- Google security under fire
- Brand hijackers ready for the holidays
- PCI Council launches payments apps standard
- What's the (next) deal with the DLP business?
- PCI and other breach laws under assault
- Microsoft adds Office for Mac to patch
- Hackers go Robin Hood?
- Enterprise Data Protection: The Importance of Account Ownership
- HP going big on security?
- PatchLink buying SecureWave
December 19, 2007
Google security under fire
Betting on the Web as a platform may be the chief gamble of our current computing era, one that requires a significant amount of hedging, most notably in terms of security surrounding services offered as cloudware; but when you are Google, betting on the Web is more than a business strategy: It is a never-ending font for rhetorical marketing hype.
"When Zoho adopted Gears, we cheered," said Vic Gundotra -- vice president of engineering at Google, and former general manager of platform evangelism at Microsoft -- at a dinner preceding the company's Campfire One announcement of OpenSocial, an intriguing albeit hustled-into-the-headlines response to Microsoft's bet on Facebook's social networking platform and API.
Here was not a story of Zoho pitting Google's technology against the search giant's hope of diminishing the functionality gap between its Google Apps online productivity suite and Zoho Office. Here instead was a story of The Web Company generating worthwhile waves for the little guys to ride for a time.
But are such instances truly a matter of rising tides, or are they the tell-tale signs of a bloating multinational just now suffering the spoils of competing interdepartmental agendas and internal communication problems?
Externally, Google's message will be clear in 2008: When the Web wins, Google wins. And you, Web user, should feel good about it.
But if the Web as font of all-solving creativity can be claimed by one company, what of the nefarious underbelly growing unabated alongside?
That, of course, will be the task ahead for Google's newly assembled "advocacy" team, a grassroots-vibe spin on the previous pulpit-and-oracle "evangelism" mission of the 90s, one that incorporates -- or implicates -- you in the overall understanding that, without a resilient Web generations hence, how can our children possibly survive?
And the advocacy team has its work cut out for it, as malware exploits will surely continue to thrive.
Witness the minor storm accreting around Google security the past few days, as bugs, flaws, and worms have made headlines against Gmail, Google Toolbar, and Orkut -- Google's social networking site.
Of course, the Gmail snafu, which allows hackers to hijack and access Gmail accounts, finds its seeds in Internet Explorer, the latest patch of which has produced its share of unrelated headaches as of late.
And the potential for the Google Toolbar flaw to become a bank-busting phishing platform is low, given the elaborate hoops a user must jump through before a malicious Toolbar button gets installed.
And as for the Orkut scrapbook worm: who outside of India, Brazil and the Web 2.0 crowd has even heard of Orkut anyway?
Press like this does little to assuage ongoing business fears regarding Google service adoption beyond the SMB, nonprofit and departmental level -- an aspiration Google remains cagey about, if only to side-step questions regarding its ability to deliver the kind of service large organizations expect from software and systems investments.
InfoWorld security reporter Matt Hines visited Google recently in an effort to ascertain Google's security designs. The upshot is that Postini and GreenBorder will provide the foundation, and though Google has stated that recent Postini layoffs are part of a reallocation of resources, whether that effort and reallocation will bear fruit remains to be seen.
In the meantime, Google's ability to get businesses to bite on its future foray into security services may hinge on more than just shoring up the security of its consumer plays. It may depend as much on rejiggering its message away from the Web as brand.
Additional resources
Google revs up security play
Search giant lays plans to extend Postini security service into a multifaceted filtering system built to lock down business data and help manage compliance requirements
Thin vs. Fat: Google’s plan to kill Microsoft Office
Is the Redmond juggernaut running out of steam, just as Google revs up its suite of thin-client apps?
Orkut worm demonstrates vulnerability of service
IE, Gmail bugs allow hijacking of accounts on public PCs
Google Toolbar flaw opens door for phishers
Posted by Jason Snyder on December 19, 2007 12:33 PM
November 13, 2007
Brand hijackers ready for the holidays
The holiday season doesn't officially begin until next week, but fear not -- just as your local big box retailers have been busy putting up their yuletide decorations ahead of Thanksgiving, phishers and other online fraudsters have been similarly preparing to cash in on the annual consumer shopping binge.
According to the latest "brandjacking" report issued by researchers at MarkMonitor, which tracks the manner in which criminals are trying to piggyback their efforts on the images of legitimate businesses (think eBay phishing scams), the fraudster set is ramping up in preparation for the glut of Web-surfing newbs who dip their toes into the e-commerce waters over the next two months.
Based on the firm's Autumn 2007 Brandjacking Index -- which is focused on data that was gathered from approximately 134 million public Web domains over the course of calendar Q3 -- phishing attacks carried out against retail brands jumped by 1,100 percent, compared to Q2 of this year.
In total, phishing campaigns involving retailers and online auction sites accounted for 39 percent of all attacks that MarkMonitor observed.
The United States continues to lead the world in the sheer volume of hosted phishing sites, at least as far as the researchers could tell, accounting for roughly 25 percent of the fraudulent URLs.
MarkMonitor researchers said that phishing techniques are also becoming more sophisticated, with increased use of so-called "rock phishing" kits, which let one operator run many fraud sites for many brands from shared back-end infrastructure. The criminals are also making their sites harder to take down by hosting them on fast-flux networks -- botnets, armies of infected computers whose addresses are rotated rapidly through DNS -- to support their online operations.
Phishers also continue to serve as a hungry audience for botnets that are being made available for rent by their operators, the researchers said.
The company said that spam-based offers for retail gift cards are a favorite among phishers in 2007, with most trying to steal personal data of their targets.
It said that 33 percent of paid search listings it tested for major retail brands misdirected consumers to questionable Web sites that didn't appear to be genuine.
Cyber-squatting, or the practice of launching URLs that attempt to lure end users by utilizing a legitimate company's name, or a closely-derived iteration thereof, also continues to find favor among the cyber-criminal set.
According to the study, the firm measured an average of 484,251 instances of online brand abuse each week, including 342,512 instances of cyber-squatting: registration of unauthorized domain names that contain a legitimate brand name, or that use marketing slogans or trademarks to which the registrants have no discernible right.
MarkMonitor said that instances of cyber-squatting rose 19 percent during the quarter, compared to Q3 2006, and reported that the practice of "domain kiting" -- using the five-day add grace period that ICANN allows domain registrants to test the viability of their sites, which phishers and other fraudsters have used to launch short-lived attacks -- rose by 48 percent during the third quarter.
In an interesting twist on the yearly holiday-phishing fiasco, MarkMonitor found that a relatively large number of unsavory individuals are also trying to sell toys via the Web that have recently been recalled by their manufacturers for issues related to the use of lead paint, and other defects.
The company estimates that 30 percent of online auctions for recalled toys continue to do business after the recalls have been announced, with 83 percent of all auctions for recalled toys coming from the U.S. -- more than all other countries combined (so much for blaming China for the lead paint problem).
Even worse -- from a consumer products industry perspective -- is that 8 percent of the B2B exchange sites MarkMonitor tracked that sell toys are still listing recalled items for sale.
"The toy recall and gift card findings vividly demonstrate the contrast between how brands are protected in the Internet world vs. the physical," Frederick Felman, chief marketing officer for MarkMonitor, noted in a report summary.
"Brand holders need to develop comprehensive and aggressive strategies to protect consumers who not only trust their names in stores, but in online venues as well; they also need to recognize the Internet has the potential to contaminate supply chains to brick and mortar vendors," he said. "If brand holders don't move aggressively, they put their customers, reputations and revenues at risk."
Posted by Matt Hines on November 13, 2007 09:18 AM
November 07, 2007
PCI Council launches payments apps standard
While the National Retail Federation's call for the PCI Security Standards Council to lower the potential for data breaches by dropping businesses' cardholder data retention requirements has so far gone unanswered, the payment card industry group has launched a new effort aimed at helping companies eliminate libraries of customer information unnecessarily stored in some point-of-sale and transactional systems.
On Wednesday, the PCI Council announced its intention to create -- and eventually enforce -- a new regulation known as the Payment Application Data Security Standard (PA-DSS) which it claims will help developers of payment applications to do away with product features that may have led to superfluous storage of sensitive information in the tools.
While the PCI Data Security Standard -- on which the new mandate is based -- already orders that companies such as retailers must not use point-of-sale systems that store the sensitive authentication data it specifically bans them from retaining after a transaction is authorized -- full magnetic-stripe track data, the CVV2 card verification code printed on the card, and PIN data -- the reality is that many applications in use today still squirrel away some of those specifics.
The PCI Council said that the new measure is based on the Payment Application Best Practices (PABP) developed by Visa, one of its founding members, and that it has distributed a preliminary draft of the regulation to its Board of Advisors for feedback.
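The storage problem the standard targets is straightforward to check for on one's own systems. The following Python script is an added example, not anything published by the PCI Council or Visa: it scans a few constructed point-of-sale log lines (fake data built from the well-known Visa and Mastercard test card numbers) for the classes of sensitive authentication data named above (magnetic-stripe track 1 and track 2 data, card verification codes and PIN blocks) plus unmasked PANs, using a Luhn check so that ordinary order numbers are not flagged, and shows the first-six/last-four truncation PCI DSS permits when a PAN is displayed. The field names in the sample log and the regular expressions for key=value fields are assumptions about how a chatty payment application might write to disk.

```python
import re
from typing import Dict, List

# Constructed sample POS log (not real card data: the PANs are the well-known
# Visa and Mastercard test numbers). Field names are an assumption about how a
# chatty payment application might write to disk.
SAMPLE_LOG = """\
2007-11-07 10:01:22 AUTH ok pan=4111111111111111 exp=0910 amt=42.17 auth=A1B2C3
2007-11-07 10:01:23 DEBUG raw=;4111111111111111=09101011234?
2007-11-07 10:01:24 DEBUG raw=%B4111111111111111^DOE/JOHN^0910101?
2007-11-07 10:02:05 AUTH ok pan=5500000000000004 cvv2=123 amt=9.99 auth=Z9Y8X7
2007-11-07 10:03:40 AUTH ok pan=411111******1111 amt=15.00 auth=Q1W2E3
2007-11-07 10:04:01 INFO order=1234567890123456 status=shipped
2007-11-07 10:05:12 DEBUG pinblk=0412AC89FF3E1B77 pan=4111111111111111
"""

# Track 2: start sentinel ';', 13-19 digit PAN, '=' separator, YYMM expiry
# and service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d*\?")
# Track 1: '%B', PAN, '^', cardholder name, '^', expiry/service code, '?'.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
# Any 13-19 digit run that is not part of a longer run; confirmed by Luhn below.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Card verification code or PIN block written as a key=value field (assumed names).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)=\d{3,4}\b", re.IGNORECASE)
PIN_RE = re.compile(r"\b(?:pinblock|pinblk|pin)=[0-9a-f]{4,16}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Render a PAN as PCI DSS permits for display: at most the first six and
    last four digits visible, the rest masked."""
    if len(pan) < 13:
        return pan
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[Dict[str, str]]:
    """Return one finding per piece of prohibited or unmasked card data on a line."""
    findings: List[Dict[str, str]] = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append({"kind": kind, "masked": truncate_pan(m.group(1))})
    if CVV_RE.search(line):
        findings.append({"kind": "cvv2", "masked": ""})
    if PIN_RE.search(line):
        findings.append({"kind": "pin", "masked": ""})
    # A full PAN may be kept, but only rendered unreadable (truncated, hashed
    # or strongly encrypted); a readable one in a log is a finding.
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append({"kind": "pan", "masked": truncate_pan(m.group(1))})
    return findings


def scan_log(text: str) -> Dict[int, List[Dict[str, str]]]:
    """Map 1-based line numbers to their findings; clean lines are omitted."""
    report: Dict[int, List[Dict[str, str]]] = {}
    for n, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line)
        if hits:
            report[n] = hits
    return report


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: " + ", ".join(h["kind"] + (" " + h["masked"] if h["masked"] else "") for h in hits))
```

Run against the sample, the scanner flags the full PANs on lines 1, 4 and 7, the track 2 and track 1 dumps on lines 2 and 3, the CVV2 on line 4 and the PIN block on line 7, while the already-truncated PAN on line 5 and the 16-digit order number on line 6 (which fails the Luhn check) produce nothing. Point it at real POS logs, database dumps and debug files rather than a sample, and expect to tune the key=value patterns to the application's own field names.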
Among those participating in the review process are the group's Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). The PCI Council said that it will consider any feedback from those parties and then publish a final version of the PA-DSS sometime in the first quarter of 2008.
The group said that Visa initially created the best practices to aid software vendors and other developers in building payment applications that do not store prohibited data. For the record, proprietary applications developed by merchants themselves will not be made subject to the PA-DSS regulation, but they will still be required to meet the terms of the broader PCI Data Security Standard.
PCI Council claims that roughly 200 point-of-sale systems and transactional tools already in use by retailers and other companies have previously been validated against Visa's standard.
Payment applications adhering to the PA-DSS will "minimize the potential for security breaches and the resultant fraud," the group said in a statement.
"With the PA-DSS managed by the council, we will ensure that payment application providers and their products are subject to data security requirements consistent with the current PCI Data Security Standard," Bob Russo, general manager of the PCI Security Standards Council, said in an announcement.
"As criminals become more sophisticated and payment application vulnerabilities are realized by our membership, we must ensure that all components of the payments process are subject to rigorous standards that are supported by all of the global payment card brands with a single goal in mind: to protect cardholder data and combat fraud," Russo said.
The group is asking developers of payment systems to join in its latest effort, and said that individual components of the PA-DSS program will be rolled out following the publication of the standard -- including the requirements and training programs for security assessors and a list of applications that have been validated under the measure.
In September, the PCI Council assumed responsibility for the PIN Entry Device (PED) Security Requirements that were previously administered by payment card giants JCB, MasterCard and Visa.
The PED Security Requirements were designed to help secure personal identification number (PIN)-based transactions, and apply to devices that accept PIN entry for transactions.
Meanwhile, the NRF and its members would clearly prefer it if the PCI backers would stop creating new rules that ask companies to improve their systems, and simply scale back the card issuers' requirements that force retailers and other payment card processors to retain customer data in the first place -- especially as the potential for fines and other penalties levied against those responsible for breaches has grown.
But in the end, and most importantly, consumer privacy appears to be the big winner of these efforts, regardless of how all the inter-industry posturing plays out.
Posted by Matt Hines on November 7, 2007 11:12 AM
November 06, 2007
What's the (next) deal with the DLP business?
Now that Symantec has finally announced its deal to acquire data leakage prevention (DLP) market darling Vontu, some security industry watchers have predicted that M&A interest in the remaining independent vendors in the space will wane.
However, others believe that the fun is only just getting started.
Including the recently-consummated marriages of Symantec and Vontu, EMC and Tablus, Raytheon and Oakley Networks, Trend Micro and Provilla, and WebSense and PortAuthority -- along with a number of smaller deals -- market analysts chart the amount of money already spent on DLP acquisitions at roughly $1.62 billion, and that's only counting deals carried out since mid-2006.
And with many observers questioning the long-term viability of remaining standalone DLP technology providers, of which there are roughly 35, it would seem an ideal environment for a continued, and rapid, roll-up of many of the independent players left standing.
Among the most visible DLP targets left for potential sale are (in alphabetical order) Credant, Code Green, ControlGuard, Eagle Eye, Fidelis, GTB Technologies, GuardianEdge, NextLabs, Orchestria, Reconnex, RedCannon, Safend, Verdasys, Vericept and Workshare.
Among the most likely buyers, according to some industry watchers, are names including 3Com's TippingPoint, AT&T, BT Counterpane, Check Point, Cisco, Fortinet, IBM, Juniper, Secure Computing, and VeriSign.
And some believe that Symantec and rival McAfee -- which recently purchased SafeBoot, a company with a mix of DLP and encryption strengths, and previously bought Onigma, a relatively small DLP vendor -- still have more buying plans ahead.
Symantec executives didn't rule out further buyouts. In a phone conversation on Tuesday, Ken Schneider, CTO of the company's Security and Data Management group, said the firm will continue to assess its needs to "build, buy or partner" in the DLP space.
Schneider said he also wouldn't be surprised to see McAfee make another move, or multiple M&A deals, as he doesn't believe that the SafeBoot acquisition gives his rival as significant a footprint in DLP functionality as some have publicly credited it with.
Yet, others question which IT companies that haven't done so already truly need to jump into the DLP space, at least from a buying perspective.
Jon Oltsik, analyst with Enterprise Strategy Group, remains unconvinced that a large number of DLP acquisitions will be forthcoming.
"It's tough to think of who is left that might be very attractive, there are definitely more sellers than buyers, and it's difficult to guess who else might buy someone, and why," he said. "Before the Vontu deal it seemed like everyone who was still looking was bottom-fishing; someone relatively large like Check Point might still be looking, but they may also be planning to build something in-house."
The analyst said that some DLP firms may have been caught out playing "chicken" with potential buyers and missed their chance to get paid, in many cases because they were asking too high a price.
"People were wondering if that was what happened to Vontu, because if you hold out too long and everyone makes their play, this is probably too narrow of a space to do an IPO," he said. "The venture capitalists will eventually want their money back; Vontu lucked out, but the heat is on everyone who is left."
One of the names that comes up frequently among analysts in terms of vendors who may have missed their chance for acquisition is Vericept, who was rumored to be a target of EMC before the Oakley deal was announced.
"I haven't seen any big customer wins, there's not a lot of traction there, and it seems that they were banking on being acquired by EMC," said one financial analyst who asked not to be named in print. "When the EMC acquisition was on the table it was for $150 million, and then Vericept talked about it and told everyone; EMC backed away and bought Tablus and got a comparable technology at one-third of the price."
Some other industry watchers believe that the DLP fire sale has only just begun to smolder.
Nick Selby, analyst with the 451 Group, said that all of the potential buyers named above -- and many more -- could be looking to add DLP to their products, ranging from desktop security suites to back-end storage architectures -- especially if their targets can be had at a discounted price.
Selby said he definitely expects McAfee to add more DLP, specifically by bringing onboard a network appliance-type product. Symantec is getting a package of DLP tools that already meshes well with its other technologies in Vontu, but it may also need additional pieces, he said.
Of the two DLP camps -- if one separates agent-based systems from network-based systems -- the expert believes that the agent-oriented companies, such as Code Green, Credant, Guardian Edge, Red Cannon, Safend and Verdasys, will sell first.
"People prefer to unify security agents, largely because they are expensive and tough to build from scratch," said Selby. "It's also easier to sell agent-based DLP than network-based; agents are most often judged by their potential to integrate with other proven agents, and that's an easier case to build than with network-based systems, which are harder to scale in the enterprise."
Among the network-based DLP vendors left standing, Selby said that Fidelis may be the most attractive M&A candidate.
"For one thing, IBM Global Services has partnered with Fidelis on the network and Verdasys on the agent; so those companies will be valued higher than some of their peers, that's obviously a big endorsement for them that could drive interest," he said.
Posted by Matt Hines on November 6, 2007 01:41 PM
October 05, 2007
PCI and other breach laws under assault
The retailers are finally fighting back.
Yesterday the National Retail Federation publicly blasted the Payment Card Industry Data Security Standard, issuing a statement that pushes the responsibility for the storage of sensitive customer data back on the card issuers themselves, the very same authors and enforcers of the mandate.
For those of you unfamiliar with PCI, it's the data-handling regulation cooked up by the financial institutions that issue credit and debit cards (AMEX, Visa and MasterCard for starters) that requires anyone who processes their plastic to get their IT security systems up to snuff to prevent more leakage incidents like the one experienced by TJX Companies.
"With this letter, we are officially putting the credit card industry on notice," said NRF CIO David Hogan in the missive. "Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place."
According to NRF, credit card companies typically require retailers to store credit card numbers for anywhere from one year to 18 months to satisfy "card company retrieval requests."
If retailers were given the choice to end the process of storing such customer data, they could lower their own risk and ensure greater consumer security, according to Hogan.
Strong words, but one has to wonder why the NRF hasn't been making noise about PCI sooner.
After all, the deadline for retailers to become PCI DSS compliant was the end of last week, and the regulation has been out there for almost three years: the card brands first published PCI DSS in December 2004, and the PCI Security Standards Council was formed in 2006 to administer it.
And wasn't it just a few years ago -- before ChoicePoint, TJX and everyone else -- that we were reading about all the ways that retailers were going to use the details stored in their CRM systems to create detailed electronic profiles of us all?
It does seem like the data breach issue has forced a turnabout in perceptions of data gathering and mining -- PCI or not.
NRF says further that credit card companies and their banks should provide merchants with the option of keeping no more than authorization code data provided at the time of a transaction along with a "truncated receipt," versus storing the card info.
"If all merchants took advantage of this option, credit card companies and their member banks would be the only ones with large caches of data on hand, and could keep and protect their card numbers in whatever manner they wished," said Hogan. "The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."
Is it all too little too late? Lucky for NRF, it would appear that the ship hasn't truly sailed on PCI.
According to some experts, many retailers and card processors are still way behind in terms of getting in line with the regulation from a technological standpoint -- with some companies apparently willing to take a wait-and-see approach to dealing with potential audits and fines.
The issue of data-handling legislation is becoming decidedly more controversial nationwide. However, while a long list of related bills sits on Capitol Hill waiting to pass through various committees and in various states of progress, states continue to push forward.
As I noted in a blog two weeks ago, California is on the cusp of enacting a far more aggressive piece of legislation than the state's oft-referenced SB 1386 breach notification law, which forced companies to begin reporting their data incidents publicly. Almost 40 other states have since passed similar legislation.
The new bill, Calif. AB 779 -- which would require merchants who experience data incidents to pay back any expenses incurred by banks and card companies for re-issuing cards to affected customers -- has already passed through the state's legislature and is sitting on Gov. Schwarzenegger's desk awaiting approval -- which many have said it will receive.
Retailers in the state are predictably up in arms over the bill.
Benjamin Wright, author of several books on technology law, including "The Law of Electronic Commerce" and "Business Law and Computer Security," responded to my blog by pointing out that many retailers feel the language of 779 is ambiguous and will place too much of a burden on merchants.
Wright said in his own blog that the law would also make it nearly impossible for e-commerce companies to do business processing credit cards if it is interpreted in a certain way.
"This scheme for imposing liability does not seem fair or rational," said Wright. "It requires perfection. Few organizations can be perfect in avoiding the data security transgressions identified by the legislatures. But many organizations might do a reasonably good job of avoiding those transgressions. Yet the legislatures offer no reward for being reasonably good. They only reward perfection."
On Capitol Hill, lobbyists say that interest in the dozen-odd data measures sitting in various committees continues to wax and wane.
"One month people show more interest, but then it lags again," said one Washington-based IT and security industry lobbyist who asked not to be named. "The committees seem to make progress but then they get distracted by other things. It's one of those things where a lot of these bills might get done this session, or maybe they won't get done at all."
The lobbyist said that there are a variety of sticking points for the individual pieces of legislation, from the wording of the measures, to debate over to what extent national laws need to pre-empt existing state measures.
With a bill sitting in the Senate's Judiciary Committee that includes penalties including 5 years in jail for those who are responsible for failing to prevent breaches, it would seem the debate over credit card customer data is only just beginning to get interesting.
Stay tuned.
Posted by Matt Hines on October 5, 2007 09:34 AM
July 13, 2007
Microsoft adds Office for Mac to patch
Heads up Apple users -- Microsoft has quietly added Office 2004 for the Mac to one of its latest security patches.
On July 12, Microsoft amended the list of affected products covered by its MS07-036 security update to add the Mac iteration of Office. The patch was originally released earlier in the week as part of the software maker's monthly Patch Tuesday bulletin distribution.
The Office for Mac bulletin is rated critical, Microsoft's most severe security rating, and attackers could potentially exploit the flaw to execute code remotely on affected systems, the company warned.
Specifically, an outsider could use a specially crafted Excel file to corrupt memory on an affected system and take control of it, according to Microsoft.
Microsoft reported that users whose Office systems are configured to have fewer administrative privileges are at less risk for malware exploitation than users who operate with broader rights. (shocker!)
MS07-036 aims to patch three vulnerabilities -- two of which were rated as critical, and one of which related to a known zero-day flaw. The bulletin repairs bugs in Excel 2000, 2002, 2003, and 2007.
On Tuesday the company issued six security updates for Windows, Office, and .Net Framework, patching a total of 11 vulnerabilities -- five of them rated critical.
The most serious of the batch is MS07-039, which patches a pair of bugs in Active Directory in Windows 2000 Server and Windows Server 2003, the two supported server editions of Microsoft's operating system.
The most dangerous of the two is a vulnerability in the way Active Directory validates an LDAP request. According to Microsoft's write-up, "an attacker who successfully exploited this vulnerability could take complete control of an affected system."
The Active Directory bug can be exploited without any user interaction on Windows 2000 Server, the older of the two operating systems, the company said.
Posted by Matt Hines on July 13, 2007 12:43 PM
July 06, 2007
Hackers go Robin Hood?
A new trend has appeared on the cybercrime landscape that makes it seem as if some fraudsters may have a conscience ... or none at all.
According to researchers at Symantec, the security company has observed a growing tendency among cybercriminals to test out their stolen credit card numbers by -- surprise of surprises -- using them to donate money to charities.
While it may seem like the identity thieves are engaging in an uncharacteristic show of kindness, Symantec concludes the obvious, that the criminals have actually identified the process of donating money as a useful test system for checking if their stolen accounts are still up and running, without drawing attention to themselves as quickly as if they used the swiped accounts in other settings.
"In the world of carding, where stolen credit card information is bought and sold, carders need to know if the credit cards they are buying or selling can actually be used," writes Yazan Gable, a researcher in Symantec's Security Response group, in a blog on the company's Web site. "It is sometimes difficult for them to verify this without raising any alarm bells and risking that their cards will be identified as stolen and disabled. As a consequence, a new trend is appearing."
In donating funds to charities online -- notably, the Red Cross -- cybercriminals can verify if their cards are working without raising the same hackles they might if they tried to buy something from an online retailer, as those companies are known to be working closer than ever with banks and card issuers to stop fraud as quickly as possible.
The method may also be useful in evading systems that employ behavior pattern modeling to battle fraud.
"Bank behavior monitors may be less likely to pick up on donations to charities," Gable said. "Legitimate charitable donations are not daily transactions for anyone with a credit card, so it would be difficult to determine if they are out of the norm."
It is unclear whether the charities would retain any of the funds -- which tend to be given over in relatively small amounts, according to Symantec -- once the crimes have been uncovered. One can imagine, however, that if the practice becomes widely used, card companies may want to get their money back rather than simply write it off as their own donation.
Gable said that Symantec researchers expect the problem to proliferate until something is done to prevent it.
"It wouldn't be too surprising to see this trend grow," said Gable. "I guess the one thing to note here, though, is that at least some of the stolen money is going to a good cause."
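Because the charity trick is built to slip past a per-cardholder profile, the natural counter is to aggregate from the merchant's side instead. The following Python script is an added example of that idea, not logic from Symantec or from any bank or card issuer: over a constructed authorization feed (tokenised card references, not PANs) it flags a burst of many distinct cards each making a tiny donation at one charitable merchant within a short window, then flags any of those cards that goes on to make a large purchase elsewhere within a day. The thresholds (five cards in ten minutes, donations of $5 or less, a $500 follow-up within 24 hours) and the merchant names are assumptions; MCC 8398 is the card networks' category code for charitable organizations.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple

# Constructed authorisation feed (not real data). Card references are tokens,
# not PANs. Six different cards each give a dollar or two to one charity site
# within a few minutes; hours later two of them buy expensive electronics.
# A genuine $50 donor (tok_z9) and a grocery run are mixed in as controls.
SAMPLE_FEED = """\
ts,card,merchant,mcc,amount
2007-07-05T02:14:03,tok_a1,CHARITY-WEB,8398,1.00
2007-07-05T02:14:41,tok_b2,CHARITY-WEB,8398,1.00
2007-07-05T02:15:10,tok_c3,CHARITY-WEB,8398,2.00
2007-07-05T02:15:55,tok_d4,CHARITY-WEB,8398,1.00
2007-07-05T02:16:30,tok_e5,CHARITY-WEB,8398,1.00
2007-07-05T02:17:02,tok_f6,CHARITY-WEB,8398,1.00
2007-07-05T09:30:00,tok_z9,CHARITY-WEB,8398,50.00
2007-07-05T11:02:44,tok_a1,ELECTRONICS-ONLINE,5732,899.00
2007-07-05T11:40:12,tok_c3,ELECTRONICS-ONLINE,5732,1250.00
2007-07-05T12:00:00,tok_q7,GROCERY,5411,63.20
"""

CHARITY_MCC = "8398"             # merchant category: charitable organisations
TEST_MAX = 5.00                  # donations this small look like card tests (assumed)
WINDOW = timedelta(minutes=10)   # burst window (assumed)
MIN_CARDS = 5                    # distinct cards per merchant per window (assumed)
CASHOUT_MIN = 500.00             # follow-up purchase size worth flagging (assumed)
CASHOUT_WITHIN = timedelta(hours=24)


class Txn(NamedTuple):
    ts: datetime
    card: str
    merchant: str
    mcc: str
    amount: float


def parse_feed(text: str) -> List[Txn]:
    """Parse the CSV feed (header on the first line) into time-ordered Txns."""
    rows = []
    for line in text.splitlines()[1:]:
        ts, card, merchant, mcc, amount = line.split(",")
        rows.append(Txn(datetime.fromisoformat(ts), card, merchant, mcc, float(amount)))
    return sorted(rows, key=lambda t: t.ts)


def detect_card_testing(txns: List[Txn]) -> Dict[str, list]:
    """Two rules: (1) per charitable merchant, MIN_CARDS distinct cards making
    donations of TEST_MAX or less inside WINDOW is a card-testing burst;
    (2) a card seen in a burst that spends CASHOUT_MIN or more elsewhere
    within CASHOUT_WITHIN is a tested card being cashed out."""
    recent: Dict[str, Deque[Txn]] = defaultdict(deque)   # merchant -> small donations in window
    tested: Dict[str, datetime] = {}                      # card -> time of its test donation
    bursts: List[dict] = []
    cashouts: List[dict] = []
    for t in txns:
        if t.mcc == CHARITY_MCC and t.amount <= TEST_MAX:
            q = recent[t.merchant]
            q.append(t)
            while t.ts - q[0].ts > WINDOW:          # drop donations older than the window
                q.popleft()
            cards = {x.card for x in q}
            if len(cards) >= MIN_CARDS:
                for x in q:
                    tested.setdefault(x.card, x.ts)
                last = bursts[-1] if bursts else None
                if last and last["merchant"] == t.merchant and t.ts - last["end"] <= WINDOW:
                    last["end"] = t.ts               # extend the open burst
                    last["cards"] |= cards
                else:
                    bursts.append({"merchant": t.merchant, "start": q[0].ts,
                                   "end": t.ts, "cards": set(cards)})
            continue
        when = tested.get(t.card)
        if when is not None and t.amount >= CASHOUT_MIN and t.ts - when <= CASHOUT_WITHIN:
            cashouts.append({"card": t.card, "merchant": t.merchant,
                             "amount": t.amount, "tested_at": when})
    return {"bursts": bursts, "cashouts": cashouts}


if __name__ == "__main__":
    result = detect_card_testing(parse_feed(SAMPLE_FEED))
    for b in result["bursts"]:
        print(f"burst at {b['merchant']} {b['start']:%H:%M}-{b['end']:%H:%M}: {sorted(b['cards'])}")
    for c in result["cashouts"]:
        print(f"tested card {c['card']} spent {c['amount']:.2f} at {c['merchant']}")
```

On the sample the six early-morning donations collapse into one burst at CHARITY-WEB, and tok_a1 and tok_c3 are flagged again when they spend hundreds of dollars on electronics a few hours later; the $50 donor and the grocery purchase are left alone. The per-merchant velocity rule is the part that matters: a single small donation looks innocuous on any one cardholder's history, which is exactly what the carders are relying on, but dozens of unrelated cards giving a dollar each to the same site in ten minutes does not. Tune the window and card count against each charitable merchant's own baseline, since a telethon or disaster appeal will legitimately produce the same shape.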
Posted by Matt Hines on July 6, 2007 02:25 PM
June 26, 2007
Enterprise Data Protection: The Importance of Account Ownership
InfoWorld's blogging today from our Enterprise Data Protection (EDP) Forum in New York City. As InfoWorld has been reporting, companies have been struggling to protect their enterprise data from compromise by malicious (or sloppy) insiders, not to mention shadowy hackers. We've got some leading figures in enterprise security here sharing their thoughts, and offering some interesting opinions on the fast-evolving EDP space. One of the more interesting observations this morning came from keynote speaker Stephen Katz, president of Security Risk Solutions LLC and a former CISO of Citigroup, J.P. Morgan and Merrill Lynch.
Katz was talking about the changing role of the CISO and about the need for CISOs to be security evangelists for their companies, promoting security awareness among the rank and file.
Why, you might ask? Because improving the security IQ of ordinary employees can do a lot more to raise a company's security posture than any mere security technology purchase. As an example, Katz noted that when a hacker compromised some Citigroup customer accounts in the 1990s, the compromise only came to light after a couple of account reconciliation clerks noticed a pattern of funny transactions in accounts they managed. "They said 'Our clients don't do business this way. They don't do these kinds of transactions,'" Katz recalled.
Through the efforts of the clerks, the issue was escalated within Citigroup and, eventually, the underlying hack was exposed.
The moral: CISOs need to make even rank-and-file employees understand why security is important to them and their customers, Katz said.
More coverage of the EDP forum to come...!
Posted by Paul Roberts on June 26, 2007 08:35 AM
June 19, 2007 | Comments: (0)
A quick poll of industry analysts taken in the wake of HP's SPI Dynamics acquisition finds mixed perceptions over the notion of HP staking a serious claim in the security industry in the coming months and years -- at least in the same mold that rivals such as EMC, IBM and Microsoft have jumped in with both feet via their own aggressive M&A strategies.
On one hand, some believe that HP has merely made a very strategic move in adding Web applications and software vulnerability assessment tools in the form of SPI to its portfolio of software development assets (much in the same way IBM added code scanning tools via its buyout of Watchfire earlier this month).
On the other hand, some believe that HP will begin to take steps in rounding out its security product and service portfolio in the same manner that EMC did via its buyout of RSA, IBM via its buyouts of ISS and Watchfire, and Microsoft via its long string of acquisitions of smaller security vendors including FrontBridge Technologies, Giant Software, GeCad, Whale and Sybari, among others.
(It's also worth noting Google's step into the security game, most notably via its recent acquisition of GreenBorder.)
For its part, HP denied having a broader security acquisitions strategy in place on its conference call with reporters and analysts today.
"We've done three acquisitions in the ID management space, since then this is our first security-related acquisition," said Sandeep Johri, vice president of strategy and business planning for the Software Business Unit at HP. "We are not setting out to become a security vendor as in a prevention vendor from a firewall or thoroughbred security perspective."
Johri also offered a monosyllabic answer of "no" when I asked him if HP harbored security platform plans like its rivals, and he said that HP had been courting SPI for a year-and-a-half, and that the deal was not a reaction to IBM's Watchfire buyout.
A roundup of analyst quotes on the topic at hand:
-Chenxi Wang, Forrester Research:
"HP is definitely trailing product and service-wise in security, [SPI] will give them a much-needed boost, and I think there will be other areas of investment. I wouldn't be surprised to see them strengthen in the security services area much as IBM has done with ISS."
(It's worth noting that Dr. Wang worked previously as an independent consultant with HP's Labs group, though on utility computing projects, not pure security issues.)
-Jon Oltsik, Enterprise Strategy Group:
"If you're doing big deals these days you need some security expertise, either through partnering with others or doing it yourself, but if you're doing business process outsourcing or building a development environment, as HP is, security has to be part of it.
There have been rumors of HP getting into the security space, and if they do it makes sense to jump in with both feet. There is the rumor that HP would try something big like a buyout of Symantec, but I think that's a stretch at this point. HP has OpenView and ProCurve and professional services in its portfolio, and they can cherry-pick smaller, high-value startups like SPI and build on that portfolio.
Symantec would be a big pill to swallow, and I'm not sure the smoke from HP-Compaq has ever cleared completely, so, that is a deal that would surprise me. But, there is McAfee, Secure Computing and CheckPoint, and a lot of companies in the multi-$100 million revenue range that could certainly fit into HP's plans."
-Joseph Feiman, Gartner:
"HP won't try to become a network security provider; the most probable concentration point for security in the company is becoming part of the security testing team, as with the SPI deal.
Some customers do see a panacea from their security problems in a single vendor that provides everything in one, and from that viewpoint, HP, with penetration into enterprises, has added another piece on the applications testing side, as with IBM-Watchfire."
-Chris Christiansen, IDC:
"HP is very interested in the security space, especially in some of the more high-growth areas. As a purveyor of servers and systems management, storage management, and networking management solutions, it makes sense that they would have a greater presence in the security market and look to profit more highly from security.
They seemed to be open to more acquisitions in the space when I spoke with them. Likely areas could include security-enabled compliance, e-discovery, NAC, messaging security, and content filtering and control around data leakage and information protection and control."
Posted by Matt Hines on June 19, 2007 02:14 PM
June 18, 2007 | Comments: (0)
As predicted by industry watchers, the security sector continues to experience significant consolidation in 2007, with PatchLink becoming the latest buyer in announcing a deal to acquire endpoint security specialists SecureWave on June 18.
Under the terms of the deal, proposed as an all stock transaction for which additional financial figures were not released, SecureWave shareholders will have the next several weeks to decide whether or not they want to accept the PatchLink bid.
As part of the agreement, the companies reported that venture backers Mangrove Capital Partners, the primary shareholders in SecureWave -- which is based in Luxembourg -- will be given a seat on the PatchLink board of directors if the deal is approved.
Company officials pitched the deal as a marriage of complementary security tools.
SecureWave's flagship Sanctuary product line offers unified policy enforcement for management and monitoring of endpoint device and applications use, to protect against data leakage and malware attacks.
Combined with Scottsdale, Ariz.-based PatchLink's vulnerability management solutions -- which offer to automate security update and vulnerability remediation tasks -- company leaders said that the firm would be able to sell itself as an integrated provider of "policy-based enterprise security solutions."
In practical terms, the merger should give the combined company the ability to position itself as an integrated endpoint security provider, covering everything from software patch updates to data leakage prevention.
"The technical and geographic synergies between the two companies made this a logical next step in moving towards unified protection and control that cuts across multiple departments within an enterprise," Bob Johnson, CEO of SecureWave, said in a statement. "This combination provides our customers and our partners with a best-of-breed product portfolio based on the positive security model that consolidates infrastructure, unifies management and administration, lowers cost of ownership and provides end-to-end risk reduction."
The march among vendors to pull together security applications into integrated packages with centralized management capabilities continues at a dizzying rate, with such deals and the launch of products including market-leader Symantec's Endpoint Protection 11.0 -- introduced June 13 and due out this Fall -- moving the idea of such blended technologies from the conceptual stage into real world deployments.
PatchLink officials labeled the combination of its technologies with those of SecureWave as a "comprehensive security platform for unified protection and control of all enterprise servers and endpoints."
The company significantly broadened its ability to provide vulnerability management tools with the acquisition of Harris STAT in Feb. 2007. At that time, PatchLink officials also hinted that the firm could be considering a name change to reflect its extended set of security skills, as it has moved far beyond simple patch remediation.
"Through significant organic growth and strategic acquisitions, PatchLink is evolving into a global provider of security solutions for the world's largest and most demanding IT environments," Pat Clawson, the firm's chairman and CEO, said in a statement. "We believe PatchLink is now poised to capitalize on a significant market opportunity as the de facto provider of policy-based enterprise security solutions."
In the same note, IDC analyst Charles Kolodgy appeared to give his blessing to the proposed merger.
"Reactive security drives a maddening environment of ad hoc and emergency updates to signatures, patches and security policies. However, organizations realize that proactive security measures are the best way to maintain a consistent level of security risk management," Kolodgy writes. "This emphasis on fixing problems before they occur will create a significant market for integrated security policy and remediation management. A proactive stance will also reduce security risk across the enterprise. PatchLink's acquisition of SecureWave provides solutions to reduce risk."
Posted by Matt Hines on June 18, 2007 08:57 AM
June 07, 2007 | Comments: (0)
Microsoft officials remain mum on the schedule and details for an initial service pack update for the company's new Vista operating system, but the software maker has begun openly referencing the planned release in documentation on its Web site.
While Microsoft watchers have been predicting the arrival of an SP1 release for Vista since prior to the launch of the OS in late 2006, Redmond is offering very little guidance on what its plans for the update might be.
However, the company has gone so far as to start preparing its partners for the eventual arrival of Vista SP1.
On June 7, Microsoft posted documentation for a Windows Automated Installation Kit on its Download Center portal that applies to both the company's much-awaited Windows Server software -- code-named "Longhorn" -- as well as a product dubbed Windows Vista SP1 Beta 3.
The Windows Automated Installation Kit (Windows AIK) is designed to help OEMs, system builders, and corporate IT departments deploy the OS onto new hardware, Microsoft said.
As part of the announcement, Microsoft posted a document which indicates that Vista SP1 has been under development since at least Feb. 2007, the date stamped on the file that provides an informational overview of the download.
Some German researchers were also recently able to snag a screen shot from a presentation at the Windows Hardware Engineering Conference (WinHEC) in Los Angeles in mid-May that references Vista SP1 (picture here with German text.)
Microsoft officials didn't immediately respond to calls seeking comment on the details of Vista SP1.
When SP2 for Microsoft Windows XP first arrived in Aug. 2004 it set off a wave of discontent as many businesses had problems installing the update.
However, it is widely perceived that the release significantly benefited Windows users once it could be swallowed, particularly in the area of improving security.
Some Microsoft partners have also alluded to the update publicly.
On April 19, Intel CEO Paul Otellini was asked how Vista sales would impact his company's 2007 sales projections on a conference call, and he replied that "[Vista] deployment [in enterprises] will actually happen when the Service Pack gets released in the fourth quarter time frame, probably the October-November time frame."
In early April, a software patch blog posted over 100 fixes it said are expected to be included in Windows Vista SP1.
According to this story by our own IDG News Service, sources close to Microsoft have confirmed that the company is currently testing SP1.
The blog poster, former Microsoft employee Ethan Allen, owner of The Hotfix blog and Web site, is predicting that SP1 will include device driver and software compatibility technology that many users had hoped would be available in the OS from the start.
Among them could be support for third-party USB and Firewire devices such as digital cameras, in particular products from Sony Corp. that have been having compatibility problems with Vista, Allen said.
There also will be patches to improve the TV playback and other Media Center capabilities in Vista, as well as to repair inconsistencies with the power management functions such as sleep and hibernation modes, he said.
Allen claims that Vista SP1 will not include a heavy dose of security updates.
Posted by Matt Hines on June 7, 2007 11:11 AM
June 06, 2007 | Comments: (0)
Security derails USB drives for soldiers
Sometimes even those people with the best intentions run afoul of today's maddeningly pervasive security landscape -- as evidenced by a recently launched program aimed at helping United States servicemen serving abroad stay in touch with family members back home.
When the Pentagon ordered its IT administrators to block access to social networking sites including YouTube, MySpace and iFilm on DoD networks in mid-May, it cut off some of the most commonly-used formats employed by soldiers to share photos, videos, and audio recordings with family and friends back home, critics have said, hurting morale and leaving some troops feeling cut off.
As a result, at least one company -- Tacoma, Wash.-based Topia Technology -- decided it would try to provide an alternative to the banned sites, which were blocked primarily because the DoD saw use of the URLs hogging too much of its bandwidth.
A secondary concern with the 11 banned sites was that sensitive information could potentially leak out in some of the videos, blogs and recordings being posted to the public URLs -- such as information on troop movements in Iraq.
Topia's idea was to hand out USB devices, under a program dubbed TroopSkoot, that would allow servicemen to create a two-way encrypted channel with people at home, through which they could transfer documents, files and other content.
The company had even gone so far as to donate 5,000 of the devices -- which claim to hold the equivalent of up to 10 feature-length films' worth of data -- to soldiers and their families based out of Fort Lewis Army Base outside Tacoma.
(This news video from KOMO-TV in Seattle demonstrates how the USB devices work.)
However, based on the fact that the TroopSkoot USBs employ Secure Sockets Layer (SSL) encryption and decryption to allow soldiers to establish a "virtual family network" with loved ones, a communications channel that even the DoD cannot access, it appears that the devices won't be allowed.
Janine Terrano, founder and CEO of Topia, admitted that the SSL technology used in the devices would prevent the government from monitoring the content being passed through its system -- which is supported over a Web-based interface.
Terrano said that her company's focus was based firmly on helping soldiers stay in touch with home, without consideration of possible misuse.
The idea that troops could potentially communicate with unknown outsiders in private using the devices likely would have raised questions when servicemen began attempting to use the gizmos, but existing military policies will keep the USB gadgets from being used with DoD equipment, according to Pentagon spokesmen.
"Longstanding DoD policy prohibits individuals from introducing unauthorized software, firmware or hardware on the DoD information system," said Major Patrick Ryder, a U.S. Air Force officer serving as a spokesman with the Office of the Assistant Secretary of Defense. "Because this particular hardware and software are currently unapproved, this policy prohibits their use on DoD computers."
Further, while Topia's press release describing the TroopSkoot program includes ringing endorsements of the technology from representatives of the USO and a former deputy commander of the U.S. troops during Desert Storm, spokesmen at Ft. Lewis said that the base has given no official approval for the USBs' usage.
Some of the servicemen given the devices have already been deployed overseas.
"There has been no official Army or Ft. Lewis endorsement of these devices, we only just heard about it and found out that they have been made available to some soldiers as well as their families," said Joseph Piek, a spokesman for Ft. Lewis. "We're trying to find out if there was unit-level participation in some form prior to deployment."
Piek said that obviously, if the technology allows soldiers and their families to stay in communication while not violating DoD policies, then it would be "a great product for morale," but it would appear that the jig is already up for TroopSkoot, based on the Pentagon's take.
Some members of Congress are already leaning on the DoD to loosen up its social networking restrictions.
Meanwhile, servicemen will apparently have to wait a bit longer to find a new way to keep in touch with their loved ones.
Posted by Matt Hines on June 6, 2007 01:50 PM
June 04, 2007 | Comments: (0)
Study - Database security needs work
A new survey conducted by Ponemon Institute and sponsored by database security software maker Application Security finds that while businesses are devoting more time and money to protecting their information stores, much work remains to be done in the area.
According to the study -- which involved a survey of 649 IT workers in the United States, Europe, the Middle East, and Asia -- security professionals understand the growing impetus behind protecting databases from both internal and external misuse; however, many companies lack the strategy, technology and funding necessary to lock down even their most important assets.
The report specifically contends that companies remain largely unprotected from many forms of insider attacks, often cited by security researchers as the leading source of data leakage from organizations, large and small.
Some 57 percent of those surveyed said they do not believe that their organizations have taken adequate measures to protect against insider threats, with 55 percent of respondents indicating that their organizations are not doing enough to stop data loss in general.
The study also found that companies are doing a far more rigorous job today of protecting their customer data than they are working to protect employee information.
Roughly 40 percent of those surveyed said their organizations do not have necessary tools in place to guard their databases, or were unaware of whether their companies' databases are monitored for suspicious activity at all.
More than 95 percent of those interviewed said that they would value technologies that helped them to understand and prioritize database security needs within their organization more effectively.
"This shortfall can be attributed to the massive scale of corporate data stores and the lack of IT resources," Ponemon said.
Some 88 percent of those surveyed for the study reported that they manage greater than 100 databases and a majority of respondents said that they oversee in excess of 500 databases.
Meanwhile, 54 percent of the IT workers surveyed said their companies planned zero, or only slight staff increases during 2007.
Surprisingly, despite the growing mountain of data protection and compliance regulations affecting businesses, some 40 percent of respondents admitted that adjusting their operations to meet changes in such guidelines is not on their agenda this year, with another 15 percent ranking such efforts a "low priority."
The Ponemon study also found that smaller organizations with an annual IT budget below $30 million spend a smaller percentage of their overall allowance on security, including database protections.
Posted by Matt Hines on June 4, 2007 02:42 PM
May 22, 2007 | Comments: (0)
Symantec-eBay piracy suit settled
Just a few days after filing suit against a pack of suspicious resellers charged with selling pirated copies of its security software online, Symantec has seen a legal claim brought against yet another accused counterfeiter of its products settled.
According to the Washington-based Software & Information Industry Association (SIIA), which had been working on behalf of Symantec in a handful of suits charging individuals with illegal distribution of its software over eBay, one of the accused parties has agreed to pay damages back to the firm.
The SIIA reported on May 22 that it has reached a settlement with Grace Chan of San Jose, Calif., in its piracy case pending in the Central District of California. The defendant will pay Symantec $205,000, as well as agree to other confidential terms for sales of unauthorized software over eBay, the industry group said.
In bringing the suit, Symantec found an unlikely partner in rival McAfee, with the two leading anti-virus firms filing a handful of claims against individuals accused with selling pirated or otherwise unauthorized versions of their products over eBay roughly one year ago.
Four more of the cases remain open, but officials with SIIA highlighted the Chan settlement as proof that it can stop counterfeiters.
The lawsuit was filed under SIIA's Auction Litigation Program, which is specifically aimed at halting illegal sales of counterfeit products on sites such as eBay, as well as stopping auctions of products not meant for re-sale, such as applications distributed freely to school systems.
SIIA said that the program involves monitoring popular online auction sites, identifying individuals or groups selling pirated software, and suing on behalf of its members.
"The sale of pirated software through online auctions is a growing problem that hurts buyers, sellers and the auction sites themselves," Keith Kupferschmid, senior vice president of SIIA's Software Anti-Piracy Division, said in a statement. "Consumers are getting duped, legitimate businesses are losing money and the credibility of eBay and other sites is under attack. With existing auction site tools doing little to curb the problem, SIIA has stepped up its efforts to aggressively pursue software pirates."
SIIA officials said they also hold eBay and other auction sites responsible for failing to do a better job of policing user activity. While eBay has policies in place to try to stop illegal and counterfeit products sales, it needs to improve its efforts, the group maintains.
The industry group said that the Chan settlement "demonstrates both the ease of circumventing eBay’s current fraud prevention protocols and the many traps for unwary consumers buying online."
"Infringers often are able to use multiple user identities, and multiple ‘storefronts’ to continue their activities for long periods of time," Scott Bain, SIIA Litigation Counsel, said in a statement. "We are working to identify and pursue these individuals and their sources distributing all varieties of pirated software – whether counterfeit copies or illegal OEM, educational, and unbundled products."
SIIA specifically said it was forced to launch the Auction Litigation Program when the process of taking down suspicious auctions via eBay's Verified Rights Owner (VeRO) program failed to "adequately remedy" the problem.
Through the program, SIIA filed three lawsuits in May 2006 and two more in Nov. 2006. The group said that it plans to file more of the suits over the coming weeks and months.
Posted by Matt Hines on May 22, 2007 08:43 AM
May 21, 2007 | Comments: (0)
IronPort -- also known as Cisco's latest acquisition -- has launched an updated version of its SenderBase.org traffic monitoring site, which serves as a free online malware and spam resource for IT administrators.
Along with a new user interface that claims to make it much easier for people to analyze trends in e-mail, virus outbreaks and spyware patterns, the e-mail distributor reputation service promises a list of upgrades including:
-New reputation scores that are meant to help people figure out if their network is being used by spammers and botnets. After entering their IP address, a user receives a score of poor, neutral or good, depending on the results.
-More detailed summary reports for spam and viruses including geographical data about spam sources (linked with Google Maps), as well as information on the types of malware and volumes emanating from individual sources.
-Detailed reports about individual threat sources and formats, including the IP address, volume and domain associated with each threat, along with historical data. Users can also create their own customized reports.
Industry watchers said that SenderBase has already proven itself to be a valuable resource to the IT community.
"Breadth of data is key to making accurate decisions about security threats," Brian Burke, research manager for IDC's Security Products service, said in a statement. "IronPort's SenderBase Network provides an unprecedented real-time view into security threats from around the world. The new SenderBase graphical interface, enhanced reporting tools, and the ease of use provides comprehensive data that ISPs and companies can use to help them make critical security decisions."
SenderBase already claims to process over 25 percent of the world's e-mail traffic for threats, with information taken from 75,000 participating organizations and totaling more than 5 billion queries per day.
According to the site's latest results, only 12.4 percent of all e-mail traffic is legitimate, while some 78.3 percent of the world's e-mail traffic is generated from IP addresses identified by the company as suspicious.
A number of security software makers have launched so-called reputation services in the last year which promise to take information drawn from SenderBase and other similar resources to track malware and spam patterns.
"Reputation is based on data and the breadth of data is the key in making accurate decisions about security threats," Tom Gillis, senior vice president of marketing at IronPort Systems, said. "When we first launched SenderBase four years ago we knew that it had the power to change the way organizations ranging from small businesses to the Global 2000 waged war against spam. Today, the IronPort SenderBase Network is building on that success to provide even more accurate and unrivaled insight into not just spam patterns, but also into Web-based threats."
Posted by Matt Hines on May 21, 2007 10:41 AM
May 18, 2007 | Comments: (0)
Putting an end to an interesting case of attempted corporate espionage, the United States District Attorney for Connecticut, Kevin J. O'Connor, announced on May 18 that a former employee of battery maker Duracell who attempted to sell company secrets to its rivals has been sentenced to probation.
On May 17, U.S. District Judge Janet C. Hall sentenced Edward R. Grande, 49, to five years of probation for stealing trade secrets from Duracell, which has its headquarters in Bethel, Conn.
Hall, who presides over the Bridgeport District Court, also ordered Grande to pay a $7,500 fine and perform 200 hours of community service.
According to the state's case, between March and June 2006, Grande -- who was employed as a cell development technologist at Duracell -- copied and downloaded sensitive research about the company's AA batteries to his computer.
He then e-mailed the documents to his home computer and carried hard copies of the materials home from Duracell's offices.
Grande, who pled guilty to the charges in Feb. 2007, then forwarded the stolen intellectual property to two Duracell competitors in an attempt to damage the firm.
In a seemingly impressive example of corporate responsibility, the companies that were sent the information by Grande returned it to the battery maker, which is owned by consumer products giant Procter & Gamble, revealing the employee's scheme to Duracell executives.
The company was then aided by the Federal Bureau of Investigation (FBI) in its inquiry into who exactly was responsible for the plot.
Duracell estimates that it generates over $1 billion in revenue from the sale of its AA batteries each year.
The case is reminiscent of a scheme that unraveled roughly one year ago between soft drink giants Coca-Cola and Pepsi.
In July 2006, three individuals were arrested in Coke's home town of Atlanta for attempting to sell trade secrets stolen by an employee of the company to Pepsi.
After lifting important information on future product recipes from Coke's files, Joya Williams, an executive assistant at the company, and two accomplices attempted to sell the documents and a liquid product sample to Pepsi for cash.
The three individuals were subsequently charged with wire fraud and unlawfully stealing trade secrets by federal authorities after Pepsi alerted Coke officials and law enforcement that it had been offered the stolen materials.
Of course, no one will ever know if people at Pepsi and the two Duracell rivals looked at the materials before returning them to their rightful owners. But, since they behaved honestly in returning the stolen IP, we can give them the benefit of the doubt.
Posted by Matt Hines on May 18, 2007 01:52 PM
May 16, 2007 | Comments: (0)
Microsoft shifts Patch Tuesday procedures
Microsoft is tweaking some elements of its security update process in an attempt to respond to customer demands for more comprehensive information regarding software patches before and after they are released.
Beginning in June, officials with the Microsoft Security Response Center (MSRC) said the company will start offering more detailed descriptions about its upcoming Patch Tuesday security updates in its Advance Notification Service (ANS), which is issued the first Thursday of every month, prior to the official bulletin release.
In a blog post on the MSRC site, Microsoft said it will specifically provide additional information including vulnerability severity ratings, the potential impact of the reported flaws, and the software products affected by each security bulletin, in hopes of appeasing its customers.
The company has been widely criticized in the past for giving its users far too vague notices of what they should expect to arrive each Patch Tuesday. The problem has become particularly acute as hackers utilize so-called zero day vulnerabilities to exploit Microsoft products, leaving customers waiting for specific updates to close the software holes that are being attacked.
In addition, Microsoft reported that the new ANS format will be published on the company's monthly security bulletin summary page as a subset of the report, and then updated with complete details once the security bulletins are released.
In the past the company's Web site has often forced users to click through multiple pages and summaries to get to the specifics of a particular vulnerability. ANS will also move to a new URL starting on June 7.
(http://www.microsoft.com/technet/security/Bulletin/ms07-jun.mspx)
Microsoft said that it is also editing the layout of its security bulletins to help customers more easily determine the severity of a bulletin and how they might be affected.
Among the formatting changes are the transition of vulnerability response advice to the top of the ANS page, new tables listing affected products with links to the specific download location of related updates, and a move to new section titles considered by the software maker to be more representative of the content they address.
A sample version of the new report layout is available here.
"This was implemented based on customer feedback that more time and information was needed to plan for testing and deployment," said MSRC Director Mark Miller in his blog. "We've received positive feedback on the ANS, but customers have also told us that additional information would be even more helpful. Based on that, we are incorporating additional detail about the upcoming security updates."
Microsoft has been talking about becoming more forthcoming with divulging vulnerability details for some time; making its bulletins more accessible and to-the-point would certainly seem to be an important step in that direction.
Posted by Matt Hines on May 16, 2007 11:08 AM
May 14, 2007 | Comments: (0)
DoD cites security in YouTube, MySpace crackdown
Serving abroad in the military can be a real hardship. Even if you're not in daily danger of losing life and limb, there are the months away from home, separation from family and loved ones and the monotony of military life.
In recent years, of course, the Internet has made that a bit easier -- with everything from Skype to social networking sites making it easier to communicate with your friends and family, and let the world know what you're doing, even from thousands of miles away.
But now it looks like the U.S. Department of Defense is going to make that a bit harder for soldiers by blocking DoD access to popular media, content-sharing and social networking sites. In a memo sent out to U.S. forces in Korea, U.S. Army General B.B. Bell said that the DoD has a "growing concern" about its unclassified network, known as NIPRNET, and that military personnel's use of "recreational Internet sites" is limiting DoD network bandwidth and "posing a significant operational security challenge."
Accordingly, DoD is limiting access to a grab bag of popular sites including social networking behemoth myspace.com, video sharing sites youtube.com and ifilm.com, Internet radio stations pandora.com, live365.com and 1.fm, as well as mtv.com, photo sharing site photobucket.com and more.
The ban is effective beginning Monday, May 14. However, members of the military will still be allowed to use the sites from home computers and over non-DoD ISPs.
Security seems to be the primary motivation for the crackdown. U.S. military members are reminded to be careful about forwarding links or files from personal to DoD computers and to be mindful of threats like identity theft on the sites.
Of course, sites like MySpace are a sword that cuts both ways for the military. The Marines, among others, have found MySpace a fruitful recruiting tool. However, the Military, like the rest of the U.S. Government, has also faced criticism from Congress over lax cybersecurity practices that have led to whopper breaches of unclassified networks.
Posted by Paul Roberts on May 14, 2007 09:15 AM
May 04, 2007 | Comments: (0)
The Cyber Security Industry Alliance -- an industry consortium whose members include security vendors CA, F-Secure, ISS, Qualys, RSA, SurfControl and Symantec -- is officially backing the re-introduction of a federal data breach act in Congress.
Representative Tom Davis (R-VA), the ranking member of the House Oversight and Government Reform Committee, re-introduced the Federal Agency Data Breach Protection Act on May 3.
Like previous attempts to establish a uniform set of requirements for government agencies that experience data incidents through which sensitive information is exposed, the latest stab at legislation outlines policies, procedures and standards for federal bureaus to follow in the event of a problem.
"Over the past two years, there have been a number of unfortunate data breaches at federal agencies, most notably at the Department of Veterans Affairs," Davis said in introducing the bill. "While some agencies have improved their overall security posture, there is still much more work to be done to ensure that sensitive data is better protected. Enactment of this legislation will make the U.S. government more accountable to its citizens through a stronger notification system that reduces the possibility of further loss of sensitive personal information."
The latest version of the bill also proposes to arm federal sector CIOs and CISOs with the authority to enforce the regulations under the Federal Information Security Management Act (FISMA). The bill also attempts to cover protection and tracking of government-owned hardware containing sensitive data. Davis also introduced the legislation in the 109th Congress last year.
"CSIA believes that protecting personal information, reducing identity theft, and securing sensitive data are all critical issues that directly impact economic growth," Tim Bennett, president of the CSIA, said in a statement. "We strongly support the passage of [this] bill which gives agency CIOs and CISOs the much-needed authority to enforce data breach notification requirements."
"Whether held by either the government or a private sector entity, citizens absolutely have the right to know when their sensitive personal information has been compromised, so that they can take the necessary steps to prevent further damage," Bennett said. "This reiterates the need for Congress to enact a comprehensive national law that secures sensitive personal information no matter where it is held, either by the government or private sector, and prevents further data breaches and addresses leaks once they occur."
CSIA officials pledged to help Congress move the legislation forward over the next several weeks.
Many federal security experts agree that the government must start doing a better job of protecting its IT assets if it is to begin establishing similar laws that govern private-sector companies' handling of sensitive data, just as many individual states already have.
"Our primary role in improving the data security issue is to clean up our own house, and we're aggressively engaged in that work; I'm proud of the effort underway, which hasn't necessarily surfaced publicly," said Robert C. Cresanti, the chief privacy officer and undersecretary of Commerce for Technology. "We need an aggressive review of all the data the government keeps and collects, and to question the need for use of personal identifiable information that may have been used out of convenience before."
"We're reforming the way we look at managing identity, and what the essential elements of that process are," Cresanti told InfoWorld in a recent interview. "We're looking more closely at what we're collecting, how it is stored, why we need it, and what we're doing to protect it, and I think we're doing a lot better job on those fronts already."
Posted by Matt Hines on May 4, 2007 01:06 PM
April 30, 2007 | Comments: (0)
Death knell for DoS extortion?
I'm always reluctant to believe arguments that some type of IT attack is dead. Remember those e-mails from two years ago about "spam is dead," or a year ago about "no more worms?"
However, Symantec Security Response Engineer Yazan Gable posted a new blog on the company's Web site that offers some very intriguing conclusions about so-called denial-of-service extortion attacks and why they might be going away.
The simple fact is that DoS threats (pay us money or we'll take down your network) are no longer as profitable as the alternatives, according to Gable, specifically because they put a big target on both the parties carrying out the attacks and their botnets, which could instead be used for more profitable, and stealthier, schemes.
Putting yourself and your botnet at direct risk by specifically targeting an organization that will likely hire someone to fight you or track you down just isn't worth the effort, it would seem, when you could do something as crafty as bid up malware-laden ads on Google to distribute spyware, for instance, while keeping a much lower profile.
Gable writes:
"The thing is that DoS attacks are loud and risky. Whenever a bot-network owner carries out a denial-of-service attack they run the risk of losing some of their bots. This could happen either because an attacking computer is identified and disinfected, or if it is simply blocked by its ISP from accessing the network.
Furthermore, if the bot-network owner isn't careful they could lose their entire bot network if their command and control server is identified. Since a DoS extortionist has to carry out at least one successful DoS attack before they can even demand their pay, they run some serious overhead risks."
The DoS extortion model also demands a lot of footwork that other attacks don't require, namely following through on the threat when the target doesn't pay. Gable said that nonpayment is one of the biggest issues for hackers, just as it is for legitimate billers.
"For a DoS extortionist this is the worst scenario because they have to risk their bot network for nothing at all. Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has to spend time and resources on a lost cause."
As a result, the researcher predicts that more hackers will move back to… Spam!
Well, it's a good thing spam is dead!
Posted by Matt Hines on April 30, 2007 09:51 AM
April 27, 2007 | Comments: (0)
UK Dept. of Health admits data incident
The United Kingdom's Department of Health is apologizing publicly for an IT misstep that resulted in the exposure of hundreds of doctors' personal information online.
According to reports in the nation, including IDG's Computerworld UK affiliate, the British DHS mistakenly published an Excel spreadsheet bearing the affected individuals' details -- including their addresses, phone numbers, sexual orientation and previous convictions (yikes!) -- on an unsecured section of its Web site for several hours yesterday.
The incident comes just a month after the nation's DHS was forced to offer interviews to a number of doctors whose online submissions to the organization's Medical Training Application Service (MTAS) were mistakenly rejected.
DHS officials said that they were uncertain exactly how long the detail-laden Web site, first reported by the UK's Channel 4 News, was up-and-running online, but estimated that it was live for at least several hours.
One can only imagine what types of identity fraud schemes people could cook up with such targeted data. Not only do any potential identity thieves know quite a bit about their targets in general, but they also know that the medical professionals likely make enough money to have something worth stealing.
The DHS issued an apology statement that reads:
"We apologize to any applicants whose details have been improperly accessed. This is a very serious matter and is under investigation."
"This URL was made available to a strictly limited number of people making checks as part of the employment process. This information was never publicly available through the MTAS Web site and was only accessible for only a short period of time after details of the URL were leaked."
"The MTAS team fixed the problem as soon as it was brought to their attention."
Posted by Matt Hines on April 27, 2007 09:04 AM
April 24, 2007 | Comments: (0)
Microsoft to ship client security products in May
Microsoft is preparing to ship the final version of its Forefront Client Security package, its most aggressive entry yet into the anti-malware and desktop security space.
In a meeting with customers in The Netherlands on Monday, Microsoft CEO Steve Ballmer revealed that the much-awaited product will likely arrive sometime in May.
Redmond, Wash.-based Microsoft has had a test version of the software -- meant to ward off advanced malware threats such as spyware and rootkits -- available since Nov. 2006.
Ballmer said that the package will comprise an integrated suite of desktop security tools whose functions range from testing device security posture to fending off viruses.
"Our client product is shipping in the next month or so and it really does do hygiene, security and anti-virus all the way down to the client level," Ballmer said.
Video of the event is available at IDG Nederland site Webwereld.
Microsoft is hosting a similar session to detail its security plans with U.S. customers and partners at The Beverly Hilton in Beverly Hills, Calif. on May 2.
Ballmer pointed out that the client security piece joins Microsoft's existing Forefront security tools for its SharePoint and Exchange platforms, along with its ISA Server software, to round out the company's burgeoning entrée to the market.
He said that Microsoft has "very robust plans to enhance and update" its product lines, and that it will also soon launch a new product that offers firewall services at an applications level, and another product that handles acceleration, caching and security services "at the edge of the network."
Since Microsoft announced that it would be joining the security applications sector and taking on longtime partners including Symantec, McAfee, Trend Micro and Cisco Systems to carve out a niche, many detractors have pointed out that large businesses won't trust Microsoft to defend its own products, vulnerabilities in which remain the most pressing IT security issue today.
Ballmer broached the topic and said that Microsoft can play an important role while retaining tight relationships with those firms.
"Some of our customers viewed this [move into offering security products] a little controversially and asked if we could solve these problems at a root level, why is there a need for extra products," Ballmer said. "But we also live in a world where the bad guys are getting smarter all the time and it is important to lock down core infrastructure and protect around it in a way that is more dynamic."
"Despite our entry into the security business, we will continue to work well with companies like Symantec, McAfee, CA and IBM that have their own lines of security product," he said. "We will be the best and earn it, but many others will want a heterogeneous environment and we will continue to work with those vendors."
"This is a major investment for us, it's a very serious investment for us, we know that if you choose to adopt these products they instantaneously become mission critical in your environment," Ballmer said. "So, we're very focused on doing a very good job not only in launching these products but in providing appropriate services so that you can be successful with them."
Posted by Matt Hines on April 24, 2007 09:56 AM
April 19, 2007 | Comments: (0)
Tech firm kickback scandal could claim many victims
The Department of Justice threw its weight behind three whistleblower lawsuits that contend some of the nation's leading IT firms have been overcharging the U.S. Government for services and supplies, by way of a large-scale "alliance" between companies that provided kickbacks and discounts that the government never saw.
As Grant Gross of the IDG News Service reports, the DOJ is backing three cases filed in 2004 by Accenture employee Norman Rille in U.S. District Court for the Eastern District of Arkansas. Rille alleges that three companies, HP, Sun and Accenture, submitted false claims to the U.S. government on "numerous" government contracts since the late 1990s.
But the list of companies that may have had their hand in the government's till is much longer -- almost three dozen companies, a roster that reads like a who's who of the tech sector: Cisco Systems Inc., Microsoft Corp., IBM Corp., Dell Inc. and Oracle Corp. and on and on.
Fishy business deals between and among IT firms doing business with the government are no secret, says Alan Paller of the SANS Institute, an IT professional association.
IT professionals who worked within the beltway have long known about what was often referred to as "SPIFF," a business term that typically refers to small, immediate bonuses paid to salespeople for selling a particular product. In the world of government IT contracts, it was often used to refer to incentives and extras paid to companies that resold to the government, Paller said. The end result was that the cost of services and products sold to the government got inflated, he said.
"This could be the equivalent of the backdating of options scandal," Paller said. "It's the equivalent not just because it will bring some of these companies into ill repute and their officials into jail, but also because it's something that was very widespread -- so widespread that people thought it was OK," he said.
While Paller isn't critical of government IT purchasing per se, he thinks that paying inflated costs for basic goods and services leaves less money available to tackle important tasks -- like IT security.
If found guilty, the firms named could be forced to pay triple the amount of losses in addition to civil penalties. While it's not clear how much the DOJ reckons it has lost as a result of the alliance kickbacks, the numbers involved are likely to be quite large.
Accenture's Government operating group reported revenue of $655 million and profits of around $93 million in the quarter ending February 28, and profits of $120 million on $1.2 billion in revenue in the last two quarters.
Posted by Paul Roberts on April 19, 2007 01:35 PM
April 18, 2007 | Comments: (0)
Universities scramble for notification technology
In the wake of the horrific mass shooting at Virginia Tech on Monday, colleges and universities in the U.S. are scrambling to buy notification technology that will allow them to connect with wired college students via cell phone, e-mail or SMS.
Ken Dixon, vice president of sales and marketing at MIR3 of San Diego, which makes emergency notification and disaster recovery software, says his company has been deluged with calls and e-mail since the shootings.
"We've heard from the University of Michigan, the University of San Diego, the University of Chicago, the Ivies, a bunch of Big 10 schools," said Dixon.
The company has not spoken with anyone from Virginia Tech, he said.
Administrators at colleges and universities may be shaken by criticism of Virginia Tech's handling of the April 16 shooting, in which two hours passed between an initial fatal dorm shooting by disgruntled student Cho Seung-Hui and the second round of fatal shootings, a period during which many students went to classes, unaware that anything was amiss.
The university's decision to send an e-mail to students warning them of the violence has been criticized as too passive, with many students complaining that they did not check their e-mail account before heading out of their dorms.
University officials have been quoted in reports saying that there was no easy way to contact Virginia Tech's tens of thousands of on and off campus students, employees and faculty. But Dixon, of MIR3, said that his company's technology does allow customers to quickly and automatically reach out to tens of thousands of people using a variety of modes -- from phone calls, to SMS text messages, to e-mail.
The technology, which costs organizations around $100,000 a year to license, is mostly used by businesses and municipalities for IT alerting and business continuity planning, Dixon said.
The company counts Shell, Visa and Bank of America as customers, as well as local governments in Florida and other states. In recent days, though, it's been universities who are clamoring for the MIR3 technology.
"The phone has been ringing constantly," he said. "They're in reactive mode now. Asking 'how do we fix this system?'"
Customers can specify multiple modes of communications, and collect responses from recipients. They can also automate a hierarchy of communications, starting with phone calls or e-mail, then switching to SMS, pages and the like for individuals who don't respond, he said.
Being able to reach students via cell phone is particularly important these days, said Dixon. "Every student is tethered to their cell. Your communication has got to be through that device," he said.
MIT (the Massachusetts Institute of Technology) also uses the product to notify IT personnel of events, but may expand it to communicate with students as well, Dixon said. (MIT hasn't yet responded to a request for comment on its plans.)
But emergency notification technology is no easy fix, said David Escalante, CSO of Boston College in Chestnut Hill, Massachusetts.
"Anytime something like this happens, there's an interplay between the people who are concerned about mitigating the situation and the difficulty of doing the things necessary to mitigate it," he said.
BC is in t

