U.S. State Dept. gets pwned
A break-in targeting State Department computers worldwide last summer occurred after a department employee in Asia opened a mysterious e-mail that quietly allowed hackers inside the U.S. government’s network. [AP]
Not-so-compliant: CVS leaves credit-card, SSN and prescription info to dumpster divers
The same Texas Attorney General who is suing Radio Shack for dumping all sorts of customer info into the trash is now also ready to sue pharmacy chain CVS for similar moves. CVS employees were apparently dumping customer records where any dumpster diver can get them, including all the expected info: name, address, phone number, social security number, credit cards and prescription data.
Extending the outrage: Malware authors exploit Virginia Tech tragedy
Camera phone footage ruse leads to Trojan depository. [TheReg]
Oracle patches 36 holes
Oracle Corp. on Tuesday issued patches for 36 holes in the database management system, application server, E-Business Suite and JD Edwards and PeopleSoft software. [SearchSecurity.com]
The IT industry’s trend towards consolidation continued yesterday as USinternetworking Inc. (USi) announced that it has acquired Daniel IT Services Inc., a Madison, Ala.-based consulting firm focusing on WebSphere Commerce suite implementation.
USi, an application service provider which was itself bought by AT&T last year, says the acquisition will allow it to complement its hosting with front-end consulting.
“Our service model has always been to create an outstanding managed service capability, and really through that capability and provide clients the ability to maximize their purchase of that application,” said Curtis Hampshire, USi’s general manager of eBusiness. “In terms of WebSphere [Commerce] knowledge, our clients have wanted us to have deeper knowledge with the application.”
While Daniel IT will help complement USi’s services, the interesting point may be that the move is further evidence that the IT industry is consolidating, said Gartner vice president of research Michele Cantara.
“It certainly gives them a lot of feet on the street — or more feet on the street — when there’s really a talent shortage” in the industry, she said.
Wireless security puts IRS data at risk
Internal Revenue Service offices across the nation that use wireless technology are still vulnerable to hackers, according to the latest assessment of the agency’s security policies released Tuesday. [AP]
Intel Announces Ultra Mobile PC 2007 Platform
Intel Ultra Mobile PC 2007 platform to encompass both MIDs and UMPCs. [Dailytech.com]
I read in Ryan Naraine’s Zero Day blog that hackers are using Microsoft Security Response Center pre-patch advisories to create exploits prior to the patch release.
Microsoft claims that keeping users informed (and yet not disclosing too much information) is a balancing act, and it’s obvious that they don’t always get it right.
As a VAR or consultant, you can help your customers prepare for patches with our Patch Management Project Guide, but how can you really protect them from pre-patch exploits?
The answer might be host-based intrusion prevention systems (HIPS) and network access control (NAC). See Kevin Fogarty’s Channel Marker blog post for one vendor’s take.
If the hackers have Microsoft’s number, you can make sure that’s all they have. We’ve got your circus high wire balancing pole on SearchSecurityChannel.com, so keep checking our network access control and network intrusion management topic centers for the latest news and advice for resellers.
On April 29 LANDesk plans to announce a Host-Based Intrusion Prevention System (HIPS) that will plug into the administration console and function as a part of its overall Security Suite.
The system relies on fairly heavy duty software that sits on each client machine, tracking the activity and requests of each piece of software on it.
The client software (which LANDesk refers to as the host) stores in a local database comprehensive data about the activity of the software on the machine – when it asked for Internet access and whether it had permission; what new applications showed up and what they did; what activities forbidden by security policy the software attempted.
IT administrators create the policies from a central console, either assigning individual end users to a profile that defines the applications they can run and what those applications can do, or creating a custom set of permissions for one or more users.
The client software itself identifies “normal” activity for each application by sitting on the machine long enough (LANDesk recommends two weeks) to establish a baseline.
