Security archives - The Network Hub


Apr 29 2009   3:47PM GMT

Swine flu begets spam



Posted by: Shamus McGillicuddy
spam, Security

How appropriate. The swine flu hysteria is generating new email spam. If Monty Python’s Flying Circus were still in business, they’d put together a wonderful skit about this. (Spaaaaam, oh wonderful Spam!)

Cisco IronPort reports that messages about swine flu now make up 4% of global spam messages.

Here are some of the subject lines you will be seeing in your inboxes soon:

  • Swine flu worldwide
  • Swine flu in the USA
  • Swine flu fears
  • First US swine flu victims
  • Swine flu in Hollywood
  • Salma Hayek caught swine flu
  • Madonna caught swine flu

Those last two subject lines are particularly devastating to anyone who is a fan of bad 1990s comedies co-starring Matthew Perry or mediocre 1980s pop music.

Mar 30 2009   8:18PM GMT

Conficker worm to strike April 1



Posted by: Tessa Parmenter
Networking, Network security, Windows Security

Although Microsoft Conficker/Downadup infections were not a major threat a couple months ago, sources ranging from Brink to The New York Times (Computer Experts Unite to Hunt Worm) say that on April 1, 2009, the worm will be programmed to run a mystery doomsday attack.

For those unfamiliar with the threat, it has been considered the biggest botnet ever. According to Microsoft’s Malware Protection Center, on March 4, 2009, a peer-to-peer (P2P) mechanism has been added to the latest iteration of the worm — making this the fourth evolution (Conficker A/B/C and now D) since October of 2008.

No one knows exactly what the worm will do on April Fool’s Day, as much Conficker disaster speculation abounds. While some guess it will bring down the Internet, such a feat would run contrary to the very nature of botnets. A network of viral computers usually sends out spam — swindling victims out of money. If the Internet were down, whoever started the threat wouldn’t make money. However, using the zombie computers to ping a site at the same time to create a denial of service (DoS) attack would be much more likely. This would enable the creator to steal confidential corporate data (Source: ABC news “Conficker Computer Worm Threatens Chaos”).

The good news is that if you haven’t been infected by Conficker already, there’s a pretty good chance you won’t. Computers on your network that have legal licenses of Windows and up-to-date anti-virus software won’t be subjected to the threat (Conficker, Downadup worm hype?). Take SearchSecurity.com contributor Eric Ogren’s “Microsoft Conficker worm offers attack prevention lesson” if you’re worried.

If you’re still worried, let’s just hope then that the Internet Corporation for Assigned Names and Numbers (ICANN)-bird gets the worm.


Jan 15 2009   6:47PM GMT

PCI Compliance: Not easy, but not optional



Posted by: Michael Morisy
compliance, Security, Wireless, WEP

While working on a story about how updates to PCI compliance rules will phase out WEP for retailers who process credit cards, I came across one of the more interesting takes on PCI compliance, by Anton Chuvakin, who’s written or contributed to a number of books on the subject and now works at compliance solutions company Qualys.

As Anton sees it, there are two camps in the compliance world:

1. “Please, please make PCI easier by letting us skip the requirements; or, better, just let us ‘SAY YES ON THE SAQ!’” camp.
2. “We know that our security program makes us PCI-compliant; please make it easier for us to prove it!” camp.

For the former, Anton recommends ScanlessPCI*, a simple, quick banner that shows your customers you are PCI compliant — while actually proving, and doing, nothing.

The latter camp, in which I hope (pray?) most of our readers fall, might be better served by investigating tools and techniques to help prove that their security passes muster, which is exactly the advice Petco’s vice president of network and store systems J. Smith gave me.

“All vendors are definitely not created equal,” he said. “And all you have to do is ask your vendor where they stand in terms of upcoming compliance.”

If you’re looking for some more insight into how you can make sure you’re headed down the right path, you’re in luck, because TechTarget has just launched a brand new IT Compliance Advisor Blog, and SearchCompliance.com is launching tomorrow for all your PCI — and other — compliance needs (a sneak preview is up today in case you can’t wait).

But the takeaway message? Even as everything else in the world seems to be getting cut back, the cost of PCI violation fines or, worse, an actual intrusion, is too great to risk. Trying to go the ScanlessPCI route is as deluded as thinking you’ll get money for nothing …


*NB: ScanlessPCI is, of course, a joke service, legitimate as the page may look. Don’t expect your compliance officer to be pleased if you try and pass it off!


Dec 3 2008   10:13PM GMT

What’s 007 in binary?



Posted by: Michael Morisy
Security, Cisco, Network, social engineering, spying, FBI, Network testing and hacking, Iran

If you ever find your networking career a little too pedestrian, always know that your IT skills can land you a much more exciting gig if you’re willing to take the risk:

Ali Ashtari, 43, a computer and hi-tech equipment buyer for Iran’s defence industry and nuclear programme, was hanged after admitting he worked for Israel. It is the first known conviction of an alleged Israeli agent in Iran for almost 10 years. …

Behind their backs he allowed the software he bought to be subtly doctored by Israeli computer engineers before it was imported to Iran. Ashtari confessed: “Mossad’s goal was to sell specialised computer equipment through me to Iranian intelligence organisations.”

