Archive for August, 2007

MySpace Worm Uses Fast-Flux to Dodge Detection

August 13, 2007

A new attack on MySpace users in June was turning their sites into bots to serve phishing scams and viruses. This new technique (called fast-flux) was used to hide malicious sites behind a constantly changing network of proxy servers, which makes it almost impossible to track down the malicious sites.
http://www.eweek.com/article2/0%2C1895%2C2163609%2C00.asp

[Editor's note (Valle): This technique is similar to anti-forensic methods used by cybercriminals to hide their true origins. The main difference is that fast-flux has a larger and more rapidly changing number of proxy servers to hide behind.]

Research Reveals Compliance Problem

August 13, 2007

Ponemon Institute issued a report that brings up the most common inadequacies in ensuring proper access to systems and data.
http://www.darkreading.com/document.asp?doc_id=131038
Some report findings:

1) Reliance on Manual Processes – Audit and compliance (A&E) staff monitor and test controls by depending almost exclusively on reports generated by others rather than on software tools.

2) Lack of Centralized Control – There is no clear ownership of compliance oversight or of the processes for reporting on and monitoring user access. Fragmentation of data and distribution of responsibility are also issues.

3) Poor Communication and Collaboration – A&E staff do not collaborate with departments that share IT compliance responsibility. Other departments have a poor understanding of risk management and compliance.

4) Inattention to Business Risk – Most organizations do not focus their compliance resources or efforts on risk, and most say they do not have the necessary information to quantify risk.

Security Digest for July 30th – Aug 3rd

August 13, 2007

Computer Security Videos at Security-Freak.com
http://www.security-freak.net/videos.html
A series of good primer videos for network security engineers

Google TechTalk Video “What every engineer needs to know about security”
http://www.net-security.org/secworld.php?id=5401
Interesting talk at Google

Make Mashups secure
http://www.infoworld.com/article/07/08/06/32FEmashsec_1.html
Important techniques to make your mashup more secure

Consumer Reports: Malware Costs US Consumer $7 Billion Over Two Years
http://www.darkreading.com/document.asp?doc_id=131056

Super All-in-one network security test system
http://www.eweek.com/article2/0,1759,2165270,00.asp?kc=EWRSS03129TX1K0000614
A start-up that uses HD Moore’s Metasploit technology, and where he is the Director of Security Research, is launching the mother of all network security test systems.

California moves to lock down e-voting systems

August 6, 2007

Secretary of State Debra Bowen has mandated new security standards for California’s e-voting systems.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9029038&source=rss_topic17

[Editor's Note (Valle): Another example of how difficult it is to write secure code and why security needs to be a top priority when creating new software. To this end the SANS Institute has recently created the GIAC Secure Software Programmer Certification (GSSP) which will be the first exam of its kind to test a developer's secure coding skills. http://www.sans-ssi.org/ ]