Posts Tagged ‘Security’

By Owen Fletcher
IDG News Service (Beijing Bureau)
March 10, 2010

BEIJING - Twitter launched a new link-screening service on Tuesday aimed at preventing phishing and other malicious attacks against users of the popular microblogging service.

Part of the new service is a new Twitter tool to shorten URLs, so users will see some links in e-mail notifications and direct messages from other users written as twt.tl, Twitter said in a blog post.

“By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links,” the blog post said. “Even if a bad link is already sent out in an email notification and somebody clicks on it, we’ll be able to keep that user safe,” it said without elaborating.

Phishing scams on Twitter usually involve attackers trying to obtain the login credentials of Twitter users, and then sending spam messages from the stolen accounts in a bid to make money, Twitter said on its blog last month. Twitter also fights phishing scams by watching for affected accounts and resetting passwords, it said.

Phishing attacks ballooned on Twitter last year as the service grew in popularity. Twitter’s new link-screening service comes after it last year started using Google’s Safe Browsing API to check for malicious content in links posted by users.
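The property the blog post describes, that a link already delivered by e-mail can still be stopped at click time, follows from routing every click through the screening service. The following is an added example, not Twitter's code: a minimal in-memory shortener whose allow/block decision is made when the token is resolved, so a host added to the blocklist after the link was issued is still caught. The blocklist hosts, the token scheme and the sample URLs are constructed for the example.

```python
"""Click-time link screening behind a URL shortener.

Added example, not Twitter's code. The short link is resolved through the
screening service on every click, so a blocklist entry added after the link
was sent still protects whoever clicks it later. Hosts in BAD_HOSTS and the
token scheme are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed blocklist of known-bad hosts; a match covers subdomains too.
BAD_HOSTS = {"phish.example", "malware-cdn.example"}


def canonical_host(url: str) -> Optional[str]:
    """Lowercase host of an http(s) URL, or None if it is not one.

    urlsplit().hostname already drops userinfo, so a lookalike such as
    http://twitter.com@phish.example/ yields 'phish.example', not 'twitter.com'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def is_blocked(url: str, blocklist: Set[str] = BAD_HOSTS) -> bool:
    """True if the URL's host, or any parent domain of it, is on the blocklist."""
    host = canonical_host(url)
    if host is None:
        return True  # unparseable or non-http scheme: fail closed
    labels = host.split(".")
    # a.b.phish.example -> b.phish.example -> phish.example -> example
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass
class Shortener:
    """Tiny in-memory shortener whose redirect decision is made at click time."""
    blocklist: Set[str] = field(default_factory=lambda: set(BAD_HOSTS))
    links: dict = field(default_factory=dict)

    def shorten(self, url: str) -> str:
        token = "t%d" % (len(self.links) + 1)  # constructed sequential token
        self.links[token] = url
        return token

    def resolve(self, token: str) -> Tuple[str, Optional[str]]:
        """('redirect', url), ('blocked', None) or ('unknown', None)."""
        url = self.links.get(token)
        if url is None:
            return ("unknown", None)
        if is_blocked(url, self.blocklist):
            return ("blocked", None)
        return ("redirect", url)
```

The decision is deliberately not cached at shorten time: the whole benefit of the redirector is that the verdict reflects the blocklist as it stands when the user clicks. Non-http schemes and unparseable URLs fail closed rather than being passed through.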

By Tim Greene
Network World (US)
March 5, 2010

FRAMINGHAM - Cloud security loomed over the RSA Conference this week as a major concern of business, but worry about the threat of cyberwar was also strong, with officials from the White House and FBI weighing in to encourage private participation in government efforts to defend information and communications networks.

During the highest profile panel at the conference, a former technical director of the National Security Agency bluntly said he doesn’t trust cloud services. Speaking for himself and not the agency, Brian Snow said cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. “You don’t know what else is cuddling up next to it,” he said.

In his keynote address, Art Coviello, the president of RSA, the security arm of EMC, agreed that customers need to be assured the cloud is safe. Coviello told the 4,000 attendees gathered for his talk that cloud services will inevitably be adopted widely because of the huge financial benefits they offer. “But you won’t want any part of that unless service providers can demonstrate their ability to effectively enforce policy, prove compliance and manage multi-tenancy,” he said.

The big problem is trust, he said. His own company announced at the show a partnership with Intel and VMware to improve trust by enabling measurement of cloud providers’ security. The effort would let customers of cloud infrastructure services weigh the security of the service and get metrics to deliver to auditors who are sent to determine whether businesses comply with government and industry security standards. “Service providers should be able to tell compliance officers and auditors just about anything they need to know — with verifiable metrics,” Coviello said.

But warnings about other cloud threats came through loud and clear. At the Cloud Security Alliance (CSA) Summit held earlier in the conference, for example, the CSA announced a report on its top concerns about cloud security, and they were major, including documented use of cloud infrastructure-as-a-platform to launch botnets.

CSA, an industry consortium of users and vendors, also highlighted vulnerabilities in the means given to cloud customers to access and manage the services they buy. These APIs are not necessarily secure and could offer attackers a chink through which they could infiltrate cloud networks and the corporate content entrusted to them. The answer: “Ensure strong authentication and access controls are implemented in concert with encrypted transmission,” CSA said. CSA’s report details 10 threats as well as fixes, but stands as a warning about embracing cloud services without carefully weighing the downsides.

While Coviello touted the ability to give auditors and compliance officials the data they need to assure businesses meet security regulations, the validity of such regulations was questioned by the top White House cybersecurity adviser during his keynote address. Cybersecurity coordinator Howard Schmidt told the conference that security compliance under the Federal Information Security Management Act is flawed. “You can be [Federal Information Security Management Act] compliant but still not be secure,” he said. “We agree that work needs to be done on that.”

He said the government is addressing it with recommendations from the federal budget watchdog agency, the Office of Management and Budget, due out next month. Rather than meeting a set of regulations, agencies will have to meet performance metrics. “These new metrics begin to move us from a static compliance-based metrics program to a continuous monitoring capability,” Schmidt said.

Meanwhile, U.S. Secretary of Homeland Security Janet Napolitano came to the conference as a recruiter, using her keynote address to acknowledge that government talent alone cannot address the threats the country faces. She announced that her department is seeking to fill top cybersecurity posts with candidates from outside government. “In fact, we may be trying to recruit some of you for your talent right now,” she said. “We need it.”

Napolitano also tried to interest conference attendees in a contest to create a national cybersecurity-awareness program for educating the general public in cyber threats they face and how they can contribute to help improve security. She said she wants the programs to include social networking and to be as effective as past government campaigns to reduce smoking and litter.

Government can’t do the job itself because the vast majority of the U.S. cyber infrastructure is privately owned. “I ask you to redouble the efforts that you are making to increase security, to increase reliability and to increase the quality of the products that you have that enter the global supply chain,” Napolitano said.

She issued a call for automated security, and said that the government is working on an intrusion-prevention system (IPS) to protect U.S. agency networks. She said the government is upgrading its intrusion-detection platform, Einstein 2, to an IPS, called Einstein 3. Einstein 2 is deployed in nine federal agencies as well as in the networks of carriers AT&T, Qwest and Sprint. Verizon is on the list to get it, too.

But Einstein 3 would automatically detect malicious activity and disable attempted intrusions before they can do harm, Napolitano said. She didn’t give a timetable for when it will be deployable.

Meanwhile, the RSA Conference plowed ahead with its traditional business of educating attendees about threats and the means for countering them. For instance, Jeremiah Grossman, CTO of WhiteHat Security, warned about an undetectable browser exploit that exposes corporate networks to attackers.

That topped his list of the most effective new attacks that have been devised by researchers over the past year. In the attack, called DNS rebinding, attackers turn victims’ browsers into Web proxies that do the attackers’ bidding, he said.

The attack works by tricking browsers into seeking internal servers on the victim’s network under the direction of the attacker, who can direct it to find and send corporate data, Grossman said. The browser exhibits no behavior out of the ordinary, so the attacks go unnoticed.
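The reason the browser shows nothing unusual is that, from its point of view, it is talking to the attacker's domain throughout; only the address behind that name has changed. That gives defenders two places to intervene, and the following added example (not Grossman's or WhiteHat's code) shows both: an internal HTTP service that refuses any request whose Host header is not one of its own names, and a resolver-side filter that drops answers mapping an outside name to a private address. The allowed host names, the internal zone and the sample requests are constructed.

```python
"""Two defences against DNS rebinding, as an added example (not from the article).

1. Host-header validation on an internal HTTP service: a rebound request still
   carries the outside domain in its Host header, so the server refuses it.
2. A resolver filter that drops answers pointing an external name at a private,
   loopback or link-local address, which is the rebinding step itself.

ALLOWED_HOSTS and the internal zone name are constructed for the example.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed: names this internal service is willing to answer for.
ALLOWED_HOSTS = {"intranet.corp.example", "10.0.0.5"}


def host_header_allowed(host_header: Optional[str],
                        allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """True only if the Host header names this service exactly.

    A port suffix is stripped; a missing, empty or malformed header fails closed.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):            # IPv6 literal, e.g. [fd00::5]:8080
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    elif host.count(":") == 1:          # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") in {h.lower() for h in allowed}


def handle_request(headers: dict) -> int:
    """Minimal request gate: 421 Misdirected Request for a Host we do not serve."""
    if not host_header_allowed(headers.get("Host")):
        return 421
    return 200


def is_rebinding_answer(name: str, ip: str, internal_zone: str = "corp.example") -> bool:
    """Resolver filter: an answer for a name outside the internal zone that
    resolves to a private, loopback or link-local address is a rebinding attempt."""
    addr = ipaddress.ip_address(ip)
    name = name.rstrip(".").lower()
    inside = name == internal_zone or name.endswith("." + internal_zone)
    return (not inside) and (addr.is_private or addr.is_loopback or addr.is_link_local)
```

The Host check is the more robust of the two because it works even when the service cannot control which resolver its users' browsers consult; the resolver filter catches the rebinding at the network edge but must exempt the organisation's own zone, which legitimately maps names to private addresses.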

And the conference named Altor Networks as winner of its Innovation Sandbox competition for most innovative product from a vendor with less than $5 million per year in business. Altor makes a virtual firewall platform for protecting VMware virtual machines that includes firewall and intrusion detection. It operates from within the hypervisor and the virtual switch, enabling examination of packets between virtual machines on the same physical host. The software includes an API for automated provisioning.

By Gregg Keizer
Computerworld (US)
March 1, 2010

FRAMINGHAM - Microsoft has several other botnets in its crosshairs, and believes it can use the same legal tactic against them that it deployed last week to strike at the Waledac botnet’s command-and-control centers.

But the company also admitted that it had not yet severed all communications between the controllers of Waledac and the thousands of compromised Windows computers used by hackers to pitch bogus security software and send a small amount of spam.

“This shows it can be done,” said Richard Boscovich, senior attorney with Microsoft’s Digital Crimes Unit. “Each botnet is different, of course, but this is another arrow in the quiver. This is not the last [effort]…. We have other operations on the drawing board.”

Last Wednesday, Microsoft announced that it had been granted a court order that yanked nearly 300 sites from the Internet. Those sites, Microsoft said, were a key link between hackers and the PCs that make up the Waledac botnet. The legal tactic, which garnered accolades from many security professionals as a precedent-setting move, resulted in what Microsoft called “a major botnet takedown” of Waledac, a fact that some researchers disputed.

The same method can and will be applied to other botnets, Boscovich said. He declined to say which zombie PC army is next on Microsoft’s hit list. “Of course this is scalable,” he said when asked whether the legal action against Waledac would work against other botnets, or was a one-off. “This is another tool we can now use, another mechanism that is available.”

In fact, when Microsoft officials sat down in early January to decide which botnet to target, they started with a list of six, then narrowed it to three, from which they selected Waledac. The remaining five unnamed botnets remain on Microsoft’s list.

“We wanted to challenge ourselves technically,” said Boscovich when asked why Waledac was chosen. “From the technical standpoint, it had a certain reputation.”

Waledac does have a reputation. The malware that infects victimized PCs was created by, and the botnet is maintained by, hackers who previously flooded the Internet with the Storm bot from early 2007 through mid-2008. Waledac’s makers “definitely know the ins and outs,” Joe Stewart, director of malware analysis at SecureWorks and a noted botnet researcher, said last Thursday.

Boscovich admitted that Waledac wasn’t the world’s biggest botnet, but said several things recommended it for the debut of Microsoft’s legal approach to bot smashing. Among them: The identified command-and-control domains were all registered with one domain registrar, VeriSign, which made it easier to coordinate the site shutdowns; and Microsoft had been in contact with several independent researchers who had dug deep into the malware’s code and the botnet’s behavior.

Even as Microsoft said it would again swing the legal sword, it also admitted it had not completely cut ties between the infected PCs and the hackers who control them.

“They were severely impacted [by the legal action], and we expect the severity of the impact to increase over the next several days,” said T.J. Campana, a senior program manager who works for Boscovich in the company’s Digital Crimes Unit. When asked whether communications between the Waledac hackers and the botnet’s PCs had been comprehensively severed, Campana answered, “By and large, the answer is no.”

Last week, Microsoft claimed it had grabbed control of more than 60,000 bots in the Waledac collection after the court order shuttered the 277 targeted domains. Several security researchers, however, questioned whether the tactic would cripple Waledac, or even disrupt its activities, since hackers have multiple mechanisms for passing commands to machines infected with Waledac.

As a fall-back, Waledac bots can communicate to their controllers “indefinitely” using IP (Internet Protocol) addresses that are hard-coded into the bot Trojan, SecureWorks’ Stewart said last week.

Campana acknowledged those alternate command-and-control links within Waledac, and said Microsoft is attacking those as well. He declined to provide details of what Microsoft was doing, or when — or even if — the Waledac bots would be unreachable by their makers. “In addition to the legal action against the domains, we have taken other technical measures,” said Campana. “At this point, we’re still working that angle and actively adapting our measures.”
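A bot that falls back to hard-coded addresses once its domains are seized leaves a distinctive trace on the network: it opens connections to IP addresses that no DNS answer on that machine ever supplied. The following is an added example, not Microsoft's or SecureWorks' tooling, of that "direct-to-IP" detection run over two constructed log feeds (DNS answers and outbound connections), with a second pass that groups the direct-to-IP destinations shared by several machines. The host names, addresses and the seized-domain name are all constructed.

```python
"""Spotting machines that fall back to hard-coded command-and-control addresses.

Added example, not from the article or from Microsoft. It correlates two
constructed log feeds: DNS answers seen on each host and outbound connections.
A connection to an address that no recent DNS answer on that host returned is a
"direct-to-IP" contact, the pattern produced by a bot whose domains have been
seized and which now uses addresses baked into its binary.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. DNS: "time host rtype name answer"
DNS_LOG = """\
2010-03-01T10:00:01 ws-17 A seized-domain.example 192.0.2.10
2010-03-01T10:00:02 ws-17 A www.example.org 198.51.100.7
2010-03-01T10:00:05 ws-42 A www.example.org 198.51.100.7
"""
# Connections: "time host dst_ip:port"
CONN_LOG = """\
2010-03-01T10:00:03 ws-17 198.51.100.7:80
2010-03-01T10:00:04 ws-17 192.0.2.10:80
2010-03-01T10:00:07 ws-17 203.0.113.55:8080
2010-03-01T10:00:06 ws-42 198.51.100.7:443
2010-03-01T10:00:09 ws-42 203.0.113.55:8080
"""
# Constructed: domains taken down by the court order.
SEIZED_DOMAINS = {"seized-domain.example"}


def parse_dns(text):
    """host -> list of (answer_time, name, ip) for A records."""
    answers = defaultdict(list)
    for line in text.splitlines():
        ts, host, rtype, name, ip = line.split()
        if rtype == "A":
            answers[host].append((datetime.fromisoformat(ts), name, ip))
    return answers


def parse_conns(text):
    """list of (time, host, dst_ip, dst_port)."""
    conns = []
    for line in text.splitlines():
        ts, host, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        conns.append((datetime.fromisoformat(ts), host, ip, int(port)))
    return conns


def direct_to_ip_alerts(dns_text, conn_text, window=timedelta(hours=24)):
    """Connections whose destination was not returned by DNS on that host
    within `window` before the connection. Each alert also records whether
    the host had looked up a seized domain, which raises confidence."""
    answers = parse_dns(dns_text)
    queried_seized = {h for h, lst in answers.items()
                      if any(name in SEIZED_DOMAINS for _, name, _ in lst)}
    alerts = []
    for ts, host, ip, port in parse_conns(conn_text):
        resolved = any(ip == a_ip and timedelta(0) <= ts - a_ts <= window
                       for a_ts, _name, a_ip in answers.get(host, []))
        if not resolved:
            alerts.append({"host": host, "ip": ip, "port": port,
                           "time": ts.isoformat(),
                           "queried_seized": host in queried_seized})
    return alerts


def shared_direct_ips(alerts, min_hosts=2):
    """Direct-to-IP destinations contacted by several hosts: candidates for a
    hard-coded fallback list worth blocking at the perimeter."""
    by_ip = defaultdict(set)
    for a in alerts:
        by_ip[a["ip"]].add(a["host"])
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}
```

On the sample data both workstations contact 203.0.113.55 without ever resolving it, and ws-17 had also looked up the seized domain first. In production the direct-to-IP rule needs an allowlist: software that legitimately ships with fixed addresses, and clients whose DNS cache outlives the correlation window, produce the same pattern.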

Several message security and spam filtering companies and organizations, including Google’s Postini and the U.K.-based SpamHaus, also disputed Microsoft’s claim last week that Waledac was a “major distributor of spam” and that crippling it would reduce spam.

Symantec’s MessageLabs also weighed in on the impact issue, and like other vendors, downplayed Waledac’s significance. “There’s been no real noticeable effect of the takedown,” Matt Sergeant, a senior anti-spam technologist with MessageLabs, said in an e-mail. “It’s one of the smallest botnets out there, and the court order appears to have had very little effect on its output.”

Microsoft countered, saying it’s too early to gauge its anti-Waledac moves. “We’re still looking at the impact this has had,” said Campana, referring specifically to the monitoring Microsoft’s doing of the volume of spam addressed to Windows Live Hotmail accounts. “It’s somewhat premature to say ‘yay or nay’ yet.” The next one or two weeks will tell the tale, Campana agreed.

But Boscovich would not promise that Microsoft would make Hotmail spam data public. “We’ll look at that [decision] fairly soon,” he said.

It isn’t the first time that Microsoft has said it has crippled a botnet built by this group of hackers. In April 2008, the company took credit for crushing the Storm botnet — Waledac’s predecessor — saying that the malware search-and-destroy tool it distributes to Windows users every month disinfected so many bots that the hackers threw in the towel.

As with the Waledac take-down, researchers at the time disputed Microsoft’s claim that it had beaten Storm into submission.

Campana urged Windows users to run the Microsoft-made Malicious Software Removal Tool (MSRT) to scrub Waledac from infected systems, and up-to-date anti-virus software to keep it off still-clean machines. “This is definitely a preventable issue,” he said.

Computerworld Philippines Staff
February 23, 2010

Virtualization firm VMware is taking a stab at simplifying the way CIOs and IT administrators manage desktop clients through the release of VMware View, a desktop virtualization software.

VMware View aims to address the complexity of managing the multiple layers of desktop components (operating system, applications, hardware and data) by simplifying their deployment to every thin client, the company said.

Through virtualization, IT managers can dynamically assemble and deliver desktops and applications to users, with a personalized view of individual desktops.

This setup promotes agility and improves the response time for queries, the vendor added. It allows managers to quickly provision desktops and applications to new users through a central management system.

And because the desktop virtualization system uses thin clients instead of full-blown PC systems, users benefit from a smaller footprint and lower energy usage as well. Security, meanwhile, is reinforced because all processing takes place within the company firewall. Coupled with SSL encryption, the security features that come with VMware View are, the vendor says, proven to be robust.

All these features enable the company to not only save on space and headaches, but on costs as well, with over 50% savings from the usual desktop computing setups. – John Mark V. Tuazon

Computerworld Philippines Staff
February 19, 2010

The increasing mobility of the global workforce is changing the way people carry and use their data, spurring the adoption of portable hard drives that keep data with users who are always on the go.

Data security on portable drives, however, is not always consistent and robust. That is the thrust of the Iomega Prestige Portable hard drives, which come with a DropShock feature that protects the device in tough travel and working environments.

Data stored on these drives, meanwhile, is kept secure by the Iomega Protection Suite, which includes a free 12-month subscription to Trend Micro Internet Security, EMC Retrospect Express Backup, Iomega QuickProtect, and 2GB of free storage space from the MozyHome Online Backup service.

Iomega’s Prestige Portable drives come in 320GB (P3,790) and 500GB (P5,470) capacities. – John Mark V. Tuazon

By Stephen Lawson
IDG News Service (San Francisco Bureau)
February 18, 2010

SAN FRANCISCO - Comcast will bundle online storage capacity from EMC’s Mozy division with its broadband service and let residential subscribers share the content they store with friends — or with the entire Internet.

With the new Secure Backup & Share feature, users of Comcast high-speed Internet automatically get 2GB of space in Mozy’s data centers for backing up any data from their home computers. They can also buy 50GB for US$4.99 per month or $49.99 per year, or 200GB for $9.99 per month or $99.99 per year, the companies announced Thursday. The feature is available now.

Mozy has been offering cloud-based backup capacity to consumers and businesses for several years. Consumers can buy unlimited storage for $4.95 per month. But the new offering with Comcast marks the first time Mozy has let users share the data they have backed up, according to Vance Checketts, Mozy vice president of operations at EMC. The company hopes to extend this capability to its own service as well as to the Mozy-based backup services already offered by Vodafone and China Telecom.

For many consumers, a service such as Secure Backup & Share could be an obvious way to start protecting their data from disasters and hardware failures for the first time, said Charles King, an analyst at Pund-IT.

“For most people, backup is something that they plan to get around to, like losing weight or eating right,” King said. However, it’s more critical than those users may think, he added. “Tens of thousands of hard drives crash on a weekly basis,” he said. Ideally, consumers should also back up their data to a hard drive they own, both to have another copy for safety and because downloading 200GB of remotely backed-up content over a home broadband connection would take a long time, he added.

With the sharing feature, users could make any or all of the files they back up available to family, friends or the public. Theoretically, a user could copy 200GB of files onto Mozy and make them all searchable and available on the Internet, Mozy’s Checketts said. In reality, users may designate some content as public but share the rest through invitations to specific authorized users, he said. Sharing is a natural extension to Mozy’s backup service, and the business issues of adding it would be more significant than the technical ones, Checketts said.

However, it could be a big undertaking just for Mozy to support the Comcast service. If all of Comcast’s roughly 15.9 million high-speed Internet subscribers simply took advantage of the 2GB of free storage, Mozy would need 30 petabytes of storage to accommodate them. Mozy already has more than 25 petabytes of data under management. The company beefed up its data centers in advance of the Comcast offering and can rapidly expand its capacity if needed through contracts with suppliers of bandwidth, storage space and other components, Checketts said.

Comcast subscribers can use Secure Backup & Share to back up data from an unlimited number of computers and can designate six other users, such as family members, to share the capacity. To start, they need to download a Windows software client — Mac support is coming later this year, the company said. Through a personal Web site called Comcast Vault, users can allocate capacity to different computers, designate what files to back up and set up future incremental backups. Certain types of data, such as .exe files, can’t be backed up with the service. Once the content has been uploaded to Mozy, it can be reached via any Web browser, including those on smartphones.

Mozy already offers backup services through Vodafone in Portugal, Germany, the U.K. and the Netherlands, and has scheduled rollouts in eight or nine more countries over the next several months, Checketts said. The Vodafone service can operate over the carrier’s wireline broadband connections or its 3G (third-generation) wireless modems. China Telecom began offering a Mozy-based backup service to its wireline broadband subscribers last September.

By Jon Brodkin
Network World (US)
February 3, 2010

FRAMINGHAM - Twitter has apparently forced some users to reset their passwords after a phishing attack, and urged users to choose hard-to-guess passwords and be on the lookout for suspicious third-party activity.

Scottish blogger Andrew Girdwood was among those who reported receiving a message that states “Due to concern that your account may have been compromised in a phishing attack that took place off-Twitter, your password was reset. Please create a new password by opening this link in your browser. … Remember to choose a strong password that is a combination of letters, numbers, and symbols. Do not reuse your old password.”

Twitter acknowledged the password reset, describing it as a “precautionary step,” but did not say how many users were affected or describe the nature of the phishing attack.

Twitter’s official “safety” account issued a tweet saying “Got an email from us saying we’ve reset your password? A small # of accts seemed possibly affected offsite & we took a precautionary step.” Previous tweets from this account offer advice for avoiding attacks, such as “Giving out your username & password to a 3rd party site promising you more followers: not a good idea AND a violation of the Twitter Rules.”

Twitter’s message to users urged them to remove any updates they did not post themselves; scan their computers for viruses and malware; and check the Twitter connections page and revoke access privileges for any third-party applications they do not recognize.

Twitter has become a magnet for computer hackers because of its increasing popularity, with reports of malware and spam on social networks rising 70% in the last 12 months.

By Rick Broida
PC World (US)
January 29, 2010

SAN FRANCISCO - Like several bazillion other users, I like using Facebook to keep tabs on what my friends are up to. What I don’t like is the endless stream of “so-and-so took this quiz” and “Joe became friends with Jane” messages and “What Kind of Jedi Are You?” come-ons.

That’s why I just became a fan of Facebook Purity, a browser add-on that removes those annoying quiz and application notifications from your Facebook home page. The effects are subtle–don’t expect a major makeover–but definitely worthwhile.

Facebook Purity is actually a script that requires the Greasemonkey add-on for Firefox. Once you’ve installed that and restarted Firefox, just install the FP script, restart Firefox again, and fire up Facebook. You may not notice any immediate changes, but you should see an “FB Purity hid” header.

The tally refers to the number of Facebook apps and “extras” found and hidden from your home page. If you’re curious to see what they are, just click Show for either category.

If you want to edit the list of apps and extras Facebook Purity blocks, see the developer’s FAQ page. Speaking of which, the script is donationware, meaning it doesn’t cost anything to use, but the developer sure would appreciate a few bucks if you find it useful. (Click the Donate button on his page to make a contribution via PayPal.)

By the way, Facebook Purity is compatible with Google Chrome, Opera, and Safari, but using Greasemonkey scripts with those browsers is a bit more complicated. Again, see the FAQ page for details.

Personally, I’m loving this add-on. Anything that cuts down Facebook clutter is a winner in my book.

By Tim Brown
CIO.com
January 27, 2010

FRAMINGHAM - The hype around cloud computing would make you think mass adoption will happen tomorrow. But recent studies by a number of sources have shown that security is the biggest barrier to cloud adoption. The reality is cloud computing is simply another step in technology evolution following the path of mainframe, client server and Web applications, all of which had — and still have — their own security issues.

Security concerns did not stop those technologies from being deployed and they will not stop the adoption of cloud applications that solve real business needs. To secure the cloud, it needs to be treated as the next evolution in technology not a revolution that requires broad based changes to your security model. Security policies and procedures need to be adapted to include cloud models in order to prepare for the adoption of cloud-based services. Like other technologies, we’re seeing early adopters take the lead and instill confidence in the cloud model by deploying private clouds or by experimenting with less-critical information in public clouds.

Organizations are asking many questions and weighing the pros and cons of utilizing cloud solutions. Security, availability and management all need to be considered. As part of that process, here are 10 security-related questions organizations should consider to help them determine if a cloud deployment is right for them, and if so, which cloud model — private, public or hybrid.

1. How does a cloud deployment change my risk profile?

A cloud computing deployment — whether private or public — means you are no longer in complete control of the environment, the data, or the people. A change in control creates a change in risk — sometimes an increase in risk and in some cases a decrease in risk. Some cloud applications give you full transparency, advanced reporting, and integration with your existing systems. This can help lower your risk. Other cloud applications may be unable to modify their security profiles, they may not fit with your existing security measures, and may increase your risk. Ultimately the data and its sensitivity level will dictate what type of cloud is used or if a cloud model makes sense at all.

2. What do I need to do to ensure my existing security policy accommodates the cloud model?

A shift to a cloud paradigm is an opportunity to improve your overall security posture and your security policies. Early adopters of cloud applications will have influence and can help drive the security models implemented by the cloud providers. You should not create a new security policy for the cloud, but instead extend your existing security policies to accommodate this additional platform. To modify your policies for cloud, you need to consider similar factors: where the data is stored, how the data is protected, who has access to the data, compliance with regulations, and service level agreements.

3. Will a cloud deployment compromise my ability to meet regulatory mandates?

Cloud deployments shift your risk profile and could affect your ability to meet various regulations. This requires evaluation of compliance requirements as they relate to the cloud deployment you are considering. Some cloud applications give you strong reporting and are tailored to meet specific regulatory requirements, while others are more generic and cannot or will not meet detailed compliance requirements. For example, if you are bound by a regulation that says your data cannot be stored outside the country, some cloud providers may not be able to accommodate this regulation based on data center locations.

4. Are the cloud providers using any security standards or best practices (SAML, WS-Trust, ISO or otherwise)?

Standards play a very important role in cloud computing as interoperability among services will be critical to ensure the cloud does not go down the path of proprietary security silos. A number of organizations have been created and extended to support cloud initiatives. The Cloud-standards.org wiki lists most of the standards organizations involved in the cloud, including those associated with security.

5. What happens if a breach occurs? How are incidents handled?

As you plan for security in the cloud you need to have appropriate plans in place for breaches and loss of data. This is a critical component to your overall agreement with the cloud service provider and must be handled on an individual basis. The cloud provider (as a service provider), and you as a company, most likely have breach notification policies or regulations you must meet. You must ensure that a cloud provider can support your notification requirements should the need arise.

6. Who is liable or will be viewed as the responsible entity for securing my data?

The reality is security responsibility will be shared. However, in the court of public perception — at least today — it’s the company collecting the data, not the cloud provider, that is viewed as ultimately responsible for information security. In well-negotiated contracts you may be able to limit your responsibility and your liability for data loss so that it is shared with the cloud provider, but from your customers’ perspectives, you still may be viewed as responsible.

7. How do I ensure only appropriate data is moved into the cloud?

Understanding what data is sensitive and building an appropriate security model based on data and applications is critical to understanding what data could be moved to the cloud. This process should begin long before ever considering a cloud deployment as it is a critical part of good security practices. Many companies use data leakage protection technology to classify and tag data.
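Questions 3 and 7 together describe a gate that every record should pass before it leaves: classify it, then check that the destination cloud model and region are permitted for that classification. The following is an added example (not from the article or any vendor) of such a pre-upload check. The two detectors, the three classification labels, the policy table and the region codes are constructed; a real deployment would take its rules from the organisation's own DLP classification and its residency obligations.

```python
"""Pre-upload gate for data moving to a cloud service (added example).

Ties together two of the questions in the article: classify each record
before it leaves (question 7) and refuse destinations that break a data
residency rule (question 3). Detectors, labels, policy and region codes are
constructed for the example, not taken from any real product.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed detectors: a Luhn-checked 13-16 digit card number, and an e-mail address.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to keep random digit runs from counting as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the most sensitive label that applies: restricted > confidential > internal."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "restricted"
    if EMAIL_RE.search(text):
        return "confidential"
    return "internal"


# Constructed policy: permitted cloud models and, where residency applies,
# the data-centre regions each classification may be stored in (None: anywhere).
POLICY = {
    "restricted":   {"models": {"private"},                    "regions": {"us"}},
    "confidential": {"models": {"private", "hybrid"},          "regions": {"us", "ca"}},
    "internal":     {"models": {"private", "hybrid", "public"}, "regions": None},
}


@dataclass
class Destination:
    model: str   # private | hybrid | public
    region: str  # country code of the provider's data centre


def may_upload(text: str, dest: Destination) -> Tuple[bool, str, str]:
    """(allowed, label, reason) for moving `text` to `dest` under POLICY."""
    label = classify(text)
    rule = POLICY[label]
    if dest.model not in rule["models"]:
        return (False, label, "%s data is not permitted in a %s cloud" % (label, dest.model))
    regions: Optional[set] = rule["regions"]
    if regions is not None and dest.region not in regions:
        return (False, label, "%s data must stay in %s" % (label, sorted(regions)))
    return (True, label, "ok")
```

Running the classification before any cloud project starts, as the article recommends, is what makes the policy table cheap to enforce later: the gate only has to look up a label, not re-discover what is sensitive at upload time.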

8. How do I ensure only authorized employees, partners and customers can access data and applications?
Identity and access management is an existing security challenge that is amplified by cloud deployments. Technical capabilities such as federation, securing virtualized systems, and provisioning all play a role in cloud security, as they play a role in today’s IT platforms. Extending and supplementing your existing environments to support the cloud can help solve this challenge.

9. How are my data and applications hosted, and what security technologies are in place?

Cloud providers should provide this information as it can directly affect an organization’s ability to comply with certain regulations. Transparency is critical and necessary for you to make informed decisions.

10. What are the factors that tell me I can trust this provider?
A number of factors come into play when evaluating the level of trust to assign to a provider. They include many of the same dynamics you consider for any outsourced project, such as: the maturity of the service and the provider; the type of contracts, SLAs, vulnerability procedures, and security policies; their track record; and their forward-looking strategy, to name a few.

Moving to a new computing platform is not something to jump into without careful consideration. The answers to these questions are complex and often lead to more questions. We’ve merely scratched the surface at a high level on some of the security questions to think about when considering a cloud platform.

However, enterprises should also understand they have the power to drive the security technologies used in the cloud — whether it’s a private, public or hybrid cloud. Understanding that cloud consumers can, should, and are expected to take responsibility for security measures can lead to the cloud being a secure platform that delivers cost savings and improved productivity.

By Carolyn Duffy Marsan
Network World (US)
January 22, 2010

FRAMINGHAM - Most U.S. federal agencies — including the Department of Homeland Security — have failed to comply with a Dec. 31, 2009, deadline to deploy new authentication mechanisms on their Web sites that would prevent hackers from hijacking Web traffic and redirecting it to bogus sites.

Agencies were required to roll out an extra layer of security on their .gov Web sites under an Office of Management and Budget mandate issued in August 2008, although at least one expert calls that yearend deadline “a little aggressive.”

Aggressive or not, independent monitoring indicates that only 20% of agencies show signs of deploying this new security mechanism, which is called DNS Security Extensions, or DNSSEC for short.

DNSSEC is an Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
Secure64, a DNS vendor, researched 360 federal agencies to see how many of their Web sites showed signs of digital signatures on their .gov domains.

“We found about 20% of agencies had signatures as of last week,” says Mark Beckett, vice president of marketing for Secure64. “Eighty percent don’t have any signatures up there. One can speculate about why that is. They may be working on it but haven’t pushed the signatures into production yet. All you can tell from the outside looking in is that there’s no evidence of progress on the DNSSEC mandate.”

“The 20% number is completely believable,” says Paul Hoffman, Director of the VPN Consortium and an active participant in DNSSEC standardization efforts at the Internet Engineering Task Force. “NIST has been working on DNSSEC, but the individual agency IT departments aren’t doing anything. DNSSEC is not a priority.”

The Obama Administration’s failure to meet this critical cybersecurity deadline comes at a time when dozens of U.S. companies including Google, Yahoo and Adobe have reported cyberattacks by Chinese hackers.
OMB officials declined to say why the agency hasn’t enforced the DNSSEC deadline for executive branch departments.

“With specific regard to the encryption of DNS databases, the government is committed to data protection and integrity. The steps taken to date by departments and agencies are being evaluated for their effectiveness,” OMB spokesman Tom Gavin said in a statement.

Not everyone sees cause for concern in the missed deadline.

“The OMB deadline was a little aggressive,” says Steve Crocker, an Internet pioneer who is CEO of Shinkuro, an R&D company engaged in DNSSEC-related work. “I would take it as a very positive sign that there was any movement at all. What I’m hearing is that of the many, many things that all the federal CIOs are forced to pay attention to, DNSSEC is one that is likely to get attention in 2010.”

Crocker says it’s realistic for the majority of federal agencies to support DNSSEC in their .gov subdomains by the end of 2010.

“Missing the mark by one year is pretty good news in this business,” Crocker says. “There is a gradual tightening of security going on up and down the Internet protocol stack. DNSSEC isn’t the be-all-and-end-all, but it’s an important piece. The technical community has been working on DNSSEC for 20 years. The top part of .gov is signed, and now we’re seeing the other pieces coming along.”

OMB’s DNSSEC mandate applies to executive branch departments and agencies that run .gov Web sites. (The Defense Department’s .mil Web sites are exempt.) OMB required that .gov would be cryptographically signed at the top level by Jan. 31, 2009, and that milestone was reached a month later in February 2009.
Individual agencies were required to support DNSSEC in all of their subdomains such as www.irs.gov by Dec. 31, 2009. Agencies that appear to have met this deadline include the Commerce and Interior Departments, while the Treasury Department and the Department of Homeland Security have not.

Once it’s fully deployed, DNSSEC will have a broad impact on the U.S. public. That’s because it will ensure that citizens who think they are visiting federal Web sites are not redirected elsewhere. For example, citizens who file their taxes online want to be sure that when they type www.irs.gov into their browsers, they go to a Web site operated by the Internal Revenue Service and not a scam artist trying to steal their social security numbers.

DNSSEC is a hierarchical system, and it requires authentication at every step in the process of matching a domain name with the corresponding IP address. In order for a user to receive an authenticated response from a government Web site like www.irs.gov, DNSSEC needs to be deployed on the Internet’s root servers, the .gov domain servers and the subdomain servers operated by the IRS.

“If everything was DNSSEC enabled, it would make it extremely difficult to forge a DNS response,” says Ken Silva, CTO of VeriSign, which is deploying DNSSEC on the Internet’s root servers as well as the .com and .net domains. “Having said that, it truly needs to be DNSSEC from end-to-end in order to have an impact.”

Hoffman points out that there is marginal value for agencies to deploy DNSSEC until the DNS root is signed, which will happen this summer.

“It’s a shame more agencies aren’t ready for DNSSEC,” Hoffman says. “After the root is signed, those agencies that are ready will be coming up to speed much more quickly than those that are not.”

Despite the promise of DNSSEC to improve the trustworthiness of the government’s online services, many agencies haven’t devoted money or personnel to the DNSSEC mandate, experts say.

Other agencies have run into technical glitches as they’ve deployed DNSSEC.

“When we go to deploy DNSSEC, sometimes there are networking issues where some part of the network might be getting in the way of the digital signatures or sometimes there are firewall issues,” Beckett says, adding that these are normal debugging issues rather than major technical hurdles to DNSSEC deployment.

VeriSign says it has run into some difficulties deploying DNSSEC across the root, .com and .net servers, but nothing worse than it expected.

“We’ve found some technical roadblocks around network equipment including firewalls and load balancers,” Silva says. “We’ve had some versions of those devices act funny with a packet if it’s larger than it was normally expecting to be….That’s why it’s so important to test your own systems and make sure that DNSSEC is not going to cause any problems.”

Beckett says agencies had plenty of time to get all of the testing done and to meet the OMB mandate.

“We had a federal customer who signed those domains in a pilot project in three days,” Beckett says. “Agencies can deploy this very quickly.”

Many other countries — including Sweden, Puerto Rico, Bulgaria and Brazil — have already deployed DNSSEC on their country code domains.

DNSSEC also is operational on the .org domain, and it will be supported in the .com and .net domains by the end of the year.
“It would be really sad if the U.S. government lagged on DNSSEC, if they didn’t believe they had to follow the OMB mandate,” Hoffman says. “Our allies are already signing their [country code top level domains]. It would be sad if we fell behind.”

Industry observers say the Obama administration’s failure to meet the DNSSEC deadline is the result of not focusing enough on cybersecurity issues. As evidence they point to the fact that the president didn’t announce the selection of Howard Schmidt as White House cybersecurity coordinator until December 2009.
“There’s a lack of leadership throughout the government on cybersecurity,” Hoffman says. “It’s not just that they haven’t had the cybersecurity position filled. It’s not clear that the cybersecurity position is going to have any power…And none of the agencies are rapidly moving ahead on their own.”

OMB denies this criticism.

“Cybersecurity is a top priority for the Administration,” Gavin said in a statement. He added that “agencies are aggressively adopting new tools and technologies to ensure the safety of government information.”

The OMB DNSSEC mandate was published after a high-profile flaw in the Internet’s Domain Name System — commonly known as the Kaminsky Bug — was revealed. DNSSEC is the only long-term fix for preventing Kaminsky-style attacks.

By Jaikumar Vijayan
Computerworld (US)
January 22, 2010

FRAMINGHAM - In a report likely to make IT administrators tear out their hair, most users still rely on easy passwords, some as simple as “123456,” to access their accounts.

A report released today by database security vendor Imperva Inc. serves as another reminder of why IT administrators need to enforce strong password policies on enterprise applications and systems.
Imperva’s report is based on an analysis of 32 million passwords that were exposed in a recent database intrusion at RockYou Inc., a developer of several popular Facebook applications. The passwords belonged to users who had registered with RockYou and had been stored by the company in clear text on the compromised database. The hacker responsible for the intrusion later posted the entire list of 32 million passwords on the Internet.

An analysis of that list provides the latest confirmation that a majority of users still don’t care about the strength of their passwords if they are left to choose on their own.

According to Imperva, about 30% of the passwords in the hacked list were six characters or smaller, while 60% were passwords created from a limited set of alpha-numeric characters. Nearly 50% of the users had used easily guessable names, common slang words, adjacent keyboard keys and consecutive digits as their passwords.

In fact the most common password among RockYou users was “123456” followed by “12345” and “123456789.” The other passwords rounding out the top five were “password” and “iloveyou.”

Many of the top 5,000 passwords in the list were identical to those found in password dictionaries, which are used by hackers to brute force their way into accounts, said Amichai Shulman, chief technology officer at Imperva. On average, a malicious attacker using such a password dictionary would have been able to break into a RockYou account at the rate of roughly one every second using an automated password guessing tool, he said.

Imperva’s report is far from the first to highlight the tendency of many people to use easily hackable passwords for online accounts. What sets it apart, however, is the sheer size of the sample that was analyzed for the report. Though the passwords in this case only controlled access to a relatively low-value user account, previous studies have shown that users tend to use the same password for multiple accounts, including corporate and financial accounts.

The Imperva report comes at a time when malicious attackers are increasingly going after user credentials to break into enterprise networks.
Last November, for instance, the FBI’s Internet Crime Complaint Center noted that cybercrooks had attempted to steal approximately $100 million from U.S. banks using stolen log-in credentials. On average, the FBI is seeing several new cases opened each week, the complaint center said. In most instances, the crooks used sophisticated keystroke-logging Trojan horse programs to steal login credentials from company employees authorized to initiate funds transfers on behalf of the business, the FBI noted.

Such attacks are highlighting the need for stronger access control and user authentication measures. For IT administrators, the main takeaway is the need for them to enforce a strong password policy over applications that they own, Shulman said. “If you let the user choose at their convenience, they will choose weak passwords,” he said.

Companies should also consider implementing controls for slowing down brute-force attacks, in which attackers try breaking into an account by guessing the password using an automated tool. Putting obstacles such as CAPTCHAs (Completely Automated Public Turing Test to Tell Computers and Humans Apart) in the way of a brute-force attacker is a good way to slow them down, the Imperva report noted.

Administrators also need to enforce a periodic password change policy and encourage users to create harder-to-crack passphrases instead of passwords, the report said.
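The weakness classes the report counts (six characters or fewer, a limited alphanumeric set, consecutive digits, adjacent keyboard keys, dictionary words) and the two controls it recommends (a policy gate that rejects weak choices, and a lockout counter that slows automated guessing) can be expressed directly in code. This is an added example, not Imperva’s analysis or RockYou’s code; the sample list, the mini word list and the keyboard rows are constructed here, and "limited charset" is assumed to mean lowercase letters and digits only, since the article does not define it.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed stand-in for the cracking wordlists the report refers to.
COMMON_WORDS = {"password", "iloveyou", "princess", "rockyou", "abc123", "qwerty", "monkey"}
# Constructed key rows used to detect "adjacent keyboard keys" passwords.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed sample standing in for the leaked list (repeats mimic the top-five skew).
SAMPLE = ["123456", "123456", "123456", "12345", "12345", "password", "iloveyou",
          "qwerty", "abc123", "G7!pine-fox", "correct horse battery staple", "654321"]


def is_consecutive_digits(pw: str) -> bool:
    """All digits, each one exactly +1 or -1 from the previous ('123456', '654321')."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def is_keyboard_walk(pw: str) -> bool:
    """Whole password is a run of neighbouring keys on one row, in either direction."""
    low = pw.lower()
    if len(low) < 4:
        return False
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def weaknesses(pw: str) -> list[str]:
    """Report-style weakness categories that apply to a single password."""
    found = []
    if len(pw) <= 6:
        found.append("short")
    if re.fullmatch(r"[a-z0-9]+", pw):  # assumption: 'limited alphanumeric set' = lowercase + digits
        found.append("limited charset")
    if is_consecutive_digits(pw):
        found.append("consecutive digits")
    if is_keyboard_walk(pw):
        found.append("keyboard walk")
    if pw.lower() in COMMON_WORDS:
        found.append("dictionary word")
    return found


def summarize(passwords: list[str]) -> tuple[dict[str, float], list[tuple[str, int]]]:
    """Share of the sample in each weakness class, plus the most common passwords."""
    n = len(passwords)
    counts: Counter[str] = Counter()
    for pw in passwords:
        counts.update(weaknesses(pw))
    share = {k: round(v / n, 2) for k, v in counts.items()}
    return share, Counter(passwords).most_common(3)


def policy_accepts(pw: str, min_len: int = 8) -> bool:
    """Server-side gate the report calls for: minimum length and none of the flagged patterns."""
    return len(pw) >= min_len and not weaknesses(pw)


@dataclass
class LoginGuard:
    """Per-account failure counter: after `limit` failures, attempts are refused
    until `lockout` seconds have passed since the last failure. Any success clears it."""
    limit: int = 5
    lockout: float = 300.0
    _fails: dict[str, tuple[int, float]] = field(default_factory=dict)

    def attempt(self, account: str, ok: bool, now: float) -> str:
        fails, last = self._fails.get(account, (0, 0.0))
        if fails >= self.limit:
            if now - last < self.lockout:
                return "locked"       # refused without even checking the credential
            fails = 0                 # lockout expired, start counting again
        if ok:
            self._fails.pop(account, None)
            return "allowed"
        self._fails[account] = (fails + 1, now)
        return "rejected"


if __name__ == "__main__":
    share, top = summarize(SAMPLE)
    print("weakness shares:", share)
    print("most common:", top)
    for pw in SAMPLE:
        print(f"{pw!r}: {'accepted' if policy_accepts(pw) else 'rejected'}")
```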

By Stephen Lawson
IDG News Service (San Francisco Bureau)
January 20, 2010

SAN FRANCISCO - Mobile connectivity provider iPass, which for many years has consolidated network accounts for workers on the go, is now shifting its focus to helping enterprises manage mobile data use.

With a set of cloud-based services announced on Tuesday, iPass will be able to handle authentication and network access rights for employees based on an enterprise’s own policies, spanning Internet use in offices, at home and on the road.

The traditional business of iPass has been giving enterprises — and, for a short period, traveling consumers — access to a multitude of networks around the world with just one account. iPass did the dirty work of making deals with providers of dial-up and wired and wireless broadband so companies and traveling employees didn’t have to. The iPass software client presented road warriors with locally available network services, sometimes several of them.

Now iPass is focusing on that client software, and on a cloud-based system for managing it, to make Internet access easy whether travelers are using an iPass-provided network or not. With the cloud-based services, controlled via a Web browser, enterprises can define each employee’s access rights according to policies, monitor workers’ network use and add any service provider the enterprise works with, said Piero DePaoli, senior director of product marketing.

This is designed to give the enterprise and its workers more control over their available connections. Employers can add carriers with which iPass doesn’t have contracts, and individual employees can register their own home Wi-Fi systems as preferred networks. An enterprise can control the client software so workers are only presented with the name of its own preferred network in a given location.

IPass still offers its network of more than 140,000 access points around the world. But the dial-up access on which iPass built its business is mostly a thing of the past, and travelers can now get usable data speeds in many places just by signing up for a single mobile operator’s 3G service. At the same time, some of those carriers have already built Wi-Fi hotspots into their service deals. Still, some enterprises want to pick and choose which networks their employees use in various locations. The new iPass services give them more control.

Extending the idea of a consistent connection experience to all types of networks and letting enterprises take the lead on governing it are logical steps, industry analysts said.

“It’s a natural evolution of where they are,” said Burton Group analyst Michael DiSabato. “They’re just adapting to go along with how this is evolving.”

With the new services, iPass can serve enterprises that know exactly what they want, said analyst Craig Mathias of Farpoint Group. That could significantly expand the company’s potential market, he said.

Customers of the new services will enforce their own access policies for cost, security and compliance using the iPass Mobile Control service. The iPass Mobile Insight service will deliver reports and analysis of mobile network use by all types of devices. iPass Mobile Connect will orchestrate policy-based access for the iPass Open Mobile Client software.

The new service isn’t replacing the traditional iPass service, DePaoli said. At least for the time being, both will be offered and customers will be able to choose. The new service currently is available with a Windows client but soon will be available for all the platforms supported by the existing service, including BlackBerry, iPhone, Nokia and all major PC OSes. For a typical customer, iPass software costs between US$2 and $4 per user, per month, and access to iPass’ network of connections costs between $20 and $40 per user, per month, depending on the number of users, the company said.

By Carrie-Ann Skinner
PC Advisor (UK)
January 15, 2010

LONDON - Web users are being urged to stay safe when shopping online by Nominet, following the internet body’s part in an operation that helped take down 1,219 scam websites in the run up to Christmas.

Nominet, which is responsible for domain name registration, worked with the Metropolitan Police’s Central e-Crime Unit (PCeU) on Operation Papworth, which focused on websites selling counterfeit designer goods - from Tiffany jewellery to GHD hair straighteners.
“Those who shop on the web need to remain careful so they do not get ripped off with scams or fake or non-existent goods,” said Lesley Cowley, chief executive of Nominet.

Cowley added that while Nominet is committed to making the internet a safe place, there are some basic steps that web users can take to protect themselves when buying goods online.

Nominet suggests researching a company before committing to buying goods from a website.

“Look for a telephone number for the company. Ring it and check it works if you have any concerns,” said Cowley, while also reminding web users to use sites beginning with the prefix ‘https://’ and that display a padlock symbol on the page where credit card details or personal information need to be entered - as this indicates the site is secure.

“Take a few minutes to search for the company on the internet and check their reputation. Trust your common sense and if necessary buy elsewhere.”

Cowley also warned users not to assume a company is based in the UK because it has a .uk web address.

“Visit the Nominet WHOIS site to check where the website is registered. If the company is based outside the UK you might have to pay import tax on any goods you purchase,” she said.
Likewise, just because a website claims it is an official reseller of brand name goods, it may not be. Users should visit the brand’s website to check the reseller is legitimate.

Cowley cited GHD, a company that manufactures hair straighteners, as a good example.

“GHD has a dedicated section on its official web site outlining fake GHD web sites. Goods should not be purchased from any of the sites on that list.”
Nominet also urged online shoppers to share their knowledge of both reputable websites and duds with friends and family to minimise the risk of others getting scammed, as well as having a dedicated credit card for online shopping as “it is easier to claim money back using a credit card than a debit card”.

Finally, Cowley advised web users that had been scammed to report the incident immediately.

“Call your local trading standards office, report the incident and ask for their best advice on how to deal with the situation.”

By John Mark V. Tuazon
Computerworld Philippines
January 11, 2010

Protecting business information—the most basic element in any business—should be the priority of firms in ensuring security and managing risks in their organizations, data from a global information security survey conducted by Ernst & Young revealed recently.

“The conventional way of handling security issues doesn’t work anymore,” asserted Gerry Chng, Far East Area information security champion, Ernst & Young. Chng said focusing on infrastructure, keeping the bad guys out, point-in-time security posturing, and focusing on compliance are just some of the security measures that don’t apply anymore, considering the emergence of new technology.

The call for focusing on the information itself stemmed from various incidents last year when massive amounts of data were stolen from companies due to lax security. “Businesses need to protect the information themselves, not just the laptops, or the network,” Chng stressed. “They need to focus on the information, and not just the hardware or the software because they are mere enablers to protect business information.”

The survey, conducted from June 1 to July 31 in 2009 with 1,865 organizations polled in 61 countries, likewise found that emerging technologies are not only drastically changing the way businesses do their work, but how security is handled as well.

Chng emphasized the emergence of cloud computing as a prime example of the survey’s point, saying it brings new challenges especially because the data doesn’t reside within the firms’ premises. “Cloud computing is heavily reliant on the Internet, so business continuity needs to be re-thought if ever connectivity goes down,” he pointed out. “There will also be an increased demand for mobility from users, although it is expected that they would still want information residing on their physical machines.”

The issue of compliance, on the other hand, is a rather tricky subject, according to Chng, especially if it becomes the primary driver for information security. “Security compliance is expensive, but can be very helpful. It, however, is not sustainable,” he admitted, emphasizing that the best strategy is to understand the intent behind careful requirements, with compliance being a by-product of good security practices.

“Compliance doesn’t necessarily result in good security,” the security champion noted, sharing the example of Heartland Payment Systems, which experienced a security breach leaking 130 million contact records of its customers despite being security compliant.

“A good information security strategy should incorporate four things: proactive security management rather than point-in-time compliance; cost-effective security initiatives to meet regulatory requirements; within the bounds of operational challenges; and capacity to address risks from emerging technologies,” Chng said.

By Ellen Messmer
Network World (US)
December 25, 2009

FRAMINGHAM - The rise of the Conficker worm and Heartland Payment Systems’ enormous data breach were two defining security events in 2009. What’s in store for 2010?

“It’s going to get worse,” says Patrik Runald, senior manager of security and research at Websense, who argues there has not yet been a year when things got better in terms of security and the wider Internet. Criminals have been mastering botnets, phishing scams and fake antivirus software sales, and 2010 will bring new waves of attacks that exploit fresh targets. Specifically, smartphones such as the Apple iPhone and those based on Google’s Android operating system will be in attackers’ line of sight for 2010, Runald says.

While a handful of malware attacks have surfaced of late against “jailbroken” iPhones (ones whose owners have deliberately disabled Apple controls), it’s only the beginning.

People are jailbreaking their phones to “get out of what they see as a stranglehold by Apple so they can install what they want,” Runald says, but one effect is that “they’re opening themselves to greater risk.”

As attackers accelerate malware attacks against jailbroken phones, the dilemma, Runald says, is that vendors “cannot develop an antivirus application for the iPhone” because of the way Apple engineered it to preclude low-level access. “There’s no way you can intercept file transactions,” Runald says. Though security vendors might eye writing antivirus software for iPhones, “no one will do it” because of the nature of the iPhone’s underlying design.

Khoi Nguyen, group product manager at Symantec, also says the current iPhone SDK doesn’t allow third-party vendors to conduct the background processes for malware prevention that involve deep scans and checks for file protection. “We’re hoping Apple will open up its SDK,” Nguyen says.

Smartphones based on Google’s Android present a different situation. Google has not made itself the gatekeeper of applications, but malware disguised as helpful applications could end up on Google application stores and people could end up downloading malicious code, unaware of the consequences.

Another accelerating security trend is the wave of criminals selling rogue antivirus software. Fake antivirus software is often called “scareware,” since frightening the PC owner is often part of the scam. Rogue antivirus, which Symantec counts as a top threat going into 2010, is not only thriving, but criminals selling it are starting to display new tricks.

“They’re selling and re-branding copies of software that could have been downloaded for free elsewhere,” says Zulfikar Ramzan, technical director at Symantec Security Response, which has tracked several hundred distinct rogue antivirus software products and 43 million attempts to download it in the latter part of 2009. Social networking sites are becoming a way to disseminate it.

An emerging security concern in 2010 is the potential for cyber-criminals to abuse cloud computing, says Tom Cross, X-Force advanced research manager at IBM. It’s already starting to happen, he says, though incidents aren’t yet getting much publicity.

Cross says cybercriminals are using stolen credit cards to pay cloud service providers to host virtual machines, exploiting these cloud services to operate command-and-control and attack components of a botnet to carry out denial-of-service attacks, network intrusions and more.

They might get a month’s free ride with a phony credit card, and then move on. “We’re seeing this happen,” Cross says. The issue for legitimate companies is how their cloud service provider plans to handle such incidents — especially since legit customers might end up sharing a physical server with a criminal in a virtualized environment, Cross points out.

“As a policy, people should insist that cloud computing vendors have a lot of knowledge about their customers,” Cross says. Legit customers could find themselves impacted if they share the same server as a criminal.

Trend Micro also says cloud computing is a priority spot to watch in 2010. In particular, there are potential security issues associated with doing business on Amazon that businesses should be aware of, says Andy Dancer, Trend Micro’s CTO for encryption.

“The move to the cloud is the next big architecture change we see, so the question is, what are the new threats that come along with that platform?” Dancer asks.

“Amazon is definitely out there at the forefront right now with their EC2 services,” says Dancer, so it’s worth examining Amazon and its customers as a target of attack. One specific type of attack against Amazon and its customers could involve the Amazon set of APIs used for data-sharing, which are public. Used by customers for uploading, downloading, or rebooting machines among other purposes, the Amazon APIs could be used by an attacker to commit a data breach and take machines offline, for instance. Although Amazon uses a good public-private key mechanism for security with its APIs, the point of attack would more likely be subversion through manipulation of reset processes, for instance, rather than trying to break keys, Dancer notes.

In general, cloud computing allows virtual machines to sit side by side, Dancer points out, “and you have to put a perimeter around your virtual machine because the guy trying to break into you may be sitting right next to you.”

One cloud-computing effort announced in November that’s certain to be watched in 2010 is that of Cisco and EMC, which together with VMware announced the Virtual Computing Environment coalition to offer fully integrated “infrastructure packages” that combine virtualization, networking, computing, storage, security and management technologies. They also announced Acadia, a joint venture to foster build-outs of private cloud infrastructures for service providers and large enterprise customers.
But will encryption services be part of it?

“Encryption services in the cloud? I just don’t think it will be here in 2010,” says Sam Curry, vice president of product management at RSA, the security division of EMC (which also owns about an 85% share in VMware). “This has to be done in proportion to customer demand, and being ahead of the market is as bad as missing it,” Curry says.

Ted DeZaballa, national managing partner for security and privacy at the Deloitte US consultancy, says he doesn’t think there will be widespread adoption of cloud computing in 2010 based on feedback Deloitte gets from its client base. One reason is security concerns that potential cloud adopters have.

But to DeZaballa, the biggest threat in 2010 is organized crime that stealthily moves to exploit an individual’s computer in order to infiltrate the larger enterprise. Organizations “simply don’t understand how exposed they are,” he says.

And non-Windows users won’t be spared security headaches in 2010, many agree. Although Microsoft Windows-based machines have been the main targets of attacks such as drive-by downloads that exploit unpatched software, many believe that 2010 is going to be a time when other systems, including Mac and Linux-based computers, get more attention from attackers.

“Most of the attacks have been built around the Windows environment,” DeZaballa says. “But the trend in 2010 will be more attention to others, such as Linux and Mac.”

Macs in the enterprise appear to be on the upswing, “and the Apple Mac sees tons of vulnerabilities that could be used for malicious downloads,” Runald says. “Today there are no drive-by attacks on Macs but next year it’s coming.”

By Ellen Messmer
Network World (US)
December 23, 2009

FRAMINGHAM - While adoption of server virtualization is proceeding at a gallop, the effort to refine virtualization security reached only a slow trot in 2009.

Roughly 18% of server workloads have been virtualized, and research firm Gartner expects that number to climb to 28% in 2010 and almost 50% by 2012. But adapting traditional firewall, intrusion detection, antimalware and other types of security and monitoring software to run optimally in this radically changed hypervisor-based architecture is still very much a work in progress.

One development that occurred this year is the release of VMware’s security APIs.

After talking up the idea since February 2008, VMware in April 2009 finally released its VMsafe APIs intended to help security vendors build products to work with its platform. But some vendors say these APIs present performance issues.

“We’re not using the VMware APIs today due to performance,” says Richard Park, senior product manager at Sourcefire, which in early December shipped its first virtualized sensor and management console for VMware ESX and vSphere4.

Sourcefire’s traditional physical appliances are network sensors that can do both intrusion-detection monitoring and intrusion-prevention blocking. But at this point, the Virtual 3D Sensor and Virtual Defense Center will only provide monitoring visibility into VMware’s ESX hosts, not blocking of attacks.

“The only way to block traffic today is to put the sensor between two VMware switches,” Park says. Sourcefire is still examining exactly how to fully support that. For customers today with VMware-based virtualized servers, “the demand is for monitoring,” Park claims.

Park says Sourcefire is eager to see a robust set of VMware VMsafe APIs and that VMware has recognized there are performance issues and is revising its APIs.

At the Gartner ITExpo in October, Gartner Vice President Neil MacDonald publicly excoriated some security vendors for not moving more rapidly to come up with software-based virtual appliances, insinuating they would rather stick to their old ways of selling expensive hardware boxes. (See related story, Gartner on cloud security: “Our nightmare scenario is here now”.)

Enterprise customers are rapidly virtualizing their IT environments and often unwittingly creating less-secure results even as they reap the many benefits of virtualization, MacDonald says. Roping off virtualized servers with virtual LANs alone — a common practice — “is not sufficient for security separation,” MacDonald says. “It’s become the default because it’s built into VMware with its virtual switch. Our position is it isn’t strong enough.”

MacDonald says virtualization is causing some “business-model disruption” in security and praised the efforts of some vendors, including Trend Micro, to leap in with new offerings to take on the virtualization challenge. Using the VMware VMSafe APIs is one approach which is still new, he noted.

Trend Micro’s Core Protection for Virtual Machines, antimalware software that was designed for use with VMware, was released in the third quarter. Trend’s Deep Security 7 for firewall, intrusion detection/prevention, integrity monitoring and log management for VMware ESX shipped in November.

According to Bill McGee, senior director of product marketing at Trend Micro, both products make some use of tools in VMsafe. But he adds that while VMsafe is an important step, it needs to be improved.

“VMware is making improvements in the area of performance for bandwidth and significant workloads,” McGee says, especially by changing the approach they use for “sending packets around in the system.”

Virtualization is bringing change and “we’re seeing the pressure, and the opportunity, for security vendors to optimize security,” McGee says. VMware has been among the most aggressive of the virtualization software vendors to open up their technology to optimize security functions, he says, while so far the actions of Citrix and Microsoft seem “more limited” in this area.

For its part, VMware says it’s glad to see a number of vendors, including Altor Networks, Reflex, ISS IBM and Trend Micro, adopting the VMsafe technology.

While not speaking to specific comments about performance, VMware’s director of alliances Jitesh Chanchani says, “VMsafe is an integral part of our security strategy. In terms of improvements, this is an ongoing investment for us.”

The APIs are a positive development, he points out, because they “provide fine-grained visibility into virtual-machine resources,” such as the introspection ability to examine what’s going on the VMware platform.

Meanwhile, industry watchers continue to address the question of whether adopting a virtualization platform brings more risk.

According to Forrester Research, adding hypervisor technology (Citrix Xen, VMware vSphere and Microsoft Hyper-V) “does add some marginal risk to IT environments, because it layers additional software on top of existing operating systems. All software, no matter how thin, contains hidden design mistakes and inadvertent coding flaws.”

Mistakes are going to be made and there will be attacks against virtual servers, the firm states in a report titled “Fear of a Hijacked Planet.” These can include an attacker who successfully compromises a virtual machine going after hosts, subversion of hypervisors, and live migration impersonation.

“On the user side, enterprises are collectively a bit confused. IT security staffs, in particular, have more questions than answers,” says Forrester analyst Andrew Jacquith. IT teams are asking questions such as “Is the hypervisor secure? Is the IT ops team doing something they shouldn’t? What visibility do we have to the virtual machines?”

According to Jacquith, one disappointment remains VMware’s Live Migration feature for configuring VMs so that they automatically migrate from one farm host to another, for purposes of fault tolerance and business continuity. “That’s all good, except that the VM itself moves over the network in the clear, which makes a man-in-the-middle attack possible,” Jacquith notes. But he’s optimistic improvements are coming in that arena, too.

On the plus side, Jacquith points out, the VMsafe program, along with more options from vendors for offline patching and update capabilities, means there’s been progress in security virtualization this year.

By Chris Kanaracus
IDG News Service (Boston Bureau)
December 18, 2009

BOSTON - The Cloud Security Alliance published the second edition of its guidelines for secure cloud computing on Thursday, delivering a voluminous document that sets out an architectural framework and makes a host of recommendations around cloud security.

It also seeks to provide a firm definition on cloud computing, which has been the subject of much hype in recent years. According to the CSA, cloud computing environments feature on-demand, self-service consumption; allow broad access via networks; draw from a pool of shared computing resources; can be quickly scaled up or down depending on demand; and involve some type of metering to track usage.

Cloud computing has its benefits, such as economies of scale and standardization, but they in turn raise security challenges, the CSA said.

“To bring these efficiencies to bear, cloud providers have to provide services that are flexible enough to serve the largest customer base possible, maximizing their addressable market. Unfortunately, integrating security into these solutions is often perceived as making them more rigid,” the document states.

“This rigidity often manifests in the inability to gain parity in security control deployment in cloud environments compared to traditional IT,” it adds. “This stems mostly from the abstraction of infrastructure, and the lack of visibility and capability to integrate many familiar security controls — especially at the network layer.”

The CSA’s report tackles cloud security on 13 different fronts, from governance issues like e-discovery, compliance and audits to operational concerns such as disaster recovery, application security and identity management. It updates an original edition released in April.

Also Thursday, Sun Microsystems announced a set of new open-source technologies that target some of the challenges highlighted in the CSA’s report.

The new tools include:

– OpenSolaris VPC Gateway, which lets users create a secure channel to a virtual private cloud on Amazon’s EC2 (Elastic Compute Cloud) service, without special networking hardware.

– Immutable Service Containers, for creating virtual machines with stronger security and monitoring functionality.

– A series of Security Enhanced Virtual Machine Images (VMIs) for EC2. They include images for Sun’s OpenSolaris operating system as well as software stacks, such as the open-source Drupal content management system.

– A tool called Cloud Safety Box, which helps users manage the compression, encryption and division of information stored on cloud services. It includes support for Solaris, OpenSolaris, Linux and Mac OS X.

Computerworld Philippines Staff
December 10, 2009

With the increasing number of threats posing real-time consequences for companies, small and medium businesses are bent on keeping critical information and business operations secure. Cyberoam aims to address this mounting SMB concern with the latest extension of its “Accelerator Series” appliances, the CR25ia and CR35ia.

With 2 to 4.5 times greater firewall throughput, and 1.5 to 2 times the IPS, anti-virus and UTM throughput values, the expanded Cyberoam Accelerator Series can handle the entire spectrum of existing and emerging threats, meeting its promise of comprehensive security.

“Cyberoam addresses the three issues of price, performance and security expectations of our customers with the CR25ia and CR35ia, meeting the requirements of both small & medium office as well as branch office segments,” said Abhilash Sonwane, vice president, product management, Cyberoam. “We are happy to introduce this enhancement to our line of “Accelerator Series” appliances, offering best-in-class UTM throughputs even when the appliances are fully loaded, that is, when all the security features are running.”

Aside from a robust protection system, the new appliances come with a host of security features, including a Stateful Inspection Firewall, VPN (SSL VPN & IPSec), Gateway Anti-Virus and Anti-Spyware, Gateway Anti-Spam, IPS, Content Filtering, Bandwidth Management, Multiple Link Management, which can be independently managed using the Cyberoam Central Console.

SMBs looking to save money can benefit from the new appliances, which the company claims are cost-effective and can deliver business value when needed the most. – John Mark V. Tuazon

By Robert McMillan
IDG News Service (San Francisco Bureau)
December 9, 2009

SAN FRANCISCO - What do phishing, instant messaging malware, DDoS attacks and 419 scams have in common? According to Cisco Systems, they’re all has-been cybercrimes that were supplanted by slicker, more menacing forms of cybercrime over the past year.

In its 2009 Annual Security Report, due to be released Tuesday, Cisco says that the smart cyber-criminals are moving on.

“Social media and the data-theft Trojans are the things that are really in their ascent,” said Patrick Peterson, a Cisco researcher. “You can see them replacing a lot of the old-school things.”

Peterson is talking about attacks such as the Koobface worm, which spreads via Facebook and Twitter. Koobface asks victims to look at a fake YouTube video, which ultimately leads to a malicious download. Cisco estimates that Koobface has now infected more than 3 million computers, and security vendors such as Symantec expect social network attacks to be a major problem in 2010.

Another sneaky attack: the Zeus password-stealing Trojan. According to Cisco, Zeus variants infected almost 4 million computers in 2009. Eastern European gangs use Zeus to hack into bank accounts. They then use their networks of money mules to wire stolen funds out of the U.S. They have been linked to about $100 million in bank losses, some of which have been recovered, the U.S. Federal Bureau of Investigation said last month.

With that kind of success, older types of attacks such as instant messaging worms and phishing are now on the decline, Peterson said.

Traditional phishing is becoming harder as consumers become wary of suspicious banking sites and the banks themselves are now adept at getting these sites taken off the Internet.

Those factors make password stealing Trojans like Zeus even more popular, Peterson said. “They’re focusing on other ways to basically accomplish the same thing.”

One scourge that’s not slowing down, however, is spam. Cisco expects spam volume to rise between 30 and 40 percent next year, even though countries such as the U.S. have knocked some spammers offline. In fact, U.S. spam dropped 20 percent in 2009, and the U.S. lost its traditional position as the world’s number-one source of spam. More spam now comes from Brazil, Cisco says.

By John Mark V. Tuazon
Computerworld Philippines
November 26, 2009

Cybercriminals are getting more and more creative every day.
In their efforts to deceive Internet users into unwittingly spreading malware, cybercriminals are getting a lot more inventive at hiding their cunning deeds in plain sight, said Paul Ducklin, head of technology for Asia Pacific at Sophos.

Increasingly, Ducklin noted, cyber crooks are using the powers of social networking sites and URL shortening services in their efforts to spread malware around. “And we’re starting to trust [URL shortening services] because most social networking sites such as Twitter are using them,” he added.

URL shortening services are Web tools that replace long URLs with shorter addresses under their own domain names, and forward visitors to the original long URL. Ducklin said the problem with these services—though initially beneficial—is their ability to mask the original URL in the status bar, even when the user hovers over the link.

“Originally, hovering over the anchor link would reveal the address in the status bar,” he demonstrated. “But with shortened URLs, you will also get the shortened link when you hover. The tendency is you wouldn’t care where it goes.”

With shortened URLs, Ducklin said users have lost one way of verifying the legitimacy of a website, which is often determined through its domain name. This allows cybercriminals to easily fool users into clicking links.
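The check Ducklin describes losing, hover and read the domain, can be put back by expanding the short link hop by hop without rendering any page. The code below is an added example, not from the article or from Sophos; the shortener hostnames and redirect table in it are constructed so it runs offline, and the live fetcher is only used when a caller passes it in.

```python
"""Reveal where a shortened link actually leads before anyone clicks it.

Added example; the redirect table below is constructed, not real data.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10


class RedirectProblem(Exception):
    """Raised for redirect loops or chains longer than max_hops."""


def expand_short_url(url, fetch_location, max_hops=MAX_HOPS):
    """Follow the redirect chain from a short URL without rendering any page.

    fetch_location(url) must return the Location header of the HEAD response,
    or None when the URL is a final page.  Returns the full chain, short URL
    first and final destination last.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        location = fetch_location(current)
        if location is None:
            return chain
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in seen:
            raise RedirectProblem(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    raise RedirectProblem(f"more than {max_hops} redirects from {url}")


def destination_host(chain):
    return urlsplit(chain[-1]).hostname


def host_hidden(chain):
    """True when the host the user sees on hover differs from the real destination."""
    return urlsplit(chain[0]).hostname != destination_host(chain)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None tells urllib not to follow; the 3xx surfaces as HTTPError.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch_location(url, timeout=5):
    """Real fetcher: one HEAD request, no automatic redirect following."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None  # 2xx: this is the final page
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


# Constructed stand-in for shortener responses, so the example runs offline.
FAKE_REDIRECTS = {
    "http://short.example/abc": "http://other-short.example/xyz",
    "http://other-short.example/xyz": "/landing",
    "http://other-short.example/landing": "https://www.example.org/article",
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",
}


def fake_fetch_location(url):
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    chain = expand_short_url("http://short.example/abc", fake_fetch_location)
    print(" -> ".join(chain))
    if host_hidden(chain):
        print(f"hover shows {urlsplit(chain[0]).hostname}, "
              f"real destination is {destination_host(chain)}")
```

Swap `fake_fetch_location` for `live_fetch_location` to expand a real link; nested shorteners and relative Location headers are handled, and a loop or an over-long chain raises instead of spinning.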

But even “legitimate” websites are not free from the shrewdness of modern-day online crooks, according to the Sophos expert. “Legitimate websites that seemingly pose no threat to users are also being utilized by malware offenders, using Web tools such as iframe codes,” he elaborated.

Ducklin said cyber felons embed one-by-one-pixel iframes that pull content from another source into legitimate-looking websites. At first glance they may not look harmful, but he said these sites eventually make the browser crash and push it to download content that will supposedly “fix” the error.

“These hacked websites appear safe at first, but their side effects can be disastrous, because they suck in content from a third party site,” Ducklin clarified. “That is why right now, accessing websites is a much bigger leap of faith than it used to be.”

By Carrie-Ann Skinner
PC Advisor (UK)
November 25, 2009

LONDON - A quarter of office workers would steal sensitive company data if they thought it would help a friend or family member secure a job, says Cyber-Ark Software.
Research by the data security firm also revealed that four out of ten office workers claimed they had already taken sensitive company data while USB flash memory drives were the media of choice for transporting data from the office.

Cyber-Ark also said that 26 percent of those surveyed would be willing to steal company data if they were fired, while 24 percent would take data if they heard rumours that their job was at risk. Furthermore, of those that said they would steal data, 28 percent said they would use it to negotiate their new position.

Nearly a quarter said customer contact details would be the data they would steal. Eleven percent said they would take passwords.

“While there is no excuse for employees who are willing to compromise their ethics to save their job, much of the responsibility for protecting sensitive proprietary data falls on the employer,” said Adam Bosnian, vice president of products and strategy, Cyber-Ark Software.

“Organisations must be willing to make improvements to how they monitor and control access to databases, networks and systems - even by those privileged users who have legitimate rights.”

By Leo King
Computerworld UK
November 20, 2009

LONDON - Businesses are slow to adapt to the changing security environment, according to a major report.

Six in 10 firms lost sensitive data in the last 12 months as a result of the actions of negligent employees, the Ponemon Institute found. It surveyed 3,000 IT operations and security professionals in the UK, Germany, US and Australia.

Three in ten firms have had data stolen by employees, according to the Worldwide State of the Endpoint Survey.

In spite of these issues, three quarters of firms said their employees could email data outside the company without any trace, and 70 percent said staff could download their data onto a USB memory stick without detection.

Half of businesses cited the lack of skilled security personnel for their failings. And four in ten struggled with the integration of different security systems.

Standard problems also remained prevalent. Eighty-four percent of firms were hit with viruses and malware intrusions, and 55 percent had lost laptops, desktops and other devices. But businesses were better protected against these threats, with over three quarters having anti-malware and anti-virus systems in place.

Alan Bentley, international senior VP at security software supplier Lumension, which commissioned the survey, said: “Businesses need to manage multiple security technologies to prevent sensitive data from walking out the door and malware from coming in.

“This dual threat is proving difficult for most organisations, which are struggling with a lack of skills, budgetary constraints and the growing complexity of endpoint technologies that they need to run in order to reduce their risk at the endpoint.”

He recommended businesses bring their different security systems onto endpoint platforms, in order to have “a clear view on where their data lives and is accessed and what threats they are being subjected to”. This needed to be backed up with the right people, process, and policies, he said.

Larry Ponemon, chairman and founder of the Ponemon Institute, added that companies are “racing to adopt” new technology “faster than they can understand” the impact on data security. Three quarters of firms allow their staff to access social networking sites, 61 percent have moved their data into the cloud and 57 percent are utilising virtualisation.

By Robert McMillan
IDG News Service (San Francisco Bureau)
November 16, 2009

SAN FRANCISCO - Internet security experts say that misconfigured DSL and cable modems are worsening a well-known problem with the Internet’s DNS (domain name system), making it easier for hackers to launch distributed denial-of-service (DDoS) attacks against their victims.

According to research set to be released in the next few days, part of the problem is blamed on the growing number of consumer devices on the Internet that are configured to accept DNS queries from anywhere, what networking experts call an “open recursive” or “open resolver” system. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers, said Cricket Liu, vice president of architecture with Infoblox, the DNS appliance company that sponsored the research. “The two leading culprits we found were Telefonica and France Telecom,” he said.

In fact, the percentage of DNS systems on the Internet that are configured this way has jumped from around 50 percent in 2007, to nearly 80 percent this year, according to Liu.

Though he hasn’t seen the Infoblox data, Georgia Tech Researcher David Dagon agreed that open recursive systems are on the rise, in part because of “the increase in home network appliances that allow multiple computers on the Internet.”

“Almost all ISPs distribute a home DSL/cable device,” he said in an e-mail interview. “Many of the devices have built-in DNS servers. These can sometimes ship in ‘open by default’ states.”

Because modems configured as open recursive servers will answer DNS queries from anyone on the Internet, they can be used in what’s known as a DNS amplification attack.

In this attack, hackers send spoofed DNS query messages to the recursive server, tricking it into replying to a victim’s computer. If the bad guys know what they’re doing, they can send a small 50-byte message to a system that will respond by sending the victim as much as 4 kilobytes of data. By barraging several DNS servers with these spoofed queries, attackers can overwhelm their victims and effectively knock them offline.
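From the resolver operator's side, the abuse described above shows up in the query log as recursive queries arriving from outside the networks the resolver is meant to serve, often the same large-answer query repeated from one address (the spoofed victim). The script below is an added example, not from the article or from Infoblox or The Measurement Factory; the BIND-style log lines, the local prefixes and the 50-byte/4-kilobyte sizes it reports on are constructed or taken from the text.

```python
"""Find open-resolver abuse in a recursive DNS server's query log.

Added example; the log lines and local prefixes are made up.
"""
import ipaddress
import re
from collections import Counter

# BIND 9 style query-log line.  The first flag character records whether the
# client set RD (recursion desired): "+" means it did, "-" means it did not.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Prefixes this resolver is supposed to serve (assumed for the example).
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
              ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log: two internal clients, one outside address that
# repeatedly asks for a large ANY answer (the spoofed victim of a reflection
# attack), one outside one-off, and one outside non-recursive query.
SAMPLE_LOG = """\
10-Nov-2009 12:00:01.001 client 192.168.1.20#53211: query: www.example.com IN A +
10-Nov-2009 12:00:01.102 client 198.51.100.7#1234: query: example.org IN ANY +
10-Nov-2009 12:00:01.110 client 198.51.100.7#1234: query: example.org IN ANY +
10-Nov-2009 12:00:01.118 client 198.51.100.7#1234: query: example.org IN ANY +
10-Nov-2009 12:00:02.000 client 192.168.1.33#40001: query: mail.example.com IN MX +
10-Nov-2009 12:00:02.500 client 203.0.113.9#5555: query: example.org IN ANY +
10-Nov-2009 12:00:03.000 client 203.0.113.50#9999: query: example.com IN NS -
"""


def parse_query_log(text):
    """Turn query-log text into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ip"] = ipaddress.ip_address(rec["ip"])
        rec["port"] = int(rec["port"])
        rec["recursion_desired"] = rec.pop("flags").startswith("+")
        records.append(rec)
    return records


def is_local(ip, nets=LOCAL_NETS):
    return any(ip in net for net in nets)


def external_recursive_queries(records, nets=LOCAL_NETS):
    """Recursive queries from outside the served prefixes.

    A resolver that answers these is an open resolver.  Non-recursive queries
    from outside are left alone: they are normal if the server is also
    authoritative for some zone.
    """
    return [r for r in records
            if r["recursion_desired"] and not is_local(r["ip"], nets)]


def reflection_targets(records, nets=LOCAL_NETS, min_queries=3):
    """Outside addresses repeating the same query.  In an amplification attack
    the source address is spoofed, so these are the victims, not the attacker."""
    counts = Counter((str(r["ip"]), r["name"], r["qtype"])
                     for r in external_recursive_queries(records, nets))
    return {key: n for key, n in counts.items() if n >= min_queries}


def amplification_ratio(query_bytes, response_bytes):
    """How many bytes the victim receives per byte the attacker sends."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print(f"{len(external_recursive_queries(recs))} recursive queries "
          "from outside the served prefixes")
    for (ip, name, qtype), n in reflection_targets(recs).items():
        print(f"  {ip} asked {name}/{qtype} {n} times: likely reflection victim")
    print(f"50-byte query -> 4096-byte answer = "
          f"{amplification_ratio(50, 4096):.0f}x amplification")
```

Any non-zero result from `external_recursive_queries` on a home or branch resolver means recursion is not restricted to the local prefixes and should be limited to them.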

DNS experts have known about the open recursive configuration problem for years, so it’s surprising that the numbers are jumping up.

However, according to Dagon, a more important issue is the fact that many of these devices do not include patches for a widely publicized DNS flaw discovered by researcher Dan Kaminsky last year. That flaw could be used to trick the owners of these devices into using Internet servers controlled by hackers without ever realizing that they’ve been duped.

Infoblox estimates that 10 percent of the open recursive servers on the Internet have not been patched.

The Infoblox survey was conducted by The Measurement Factory, which gets its data by scanning about 5 percent of the IP addresses on the Internet. The data will be posted here in the next few days.

According to Measurement Factory President Duane Wessels, DNS amplification attacks do occur, but they’re not the most common form of DDoS attack. “Those of us that track these and are aware of it tend to be a little bit surprised that we don’t see more attacks that use open resolvers,” he said. “It’s kind of a puzzle.”

Wessels believes that the move toward the next-generation IPv6 standard may be inadvertently contributing to the problem. Some of the modems are configured to use DNS server software called Trick or Treat Daemon (totd) — which converts addresses between IPv4 and IPv6 formats. Often this software is configured as an open resolver, Wessels said.

By Jon Brodkin
Network World (US)
November 16, 2009

FRAMINGHAM - Amazon’s cloud computing service should not be used for applications that require advanced security and availability, the Burton Group analyst firm says in a report accusing Amazon of secrecy regarding its cloud data centers.

Amazon has helped define the cloud computing market with its Elastic Compute Cloud (EC2), a service offering access to virtual server capacity over the Web. There are many things to like about EC2 and related platforms such as Amazon’s Simple Storage Service (S3), but there are also numerous unanswered questions about Amazon’s cloud infrastructure, according to the Burton Group.

Amazon seems to do a good job of network and physical security, but overall Burton Group gives the company “low marks for enterprise availability and security” because of a lack of transparency.

“Amazon maintains a strict ‘will not discuss’ policy regarding specific data center details. In Burton Group’s opinion, this position is unacceptable because it prevents organizations from assessing the risk posed by placing enterprise applications in EC2,” states a report titled “Amazon EC2: Is it ready for the enterprise?” written by Burton Group analyst Drue Reeves.

Amazon says its data centers meet Tier 4 specifications, with fully redundant power, backup power, networking and HVAC systems.

“However, no outside firm has inspected or audited Amazon’s data centers to verify these claims,” Reeves writes. “Due to lack of available information and audited inspection regarding Amazon’s data centers, Burton Group cannot verify Amazon’s availability claims.”

Specifically, Burton Group says Amazon customers have no way of determining the “physical redundancy level and data protection” of physical components such as servers, storage devices, network and power infrastructure. Burton Group also faulted Amazon for replication rates in its Simple Storage Service and a lack of failover between data center regions.

Amazon spokeswoman Kay Kinton said the Burton Group report contains inaccurate statements. For example, the report says Amazon lacks SAS 70 security certification, when in fact Amazon does have that certification, Kinton writes in an e-mail to Network World.

“In terms of reliability, we often hear from our customers that AWS [Amazon Web Services] can achieve higher degrees of performance than they’ve been able to achieve on their own,” Kinton writes. “Additionally, AWS gives users a great deal of control and visibility into a user’s environment. Users can choose where to place their data, they can run their applications and back up to multiple availability zones and in the event of any service interruptions, they have access to a service health dashboard that gives regular updates on the service health. We also have features that provide monitoring, Auto Scaling and Elastic Load Balancing for even greater resilience in building applications. One of the main reasons customers use our services is the reliability that we’re able to provide.”

Kinton also noted that Amazon recently launched the Amazon Virtual Private Cloud (VPC), which connects a customer’s existing infrastructure to a set of isolated cloud computing resources with a VPN connection.

“Amazon VPC enables enterprises to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their AWS resources,” Kinton writes.

The Burton Group did give Amazon high marks for scalability and said it offers adequate performance. EC2’s core strength is the ability to easily provision and load-balance virtual machine images, and compute-intensive applications that have small data sets and are built for parallelism will work well in the service, the analyst firm says.

However, Burton Group also says Amazon’s management tools do not integrate adequately with the management tools used by enterprises today. EC2 is often a good fit when organizations need to defer large capital expenses, but Burton Group says the service is still not suitable for applications that store sensitive information, require identity management, high degrees of availability and high rates of I/O transactions.

In the Burton Group’s opinion, the bottom line is that “Today, EC2 is a good fit for stateless, parallel, transient, scale-out applications. But gaps in EC2’s security and availability, poor enterprise management integration, vendor lock-in potential, and input/output (I/O) costs prevent organizations from using EC2 for applications that process vast numbers of transactions, house highly sensitive data, have low recovery point objectives, and require system failover to save application state.”

By Eric Lai
Computerworld (US)
November 11, 2009

FRAMINGHAM - An anonymous group calling itself “Control Your Info” has taken over hundreds of Facebook groups to highlight what it claims is a major security weakness on the social networking site.

Facebook downplayed the incident and said no hacking or confidential information was involved.

As of this morning, more than 200 Facebook groups were hijacked and renamed “Control Your Info”. Pasted on each group’s Wall was a message announcing that it had been “hijacked” and reminding members to be careful about controlling personal information on social networking sites.

“This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image,” the message said.

“For example we could rename your group and call it something very inappropriate and nasty, like ‘I support pedophile’s rights,’” the message said, while going on to assure group members that the group wouldn’t do that. The message also promised to restore each hijacked group’s name by the “end of next week” and promised not to “mess anything up.”

A separate Web site set up by Control Your Info claimed that the group’s action did not constitute hacking, but was a demonstration of how a legitimately available feature on Facebook can be used to easily hijack Facebook groups.

According to Control Your Info, when the administrator of a Facebook group leaves, anyone can register as a new administrator for that group. To take control of a Facebook group, a user only has to do a quick search on Google to identify public groups with no administrators.

Once someone signs up as a group administrator, that person then can do “anything” with the group, including changing its name, sending e-mails to members and editing information on it.

“This is just one example that really shows the vulnerabilities of social media. If you chose to express yourself on the internet, make sure the expressions are your own,” the group urged.

In an e-mailed statement, a Facebook spokesman downplayed the incident and said there had been no hacking and no confidential information was at risk.

“The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group,” the spokesman said.

The spokesman further stated that Facebook group administrators have no access to confidential information. Administrators can edit a group name, moderate discussions or send a message to members only in the case of small groups, the spokesman said. “The names of large groups cannot be changed, nor can anyone message all members,” he said. In cases where Facebook finds that a group name has been changed inappropriately, it will disable those groups, which is what it plans on doing in this case, he said.
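The takeover mechanism described above is an authorization edge case: an orphaned resource whose owner has left. The toy policy model below is an added example, not code from the article or from Facebook; it encodes the self-promotion rule, the capability limit for large groups that the spokesman describes, and an audit check that flags a self-promotion immediately followed by a rename. The group size threshold, class names and sample data are constructed assumptions.

```python
from dataclasses import dataclass, field

LARGE_GROUP = 1000  # constructed threshold: at or above this, no rename / message-all


@dataclass
class Group:
    name: str
    members: set
    admins: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # (event, actor) tuples

    def is_orphaned(self) -> bool:
        # A group is abandoned when none of its admins is still a member.
        return not (self.admins & self.members)

    def claim_admin(self, user: str) -> bool:
        """Self-promotion: any member of an orphaned group may become admin."""
        if user in self.members and self.is_orphaned():
            self.admins.add(user)
            self.audit.append(("self_promote", user))
            return True
        return False

    def can(self, user: str, action: str) -> bool:
        """Capability check; large groups cannot be renamed or mass-messaged."""
        if user not in self.admins:
            return False
        if action in ("rename", "message_all"):
            return len(self.members) < LARGE_GROUP
        return action in ("edit_info", "moderate")

    def rename(self, user: str, new_name: str) -> bool:
        if not self.can(user, "rename"):
            self.audit.append(("denied_rename", user))
            return False
        self.audit.append(("rename", user))
        self.name = new_name
        return True


def suspicious_takeovers(group: Group) -> list:
    """Detection: a self-promotion followed directly by a rename by the same user."""
    hits = []
    for prev, cur in zip(group.audit, group.audit[1:]):
        if prev[0] == "self_promote" and cur[0] == "rename" and prev[1] == cur[1]:
            hits.append(cur[1])
    return hits
```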


By Ellen Messmer
Network World (US)
November 11, 2009

FRAMINGHAM - While surveys about security usually end up telling us about how bad people feel, a global survey released Tuesday indicates there’s substantially less anxiety about Internet security, personal safety and national security than there was six months ago.

Concerns over security in everything from online shopping and banking to safety from computer viruses, as well as national security along with personal and financial security, were significantly down over what was recorded half a year ago for populations in the United States, the United Kingdom, Germany, Belgium, Brazil, Netherlands, Spain, Australia and New Zealand. More than 8,000 people were surveyed.

The change over six months ago represents about a 15% improvement in the levels of anxiety that people feel, according to the scoring system used in the “Unisys Security Index: Global Summary,” which covers the March to September timeframe. The reason for less anxiety all around is probably that there’s the sense the global economic crisis might be easing, making people less tense, a Unisys spokesman says.

However, when it comes to Internet and personal security, people in the countries where the bi-annual survey was done showed the most worry over bank cards and identity theft, and the highest level of concern about that was evident in Brazil, the United States and Germany. In contrast, those in the Netherlands and Belgium were not particularly concerned at all.

On the question of whether individuals had confidence in the ability of financial services providers or local governments to protect personal information, respondents in Spain were the most concerned, while those in Belgium and the Netherlands were largely unconcerned.

A separate set of questions asked individuals whether they were ready to accept biometric forms of authentication in lieu of passwords to protect online information. According to the survey, a slight majority globally are willing, with Australia the highest at 66%, while the lowest levels of biometrics acceptance were in Germany at 50% and the United States at 58%. The survey said that was a bit of a “paradox” since adults in those countries are among the most concerned globally about online shopping and identity theft.


By Jaikumar Vijayan
Computerworld (US)
November 11, 2009

FRAMINGHAM - The number of security flaws being found in Web applications continues to grow and will likely dominate the security agenda for years to come, according to a report by application security vendor Cenzic Inc.

Almost 80% of more than 3,000 software security flaws publicly reported so far this year have been in Web technologies such as Web servers, applications, plugins and Web browsers. That number is about 10% higher than the number of flaws reported in the same period last year, and nine out of 10 of the flaws were found in commercial code.

Similar numbers have been reported by others. A mid-year trend and risk report released by IBM showed that Web application threats have become the No. 1 source of security pain for enterprises. Attacks targeting these flaws have also risen sharply, in some cases doubling in less than a year.

The numbers suggest that vendors and Web application owners need to address Web application security issues, said Cenzic CTO Lars Ewe. “We are still stuck in the same situation we have been for a long time,” Ewe said.

The kind of “significant muscle” the industry put into dealing with network and perimeter-based software vulnerabilities has been missing when it comes to application security, he said. “This is going to be a long-winded process.”

Security flaws in the Web application layer can allow attackers to steal data, plant malicious code or break into other internal systems. Some of the most common vulnerabilities include SQL injection and cross-site scripting flaws and authorization and authentication errors. The massive data thefts at Heartland Payment Systems and several retailers recently resulted from SQL injection errors that allowed intruders to insert malicious code into their enterprise networks.

Though the security risks posed by such vulnerabilities have been well understood for years, a large and growing number of companies continue to be exposed to them.

At least part of the growth in vulnerabilities is tied to the rising number of Web applications and Web sites that spring up each year, said Chenxi Wang, a researcher with Forrester Research in Cambridge, Mass.

But buggy Web software products and sloppy in-house development processes continue to be huge issues, too.

Roughly 90% of the vulnerabilities analyzed by Cenzic for its report, which was released yesterday, existed in commercial, off-the-shelf software from both big and small vendors. Much of it appears to be the result of a continued emphasis on time-to-market at the expense of secure coding practices, Ewe said. “Engineering organizations are being measured on how fast they can respond to market pressures as opposed to how secure a system they can build,” he said.

The same factors have made security an afterthought with most internally developed Web applications, as well, he said. Cenzic’s analysis found numerous vulnerabilities in proprietary products outsourced to programming firms in India, China, Russia and other countries.

Adding to the problem is the growing complexity of Web application environments, especially since most of them are designed to receive and process input from external sources, such as customers and business partners. Large Web applications can have hundreds of places where users input data, each of which offers an opportunity for an attacker to inject malicious code into the system.

Finding such vulnerabilities isn’t easy, Wang said. And fixing them can be even harder because of the highly interconnected nature of Web applications. For example, fixing a code-injection error in a shopping cart function in an e-commerce application could require several tweaks to the entire application, she said.

Automated tools are available today to scan Web application code for errors and for penetration tests. While Web application firewalls, intrusion detection systems and data encryption measures can mitigate some of the risks, companies running Web applications still need to ensure that the underlying code is as clean as possible, according to analysts.


By Joan Goodchild
CSO (US)
November 6, 2009

FRAMINGHAM - Security certifications are the most sought-after area of specialty among information technology professionals, according to a new study from Computing Technology Industry Association (CompTIA). (Check out CSO’s certification directory to see certification options.)

The survey of more than 1,500 IT workers found that 37 percent intend to pursue a security certification over the next five years. Another 18 percent of IT workers said they will seek ethical hacking certifications during the same time period, while 13 percent identified forensics as their next certification target. The results are included in the CompTIA study ‘IT Training and Certification: Insights and Opportunities.’

“Given the growing reach of security, with threats becoming more pervasive and dangerous and with no business or industry immune to those threats, it makes sense that many IT professionals view this as a must-have for career advancement,” said Terry Erdle, senior vice president, skills certifications, CompTIA.

The results fall in line with a survey conducted by the same organization earlier this year that found more companies are requiring IT security certification. In that research, the number of organizations where IT security certification is required has increased by half and is continuing to grow; 32 percent of employees were required to have certifications in 2008, compared to 20 percent in 2006. Other technology areas where survey respondents said they will seek new certifications over the next five years include green IT, healthcare IT, mobile and software-as-a-service.

Economic advancement and personal growth are key drivers for seeking IT certifications, the CompTIA study also reveals. Eighty-eight percent of certification holders indicated they pursue a certification to enhance their resume. An identical 88 percent said personal growth is a major or minor reason in their decision to pursue a certification.


Computerworld Philippines Staff
November 4, 2009

High shipping costs emerged as the top reason US online buyers abandon their shopping carts, recent research from payment gateway Paypal revealed.

A significant 40% of shoppers, however, said they would’ve completed their purchases had the shipping costs been displayed upfront, prompting the gateway company to launch a new service called Express Checkout which integrates a Paypal Instant Update API, enabling merchants to show order details earlier in the purchase.

“To get shoppers to complete their purchases, it is critical that merchants make the checkout experience easy and costs transparent,” said Mario Shiliashki, general manager of PayPal Southeast Asia and India. “Our new PayPal Instant Update API will help merchants get customers the information they need upfront to drive sales.”

Filipino merchants with customers in the USA may also find it relevant that security concerns and lack of convenience came up as the next two reasons buyers abandon their carts, which, according to Paypal, costs suppliers an average of $109.

“Besides the cost factor, merchants who aim to sell to a global audience need to remember that online shopping needs to be a hassle-free and safe experience for the buyer,” added Shiliashki. “Integration with shopping cart vendors, hosting vendors and efficient methods of payment like PayPal makes the shopping journey more seamless for the buyer. Sweetening the deal with free shipping, coupons and special discounts is also a great way to encourage online shoppers to complete their purchases – especially with the upcoming Holiday season.”

Aside from the abovementioned factors, cost still reigns as a major hindrance for customers looking to buy products online. “More than one-third of respondents abandoned checkout because they didn’t plan for all of the expenses; while more than 25 percent left the site to search for a coupon. However, one-third of shoppers later returned to the same site to buy. 20 percent of those surveyed eventually went on to purchase the items at a physical store or at a competitor’s website,” the survey revealed. – John Mark V. Tuazon


Copyright (c) 2009 Media G8way Corp. All Rights Reserved. Reproduction in whole or part in any form or medium without express written permission of Media G8way Corp is prohibited.