The Month: News, debate, analysis and data from the world of information security

An EU-funded think tank has delivered a warning against the adoption of biometric ID cards and passports. The FIDIS (Future of Identity in the Information Society) project states that the current biometric designs of travel ID will drastically reduce security and privacy, while increasing the risk of identity theft.

"Data can be remotely read or eavesdropped from distances of up to 10 meters," the society warned. "This is compounded by access control, which is susceptible to circumvention or hacking. The result is a risk of ubiquitous, unobserved access to machine-readable travel document data by unauthorised third parties and enables tracking of people carrying a passport."

FIDIS also enumerated further critical problems such as the lack of any method of revoking biometrics and the ease of cloning RFID tags.

The UK Government is set on introducing ID cards via a National Identity register from 2008, although this is likely to be delayed until 2009 at the earliest.

The key information security challenge for 2007 is likely to be privacy and personal data protection, according to a top analyst firm. Ernst & Young says consumer fears over personal data breaches will force businesses to sit up and take notice in 2007. The company also believes that IT security functions will increasingly be spread throughout the business, and will take on more strategic importance.

"I think IT security will become much more involved in strategic decisions, and in growing the business, rather than a backroom operation," said Richard Brown, head of technology and security risk services at Ernst & Young. "The main challenge for IT security professionals will be managing these new demands on their time."

The company also believes that security outsourcing will continue to grow, but warns that care is required. Brown said: "Outsourcing will continue to rise, but the risk to confidentiality etc must be managed competently. In-house standards of operation must be applied strictly to out-of-house suppliers, and these standards must be made clear from the start. Additionally, contingency plans must be made and adhered to - accidents do happen."

The findings are published in the Ernst & Young Global Information Security survey of 1,200 public and private sector organisations in 48 countries.

Mobile security has seen a flurry of product launches. Both Trend Micro and F-Secure launched anti-virus and firewall products for Windows CE and Symbian S60 smartphones in November, while PointSec announced a managed encryption service for mobile devices.

Security professionals have often tipped mobile devices as a hot new attack vector. Their predictions are based on the increasing number of businesses that rely on the tools, the amount of vital data being stored on and accessed through them, and the many wireless broadband technologies offered by the latest models.

Researchers in California reported recently that they have developed proof-of-concept code for a Symbian OS worm, along with a remote code execution exploit, which they claim to be the first such exploit shown to function across the mobile phone network. Symbian has now shipped 100 million smart phones. Nokia smartphones use the Symbian platform, and recent research from comScore found that the majority of UK mobile web users (39%) are using Nokia products.

Internet service providers are coming under increasing pressure to prevent malicious traffic on their networks, following BT's adoption of filtering technology last month. The telecoms giant announced the deployment of the Content Forensics system, from StreamShield Networks, which should scan all email traffic on BT's network, alerting users to any malicious traffic. Ultimately, the plan is to hunt down botnet herders via their IRC command structure.

Andy McKewan, IT security director, Panda Software, believes that other ISPs will follow BT's example. "It'll eventually come down to the level of service they're willing to provide to their customers," he said.

The argument that ISPs should take more responsibility for the traffic on their networks is not a new one, but one that is gaining support. Email and web traffic filtering can, in theory, be far more aggressive at the "cloud" level, as malicious traffic often originates from the same IP addresses. Experts claim that blocking the worst repeat offenders would drastically cut malicious traffic.

"ISPs have to clean up their act, and I think Government agencies will soon force them to do so," said Raimund Genes, CTO for anti-malware at Trend Micro. "However, you have to remember the innocent home users - how will they be dealt with? Many will not know how to respond to a warning that their PC is infected, and others will simply not care."

In other wireless news, Broadcom WLAN users should be checking their laptops, after a potentially serious vulnerability was announced in the wireless device driver. The attack is only viable for hackers within radio range, such as by others using the same hotspot, rather than over the internet, but the flaw is likely to affect a slew of users - the driver is bundled with new PCs from Dell, Gateway and HP among others.

The issue only affects the wireless driver, and concerns the handling of 802.11 probe responses containing a long SSID field. The end result is that systems using the Broadcom BCMWL5.SYS wireless device driver are left open to buffer overflow attacks. Broadcom has released a new version of the driver.
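The flaw class described above, shown from the defensive side as an added example (not Broadcom's driver code and not from the original article): a C parser that pulls the SSID element out of a probe response body and rejects a length octet that exceeds the 32-octet SSID limit or runs past the end of the frame. The function names and the sample frame bodies are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID      0   /* element ID of the SSID information element */
#define SSID_MAX_LEN 32  /* 802.11 limits an SSID to 32 octets */
#define PROBE_FIXED  12  /* timestamp (8) + beacon interval (2) + capability (2) */

/* Copy the SSID from a probe response frame body into out[SSID_MAX_LEN].
 * Returns its length (0..32), -1 for a malformed body or oversized SSID
 * element, -2 when no SSID element is present. */
int parse_probe_ssid(const uint8_t *body, size_t body_len, uint8_t *out)
{
    if (body_len < PROBE_FIXED)
        return -1;
    size_t off = PROBE_FIXED;
    while (body_len - off >= 2) {
        uint8_t id = body[off], len = body[off + 1];
        off += 2;
        if (len > body_len - off)      /* element runs past the frame */
            return -1;
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN)    /* length octet can claim up to 255 */
                return -1;
            memcpy(out, body + off, len);
            return (int)len;
        }
        off += len;
    }
    return off == body_len ? -2 : -1;
}

/* Constructed input: a body with one SSID element of ssid_len octets,
 * optionally cut short by `cut` octets; returns the parser's verdict. */
int demo_result(uint8_t ssid_len, size_t cut)
{
    uint8_t body[PROBE_FIXED + 2 + 255] = {0};
    uint8_t out[SSID_MAX_LEN];
    body[PROBE_FIXED] = IE_SSID;
    body[PROBE_FIXED + 1] = ssid_len;
    memset(body + PROBE_FIXED + 2, 'A', ssid_len);
    return parse_probe_ssid(body, PROBE_FIXED + 2 + ssid_len - cut, out);
}

int main(void)
{
    printf("len 32 -> %d, len 33 -> %d, truncated -> %d\n",
           demo_result(32, 0), demo_result(33, 0), demo_result(8, 3));
    return 0;
}
```

The two checks are independent: the first keeps the read inside the received frame, the second keeps the copy inside the fixed-size destination buffer.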


'Tis the season to be ripped off, as spyware has increased in the run-up to Christmas. In October, spyware and adware rose 15 per cent, and experts believe the timing is no coincidence. "We saw a similar upward trend coming up to the holiday season last year," said Dan Nadir, vice-president of product strategy at ScanSafe.

In 2005, online shoppers spent around £5 billion during the holiday season, 24 per cent up on the previous year. The threat is being taken seriously: UK banking organisation APACS ran a webchat earlier this month to pass on security advice to consumers.


"Our target is 30 per cent growth in the US next year. The word on the street is that people over there are not in love with their current anti-virus vendor."

Steve Munford, chief executive, Sophos, page 26

GLOBAL SNAPSHOTS: MP3 cashpoint bugger jailed; FBI nails phishing gang; Trojan for mobiles

US: The Federal Trade Commission (FTC) has brought a case against alleged spyware operation Media Motor, ordering the company and its affiliates to cease business. The Nevada court heard Media Motor's spyware often posed as a media viewing application, but, when installed, downloaded and executed a variety of malicious software, including Trojans and keyloggers.

Chile: Police have arrested four men on charges of hacking government websites. The group is accused of infiltrating more than 8,000 sites, including some owned by the US and Turkish governments. Leonardo Hernandez, 23, was identified as the Chilean hackers' leader. Known in cyberspace as Nettoxic, he is wanted in several countries.

UK: A Manchester man who bugged freestanding cash machines with MP3 players has been jailed for 32 months. Maxwell Parsons' gang made clone cards with the details, which were used in a £200,000 spending spree. The gang recorded customers' data as it was transmitted down the telephone line to banks. Technology from the Ukraine was used to decode the tones.

Germany: SecurStar, a German security company, claims to have developed a Trojan virus that would allow hackers to intercept mobile phone calls and texts. The virus, RexSpy, is spread by sending a "simple SMS" to infect the phone. "What's so alarming is that any programmer can develop a similar Trojan horse application without any great effort," the company said.

Poland: The FBI has made a series of arrests in a crackdown on phishing gangs. Four people are being held in the US, 13 in Poland, with more arrests thought likely in Romania. Officials believe that the gang based in Poland may have stolen more than 100,000 credit card numbers, using trojans and spoofed websites, as well as hacking into databases.

Spain: Four people have been arrested in Alicante and Madrid in connection with malware writing, data theft and credit card fraud. Two 17-year-olds apprehended in Alicante were charged with creating a Trojan horse used to obtain blackmail data. Two adults also arrested are accused of hiring the teens to obtain data for the purposes of credit card fraud.

Russia: Hackers in the former USSR are being blamed for a recent surge in pump-and-dump and pharmacy spam. Security experts claim to have traced the unwanted mail to a hacking gang controlling a 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan. The Trojan's unusual command structure makes it harder to trace.

South Korea: Police have raided two phone sex firms over allegations that they hacked into competitors' databases and stole client details. Local reports claim the group got away with personal data on 8 million customers, then sent them more than 100 million saucy text messages, generating $2.7 million in the process. Six people were arrested.
