The Guardian newspaper has reported that an employee with Ealing Council in London plugged a USB device infected with the Conficker-D worm into a work computer. The repercussions were devastating as the virus spread throughout the council’s computer system resulting in 1,838 parking tickets being cancelled at a total cost of £90,000 as they were unable to be processed, libraries losing £25,000 in fines and booking fees, council property rent going uncollected, and £14,000 being spent on clearing housing benefit claims.

Overall the local authority estimated that it lost more than £500,000 during the period of a week when its systems were compromised. This figure included the costs associated with urgent work to recover computer systems and prevent the virus from spreading.

A council report has subsequently confirmed that the incident was caused by an employee in the housing department using a USB stick contaminated by Conficker-D. The worm exploited a Windows Autorun security weakness in Windows 2000 machines used by the council to upload itself and spread throughout the authority’s IT infrastructure

The incident highlights the requirement for organizations to have clear security policies in place for the use of USB devices by employees, and to ensure that virus protection is extended to cover such devices.

It is one of the first major arrests involving the e-Crime Unit which was launched with much fanfare earlier this year. Funded by the UK government, its remit is to tackle cybercrime and clamp down on Internet fraud. As part of this it provides specialist officer training and co-ordinates cross-force initiatives to crack down on online offences.

The arrest follows an investigation that began in June after an e-crime attack was reported on HMRC’s systems. The attack is believed to have been on HMRC’s self-assessment system and was part of a tax repayment claim fraud.

.

The 32-year-old’s home in east London was raided late last week and he was then taken to a local police station on suspicion of fraud and money laundering.

The study, undertaken by PC Tools, questioned 4,500 web users in various European countries and Australia in order to establish how security aware they were in their online activities.

The results show that, in fact, three quarters of the respondents really weren’t that aware at all of the potential security threats - 74% were not clear about the need for behavior-based protection, whilst 20% did not understand the nature of zero-day security threats.

However, it is the difference in the security approaches of different categories of users that really catches the eye. For example, of those most likely to use the same password across all sites, the French were the worst with 56% of respondents being guilty of this. In the Benelux countries 45% used one password, whilst the figure was 35% in the UK and 31% in Australia. The clear winner in this section was Germany, where the figure plummeted to 16%. 

When it comes to updating security software, the UK fared the worst with a third saying they never undertake updates. In France, only 7% admitted to this, whilst in Germany and the Benelux countries the figure was as low as 5%.

The UK also came out worst in terms of using security protection when they surf the net with almost 10% failing to do so. This compared with 5% for France, 4% for Germany and just 1% for Benelux.

And apparently gender can also make a difference in the approach taken to security. For example, the results show that 47% of men use a single password across multiple sites, compared to just 26% of women, who are also significantly more cautious with e-mail links. However, this is countered by the fact that men are generally more savvy in terms of where risks can come from, with 44% of women unaware that links on social networking sites can be dangerous.

IBM’s latest semi-annual ‘Internet Security Systems 2009 Mid-Year Trend and Risk Report’ reveals that in the first half of this year 55% of the new malware seen was Trojans, an increase of 9% over the previous year. Meanwhile, phishing, especially financial phishing, has dramatically declined in the first half of this year. All of which points to the fact that financial phishers may well have found more lucrative ways to harvest banking log-in information, primarily through the use of malware.

IBM’s Frequency X blog points out that a key difference between the two types of attack is the level of preparatory effort required by the hacker. For a phishing attack the scam website and associated e-mail have to be crafted to a level of quality that will fool the potential victim. By contrast, the Trojan attack is based upon simply convincing a user to click on one single link that serves up a malicious exploit which silently compromises their computer through an unpatched vulnerability. Once compromised, a Trojan can be installed which does the rest.

A key element in this type of attack is the use of obfuscation by the hacker to cover their tracks and hide from protections on the users’ computers. And indeed the report claims that new obfuscation tricks are constantly evolving and nearly doubled in the first quarter of 2009. Using obfuscation, attackers attempt to evade intrusion prevention (IPS) and anti-virus (AV) by taking advantage of lapses in patching or getting around simple pattern-matching protection by scrambling code.

Overall, the number of malicious web links used to trick users into downloading malware or visiting dangerous sites has increased by a staggering 508% in the first half of 2009 compared to the same period in the previous year. The US is the top country where such malicious web links can be found, accounting for 36% of such links, with China closely following in second place.

The Home Office’s newly released Resource Accounts for 2008-2009 show that the unencrypted USB device actually held the records of over 377,000 prisoners and serious offenders in England and Wales. Originally the department claimed that the stick held just 127,000 records.

The device was lost by a third party contractor, PA Consulting, and resulted in the government canceling their £1.5 million contract. The information that was lost had originally been encrypted but was actually decoded by the contractor prior to being placed on the memory stick!

PA Consulting subsequently accepted responsibility for the incident, saying that although they had a comprehensive system of security procedures and practices in place, the loss of data was caused by human failure, with a single employee being in breach of their information security processes.

Somewhat belatedly, the new Home Office documents stress that the department “will continue to monitor and assess its information risk in the light of these events, in order to identify and address any weaknesses and ensure continuous improvement of its systems.”

