Last week's RSA Conference in San Jose generated considerable activity across the news wires, with vendors pulling out all the stops to make sure they get a slice of the security limelight.
By far the most sobering stat that made the headlines last week, however, was that a quarter of a million new zombie PCs come online every day, according to e-mail security firm CipherTrust.
That's a staggering number, but if the log of a firewall connected to almost any ISP's network is examined, this statistic becomes a whole lot more believable. All day long, that firewall will be hit by port scans and pings, some harmless, but most representing an infected PC elsewhere on the network trying to propagate its infection.
It's no surprise, then, to hear that an unprotected PC on the public Internet is likely to pick up its first virus or Trojan infection within seconds.
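As an added illustration (not part of the original column), here is a small Python script that reads constructed firewall log lines in iptables/syslog style and separates sources probing many distinct ports (the propagation scans the column describes) from sources that merely ping or touch a single port; the log lines, addresses and thresholds are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables/syslog style (not taken from any real firewall).
SAMPLE_LOG = """\
Feb 20 09:01:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=135
Feb 20 09:01:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=139
Feb 20 09:01:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=445
Feb 20 09:01:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=1025
Feb 20 09:01:04 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=3389
Feb 20 09:01:05 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=ICMP TYPE=8
Feb 20 09:01:06 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=ICMP TYPE=8
Feb 20 09:01:09 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP DPT=80
"""

# Pull out the source address, protocol and (for TCP/UDP) the destination port.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+)(?: DPT=(?P<dpt>\d+))?")


def summarise(log_text):
    """Per source IP: the set of distinct destination ports hit, and the ICMP hit count."""
    ports = defaultdict(set)
    pings = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not firewall DROP records
        src, proto, dpt = m.group("src"), m.group("proto"), m.group("dpt")
        if proto == "ICMP":
            pings[src] += 1
        elif dpt:
            ports[src].add(int(dpt))
    return ports, pings


def classify(log_text, scan_threshold=4, ping_threshold=2):
    """Label each source as 'scanner' (many distinct ports), 'pinger' or 'single'.

    The thresholds are assumptions for the example; tune them to the real log volume.
    """
    ports, pings = summarise(log_text)
    verdict = {}
    for src in set(ports) | set(pings):
        if len(ports[src]) >= scan_threshold:
            verdict[src] = "scanner"
        elif pings[src] >= ping_threshold:
            verdict[src] = "pinger"
        else:
            verdict[src] = "single"
    return verdict
```

Run against a real log, a 'scanner' verdict for an address inside your own ISP's range is the kind of signal that points to an infected customer machine rather than an external attacker.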
Authentication is it
At the RSA Conference, Microsoft's Bill Gates touted Infocards as the future of online authentication and promised security without passwords, while Cisco punted body-like network security as the way to go.
Mariette Du Plessis, events programme director, ITWeb
According to Gates, the next release of Internet Explorer will support the Infocard technology, which is Microsoft's next-generation online authentication system and part of the WinFX programming model.
Gates also made bold statements, like claiming 90% of computer users say that spam is no longer a major problem.
The future according to Cisco is somewhat different, with CEO John Chambers predicting the end of pin-point security applications. Security, according to Chambers, has to be integrated through the network and cooperate to effectively defeat online threats.
He even went so far as to claim that security by individual products would fail to keep up with future network developments as devices, users, companies and networks become ever more tightly integrated.
Cisco earlier in the week unveiled the Content Security and Control security services module and an updated Cisco Security Management Suite. The products will allow enterprises to flag attacks exploiting unpatched flaws by analysing network traffic and looking for abnormal patterns.
Secure transactions
Panellists at the RSA Conference lashed out at banks and financial institutions for failing to use best security practices. Banks, for instance, fail to encrypt all the pages on their corporate Web sites, which causes users to stop looking for the padlock that indicates that a site is using encryption, the panellists said. Banks also tend to use confusing domain names, which again creates complacency when users reach a site with an awkward domain name.
So RSA and Sun promptly came to the rescue with new authentication and encryption tools and solutions to aid secure online transactions.
RSA plans to engage in a series of new partnerships to push its two-factor authentication capabilities into a broad range of devices including mobile phones, USB devices and PCs.
This is quite a major change in RSA's strategy and signals a move away from its traditional token-based approach, but it did launch a transaction signing token (the SID900), which will give Internet users the ability to digitally "sign" online transactions, thus preventing man-in-the-middle and phishing attacks.
Sun meanwhile announced that its Java System Web Server 7.0 will support Elliptic Curve Cryptography (ECC), which will reduce the time it takes to complete secure transactions. Sun also released the Crypto Accelerator 6000, an ECC-enabled tool designed to handle simultaneous transactions for secure online networks.
Another change in tactics came from Sophos, which announced it would be moving into hardware, offering firms a software suite bundled on a plug-and-play appliance.
The ES-4000 appliance, already available, protects between 1 000 and 5 000 users, said the company. The appliance has dual 146GB hard disks and dual power supplies, since these are the parts that fail most often, according to Sophos.
Smarter phishing
In other news from the RSA Conference, it seems there's no letting up on phishing attacks this year, as January set a new record for the number of sites detected.
The Anti-Phishing Working Group spotted about 9 000 phishing Web sites in January, up from last December's record number of 7 197.
One interesting statistic released was that the average phishing Web site stays online for only eight hours and, on average, catches 15 to 20 victims for every million e-mails sent.
The latest development, according to the group, is the rise of corporate phishing, where attackers aim to steal confidential information or gain access to corporate networks. Attackers there are often using instant messaging to contact their victims, as many businesses use messaging networks internally.
Even more concerning is that phishing scams are becoming more and more sophisticated. The latest scams, according to the SANS Institute, use valid-looking SSL certificates to fool people into believing they are using a legitimate secure site. The SANS Institute says the scam uses a carefully crafted e-mail, with links to reasonably convincing domains and text that contains part of the customer's credit card number.
Business headaches
It is not surprising, then, that new research released by the Business Software Alliance at the conference shows decision makers have grown more concerned about security in the past two years.
The survey of 410 IT decision makers, carried out by analyst firm Forrester last month, found nearly three-quarters of respondents said IT security has become critical to their business planning, with 81% reporting concerns about financial losses due to downtime.
In line with this, Symantec CEO John Thompson warned that the lack of online security is starting to hurt businesses throughout the economy, as consumers begin to lose confidence in computer networks.
Thompson cited research studies that found 41% of consumers are less likely to make online purchases because of security concerns. In another study, 32% of respondents indicated they believe their financial information will soon get stolen.
No storm in a teacup
The US government's Cyber Storm "world hack" was quite successful, it seems. The exercise simulated a sophisticated cyber attack through a series of scenarios directed against critical infrastructures, and involved 115 public, private and international agencies, organisations and companies.
One of the scenarios simulated an incident in which a utility company's computer system was breached, causing numerous disruptions to the power grid. But the government was quick to point out that, while the exercise was based on a hypothetical situation, it was not intended as a forecast of future terrorist threats.
Perhaps the SA government will not be as brave, but SA had best start thinking ahead to 2010, when the country will take centre stage with the Soccer World Cup.
Apparently police were investigating a would-be hacker last week, after threats to attack the internal computer network of the Torino Olympics organising committee. Given that we can't even get the Gautrain project to start on time, what are the chances that SA will be able to fend off a global hacker attack by 2010?
I suppose only time will tell.
Sources used: ITWeek, ZDNet, The Register.