
Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


A Week to Stay Under the Blankets

To support the implementation of the Data Protection Act (1998), the UK has established a small body designed to audit and prosecute companies with respect to their compliance with the Act. The Data Protection Act was initially established to ensure that customers of UK businesses could maintain a level of trust in how their privacy-related information was being handled. The new agency is called the Regulatory Action Division and is part of the Information Commissioner's Office. The body was reportedly established because of the rapid increase in the number of companies holding privacy-related information.

Further news and reporting on the NISCC alert first mentioned in last week's column has come to hand. It appears that the attacks have been underway for quite a number of months. At least 1,000 attacks are claimed to have resulted from this activity, with more than 50 countries affected. Because of significant concerns that the attacks are the work of well-resourced organised crime interests, or are even state sponsored, the NISCC released the advisory to warn others, to confirm the rumours of the attacks that had been spreading, and to confirm an online crime wave that has intensified recently, with more groups participating in similar attacks.

The mechanism of the attacks apparently relies on the information that other worms and viruses leak once they have infected a system. This information is then used to craft an approach customised to the intended target. Information such as internal workplace structures and personnel positions can be used to make the targeted infections look more like legitimate work mail, a common practice among people engaged in social engineering cons. What makes this approach different is the apparent central coordination and directed attacks from a determined criminal element, and the willingness to chase after military and government systems, which are usually avoided because of the greater scrutiny and security expected of those systems (and the pursuit of breaches).

In information released by the NISCC, the agency states that it believes no more than 12 people are involved in the primary attacks it has been tracking, and that these people are able to turn an attack around (move to another target) within two hours. The NISCC further details that the attacks started in March 2004 and have continued at a rate of 10 to 20 per week since then. MessageLabs, which has been helping with the investigation and analysis, advises that the infecting trojan applications are being changed with each attack to try to slip past system monitoring tools. Other sources indicated that the attacks are not as focussed as initially reported.

It also appears that the companies being targeted are those that have previously been infected, and thus leaked the information being used in the current attacks, leading some observers to consider these attacks a second round of related infections. For investigators, the lack of an apparent short-term financial return raises doubts that the attacks are being coordinated by criminal concerns. The NISCC stated that one reason it released the advisory was to discover the scope of the attacks within other organisations, and whether they extend to infrastructure other than that which the NISCC is responsible for monitoring. A Home Office spokesperson was on record stating that the NISCC, in conjunction with local agencies, was close to turning off the source of the attacks. For observers of these trends, these attacks are not a surprise, and many have been seeing similar attacks for quite a while.

A recent virus infection in Japan has seen confidential information relating to Japanese nuclear power plants leaked to the virus authors. Almost 40 megabytes of information dealing with safety inspections carried out on numerous power plants was leaked. Apparently, the leak was the result of a virus, referred to as the 'disclosure virus', which infected installations of Winny, a very popular Japanese Peer to Peer application. An employee of a Mitsubishi Electric affiliate responsible for conducting nuclear plant inspections was identified as the source of the breach. As allowed by company policy, the employee was using his personal computer for work purposes, and it was some of this data that was exposed. Plants affected included the nuclear power stations at Tomari, Sendai, Tsuruga and Mihama, and the information lost included imagery of plants during inspection, team names, the locations where personnel were staying during the inspections, and copies of reports on regular inspections.

Vulnerabilities associated with the Winny Peer to Peer application have also been responsible for other Japanese information breaches:

Plans announced by the US Military to maintain records of all high school and college students have raised concerns about the safety of the databases that will be developed to hold the records. As reported, the databases will be a collation of commercial data and information already available to the US DOD, and will be managed to highlight students who meet the required standards for military service. This gives military recruiters an impressive edge: the ability to target students, backed by an incredible supply of highly specific personal information. For students, there does not appear to be any way to avoid the databases; even those who opt out will have their information maintained in separate databases, which will be checked against the primary databases to ensure no pollution of the live data. Even with the higher standards of data integrity that the military specifies, there is an enormous risk of compromise of the data and abuse of the contained information, especially as it places the data in a single framework. Privacy advocates are enraged at the planned system, with some believing that it effectively allows the US Government to bypass laws that restrict it from collating data on US citizens by handing the work off to commercial firms. The US military already has a level of access to the US schooling system as a result of the No Child Left Behind Act of 2002, which can restrict the amount of federal funding available to a school if it restricts access to certain personal information.

Perth-based company Clarity 1 is the first company to be prosecuted under the Australian Spam Act, which came into force in April 2004. The company's managing director claims that his business operations are legal, and is willing to defend his company's operations in court, although many people regard him as quite a significant spammer. Although Clarity 1 is not the first company contacted by the Australian Communications Authority, it is the first to be prosecuted, and was accused of sending 56 million spam messages since April 2004. This is good news, but don't expect your incoming spam levels to drop off at all. In the survival of the fittest that the Internet encourages, this just removes the weakest of the spammers - those who establish themselves in countries with anti-spam laws.

News broke on Thursday of an Indian call centre employee who was caught selling the details of customers of various UK banking institutions. The UK tabloid The Sun sent an undercover reporter to purchase personal details, credit card numbers and logon details for UK banking customers. A total of 1,000 individuals had their details sold for £4,250. The call centre employee indicated that he could sell up to 200,000 account details per month. The sale of this information is likely to be in breach of the UK Data Protection Act 1998, which was enacted to protect the information of UK citizens held by companies and government agencies.

Sticking with identity theft related news, reports surfaced towards the end of last week detailing an under-reported side of identity theft cases. It appears that filing false unemployment claims with stolen identity data is more profitable than pursuing credit card companies, with as few as 100 accounts over 26 weeks being able to obtain over $1 million US. The drawback of this approach is the requirement, in many instances, to collect these payments in person, which limits the maximum number of fraudulent accounts and increases the risk of exposure. In addition to being an added burden on Government coffers, in some cases where there are fixed funds available for distribution it may actually empty them ahead of legitimate claimants, or make it more difficult for legitimate claimants to make claims. The other downside is that it may not actually be happening. There has been no further reporting to support the claims in the article, there are no specific sources beyond unnamed people, and the author of the linked piece appears to have a vested interest in placing this concern in front of people, as they represent a firm involved with payroll software.

It was announced recently that Microsoft's webmail service, Hotmail, would soon (from November) refuse to deliver any mail that does not have a valid Sender-ID. Sender-ID is an extra check applied to an email message which ensures that the domain (e.g. skiifwrald.com) that an email was sent from matches the domain claimed in the email message itself. While this added check will not stop very much spam, it will make it more difficult for phishers to send out emails claiming to be from accounts@paypal.com or some other financial institution, and it will effectively stop 'joe-jobs' from being effective against hotmail.com addresses. A 'joe-job' is where somebody sends out email claiming to be someone else, including modifying the Reply-To and From email headers to identify as the person they are claiming to be. There are concerns that this extra step will actually make it more difficult to communicate with people who use hotmail.com email addresses, frustrating the legitimate user but not the spammer. This means that if your ISP, or mail sending domain, does not add a Sender-ID to outgoing messages, your messages sent to hotmail.com accounts will not arrive. Even though hotmail.com accounts have a 'trusted sender' type of capability, the filtering of messages will apparently take place prior to the checking of trusted sender status, which means that even if you have added someone as a trusted sender, their messages may still be deleted prior to delivery. It is also indicated that the use of message forwarding results in an incorrect Sender-ID being applied to the email message.

Sender-ID technology was developed by Microsoft, and has just recently gained approval, along with Sender Policy Framework (SPF), from the IETF to enter the Experimental phase of the long road to becoming an Internet standard (which it is currently not on track to be), but some bodies are refusing to deal with it due to onerous licensing restrictions. For those who did not follow the previous link, it basically outlines that the Apache Software Foundation will refuse to support Sender-ID in any of their products, which include the web's most popular webserver (Apache), Struts, Jakarta, Ant and a number of other key Internet technologies. Both Sender-ID and SPF will help mitigate impersonation as far as the From and Reply-To parts of email are concerned, but their actual implementation has caused significant problems, such as undeliverable mail, for a number of users who have followed the specifications completely.
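As an added illustration of the kind of check Sender-ID and SPF perform (example code written for this column, not Microsoft's or the IETF's implementation), the following evaluates a sender's IP against an SPF-style record published by the domain in the envelope sender, and shows why a message relayed by a forwarder fails the check as the column warns. The domains, addresses and records are constructed placeholders in documentation ranges, and the DNS lookup is replaced by an in-memory table so it runs offline.

```python
import ipaddress

# Constructed stand-in for the DNS TXT lookups a real SPF check performs.
RECORDS = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 include:mailer.test -all",
    "mailer.test": "v=spf1 ip4:198.51.100.10 -all",
    "nospf.test": None,  # domain that publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip sending as domain."""
    if depth > 10:  # RFC 7208 caps the number of DNS-dependent terms per check
        return "permerror"
    record = RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no policy published, so nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # 'in' is False when address and network are different IP versions
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, exists, ... are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit 'all'


def classify_message(mail_from, sender_ip):
    """Check the envelope sender's domain against the connecting host's IP."""
    return check_spf(mail_from.rsplit("@", 1)[-1], sender_ip)


if __name__ == "__main__":
    # Constructed cases: a direct send, a send via the included relay,
    # a spoofed phish, and a legitimate message relayed by a forwarder
    # whose IP the bank never authorised (the forwarding failure mode).
    for ip in ("192.0.2.25", "198.51.100.10", "203.0.113.9", "203.0.113.50"):
        print(ip, classify_message("accounts@example-bank.test", ip))
```

The forwarder case fails for the same reason the phish does: the receiving server only sees the forwarder's IP, so a domain's record cannot distinguish a legitimate relay from an impersonator without the forwarder rewriting the envelope sender.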

Following on from the earlier reported incident, where the existence of encryption software on a system could possibly be used to help establish criminal intent, a case has surfaced in the US where the viewing of Internet content may be classed as possession in certain circumstances. In this particular case a suspect was caught with illegal imagery in his browser cache, and the prosecution is trying to have this treated as equivalent to possession of the illegal imagery.

A scrutiny of software from various security software providers found that, combined, they had more reported serious vulnerabilities than Microsoft Windows over a given time period. The reporting was designed to highlight that applications used to protect systems and data are not infallible, and can cause or contribute to major problems with systems (such as incorrect virus definition files, or firewalls targeted to spread worms).

In a recent analysis published by consulting firm Gartner, the firm claims that users are reducing their use of online commerce due to concerns over online security. The reported figures indicated that more than a quarter of those surveyed were reducing their online banking, and of those concerned about online banking, four percent have stopped banking online completely and 14 percent have stopped paying bills online. One Gartner analyst is even calling this year a watershed year for commerce, security and the Internet.

27 June 2005
