The VeriSign Security Review
February 2008
In This Issue
Peer-to-Peer, Without the Security Compromises
In today's consumer-driven marketplace, you’ve got
to be able to offer a rich-media Internet experience. Peer-to-peer (P2P)
content delivery is increasingly necessary… but can be scary from a
security point of view.
If you’re a content owner, you’re probably discovering both challenges
and opportunities in delivering consumers a rich-media Internet experience.
Of course, you need efficient and cost-effective delivery of rights-protected
content, and this means you need peer-to-peer (P2P) as part of your
next-generation media delivery solutions… but you may be hesitating,
for good reason.
Peer-to-peer (P2P) file-sharing networks have proven
to be popular because of their efficiency in helping consumers discover
and obtain the large files they seek, but often, these networks are
used to illegally share copyrighted music, TV programming, movies, and
more. Additionally, file-sharing networks have been associated with
the spread of viruses, malware, and even identity theft. Most consumers
know that the track record for typical P2P file-sharing networks is
mixed:
- Consumers often have no way of knowing who is providing the content and whether it is coming from a legitimate provider.
- Copyright laws are frequently broken, as unauthorized publishing of media content can occur from any peer on the network.
- Malware, spyware, and Trojans often masquerade as legitimate content, tricking consumers into installing harmful software on their PCs.
- Content may become infected by viruses as it passes from one consumer to the next.
So, as a branded content
provider, you’ll need to put these fears to rest with a commercial P2P
delivery solution that enables you to support legitimate rights of use
and addresses the consumer desire for access to content without worries
of identity theft, corrupt files, and viruses.
This means that when you’re evaluating commercial
P2P solution providers, you must specify end-to-end security as part
of the system’s basic functional requirements, to protect your security
and that of your consumers throughout the delivery process—during the
publishing of content, when consumers are requesting content, and while
content is being distributed via the Internet. You may want to provide
consumers a variety of different use license arrangements, and a good-quality
commercial P2P system should enable enforcement of these use licenses.
And finally, you need to be able to reassure consumers that the P2P
client they are being asked to install will not harm their systems through
the introduction of viruses or malware and will not interfere with other
priorities for use of their systems.
Also, when you’re evaluating P2P solution providers,
make sure that they offer training for your engineers and quality assurance
staff on secure design and implementation best practices. The provider
should also perform regular security reviews on the system, and use
leading vulnerability analysis software to evaluate the implementation’s
security. If all those are in place, then you’ve reached your goal:
a secure way to share your rich-media content with consumers.
Find out more about how your organization can safely take advantage of the benefits of P2P solutions. Read the VeriSign white paper, "The Power of Commercial Peer-to-Peer Delivery," to learn how you can ensure that your commercial P2P environment:
- Maintains security and integrity of content
- Provides a high-quality experience that enhances the relationship between consumers and content owners
- Integrates with essential business systems such as content management and rights management
- Efficiently manages P2P network traffic to minimize the cost of distribution
- Scales in a seamless and reliable manner.
Help Your Users Trust Your Site
Online channels are a key part of business strategies
today, so you need to offer a differentiated online experience. How
so? Focus first on the “difference” that matters most to consumers:
security.
They call it “digital migration,” and it’s affecting
businesses in all industries, including retail, financial services,
media and entertainment, health care, and government services. As consumers
look to interact with product and service suppliers online, organizations
gain the opportunity to develop a new, more cost effective, and more
personalized distribution channel, one that holds out a promise of increased
sales and lower operating costs.
But before you think about cool special features you
can offer to provide a differentiated online experience that drives
customer loyalty, make sure you’ve got the basics covered. Weak user
or consumer authentication has fueled the problems of Internet identity
theft, including phishing, and online financial fraud. As more consumers
do more online transactions, the risk of fraud and identity theft increases.
Consumers know this. According to a recent Gartner study, the online-security
concerns of 46% of U.S. adults led to over $2 billion in lost sales
in 2006.
So you can either let security concerns eat away at
your bottom line, or you can differentiate your organization, and stand
to gain significant revenue, by addressing the security and trust concerns
of your online consumer.
Strong authentication isn’t new technology; for years,
enterprises have used it to secure access to corporate networks and
applications. But what works for your employees might not work as well
for your business partners or your customers. In deciding which authentication
solution to use for each segment, you’ll need to balance inherent risk
for each user segment, solution cost, and the need to deliver different
types of user interaction.
The latest white paper from VeriSign charts out how
different authentication technologies can be mapped to the most appropriate
user segments. The chart also describes other key solution criteria
in selecting the authentication technology such as suitability to application,
security level, costs, and intangible factors.
