries, sand-boxing, code signing, and code correctness.

Design for Security (DES) runs from 16-20 October. This five-day course explores how cost-effective solutions to security needs can be achieved following architectural practices and security principles. Central to these considerations is the need to make use of well-established solutions, while striking a balance between security and other system requirements. Topics include: managing security, security requirements, security evaluation and assurance, and security design patterns.

Course fee: £1,880 per course.

Small, targeted botnets emerge as threat
Brian McKenna
Botnet herders using zero-day malcode to target small numbers of victims is emerging as a major threat du jour, Mikko Hyppönen, chief research officer at F-Secure, told delegates to the recent Websec in London.

Anti-virus companies, such as his own, are more and more running into the difficulty of unknown malware. Historically, AV vendors have been able to analyze malicious code samples from masses of affected customers. But now, for-profit malcode is being deployed stealthily, under the radar of the AV experts. And it is being used against small numbers of well-chosen targets.

Hyppönen cited an attack which targeted members of the British Houses of Parliament earlier this year, using the WMF vulnerability. This was stopped before reaching its intended recipients, but F-Secure analyzed its Trojan payload — opening a back door entered from mainland China.

As another example, he cited a spammed email seemingly from the Washington Post, sent towards the end of 2005. This targeted recipients with .mil, .gov, and .hk addresses. It featured a Word attachment with a title intriguingly referring to intellectual property rights in China. Again, the point of ingress to the targeted computers was in mainland China.

“Botnets are actually going down in size, in order to be used in under-the-radar attacks”, he confirmed.

Hyppönen also warned delegates to be aware of:
• competitive DDoS attacks (by one company on another)
• ransom Trojans (demanding, say, $20 to get files encrypted by criminals back)
• man-in-the-middle attacks against one-time password systems
• mobile phone viruses

“For-profit mobile phone viruses, such as the RedBrowser Trojan, are a wave of the future”, he said. And, unlike computers, mobile phones have a built-in billing system.

“The main thing is that, since January 2003, the enemy has changed. It’s no longer hobbyists, who have not totally disappeared, but for-profit criminals”.
Commissioner tells CeBit that privacy is RFID concern
SA Mathieson

The European Union will hold a series of meetings and an online consultation on the use of Radio Frequency Identification (RFID) chips.

Viviane Reding, information society commissioner, told the March CeBit show in Hanover, Germany: “The marriage between RFID and databases can indeed lead to micro-monitoring and widespread tracking of people’s daily lives.

“The European Commission shares concerns about a future of ubiquitous surveillance, identity theft and low trust. User trust and confidence is a crucial element for the take-up of RFID.”

Reding added that, along with privacy issues, the EU will examine interoperability of RFID technology and allocation of radio spectrum.

The public meetings will take place between March and June in Brussels, with the online consultation starting in June or July.

More information: http://europa.eu.int/information_society/policy/rfid/

© SA Mathieson 2006.

Problem PINs down North Americans
SA Mathieson

A vulnerability in bank card personal identification numbers, which led to Citibank blocking PIN transactions for its American customers in the UK, Canada and Russia, does not apply to countries which have adopted ‘Chip and PIN’ bank cards, according to the UK payment association Apacs.

Apacs, whose 31 members deal with 97% of UK payments, said that under the Chip and PIN system, which became compulsory in many UK shops on 14 February this year, the PIN acts as a ‘handshake’. This means it is transmitted for authorization rather than stored in retailers’ equipment – the apparent source of the problem affecting Citibank customers.

Apacs added that most countries have adopted Chip and PIN, but that the US and Canada still depend on magnetic stripe cards.

In a research note, US-based Gartner analyst Avivah Litan wrote that the banking industry was ‘less than halfway through’ solving the problem of “PIN block” card fraud, and many more bank customers will be affected.

PIN blocks are versions of the PIN encrypted by a retailer’s terminal, but if this data and the encryption key are stolen from a terminal along with the card number, criminals can produce cloned cards for use in cash machines.

© SA Mathieson 2006