Security Bullet In
Communiques from the security front, sir
Friday 30 March 2007, 4:50 PM
Litchfield: ID database ethical, not technical problem
David Litchfield, who has in the past dramatically exposed various vulnerabilities in Oracle, has told ZDNet UK at the Black Hat security conference in Amsterdam that the UK ID data base is an ethical, not technical problem.
"The problems aren't technical, but ethical -- in terms of privacy. But they don't have a technical problem -- the databases can be secured as needs be."
Researchers from Ernst and Young may be able to challenge this. Billy K. Rios and Raghav Dube, senior security researchers, are currently working on methods to use compromised web browsers to access sensitive company management consoles -- and they're working on a method to circumvent those consoles to access a back-end database. The scary thing is, using a web session slips the hacker in right underneath any encryption and firewall.
Litchfield said that the threat from insiders to government databases was also great.
"They shouldn't have a database open to abuse by privileged users," said Litchfield.
Thursday 29 March 2007, 1:14 PM
Paypal: Web hosting services are not tackling phishing
Online payments service Paypal has lashed out at web-hosting services providers, which the company claims "need to do a better job" at tackling phishing.
Speaking at the 2007 e-crime congress on Tuesday, Paypal's associate general counsel, Joseph E. Sullivan said:
"Web-hosting services need to do a better job of taking down phishing websites. Some of the most well known hosting services are some of the slowest," said Sullivan. "If the sites were taken down more quickly, fewer people would be taken in."
Sullivan said that Paypal is pushing for European legislation similar to the "good samaritan" laws in the US which allow web hosts to take action against phishers without making the web hosts liable.
Speaking to ZDNet UK after the event, Sullivan said that the question is what role web-hosting services perform. Paypal was reluctant to name and shame the culprits, preferring to work with them out of the public gaze.
"We did consider putting together a hall of shame, but decided that would be counterproductive" said Sullivan. "When we do see a phishing site on a hosting service we contact them behind the scenes."
For Paypal, a measure of efficacy is the amount of time it takes a web-host to take down a phishing site. Often phishers put sites up on a Friday night (for the hosts) when the host's technical staff have gone home for the weekend.
Sullivan added that Paypal would like to see better record keeping at domain registration services.
According to Symantec, 46 percent of phishing sites are hosted in the US, and 11 percent in Germany. In both cases the large number of smaller hosting sites complicate matters for law enforcement. Three percent of phishing sites are hosted in the UK.
William Beer, Symantec's European director of security practice, said that technology cannot solve the problem of phishing, but that user awareness and communication were key.
Wednesday 14 March 2007, 4:50 PM
Vodafone launches 'fastest' wireless data service
Communications giant Vodafone will launch a wireless mobile data transmission service with speeds of up to 7.2 MBits/s in Germany on Thursday.
The company announced the high speed wi-fi download capability at the CeBIT technology fair in Hannover on Wednesday. The technology will allow high speed mobile transmission of large data volumes for Vodafone's German customers.
Based on HSDPA technology, the company claims the upload speed of up to 1.45 MBits/second tops fixed DSL lines. The technology works over the existing 3G network in Germany according to a Vodafone.de spokeswoman, and will be rolled out tomorrow in all of the major German cities.
Currently the fastest wi-fi mobile broadband download speed available in the UK is 1.8Mbits/second using HSDPA. Vodafone UK could not comment at the time of writing whether there would be a UK rollout of the technology.
Monday 12 March 2007, 6:17 PM
Al-Qaeda internet plot reports are 'scare-mongering'
According to a senior government security advisor, reports that there was an Al-Qaeda plot to take down the UK's internet access by sabotaging Telehouse Europe are 'scare-mongering'.
Reports stated that a plot to sabotage the colocation company had been foiled by MI5, and that had the plot succeeded, the UK would have been denied the internet for an unspecified amount of time.
The security advisor told ZDNet UK this simply could not happen as described. The internet is designed to be resilient, and that many points of contact are linked to many other points of contact, making internet access more difficult to stifle than that.