The case echoes the FBI’s warning not too long ago about Cisco knockoffs as potential Trojan horses, but this time, the threat was apparently real — or at least real enough for Iran to take action.

Corporate espionage is a very real threat, as Intel found out recently, but people aren’t generally executed for it.

As for me? I’ll stick with the IT spying antics of Chuck — a little less realistic, perhaps, but fewer people end up getting killed. In this clip, Chuck and company use social engineering techniques, one of network security’s weakest points, to infiltrate the opposition.

Aug 11 2008   4:52PM GMT

If MIT students ride your subway system, you’d better beef up network security



Posted by: Shamus McGillicuddy
Network security, Network, Network devices

Shocking news: The RFID fare card system that the Massachusetts Bay Transportation Authority (MBTA) uses on its buses and subway is totally hackable.

This past weekend, three Massachusetts Institute of Technology (MIT) students (Alessandro Chiesa, RJ Ryan, and Zack Anderson) were supposed to deliver a presentation at Defcon, a hacker conference in Las Vegas, about how they hacked the MBTA’s “Charlie Card” fare card system. They created software that allowed them to create clones of the RFID cards that could allow them to ride for free on the transit system forever.

They made one mistake. Before delivering their presentation, they met with MBTA officials to warn them about the transit system’s insecurity and to offer tips on how to protect it. The MBTA responded by seeking and winning a court injunction, preventing the students from presenting their findings.

However, the injunction didn’t come through until after the students had already distributed copies of their PowerPoint presentation to all Defcon attendees. Those slides are now available online via The Tech, MIT’s student newspaper.

The slides reveal some very disturbing but unsurprising pieces of information. For instance, the turnstile control boxes in Boston’s subway stations are often unlocked and wide open. High-tech surveillance stations are often left unattended (I’ve seen this myself many times at the Back Bay T station.). Official MBTA materials, such as MBTA inspector coat patches, MBTA hats and MBTA license plates are available on eBay. The students were even able to find an unlocked room where the network switches that connect fare card vending machines to the MBTA’s internal network are located.

Was the MBTA trying to get hacked? Look at the photographs and see for yourself.

This should come as no surprise. After all, this is an organization that is running a $75 million deficit, despite a 27% fare increase in January 2007 and a 6.1% increase in ridership during the last fiscal year. Does anyone expect them to run a tight ship?

Any organization in Boston should be on its toes at all times. MIT is known for its hacking hijinx. Just look at the school’s own website, where you can find a gallery of Interesting Hacks to Fascinate People.


Jun 18 2008   7:43PM GMT

Open mobile devices get the most market penetration



Posted by: Tessa Parmenter
iPhone, Mobile, Network devices

To be a player in the mobile device or network appliance game, having an open platform is a must, according to MLB.com CEO Robert Bowman at the Mobile & Wireless World conference keynote last week.

In a closed device platform, content providers have to go through a carrier to get to the pipe to get to their consumers. In an open device platform, the content providers go straight to the pipe which goes to their consumers — and this eliminates the middle man.

Take the two most popular enterprise and consumer devices right now: the BlackBerry and the iPhone. It’s not a mistake that they’re popular. Bowman explained that the “iPhone and BlackBerry are considered the most open devices,” and that plays a factor in which devices will live longer.

In addition to a longer shelf-life, these devices also have the potential for greater market penetration in coming years. According to Bowman, by 2013, 3G phone penetration will rise from 9% to 27% in the U.S.

Along with this, average revenue per user (ARPU) for data will rise 21% to 75% in the next five years — so after your kid graduates high school, you’ll no longer be talking on your device; texting will take over the majority of your communication.

As mobile devices grow stronger in their coverage and market share, they’ll grow proportionately in the stronghold of our lives.

“How many times do you think you will look at this device?” Bowman asked, holding up a gleaming BlackBerry to his audience. It’s shiny; it’s aesthetically pleasing…

“It’s like your watch,” he explains: It will catch your eye, so you’ll look down at it. You’ll be bored, so you’ll look down at it. When someone asks you what time it is, you’ll have to look back down at it even though you’ve just looked at it because you didn’t think to read it…and this is how it will be with your BlackBerry, he says.

“The BlackBerry will be something you will look at 500 times a day,” Bowman calculated.

Think of all that face value time you’ll have with your device! I can only imagine what Craig Raine (author of “A Martian Sends A Postcard Home”) would have to say about our phones now:

“In homes [briefcases?], a haunted apparatus sleeps,
that snores [lights up??] when you pick it up.

If the ghost cries, they carry it
to their lips and soothe it to sleep

with sounds. And yet, they wake it up
deliberately, by tickling with a finger.”