Russian hackers are world class


Upload: brian-mckenna

Post on 05-Jul-2016


April 2005 Network Security

Microsoft talks up security

After 25 years of complaints about the poor security of its products, Microsoft has published a 19-page booklet, The Trustworthy Computing Security Development Lifecycle, that outlines the "cradle to grave" procedures for a mandatory "Security Development Lifecycle" for all its Internet-facing products.

The new process "significantly reduces" the number and lethality of security vulnerabilities, it says. The new approach comes from Bill Gates and Steve Ballmer, Microsoft's chairman and chief executive. So far software produced using the SDL framework includes Windows Server 2003, SQL Server 2000 Service Pack 3 and Exchange 2000 Server Service Pack 3.

Windows Server gets extra protection

Windows Server 2003's new Service Pack 1 allows Windows servers to turn on their firewalls as soon as they're deployed, and to block inbound Internet traffic until Windows downloads Microsoft's latest security patches.

A new security configuration wizard detects a server's role as a file server, Web server, or database host, for example, and then disables the software and ports not associated with that role. It also makes DCOM, Microsoft's technology for distributed objects, less prone to attack, the firm says.

VoIP vulnerabilities addressed

Security worries are holding up adoption of VoIP. Even so, research from In-Stat/MDR suggests penetration will reach 34% among mid-sized businesses, and 43% in large enterprises.

To increase adoption rates, the new Voice over IP Security Alliance (VOIPSA) has created a committee to define security standards for Internet telephony networks.

In large networks, the bandwidth and time associated with routing traffic and spam create a latency problem for VoIP traffic through the firewall. Other topics include security technology components, architecture and network design, network management, and end-point access and authentication, infrastructure weaknesses, vulnerabilities and emerging application attacks.

Warp speed, Mr Plod

The British government has set up six Warps (warning advice and reporting points) to allow businesses to share confidential information about risks, security breaches and successful countermeasures, and to receive tailored security alerts.

The government also promised a Warp to show home computer users how to improve PC security and lower the risk of them becoming staging posts for hackers attacking businesses. The US and Holland are considering creating similar programmes, says the National Infrastructure Security Co-ordination Centre (NISCC), which is co-ordinating the scheme.

Don't trust hardware

Hardware devices are as insecure as any IT system, Joe Grand, CEO of Grand Idea, told delegates at the Amsterdam Black Hat conference. Attacks include eavesdropping, disrupting a hardware security product, using undocumented features and invasive tampering.

Network appliances, mobile devices, RFID tokens and access control devices are all potentially at risk. The storage of biometric characteristics on back-end systems also sets up avenues of attack, and physical characteristics are often easily stolen or reproduced.

Researchers recently showed how to exploit cryptographic weaknesses to attack RFID tags used in vehicle immobilisers and the Mobil SpeedPass payment system. SSL cryptographic accelerators are also potentially hackable, as demonstrated by a recently documented attack against Intel's NetStructure 7110 devices. Wireless Access Points based on Vlinux, such as the Dell TrueMobile 1184, can also be hacked.

Security through obscurity is still widely practiced in hardware design but hiding something does not solve the problem, Blackhat delegates were told.

IM creates instant havoc

Security threats from Instant Messages have increased 250% this year, according to a report from IMlogic Threat Center. The research tracks viruses, worms, spam and phishing attacks sent over public IM networks. It found reported incidents of new IM threats grew 271% so far. More than half the incidents happened at work via free IM services such as AOL Instant Messenger, MSN Messenger, Windows Messenger, and Yahoo Messenger.

Israel jails colonel for losing PC

The Israeli army jailed the commander of an elite Israel Defense Forces unit for two weeks for losing a laptop computer containing classified military information. The laptop should have been locked away, but was apparently stolen while he was on a field trip with his soldiers.

NEWS

Russian hackers are world class

Brian McKenna

Russian hackers are “the best in the world”, Lt. General Boris Miroshnikov told the eCrimes Congress in London on 5 April. “I will tell them of your applause”, he told the clapping audience at the start of a speech reporting on cyber crime developments in the region.

Miroshnikov is head of Department K, established within Russian law enforcement to deal with computer crime in 1998. His department has worked closely with the UK's National Hi-Tech Crime Unit.

Countries, like Russia, he said, that came late to the internet exhibit its problems more dramatically. From 2001-3, computer crime in Russia doubled year on year, he confirmed. “Only in 2004 did we hold back the growth”.

“It used to be naughty boys who committed these crimes”, he said, “but now they have grown up”. It now needs the co-operation of telecoms companies, ISPs, the legal profession, and law enforcement to tackle the problem, he said.

Alan Jebson, group COO at HSBC Holdings, echoed the Russian’s rueful ‘boast’. “We are up against the best”, he said at the same event. “Some of these Russian hackers have day jobs designing highly secure encryption technologies”.

“We must have comparable laws and sanctions. We need to agree what is a computer crime”.

He reported that when Department K was in its infancy “80% of computer crime was out of sight. We are now getting better because the victims know who to come to and we have had no leaks of victim identity”.

He concluded that there is a strong need in Russia for state standards that will keep out the “charlatans of computer security”.
