2005- Headfry Security Year in Review
Many dedicated technology news media sites will provide you with the minutiae for 2005 - the number of viruses; the creep of spyware; the wealth of ever more sophisticated phishing attacks; details about the alliances between the spammers, the malware writers, hackers and cyber-vagrants. And so on.
We won’t be doing that here.
If you have read the Headfry news throughout 2005, you will already have the drift.
Here at Headfry, we believe that the main threats that emerged in 2005 were terror, keyloggers/spyware, and phishing attacks.
Terror
The horrific events in the London Underground made it very clear that no-one is safe from fanatics of every stripe who would do us harm. Remote electronic detonation devices are nothing new. What is new is that there are people- EU citizens, no less- who are prepared to die in order to kill and terrorize us. The unthinkable has become our new reality.
It is no longer a hazy and distant problem that can be written off by right-minded folk as 'Middle Eastern madness'. It is in our back yards. These people live amongst us.
In many ways, that frightful realization changes everything. How we respond as an open, democratic society will determine our fate.
Malware
Virus numbers may be down, but viruses are more targeted and stealthy, as they chase the weakest links: broadband-rich home users with little protection, and smaller financial institutions. Spyware has become a real nuisance, and the fact that vendors and advertisers cannot even agree on what constitutes spyware (as opposed to the less invasive and/or less harmful 'adware') doesn't help matters.
Microsoft's long-awaited move into the commercial security space- with beta anti-virus and anti-spyware products now available to US consumers at no charge (for now)- may have an impact in 2006, as the company brings its collective might, and its presence on virtually every desktop, to bear on the problem. It will also, hopefully, shake up the old boys' club that has constituted the security industry for far too many years.
Keyloggers are proving to be highly effective, pesky little devils- finding their way onto Sumitomo Mitsui Bank PCs in London, as part of a scam to move millions out of the bank to Israeli co-conspirators. Keyloggers were also involved in the mightily colourful Israeli competitive intelligence scandal that rocked that country, and was read with glee most everywhere else.
Keyloggers are hard to spot. If cheap hardware versions are used, you may have to inspect the keyboard cable or take the keyboard apart to even know they are there- and no anti-virus product will see them, because nothing runs on the PC at all. Think of the huge potential for a determined bank insider in league with tech-savvy outsiders. Couple that with USB memory sticks that can hold a copy of a hard drive's contents and be filled in minutes, and minute camera phones that can capture a screen. It boggles the mind.
Phishing sets banks quaking
And devious, social-engineering-enhanced phishing attacks are spooking the banks like nothing ever before. So much so that the US banking regulators did the unthinkable in 2005 and issued two highly important edicts to US member banks: they mandated reporting of security breaches to customers, in defined circumstances, effective immediately; and they mandated that, no later than year-end 2006, US banks offering 'Internet-based financial services' must use enhanced authentication methods, which bank examiners will review in 'upcoming examinations'.
Terrifying, heady stuff for banks- heavily resource-dependent and expensive. And awful tidings for their already over-burdened security departments, creaking under the weight of the regulations they already face. But at least the US regulators are on the ball. They also know that they cannot go it alone- that their ability to influence global events is finite.
The phishing attacks skilfully exploit an inherent weakness in the Internet infrastructure: the marked lack of authentication built into the model. Neither e-mail nor the web was designed to prove who is sending a message or who is operating a site. Did you ever try re-engineering something you built? From the ground up? That nearly a billion people are using on a daily basis? It's a tall order, and it may never happen.
Progress is very slow, as the various stakeholders- the vendors, security providers, ISPs, and telcos- cannot agree on much. Representatives of the main Web browsers gathered at an informal meeting in Toronto on November 17, 2005, to discuss security and standards. All they could agree on- and this was widely touted as major progress- was where to put the 'padlock icon'. It will be moved to the address bar in all four browsers to make it more obvious.
Eureka.
They also chewed the cud around the need for better browser cryptography, after the various revelations in 2005 that parts of the cryptography used in SSL- the code that sits behind the secure connection you get online to send your credit card details to Amazon- are weaker than assumed. (The 2005 results were collision attacks on the MD5 and SHA-1 hash functions used in certificates, not a break of the encrypted session itself, but they are a clear warning that the underlying algorithms need replacing.) There was reportedly much talk about the need for 'common interfaces' and 'working together' for the 'common good'. But don't hold your breath.
In 2006, Internet Explorer 7 will have a colour-coded warning in the address bar as to 'whether a site is known or suspected of phishing'. All the browser reps in Toronto were reported to have agreed that phishing is "a threat to the entire Internet", and that the domain registrars, browser vendors and certificate authorities need to work together to stop it.
Gee whiz.
As long as there is no (easy) way to definitively confirm that site X is what it purports to be, and/or that the user or e-mailer is who they claim to be, we will be between a rock and a hard place on the phishing front, and wily fraudsters will exploit our credulity, our willingness to trust, and our need to get on with our lives without having to get a Ph.D. in engineering to do so.
So we must use the Net at our peril. The real issue will be who pays when we screw up. Should the bank reimburse you if you lose $10K to a phishing site while trying to do Internet banking? Should you be on the hook if you weren't careful enough- and try to define 'careful enough' today, when even the experts get fooled?
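To make that point concrete, here is a small added example (written for this edit, not code from Headfry or from any browser vendor) that pulls out the host a browser will actually connect to and flags the URL tricks phishers leaned on in 2005-era mail. The brand list and the sample URLs are constructed for illustration and are assumptions, not data from the column.

```python
"""Added example, not part of the original column: show why a victim cannot
tell from the URL in a phishing mail which site they will really land on.
The brand list and sample URLs are constructed assumptions for illustration."""
from urllib.parse import urlsplit
import ipaddress

# Assumption: brands a victim expects to see in a bank/auction phishing mail.
TARGET_BRANDS = ("paypal", "ebay", "bank")


def real_host(url: str) -> str:
    """Host the browser actually connects to, lower-cased.

    Everything before '@' in the authority is userinfo, so
    http://www.bank.com@evil.example/ connects to evil.example, not
    www.bank.com. That single parsing rule fooled a lot of people."""
    return (urlsplit(url).hostname or "").lower()


def registered_part(host: str) -> str:
    """Crude 'registered domain' = last two labels. Good enough for .com/.net
    style names; suffixes such as .co.uk need a public-suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_features(url: str) -> list[str]:
    """Return the deception tricks found in url (empty list = nothing obvious)."""
    parts = urlsplit(url)
    host = real_host(url)
    findings = []

    if parts.scheme not in ("http", "https"):
        findings.append("non-web scheme")

    # Trick 1: credentials in the URL so the brand name appears first.
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo before @ hides the real host")

    # Trick 2: raw IP address, no registered name to check at all.
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of hostname")
    except ValueError:
        pass

    # Trick 3: brand name parked as a subdomain of an attacker-owned domain,
    # e.g. www.paypal.com.secure-login.example
    reg = registered_part(host)
    for brand in TARGET_BRANDS:
        if brand in host and brand not in reg:
            findings.append(f"brand '{brand}' is a subdomain of {reg}")

    # Trick 4: internationalised domain (punycode) that may be a look-alike.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) label, possible homograph")

    return findings


if __name__ == "__main__":
    # Constructed sample URLs, in the style of 2005 phishing mail.
    samples = [
        "https://www.paypal.com/",                      # legitimate shape
        "http://www.bank.com@evil.example/login",        # userinfo trick
        "http://192.0.2.1/paypal/",                      # raw IP
        "http://www.paypal.com.secure-login.example/",   # brand-as-subdomain
        "https://www.xn--pypal-4ve.com/",                # IDN look-alike
    ]
    for u in samples:
        print(f"{u}\n  connects to: {real_host(u) or '(none)'}")
        for f in suspicious_features(u):
            print(f"  flag: {f}")
```

Note what the padlock does not buy you here: a fraudster who owns evil.example or secure-login.example can obtain a perfectly valid certificate for it, so tricks 2 to 4 will all show a padlock. The two-label "registered domain" heuristic is deliberately crude; a real filter would use a public-suffix list and a reputation feed.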
Canada- A Year of Living Dangerously
In Canada, as always, nothing much happened in 2005.
Not that Canadians weren't defrauded, phished, or skimmed on their debit cards. They can expect more of the same as online debit comes on stream- with no federal, or even province-wide, identity theft laws in sight, and little pressure on politicians to pony up in that respect. The banks do their own thing, largely unhindered by the regulator, and the consumer remains in the dark.
The plight of Canadians in the data security world has largely been left, by implication and default, to the already over-burdened privacy commissioners, who do a brave and feisty job fighting the battle on that particular front- with little support from legislation that is largely devoid of enforcement power, or even 'name and shame' provisions.
For 2004, the Federal Privacy Commissioner reported that a mere 5.5% of the complaints her office received concerned the PIPEDA (federal privacy act) 'safeguards' provisions- the security-related ones. It is hard to know what to make of that statistic.
In any event, the Canadian approach is indeed very Canadian: well-mannered, not overly aggressive (i.e. American)- jolly-hockey-sticks kind of stuff.
Trouble is, our adversaries don't play by these rules, and they often sit in jurisdictions far out of our reach. As Canadians were reminded in 2005 by the Federal Privacy Commissioner in her annual reports, Canadian data is being outsourced by the Feds and the private sector to the US, where law enforcement- and God knows who else- can mine and store it.
And we seem to have thrown in the towel as to whether we can do anything about it.
Secure code anyone?
Maybe, just maybe, we will see less buggy products in 2006.
2005 made it very clear that when it comes to security, even the big boys are relative novices.
The security vendors sell us products riddled with holes. Microsoft, Oracle, and a raft of other big names continue to struggle with writing decent code, and the patch burden continues unabated. The fact that many of them have lost source code to attackers, wily insiders or targeted viruses- or a combination of all of the above- remains a concern, as black market demand for such information is hot and heavy.
They also continue to fight 'researchers' and others who would expose flaws in their products, on the often dubious premise that 'Mother knows best'- that only they are qualified to do that particular show and tell.
As a result, Cisco looked defensive, guilty and tyrannical in trying to prevent the bad news leaking that its core router technology is possibly as leaky as an old sieve. And eBay faced down an irate Microsoft as the business of selling information about flaws in software (i.e. Microsoft's, in one particular instance) made it onto the ultimate global marketplace- only to be rapidly taken down.
Every school kid of average intelligence knows you can't put the genie back in the bottle. But they will keep on trying.
Microsoft will continue to fret in 2006 about the march of open-source software, and its deadly fascination for governments around the globe, desperate to save money and resources. It will continue to walk and talk a softer talk- discussing opening up proprietary code for external standards-based review and broader community approbation, and hedging its bets. It may also- possibly fatally, down the line- miss the threat posed by Yahoo, as a company-wide Google Dread infests the MS hive.
MS will continue to battle the EU, which is now threatening to fine it hefty daily sums for non-compliance with existing court orders. Steve Ballmer will continue flying to Munich and various EU hotspots to try to stem the tide of open-source adoptions, with goodie bags, discounts, and assurances on hand.
And as always, governments around the globe will keep a watchful and wary eye on private sector efforts to secure cyberspace, as the private sector jockeys to evade legislation and talk of making it liable. And they will come down on it like a ton of bricks if anything unforeseen occurs- especially in the critical infrastructure sectors.
Mark our words.