Exaprotect BlogManager

The FBI has warned of a recently reported spam e-mail purportedly from the Internal Revenue Service (IRS) which is actually an attempt to steal consumer information. The e-mail advises the recipient that direct deposit is the fastest and easiest way to receive their economic stimulus tax rebate.

The message contains a hyperlink to a fraudulent form which requests the recipient’s personally identifiable information, including bank account information. To convince consumers to reply, the e-mail warns that a failure to complete the form in a timely manner will delay the rebate check being issued.

One example of this IRS spam e-mail message is as follows:

“Over 130 million Americans will receive refunds as part of President Bush program to jumpstart the economy.

Our records indicate that you are qualified to receive the 2008 Economic Stimulus Refund.

The fastest and easiest way to receive your refund is by direct deposit to your checking/savings account.

Please follow the link and fill out the form and submit before May 10th, 2008 to ensure that your refund will be processed as soon as possible.

Submitting your form on May 10th, 2008 or later means that your refund will be delayed due to the volume of requests we anticipate for the Economic Stimulus Refund.

To access Economic Stimulus refund, please click here.”

The FBI has reiterated that the IRS does not request personal information via e-mail or ask taxpayers for the PIN numbers, passwords, or similar information for their credit cards or bank accounts. Anyone who has received such an e-mail is asked to file a complaint with the Internet Crime Complaint Center (IC3).

New research unveiled at Infosecurity 2008 in London reveals that three quarters of UK employees do not understand or even know their company’s business continuity plan in event of a disaster or disruption, whilst, equally worryingly, 21% of big businesses in the UK do not have detailed business continuity plans in place.

The research, commissioned by BT Global Services, clearly shows that whilst threats such as flooding, IT disasters and terrorism continue to dominate the news, there is a major oversight on the part of many large organizations in failing to fully understand the business risks associated with IT downtime.

At the same time, the study revealed that business continuity accountability, whilst still resting in to a large degree within IT (27% CEO, 63% CIO/IT Director/CTO), is rising up the corporate ladder. Indeed the overall leadership team within businesses are increasingly involved in the key economic decisions surrounding business continuity (49% CEO/ Board/Director, 36% CIO/IT Director/CTO).

A spokesperson said “The research shows that many business leadership teams are now taking notice of the business continuity issue. That is an important development because keeping the business running, come what may, has to be a key board-level concern not just one of IT. That said, the alignment between aspiration, accountability and decision making still requires significant attention in many organizations. Likewise organizations that do not possess detailed business continuity plans need to act now.”

A hacker who refers to himself as “Anonymous Coward” has posted the personal details of over six million residents of Chile on a technology blog called FayerWayer.com.

According to FayerWayer, the databases came from the Chilean Electoral Service, the Directorate of National Mobilisation (which manages national military service), the Ministry of Education and a business telephone directory for Santiago. The personal details leaked included names, addresses, telephone numbers, tax-identification numbers and educational history.

The hacker claimed in a note accompanying the links to have posted the information in order to draw attention to data protection problems. He said that personal data in Chile is poorly protected (a concern that he seems to have confirmed pretty conclusively!) and also provided information on how to access and download such data.

The losses resulting from crimes perpetrated over the Internet reached an all-time high during 2007, according to the Internet Crime Complaint Center (IC3). More than 206,000 complaints were received, with around 90,000 of these being subsequently referred to law enforcement agencies. The reported losses arising from these complaints amounted to nearly $240m, which is an increase of more than $40m on the 2006 figures.

The first global public-private initiative to fight cyber terrorism has been launched at the World Cyber Security Summit in Kuala Lumpur.

The International Multilateral Partnership Against Cyber-Terrorism (IMPACT) is dedicated to bringing together governments, industry leaders and cyber security experts to prevent and respond to cyber threats

The aim of the non-profit body will be to improve the ability of member states to mitigate the risks from the “upper end of cyber threats”, including attacks on critical national infrastructures, said IMPACT chairman and co-founder Mohd Amin.

Recognizing that most security skills are in the private and academic sectors, IMPACT has set up an infrastructure to reflect this. For example, the International Advisory Board includes respected figures such as: Dr Vinton Cerf, Chief Internet Evangelist of Google; Steve Chang, Founder and Chairman of Trend Micro; and John W Thompson, Chairman and CEO of Symantec.

