The VeriSign Security Review
February 2006
While early January was consumed by WMF fire fights, the latter part
of the month was relatively quiet. The much-hyped Blackmal.E virus popped
its head up but has yet to cause mass-scale infection. February's
RSA Conference will see a plethora of innovations in protecting consumers
and enterprise IT infrastructures. Among them, the VeriSign Identity
Protection Service brings the industry closer to a new paradigm of online
identity services.
In this issue:
Hot Topics
Standards and Regulations
News from VeriSign
Ask a VeriSign Consultant
Security Events
Hot Topics
VeriSign Introduces Identity Protection Service
VeriSign announced the launch of VeriSign®
Identity Protection (VIP), a comprehensive solution that
will help provide identity protection for consumers who conduct business
online. VIP is supported by several leading online companies, including
PayPal, eBay and Yahoo!. In addition, technology partner SanDisk
has announced plans to support VIP by manufacturing and distributing
OATH-compliant USB mass-storage and trusted flash devices, while Motorola
plans to lend its support by enabling this technology on consumer mobile
devices.
A modern approach to combating digital identity theft, targeted at both
consumers and online services, VIP includes
VeriSign's Shared Authentication Network, Multi-factor Authentication
capabilities, Fraud Detection, and Fraud Intelligence Network. Future
capabilities such as the VIP Portal will be added in the summer.
“Online security is central to everything we do at eBay and PayPal,
so we are pleased to be working with VeriSign as one of the first members
of the VIP Network,” says Rob Chesnut, Senior Vice President of Trust
and Safety, eBay and PayPal.
January Threat Summary
A flaw in the Microsoft Windows help system
could be exploited to run arbitrary code with the target user's access
privileges. The issue lies in the HTML Help Workshop, which developers use
to compress content and graphics into a compiled help file. Organizations
may use the Help Workshop to create custom help files for specific internal
needs. A buffer overflow in the workshop can be triggered by a
specially crafted .hhp file, allowing arbitrary code execution
with the target user's privileges. Proof-of-concept code is already available
for this moderately critical vulnerability, and Microsoft believes the
vulnerability is limited to systems with Help Workshop installed.
More information is available at http://www.securityfocus.com/brief/131.
The Blackmal.E mass-mailing virus trickled
in on its intended date of attack and infected an estimated 470,000
to 950,000 computers. The virus, which is also called Nyxem.E and KamaSutra
and assigned CME-24 by the Common
Malware Enumeration (CME) Project, spread mainly to India,
Peru, Italy, Turkey and the United States. Computers that remain infected
will have eleven types of data deleted from the hard drive, including
any Word, Excel, PowerPoint and PDF documents.
US-CERT
released Technical Cyber Security Alert TA06-038A, which concerns
multiple vulnerabilities in Mozilla products. Affected products include
the Mozilla Web browser, e-mail and newsgroup client; Mozilla SeaMonkey;
the Firefox Web browser; and the Thunderbird e-mail client. The most severe
of these vulnerabilities could allow a remote attacker to execute
arbitrary code with the privileges of the targeted user. Other
impacts include denial of service
or local information disclosure. Fixes are available by upgrading to Mozilla
Firefox 1.5.0.1 or SeaMonkey 1.0.
A vulnerability in Cisco’s 3000 series VPN
concentrators running WebVPN appears to extend to all versions of the
product, according to a security researcher who has been following the
situation. Cisco acknowledged the problem and will issue an advisory
update. More information is available at Network World.
Identity Theft a Top Pick by FTC and States
The FTC named identity theft its top consumer
protection concern. Identity theft also made the list of many state
attorneys general's Top Ten consumer concerns. The Top Ten lists released
during National Consumer Protection Week revealed various issues related
to identity theft. New York's top pick, for example, was the Internet,
while Michigan's was credit and financial concerns. More information
is available at the Consumer Affairs site.
Spyware Remains Rampant
A new study by the University of Washington
finds that one in 20 executable programs on the Internet contains spyware.
The study sampled more than 20 million Internet addresses and also found
other disturbing trends. Among them: one in 62 Internet domains contains
"drive-by download attacks" that force spyware onto the user's
computer without their knowledge. A copy
of the study (PDF) is available from the University.
