January 31, 2008 | Comments: (0)
Hollywood gets hacking right
I assume that, like me, many other technically informed viewers have found existing attempts to embed IT security plotlines into mainstream movies and television shows somewhat pathetic and generally laughable.
In most cases -- whether it be in one of the seemingly dozens of crime investigation or cop shows, or bigger budget Hollywood productions -- the use of technology-oriented threats to scare or intrigue an audience has typically smacked of exaggeration, over-simplification or downright ignorance of the actual details of the security trends and attacks that many of us spend so much of our time talking about.
However, it sounds like the movie industry has finally gotten it right.
You've probably seen the current trailers at the movies and on TV for the new serial killer thriller "Untraceable," which opened at theaters this week. And while I've yet to make time to see it (despite the presence of the seemingly ageless Diane Lane in addition to the topical relevance with my job) at least one industry expert who already sat through the flick contends that the use of malware and hacking techniques employed in the storyline is truly on the mark and well researched.
David Perry, director of global education for anti-malware specialists Trend Micro, reports that upon seeing one of the first screenings of "Untraceable," he was impressed with the movie's displayed level of technical acumen.
Without ruining the story, and since I haven't even seen the film and have only a 10,000-foot view of its actual details, the plot revolves around a serial killer who is using a Web site to commit murder by using hits to the URL to deliver fatal blows to his victims. The idea is that the more people he can lure into peeking at his maniacal pages, the faster his prey is disposed of.
Diane Lane plays a Clarice Starling-like police investigator who tries to hunt down the operator of the "killwithme.com" site and must navigate her way through all the technical trickery the murderer is using to hide his identity and keep his site from being taken offline.
Perry said that unlike other recent tech-driven thrillers, the details in "Untraceable" actually add up. Rather than filling the heads of less security-focused viewers with exaggerations and falsehoods, the movie may actually help aid people's understanding of some cutting-edge issues, he contends.
"Computer geeks (like me) get a real laugh out of movies about hacking and cyber-crime," Perry wrote in a review of the flick on Trend's blog site. "When a hacker movie opens you will find theaters in Silicon Valley or other computer tech havens full of people laughing at all the wrong things, and at all the things gotten wrong."
"To our amusement and dismay, these overblown, crazy overdramatic portrayals of hacking and cyber-crime are what set the public's understanding of all things cyber. People believe in the world described by these movies. It frequently makes them less safe behind the keyboard," he said.
"But not Untraceable, they got it all right," Perry writes. "The Web page was only used for a limited period of time, and was proxied and mirrored and botnetted all over the place, standard operation in cyber-crime. All in all, [it was] very very believable — well done to the screenwriters and researchers involved."
Mainstream movie critics appear to be giving the film mixed praise, but I'm definitely intrigued by this informed IT endorsement, so I'll likely cast off my preconception that "Untraceable" appeared to be sort of a thinly-veiled takeoff on "Silence of the Lambs" and get myself into a theater to see it.
I still think someone good like Steven Spielberg could turn Richard Clarke's "BreakPoint" into a compelling thriller on the potential of IT attacks to wreak absolute havoc if exploited in certain ways.
However, it appears that, for now at least, there's one tech thriller that did its homework on the types of whacked-out scenarios that could come to pass if people with the right hacking skills decided to try to create them.
And, you know, this is Diane Lane that we're talking about.
Posted by Matt Hines on January 31, 2008 08:16 AM
January 24, 2008 | Comments: (0)
Microsoft awards high marks in Vista report card
Microsoft is giving itself straight As in its first-year Vista security report card, at least when comparing the new operating system's initial track record to its Windows OS forebears.
According to a blog post on the topic authored by Austin Wilson, director of Windows security at Microsoft, Vista is proving to be the most secure version of the OS released to date.
Wilson specifically credits the company's Security Development Lifecycle (SDL) program -- aimed at drumming flaws out of the OS during all of its design phases -- for lowering the sheer volume of security patches released for Vista thus far.
The expert also contends that all the security-oriented improvements resident in the software have made the total cost of running a Vista PC cheaper than previous Windows iterations.
"Our investments in the SDL and our defense in depth approach to building Windows Vista seem to be paying off," Wilson said in his blog. "Our job with security is never finished, but the focus we put on engineering for security and the defense in depth approach of Windows Vista are showing real-world benefits for customers."
Among the highlights of Wilson's report card:
- Fewer months with Patch Tuesday updates. So far the Vista OS has had three months (December '06, January '07 and November '07) when Microsoft didn't issue any monthly security fixes.
- Less frequent malware exploitation. Microsoft claims that it tracked 60 percent fewer malware infections aimed at Vista during the first six months of 2007, and 2.8 percent less unwanted software, compared to Windows XP SP2 systems.
- Fewer vulnerabilities. The company claims that Vista had only 36 vulnerabilities patched in its first year, along with 30 that have yet to be addressed, compared to 68 patched flaws for XP, and another 54 that remain open, during the same timeframe.
In terms of onboard security features, Microsoft touted the efficacy of its User Account Control model -- aimed at thwarting the ability of malware programs to tap into administrator-level control of machines -- and its IE Protected Mode -- which runs the browser in what is believed to be its safest possible configuration -- as keys to stemming attacks against Vista systems.
As a result of the security improvements, along with others, the Microsoft expert pointed to a report filed by GCR Custom Research which contends that of the $251 per year saved in maintaining a Vista machine, compared to an XP box, $55 of the savings could be attributed to its improved security and onboard protection features.
Despite the improvements, researchers have found some fairly serious flaws in the OS over the last year. Among the most significant (via InfoWorld sister site PC World):
- A flaw in animated cursor code used by Windows 2000 SP4 through Vista. With a poisoned .ani, .cur, or .ico file, remote attackers can create a buffer overflow, overwhelming a program with more data than it can handle and allowing takeover of a victim's PC. The issue was fixed with Microsoft's critical MS07-017 patch.
- Malware Protection Engine: A critical vulnerability in all versions of Windows using the Microsoft Malware Protection Engine, built into Vista's baked-in Windows Defender anti-spyware and the Microsoft OneCare antivirus program. The flaw can force the engine to execute attack code when it scans a hacked PDF file. This issue was fixed in Microsoft's critical MS07-010 patch.
- CSRSS privilege escalation: A vulnerability in the Windows Client/Server Runtime Server Subsystem's (CSRSS) error handling could allow an attacker to make an end run around Vista's UAC (User Account Control) protections. This issue was fixed in Microsoft's critical MS07-021 patch.
Posted by Matt Hines on January 24, 2008 09:48 AM
January 23, 2008 | Comments: (0)
Congress questions security of backup tape sales
Congresswoman Betty McCollum (D-Minn.) has reopened an interesting can of worms on Capitol Hill by sending a letter to the Government Accountability Office requesting an investigation into the potential security implications of a program under which federal agencies are reselling used magnetic data tapes to the public.
According to McCollum's letter, an unofficial test recently conducted on a handful of tapes sold via the program found a wealth of sensitive data still resident on the storage media, including bank account numbers, personal information of government employees, travel expense reports and a range of other financial documents.
The forensic test of the tapes, which are supposed to be wiped clean before re-sale, was conducted by officials at Imation, a maker of removable storage technologies.
McCollum maintains in her plea that the sensitive data mined from the tapes was unearthed using "readily available equipment and information," implying that anyone else with such knowledge could easily replicate the feat.
The Congresswoman directly questioned a previous 2007 GAO review -- launched at the request of the Dept. of Homeland Security based on similar security concerns -- that found that the tapes were indeed wiped of any information before they were made available for sale.
The GAO said that its tests found that the tapes were sufficiently wiped clean of any data, and that they should pose only a low security risk as long as the involved agencies followed established guidelines for erasing any data on the devices.
McCollum claims that the Imation test took only one-and-a-half business days to find the sensitive data, and that it was conducted using only a standard PC and well-known forensics techniques.
"If federal agencies are selling used magnetic storage tapes on the open market with this level of recoverable sensitive data available to anyone with minimal technical skills or equipment, we should all be alarmed and demanding greater accountability," McCollum said. "Federal agencies could be under the impression that the sale of these used tapes is secure, while the fact remains that substantial amounts of highly-sensitive government [data] may be circulating in the open market."
The Congresswoman is "strongly urging" the GAO to launch a broader investigation to ensure that tapes sold by agencies including the Federal Reserve and U.S. Air Force do not contain valuable or sensitive information.
Among the issues that McCollum has asked the GAO to review are which agencies should be allowed to resell their tapes, what processes are used to erase any data on the devices, and how the tapes are reviewed to ensure that they have been wiped before sale.
McCollum is asking other members of Congress to help push the GAO for a second review. Among the politicians copied on her letter were Sen. Joseph Lieberman, chair of the Senate Committee on Homeland Security and Government Affairs, and Sen. Susan Collins, a ranking member on the Senate Committee on Homeland Security and Government Affairs, who had requested the initial 2007 review.
Posted by Matt Hines on January 23, 2008 09:17 AM
January 22, 2008 | Comments: (0)
Free CSI for your network
When it comes to network security, you can't say that nothing in life is free.
At least nothing that's been ported into a free trial version.
Jokes aside, the security community is being offered a chance to kick the tires on an intriguing new product this week, as start-up Packet Analytics has launched a free trial of its Network Forensic Search Engine (Net/FSE) -- a tool used to collect and perform analysis of network alert data.
Launched out of Los Alamos Labs, the startup is hoping to help companies make sense of all the information being gathered by their existing intrusion detection systems, security event management tools, firewalls and network gateways.
Even though many large customers have invested lots of hard-earned cash in deploying such devices, most still struggle to make sense of all the incident data being aggregated by the systems, and to weed-out real attacks from the noise of everyday traffic and false positives, officials with the company claim.
According to Packet Analytics' founders -- several of whom worked at the federal research facility -- the core technology behind Net/FSE has been in production use for more than five years at Los Alamos, where it has been keeping an eye out for suspicious activity trying to tunnel its way in over the installation's external defenses.
Another existing user is Los Alamos National Bank, which is scanning its event logs with the system to help protect its 1.2 billion online financial records, according to Packet Analytics executives.
Promised to be "built by network security analysts for network security analysts," Net/FSE utilizes proprietary indexing and search algorithms that promise to deliver speedy results and offer "real-time situational awareness" of forensics data, allowing organizations using the tool to become far more proactive about handling critical incidents, company officials said.
According to the firm's marketing pitch, the system actually uses a two-phase search technology that alters the manner in which multi-terabyte datasets can be analyzed to gather context about security-oriented events.
Net/FSE also promises to function as both a network data collector and a systems log server, thereby allowing for tight integration of data fed into the tool from multiple sources, the company maintains.
The system also boasts a high level of available customization to allow users to design unique agents to stream data to the server, or provide search capabilities over existing log repositories. That feature is crucial in cases where organizations already have a centralized logging infrastructure and merely desire to add new search capabilities over that data, officials said.
The search engine can also be delivered as a totally Web-based architecture, as it is in the trial version, although companies hoping to create their own models for the engine will need to run an agent in-house.
Working under a license to market the technology commercially -- and $100,000 in seed money -- from Los Alamos, company officials said they believe the engine could become a hit with organizations that have found their networks getting compromised with attacks even after making significant investments in existing logging and alert tools.
"People at Los Alamos found that they were spending too much time analyzing these logs, so the idea was to design something that could perform a deep dive on what the events actually mean within the security context," said Andy Alsop, president and chief executive of Packet Analytics.
"The most significant value we bring is to give people more detailed information as an event is still happening, but it's also about giving the whole picture, how something small that happened a month beforehand actually led to a much larger incident, and that's what traditional data collection tools cannot do," he said.
Future plans to expand Net/FSE will include the addition of compliance reporting capabilities, along with added network behavior analysis features and even broader event correlation, the company said.
Posted by Matt Hines on January 22, 2008 09:48 AM
January 17, 2008 | Comments: (0)
Sophos may IPO in February
Anti-malware vendor Sophos has not abandoned its long-rumored plans to launch an initial public offering of its stock, and the company may move forward with the transaction as soon as mid-February, according to industry sources.
The U.K.-based security provider had recently been rumored to have shelved its IPO aspirations because of the volatility of international stock markets and lingering questions over the ability of technology providers to launch successful offerings in the current economic environment.
However, sources close to the company confirmed to InfoWorld on Thursday that Sophos is still seriously considering a launch of its stock on the U.K. exchange, and that it may execute its IPO as soon as mid-February, before the timeframe for its current regulatory filings to launch such an offering expires.
Sophos filed its "intent to float" IPO paperwork in the U.K. in December 2007, and the window of time allotted by those documents will run out before the end of next month. Alternately, the company could still decide to re-file for an IPO at a later date, sources said.
According to some industry estimates, if the company is successful in undertaking the stock offering it could generate a market capitalization of $900 million or more.
Sophos has long been considered a second-tier provider of anti-virus applications and other malware and spam-fighting tools, competing with peers such as Kaspersky Lab and Panda Software to steal business away from larger rivals including Symantec, McAfee and Trend Micro.
But company officials -- and market watchers including IDC (owned by InfoWorld parent IDG) -- maintain that the firm is now the world's largest privately-held security vendor, positioning it somewhere between those two groups in terms of its overall size.
By producing smaller packages of electronic virus signature updates and delivering them to customers faster than its rivals -- and integrating newer security tools such as network access control into its flagship endpoint protection products -- the company has been able to grow its business rapidly over the last several years, Sophos officials maintain.
Company officials have said publicly that the firm experienced revenue growth of approximately 23 percent for its last fiscal year, which ended in March 2007, and enjoyed 30 percent growth during the first six months of its current fiscal calendar.
Industry analysts Gartner have also placed Sophos alongside its larger competitors as a leader in its latest "Magic Quadrant" market reports covering the security market.
In the past twelve months, the security company has won several high-profile deals with major U.S. customers, including an agreement to supply software to protect 350,000 users at industrial giant GE, and a 100,000 seat contract with the Miami-Dade County Public Schools -- where it reportedly replaced McAfee products.
Company officials have cited growth of Sophos' business in the U.S. as one of the firm's top priorities over the last several years.
According to a recent report filed by industry analyst firm The 451 Group, based on Sophos' published fiscal 2006 numbers and statements about the company's fiscal 2007 performance, if the company's IPO is successful it could net a market capitalization as high as $1 billion.
"That's still a far cry from its next nearest competitor, Trend Micro, but is a nice kitty with which to fuel its growth and product development all the same," the 451 Group analysts wrote in the report.
The experts suggested that Sophos could use any cash gained through its offering to grow its sales and marketing efforts and to acquire other companies -- possibly in the data leakage prevention (DLP) space, where many other security vendors including McAfee, Symantec, Trend Micro and RSA have made acquisitions over the last year.
Getting into DLP, the analysts said, could serve to ease concerns of some large enterprise customers who are already doing business with the firm, or considering deployments of its products.
If the company decides not to push forward with its IPO, it may seek to be acquired by one of its larger rivals or by a major IT platform provider, in the same manner as e-mail scanning specialist Postini had been rumored to seek a stock offering before it was snapped up by search giant Google during 2007.
Among the potential suitors for the company could be Microsoft, according to the report.
Reached for comment on Thursday, Paul Roberts, one of the 451 Group analysts (and a former InfoWorld reporter) who authored the report, said that a strong IPO could help the firm establish an even larger presence on the security market, in particular with enterprise customers.
"Sophos' decision to move forward with an IPO sums up the confident attitude of a range of smaller anti-malware players that are prospering from the continued proliferation of online threats and from vendor fatigue with the 'big two' IT security firms: Symantec and McAfee," Roberts said.
"A publicly traded Sophos will still be much smaller than its nearest publicly traded rival, Trend Micro. But an IPO helps Sophos in a number of other ways," the analyst said in an e-mail. "It gives the company the resources it needs to fuel sales and marketing growth and to pursue development of technologies like [DLP] and [hosted security services] at the same time. Sophos also gets the credibility that comes with being a publicly traded firm, which could help it win some larger accounts."
However, even if Sophos does have a successful IPO, Roberts noted in his report, that would not guarantee that its stock would continue to perform well.
The analyst pointed out that one security company that launched a successful IPO in 2007, intrusion detection specialists Sourcefire, has seen its share value fall by nearly 50 percent since its stock hit the market at $15 per share last March.
Posted by Matt Hines on January 17, 2008 01:36 PM
January 16, 2008 | Comments: (0)
Phishing toolkits rock on
It seems that more creeps than ever before are hanging up their "gone phishing" signs and getting down to the business of setting out their electronic lures -- especially in the Philippines.
According to the latest research published by RSA, based on its observations during the month of December '07, a larger number of phishing attacks are showing up that appear to have been built using toolkits, the virtual "do it yourself" model for designing the threats.
Like the infamous "rock phishing" toolkit that first established the genre in 2005, RSA said that current users of the model are adopting some of the same methods used in the original, such as the use of a single Web site with multiple DNS names to host blocks of different attacks aimed at customers of different businesses -- primarily banks.
However, the attacks have not crossed over the same networks that once accounted for rock phish activity, nor have they involved the use of the same signatures, illustrating that the efforts are likely being backed by an entirely different group of toolkit developers.
The threats themselves do not appear to be as virulent or effective as the original rock phishing-derived campaigns, but the larger trend is that new toolkits are likely being developed and sold to a broader audience, RSA said.
Another rock phishing-like tactic being employed by the new crop of attackers is the use of proxy servers that serve as intermediaries between the scumbags and their prey. Used to deliver infections to people without establishing a direct line of communication between the attackers and their victims, the technique has traditionally proven useful for helping the phishers remain hidden.
But, unlike the original rock phishers, the newer iterations do not appear to have caught onto the use of so-called "fast flux" networks, RSA noted, saying that the groups have also yet to begin utilizing botnets of hijacked proxy servers.
In an interesting geographic twist, the Philippines appear to have become a new hotspot for phishing activity. Overall, the share of U.S.-based phishing attacks has once again dropped -- although the U.S. still accounts for the vast majority of the threats -- to only 44 percent of the attacks during September.
Hong Kong (16 percent) and China (12 percent) remain in the number two and three spots respectively, but the Philippines accounted for 8 percent of the campaigns tracked by RSA during the month after never before appearing on the list. Many of the attacks emanating from the region also appear to have been developed using the new toolkits, the company said.
In terms of the brands that are being targeted by the phishing threats, U.S.-based financial services institutions -- accounting for a whopping 62 percent of the attacks -- topped the list, as they have for several years. U.K.-based companies (11 percent) stayed in the second spot for the 11th consecutive month. Spain (7 percent), which has moved up and down among the top countries whose brands are being attacked, occupied the third spot, followed by Italy, Australia and Canada (tied at 5 percent).
Overall, however, the sheer number of brands that are being assailed by phishers worldwide rose dramatically during the last month of 2007, perhaps related to attempts to cash in on increased consumer activity online. Of the 186 different financial institutions that RSA observed under attack during the month, 20 represented companies that the firm had not seen previously targeted.
In another new trend, the company said that customers of credit unions are being attacked on a more frequent basis, while campaigns aimed at customers of national banks have dropped.
While attacks on credit unions accounted for 45 percent of all monthly activity tracked by RSA, up from 33 percent in the previous month, phishing lures set for customers of national banks decreased significantly, falling from 44 percent in November '07 to only 26 percent during December.
"Online fraud is evolving. Phishing and pharming continue to serve as a major part of the innovative and technological crime wave faced by online businesses," RSA researchers wrote in their research note. "And with new, sophisticated tools at their disposal, fraudsters can adapt more rapidly than ever."
Posted by Matt Hines on January 16, 2008 09:24 AM
January 09, 2008 | Comments: (0)
Coverity project outing open source flaws
Static source code analysis specialists Coverity reported this week that its ongoing work to find flaws in open source projects, being carried out under a contract from the U.S. Department of Homeland Security, is having a significant impact.
According to company officials, Coverity has helped fix more than 7,800 software defects since launching its effort in March of 2006.
Under the project, the company has unearthed issues in 11 major open source projects specifically: Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.
The project has also addressed security vulnerabilities in popular mainstream open source applications such as the Firefox Web browser produced by Mozilla, the Linux OS and Apache server software. Other high-profile projects scanned by the company include
As part of the effort the company has used its "Scan" site as a clearinghouse to share results of its work and for people to submit additional projects that they would like for the company to look into.
DHS got involved in the process and awarded the contract on the premise that the work to secure major open source platforms would improve the overall security of businesses and organizations using the involved programs -- including the U.S. government. The initiative was funded under the federal government's broader Open Source Code Hardening Project.
Based on its existing results, Coverity announced this week that it would advance the 11 major projects to "rung 2" of its open source "security ladder," where they will be put under further scrutiny. The process will specifically involve use of Coverity's "application of Boolean satisfiability" in static analysis. (FTR satisfiability is not a real word, yet.)
Static analysis is a set of processes for finding source code flaws without executing the program, providing test datasets or test cases (as defined by Coverity).
The company says the new capability "creates a bit-accurate representation of a software system, where every relevant software operation is translated into Boolean values (true and false) and Boolean operators (such as and, not, or)."
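To make the "bit-accurate representation" idea concrete, here is a small added illustration (my own toy code, not Coverity's implementation or any product's API): a few fixed-width integer operations from a code path are bit-blasted into and/or/not/xor gates, and a branch condition is then either shown reachable with a concrete witness or proven dead by satisfiability. The toy decides satisfiability by exhaustive search over the Boolean variables; a real analyzer hands the same formula to a SAT solver.

```python
"""Toy bit-blasting: fixed-width integer operations become Boolean gates, and a
branch is proven dead or shown reachable by satisfiability (exhaustive search
here; a real static analyzer uses a SAT solver). Illustration, not Coverity's."""
from itertools import product

# A formula is True/False, a variable name (str), or a gate tuple.
def AND(a, b): return ("and", a, b)
def OR(a, b): return ("or", a, b)
def NOT(a): return ("not", a)
def XOR(a, b): return ("xor", a, b)

def evaluate(f, env):
    """Evaluate a gate formula under an assignment of variable names to bools."""
    if isinstance(f, bool):
        return f
    if isinstance(f, str):
        return env[f]
    op = f[0]
    if op == "not":
        return not evaluate(f[1], env)
    x, y = evaluate(f[1], env), evaluate(f[2], env)
    if op == "and":
        return x and y
    if op == "or":
        return x or y
    if op == "xor":
        return x != y
    raise ValueError(f"unknown gate {op}")

def variable(name, width):
    """A width-bit unsigned unknown: one Boolean variable per bit (LSB first)."""
    return [f"{name}{i}" for i in range(width)]

def constant(value, width):
    """A width-bit unsigned constant as fixed bits (LSB first)."""
    return [bool((value >> i) & 1) for i in range(width)]

def add(a, b):
    """Ripple-carry adder: returns (sum bits, carry-out). Wraps like C unsigned."""
    carry = False
    total = []
    for x, y in zip(a, b):
        partial = XOR(x, y)
        total.append(XOR(partial, carry))
        carry = OR(AND(x, y), AND(carry, partial))
    return total, carry

def bitand(a, b):
    """Bitwise AND of two bit vectors."""
    return [AND(x, y) for x, y in zip(a, b)]

def ult(a, b):
    """Unsigned a < b as one Boolean formula (higher bits override lower ones)."""
    lt = False
    for x, y in zip(a, b):  # LSB to MSB
        lt = OR(AND(NOT(x), y), AND(NOT(XOR(x, y)), lt))
    return lt

def variables_of(f, acc=None):
    """Collect the variable names appearing in a formula."""
    acc = set() if acc is None else acc
    if isinstance(f, str):
        acc.add(f)
    elif isinstance(f, tuple):
        for sub in f[1:]:
            variables_of(sub, acc)
    return acc

def satisfying_assignment(f):
    """Return an assignment making f true, or None if f is unsatisfiable."""
    names = sorted(variables_of(f))
    for bits in product([False, True], repeat=len(names)):
        env = dict(zip(names, bits))
        if evaluate(f, env):
            return env
    return None

def to_int(bits, env):
    """Concretize a bit vector under an assignment."""
    return sum(int(evaluate(b, env)) << i for i, b in enumerate(bits))

def overflow_witness(width=4):
    """Path condition for `if (a + b < a)`, the classic unsigned wrap check.
    Returns concrete (a, b) that reach the branch, or None if it is dead."""
    a, b = variable("a", width), variable("b", width)
    total, _ = add(a, b)
    env = satisfying_assignment(ult(total, a))
    return None if env is None else (to_int(a, env), to_int(b, env))

def masked_branch_witness(width=4):
    """Path condition for `if ((a & MASK) > MASK)` with MASK = 2**(width-1) - 1.
    No value of a satisfies it, so the analysis proves the branch is dead code."""
    a = variable("a", width)
    mask = constant((1 << (width - 1)) - 1, width)
    env = satisfying_assignment(ult(mask, bitand(a, mask)))
    return None if env is None else to_int(a, env)
```

The first condition is satisfiable only because the adder is bit-accurate and wraps; the second is unsatisfiable for every width, which is exactly the kind of fact a bit-level model lets a tool prove rather than guess.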
David Maxwell, Coverity's open source strategist, who is responsible for Scan and other open source efforts at the company, said that his team has put its tools to work on a total of 116 open source projects thus far.
The company is currently finding new defects on a near-hourly basis, he said.
Maxwell said that one of the obstacles the effort needs to overcome is getting people to realize that its work is still ongoing, with plans for continued expansion.
"Some people don't seem to understand that this is still an ongoing effort, that we are scanning projects on a nightly basis," he said. "We're looking at anything new in the code [of the projects it is working on] and examining new features and functions to try and catch defects before they get released."
Maxwell said that Coverity plans to stay focused on testing the most widely-used open source projects worldwide, and that its short term plans involve upgrading the project to use the firm's latest Prevent SQS 3.6 release of its scanning software.
One of the greatest benefits of that move will be the ability to tap into the product's updated analysis engine, he said.
"Even though we're still looking for the same types of defects, we've identified hundreds of new defects that the old analysis engine wasn't able to find," said Maxwell. "In many cases these were problems that were always in the code that developers couldn't resolve. Our hope is that we can also waste less of developers' time spent chasing false positives, or helping them in situations where they don't realize that a certain code path is possible, where they might fail to identify problems."
Overall, Maxwell believes that the security of most open source projects is improving, and he contends that centralized projects such as Coverity's will be key to continued gains.
"These projects have large code bases, spread across developers at different companies, and most often there is no lead architect to drive this security work," he said. "That's why it's really useful to have one way of examining code; not every programmer is well-versed in secure coding, so it's good to have a tool to look at all the different rules about writing good code, and a lot more issues should be eliminated."
Posted by Matt Hines on January 9, 2008 10:41 AM
January 08, 2008 | Comments: (0)
Zango strikes back over reported Facebook hack
Officials with Zango, a maker of Web-based advertising software, are aggressively refuting last week's report from security device maker Fortinet which claimed that the adware firm's programs were being secretly passed along to end users by an application made available on Facebook.
Tabbed by Fortinet as the first major malware/greyware/badware hack to find its way onto the social networking portal, Zango leaders said in a statement released late Monday that claims of its involvement with a Facebook widget dubbed Secret Crush are "blatantly untrue."
As reported in my original story, and based on my interview with Guillaume Lovet, a regional manager of Fortinet's Threat Response Team, the initial claim made by the security company appeared to be that the Secret Crush program -- marketed to Facebook users under the guise of a tool that allowed them to find out about other members who found them attractive -- secretly installed Zango adware.
Upon further review, that appears at least in part to have been a mistake in interpretation of the bulletin and Mr. Lovet's observations on my part.
In the end, Fortinet is charging that Secret Crush merely "directed [users] to an external Web site inviting them to download applications such as [Zango's], which allows for pop-up advertising," to quote the folks over at ZDNet.
Chris Boyd, aka PaperGhost, a well-known adware research expert, also blogged on the confusion last night.
To that end, Zango representatives said that once a user was sent to the aforementioned Web site after downloading Secret Crush, they were presented with a legitimate end user license agreement that informed them of all of the intricacies of its adware programs.
According to Zango:
"What the Fortinet report writer saw was simply an ad for a Zango application after the widget was added to a Facebook profile – an ad not connected to the widget and not unlike any other ad on the Internet that might appear on a Web page. The Zango advertisement, seen by Fortinet's researcher but not by Zango's security team at any point during the subsequent investigation, was just one in a series of rotating advertisements that a user might see after installing the Secret Crush application. If clicked on, the ad led users to Zango's standard notice and consent process."
The party that could really shed light on this whole confusing situation is Facebook itself, but they've yet to return any of my calls or e-mails on the matter. Social networking they appear to do well; PR, not so well.
Meanwhile, Fortinet is sticking to its original report:
"After additional investigation, Fortinet confirms that our research related to the 'Secret Crush' (Facebook Widget) was accurate as of posting our advisory on January 2, 2008," the company said in a statement on Tuesday. "The behavior shown in our screen shots simply showcases the observations the FortiGuard Global Security Research Team made on that date. We stand behind our original research."
So, it's a classic game of he said, she said. But, as with PaperGhost's assessments (and he has doggedly pursued Zango for its questionable practices in the past), it does seem, based on the reported details, that Zango at least served up its EULA before allowing end users to click through and grab its programs, which is really all it is required to do.
I still think that Facebook should do a better job of policing the apps that get loaded onto its site, and that Zango needs to be as transparent as possible if it is serious about changing its image from a shady adware firm to a legitimate ethical business, as its media representatives claim that it has.
But, we in the security community who picked up on this story so eagerly should also be reminded to look into all the details of any security bulletin before we report on it.
Sorry for any confusion.
Facebook finally got back to me on Wednesday, and while they can't dig up anyone to talk about this whole issue of security and social networking (which is pretty surprising since it's a huge question mark before they launch Facebook Enterprise) here's the boilerplate statement they passed along:
"Facebook is committed to user safety and security and, to that end, its terms of service for developers explicitly state that applications should not use adware and spyware. Users should employ the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop. We have contacted the developers and have disabled the Secret Crush application for violating Facebook Platform Terms of Service."
So, despite Zango's claims, it would seem that Facebook agreed with Fortinet that there was an element of adware involved that they felt violated their rules.
Posted by Matt Hines on January 8, 2008 02:23 PM
January 08, 2008 | Comments: (0)
CES '08: Maxtor BlackArmor portable storage protects data at rest
Being the security guy at CES, I'm keeping my eyes open for cool stuff that will relieve enterprise IT headaches. While looking around, I came across a pretty cool portable storage device from Maxtor called BlackArmor that protects data at rest.
In a nutshell, the BlackArmor is a small (a little larger than my Treo 755p) USB 2.0-attached 160GB drive with hardware-based 128-bit AES encryption. The drive uses single-factor authentication (a 6- to 32-character password) to unlock the data on the unit.
So, the drive gets stolen along with the VP's bag from a hotel, merger secrets and all: no problem. Drive forgotten in the back of a cab with the company financials: no big deal. Someone forgets the password for the drive: just a tiny problem, in that the entire drive is now a useless brick with the enclosed data locked up tight.
Real-time, full-disk, hardware-based encryption means there's no read or write delay on this drive, unlike drives that rely on bolt-on hardware to handle encryption or on an encryption software package. So this is good. What I don't like is that a password alone protects the data. I'm told this is a first-gen product and that future products will address this issue with multi-factor authentication.
I've got a podcast with a Seagate executive about the unit that I'll be posting, and I should get one to test out in a bit. The unit should be out to the public in Q2 '08 at a price point of $149 retail for 160GB of storage. The BlackArmor also comes with backup and multi-computer synchronization software.
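As an added illustration (not Maxtor's code, and not a description of the BlackArmor's internals, which the post does not give), the following Go program models what a password-unlocked, hardware-encrypted drive amounts to from the data's point of view: a key derived from the password, AES authenticated encryption under that key, and no recovery path when the password is wrong. The 6- to 32-character policy and AES-128 come from the post; PBKDF2-HMAC-SHA256 with a random salt, AES-GCM, the iteration count and the sample plaintext are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// Password policy quoted in the post: 6 to 32 characters. The PBKDF2 salt and
// iteration count and the AES-GCM mode are this example's own assumptions.
const (
	minPasswordLen = 6
	maxPasswordLen = 32
	keyLen         = 16     // AES-128, the key size the post cites
	kdfIterations  = 100000 // PBKDF2 work factor (assumed)
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018), spelled out to stay stdlib-only.
func pbkdf2SHA256(password, salt []byte, iterations, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, dkLen+sha256.Size)
	var idx [4]byte
	for i := 1; len(out) < dkLen; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for c := 1; c < iterations; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// Volume models the locked drive: salt, GCM nonce and ciphertext, nothing else.
type Volume struct {
	Salt, Nonce, Ciphertext []byte
}

func aeadFor(pw string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(pw), salt, kdfIterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Lock enforces the password policy and seals plaintext under the derived key.
func Lock(pw string, plaintext []byte) (*Volume, error) {
	if n := len([]rune(pw)); n < minPasswordLen || n > maxPasswordLen {
		return nil, fmt.Errorf("password must be %d-%d characters, got %d", minPasswordLen, maxPasswordLen, n)
	}
	salt := make([]byte, 16)
	rand.Read(salt) // crypto/rand.Read fills the slice; current Go panics instead of returning an error
	aead, err := aeadFor(pw, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return &Volume{Salt: salt, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Unlock decrypts with pw; a wrong password fails GCM authentication (the "useless brick" case).
func (v *Volume) Unlock(pw string) ([]byte, error) {
	aead, err := aeadFor(pw, v.Salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, v.Nonce, v.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("wrong password: data is unrecoverable")
	}
	return pt, nil
}

// EffectiveBits is the guessing entropy of a uniformly chosen password, to compare with the 128-bit key.
func EffectiveBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

func main() {
	vol, _ := Lock("correct horse", []byte("constructed sample: merger term sheet"))
	pt, _ := vol.Unlock("correct horse")
	_, err := vol.Unlock("wrong horse")
	fmt.Printf("unlocked %q; wrong password -> %v; 6 lowercase chars = %.1f bits\n", pt, err, EffectiveBits(6, 26))
}
```

The EffectiveBits comparison is the point behind the objection above: a six-character lowercase password gives roughly 28 bits of guessing entropy in front of a 128-bit key, so the key is never the weak point, the password is. That is why a second factor (or at least hardware-enforced limits on unlock attempts) matters more than the cipher's key size on a device like this.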
BTW, I didn't see any other drive manufacturer here announcing a secure portable drive like the BlackArmor.
Posted by Victor R. Garza on January 8, 2008 12:38 PM
January 07, 2008 | Comments: (0)
Vernier changes tack, more change ahead for NAC?
Count Vernier Networks among the newest casualties of the NAC market's continued maturation.
While offering few additional details, company officials have confirmed industry reports that the firm has renamed itself and plans to re-focus its operations.
While the NAC appliance maker's Web site remains the same, the vendor has changed its phone messages to reflect the fact that it will henceforth be known as Autonomic Networks.
Industry sources maintain that the firm -- founded in 2001 -- is attempting to take its NAC products and expand them into a broader platform for role-based access control for both networks and other IT systems, including software applications.
According to a report filed late last week by my former InfoWorld and eWeek colleague -- and current 451 Group analyst, Paul Roberts -- Vernier's inline NAC appliance technology itself may also be up for sale.
Roberts contends that some other smaller NAC vendors may also be considering similar moves, and that some of the larger players, including Cisco, Symantec and Microsoft, may be looking to add to their existing product sets.
ConSentry and Nevis Networks -- both direct rivals of Vernier -- could be among the other NAC providers looking to be sold, or under consideration for a buyout from the bigger fish, he said.
According to the 451 Group report, Vernier has taken on as much as $100 million in venture funding and other debt in the past, and is now rolling its existing financing into a new series A round to back Autonomic. Allegis Capital and Doll Capital Management are cited as leading investors.
In addition, Bruce Smith has replaced Simon Khalaf as Autonomic's CEO. Other top officials with the company, including its VP of engineering, Sohail Parekh, and its CFO, Bhupi Singh, have also reportedly departed, with Parekh moving to rival security appliance maker Infoblox.
The company has reportedly downsized significantly over the last several years, falling from almost 100 employees to its estimated current total of 50.
According to Roberts, Autonomic is positioning itself as a provider of "individually virtualized infrastructure," a new twist on identity- or role-based access control that will utilize some of Vernier's legacy intellectual property.
It would seem that Vernier wasn't ever able to make the big splash that it once hoped to in the NAC space, which saw a rush of vendor activity over the last three years as compliance regulations and data breaches drove businesses to invest in new controls for handing out access to their networks -- and perhaps more importantly, to protect their broader IT infrastructure from the threat of infected laptops coming back into the workplace.
However, some industry pundits, including StillSecure's Alan Shimel, have long predicted that many firms that rushed into the space were merely trying to repurpose "failed business models," such as hard-to-sell intrusion prevention tools, to hop on the NAC bandwagon.
The big picture trend here would appear to be that smaller vendors dependent on demand for NAC point products to hit their numbers are going to begin looking for exit strategies.
While some smaller vendors have been able to make it this far, the NAC game would appear to be heading in the direction of favoring large companies like Cisco and Juniper to provide the network-based element of the systems in their infrastructure gear, with the endpoint piece coming from well-established desktop security companies like Symantec, McAfee, Sophos and even Microsoft.
In my recent interviews with the CEOs of Symantec and McAfee, both executives cited NAC as a growing area of interest -- and Cisco and Microsoft have continued to push forward their own respective strategies and products.
Some smaller vendors, such as FireEye -- which has repositioned itself as an anti-botnet specialist over the last two years -- and now Vernier, appear to have seen the writing on the wall and moved to get ahead of the crowd before some sort of NAC diaspora begins.
According to Roberts, 2008 may be the year when the NAC market both thins out and finally begins to hit its stride among buyers.
"Next year is do or die for network access control startups, as enterprises with budgets for NAC decide which vendors they will go with," he said in the report. "It seems to be Vernier's day of reckoning: all signs point to a shakeout. Should Vernier decide to spin out its NAC product line, we're more sanguine that it would find a buyer, as more than one diversified security vendor tells us it is considering a NAC appliance play."
Posted by Matt Hines on January 7, 2008 09:00 AM
January 06, 2008 | Comments: (0)
It seems that I'm back in Las Vegas early this year. Why am I out here? Well, what self-respecting geek wouldn't want to be surrounded by some of the newest gadgets on the planet? Of course, while I'm walking around I'm thinking about the vulnerabilities in these devices and technologies. When I hear about wirelessly connecting a new HDTV projector to its source (DirecTV, cable, whatever) I think about how a hacker is going to take advantage of weak security to grab free content off the air. Thinking about weak implementations and worst-case scenarios keeps us on our toes, right?
I actually decided to come out here about two days ago, and I'm only here for a few days. I'm thinking I'll catch up on new VoIP equipment, SANs, Firewalls, and other network devices. Most of the devices here are for consumers, but Tom Yager points out why he's here:
Why would a publication of InfoWorld's orientation dispatch someone to CES? Don't let the word "consumer" fool you; CES isn't a city-sized Circuit City. It's chipmakers and manufacturers selling to manufacturers and importers, importers selling to distributors, and America making a rare appearance as a global peer player on its own stage. It's a chance to see technology and strategy in the making, as well as products that are already well entrenched in Asia and Europe but haven't yet caught the slow boat to the States.
Now is InfoWorld picking up my travel tab to take a look at cool gear? Nope. But hopefully I'll catch up with Tom. I've already seen Oliver Rist, who's running from meeting to meeting for PC Magazine.
Tonight I'll be going to a preview press show where I'll (hopefully) look at some interesting gadgets. I'll ask people if they've thought about security when developing their products - probably not - but you never know.
After all, today's new CES gadget is tomorrow's VP toy that has to work on your enterprise network...
Posted by Victor R. Garza on January 6, 2008 02:50 PM
January 03, 2008 | Comments: (0)
IM-based threats still lurking
Over the last several years the malware research community has seen the dramatic shift away from attacks sent to end users via e-mail attachment or instant messages toward greater use of compromised Web sites to distribute nefarious code -- but, beware, the IM channel is still harboring plenty of threats.
Many of the IM-based threats are also being used to trick people into visiting said malware-laden Web sites, of course.
According to Akonix Systems, its researchers tracked some 18 new malware attacks being delivered via IM during the month of December '07, bringing the total volume of IM-based threats that it uncovered to 346 for the entire year of 2007.
Considering that Symantec researchers observed some 212,101 new malware attacks during the first half of 2007 alone, the number hardly jumps off the page, but, one can imagine that as cyber-criminals begin running into more defense mechanisms used to stop their cross-site scripting threats, for instance, they may turn their attention back to IM channels.
For proof of that notion, just look at the revolving door of spam models that we're seeing in use today, with the people responsible for those attacks increasingly moving back to traditional methods for text inclusion when their higher-tech image files or obfuscation techniques get parried by security vendors.
Sometimes the oldest tricks in the book still work, it would seem.
Some of the newest IM worms identified by Akonix in December include Cargar, Etest and YMWorm. The researchers said that Etest, Mytob and Sohana were the most common attacks that it found, with two variants in circulation apiece.
More disturbing, Akonix reports that attacks on P2P networks, such as Kazaa and eDonkey, increased 125 percent in December compared to November, accounting for 27 attacks. If you buy into what most researchers are predicting for 2008, an increasing number of such Web 2.0 security threats are sure to follow.
Like other types of threats, the company said that IM-based attacks are becoming more sophisticated. Hackers have also begun targeting users of unified communications more directly, with IM threats mixed into their bag of tricks, according to the research report.
"2007 marked an increase in the complexity and harmful design of IM trojans and viruses; we're continuing to see hackers use this popular medium to steal private data from which they can profit," Don Montgomery, VP of marketing at Akonix, said in a research summary.
"In addition, the increasing adoption of unified communications in 2008 will introduce new corporate vulnerabilities and liabilities, including the number of entry points that can be compromised," said the expert.
Thankfully, at least one individual using the tried and true IM channel to proliferate their botnet attack got busted and charged by authorities in late 2007.
Highlighted by the prosecuting United States Attorney's Office for the Central District of California as the "first prosecution of its kind in the nation," John Schiefer, 26, of Los Angeles (aka "Acidstorm"), agreed to plead guilty to four felony counts related to his use of IM-driven botnets to steal information and carry out identity fraud.
Schiefer was charged specifically by the Golden State with accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud in November.
Once convicted, Schiefer faces a maximum prison sentence of 60 years and a $1.75 million fine for operating a botnet of around 250,000 infected computers, installing password-sniffing software on roughly half of them, and then using stolen PayPal credentials to pay for hosting and other resources to help spread his botnet.
The suspect was caught as part of the FBI's Bot Roast II project.
60 years! Wow. I wonder who he'll IM from jail.
Posted by Matt Hines on January 3, 2008 08:46 AM