In my previous post "What's the potential of the IM security market? Symantec thinks big" I commented on various IM market security trends, namely Symantec's acquisition of IMLogic. It's also worth mentioning how a market leader security vendor was able to quickly capitalize on the growing IM market, and turn the acquisition into a valuable solution on the giant's portfolio of solutions. What's also worth mentioning is the military interest in instant communications in today's network centric warfare powered battlefield. Today I across an interesting recent development, namely that :
"The US Army, Navy, and Air Force have deployed protected interoperable instant messaging (IM) systems among the threebranches. Army Knowledge Online, Navy Knowledge Online, and theAir Force’s Knowledge Management Portal built the IM systems for 3.5 million users from Bantu's Inter-domain Messaging (IDM)gateway, a policy-driven with role-based access controls. The system will carry messages over sensitive and secret networks, and can populate a user's contact list with appropriate officials in the chain of command. Intelligence agencies will hook into the system to work with the military, and the Department of Homeland Security is also interested in the IM system."
Flexible military communications have always been of great importance, and flexibility here stands for securely communicating over insecure channels -- IP based communications. While you might have not heard of Bantu before, to me their real-time network for interagency communication sounds more like a security through obscurity approach -- temporary gain and possible long term disaster.
Could the instant communication finally solve the Intelligence Community's information sharing troubles?
In a relatively recent report I came across, "a survey was hosted on the Secret Internet Protocol Router Network (SIPRNET) so that personnel could respond to the survey from the convenience and privacy of their own workstations." in order to measure the communication requirements of various staff members, some of the findings worth mentioning :
MS Chat was used by at least 50% of all command groups
- 100% of Afloat Staffs, 86% of Carriers, 78% of Cruisers & Destroyers, 50% of Support
XIRCON was used by 28% - 50% of command groups
- 50% of Support, 41% of Carriers, 32% of Cruisers & Destroyers, 28% of Afloat Staffs
Lotus Sametime was used by 0 – 44% of command groups
- 44% of Afloat Staffs, 16% of Cruisers & Destroyers, 10% of Carriers, 0% of Support
mIRC was used by 13 – 33% of command groups
- 33% of Support, 23% of Carriers, 22% of Cruisers & Destroyers, 13% of Afloat Staffs
Lotus Sametime and mIRC seem to be only survirors, still the implications of using the above in respect to the powerful execution of various network centric warfare events, would definitely raise not just my eyebrows for sure. Two years ago, led by IMLogic a consortium on IM threats was established, the IM Threat Center, an indispensable early warning system for anything related to IM malware.
Would age-old IM threats re-introduce themselves on military networks like never before? Whatever the outcome, information overload wouldn't necessarily be solved through instant communications, but in a combination with powerful visualization concepts as well.
The post recently appeared at LinuxSecurity.com "IM me" a strike order"
Technorati tags:
Security, Military, IM, Technology, Symantec, Bantu
Wednesday, April 12, 2006
"IM me" a strike order
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Wednesday, April 05, 2006
Heading in the opposite direction
Just one day before April 1st 2006 I came across this article :
"German retail banker Postbank will begin using electronic signatures on e-mails to its customers to help protect them from phishing attacks."
Catching up with the phishers seems to be a very worrisome future strategy. Electronic Signatures by themselves are rarely checked by anyone, and many more attack vectors are making the idea of this totally irrelevant. Moreover, a great research "Why phishing works" was recently released and it basically outlines basic facts such as how end users doesn't pay attention to security checks, if there's a definition of such given the attack vectors phishers have started using recently. In some of my previous posts "Security threats to consider when doing E-Banking", and "Anti Phishing toolbars - can you trust them?" I mentioned many other problems related to this bigger than it seems problem, what you should also keep an eye on is the good old ATM scam I hope you are aware of.
Postbank is often targeted by phishers, still, the best protection is the level of security awareness stated in here :
"Phishing attacks have led 80% of Germans to distrust banking related e-mails, according to TNS Infratest." Moreover, "Postbank's electronic signature service isn't possible with web-based e-mail services provided by local Internet service providers such as GMX GmbH and Freenet.de AG, according to Ebert. One exception is Web.de"
Thankfully, but that's when you are going in exactly the opposite direction than your customers are, while trying to estalibish reputable bank2customer relationship over email. Listen your customers first, and follow the trends, and do not try to use the most popular dissemination vector as a future communication one.