Sharp Rises in Network Access Control Cost
A new study by Infonetics forecasts sharp rises
in endpoint security spending. The study predicts that in the coming years,
endpoint security will require a range of new types of software and
hardware to be effective, including endpoint-security appliances and
improved network-infrastructure equipment. Accordingly, the study forecasts
that the overall network access control (NAC) enforcement market will grow
to $3.9 billion by 2008, up from just $323 million last year, a 1101
percent increase. More information is available from the IT
Compliance Institute.
Standards and Regulations
ChoicePoint To Pay $15 Million
The Federal Trade Commission imposed a $10
million fine -- the largest civil penalty it has ever levied -- on ChoicePoint
for its highly publicized security breach last year, in which the financial
records of about 162,000 people were potentially compromised. The settlement
also includes a $5 million payment by ChoicePoint to help victims of
data theft.
The FTC charged that ChoicePoint failed to
comply with its data protection obligations under the Fair Credit Reporting
Act and made false and misleading statements about its data privacy
policies. ChoicePoint will place the additional $5 million in a trust
fund, administered by the FTC, for consumers victimized as a result
of the security breach.
This is the first time the FTC has levied a
penalty in connection with a security breach, which signals the agency's
firm stance on consumer identity data breaches. And it isn't just companies
that suffer actual data breaches that need to be concerned. Businesses
unable to demonstrate due diligence in their information security practices
could also be targeted by the FTC.
Feds Put To SOX-Like Test
Compliance officers who wished the federal
government would get a dose of its own financial-accountability medicine
will soon have their wish come true. The public-sector version of Sarbanes-Oxley
(SOX), called A-123, will be in effect in 2006.
Issued by the US Office of Management and Budget
(OMB), A-123 is almost identical to SOX, and it's sparking similar speculations
about how much compliance will cost. A-123 can be traced back to the
Federal Managers’ Financial Integrity Act of 1982. The latest revision
came out in December 2004 and became effective for the 2006 fiscal year.
Like SOX, A-123 requires federal agencies to document internal controls
over financial reporting and their assessment processes. Management
must test and attest to the strength of these controls. Federal managers
are evaluated on performance, and agencies must do what no public company
is required to: display their audit results on a centralized Web site,
where they can be easily viewed and compared. Management scorecards
are displayed for public inspection at http://www.results.gov.
Red, yellow, and green icons denote failures and successes.
News from VeriSign
VeriSign Releases Internet Security Intelligence Briefing
As Internet usage continues to grow at a rapid
rate, online threats and malicious attacks are far from slowing down.
In the upcoming release of the Internet Security Intelligence Briefing,
our rapid response team director Ken Dunham reviews the top threats
of 2005 and provides insight into what 2006 might have in store. Phishers'
ever-expanding repertoire of social engineering tactics has led
enough security industry experts to reconsider the question of identity
protection and propose the new, user-centric Identity 2.0 platform.
Principal scientist Phillip Hallam-Baker explores the benefits and risks
of ID 2.0 as a means to combat phishing. Read the latest Internet
Security Intelligence Briefing.
VeriSign Bolsters Identity Protection Service with Fraud Detection
VeriSign announced the VeriSign Fraud Detection
Service, a new solution that forms part of VeriSign's overall layered
authentication solution targeted at preventing online identity theft.
In support of this new service, VeriSign has also reached a definitive
agreement to acquire Israel-based Snapcentric, Inc., a provider of online
fraud detection solutions using advanced anomaly detection technology.
The newly acquired technology will be a key
addition to VeriSign’s suite of authentication solutions, providing
an invisible layer of protection against online fraud.
The VeriSign Fraud Detection Service will take
a self-learning approach to fraud detection, adapting to the usage
habits unique to each customer. Using pattern recognition technology,
it flags potentially fraudulent activities based on known types of fraud
and on behaviors not associated with the user. Because the service
is self-learning, it can adapt to changing criminal behavior without
manual intervention. VeriSign believes that this unique capability differentiates
the Snapcentric technology from all competitive solutions in the marketplace.
