Friday, June 22, 2007

India gets BPO cybercrime watchdog

ZDNet Asia
18/06/2007
http://www.zdnetasia.com/news/security/0,39044215,62019658,00.htm

India is to finally get a data privacy watchdog to oversee the country's IT and business process outsourcing (BPO) offshore outsourcing industry and to address international concerns about the security of customer records and data.

India does not have any data protection law equivalent to that in the United Kingdom but has been under increasing international pressure to address this in recent years due to a spate of high-profile security breaches.

The new body, which will be called the Data Security Council of India (DSCI), is a self-regulatory member organization and is being set up by Indian IT industry group National Association of Software and Service Companies (Nasscom).

Shyamal Ghosh, chairman of the DSCI, said the board and structure of the organization should be in place by the end of next month.

He told ZDNet Asia's sister site Silicon.com: "The industry felt it is better to have self-regulation because it moves so fast. It will be an independent organization at arm's length from Nasscom."

The DSCI will develop common minimum standards for privacy and security policies, offer certification, enforce a code of ethics and best practice, and punish any breaches by Indian IT and BPO companies--which could include expelling members or calling in police.

Nandkumar Saravade, director cyber-security and compliance for Nasscom, said the DSCI will help improve security standards across the vast number of companies below the big top-tier outsourcers such as Infosys, Tata Consultancy Services and Wipro.

He said: "The aim is to lift the floor of the Indian IT and BPO companies because the top companies already have best practices."

The data security body is just one of Nasscom's initiatives to address international concerns about India's reputation for data security. Another key strand is the National Skills Registry (NSR), which is a centralized database of third-party verified personal and professional details of IT and BPO employees that allows employers to vet staff they are recruiting.

Nasscom said the NSR is used by 40 of India's IT companies and now has 100,000 employees registered on it, with half of those verified and their biometric details recorded.

Nasscom has also helped with the setting up of local cybercrime police labs in five of India's tech hotspots.

Nasty malware toolkit making the rounds

June 21, 2007
http://weblog.infoworld.com/zeroday/archives/2007/06/nasty_malware_t.html

Security researchers at VeriSign are tracking the emergence of a dangerous malware development kit being sold on the Russian underground that is being used to level many different types of threats at unprotected computers.

Dubbed MPack, the kit -- which is trading hands for roughly $1,000 -- is empowering stealthy malware attacks on Web browser vulnerabilities, and claiming roughly a 50 percent success rate, according to Ken Dunham, senior engineer and director of the Rapid Response Team in VeriSign's iDefense security unit.

Dunham said in an e-mail that MPack is using multiple exploits "in a very controlled manner" to infect vulnerable computers.

Among the specific exploits that the MPack kit is using to assault end user machines are those that attack the Windows animated cursor (ANI) flaw, WinZip ActiveX overflow problem, and issues in QuickTime multimedia framework -- which was originally authored by Apple. The malware package is also being used to assault a range of additional security vulnerabilities already identified and patched by Microsoft.

Dunham said that VeriSign has observed the MPack kit being sold by an individual operating on the Russian malware scene known as "$ash" who has also been offering a so-called "loader" version of the code -- used to deliver executable files -- for $300. In his marketing materials, $ash is claiming that attacks using the kit are 45-50 percent successful.

VeriSign reports that threats derived from MPack -- which has also been coined by researchers as WebAttacker II -- date back as far as Oct. 2006 and have accounted for as much as 10 percent of all recent Web-based exploits.

The company contends that over 10,000 Web domains were utilized for referral in a recent MPack attack that was aimed largely at users in Italy and affected as many as 80,000 unique IP addresses.

"It is likely that cPanel exploitation took place on host provider leading to injected iFrames on domains hosted on the server," Dunham writes. "When a legitimate page with a hostile iFrame is loaded the tool silently redirects the victim in an iFrame to an exploit page crafted by MPack. This exploit page, in a very controlled manner, executes exploits until exploitation is successful, and then installs malicious code of the attacker's choice."
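As an added example (not from the article or from VeriSign's research), the following Python check looks for the pattern Dunham describes: an iframe on an otherwise legitimate page that is hidden or sized to nothing and points to a host other than the page's own. The sample page, host names and function names are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two benign iframes and one injected, hidden, off-site one.
SAMPLE_HTML = """
<html><body>
<h1>Store front</h1>
<iframe src="/help.html" width="300" height="200"></iframe>
<iframe src="http://video.example.net/player" width="640" height="360"></iframe>
<iframe src="http://redirect.invalid/page.html" width="0" height="0"
        style="visibility: hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (optionally with a px suffix)."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def suspicious_iframes(html, page_host):
    """Return src values of iframes that are both off-site and hidden/tiny."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        src = a.get("src", "")
        host = urlparse(src).hostname or ""      # relative src -> same site
        offsite = bool(host) and host != page_host
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (_is_tiny(a.get("width", "")) or _is_tiny(a.get("height", ""))
                  or "display:none" in style or "visibility:hidden" in style)
        if offsite and hidden:
            findings.append(src)
    return findings
```

A visible off-site iframe (an embedded player, say) is deliberately not flagged; the heuristic keys on the combination of off-site and hidden.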

The VeriSign security researcher said that MPack attacks have indeed been very successful, according to the log files the company has reviewed. The threats recently victimized over 2,000 new machines in a period of only several hours according to its analysis of a command and control (CNC) Web site associated with the threats, Dunham said.

MPack uses a CNC Web site interface for reporting of MPack success back to hackers, the researcher said.

One of the payloads being served up in MPack-driven attacks is the Torpig spyware program. VeriSign associates that threat with a hacker group known as the Russian Business Network (RBN), which Dunham labeled as "one of the most notorious criminal groups on the Internet today."

The company has observed MPack attacks installing Torpig malware code that was hosted on what it has identified as an RBN-controlled server.

"RBN is closely tied to multiple attacks including Step57.info cPanel exploitation, VML, phishing, child pornography, Torpig, Rustock, and many other criminal attacks to date," Dunham writes. "Nothing good ever comes out of the Russian Business Network net block."

The researcher said that RBN, based out of Saint Petersburg, Russia, represents "a virtual safe house for attacks," and indicated that the group is also responsible for distribution of phishing attacks and child pornography.

Pentagon email hacked

http://www.australianit.news.com.au/story/0,24897,21948818-5013044,00.html

A hacker has penetrated an unclassified Pentagon email system, prompting authorities to take as many as 1500 accounts offline, US defence officials said.

"Elements of the OSD (Office of the Secretary of Defence) unclassified email system were taken offline yesterday afternoon due to a detected penetration," US Defence Secretary Robert Gates said.

"A variety of precautionary measures are being taken. We expect the system to be online again very soon," Mr Gates said.

Between 1000 and 1500 users of the system were taken offline, a defence official said.

On Wednesday, a congressional panel disclosed that hackers had also succeeded in penetrating computers at the Department of Homeland Security, the lead government agency in providing security against cyber attack.

"What does this mean? It means terrorists or nation states could be hacking Department of Homeland Security databases, changing or altering names to allow them access to this country, and we wouldn't even know they were doing it," Representative James Langevin said.

The Pentagon email system carries "routine email" involving administrative matters but not classified information related to military operations, Pentagon spokesman Colonel Gary Keck said.

Mr Gates said the Defence Department computers were under constant attack, but he could not say why this attack, unlike others, forced authorities to take down part of the system.

Pentagon officials would not comment on the source of the attack, or whether the hacker was able to read email sent over the system.

"We obviously have redundant systems in place, and there's no anticipated adverse impact on ongoing operations," Mr Gates said. "There will be some administrative disruptions and personal inconveniences."

"It will come as no surprise that we aggressively monitor intrusions and have appropriate procedures to address events of this kind. But, as I say, we get perhaps hundreds of attacks a day," he said.