Something else in respect to recent phishing statistics is the key summary points of the recently released, AntiPhishingGroup's Report for January, 2006 report :
• Number of unique phishing reports received in January: 17,877
• Number of unique phishing sites received in January: 9715
• Number of brands hijacked by phishing campaigns in January: 101
• Number of brands comprising the top 80% of phishing campaigns in January: 6
• Country hosting the most phishing websites in January: United States
• Contain some form of target name in URL: 45 %
• No hostname just IP address: 30 %
• Percentage of sites not using port 80: 8 %
• Average time online for site: 5.0 days
• Longest time online for site: 31 days
I feel there's a lot more to expect than trying to re-establish the communication over a broken channel, as far as E-banking is concerned.
More resources you might be interested in taking a look at are :
Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks
Netcraft: More than 450 Phishing Attacks Used SSL in 2005
SSL's Credibility as Phishing Defense Is Tested
Rootkit Pharming
The future of Phishing
Something is Phishy here...
Phishing Site Using Valid SSL Certificates
Thoughts on Using SSL/TLS Certificates as the Solution to Phishing
Technotati tags:
Security, Phishing, Scam, Banking
"German retail banker Postbank will begin using electronic signatures on e-mails to its customers to help protect them from phishing attacks."
Catching up with the phishers seems to be a very worrisome future strategy. Electronic Signatures by themselves are rarely checked by anyone, and many more attack vectors are making the idea of this totally irrelevant. Moreover, a great research "Why phishing works" was recently released and it basically outlines basic facts such as how end users doesn't pay attention to security checks, if there's a definition of such given the attack vectors phishers have started using recently. In some of my previous posts "Security threats to consider when doing E-Banking", and "Anti Phishing toolbars - can you trust them?" I mentioned many other problems related to this bigger than it seems problem, what you should also keep an eye on is the good old ATM scam I hope you are aware of.
Postbank is often targeted by phishers, still, the best protection is the level of security awareness stated in here :
"Phishing attacks have led 80% of Germans to distrust banking related e-mails, according to TNS Infratest." Moreover, "Postbank's electronic signature service isn't possible with web-based e-mail services provided by local Internet service providers such as GMX GmbH and Freenet.de AG, according to Ebert. One exception is Web.de"
Thankfully, but that's when you are going in exactly the opposite direction than your customers are, while trying to estalibish reputable bank2customer relationship over email. Listen your customers first, and follow the trends, and do not try to use the most popular dissemination vector as a future communication one.
Something else in respect to recent phishing statistics is the key summary points of the recently released, AntiPhishingGroup's Report for January, 2006 report :
• Number of unique phishing reports received in January: 17,877
• Number of unique phishing sites received in January: 9715
• Number of brands hijacked by phishing campaigns in January: 101
• Number of brands comprising the top 80% of phishing campaigns in January: 6
• Country hosting the most phishing websites in January: United States
• Contain some form of target name in URL: 45 %
• No hostname just IP address: 30 %
• Percentage of sites not using port 80: 8 %
• Average time online for site: 5.0 days
• Longest time online for site: 31 days
I feel there's a lot more to expect than trying to re-establish the communication over a broken channel, as far as E-banking is concerned.
More resources you might be interested in taking a look at are :
Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks
Netcraft: More than 450 Phishing Attacks Used SSL in 2005
SSL's Credibility as Phishing Defense Is Tested
Rootkit Pharming
The future of Phishing
Something is Phishy here...
Phishing Site Using Valid SSL Certificates
Thoughts on Using SSL/TLS Certificates as the Solution to Phishing
Technotati tags:
Security, Phishing, Scam, Banking
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Securing political investments through censorship
I try to extensively blog on various privacy and Internet censorship related issues affecting different parts of the world, or provide comments on the big picture they way I see it.
Spending millions -- 6 million euro here, and I guess you also wouldn't let someone spread the word whether the cover is fancy enough for a vote or not -- on political campaigns to directly or indirectly influence the outcome of an election, is a common practice these days. Whereas, trying to build a wall around a government's practices is like having a tidal wave of comments smashing it. I recently came across the following article : "
"Singapore has reminded its citizens that web users who post commentary on upcoming elections could face prosecution. Election commentary is tightly controlled under Singaporean law; independent bloggers may comment on the election, but must register their site with the Media Development Authority (MDA)."