As you weigh up the information in the chart, though,
consider that having the right credential to suit the user is only half
the battle in achieving consumer acceptance of strong authentication
technologies. Users don’t want to have to manage or deal with multiple
“second factors” for different web sites – whether they are traditional
tokens (i.e. the “token necklace” problem) or “soft” tokens in browsers
or on mobile devices.
The white paper describes this difficulty, and proposes
credential sharing for second factor authentication. Find out more about
the characteristics and benefits of this approach to creating a secure
online experience for your constituents.
Read the white paper, "A Guide to Providing Proactive Protection to Consumer Online Transactions."
Hacking Event First to Cause Physical Harm
A Polish teenager has been arrested for gaining control
over the city's tram system and causing the derailment of four of its
cars. The event now stands as a "proof of concept" that affirms
information security experts' more dire speculations that IT or industrial
command and control systems can be exploited and used to hurt people.
The boy, a 14-year-old whose name police will not
release, has already admitted to causing three unexpected track switches,
the last of which resulted in a car jumping the tracks to collide with
the side of a passing train. Other trams were forced to make emergency
stops during which some passengers were injured, making this perhaps
the first true example of a hacking incident that led to direct physical
harm to people.
Teachers described the boy as an exceptional student
and a "genius" with electronics. Indeed, the boy needed this
technical gift and creative programming skills to gain control over
the tram system. He had to undertake computer research and even trespassing
at tram stations to learn about the system and equipment necessary to
achieve the takeover. He also had to build hardware similar to a TV
remote control to cause switches at any point in the tram system. The
boy even researched the train system's layout to determine the best
places to execute switches.
This incident comes on the heels of two similar incidents. Hackers gained access to the New York City transportation authority's website by hacking a terminal in a taxi. In another incident, the same type of attack was used against the internal system of a Boeing 787.
Government moves to secure critical infrastructure against cyber attack
The attacks highlighted the timeliness of the Federal
Energy Regulatory Commission’s (FERC) approval of eight new reliability
standards designed to protect the nation’s critical infrastructure systems
against cyber attack.
The FERC is an independent agency that regulates the
interstate transmission of electricity, natural gas, and oil. It also
reviews proposals to build liquefied natural gas (LNG) terminals and
interstate natural gas pipelines and licensing hydropower projects.
Its eight new critical infrastructure protection (CIP) standards address
the following topics:
- Critical cyber asset identification
- Security management controls
- Personnel and training
- Electronic security perimeters
- Physical security of critical cyber assets
- Systems security management
- Incident reporting and response planning
- Recovery plans for critical cyber assets.
“Today we achieve a milestone
by adopting the first mandatory and enforceable reliability standards
that address cyber security concerns on the bulk power system in the
United States,” FERC Chairman Joseph T. Kelliher said. “The electric
industry now can move on to the implementation of the standards in conjunction
with improvement of these standards in order to increase the security
and reliability of the bulk power system.”
Graeme Baker reports on this further in: "Trams Derailed after Teen 'Genius' Hacks into System," The Vancouver Sun, Jan. 12, 2008.
For further information, please see: "FERC approves new reliability standards for cyber security," www.ferc.gov, http://www.ferc.gov/news/news-releases/2008/2008-1/01-17-08-E-2.asp
Cross-Region Vulnerability Discovered in Skype
Researchers recently discovered a vulnerability within
the popular VoIP service Skype. This vulnerability allows attackers
to inject script code into any of the Internet Explorer windows opened
by the service.
Skype opens Internet Explorer when rendering internal
and external HTML pages. Examples of such pages include PayPal payment
pages and options such as “add video to chat.”
The vulnerability, identified by Miroslav Lucinskij and posted to the Full Disclosure mailing list, lies in the fact that Skype renders these Internet Explorer pages in its local zone, with the browser control in "unlock" mode. An attacker could use this to execute code on the victim's computer, for example when the victim accesses a pre-infected site via Skype.
Petko D. Petkov (a.k.a “pdp”), founder of the GNUCITIZEN
group, highlighted a further risk on the group’s blog. The unlocked
Internet Explorer controller displays Skype’s ads, all of which are
sent over an unencrypted channel. Using tools such as Airpwn or Karma,
an attacker could hijack the ads and replace them with those containing
malicious code, which would execute within the unrestricted Internet
Explorer controller upon rendering.
Skype is very popular, with more than 246 million
individual user accounts as of Sept. 30, 2007, and 10,140,836 concurrent
users online as of Oct. 30, 2007. These numbers suggest that a high
number of users are open to such an attack.
For more information, please see: PDP, "Vulnerabilities in Skype," GNUCITIZEN, Jan. 17, 2008.
inCode, a VeriSign Company, announces top 10 wireless predictions for 2008
The predictions cover major trends in the industry,
ranging from who will win the communication standard wars, what role
Google will play in the wireless world after January’s spectrum auction
and whether or not consumers will finally open up to digital content
and mobile advertising.
