An EU-funded think tank has delivered a warning against the adoption of biometric ID cards and passports. The FIDIS (Future of Identity in the Information Society) project states that the current biometric designs of travel ID will drastically reduce security and privacy, while increasing the risk of identity theft.
"Data can be remotely read or eavesdropped from distances of up to 10 meters," the society warned. "This is compounded by access control, which is susceptible to circumvention or hacking. The result is a risk of ubiquitous, unobserved access to machine-readable travel document data by unauthorised third parties and enables tracking of people carrying a passport."
FIDIS also enumerated further critical problems such as the lack of any method of revoking biometrics and the ease of cloning RFID tags.
The UK Government is set on introducing ID cards via a National Identity register from 2008, although this is likely to be delayed until 2009 at the earliest.
The key information security challenge for 2007 is likely to be privacy and personal data protection, according to a top analyst firm. Ernst & Young says consumer fears over personal data breaches will force businesses to sit up and take notice in 2007. The company also believes that IT security functions will increasingly be spread throughout the business, and will take on more strategic importance.
"I think IT security will become much more involved in strategic decisions, and in growing the business, rather than a backroom operation," said Richard Brown, head of technology and security risk services at Ernst & Young. "The main challenge for IT security professionals will be managing these new demands on their time."
The company also believes that security outsourcing will continue to grow, but warns that care is required. Brown said: "Outsourcing will continue to rise, but the risk to confidentiality etc must be managed competently. In-house standards of operation must be applied strictly to out-of-house suppliers, and these standards must be made clear from the start. Additionally, contingency plans must be made and adhered to - accidents do happen."
The findings are published in the Ernst & Young Global Information Security survey of 1,200 public and private sector organisations in 48 countries.
Mobile security has seen a flurry of product launches. Both Trend Micro and F-Secure launched anti-virus and firewall products for Windows CE and Symbian S60 smartphones in November, while PointSec announced a managed encryption service for mobile devices.
Security professionals have often tipped mobile devices as a hot new attack vector. Their predictions are based on the increasing number of businesses that rely on the tools, the amount of vital data being stored on and accessed through them, and the many wireless broadband technologies offered by the latest models.
Researchers in California reported recently that they have developed proof-of-concept code for a Symbian OS worm, along with a remote code execution exploit, which they claim to be the first such exploit shown to function across the mobile phone network. Symbian has now shipped 100 million smart phones. Nokia smartphones use the Symbian platform, and recent research from comScore found that the majority of UK mobile web users (39%) are using Nokia products.
Internet service providers are coming under increasing pressure to prevent malicious traffic on their networks, following BT's adoption of filtering technology last month. The telecoms giant announced the deployment of the Content Forensics system, from StreamShield Networks, which should scan all email traffic on BT's network, alerting users to any malicious traffic. Ultimately, the plan is to hunt down botnet herders via their IRC command structure.
Andy McKewan, IT security director, Panda Software, believes that other ISPs will follow BT's example. "It'll eventually come down to the level of service they're willing to provide to their customers," he said.
The argument that ISPs should take more responsibility for the traffic on their networks is not a new one, but one that is gaining support. Email and web traffic filtering can, in theory, be far more aggressive at the "cloud" level, as malicious traffic often originates from the same IP addresses. Experts claim that blocking the worst repeat offenders would drastically cut malicious traffic.
"ISPs have to clean up their act, and I think Government agencies will soon force them to do so," said Raimund Genes, CTO for anti-malware at Trend Micro (pictured). "However, you have to remember the innocent home users - how will they be dealt with? Many will not know how to respond to a warning that their PC is infected, and others will simply not care."
In other wireless news, Broadcom WLAN users should be checking their laptops, after a potentially serious vulnerability was announced in the wireless device driver. The attack is only viable for hackers within radio range, such as by others using the same hotspot, rather than over the internet, but the flaw is likely to affect a slew of users - the driver is bundled with new PCs from Dell, Gateway and HP among others.
The issue only affects the wireless driver, and concerns the handling of 802.11 probe responses containing a long SSID field. The end result is that systems using the Broadcom BCMWL5.SYS wireless device driver are left open to buffer overflow attacks. Broadcom has released a new version of the driver.
WHY SANTA IS DANGEROUS
'Tis the season to be ripped off, as spyware has increased in the run-up to Christmas. In October, spyware and adware rose 15 per cent, and experts believe the timing is no coincidence. "We saw a similar upward trend coming up to the holiday season last year," said Dan Nadir, vice-president of product strategy at ScanSafe.
In 2005, online shoppers spent around £5 billion during the holiday season, 24 per cent up on the previous year. The threat is being taken seriously: UK banking organisation APACS ran a webchat earlier this month to pass on security advice to consumers.
"Our target is 30 per cent growth in the US next year. The word on the street is that people over there are not in love with their current anti-virus vendor."
Steve Munford, chief executive, Sophos, page 26
GLOBAL SNAPSHOTS: MP3 cashpoint bugger jailed; FBI nails phishing gang; Trojan for mobiles
US: The Federal Trade Commission (FTC) has brought a case against alleged spyware operation Media Motor, ordering the company and its affiliates to cease business. The Nevada court heard Media Motor's spyware often posed as a media viewing application, but, when installed, downloaded and executed a variety of malicious software, including Trojans and keyloggers.
Chile: Police have arrested four men on charges of hacking government websites. The group is accused of infiltrating more than 8,000 sites, including some owned by the US and Turkish governments. Leonardo Hernandez, 23, was identified as the Chilean hackers' leader. Known in cyberspace as Nettoxic, he is wanted in several countries.
UK: A Manchester man who bugged freestanding cash machines with MP3 players has been jailed for 32 months. Maxwell Parsons' gang made clone cards with the details, which were used in a £200,000 spending spree. The gang recorded customers' data as it was transmitted down the telephone line to banks. Technology from the Ukraine was used to decode the tones.
Germany: SecurStar, a German security company, claims to have developed a Trojan virus that would allow hackers to intercept mobile phone calls and texts. The virus, RexSpy, is spread by sending a "simple SMS" to infect the phone. "What's so alarming is that any programmer can develop a similar Trojan horse application without any great effort," the company said.
Poland: The FBI has made a series of arrests in a crackdown on phishing gangs. Four people are being held in the US, 13 in Poland, with more arrests thought likely in Romania. Officials believe that the gang based in Poland may have stolen more than 100,000 credit card numbers, using trojans and spoofed websites, as well as hacking into databases.
Spain: Four people have been arrested in Alicante and Madrid in connection with malware writing, data theft and credit card fraud. Two 17-year-olds apprehended in Alicante were charged with creating a Trojan horse used to obtain blackmail data. Two adults also arrested are accused of hiring the teens to obtain data for the purposes of credit card fraud.
Russia: Hackers in the former USSR are being blamed for a recent surge in pump-and-dump and pharmacy spam. Security experts claim to have traced the unwanted mail to a hacking gang controlling a 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan. The Trojan's unusual command structure makes it harder to trace.
South Korea: Police have raided two phone sex firms over allegations that they hacked into competitors' databases and stole client details. Local reports claim the group got away with personal data on 8 million customers, then sent them more than 100 million saucy text messages, generating $2.7 million in the process. Six people were arrested.