The research, undertaken by IDC on behalf of RSA, revealed that the majority of respondents were unclear on the sources and intentions of internal risk and struggled to quantify the potential financial consequences and workflow impact. Of the organizations surveyed, 52% characterized their insider threat incidents as predominately accidental, only 19% believed the threats were deliberate, 26% believed they were an equal combination, while the remaining 3% were unsure.

So, whilst most companies typically make malicious insider attacks a top priority, the reality is that it is the unintentional risks that are frequently overlooked which actually pose the most serious threat to business.

The research covered over 400 firms from the US, UK, France and Germany across a variety of sectors including the financial industry, healthcare, telecommunications and technology. One particularly interesting highlight is the scale and type of insider security incidents. In the previous 12 months, 400 respondents admitted to 6,244 incidents of unintentional data loss, 5,830 malware/spyware attacks from within the enterprise, and 5,794 incidents of risks created by excessive privilege and access control rights. In total, the number of internal security incidents from the respondents came out at 57,485.

The report also concluded that, in the last year, the greatest source of insider threat came from contractors and temporary employees. This vividly illustrates the fact that the complex internal user mix of employees, consultants, partners and outsourcers make addressing the risks posed by its internal users the biggest security challenge that an organization currently faces, whether or not the risk is intentional.

The intention of the ICSG is to improve collaboration between technology companies and other interested organizations and to encourage agreement and common practice in the tackling of security issues.

The IEEE believes that attackers have now shifted away from mass distribution of a small number of threats to micro distribution of millions of distinct threats. The ICSG has been formed, therefore, as a result of many in the security industry wishing to pool their experience and resources in response to the systematic and rapid rise in new malware being introduced to the market.

There have been examples of individual working groups that have focused on specific aspects of security intelligence, incident response, testing, best practices and policies (e.g. Anti-Phishing Intelligence & Best Practices and Anti-Spyware Intelligence and Best Practices). However, this co-operation has not been standardized or documented in a format that lends itself to systematic improvement in operational efficiency, or visibility and review by people outside the vertical industries.

In response to this, the ICSG has announced a Malware Working Group, which it envisages will the first of a number of such groups. This first group has the aim of solving some of the malware-related issues that the industry faces today. The initial focus has been to establish more intelligent ways of sharing malware samples and the information associated with them in a way that makes the computer security industry more effective.

ICSG is an entity based group and is open to companies and organizations, but not individuals (though some individual subject experts may be invited to participate in the working groups). You will be required from January 1, 2010 to be an advanced entity member of IEEE-SA in order to be eligible for ICSG membership. Once involved, members can take part in discussions on security protection, whilst also contributing to the development of standards and best practices.

The quarterly Global Threat Report from ScanSafe, indicates that the rate of data theft Trojan encounters increased by 37% in the second quarter of 2009 compared to the first quarter of the year. The involved Trojans can be remotely custom-configured by attackers and thus the exact data targeted and/or the specific action taken on the system can vary depending on the specifics of the victim. Many of these data theft Trojans also include the ability to intercept and tamper with http and network traffic.

Five of the top ten Web malware threats encountered in the second quarter of 2009 were data theft Trojans. The sharp increase in their numbers graphically illustrates that stolen data is in high demand and cyber criminals are developing increasingly sophisticated tactics to obtain it.

The monthly ‘State of Phishing’ report from Symantec indicates that 63% of phishing URLs were generated using such toolkits in the last month. During this period the number of toolkit attacks increased by a staggering 150%.

In another worrying development fraudsters have targeted the users of major brands by compromising web servers with SSL certificates so that the fraudulent web pages can display the familiar padlock icon, thereby offering a false sense of security to the victims.

A single compromised web server with an SSL certificate can be used to host a broad range of phishing sites, and can have a higher success rate in tricking users who believe that the sites are genuine and can be trusted.

The report notes that end users would only notice the deception if they reviewed the certificate or had other visual indicators, such as whether or not the site was secured with an extended validation SSL certificate.

The brands that phishing sites actually spoofed were also investigated. It was found that the top countries of brands attacked in July were the USA, UK and Italy. Overall there were 30 countries where specific brands were attacked. Recent developments include the targeting of banking, e-commerce and information services sectors in German brands, whilst in China, the e-commerce sector has been a primary target.

Richard Hunter, vice president at Gartner, said that the growth and scale of criminal hacking networks aimed at governmental and industry targets, as well as recent statements by representatives of the U.S. and U.K governments, indicate that the state of IT security is now viewed as unacceptably dangerous.

In addition, the rise of social networks such as Facebook, MySpace and Twitter have generated increased concern over the extent to which personal data and the safety of minors are threatened by criminals using these networks to gain access to potential victims.

“All these events are taking place within a global climate that is shifting towards regulation on many fronts,” said Mr. Hunter. “As a result of the economic crisis, the social environment is considerably less trusting and secure. The public is wary of cascading risks and would seem to be supportive of legislation and litigation aimed at reducing those risks, including those posed by IT.”

He added that software vendors need to be aware that increased liability will drive generic software out of the market, and they should prepare for transparency and product/price differentiation based on quality and certified fitness for purpose. IT service providers should do the same and mitigate risks by incorporating strong documentation, audit right provisions and legal compliance terminology into outsourcing deals.

However, there are concerns that many vendors and most enterprise IT organizations are unprepared to meet the requirements that regulated IT is likely impose on their processes and procedures.