Internet Security Alliance Review for July 10

July 10, 2009 by ADMIN

From The Internet Security Alliance

June 26, SoftPedia – (International) Over 2.7 billion vulnerable programs installed on U.S. computers. Reputed Danish vulnerability intelligence provider Secunia has recently released version 1.5 of its free Personal Software Inspector (PSI) application. Statistics gathered by the software reveal frightening numbers, such as 2,720,800,000 vulnerable programs being installed on U.S. computers. Secunia PSI is a free application that scans the programs installed on a computer in order to determine if they are affected by any security vulnerabilities. In order to make this assessment, PSI queries the company’s database of security advisories, one of the most complete in the world. If an application is found to be vulnerable, PSI verifies if any update or newer version that might fix the issue is available and provides the user with a direct download link to it. The tool also tags programs that have reached their end of life and are no longer supported by their developers as a security risk. According to Secunia, there is an estimated number of 227 million Internet users in the United States, out of which about 400,000 have scanned their computers with PSI. The company notes that PSI users currently have an average of four unpatched programs installed, while the average U.S. Internet user has 12 such applications on their computer. “The fact that US based PC users have more than 2.7 billion vulnerable programs installed is shocking! And quite frankly I am very surprised, we had an idea it would be bad, but couldn’t imagine the enormous scope of this problem. And to make things even worse, the picture formed in the US is the same all over the world,” the manager of Secunia’s PSI Partner Program noted. Secunia’s statistics seem to be consistent with the malware distribution trends observed in recent times.
Cyber-criminals have come to rely more and more on vulnerabilities in order to infect computers — and not just the ones affecting the Windows operating system itself, but other popular programs as well, such as Adobe Flash Player, Adobe Reader, Mozilla Firefox, Opera, Internet Explorer, PowerPoint, Word, and so on.

Source: http://news.softpedia.com/news/Over-2-7-Billion-Vulnerable-Programs-Installed-on-US-Computers-115129.shtml

June 26, PC World – (International) Security experts visualize botnets with an eye toward defense. Not all botnets are organized in the same way. That is the conclusion of a report from Damballa which seeks to categorize the dominant structures. It attempts to explain why certain types of blocking and filtering will work against some botnets, and not against others. “The ‘hybrid’ threat banner is often cast about,” says the vice president of Research at Damballa, an enterprise security company specializing in botnet mitigation, “But that label means nothing to teams tasked with defending the enterprise. By explaining the topologies (and their strengths and weaknesses) these teams can better visualize the threat.” The Star structure is the most basic and offers individual bots a direct communication with the Command and Control (CnC) server. It can be visualized in a star-like pattern. However, by providing direct communications with one CnC server the botnet creates a single point of failure. Take out the CnC server and the botnet expires. The vice president says the Zeus DIY botnet kit, out of the box, is a star pattern, but that botmasters often upgrade, making it multiserver. “In most cases, particular botnets can be classed as a member of just one CnC topology — but it is often down to the botnet master which one they choose.” Multi-Server is the logical extension of the Star structure, using multiple CnC servers to feed instructions to the individual bots. This design, says the vice president, offers resiliency should any one CnC server go down. It also requires sophisticated planning in order to execute. Srizbi is a classic example of a multi-server CnC topology botnet.

Source: http://www.pcworld.com/businesscenter/blogs/bizfeed/167492/security_experts_visualize_botnets_with_an_eye_toward_defense.html
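The Damballa item above explains why a takedown or block that works against a Star botnet fails against a Multi-Server one. The following is an added example, not Damballa's code or data: it takes constructed bot-to-CnC connection records (the bot names and `*.example` server names are made up), labels the topology as the article describes it, and checks whether blocking any single CnC server leaves every bot without a controller. It goes slightly beyond the text by also computing, greedily, which set of servers a defender would have to block to cut off every bot in the multi-server case.

```python
"""Classify a botnet's CnC topology from flow records and check the effect
of blocking CnC servers.

Added example for this digest; not Damballa's code.  All records below are
constructed: (bot, cnc_server) pairs standing for observed outbound
connections.  In the article's terms, a 'star' botnet has every bot talking
to one CnC server (a single point of failure); a 'multi-server' botnet spreads
bots across several servers so that no single block severs all of them.
"""
from collections import defaultdict

# Constructed sample data (hypothetical names, not real infrastructure).
STAR_FLOWS = [
    ("bot-a", "cnc-1.example"),
    ("bot-b", "cnc-1.example"),
    ("bot-c", "cnc-1.example"),
    ("bot-a", "cnc-1.example"),  # repeated beacon from the same bot
]

MULTI_FLOWS = [
    ("bot-a", "cnc-1.example"),
    ("bot-a", "cnc-2.example"),
    ("bot-b", "cnc-2.example"),
    ("bot-b", "cnc-3.example"),
    ("bot-c", "cnc-1.example"),
    ("bot-c", "cnc-3.example"),
]


def cnc_map(flows):
    """Map each bot to the set of CnC servers it has been seen contacting."""
    m = defaultdict(set)
    for bot, cnc in flows:
        m[bot].add(cnc)
    return dict(m)


def classify_topology(flows):
    """'star' when every bot shares exactly one CnC server, else 'multi-server'."""
    servers = {cnc for _, cnc in flows}
    if not servers:
        return "unknown"
    return "star" if len(servers) == 1 else "multi-server"


def surviving_bots(flows, blocked):
    """Bots that still have at least one unblocked CnC server."""
    blocked = set(blocked)
    return {bot for bot, servers in cnc_map(flows).items() if servers - blocked}


def single_points_of_failure(flows):
    """CnC servers whose removal alone leaves every bot without a controller."""
    servers = {cnc for _, cnc in flows}
    return sorted(s for s in servers if not surviving_bots(flows, {s}))


def greedy_block_set(flows):
    """Repeatedly block the server that still reaches the most live bots,
    until no bot has a live CnC.  Greedy, so not guaranteed minimal."""
    blocked = set()
    bots = cnc_map(flows)
    while True:
        live = surviving_bots(flows, blocked)
        if not live:
            return sorted(blocked)
        counts = defaultdict(int)
        for bot in live:
            for s in bots[bot] - blocked:
                counts[s] += 1
        # Highest count wins; ties broken by name so the result is deterministic.
        best = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[0][0]
        blocked.add(best)


if __name__ == "__main__":
    for name, flows in (("star sample", STAR_FLOWS), ("multi-server sample", MULTI_FLOWS)):
        print(name, "->", classify_topology(flows),
              "| single points of failure:", single_points_of_failure(flows),
              "| servers to block:", greedy_block_set(flows))
```

With the star sample, blocking `cnc-1.example` alone cuts off all three bots; with the multi-server sample no single server is a point of failure and all three have to be blocked, which is the resiliency the article attributes to that design.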

June 26, Baltimore Examiner – (International) Jackson, Fawcett spur Internet fraud. While most of the country mourns the deaths of two celebrities, fraudsters seek opportunity by tricking heartbroken followers. The United States Computer Emergency Readiness Team (US-CERT) issued an alert on June 26 warning of increased spam campaigns, phishing attacks and malicious code attacks surrounding the stars’ deaths. Some scams may result in identity theft. Fraudsters have taken advantage of other situations to swindle personal information and money following national and worldwide disasters such as Hurricane Katrina and the Asian Tsunami. In addition to phishing and malicious code attacks, there were many charity scams. Charity and fan paraphernalia scams are expected to be associated with the celebrities’ names. Some of these scams will claim to collect donations from unsuspecting consumers for charitable causes supported by the late stars. Some scams may collect credit card and bank account information as payment for charitable donations or for the purchase of celebrity memorabilia. There will be no donations or souvenirs; the financial account information handed over will be used by the fraudsters to commit existing account fraud, a form of identity theft.
Source: http://www.examiner.com/x-9215-Identity-Theft-Examiner~y2009m6d26-Jackson-Fawcett-spur-internet-fraud

June 26, Enterprise Security Today – (Oregon) Pro-Iranian regime hackers invade U.S. computers. Hackers posted a caustic message telling the U.S. President to mind his own business and stop talking about the disputed Iranian election on a U.S. university home page on June 24. Attempts to access the Oregon University System’s Web site were automatically redirected to another page, where readers viewed a message said to be from Iran that asserted there was no cheating in the election. That message was up for 90 minutes before university system technicians intervened. The hackers apparently took advantage of third-party software that had not been properly updated on the university system, a spokeswoman said. Hackers frequently attack the system’s computers, but technicians usually beat back their efforts, she said. She said no one’s personal computers were attacked. Also, no malicious software, which could give hackers remote access to computer hard drives, was introduced. There was no immediate indication why the hackers targeted the system, which oversees Oregon’s seven public universities.
Source: http://www.enterprise-security-today.com/story.xhtml?story_id=67383

June 26, IDG News Service – (International) China remains spam haven due to ‘bulletproof’ hosting. An overwhelming majority of Web sites promoted through spam are hosted in China at service providers that many times choose to ignore complaints and allow illegal activity, according to research from the University of Alabama. The director of research in computer forensics in the university’s computer and information sciences department wrote on his blog that it is well past the time to declare a spam crisis in China. The university reviewed millions of spam messages seen throughout this year from its Spam Data Mine, which analyzes junk mail for threats. In those messages were links to hundreds of thousands of Web sites. A total of 69,117 unique domains hosted those Web sites. Seventy percent, or 48,552, hosted Web sites that ended in “.cn,” the country-code top level domain for China. Again, about 70 percent of Web sites were located on computers within China. “It is very normal that more than one-third of the domain names we see each day in spam messages come from China,” the director wrote. “When one also considers the many ‘.com’ and ‘.ru’ domain names which are also hosted in China, the problem is much worse.” Typically when suspicious Web sites are detected, security companies will send a complaint to a hosting company, which may also act as a registrar, or seller of domain names. The site is typically taken offline. However, some companies in China and elsewhere offer so-called “bulletproof” hosting, where Web sites are allowed to stay online or spam operations can continue unabated.
Source: http://www.pcworld.com/businesscenter/article/167452/china_remains_spam_haven_due_to_bulletproof_hosting.html

June 26, BBC News – (International) Web slows after Jackson’s death. The internet suffered a number of slowdowns as people the world over rushed to verify accounts of an extremely popular entertainer’s death. Search giant Google confirmed to the BBC that when the news first broke it feared it was under attack. Millions of people who Googled the star’s name were greeted with an error page rather than a list of results. It warned users “your query looks similar to automated requests from a computer virus or spyware application.” “It’s true that between approximately 2:40 p.m. Pacific and 3:15 p.m. Pacific, some Google News users experienced difficulty accessing search results for queries related to the entertainer and saw the error page,” said a Google spokesman. Google’s trends page showed that searches for the entertainer had reached such a volume that in its so called “hotness” gauge the topic was rated “volcanic.” Google was not the only company overwhelmed by the public’s clamor for information. The microblogging service Twitter crashed with the sheer volume of people using the service. According to initial data from Trendrr, a Web service that tracks activity on social media sites, the number of Twitter posts on June 25 containing the entertainer’s name totaled more than 100,000 per hour. Keynote Systems reported that its monitoring showed performance problems for the web sites of AOL, CBS, CNN, MSNBC and Yahoo.
Source: http://news.bbc.co.uk/2/hi/technology/8120324.stm

June 30, National Business Review – (International) Xero taken offline by massive U.S. data center failure. One of the drawbacks of cloud computing was dramatically illustrated on June 30 as Rackspace, one of the world’s largest Web hosts, went offline for 45 minutes. New Zealand’s Xero was one of many SaaS (software-as-a-service) providers knocked out by the failure, with glitches continuing for hours. The accounting software provider went offline around 8:30 a.m. as Rackspace, which hosts all of Xero’s data, was hit by a still-unexplained, catastrophic failure. All Xero servers were back up and running by 9:10 a.m., the chief operations officer told NBR. Some customers were still reporting problems logging on through the morning and early afternoon, as recorded on Xero’s blog. The chief operations officer says these were cookie and DNS (domain name server) issues, which were resolved by asking customers to restart. The fault was caused by a power failure at the U.S. company’s giant data center in Dallas. But with Rackspace maintaining server farms around nine locations in the United States, United Kingdom, and Hong Kong, it is not clear why a failure at one facility took its systems completely offline. The power fault also took out Rackspace’s own Web site and help center, adding to the confusion. It was left to the company’s Twitter account to relay the disaster to the outside world. When Rackspace came back online, it was running on a mix of utility and backup power, the chief operations officer notes. He speculates that “there must have been some pretty significant component failure possibly at the point where maintenance work was being done.” He said the company could look at a second cloud host. Rackspace hosts sites and services for more than 62,000 companies.
Source: http://www.nbr.co.nz/article/xero-taken-offline-massive-us-data-centre-failure-104349

June 29, The Register – (International) Mitnick site targeted in DNS attack on Web host. A Web site belonging to a security expert was compromised after hackers managed to access a domain name server maintained by the site’s Web host and redirect visitors to pages that displayed pornographic images. It was the second time in the past few years that a security lapse at hostedhere.net has allowed hackers to redirect the site, the security expert told The Register. At time of writing, domain name system records for Mitnick Security have been restored, but some users continue to see the fraudulent Web site because many DNS caches still show the incorrect information. The security expert said, “My site was redirected and now this webhosting provider has to rebuild all their customer boxes.” The attackers never gained access to the server hosting the security expert’s site, and in any event, the site did not contain customer lists or other sensitive information, said the security expert.
Source: http://www.theregister.co.uk/2009/06/29/mitnick_website_targeted/

June 30, InformationWeek – (International) Zeus Trojan variant steals FTP login details. A new Trojan malware has been detected harvesting FTP account information from compromised computers. The number of affected accounts identified by Prevx, a maker of computer security software, rose from 66,000 on June 24 to 74,000 two days later. According to the director of research at Prevx, the Trojan is highly infectious. “We rate this infection as critical,” he said in a blog post on June 28. “The infection has a ‘China Syndrome’ potential. It includes a cyclic infection which leverages infected PCs to programmatically modify hi-volume Web sites to infect additional users who become part of the cycle. More users leads to more discovery of Web site admin credentials which in turn leads to more Web sites being modified to serve the infection which leads to more infected users.” The malware infects visitors to compromised Web sites using malicious JavaScript code. The malicious script redirects visitors to Web sites hosting exploit kits, which test visitors’ computers to find vulnerabilities in installed operating systems and applications to exploit. If a vulnerability is found and successfully exploited, malware is installed, a variant of the Zeus family. It scans compromised machines for FTP credentials and then posts those credentials to a Web server in the Cayman Islands. It also enlists the victim’s computer to further spread the infection.
Source: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218102149

June 30, Federal Computer Week – (National) Cyber command in urgent need of strategy, military leaders say. Military leaders from the Army, Navy, Air Force and Marine Corps expect the Defense Department’s new unified Cyber Command to rationalize military cybersecurity efforts. However, at the same time, the increasing complexity of cyberspace and ongoing workforce issues remain pressing challenges, adding urgency, they said, for the new command to articulate its strategy soon. “We made a conscious decision a year ago, knowing Cybercomm was coming, to [ensure the Army’s] direction was in sync with expected plans — and wait for the guidance,” said the Army’s assistant deputy chief of staff. “Now that [the Cyber Command] is here, my sense is now is the right time to move forward,” the assistant deputy added. But he cautioned it will be important to “get guidance from Cyber Command” soon, in terms of “what are the definitions, what are the forces and the structure, and not get ahead of that and create more confusion.” The assistant deputy, speaking at a cybersecurity conference held in Washington by the D.C. chapter of the Armed Forces Communications and Electronics Association on June 25, noted that cyberspace has become a complex operating environment that requires increasingly sophisticated skills.
Source: http://fcw.com/articles/2009/06/30/military-leaders-cyber-command-strategy.aspx

June 30, DarkReading – (International) ‘Mafiaboy’: cloud computing will cause Internet security meltdown. A reformed black-hat hacker, better known as the 15-year-old “mafiaboy” who, in 2000, took down Websites CNN, Yahoo, E*Trade, Dell, Amazon, and eBay, says widespread adoption of cloud computing is going to make the Internet only more of a hacker haven. “It will be the fall of the Internet as we know it,” the hacker said on June 30 during a Lumension Security-sponsored Webcast event. “You’re basically putting everything in one little sandbox…it’s going to be a lot more easy to access,” he added, noting that cloud computing will be “extremely dangerous. This is not the last you’re going to hear of this,” he said. A security and forensics expert for Lumension says cloud computing, indeed, will open up new avenues of risk. “We haven’t even handled the fundamentals of [securing it] in our existing environments,” the expert said during an interview after the Webcast. “Now we’re going to push it up to the cloud?” “Aside from the fact that the fundamental protocols are easily manipulated…social networking and dumpster diving have been going on a long time and are still extremely effective. The scariest aspect for business owners is their own employees compromising [them],” the hacker said. “Dumpster diving, social networking, and internal corporate sabotage will be the No. 1 threat. It’s imperative that corporations take a closer look at their employees.”
Source: http://www.darkreading.com/securityservices/security/attacks/showArticle.jhtml?articleID=218102139

July 1, The Register – (International) Torrentreactor breach serves potent exploit cocktail. Torrentreactor has long been regarded as one of the top BitTorrent search engines, and with the demise of The Pirate Bay, it is likely bigger than ever. Now, it has been breached and is serving a potent cocktail of exploits to people browsing the site, Websense Security Labs says. Attackers have managed to inject an iframe into the site that scours Torrentreactor visitors’ computers for a long list of vulnerable applications, including Adobe’s Reader and Shockwave programs and Microsoft’s Internet Explorer and Office Snapshot Viewer. When it finds one, it downloads and runs a malicious file. According to Websense, the malware has an extremely low detection rate, with just two of 32 anti-virus engines identifying the threat. Once executed, it installs a rootkit on victims’ machines. This is not the first time that security researchers have reported Torrentreactor foisting malware on its users. In March 2008, the site suffered a similar iframe attack. The malicious file in the latest compromise communicates with a server at 78.109.29.116, an IP address that Web searches suggest has ties to the Russian Business Network.
Source: http://www.theregister.co.uk/2009/07/01/torrentreactor_breach/

July 2, IDG News Service – (International) Apple patching serious SMS vulnerability on iPhone. Apple is working to fix an iPhone vulnerability that could allow an attacker to remotely install and run unsigned software code with root access to the phone. The attack in question exploits a weakness in the way iPhones handle text messages received via SMS (Short Message Service), said a security researcher, during a presentation at the SyScan conference in Singapore on July 2. He did not provide a detailed description of the SMS vulnerability, citing an agreement with Apple. The SMS vulnerability allows an attacker to run software code on the phone that is sent by SMS over a mobile operator’s network. The malicious code could include commands to monitor the location of the phone using GPS, turn on the phone’s microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet, the researcher said. Apple is working to patch the vulnerability and expects to have a fix ready later this month, before the researcher discusses the attack in greater detail during a planned presentation at the Black Hat USA conference in Las Vegas.
Source: http://www.pcworld.com/article/167758/apple_patching_serious_sms_vulnerability_on_iphone.html

July 5, Florida Times-Union – (Florida) Jacksonville data center’s security as advanced as its technology. When Barnett Banks Inc. built its 120,000-square-foot operations center on Jacksonville’s Southside in 1971, it built a facility that accommodates state-of-the-art technology and can withstand a Category 5 hurricane. For the past three months the building has been occupied by Colo5, a data center operator that offers colocation services to businesses — that is, it offers them a secure facility to store and maintain their information technology systems. The building is technologically advanced, but what stands out are its security features. It starts with 17-inch-thick concrete walls and windows covered by steel mesh screens that can withstand a 200-mile-per-hour projectile. The glass doorways are equipped with roll-down steel doors that can cover the glass in an emergency. The facility was actually built above ground and has a series of pumps underneath to keep water out. The building has three large diesel generators that will ensure a continuous power supply in case of a power outage. Colo5 is currently installing freezers and refrigerators for food storage, as well as an artesian well to supply water. Colo5 offers office space to its clients, and some do have staff permanently stationed at the building to maintain their information technology systems. The building is also equipped to house workers if a hurricane approaches.
Source: http://www.jacksonville.com/business/2009-07-05/story/jacksonville_data_centers_security_as_advanced_as_its_technology

July 6, PC Advisor – (International) Adobe to patch ColdFusion bug next week. Adobe Systems will have a patch ready next week for a flaw in its ColdFusion web development software that other security authorities say could result in a hacked system. The problem lies in the FCKEditor rich text editor, which is installed with ColdFusion 8, Adobe said on its security blog. Adobe also listed in its warning three steps that could in the meantime mitigate an attack. FCKEditor is an open-source application that handles file uploads and file management, but the feature is supposed to be disabled in the version embedded on a ColdFusion server, wrote a ColdFusion consultant who writes a blog called CodFusion. In some cases, the connector that enables the feature is left on. “If left on, this means a hacker might be able to directly call the file manager system to upload files and take control of the server,” he wrote. “FCKEditor has had some history on being exploited by this type of attack.” The SANS Internet Storm Center said it had seen a “high number” of websites running ColdFusion that had been compromised.
Source: http://www.pcadvisor.co.uk/news/index.cfm?newsid=118633

July 6, V3.co.uk – (International) McAfee glitch causes havoc for IT admins. A recent VirusScan update from McAfee caused mayhem for some IT administrators over the weekend, after it falsely reported that a range of critical system files were infected with a Trojan. The problem became apparent when users began posting to the company’s forums, complaining of false positives and even some cases of the dreaded blue screen of death. The issue seems to affect only those users running an outdated version of the VirusScan engine, but some running the latest version also reported false positives, although not with critical system files. McAfee has acknowledged a problem, and has released another update which corrects it. However, it appears that machines affected by the glitch will have to be repaired manually, as the quarantined files cannot easily be returned to their original locations. “Last Friday, McAfee was made aware of some incorrect identification when using no longer supported versions of the software,” explained a McAfee spokesman. “Customers reporting this issue have been confirmed to be running VirusScan Enterprise 7.1 or 8.0i specifically with the 5100 scanning engine that has not been supported for 18 months.” “Customers running 5200 or a newer scanning engine version have not been impacted. Current versions are VSE8.7 and scanning engine 5301. The incorrect identification was resolved in the daily release on Friday July 3rd.” The company has created an entry in its KnowledgeBase detailing the issue and offering potential fixes for those affected.
Source: http://www.v3.co.uk/v3/news/2245491/mcafee-update-glitch-causes

July 6, ZDNet – (International) June malware report – something’s phishy. June marked an increase in malware and the “highest rate of phishing attacks to date” on the Web, Fortinet’s latest report on online threats found. The threat management vendor released on July 6 its latest monthly report, which highlighted the current reign of Trojan horses and “disappointing” anti-spam campaigns. Of the overall 108 newly-reported vulnerabilities in June, 62 were actively exploited, indicating an “all-time high” of 57.4 percent, Fortinet said. Fortinet said the majority of overall activity came from the United States, which contributed 22 percent of all reported exploits. A significant proportion of the attacks were traced back to Asia — specifically, Singapore, Japan and Korea, which ranked second, third and fourth place, respectively. Some 13.57 percent of all attacks originated in Singapore. Online games sites hosted the largest number of Trojans, followed by Zbot variants W32/Zbot.M and W32/Zbot.V, which climbed to second and third place, respectively. The Zbot malware spreads keylogging and data-siphoning Trojans through e-cards sent via e-mail, directing users to malicious sites. Another commonly used malware redirecting visitors to infected sites was JS/PackRedir.A, which moved up 36 positions on the list to fifth position, said Fortinet.
Source: http://news.zdnet.com/2100-9595_22-318200.html

July 7, IT-ISAC – Multiple Microsoft Video Control ActiveX Remote Code Execution Vulnerabilities. Multiple vulnerabilities were discovered in the Microsoft Video Controller ActiveX Library, MSVidCtl, which can result in reliable remote code execution. These vulnerabilities pertain to both buffer overflows and memory corruption. CVE-2008-0015 is presently being exploited in the wild.
More Info: https://www.it-isac.org/postings/cyber/alertdetail.php?id=4641

July 8, ZDNet – (International) Apple plugs dangerous Safari security holes. Apple has released Safari 4.0.2 to fix a pair of security flaws that could lead to cross-site scripting or remote code execution attacks. The vulnerabilities affect Safari for Windows (XP and Vista) and Mac OS X. The patch solves an issue in WebKit’s handling of the parent and top objects that may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects. The patch also takes care of a memory corruption issue that exists in WebKit’s handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references.
Source: http://blogs.zdnet.com/security/?p=3720

July 9, Associated Press – (International) Official says 7 SKorean Web sites attacked again. South Korean Web sites were attacked again on July 9 after a wave of Web site outages in the United States and South Korea that several officials suspect North Korea was behind. Seven sites, one belonging to the government and the others to private entities, were attacked in the third round of cyber assaults, said an official from the state-run Korea Communications Commission. Earlier in the day, the country’s leading computer security company, AhnLab, had warned of a new attack after analyzing a virus program that sent a flood of Internet traffic to paralyze Web sites in both South Korea and the United States. About two hours after the latest assault, all but one shopping site were working normally. The Yonhap news agency had earlier reported that the Web site of the leading Kookmin Bank was down for about 30 minutes. The South’s intelligence agency said in a statement Thursday that it was strengthening cyber security measures for government computer networks, citing a possible new wave of attacks that could target national infrastructure operators like energy, telecommunications, and media companies. So far, there were no immediate reports of financial damage or leaking of confidential national information, according to the Korea Information Security Agency. The attacks appeared aimed only at paralyzing Web sites. According to Reuters, cybersecurity analysts raised doubts on July 8 that the North Korean state launched the attacks on U.S. government and South Korean Web sites, saying industrial spies or pranksters could be the villains. More than two dozen Web sites in the United States and South Korea, including that of the U.S. State Department, were attacked in recent days. South Korea’s spy agency has said North Korea may be behind the attacks, while the U.S. government has said it is too soon to make such claims, and Internet security experts agree.
Source: http://www.google.com/hostednews/ap/article/ALeqM5jvH8X8qojQgzc1R8X_5PceTd1nWQD99AVG3O0
See also: http://www.reuters.com/article/topNews/idUSTRE5680CC20090709

July 9, V3.co.uk – (International) McAfee warns of new Mac malware attack. Researchers at McAfee Avert Labs have warned that a new malware attack for Mac OS X systems has been spotted in the wild. Known informally as ‘Puper’, the Trojan disguises itself as a video program for OS X systems called ‘MacCinema’. The attack appears as a disk image which launches an installer application for the fictional MacCinema software. Once the installer completes its task, the user becomes infected with a script file named ‘AdobeFlash’. The malicious script then launches itself every five hours, and attempts to download and launch other malware on the infected system. This latest attack is similar to others which have targeted OS X users in recent months, often enticing the user to download and install the malware by posing as a video player or ‘codec’ plug-in required to view movie files.
Source: http://www.v3.co.uk/v3/news/2245704/mac-malware-attack-spotted


This Week at the ISAlliance…

Monday, July 13: Cross Sector Cyber Security Working Group (CSCSWG) meeting at 1. Managing cyber risk is an issue that cuts across all of the nation’s critical infrastructures and key resources, and a cross-sector perspective will ensure effective coordination to address cyber security in a collaborative manner with all of the sectors. To meet this need, the Department of Homeland Security’s Assistant Secretary for Cyber Security and Communications, Greg Garcia, proposed to establish the CSCSWG under the auspices of the Critical Infrastructure Partnership Advisory Council (CIPAC). The CSCSWG serves as a forum to bring government and the private sector together to address common cyber security challenges and opportunities across the CI/KR sectors.

Monday, July 13: FSTC & BITS Webinar sponsored by DHS at 1. Software Security Engineering: How to Get Started by Nancy Mead, a senior member of the technical staff in the CERT Program at the Software Engineering Institute (SEI).

Abstract: Software is essential to the operation of the nation’s critical infrastructure. Vulnerabilities in software can jeopardize intellectual property, consumer trust, and business operations and services. A broad spectrum of critical applications and infrastructure, from process control systems to commercial application products, depend on secure, reliable software. It is estimated that 90 percent of reported security incidents result from exploits against defects in the design or code of software. Therefore, ensuring the integrity of software is key to protecting the infrastructure from threats and vulnerabilities and reducing overall risk to cyber attacks. In order to ensure system reliability, integrity, and safety, it is critical to include provisions for built-in security of the enabling software.

This talk focuses on the DHS-sponsored Build Security In (BSI) website (https://buildsecurityin.us-cert.gov/daisy/bsi/home.html), developed and maintained under the leadership of CERT, and a book that is largely based on the BSI website, Software Security Engineering: A Guide for Project Managers. BSI is organized to convey fundamental security knowledge, security best practices, and security tool evaluation techniques to a large population of software developers, system administrators, and acquisition organizations. The BSI website structures this material in terms of system development life cycle touchpoints for ease of use. A major objective in the website’s development is to engage the security community in active participation and contribution of new content. The BSI work also provides support and linkage to the DHS Software Assurance initiative. Software Security Engineering: A Guide for Project Managers has been written by a group of BSI authors and published by Addison Wesley (http://www.softwaresecurityengineering.com/).

Tuesday, July 14: Communications Sector Coordinating Council (CSCC) Measurement working group meeting at 9. The Measurement working group will first develop the C-SCC’s “plan of the plan” related to the sector’s metrics. Then, this committee will put together the plan that outlines the specific metrics and how the C-SCC will measure these metrics and provide data to DHS.

Thursday, July 16: ISAlliance/Aerospace Industries Association webinar - Legal Framework for Securing Unified Communications by Jeffrey Ritter, Esq., CEO of Waters Edge Consulting.

Abstract: New internet technologies continue to offer efficiencies for business; however, they also create security risks and potential legal concerns. ISAlliance has funded a new research project on the legal framework for securing unified communications (“UC”). UC solutions create enormous flexibility for businesses, allowing content traditionally sent through one medium and in a single format (such as a telephone call) to be sent through the Internet and converted into multiple format options (such as converting a voice mail into a text message). To properly secure their networks and systems, companies must build, acquire and install security tools that 20th century legal rules could not have imagined. This webinar will present an inventory of existing UC solutions, known security risks and available security controls. In addition, the presentation will identify any potential tensions between using those controls and existing laws governing telephone services, privacy and other topics. This presentation will provide valuable guidance to security professionals and attorneys asked to consider and navigate those legal tensions, and will offer recommended commercial practices for implementing security for UC solutions within existing legal rules. ISAlliance members should contact bfoer@isalliance.org to register.

Friday, July 17: Communications Sector Coordinating Council (CSCC) Executive Committee meeting at 2. The broad purpose of a Sector Coordinating Council is to foster and facilitate the coordination of sector-wide activities and initiatives designed to improve physical and cyber security of the critical infrastructures and related information flow within the sector, cross-sector and with DHS. Through the CSCC, private-sector owners, operators and suppliers can efficiently engage DHS and other federal agencies, collaborating to: Identify, prioritize, and coordinate policy issues related to the protection of critical infrastructure and key resources; Facilitate sharing of information related to physical and cyber threats, vulnerabilities, incidents, potential protective measures, and best practices; Facilitate policy issues related to response and recovery activities and communication following an incident or event. The Executive Committee manages the affairs of the CSCC in the same way that a board of directors would manage the affairs of a “for profit” company.

Speaking Opportunity for ISAlliance members: The Illinois Institute of Technology’s Center for Professional Development will be hosting the 5th Annual VoIP Conference and Expo Wednesday and Thursday October 28 and 29, 2009. This two-day conference, where industry and academia meet, will bring together technical professionals and executives from the data and telecommunications industry, standards bodies, government agencies, as well as the business community. ISAlliance members interested in participating as a panelist discussing the practical side of VoIP Security, how IT security is being practiced today to protect VoIP and what important new steps need to be taken in the near future should contact bfoer@isalliance.org.

Adapting the SAFETY Act to Cyber Security - ISAlliance Member Assistance Program: Following the 9/11 catastrophe, Congress passed a new law, the SAFETY Act, which provided market incentives for technologies to fight terrorism, most of which dealt with physical attacks. The SAFETY Act office approached ISA for assistance in getting cyber technologies designated or certified as SAFETY Act compliant. Designation brings with it various market advantages, including liability protection and marketing benefits. ISA is arranging for individual members to receive attention for their technologies from the SAFETY Act office. Please contact bfoer@isalliance.org to discuss ISAlliance assistance and to review which of your technologies are eligible under this program.

Introducing the ISAlliance Information Security Resources News Feed
In our continued effort to provide membership with access to the latest developments and relevant issues being addressed by compliance, IT and security professionals today, the ISAlliance would like to introduce the addition of the Information Security Resources News Feed to our website selections.

Information Security Resources strives to bring together security thought leaders by providing a forum for security issues across all sectors and industries. ISR’s concern is centered on the failure of organizations to adequately protect regulated systems and data, with a focus on the exposure of private information and sensitive systems during the financial meltdown, including identity theft, privacy breaches, stolen information, credit card fraud, and other enormous liabilities. In addition to the obvious threat to market stability, the financial debacle has the added element of national and global security concerns. ISR’s editors and contributors strongly believe that system integrity is the next major national security, shareholder derivative, D&O liability, regulatory, consumer product safety, and class-action issue our nation will face. ISR is led by Kevin M. Nixon, MSA, CISSP®, CISM®, CGEIT®, who is a former ISAlliance Board member, and managed by Anthony M. Freed.

The link for the news feed is located at the top of the “Business Services” column on any ISAlliance website page. Enjoy!

ISAlliance Web Portal Information

ISAlliance US-CERT Portal: https://portal.us-cert.gov/member/index.cfm

ISAlliance/CyLab Portal: www.cylab.cmu.edu/

Download a complete copy of The Cyber Security Social Contract: Policy Recommendations for the Obama Administration and 111th Congress.

The Internet Security Alliance (ISAlliance) was created to provide a forum for information sharing and thought leadership on information security issues. The ISAlliance represents corporate security interests before legislators and regulators, in so doing the alliance aims to identify and standardize best practices in Internet security and network survivability, while creating a collaborative environment to develop and implement information security solutions.

*   *   *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Filed under: D&O Liability, FEATURE ARTICLE, Financial, Government, Insider Threat, Internet Security Alliance, Military, PCI, Sarbanes-Oxley, Uncategorized, due diligence, hackers, healthcare, identity-theft, malware, national security, privacy 