The predictions, first created in 2003 by inCode,
a global business and technology consultancy acquired by VeriSign in
November 2006, are designed to help wireless industry players, partners
and consumers better plan for the coming year.
“The coming year is going to be incredibly important
for the wireless industry as new business models begin to take shape,”
said Jorge Fuenzalida, vice president of communications consulting for
inCode, a VeriSign company. “Beginning with the spectrum auction in
January, to the continuing battle between fourth-generation (4G) technologies
LTE and WiMAX, to what it’s going to take to make converged wireless
a reality, wireless will look significantly different in several critical
ways one year from today.”
Here are the highlights of the predictions:
- The WiMAX/LTE wars will end with a whimper. The long-awaited "take-off-the-gloves" battle between next-generation wireless technologies LTE, HSPA and WiMAX will not occur, since they are in different stages of maturity, with HSPA already enjoying widespread adoption and a flourishing device market.
- A new wholesale carrier will emerge. The 700MHz spectrum auction presents a large opportunity for the emergence of a new wholesale carrier (i.e., one with no retail operations or direct customers) that focuses on being the most cost-effective player in the market and avoids the retail game. The wholesale carrier model will be driven by companies such as Google, but the question remains: how much control will Google be able to garner?
- Peer-to-peer (P2P) technology will go mainstream. Though long used for pirating files, P2P will be adopted by US distributors, who will follow the UK's lead and begin to utilize next-generation, secure and DRM-protected P2P for mobile content distribution.
- For the eighth year in a row, mobile service quality will continue to deteriorate. The combination of new technology (3G), multi-band, multi-access technology, advanced and complex handsets, least-cost routing and under-investment in network coverage continues to make mobile services less reliable than they were before the introduction of 3G.
Don't stop here. Read the predictions in full.
Avoiding Payment Card Industry (PCI) Audit Failure
For merchants, service providers, banks, credit card
processing systems, and other entities entrusted with customers’ credit
card data, the PCI data security standards are not new. However, many
such organizations continue to pay the price for non-compliance. Such
costs are not simply the result of fines, but can also include the revocation
of card issuance and payment processing capabilities. In addition, since
PCI standards are designed to protect consumers’ information, noncompliance
can result in exposure to major data security breaches, incurring far
worse financial costs that include litigation and the loss of consumer
confidence.
PCI Compliance: Not a One-Time Event
Some organizations fall into noncompliance simply because they achieved full compliance recently and treat the matter as closed. Maintaining compliance, however, is not a one-time event but an ongoing one: cyber criminals are becoming increasingly sophisticated in their attempts to obtain personal data, and yesterday's approach will not be effective against today's attack.
The Right Approach
The most effective approach is to view PCI compliance as a program. Ideally, such a program would be geared not simply toward passing a particular review on a particular day, but toward maintaining compliance for any possible review on any possible day, as a way to achieve ongoing, viable security that strengthens an organization's reputation and inspires confidence in users and partners.
Such a program would not
begin by itemizing areas of noncompliance. Rather, it would begin with
an assessment preparation, which might include a request for documentation
and onsite interviews and evaluation. Such a program might then perform
vulnerability scans of internal systems and analyze the company’s standard
procedures for storing and accessing card data. Only then would the
program perform a gap analysis to determine areas of non-compliance
and suggest remediation. The program would also work with the company
to determine the most effective schedule for ongoing assessment.
A Trusted Partner
The VeriSign® Global Security Consulting team has
performed hundreds of PCI assessments since the program’s inception,
and VeriSign protects some of the world’s leading retail companies and
financial institutions. For tips on maintaining compliance with PCI standards, please download our free white paper entitled "More Lessons Learned—Practical Tips for Avoiding Payment Card Industry (PCI) Audit Failure."
DateBook
Mobile World Congress, February 11-14, 2008, Barcelona, Spain
The GSMA Mobile World Congress features the most prominent CEO and board-level speakers from mobile operators, content owners and vendors from across the globe.
Financial Services Technology Summit, February 25-27, 2008, Laguna Beach, CA
This exciting, informative two-and-a-half-day event brings together C-level technology executives from the financial services industry.
CTIA Wireless, April 1-3, 2008, Las Vegas, NV
This tradeshow is the convergence of more than 1,200 exhibiting companies, dozens of industries, and over 40,000 professionals from 125 countries, all working toward the common goal of revolutionizing wireless.
RSA Conference 2008, April 8-11, 2008, San Francisco, CA
Join us for the most comprehensive forum in information security. Jim Bidzos of VeriSign will be giving a keynote presentation, so come learn about the latest trends and technologies, get access to new best practices, and gain insight into the practical and pragmatic perspectives on the most business-critical issues facing you today.