The work of IMPACT will be based around the following four core areas:

• Global Response — using an emergency response centre to facilitate swift identification and sharing of available resources, including a database of international experts from the world’s leading ICT companies and academia who can be called into service at short notice.
• Policy, Regulatory Framework and International Cooperation — working in collaboration with partners such as Interpol, EU, ITU and other such agencies, to formulate new policies and harmonize national laws to tackle a variety of issues relating to cyber threats.
• Training and Skills Development — collaborating with leading global ICT companies to conduct highly specialized training and seminars that will provide governments with an insight into the latest trends, potential threats and emerging technologies related to cyber security.
• Security Certification, Research and Development — consulting with member governments and leading ICT companies in order to formulate a checklist of global best practices, with the intention of creating an international benchmark.

With so many staff working at home one or two days a week, and everyone wanting connectivity from anywhere in the world, laptops have become very important tools.
Pretty much every organization now has a VPN to give staff remote access across the Internet, yet only a tiny minority understand how much at risk they are from laptops. If an attacker were able to gain control of a lost or stolen laptop, they would have access to all the information stored on it plus the opportunity to connect to the corporate network via the VPN.

Gartner’s recently published report Magic Quadrant for Security Information and Event Management indicates that SIEM is one of the fastest-growing security markets, with a growth rate of more than 50% in 2006, 30% in 2007 and estimated revenue reaching more than $800m in 2007.

The report states that the SIEM market is growing as a result of three factors:

• The emergence of user and resource access monitoring as the primary customer problem to be solved;
• The demand for the technology from a broad set of customers;
• The availability of the technology from large vendors that also sell related products or services.

Meanwhile, the actual adoption of SIEM technology is driven by compliance and security needs, with growing use in areas such as application activity monitoring.

Research company IDC has predicted that spending on IT security will increase in Western Europe during 2008 despite the uncertainty created by the unsettled economic conditions.

The results of its research indicate that the spending on the various components of IT security, hardware, software and services will increase to €12.5bn during 2008. This is an increase of more than 17% on the 2007 figure of €10.6bn.

A major factor is the increasing deployment of laptops and the associated requirement to provide secure remote connections to corporate networks, together with the increasing desire to encrypt the data held on such devices.

Other areas driving up the levels of spending include the growing adoption of unified threat management devices and increased spending associated with online banking security as more countries implement new regulations.

The research covered Austria, Belgium, Denmark, Finland, France, Greece, Germany, Italy, Luxembourg, the Netherlands, Norway, Portugal, Spain, Sweden, Switzerland and the UK.

The importance of high quality security skills has been highlighted in a new survey commissioned by the Computing Technology Industry Association (CompTIA). Security tops the list of the technology skills that are most important to organizations today, but the survey also reveals that there is a significant gap between the skills that are required and those that are actually available.

More than 3,500 technology professionals were surveyed in North America, Europe and Asia. Of the respondents in nine countries with established IT industries (Australia, Canada, France, Germany, Italy, Japan, the Netherlands, the United Kingdom and the United States), 73% identified security, firewalls and data privacy as the IT skills most important to their organization today. But worryingly just 57% said their IT employees are proficient in these security skills.

There is a similar gap in five countries where the emergence of a strong IT industry is relatively recent (China, India, Poland, Russia and South Africa). Among respondents in these countries, 76% identified security as the top skill their organization needed, whilst again only 57% said their current staff were proficient in security.

However, concerns over the lack of security skills might be short-lived, as around 55% of respondents said that they expected mobile, wireless and RFID skills to become more important than all others within five years.

A new report has highlighted the dangers of organizations outsourcing the coding of their critical applications, yet failing to mandate that security must be built into these applications.

The report, produced by the European information technology analysis group Quocirca, is based on a survey of 250 IT directors, senior IT managers and C-level executives in Germany, the UK and the US. Of those organizations that admitted to being frequently hacked, all of them outsourced at least some of their coding practice, with nine out of ten organizations outsourcing more than 40%.

The potential problem lies in the fact that most hackers are accessing critical data via the software application layer. According to NIST (the National Institute of Standards and Technology), 92% of vulnerabilities affecting computer networks are contained in software applications. As organizations increasingly look to outsource application development, more components of software applications are being developed outside of their direct control.

An organization that has not developed the code itself can never be absolutely certain that it is secure. However strong a relationship with a third-party developer, or watertight the service-level agreements in place, a rogue developer can place vulnerabilities in the code that they develop – for example, by placing a backdoor in software that can be used to infiltrate a network in the future.

Fran Howarth, Principal Analyst at Quocirca and author of the report, commented: “The findings of this report indicate that not enough is being done by organizations to build security into the applications on which their businesses rely. Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organizations to thoroughly test all code generated for applications – without which they could be playing into the hands of hackers.”