PCQ Bureau

Today, a security threat can enter from anywhere, be it through e-mail, a Web browser, or even an infected notebook plugging into your network. It could also come from an unpatched machine or a disgruntled employee, or from a seemingly innocent phone call, a technique that comes under the social engineering type of attack. We recall incidents of people receiving phone calls from callers claiming to be from credit card companies, who then tried to wheedle out their credit card details. Besides social engineering, we also saw lots of phishing and pharming scams this year, two techniques aimed at fishing out a user's personal information. So security has definitely been at the top of everyone's mind this year, and will continue to be that way next year as well. As most of these attacks are aimed at stealing identities, we're seeing a lot of action in the identity management solutions market. And as more enterprise business moves online, it needs better security measures. This saw a rise in SSL based VPN solutions, and even a rise in integrated security appliances.

Predictions for 2006
  • Role-based access control will increase in use, and identity management solutions will become more visible.
  • Appliance based security products will increase, and more players are likely to enter this field.
  • SSL based VPNs will be on the rise as more organizations do business online.

Security appliances

A lot of vendors are entering the market with security appliances and integrated appliances that have firewalls, anti-spam, antivirus, and even end-to-end encryption. Also included in these appliances is the ability to demarcate DMZs and support VPN over IPSec or PPTP with either 3DES or AES (256-bit) encryption. The IDS features on these boxes include detecting various kinds of known attacks, including flooding, IP spoofing and DoS. Such a box can also react in case of emergencies by dropping packets from the attacker's address. Some appliances even have network anti-virus capability. These need to be geared to meet enterprise-class performance requirements for availability and speed. The iForce IDS appliance from Symantec, for instance, is supposed to monitor networks at speeds of up to 2 Gbps on some models.
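The "detect a flood, then drop packets from that address" behaviour described above can be shown with a small sliding-window rate detector. This is an added example written for this article, not code from any appliance vendor; the packet records are constructed sample data and the threshold, window and class names are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample of packet records (timestamp_ms, src_ip, dst_port); not real traffic.
# 10.0.0.9 sends a burst of 120 packets in 1.2 seconds; the other sources are normal.
SAMPLE_PACKETS = (
    [(0, "10.0.0.5", 80), (500, "10.0.0.5", 443)]
    + [(1000 + i * 10, "10.0.0.9", 80) for i in range(120)]
    + [(2500, "10.0.0.5", 80), (3000, "203.0.113.7", 22)]
)


class FloodDetector:
    """Per-source sliding-window packet-rate detector (hypothetical name).

    A source whose packet count inside the last `window_ms` milliseconds exceeds
    `threshold` is added to the block set; every later packet from that source is
    dropped. The block set is what an appliance would turn into a drop rule.
    """

    def __init__(self, threshold=100, window_ms=1000):
        self.threshold = threshold
        self.window_ms = window_ms
        self.recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
        self.blocked = set()

    def observe(self, ts, src_ip, dst_port):
        """Return 'drop' if this packet should be discarded, otherwise 'pass'."""
        ipaddress.ip_address(src_ip)  # reject malformed addresses before counting them
        if src_ip in self.blocked:
            return "drop"
        window = self.recent[src_ip]
        window.append(ts)
        # Expire timestamps that have fallen out of the window.
        while window and ts - window[0] > self.window_ms:
            window.popleft()
        if len(window) > self.threshold:
            self.blocked.add(src_ip)
            return "drop"
        return "pass"


def run(packets, threshold=100, window_ms=1000):
    """Feed packets through the detector; return (blocked sources, packets dropped)."""
    detector = FloodDetector(threshold, window_ms)
    verdicts = [detector.observe(*pkt) for pkt in packets]
    return detector.blocked, verdicts.count("drop")


if __name__ == "__main__":
    blocked, dropped = run(SAMPLE_PACKETS)
    print("blocked:", sorted(blocked), "dropped:", dropped)
```

The threshold is deliberately a tunable: too low and a busy but legitimate server gets cut off, too high and the burst goes through, which is the same tuning trade-off the appliances in the text face.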

Vulnerability stats

The number of vulnerabilities reported this year is up about 500 from last year and stands at 4,268. This is about 25 times more than ten years ago, when a few hundred vulnerabilities used to be reported each year. That trend was broken between 2000-02, when the count rapidly doubled each year and went up to 4,129 at the end of that period. This year's count so far is more than that figure. The most frequently attacked ports were reported to be FTP, SSH, DNS, HTTP/HTTPS, SunRPC, NetBIOS and SQL Server. Thankfully, most of these could be mitigated by upgrading to newer versions of software or changing port numbers. CERT sees the number of Trojans and self-propagating worms as an area of concern.

Hit or Miss

Certification



One influencer is the BS17799 certification for security professionals, and the second is the amazing number of computer forensics and ethical hacking institutes that opened up in the last year. These institutions seek to teach IT professionals how to better secure their systems and networks by first putting them on the other side of the table (as the would-be hacker). Security and auditing also took on a lot of importance, mainly because of the number of internal documents that found their way into the public eye. It is expected that a larger number of companies of all sizes will invest in auditing their deployments and tightening security, physical and cyber, in the next year or two.
DRM and Sony

The latest security issue to hit the headlines is the Sony DRM issue. Sony-BMG (the record label) apparently released a limited number of CDs into the market with a new kind of copy protection mechanism. They made it so you could play and copy music from these CDs only if you used the software distributed on them. However, in order to implement this, Sony-BMG used a technology called a 'rootkit'. These are programs that provide high levels of access to a computer system. To date, several Trojans and viruses have emerged on the Net that make use of Sony's rootkit application to give their programmers backdoor access to the affected system. And to infect your system, all you need to do is play one of these CDs on your PC.

Social engineering & ID theft

Social engineering attacks made the news, like the one that happened with a Delhi-based call center, where one of the executives sold a Sun reporter details of bank accounts, credit cards and driver's licenses of UK bank customers for under $10 each. The call center worker also reportedly assured the reporter that he could sell him 2 Lakh such account records a month. Earlier this year, US customers of Citibank suffered thefts of $350,000 because of a similar breach at another call center in India. The twin calamities of the Asian Tsunami and the earthquake also prompted several websites of questionable intentions to spring up and seek donations on behalf of the victims, only to disappear after they had collected a sizeable fortune. This has led to the concern of managing identity securely. Two main technologies leading ID management are devices like SecurID, which generate one-time keys that you use at designated terminals or screens, and digital certificates. With more financial and govt services going online, the need for effective identity management only goes up.
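To show what a one-time key device buys you over a static password, here is an added example of an HMAC-based one-time password scheme of the kind standardised in RFC 4226 (HOTP), with a server-side verifier that refuses replayed codes. This is illustration code written for this article; it is not SecurID's algorithm nor any vendor's implementation, and the shared secret, look-ahead window and class names are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side of the exchange (hypothetical name).

    Holds the user's shared secret and the last counter value consumed. A code is
    accepted only if it matches one of the next `look_ahead` counters (tolerating a
    few button presses that never reached the server); the counter then advances
    past it, so a code captured in transit cannot be replayed.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            # Constant-time compare so a wrong digit leaks no timing information.
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


# Constructed shared secret (the RFC 4226 test-vector secret), not a real credential.
DEMO_SECRET = b"12345678901234567890"


def demo():
    """Walk through accept, replay, and a skipped counter within the window."""
    verifier = TokenVerifier(DEMO_SECRET)
    first = verifier.verify(hotp(DEMO_SECRET, 0))   # fresh code: accepted
    replay = verifier.verify(hotp(DEMO_SECRET, 0))  # same code again: rejected
    skipped = verifier.verify(hotp(DEMO_SECRET, 3)) # counters 1-2 unused, still inside look-ahead
    stale = verifier.verify(hotp(DEMO_SECRET, 2))   # behind the counter: rejected
    return first, replay, skipped, stale


if __name__ == "__main__":
    print(demo())
```

The point of the look-ahead window is usability, not security: widening it beyond a handful of counters gives an attacker who stole the token's output more valid codes to try, so it should stay small.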

Everything's cached

Nowadays, anything that's exposed to the Web has most likely been stored away forever in some corner of the Internet. Internet archival systems like The Wayback Machine and content replication systems that provide mirroring services are but the tip of the iceberg. Add to this the proliferation of community networks (blogs, et al) where something rumored to have been said catches on like wildfire and gets endlessly replicated and linked so anyone can find it with a simple keyword... and the problem only gets worse. What problem? What if your internal employee appraisal letters somehow got onto Google? Recently, some of Papa John's (a pizza house in the USA) internal e-mail got onto Google accidentally (it is still there as we go to press). The problem with the permanence of content on the Net is that even if you act swiftly to protect your information with simple measures such as password protection or a change of URL, caching mechanisms will still preserve their own copies for quite some time to come.


Disk space-full

Scientists postulate that about 23% of the Universe is composed of dark matter: stuff we cannot see, but whose presence has direct consequences for our Universe. Much the same is true for files and programs on our hard disk. In order for so many things to happen when we just click on a Web page, our computer downloads and runs many files and programs, large and small. And all of it is on our computer's hard disk. Those that run may never, in fact, leave our computer completely, no matter what tools we use. This, in fact, is the single biggest challenge for system administrators world-wide. Even malware has its defenses, but 'dark files' have no known cure. The problem is that most combative techniques use either black or white lists to eliminate the unwanted. While most don't know the difference, these lists are more often than not out-of-date and require constant administrative overhead to keep them updated. Resurgent defenses now include system-wide policies that let users rather than software vendors decide what's useful and what's not and discard the rest; the term being 'gray-listing'.

Cracking for the public

Cracking passwords, it seems, has become commonly accessible and fashionable to do. A site has sprung up, powered by Zhu Shuanglei's 'Rainbow Crack' engine (an open source download), that promises to place online about 500 GB of rainbow tables (pre-computed password hashes) readily usable by anyone who pays them for an account. RainbowCrack-Online.com claims to be for cracking what Google is for search. A lofty claim for sure, but imagine how much more you need to protect your systems once such a database is at the beck and call of every cracker around the world! The price tag on it should keep away most kiddie-crackers, and it is purportedly to be used only for white-collar cracking for security auditing.
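The reason a 500 GB precomputed table is dangerous, and the standard defence against it, can be shown in a few lines. The added example below (written for this article, not RainbowCrack's code) builds a tiny hash-to-plaintext table from a constructed candidate list, recovers an unsalted MD5 hash with one lookup, and then shows that a per-user random salt with a slow key-derivation function gives the same password a different digest for every user, so no precomputed table applies. The candidate words, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed table's word list (not real breach data).
CANDIDATES = ["password", "letmein", "qwerty", "summer2005", "pcquest"]


def md5_hex(data: bytes) -> str:
    """Fast, unsalted digest of the kind that precomputed tables target."""
    return hashlib.md5(data).hexdigest()


def build_table(candidates):
    """Precompute digest -> plaintext once; the cost is amortised over every target."""
    return {md5_hex(word.encode()): word for word in candidates}


def lookup(table, digest):
    """Recover a plaintext with a single dictionary lookup, or None if absent."""
    return table.get(digest)


def hash_with_salt(password: str, salt: bytes, rounds: int = 10000) -> bytes:
    """Salted, iterated derivation: the salt defeats precomputation, the rounds
    make each per-salt guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def store(password: str):
    """Create a fresh random salt per user and return (salt, derived hash)."""
    salt = os.urandom(16)
    return salt, hash_with_salt(password, salt)


def check(password: str, salt: bytes, stored: bytes) -> bool:
    """Verify a login attempt against the stored salt and hash, in constant time."""
    return hmac.compare_digest(hash_with_salt(password, salt), stored)


def demo():
    """Returns (recovered plaintext, salted digests differ, right pw ok, wrong pw rejected)."""
    table = build_table(CANDIDATES)
    leaked_unsalted = md5_hex(b"summer2005")       # as stored by a naive application
    recovered = lookup(table, leaked_unsalted)      # one lookup, no hashing at all
    salt_a, hash_a = store("summer2005")            # two users, same password...
    salt_b, hash_b = store("summer2005")
    return (
        recovered,
        hash_a != hash_b,                           # ...different stored hashes
        check("summer2005", salt_a, hash_a),
        check("Summer2005", salt_a, hash_a),
    )


if __name__ == "__main__":
    print(demo())
```

Salting does not make a weak password strong; it only forces the attacker back to guessing per account instead of looking up a shared table, which is why the iteration count matters as well.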

A turnaround?

Marcus Ranum (the inventor of the proxy firewall) would have us believe that patching systems and doing security audits is the wrong way to do things, since that means and ensures that things aren't 'secure by default'. In his article, The Six Dumbest Ideas in Computer Security (http://www.ranum.com/security/computer_security/editorials/dumb/index.html), he outlines what he thinks really needs to be done, which is basically to disallow anything you do not know to be good, rather than attempt to create a blacklist and block only known bad things. He also cautions his readers not to fall into the age-old trap of implementing the 'latest' in the attempt to stay ahead of the hacker, or trust in periodic re-education of network users who insist on opening attachments from strangers or believing email from banks they don't have accounts with. Marcus agrees with Kevin (Kevin Mitnick, 'The Art of Deception') that security is a social as well as a technological concern. But, contrary to Kevin's idea of user education, Marcus would like enterprises to proactively block unwanted people and software rather than relying on users to do it.
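The difference between the blacklist model, the 'default deny' model Ranum argues for, and the 'gray-listing' policies mentioned under Disk space-full above comes down to what happens to a program nobody has classified yet. The added example below (illustration written for this article, not Ranum's code or any product's) evaluates a constructed inventory of three executables under each policy; the program names, publishers and the lists themselves are made-up sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    name: str
    publisher: str


# Constructed inventory of executables seen on a workstation (not real software names
# in any particular product's lists).
SEEN = [
    Program("winword.exe", "Microsoft"),   # approved business application
    Program("update.exe", "Unknown"),      # freshly downloaded, never classified
    Program("toolbar.exe", "AdwareCorp"),  # already on the known-bad list
]

KNOWN_BAD = {"toolbar.exe"}                  # blacklist: "enumerate badness"
APPROVED = {("winword.exe", "Microsoft")}    # allowlist: name plus publisher


def blacklist_policy(program: Program) -> str:
    """Block only what is already known bad; everything else runs."""
    return "deny" if program.name in KNOWN_BAD else "allow"


def default_deny_policy(program: Program) -> str:
    """Run only what is known good; everything else is blocked."""
    return "allow" if (program.name, program.publisher) in APPROVED else "deny"


def gray_policy(program: Program, decisions: dict) -> str:
    """Site-wide gray list: approved runs, known-bad is denied, and the unclassified
    remainder is held until an administrator (or, per the text, the user) decides."""
    if (program.name, program.publisher) in APPROVED:
        return "allow"
    if program.name in KNOWN_BAD:
        return "deny"
    return decisions.get(program.name, "hold")


def evaluate(policy) -> dict:
    """Apply one policy function to the whole inventory: name -> verdict."""
    return {program.name: policy(program) for program in SEEN}


if __name__ == "__main__":
    print("blacklist:   ", evaluate(blacklist_policy))
    print("default deny:", evaluate(default_deny_policy))
    print("gray list:   ", evaluate(lambda p: gray_policy(p, {})))
```

The unclassified update.exe is the interesting row: the blacklist lets it run because nobody has yet said it is bad, default deny stops it because nobody has said it is good, and the gray list parks it until someone does. Checking publisher as well as file name in the allowlist matters because a file name alone is trivially copied.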