The invisible layer of protection afforded
by the VeriSign Fraud Detection Service lets financial institutions
authenticate users for low-risk transactions without changing the online
experience. For high-risk transactions, the VeriSign Unified Authentication
Service provides a wide range of two-factor authentication devices to
verify a user's identity. In combination, these services provide a comprehensive
approach to addressing online banking and e-commerce authentication needs.
VeriSign and Microsoft Collaborate on Consumer Protection
At the RSA 2006 Conference, VeriSign and Microsoft
unveiled collaborative strategies for protecting consumer identity.
VeriSign's announcement centered on mutual authentication, where
both the user and the destination site present stronger authentication
credentials to establish mutual trust. Mutual authentication solutions
will take advantage of InfoCard, a Microsoft technology that simplifies
and improves the safety of sharing personal information on the Internet,
as well as VeriSign Identity Protection (VIP) services and VeriSign
Secure Sockets Layer (SSL) certificates.
InfoCard represents a key component of Microsoft’s
implementation of an identity metasystem. With InfoCard, consumers can
download credentials from trusted identity providers such as their bank,
employer, government agency, or membership organization, or create their
own self-issued cards. Identity protection services such as VIP from
VeriSign can help consumers securely store and manage all their credentials
and meet strong authentication requirements. Finally, VeriSign SSL certificates
give consumers higher confidence by confirming that the destination
site has been through rigorous validation processes. This is especially
helpful in Internet Explorer 7 where sites with enhanced validation
will be displayed as such.
Ask a VeriSign Consultant
Securing the Mobile Workforce
Q: We issued smart phones to many employees, and they can now
access corporate resources remotely. How do we go about securing
this new user base?
A: You are not alone. Securing the mobile workforce is a growing
concern for many companies. Mitigation of mobile security risk starts
with the deployment of an information security policy that provides
guidance on proper use and handling of any edge device, such as a Pocket
PC or Smart Phone. In most cases, it is just an extension of your
existing desktop policies where the best approach is a layered defense.
In addressing the various security needs of a mobile user base, the
revision of your security policy should at a minimum take into consideration
the following:
Physical Security and Password Use
- Provide device storage guidelines, such as placement within a carrying
case or locked drawer when not in use.
- Require the use of a power-on or OS-level password for initial device
access, and enforce password minimum length and format requirements.
Data Security
- Perform AES or 3DES encryption of data stored within the device RAM as
well as on applicable storage cards.
- Enable data deletion capabilities for lost or stolen devices, through
issuance of remote commands or based upon certain actions such as excessive
log-in attempts or lack of a timely hot-sync.
Network Security
- Require authentication of end users when accessing authorized services,
such as through the use of an X.509 digital certificate.
- Perform encryption of the data transmission from end to end via SSL or
VPN connectivity.
- Disable or limit Infrared, Bluetooth, or WiFi functionality so as to
limit exposure to potentially compromising devices or services.
As shown in the following
diagram, the best approach should be capable of addressing several mobile
user security needs such as through the use of a one time password,
soft digital certificate, or even SIM based authentication.

As mobile device technology
evolves to include richer feature sets, vectors of attack will evolve
and grow accordingly. Future security considerations should include the
use of anti-virus software and personal firewalls. Finally, one
should remember that security should be viewed as an enabler and not an
inhibitor of business. Advance planning and integration of multi-platform
supporting tools will go a long way toward increasing productivity and
profitability.
Tim Sills is a Regional Consulting Manager for
VeriSign. He has extensive experience in personal identity security
for enterprise operations. Mr. Sills provides services to Fortune 500
and Global 1000 companies focusing on regulatory compliance. He holds
a Bachelor’s degree in Electronic Engineering Technology from DeVry
Institute of Technology and an MBA from Loyola Marymount University.
Mr. Sills also holds CISSP, CISA, CISM, and GSEC certificates.
Security Events
February 22-23, 2006
Unified Compliance Summit
Las Vegas, NV
March 5-7, 2006
ComputerWorld Premier 100
Palm Desert, CA