LANDesk execs, who emphasize that the company sells 100% of its products through the channel, said behavior-based analysis is a more reliable way to identify malicious code than by virus signatures that have to be updated frequently; they also said that storing the security profiles and analysis engine on laptops and PCs protects the machines even when they’re disconnected from the network, and doesn’t require a period of quarantine when they reconnect.
“Host-based protection is the last line of defense for the enterprise,” according to an estimation that Dan Blum, a security analyst at The Burton Group, based in Midvale, Utah, provided to IT administrator site SearchWinIT.com.
LANDesk’s product will be released May 9; pricing was unavailable.
Symantec today launched a Software as a Service (SaaS) security platform that it will sell both directly and through the channel.
The platform, called the Symantec Protection Network, is designed for small- and medium-sized businesses (SMBs). The first offering is a browser-based data backup and restoration service, which debuted in a beta version today and will become available later this year.
Value-added resellers (VARs) will be able to customize the service and manage it for customers, while clients who buy direct from Symantec can manage it themselves online. Symantec developed that process with its channel partners over the course of the last year to show they will not be competing against each other, said Jeffrey Housman, the senior director of product management for managed and online services.
Symantec hopes its SaaS will afford SMBs the same “high levels of service reliability and data security” as enterprise businesses, said Arthur Wong, vice president of security response and managed security services, in a statement.
Microsoft has given the channel a reprieve: an extra year to switch to Windows Vista.
The company is ending its Windows XP availability to OEMs and retailers Jan. 31, 2008, but the channel will be able to buy that operating system through January 2009, according to Microsoft’s license availability roadmap.
Microsoft launched XP in late 2001. This year’s Vista launch marked the company’s longest gap between new operating systems.
IDC Channel Panel reports modest gains for first quarter of 2007
Most sectors of the channel business showed modest gains during the first quarter, according to IDC’s Channel Panel. Servers enjoyed the most notable gains, followed by storage software. Voice showed constant increases quarter over quarter; security and PC sales slightly improved, while hardcopy, networking, and storage hardware experienced little change. [Tekrati]
Intel says new chips about 40% faster
Intel Corp. said a new line of computer processors due out later this year will be about 40 percent faster than current chips when running computer games, videos and other heavy workloads. [Reuters]
Intel launches first quad-core storage server
The chip maker says it plans to work exclusively through OEMs and channel partners to try to increase its presence in the SMB storage server market. [eWEEK]
You might think your customers would have to be living in a cave these days to avoid news of high-profile data breaches and privacy regulations. But do they understand the need for data security as a business issue that impacts their business? According to SearchSecurity.com contributors Craig Norris and Tom Cadle, data privacy laws are commonly ignored by private companies:
There is a huge misconception among information security professionals today that data privacy laws are not applicable to private companies, but are only designed for publicly traded companies, government organizations or financial institutions. This is not the case. Whether your company is public or private, large or small, today’s information privacy regulations may affect you and your organization on many different levels, not just financially and legally.
The article goes on to illustrate the value of private information and the laws that affect the use of this information — all valuable selling points when presenting a data protection strategy to your customer. You’ll also find a series of questions that you can ask to catalog their data collection practices.
As your customers’ trusted adviser, you play a key role in keeping them informed of security threats and how they apply to their business. It can be easy to tune out issues we like to think don’t apply to us. It’s your job to make your customers listen and understand why they should care.
Two interesting new tools for the enterprise are getting some press today. Big Blue’s OmniFind Yahoo edition enterprise search tool allows companies to search their stored information. From the sound of it, it seems like companies will be able to search their data portfolios to track down stored information. Not a bad idea for storage VARs who specialize in compliance to take a look at this. Instead of having to search file by file for old information that wasn’t properly tagged and archived, the tool allows for customizable searches that will reduce time spent tracking down information and allow VARs to devote more time to meeting regulatory compliance rules.
The other tool that caught my eye is a loss calculator that estimates the cost of lost data in an enterprise. This could be another useful tool for VARs who are trying to sell a professional service contract locking down data. Imagine the power of being able to put a dollars-and-cents value on a data breach. Seems like it could be a powerful sales tool.