news

device, the corporate goal would be to facilitate that access. If an attacker wanted to disrupt business and cause the bank to lose money, they could achieve this by targeting the customer. One way that this could be done is by sending an SMS message that reconfigured the customer's mobile device to prevent them from accessing the account. Thus, the bank has been targeted by a denial-of-service attack, but has not been the 'weakest link' in the attack.

Ebsworth's way of looking at security takes some getting used to. He concedes that "Security is like insurance, you throw money at it, and never seem to get anything back." But, Ebsworth concludes, in order to achieve successful risk management, you must have ownership within the business which is supported by the appropriate team: "the right people clued up with the right words".

ISPs found to give simplistic security advice to firms

Recent research into the relationship between SMEs and corporates and their ISPs indicates that ISPs are giving misleading advice about how to achieve security. And firms are listening. Over half of the respondents in a survey (54%) had security supplied by their ISP, while 98% of these had implemented the ISP's recommendations. "ISPs are misleading the market," said Matt Tomlinson from MIS Corporate Defence Solutions, who commissioned the survey.

Furthermore, of those with ISP security who were hit, many were most vulnerable to and fell foul of known, popular exploits (see Box 1). Arguably, these are the kind of problems that those who have shelled out for security should not suffer from.

It was discovered that a typical security measure recommended by ISPs involved installing a firewall with default configuration. Other popular choices were AV and content and spam filtering systems. IDS, VPN, PKI and any sort of encryption were conspicuous by their absence. However, bespoke security planning was available to 12% of customers: presumably the ones who knew what they wanted to start with.

Tomlinson explained, "SLAs that were being issued were mostly to protect ISPs and only 15% had a direct reference to security [and this was] mostly for corporates, if they pushed, they tended to get [security]". According to Tomlinson, the survey revealed that users are aware of a broad range of issues, but do not know where to turn. When businesses approach the ISP, they are presented with an easy solution and want to believe that they have 'done security' once they have followed the advice. Even though "Users are sceptical…the majority of organizations are implementing the ISP recommendations." Tomlinson says that this is foolish because "An ISP is someone who provides bandwidth, not security. If you hurt your back, you don't see a GP, you see a chiropractor."

Startup issues $1 million hacking challenge

A Canadian security hardware start-up company, Saafnet, has offered a $1 million cash prize to anyone who can successfully breach its systems. Saafnet makes hardware 'gap technology' which can disconnect always-on connections when not actually in use and thus reduce the window of opportunity for an Internet-based attack. The firm says that its technology differs from other similar products in that it will be available for around $149 — significantly more affordable than comparable wares.

Company founder Vikash Sami, 24, first threw down the virtual gauntlet in Canadian newspaper the Globe and Mail. The challenge relates to the company's AlphaShield 2000 product and will take place during a five-day period, yet to be confirmed, later this year to coincide with the product's release. The move is brave indeed, particularly coming from a one-year-old fledgling firm with only 12 staff and only promises of venture capital injections. The company only has $2 million of assured private funding.

Other organizations that have issued similar hacking challenges have faced public relations nightmares when they backfired. For example, in April, Argus Systems had to pay out $50 000 when PitBull, the hitherto impermeable intrusion prevention technology, was compromised just hours into its challenge. The Secure Digital Music Initiative (SDMI) Public Challenge went horribly wrong last year when two groups of hackers claimed to have presented successful hacks of the MP3 watermarking technology in question. SDMI says that the technology was not breached and has threatened lawsuits should the hackers publicize their solutions. Leonardo Chiariglione from SDMI summed it up when he said in October that if the system is breached, "no-one will remember we won the PR war". For more on the Secure Digital Music Initiative see the October and November issues of "Network Security".

Box 1: The seven deadly exploits

• BIND
• IIS 4/5
• RPC Services
• WOO FTP
• Password theft
• SNMP
• Open file sharing

The top seven exploits that firms secured by ISPs are vulnerable to. Source: MIS Corporate Defence Solutions.