Panel Addresses Computer Security Concerns
By Vicki W. Kipp
SBE CHAPTER 24 NEWSLETTER
January 26, 2006
On January 26, 2006, Accelerate Madison presented a panel at the Fluno Center for Executive Education with the topic of “Security: Trends in Risk and Business Exposure.” Panelists informed the audience of IT professionals and students on security crimes, regulatory and financial drivers for security, consumer privacy, and tools for managing security risks. The panel was moderated by Joshua Heling, the Chief Technology Officer of Secure Pipe, Inc. Panelists were Kelly Fitzsimmons of Neohapsis, Chicago; David Meunier, Vice President and Chief Information Security Officer at CUNA Mutual Group; Steven Paulson, Special Agent with the Madison FBI office; and Craig Newman, Computer Forensics Instructor at Madison Area Technical College (MATC).
Joshua Heling kicked off the evening by presenting highlights of the biggest IT security attacks of 2005. Standout attacks included ChoicePoint, a company most people had never heard of, losing the personal information of 40 million people; Lexis-Nexis having 300,000 records compromised; a targeted attack on CardSystems, in which exploit code planted 8 months before the attack resulted in the release of 40 million credit card numbers and personal accounts; a T-Mobile attack that publicized Paris Hilton’s cell phone number and other personal information; the Israeli corporate espionage incident; and the Sober worm. Regarding the Israeli incident, three of the top private investigation firms in Israel were implicated in an attack to distribute a Trojan to top corporate networks. When the potential victims contacted the support address because they were unable to open the Trojan file, disguised as an investment opportunity PowerPoint show, the bold criminals mailed the soon-to-be victims a CD that contained the Trojan. The Sober worm was one of the largest email outbreaks in history. A new variant made a comeback on Thanksgiving Day 2005, doubling email volume for a time.
According to CIO magazine, cyber security incidents were up 22% in 2005 from 2004, and the baseline cyber security threat is increasing. Each year the SANS Institute (SysAdmin, Audit, Network, Security) loads a computer with the Microsoft Windows operating system, places it on the Internet without protection, and times how long it takes before the computer is compromised. In 2003, the average was 40 minutes; in 2005, it was just 20 minutes. According to Heling, computer crime is a business, not just a prank or a nuisance. The Internet favors the attacker by providing a cloak of anonymity, the ability to victimize people from a distance, and the ability to scale large-volume attacks at little cost to the attacker. Heling mused that security is analogous to analog electronics rather than digital electronics: security is not “all on” or “all off”; it is context specific.
FBI Special Agent Steve Paulson reported findings from the 2005 FBI Cyber Computer Crime Survey. The main observation of the survey is that most people don’t report cybercrime. Cybercrime examples include viruses, Trojans, worms, spyware, and a nonstop barrage of spam emails. The risk of internal and external network intrusion attempts is high. According to Paulson, most intrusion attempts originate in the United States or China.
David Meunier of CUNA Mutual explained that the attacks on and security vulnerabilities of computers are ever-changing. An evolving threat to on-site security is the camera-equipped cellular phone. In the past, companies could minimize the risk of having private data photographed by forbidding camera-equipped cellular phones on premises. Today, digital cameras in cellular phones have become so ubiquitous that it is no longer practical to forbid the potentially compromising technology. Meunier predicts that we’re not far from the day when virtually all cell phones will include a digital camera.
Craig Newman of MATC stressed that encryption is the only method that keeps personal data private. Newman thinks it is inevitable that networks will eventually be compromised. He explains, “If you keep throwing objects at a target, you’re eventually going to take it down.” Newman outlined his vision for the secure computer of the future. In Newman’s eyes, the computer will have two operating systems (OSs): one OS for user applications and a separate OS for security and encryption.
Kelly Fitzsimmons, CEO of Neohapsis, tests five new technologies in her lab each year for security vulnerabilities. In the past, a network was considered to have a solid secure perimeter if anti-virus software, a firewall, and a virtual private network (VPN) were in place. Now, that “secure” perimeter is shifting, and proving to be less stable than once thought.
Fitzsimmons suggests that organized crime is the main culprit of cybercrime. Information theft from financial clients is the most prevalent security problem today. In large businesses, attackers seek human resource records that contain a social security number, address, and a bank routing number. Such personal information would net $30 a victim on the illegal market. Laptop computer theft is a common “end user” attack.
Fitzsimmons laments that well intended government regulations and required paperwork slow down the fight against information crimes. She applauds the publication of “Best Practices” to manage and respond to information theft effectively.
When asked if the computer industry is winning or losing the battle against cybercrime, three of the four panelists voiced that we are losing the security battle. One expert, Newman, suggested that the computer industry is holding its own in the battle, but that a major storm is brewing. Newman suggests that some nation-states are gearing up for more severe cyber-attacks on the United States. In a moment of levity, one of the experts observed that circulating viruses are better at patching themselves against weaknesses than the commercial operating systems that we rely on.
A Whole New Language
Computers have added many words to our lexicon that didn’t exist a decade ago: phishing, pharming, biometrics, etc. (See Security Buzzwords)
Phishing, the new form of social engineering, is an automated cybercrime in which the perpetrators mine personal data by tricking the victims with a crisp, authoritative email pretending to represent a financial institution with which the victim is affiliated. The click-through success rate is 3 to 5%. This is more successful than a typical legitimate direct mail campaign. The average phishing scam yields a thousand dollars per victim. While the typical phishing web site only stays up forty-eight hours, it takes investigators two weeks to track the origination of the site backwards through all of the routing hops. US investigators often track these scams to Eastern Europe, where local governments have little interest in prosecuting the perpetrators.
One expert advised businesses to customize their security solution for each environment. There is no longer a single “silver bullet” approach to security. For example, web sites may choose to no longer offer to store credit card information as a convenience to returning customers because the burden of doing so is too great.
Newman observed that past good practices would dictate sending a password through an entirely different channel than the one the related data was traveling on. However, that may no longer be possible since people are shifting to Voice Over IP (VoIP) services. With voice over IP, a phone call is no longer out-of-band with data communication. The phone call revealing a password now travels down the same wire as the password-protected traffic. When asked how to encourage users to adopt more secure practices, Newman conceded that it’s very difficult to limit the actions of minors on computers. Adults, however, do a better job of minding their security practices because they face the consequence of having their credit card number in the hands of criminals if they are careless with security.
The Dreaded Letter
Before the “California Privacy Act” passed, most people would never have realized that their personal data had been unintentionally released. California passed a law that fines companies that allow their users’ personal data to be revealed and requires that victims be notified of the breach in a letter.
Other states soon followed California’s lead in passing privacy legislation. Unfortunately, the legislation passed in all the other states tends to be duplicative and places a cumbersome burden of compliance on companies.
Fitzsimmons expressed that all the state laws are practically the same, but politicians in each state want to pass their own version in order to have their name connected with it. Consumers would be better served by a unified national law. Fitzsimmons suggests that the Wisconsin Privacy Act is harmful to consumers because it requires companies to notify “information release” victims even if the lost data was encrypted. She feels that this indiscriminate requirement creates a disincentive for companies to encrypt personal data. Fitzsimmons claims that market forces alone don’t result in secure practices. She cites thoughtful policy as the only real solution.
Avoidance Strategies
Some institutions hold community education events. Companies can fight fraud by reporting phishing attacks on their web site. Other companies communicate that they won’t ask personal questions in email. Another approach is to allow each user to customize their login to a corporate web site with a personal graphic, so that the user can verify they are at the proper web site before entering a password.
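The "personal graphic" login described above works as a two-step exchange: the user gives a username, the real site answers with the image that user chose at enrollment, and only after seeing the expected image does the user type the password. The following is an added example, not code from the newsletter or from any of the panelists' companies, modelling that exchange in Python; the account store, the `Server`, `SpoofedServer` and `client_login` names, and the sample user are all constructed for illustration.

```python
"""Added example: a minimal model of the personal-image login scheme.
The image chosen at enrollment is shown after the username is entered
and before the password is requested, so the user has something to
check before handing over a credential. All data here is constructed."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    image_id: str  # personal graphic chosen by the user at enrollment


@dataclass
class Server:
    """Simplified account store for the genuine site (hypothetical)."""
    accounts: dict = field(default_factory=dict)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted, iterated hash so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str, image_id: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, self._hash(password, salt), image_id)

    def login_step1(self, user: str) -> Optional[str]:
        """Step 1: username in, personal image out (None if unknown user)."""
        acct = self.accounts.get(user)
        return acct.image_id if acct else None

    def login_step2(self, user: str, password: str) -> bool:
        """Step 2: constant-time comparison of the password hash."""
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, self._hash(password, acct.salt))


class SpoofedServer:
    """A look-alike site that never learned the user's image (hypothetical)."""

    def login_step1(self, user: str) -> Optional[str]:
        return "generic-logo"

    def login_step2(self, user: str, password: str) -> bool:
        return True  # would accept anything; it only wants the password


def client_login(server, user: str, expected_image: str, password: str) -> str:
    """Client side: refuse to send the password unless the image matches."""
    shown = server.login_step1(user)
    if shown != expected_image:
        return "refused: site did not show my personal image"
    return "ok" if server.login_step2(user, password) else "bad password"


def demo() -> dict:
    real = Server()
    real.enroll("alice", "correct horse", image_id="blue-sailboat")
    return {
        "real": client_login(real, "alice", "blue-sailboat", "correct horse"),
        "wrong_pw": client_login(real, "alice", "blue-sailboat", "wrong"),
        "spoof": client_login(SpoofedServer(), "alice", "blue-sailboat", "correct horse"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The check is only as strong as the user's habit of refusing to continue when the image is missing or wrong; the model above encodes that refusal in `client_login`, but on a real site it is a human decision, which is why the panel framed the graphic as a help for the user rather than a replacement for other controls.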
While the Internet is the source of most security threats, it also provides some support after a person has been attacked. At the Internet Crime Complaint Center (IC3), users will find a clearing house for cybercrime reporting. This site receives postings of Internet auction fraud, phishing, and pharming.
Biometrics Not So Secure
While biometrics was once thought to be a security silver bullet, real-life experience has demonstrated otherwise. Several panelists implied that fingerprint reading technology seems to be easily defeated. One expert claimed that a clay hand with warm saline circulating through it can be used for fingerprint spoofing. Even a gummy bear can be used to emulate a fingerprint.
One panelist reported that Trojan biometric keyboards were mixed in with a massive supply of legitimate biometric keyboards manufactured in Australia. It has proved impossible to identify and weed out the compromised keyboards. A weakness of biometric security is that a person’s logon and password (based on a scan of the human body) remain the same for a lifetime. Once security is compromised, the person has no way to change their biometric output.
Extreme Encryption
There was consensus among the panelists that encryption is the gold standard for security. Newman predicts that either we will abandon personal privacy altogether or we will adopt extreme encryption, used for every last communication.
Conclusion
No matter what approach individuals and companies use to guard against information crime, there will be breaches. Unfortunately, security against cybercrime and the consequences of cybercrime have a tangible effect on all consumers and shareholders. The expense of maintaining security and losses from failed security are passed on to the legitimate stakeholders.
____________________________________________________________
SECURITY BUZZWORDS
Biometrics – Measurable human physical characteristics are automatically checked for authentication. These characteristics include face, fingerprint, hand geometry, retina, iris, signature, vein, and voice.
Encryption – Data is translated into a secret code that requires access to a key or password in order to decrypt it. Encrypted data is called cipher text and unencrypted data is known as plain text.
Phishing – A false email is sent to a user claiming to be a legitimate business, directing the user to a web site where they are prompted to update personal information that the established organization already has. The sole purpose of this web site is to steal personal information for identity theft.
Spear Phishing – This phishing attack targets a single user or department of an organization. An email that appears to come from a company employee in a position of trust requests usernames or passwords or asks employees to click on a link (which deploys data theft spyware). Hackers use login information to access company networks.
Pharming – Pharming is similar to phishing, but it seeks private information through domain spoofing rather than through malicious links in email requests. Pharming hijacks a Domain Name System (DNS) server by injecting false data into it, redirecting users from a legitimate site to a dangerous one. Pharming is difficult to detect because the browser will continue to indicate to the user that they are at the correct web site.
Shadownet – An Internet service provider for phishing and pharming web sites.
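Because pharming (see the Pharming entry above) leaves the name in the address bar unchanged, any detection has to look at what the name resolved to rather than at what the user sees. The following added example, which is not code from the newsletter or from any panelist, checks resolver answers against a pinned baseline of address ranges; the hostnames, the baseline and the sample answer lines are constructed, using the RFC 5737 / RFC 3849 documentation address blocks, and the `dig`-style record layout is assumed.

```python
"""Added example: flag DNS answers that fall outside a pinned baseline.
Names, baseline ranges and answer lines are constructed sample data."""

import ipaddress

# Constructed baseline: hostname -> address blocks it is expected to resolve into.
BASELINE = {
    "bank.example.": [ipaddress.ip_network("203.0.113.0/28")],
    "mail.example.": [ipaddress.ip_network("198.51.100.0/28")],
}

# Constructed resolver answers in zone-file style: NAME TTL CLASS TYPE RDATA
SAMPLE_ANSWERS = """\
bank.example.   300  IN  A      203.0.113.5
bank.example.   300  IN  A      192.0.2.77
mail.example.   600  IN  A      198.51.100.9
www.example.    300  IN  CNAME  bank.example.
bank.example.   300  IN  AAAA   2001:db8::1
"""


def parse_answers(text):
    """Yield (name, rtype, rdata) for each A/AAAA record; other types are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue  # blank line, comment, or not a five-field answer record
        name, _ttl, _cls, rtype, rdata = parts
        if rtype in ("A", "AAAA"):
            yield name, rtype, rdata


def check_answers(text, baseline=BASELINE):
    """Return (name, address, reason) for every answer outside the pinned ranges."""
    findings = []
    for name, rtype, rdata in parse_answers(text):
        allowed = baseline.get(name)
        if allowed is None:
            continue  # name is not pinned, nothing to compare against
        addr = ipaddress.ip_address(rdata)
        # Version mismatch (IPv6 address vs IPv4 block) is simply "not contained".
        if not any(addr in net for net in allowed):
            findings.append((name, str(addr), f"{rtype} answer outside pinned range"))
    return findings


if __name__ == "__main__":
    for name, addr, reason in check_answers(SAMPLE_ANSWERS):
        print("ALERT", name, addr, reason)
```

On the sample data the second `bank.example.` A record and its AAAA record are flagged, while `mail.example.` passes; the cost of this approach in practice is keeping the baseline current as legitimate addresses change, so it suits a short list of high-value names rather than every host.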