Sûnnet Beskerming Pty. Ltd. occasionally produces small reports that are for free (gratis) distribution. The free content may cover any area that Sûnnet Beskerming operates in. Examples may include generic security advice, specific security warnings, development practices, and application tuning. The only caveat on reuse of information from this site is in accordance with the following paragraph.
Use and reuse of information from this site requires written acknowledgement of the source for printed materials, and a hyperlink to the parent Sûnnet Beskerming page for online reproduction. Content from this page can not be reused in a commercial context without negotiating an appropriate licence with the site owner. Personal and educational use is granted without additional restriction beyond an amount in accordance with the principle of "fair use". Fair judgement is encouraged from site users as to what amounts to "fair use". Please contact us if you reuse our content, so that we may be able to provide more specific advice when necessary to improve your reproduction.
If you are interested in any of our other services, information about them is available from the parent site - Sûnnet Beskerming - Information Security Specialists. Readers may especially be interested in our mailing list, which provides advanced coverage of issues covered here in the column and important Information Security threats that don't get reported anywhere else, or in the training courses and speaking engagements that Sûnnet Beskerming are available for.
It's That Time of the Week - Where's My Column? - 10 April 2006
Regular readers will have noticed that the usual column for this week has not appeared. This is because we have changed our approach to publishing and have started producing content on a more frequent basis. The next tier of content, which does not appear in our mailing list or on our new IT Toolbox blog, is posted here on Skiifwrald.com. If readers would like an additional fix, or more of what we write about, take a look at some of our other content that is available:
- Our IT Toolbox blog http://blogs.ittoolbox.com/security/edge/
- Free security mailing list http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com
- Hands on Information Security training and speaking engagements in Australia http://www.beskerming.com/training
Microsoft 'Surprised' by 0.1% Infection Rate
Microsoft have been collecting information from their Malicious Software Removal Tool (MSRT) and their Windows Defender initiative and a recent statistic has 'surprised' them. After adding support for some malware that had been circulating since the middle of last year (a six month delay in recognition), they discovered that 250,000 systems out of the 250 million that had the MSRT installed were infected. While 0.1% does not appear to be a large amount, the raw figures are large. This goes to show that a piece of malicious software does not need to hit a large percentage of vulnerable systems to be numerically successful. Of more interest is the news that CME-24 (Blackmal) is still causing enough infections for 40,000 systems to require cleaning by the tool.
Sadmin Revisited - It's OK, the NSA Should Have a Copy - 09 April 2006
Following on from speculation in the 'Exploits Ahoy!' post, timely reporting on the discovery of a cross-platform Proof of Concept (PoC) virus has rattled a few cages amongst the security community. In its current form, the PoC demonstrates that Linux ELF binaries and Windows .exe files can be potentially infected by the same source. Although only targeting Windows and Linux systems at the moment, the move to Intel hardware by Apple could see an evolution of the PoC targeting OS X systems as well.
Historically, a worm dubbed 'sadmin' is one of the few pieces of malware to actually target multiple platforms, specifically Windows and Solaris. Internet worms (PHP and Perl focussed) are generally regarded as being different again. This new PoC has been dubbed 'Bi' by a number of antivirus companies and is expected to eventually carry a malicious payload designed to cause havoc on affected systems.
ClamAV has issues
Cross-platform anti-virus tools are likely to be updated in a timely manner, but a range of vulnerabilities has been discovered in the open-source ClamAV anti-virus solution, including integer overflows, format string handling errors and out-of-bounds memory access. Possible effects range from denial of service through to arbitrary code execution. These issues are considered critical and concerned users should update as soon as possible to address potential risks to their systems.
NSA loves AT&T
In court documents filed by the Electronic Frontier Foundation (an online and electronic rights advocacy group), claims have been made that US telecommunications giant AT&T has been forwarding all Internet traffic that passes through its network to the National Security Agency (NSA) for undetermined uses (go on, take a wild guess what they might use it for). The practical application of filtering terabytes (exabytes?) of transitory data is probably not all that difficult for an organisation that is said (humorously or otherwise) to measure computing power in terms of square miles. Perhaps this traffic handoff is part of ongoing communications intercepts and processing, and could serve to help refine the effectiveness of those programs, such as the now largely abandoned Carnivore.
Of concern to many is what could happen to the data outside of that scope. There have been cases where the US Government has been accused of using communication intercept data to engage in industrial espionage on behalf of US companies, in particular a case where Airbus accused Boeing of being supplied confidential Airbus pricing estimates on projects that both consortia were bidding for. This data originated from intercepts captured by various US Government communication intercept efforts.
The information before the court is currently sealed, and AT&T has five days to provide justification why their internal documents relating to the matter should not be made public. Pessimists are conjecturing that the US Government will take an active interest and suppress release of the data on 'National Security' grounds.
Just how deep is the rabbit hole?
Analysts who have linked this to the illegal wiretapping efforts supported by the current US President suggest that AT&T isn't the only company to have supplied this data; they claim that all ISPs may have supplied equivalent data to the NSA. Considering just how far the AT&T network reaches, nearly all Internet users in the United States are likely to have been affected by this program.
For example, AT&T are part owners of the trans-Atlantic data communications cables, and their networks are likely to make up at least some of the hops between a user and the website they are trying to reach. Recent mergers amongst the 'Baby Bells' that were created following the breakup of the original AT&T have also raised concerns that the telecommunications giant is going to reestablish itself, stronger than before.
It is doubtful that the complete story behind the current claims will ever be known. Conspiracy theorists and the paranoid are having a field day, claiming that the truth will be suppressed by PSYOPS operatives, either by withholding it or by releasing disinformation, but there are enough cases in history to suggest that it is possibly true.
Fuzzy Wuzzy Was a Bear - 08 April 2006
What is Fuzzing, and why do I need to know?
Fuzzing is the latest vulnerability discovery method to attract widespread attention from researchers and hackers alike. It is essentially the process of forcing an application or software function to accept input that may not be valid, in order to discover vulnerabilities related to input validation. Poor input validation can lead to a number of failures, from simple application crashes through to complete control of vulnerable systems.
One reason why it has attracted increased attention is that it is a fairly simple process to undertake. Increasing numbers of automated tools make vulnerability disclosure a point and click operation. This ease of operation means that some researchers look down on those who appear to do nothing else than point and click their way to vulnerability disclosure (and temporary InfoSec fame). Others have humorously opined that you aren't a real Information Security researcher unless you write your own fuzzing tool.
The rapid rise in web application development and usage (much of it poorly coded), together with increasing amounts of networked and multi-user software that has not been designed with security in mind, has created an almost infinite number of opportunities for fuzzing researchers to find holes in critical applications. Tying sensitive personal and financial data to outward-facing (Internet-facing) systems is even more incentive for attackers and researchers to find more holes.
Should be a part of testing
A case could be made that a rigorous testing protocol for new code sections should include tests for handling of invalid and semi-valid input, to allow problems to be solved at development time. While standalone sections of code are relatively easy to test for input handling issues, when complex sections of code are linked together, strange input can come from unexpected places. What may pass as valid input for one section of the code might cause handling issues in code that is subsequently passed that input.
Development-time fuzzing helps to make for more secure code, though testing and Quality Assurance are the processes most likely to be overlooked in the march towards code release.
While it is fairly simple to truncate input of excessive length (one case of invalid input), it is harder to develop a whitelist of accepted character input, especially when support for international character sets and punctuation is required. For example, the humble apostrophe is one of the most dangerous characters when it comes to SQL injection opportunities. Content that the user supplies is not the only input that has to be considered: the validity of any file data that is supplied should also be checked. If all it takes to wipe a server is a change to a single data file, then someone will find a way to do it.
As long as software is developed which handles input validation poorly, there will continue to be a need for fuzzing tools.
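As an added illustration of the development-time fuzzing the column argues for (this code is not from the column or from Sûnnet Beskerming), the Python below runs invalid and semi-valid mutations of a seed input against a deliberately fragile record parser and against a whitelist-validating one, and reports crashes and accepted records that break downstream invariants. The 'name:age:email' format, both parsers, the mutation set and the seed record are all constructed for the example.

```python
import random
import string

# Constructed seed record in a made-up 'name:age:email' format.
SEED_INPUT = "Alice:30:alice@example.com"

# Characters a fuzzer should try to smuggle in: delimiters, quotes (the
# apostrophe is the classic SQL injection character), control bytes,
# non-ASCII and whitespace.
INJECT = [":", "'", '"', "\x00", "\n", "é", " ", "-", "9"]

# Deliberately narrow whitelist for the demo; a real system that must support
# international names needs a broader, Unicode-aware definition.
ALLOWED_NAME = set(string.ascii_letters + " -")


def parse_record_naive(line):
    """Deliberately fragile parser: no length, field-count or content checks."""
    parts = line.split(":")
    # IndexError when a field is missing; negative ages and quotes pass straight through.
    return {"name": parts[0], "age": int(parts[1]), "email": parts[2]}


def parse_record_checked(line):
    """Same format, but every field is validated; bad input raises ValueError."""
    if len(line) > 256:
        raise ValueError("line too long")
    parts = line.split(":")
    if len(parts) != 3:
        raise ValueError("expected exactly three fields")
    name, age, email = parts
    if not name or not set(name) <= ALLOWED_NAME:
        raise ValueError("name contains disallowed characters")
    # ASCII digits only: str.isdigit() also accepts characters such as '²'
    # that int() then rejects, which is exactly the kind of gap fuzzing finds.
    if not age or any(c not in string.digits for c in age) or not 0 < int(age) < 150:
        raise ValueError("age out of range")
    if email.count("@") != 1 or "." not in email.split("@")[1]:
        raise ValueError("malformed email")
    return {"name": name, "age": int(age), "email": email}


def record_is_sane(rec):
    """Invariants that downstream code relies on once a record has been accepted."""
    return (bool(rec["name"]) and set(rec["name"]) <= ALLOWED_NAME
            and 0 < rec["age"] < 150 and rec["email"].count("@") == 1)


def mutate(rng, seed):
    """Apply one to three random mutations, producing invalid or semi-valid input."""
    line = seed
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("truncate", "delete", "insert", "inflate", "swap_age"))
        if op == "truncate" and line:
            line = line[: rng.randrange(len(line))]
        elif op == "delete" and line:
            i = rng.randrange(len(line))
            line = line[:i] + line[i + 1:]
        elif op == "insert":
            i = rng.randint(0, len(line))
            line = line[:i] + rng.choice(INJECT) + line[i:]
        elif op == "inflate":
            line += rng.choice(INJECT) * rng.randint(100, 1000)
        elif op == "swap_age":
            parts = line.split(":")
            if len(parts) >= 2:
                parts[1] = rng.choice(["-1", "999", "1e3", " 30", "", "30.0"])
                line = ":".join(parts)
    return line


def fuzz(parser, iterations=2000, seed=1):
    """Run mutated inputs through parser; report crashes and invariant violations.

    A ValueError is the parser's explicit rejection and counts as correct
    handling. Anything else (an unexpected exception, or an accepted record
    that breaks the invariants) is a finding worth fixing at development time.
    """
    rng = random.Random(seed)  # fixed seed so findings are reproducible
    findings = {"crash": [], "invariant": []}
    for _ in range(iterations):
        line = mutate(rng, SEED_INPUT)
        try:
            rec = parser(line)
        except ValueError:
            continue
        except Exception as exc:
            findings["crash"].append((line, type(exc).__name__))
            continue
        if not record_is_sane(rec):
            findings["invariant"].append(line)
    return findings


if __name__ == "__main__":
    for parser in (parse_record_naive, parse_record_checked):
        result = fuzz(parser)
        print(f"{parser.__name__}: {len(result['crash'])} crashes, "
              f"{len(result['invariant'])} invariant violations")
```

The naive parser produces both unexpected exceptions and accepted-but-unsafe records (negative ages, apostrophes in names), while the checked parser rejects every bad input with an explicit ValueError.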
Exploits Ahoy! - 08 April 2006
Long-suffering Internet browser, Internet Explorer, has had another vulnerability disclosed. Initially announced for Internet Explorer 6.x and 7 Beta, similar vulnerabilities are also said to affect Firefox and Opera browsers. While a successful exploitation of the Opera vulnerability can lead to arbitrary code execution, the IE and Firefox vulnerability relates to allowing spoofing of the URL address bar (i.e. badguysrus.com will show as goodguysrus.com). All vulnerabilities are related to browser handling of Flash and Shockwave internet plugins.
Disabling Active Scripting is said to prevent any exploitation of the vulnerability from happening.
Other problem vulnerabilities have been disclosed for a range of Cisco devices, ranging from Denial of Service issues through to possible arbitrary code execution on the Cisco Transport Controller workstation. Cisco have released information regarding the issues and it is recommended that users of the devices apply the fixes as soon as possible.
Black Tuesday to bring 5 patches
Microsoft's monthly Security patch release program is scheduled to provide five patches for Windows users. One of the patches will address issues with Microsoft Office components (rumoured to be Excel), while the other four address core components of the Operating System. The cumulative Internet Explorer patch which is one of these remaining patches is reported to resolve the currently exploited 'CreateTextRange()' 0-day vulnerability. At least one patch is rated critical, which is Microsoft's highest threat rating.
Even insiders do bad things
Two regrettable cases have been reported involving individuals in important US Government IT and security roles who have been arrested on charges of possessing illegal pornography and of soliciting sex from a minor. A high-ranking US DOD IT official, who was responsible for managing IPv6 within the organisation, was arrested and indicted for possessing child pornography, while a spokesman for the Department of Homeland Security was arrested for soliciting sex through Instant Messaging from what he thought was a 14 year old girl (an undercover police officer). To make matters worse, it was suspected that he might have released sensitive department information in his attempt to solicit sex.
Two bank employees in Louisville (Citigroup and National City bank) have been charged with hacking into customer accounts, and in one case embezzling more than $200,000 USD.
The NSW police were left red-faced when information about how to extract the login and password (in the clear) details for subscribers to Police news releases were published in the leading NSW newspaper, The Sydney Morning Herald. Although the information had been removed from public view, Google had already crawled and cached all the data, which meant that it was a simple matter of a set of Google searches to extract the information. The big risk is that the information could be used as authentication information on other systems / platforms by users who apply poor password management.
Finally, an employee (now former employee) of Progressive Casualty Insurance used her company access to customer accounts to discover details on property foreclosures which she was interested in purchasing. Unfortunately for customers, this information included sensitive personal and financial data. Rather than any actual hacking, the access was a breach of ethical guidelines.
Winny won't let go
The list of sensitive information breaches related to worms plaguing the Japanese Winny file trading network continues to grow and make headlines. In the latest case, internal Trend Micro reports were leaked onto the network as a result of a worm that attacked an employee's system. Ironically, it was the employee's failure to apply Trend Micro's own tools that left the system vulnerable.
Apple Computer's release of their Beta 'Bootcamp' software, which allows for dual booting of OS X and Windows XP (SP2) on Intel-based Macintosh machines has been covered widely already, but one question which does not appear to have been addressed very well at this stage is what sort of impact Windows malware is going to have on an OS X data partition (HFS+ or equivalent). As time goes on, more details are going to become available about the interaction between the two systems, and this issue will be experienced.
This Government's Security Brought to you by Microsoft - 05 April 2006
Who don't you want to get in, today?
The Australian IT section has reported on the imminent announcement by the Australian Attorney General's Department that it has extended a 2003 agreement with Microsoft (the shared source agreement) to cover information security. The extended agreement claims to "help Australia tackle threats to 'national security, economic strength and public safety'", is similar to agreements held by the USA, Canada, Norway and Chile, and will allow Microsoft staff to examine attacks against Australian government networks.
It will be interesting to see how the proposed data sharing works out, especially as Government agencies can be quite restrictive about sharing sensitive information with external bodies. The proposed advanced notice by Microsoft of upcoming updates and vulnerabilities being tracked (to allow the Government to plan and implement a response) introduces the dichotomy of all intelligence products - the more you share, the less useful it becomes.
Microsoft have been improving their security response timelines, but have still been hit with two 0-day exploit vectors in the last four months which this service would have done nothing to protect against (not many companies were placed for an immediate response, but some were), and which affected almost all Windows-based systems: the WMF vulnerability affected every system from Windows 95 through to Vista, that is, every system that could connect to the Internet.
The addition of community security awareness training is a good sign for some of the native Information Security companies, such as Sûnnet Beskerming (regarded by Microsoft as 'Security Experts'), that are likely to play some part in the eventual implementation of such training based on historical involvement with Microsoft Security events.
What about the non Microsoft systems?
There is no indication as to the support or protective services that will be extended to non-Microsoft products. This could be a concern in the future, as it is likely that there are still Government departments with pockets of unsupported systems (e.g. Windows NT) connected to various networks, and other agencies of the Government have recently announced moves to centralise on non-Microsoft software.
In particular, the National Archives announced five days ago that it will standardise on OpenOffice.org 2.0 (OO.o 2.0) as its primary office file preservation format and that the OpenDocument Format will be the primary format used for archiving of electronic data (text, spreadsheets, charts and graphical documents).
Most of the government systems and interfaces that have successful attacks launched against them, and are known about, have been based on Microsoft technologies, which adds value to the extended agreement. The non-Microsoft based systems which have been successfully attacked may be left out in the cold as a result of this agreement.
Major data stores that rely upon Oracle, DB2 or another database platform (not MS SQL) could be overlooked even though they carry significant risk, and recent history suggests that these are becoming the more valuable targets for attackers. For example, a number of serious Oracle issues have evolved recently, and continue to evolve, almost on a par with MS SQL's historical 'sa' account problems.
It can not be realistically expected of Microsoft to provide security support and advice for these other systems and products. However, the reporting on the agreement makes it appear that they are supplying a 'Whole of Government' solution.
An Alert for Australian Admins - 04 April 2006
Growing political angst between Australia and Indonesia is starting to be played out online. Tit-for-tat political cartoons were printed over the last week following the Australian decision to temporarily accept a number of West Papuans as refugees and the political situation has been described as 'difficult' by the Indonesian President.
Online, things are starting to warm up with an increase in the number of attacks against Australian sites from groups claiming to be Indonesian or Indonesian-affiliated. Amongst the normal attacks against state and federal government sites, targeting of politicians and attacks on e-commerce sites, there is an increasing number of Indonesian-aligned groups claiming the hacks.
What has been hit
Indonesian hackers have claimed defacements of sites for an Australian Senator, a South Australian government site and a number of commercial sites. Leaving political messages, threats, and general abuse, the attackers appear to be nationalists with a number of the attacks leaving an extract from the Indonesian anthem 'Hiduplah Indonesia Raya' (Long live Indonesia the Great).
Most of the attacks appear to be simple defacements but there is some concern a number of the sites compromised have had sensitive information stolen and the attackers continue to have unrestricted access to these sites.
At this stage there do not appear to be any return attacks against Indonesian sites by Australian groups or sympathisers. The only recent attacks against Indonesian domains appear to be by well known groups from outside the region.
Site administrators contacted in response to these attacks have yet to acknowledge the attacks.
Different Looks & April Fools - 03 April 2006
Regular readers will note a different look for this column - formatting and posting frequency has changed. We have decided to provide readers a quicker turnaround on some of the stories and threats that we are tracking, and have moved from a primary weekly post, to a post probably once every 1-2 days - depending on news story frequency and importance. Our comment and analysis will lag what our paying clients receive by a couple of days but still represent an improved service over what was previously available.
Though many sites vary in their observance of April Fool's Day, it does make it more difficult to filter the legitimate from the irrelevant in terms of Information Security research. News stories such as China purchasing Google, US President George Bush installing himself for a third term, and Duke Nukem: Forever being available for review are simple enough to pick out as fake. However, there are many reports every day of the year which are difficult to interpret unless you are a subject matter expert on that particular technology, and even then there is no guarantee that you will be able to determine whether or not a claim is legitimate.
This has the unfortunate side effect that people readily dismiss what they do not know and prefer to remain ignorant of the real threats because they are unable to work out how something is happening - basically a return to the 'black box' method of operations. Most worrying is when this trend extends to companies that people rely upon for security or protection of their sensitive financial and personal data.
In research which has been correlated by Zone-h, the global authority on website defacement / digital attacks, Sûnnet Beskerming has observed that more than 80% of system administrators and webmasters tend to ignore reports of damage / attacks against sites that they are responsible for. Whether this is because the reports get eaten by spam filters or the administrators merely do not reply to notification is not known.
The more worrying statistic is that the next greatest percentage of administrator responses is to threaten and accuse those who report the damage of being responsible for the hack / defacement. Finally, there is a very small percentage (almost statistically insignificant) of administrators that respond positively to defacement notification.
Aussie ISPs Breached
A similar situation was observed in the last week when two Australian ISPs were affected by problems with their primary web presence. In the first case, a Sydney based ISP was affected when a customer discovered that it was possible to view billing and call details for any customer by changing some parameters in one of the forms on the 'LiveBilling' area of the ISP's site. It was also demonstrated that it was possible for non-customers to gain access to the data.
Following publication of the issue by a major news agency, the affected area of the site was taken offline with the only reason being given as difficulty with 'security locks'. Even though a number of customers had contacted the ISP about the issue with little response from the ISP, it took massive publicity for it to begin being addressed. While no financial data was exposed, there was still a lot of privacy information readily available.
The second case affected a Queensland based ISP rated as one of Australia's best, which had its web site compromised by foreign hackers. Rather than defacing the main page (which would have led to a rapid repair and investigation), the defacement was out of the way and unlikely to have ever been found through normal web surfing. While this case has not received any publicity, it is likely that the attackers have gained access to sensitive databases and customer information.
Given the earlier statistic about the responses by system / site administrators, the chances are not good for customers of this second ISP for a resolution soon. If any readers of this column are customers of an ISP based in southern Queensland, it would be prudent to check your financial and other personal details.
The same problem is affecting everyday users, as phishers continue to improve the effectiveness of their attacks. The attacks are improving to the point that most of the advice given to users on how to detect and avoid being suckered by a phishing attempt is becoming irrelevant. The last several days saw reports of banks having their websites compromised, with requests for the legitimate site being redirected to locations that the attackers controlled.
Although the reported cases were fixed quickly, Sûnnet Beskerming has found and reported cases where financial institutions have had their sites (including intranets that were improperly configured) exposed to the outside world and which had been under the surreptitious control of attackers for some time.
Careful, Your Bias is Showing - 03 April 2006
Online flamefests, arguments, and other disagreements don't need much to start them off, especially if their root division goes back many years. A poor quote from a source, repeated in a Washington Post blog, started a mini flamewar over the relative security of OS X, Linux and Windows systems. It was in response to a comment by an Information Security company that they had observed OS X and Linux systems as part of some botnets that they were tracking. This implied that some vulnerability was being exploited to add these systems to the botnet, and it sent readers scrambling to uncover what the exploit was. Not only is a remotely controllable OS X or Linux exploit rare, one that extends across all platforms is rarer still. The lack of corroborating evidence elsewhere in the column and elsewhere on the Internet only added fuel to the eventual flamefest.
The backlash against the Washington Post blogger was such that he had to produce a new column to address the vitriol that his earlier entry had prompted. More investigation showed that the worm / vulnerability was exploiting known historical vulnerabilities in various PHP applications which could pass control of vulnerable systems to the remote attacker. Based on a flaw which gained publicity in July 2005 after first being found in 2003, and which had public exploit code issued in November 2005, it had been known for some time that a worm was targeting Linux and equivalent systems, looking to control them in a botnet. It had even been previously dubbed a Linux specific worm.
Where these claims and reports had gone wrong was in their bias, intentional or otherwise. Whether it was due to a rush to report, not knowing the technology behind what they were reporting, or some other reason, the readiness to pin a cross platform worm onto one or two platforms failed to recognize that all platforms were equally at risk - that the worm exploited software that behaved the same on all platforms.
Supporters of OS X and some of the other non-Windows platforms pointed out that the Operating System they were defending was not vulnerable to this issue in its default configuration (i.e. no web server running, no PHP support even if it was running, or some combination thereof), and that specific actions had to be taken by the victim to even become vulnerable to this worm.
A Second OS X Issue
This was not the only mini flame-war to erupt about purported vulnerabilities with OS X. An independent security researcher publicly posted an example of an image which causes a crash of any application which was using specific ImageIO functionality to display it. This list includes Safari, Preview, Finder, and other default inclusions in the OS X 10.4 install. Unfortunately for OS X 10.4 users, the technical description of what the issue is is contained on the same page that holds the image (although other sites now hold the news). At this stage the issue only affects Tiger (10.4), leaving users of OS X 10.3.9 safe. A number of other sites picked up on the news and there were the expected arguments about OS X vs Windows and Linux and Safari vs Firefox and Internet Explorer. Users are hoping that it is only a matter of time until Apple can resolve the issue.
News You Might Have Missed - 03 April 2006
A wrapup of some of the news stories from the last several days that you might have missed, or which grabbed our attention.
Social Engineering Improving
Numerous sites have reported on the increasing use of extracts from real news stories as attempts to attract victims to websites where they are infected with a range of malware. Currently using a range of BBC news stories, the emails lure victims to sites that appear to be clones of the BBC (at least for that particular story), but which download malware in the background, compromising their systems. As the attacks improve in their ability to avoid detection, more victims are likely to be infected without their knowledge (and may even contribute to spreading the attack if the news story is relevant enough).
Internet Explorer Exploit Expands?
As the users and administrators of systems using Internet Explorer wait anxiously for Microsoft to release an official patch to address the three vulnerabilities disclosed a couple of weeks ago, independent companies are releasing their own patches (eEye and Determina), and news is spreading of email being a potential exploit vector (despite Microsoft claims otherwise).
Latest Privacy Losses Update
An earlier reported data loss of records related to HP employees has been pegged at 196,000 individuals affected, higher than the previous highest estimate. Elsewhere in the United States, the state of Florida had payroll and HR data for State employees (January 2003 to June 2004) sent to an Indian firm after a contractor forwarded the data by mistake. Up to 180,000 individuals are believed to be affected.
More than 500,000 members of the Georgia state pension plan could be at risk after a hacker gained access to a Georgia Technology Authority database which held confidential information on the pension holders. This is more than the 450,000 affected last year when an employee took home confidential information belonging to members of a state health plan. In Los Angeles, 40,000 county residents had their confidential personal data left next to a recycling bin in a parking garage and Nokia's US staff apparently have also been affected by the recent spate of Ernst & Young laptop losses.
MPAA Accused of Improper Action
Following last year's US Supreme Court decision in what is commonly known as the 'Grokster' case various media groups and associations took the decision as free licence to continue to pressure downloaders and torrent search sites, citing the court case as legal justification. One site has decided to bite back. The TorrentSpy bittorrent search site has filed court documents to have the MPAA's attempt to shut them down dismissed. Torrentspy have pointed out that they host no infringing content and act as a search tool, providing no direct links to any infringing content. In the court filing, Torrentspy have accused the MPAA of 'attempting to steamroller defendants by means of an improper pleading', essentially meaning that they are taking an unrelated legal precedent and claiming that it has relevance in this particular case.
Russian MP3 Sites Unsafe?
Wild claims were recently made on a music industry linked site which implied that numerous Russian MP3 retail sites are engaging in massive credit card fraud. The claim is that the sites are in the control of the Russian mafia (a reasonable claim) who are selecting cards at random from their databases to extract extra funds from ($1,000 to more than $3,000 USD per card). With no other news site backing up the claim and the original article appearing unsubstantiated, it is likely to have been an underhand attempt to get people to buy from authorised music industry sites. Even the technical data provided in the article is based on speculation and rumour. Subsequent discussion on message boards seems to substantiate the point of view that the claims of the article are untrustworthy.
Trouble Ahead for UK High-Tech Crime Investigation?
First picked up by the UK focussed Spy Blog, it appears that the UK National High Tech Crime Unit (NHTCU) has been subsumed into a larger organisation, the newly formed Serious Organised Crime Agency (SOCA). Unfortunately, the public presence for SOCA doesn't acknowledge any focus on high tech crime, fails to mention computer, and the NHTCU website directs visitors to address their queries to SOCA. As a result, questions have been asked as to the long term importance of electronic crime investigation to the UK.
Middle East on a Knife Edge
Some might ask what relevance Middle East politics has to a technology blog, but bear with us. Iran recently test-fired a multi-warhead missile capable of reaching Israel, a test firing which went unnoticed by Israeli and US monitoring systems. To add concern, some Israelis have admitted that their anti-missile defence systems have little answer for this multi-warhead missile. The UK Telegraph is said to have claimed that a US-led strike against Iran is inevitable and is due to be discussed in the coming week.
Now for the technology relevance. If there is a strike against Iran, many believe the country to be unstable enough to strike at Israel in an opening move. With multi-warhead missiles capable of reaching all of Israel, the many High-Technology companies with an Israeli base or heavy presence (Intel, Check Point, others) could face outages, supply issues or even be destroyed in that region.
The more pressing issue is the likely impact to the price of oil. With attacks in Saudi Arabia by internal groups, attacks in Iraq, and possible attacks in Iran - the higher the price of oil goes the more likely that companies will support telecommuting as commute costs skyrocket. Telecommuting introduces specific security risks and concerns which need to be considered as part of the planning phase.