I'm so not into politics -- and try not to -- but threatening with prosecution on commentary, registering users, while not first "introducing yourself" as "During the November 2001 elections, Singapore's political parties limited their use of the Internet to posting schedules and candidate backgrounds." isn't the smartest long-term political strategy ever, don't you think?
More resources on the state of censorship in Singapore worth checking out are :
Internet Filtering in Singapore in 2004- 2005: A Country Study
EFF "Censorship - Singapore" Archive
Censorship in Singapore
To Net or Not to Net: Singapore’s Regulation of the Internet
Censorship Review Committee 2002/2003
The Internet and Political Control in Singapore
Technorati tags:
Censorship, Politics
Spending millions -- 6 million euro here, and I guess you also wouldn't let someone spread the word whether the cover is fancy enough for a vote or not -- on political campaigns to directly or indirectly influence the outcome of an election, is a common practice these days. Whereas, trying to build a wall around a government's practices is like having a tidal wave of comments smashing it. I recently came across the following article : "
"Singapore has reminded its citizens that web users who post commentary on upcoming elections could face prosecution. Election commentary is tightly controlled under Singaporean law; independent bloggers may comment on the election, but must register their site with the Media Development Authority (MDA)."
I'm so not into politics -- and try not to -- but threatening with prosecution on commentary, registering users, while not first "introducing yourself" as "During the November 2001 elections, Singapore's political parties limited their use of the Internet to posting schedules and candidate backgrounds." isn't the smartest long-term political strategy ever, don't you think?
More resources on the state of censorship in Singapore worth checking out are :
Internet Filtering in Singapore in 2004- 2005: A Country Study
EFF "Censorship - Singapore" Archive
Censorship in Singapore
To Net or Not to Net: Singapore’s Regulation of the Internet
Censorship Review Committee 2002/2003
The Internet and Political Control in Singapore
Technorati tags:
Censorship, Politics
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Insider fined $870
Insiders still remain an unresolved issue, where the biggest trade-off is the loss of productivity and trust in the organizational culture. According to the Sydney Morning Herald :
"A court in Guangzhou, capital of the southern Chinese province of Guangdong, has upheld a lower court's guilty verdict against Yan Yifan for selling stolen passwords and virtual goods related to the online game "Da Xihua Xiyou.The court upheld a $870 US fine, arguing that victimized players had spent time, energy, and money to obtain the digital items Yan sold. Yan stole the players' information while an employee for NetEase.com, the company behind the game."
So, it's not just 0days, Ebay/PayPal accounts, and spyware market entry positions for sale -- but virtual world goods as well.
While it's not a top espionage case, or one compared to the recent arrest of "two men, identified as Lee and Chang, on charges of industrial espionage for downloading advanced mobile phone designs from employer Samsung for sale to a major telecommunications firm in Kazakhstan", insiders still represent a growing trend that according to the most recent FBI's 2005 Computer Crime Survey, cost businesess $6,856,450.
Then again, failing to adequatly quantify the costs may either fail to assess the situation, or twist the results based on unmateliazed, but expected sales, as according to the company, "Samsung could have suffered losses of $1.3 billion US had the sale been completed." Trust is vital, and so is the confidence in Samsung's business case.
Technorati tags:
Security, Insider, Espionage
"A court in Guangzhou, capital of the southern Chinese province of Guangdong, has upheld a lower court's guilty verdict against Yan Yifan for selling stolen passwords and virtual goods related to the online game "Da Xihua Xiyou.The court upheld a $870 US fine, arguing that victimized players had spent time, energy, and money to obtain the digital items Yan sold. Yan stole the players' information while an employee for NetEase.com, the company behind the game."
So, it's not just 0days, Ebay/PayPal accounts, and spyware market entry positions for sale -- but virtual world goods as well.
While it's not a top espionage case, or one compared to the recent arrest of "two men, identified as Lee and Chang, on charges of industrial espionage for downloading advanced mobile phone designs from employer Samsung for sale to a major telecommunications firm in Kazakhstan", insiders still represent a growing trend that according to the most recent FBI's 2005 Computer Crime Survey, cost businesess $6,856,450.
Then again, failing to adequatly quantify the costs may either fail to assess the situation, or twist the results based on unmateliazed, but expected sales, as according to the company, "Samsung could have suffered losses of $1.3 billion US had the sale been completed." Trust is vital, and so is the confidence in Samsung's business case.
Technorati tags:
Security, Insider, Espionage
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Comments (Atom)