Cybercops and zero day vulns

[InfoSec News <isn () c4i org>]

http://www.theregister.co.uk/2006/04/24/infosec_blog_three/

By John Leyden
24th April 2006

Infosec blog - The start of the Infosec conference tomorrow will
witness one of the first public appearances of the new Serious and
Organised Crime Agency (SOCA). Dubbed the UK's FBI by Britain's
tabloids, SOCA will tackle drug trafficking, immigration crime, money
laundering and identity fraud by developing intelligence on organised
crime and pursuing key suspects while disrupting criminal activity.

The agency will bring together more than 4,000 police, customs and
immigration experts to create Britain's first non-police
law-enforcement authority. Officers from the National High Tech Crime
Unit (NHTCU) joined these ranks when the agency launched earlier this
month. The Home Office has said that drug and people trafficking,
fraud, and identity theft will be among SOCA's top priorities.

Despite its assigned role as a leading agency in fighting identity
theft, critics are questioning how much of SOCA's resources will put
into the fight against cybercrime. Spyblog, for example, said the
launch of the agency signals a very low priority for computer crime.

Like any police agency in the UK, SOCA is ultimately accountable to
the public, whose needs and concerns help shape its priorities.  
Divisional bosses from Greater Manchester Police or the Metropolitan
Police, for example, regularly meet the general public. The frequent
result of these meetings is that increased resources are put into
combating burglaries or antisocial behavior, for example, in
particular areas. Because resources are finite, this has the
undesirable effect of reducing the number of officers assigned to
combat other problems.

In the case of SOCA, it's easy to see how similar pressures might
affect its mandate. Combating organised child abuse, a role it will
share with other agencies, will always be a priority, but how much
resource will be placed towards fighting computer hacking and virus
writing?

Perhaps a question to this answer will come when Tony Neate, a former
officer of the NHTCU and current e-crime liaison officer at SOCA,
chairs a debate E-Crime: Who Got Caught Out Last Year?.


The Mirapoint cracked

It won't come as a surprise for you to hear that Register staffers
receive huge volumes of junk mail. I myself get about 300 to 400 spam
messages per day against up to 100 pieces of legitimate mail, many of
them press releases.

Over the last three years I've tried several approaches to anti-spam
filtering. The best results have come with SpamBayes, largely because
it allows users to train the product on what they see as spam and,
crucially, what they see as legitimate emails (ham). The only
disadvantage with the product is that you have to download every
message before filtering takes place. Using SpamBayes in conjunction
with an email filtering service from Avecho, set to remove only
transparently bad emails, proved to be an effective approach.

Since the demise of Avecho I've been obliged to rely on the native
email filtering service provided by El Reg's ISP Telstra. The service,
which is underpinned by technology from security appliance vendor
Mirapoint, is the bane of my working life. The filter is perhaps 80
per cent to 90 per cent effective in identifying and junking spam
messages. That's worse than other products I've tried, but still not
terrible. What really let's the service down is the quantity and
importance of messages it flags as spam.

Most ecommerce transactions - for example travel confirmations from
Opodo and thetrainline.com and kit purchases from Dabs.com - get
flagged as spam. Direct person to person queries also often get
junked, as do press releases, unless the sender is white listed.  
Because of this, I have to manually go through my inbox. Using the
service is, for me, like driving a car that never starts in the
morning. Other Reg staffers have also experienced frustrations with
the service.

I first complained about the service's shortcomings to Mirapoint a
year ago, since when the false positive issue has become more
noticeable. In conversation with Mirapoint on Monday, representatives
of the firm said it products were "demonstrably capable". If so, why
is Telstra's service binning ecommerce receipts, we asked? Mirapoint
responded by saying all it could do was recommend how its technology
was set up and that ultimately it relies on its service providers.  
Telstra is one of a dozen ISPs that provide hosted email security
services based on Mirapoint's technology.

Mirapoint said it hadn't received feedback about excessive false
positives from Telstra, or any of its other service providers.  
Nonetheless, it conceded that its reputation might be tarnished via
its association with Telstra's indifferent service. It said it would
make inquiries, but warned there might be "no quick fix".


Security disclosure

Let me make a small bet that VoIP security, along with how to respond
to so-called zero day vulnerabilities, will be a hot topic at this
year's Infosec. The latter was heavily discussed last month when two
security vendors, including eEye, released security patches to defend
against an unpatched vulnerability in Microsoft's Internet Explorer
web browser.

Last week, security tools firm ISS warned that using third-party
patches could violate the license agreements for software installed on
their systems. Organisations can feel pushed into believing that, on
balance, applying an unofficial patch is safer than remaining exposed
to attack. But ISS warns that such fixes have not gone through
rigorous testing. "The reason why a vendor like Microsoft takes some
time to release a hotfix is because they have to ensure quality and
system integrity across multiple combinations of Windows service
packs, international editions, and supported hardware platforms. The
unofficial patches being developed by these third-party organisations
are opportunistic PR efforts rather than serious security fixes," ISS
X-Force director Gunter Ollmann said.

That's fighting talk.

eEye chief hacking officer Marc Maiffret argued that ISS's warning is
little more than a pitch for its virtual patch technology. "This is
funny considering their press release attempts to say that third party
security companies are only creating these free patches for marketing
purposes. The only difference between them and the third party
companies in that case is that ISS has not done anything to provide
the community a free work around for the problem, you have to buy
their product," Maiffret told El Reg.

"ISS's products, like most of the third party patches, go about
modifying/patching code in order to divert attacks. So, if ISS really
believes its statements, then it should probably do a follow up press
release which tells people they could/might/who really knows be
violating their EULA by using ISS security products," he added.

Ouch. ®



_________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org