So it seems like Google is on the right track, but it’s still unclear to me exactly what the company’s intentions are regarding security. Will it release Web security tools for users and webmasters to implement? Or will the security folks just be working behind the scenes on in-house projects? It’s probably too early to tell, but if the recent past has taught us anything about Google, it’s that the company doesn’t do anything halfway or without a lot of forethought. That might portend more sleepless nights for security vendors who already have to worry about Microsoft encroaching on their turf and now have the considerable shadow of the Googleplex hanging over them.
Technorati Tags: Google, Google+security, Symantec, McAfee
Sun is a global enterprise and its development and sales forces operate on campuses around the world. Sun Ray virtual desktop Java thin clients will remain standard issue, she says, but the need for mobility means a prevalence of Macintosh and Windows-based notebooks and devices. This is unavoidable and necessitates some flexibility and admittedly some security tradeoffs, says Lambert, who carries a Sony P910 mobile phone.
“Sun is an environment where we have not permitted a lot of Windows desktops. We’re shifting there,” Lambert says. “With our [employees] working from home or various campuses, the need to put more mobile devices for productivity is a reality. We’ll have to now focus on higher levels of data protection.”
Lambert says Sun employees can expect a ramp-up of awareness programs and security tools on those devices including antivirus, firewall and network access control that authenticates and audits mobile devices before they connect to the Sun network. In addition, depending on the categorization of data on the device and job responsibilities, hardware encryption may soon be part and parcel of laptops; all will have encryption software installed.
“Sun has been in a position to be able to create so much unique intellectual property to offer to the industry,” Lambert says. “Our collection of IP is who we are; protecting that is important.”
Technorati Tags: Sun, Java, identity+management, access+controls, intellectual+property, Leslie+Lambert
The Mozilla Developer Center blog outlined the plan:
“On Wednesday, May 30, we expect to begin distributing Firefox 126.96.36.199 and Firefox 188.8.131.52 via automatic updates. These are standard stability and security updates for the browser to ensure a fast and secure online experience for our users. We expect this is the final stability and security release for the version 1.5 product series. Firefox 184.108.40.206 includes an auto-update mechanism that offers users the ability to migrate to Firefox 2. The upgrade offer will be enabled within a few weeks. We strongly encourage everyone to download Firefox 2 now at www.getfirefox.com to benefit from features that make search, communication and online security more effective.”
Technorati Tags: Mozilla, Firefox, Firefox+update
“The BBB name continues to be used in phishing scams,” the organization said. “Fraudulent emails containing malicious links and viruses have been sent to businesses and consumers around the country claiming to contain information on a complaint filed with the Better Business Bureau. None of the BBB’s computer and email systems are involved in this hoax. The BBB and authorities are working together to stop these continued attacks.”
Here’s some more from the Web site posting:
THE EMAIL YOU RECEIVED MAY BE FRAUDULENT IF:
You have received a complaint in regards to your business services .The complaint was filled By [Complainant's Name] on 24/05/2007/Complaint Case Number: 363619942
Complaint made By Consumer – [Complainant's Name]
Complaint registered against : – [Company Name]
Targeted execs are advised to steer clear of such links and attachments, and to aid the investigation by forwarding the email and its headers to email@example.com.
Technorati Tags: Phishing, Pfishing+attacks
According to the report, China’s military has amassed first-strike capabilities that include units tasked with writing malware that can be hurled at enemy computer networks.
“The PLA (People’s Liberation Army) has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks,” the report says. “In 2005, the PLA began to incorporate offensive CNO (computer network operations) into its exercises, primarily in first strikes against enemy networks.”
Fears over state-sponsored cyberattacks grew recently when the Baltic country of Estonia suffered a series of blistering distributed denial-of-service attacks. Experts initially feared the attack was sponsored by Russia, but researchers ultimately determined the onslaught was the handiwork of ragtag groups in command of botnets.
Technorati Tags: Chinese+botnets, botnets, chinese+military, cybercrime
The new president and chief executive is William A. Roper Jr., who has been a director of VeriSign since November 2003. He was most recently executive VP of Science Applications International Corporation.
The company isn’t offering a specific reason for Sclavos’ exit, though the Dow Jones Market Watch site says the board of directors determined it had “reached a point in its evolution where it can benefit from new leadership.” However, the board did say in a statement that a “review of the company’s historical stock option grant practices by an ad hoc group of independent members of VeriSign’s board of directors … did not find intentional wrongdoing by any current member of senior management, including Sclavos.”
Sclavos said in the statement: “I want to thank the people of VeriSign for their support and contributions over the past 12 years. I am proud of my role in building VeriSign into the great company it has become, and wish all of my associates the very best in the coming years.”
The company has postponed its June 6 analyst meeting until a later date.
Technorati Tags: VeriSign, William+Roper, iDefense+Labs
Writing about her recent experiences speaking at several security conferences, security researcher Joanna Rutkowska said in her Invisible Things blog recently that she was shocked at how little many CIOs and CISOs understood about basic security concepts.
Rutkowska keynoted at the InfoSecurity conference in Hong Kong. Her central message was that “technology is just as flawed as the so called ‘human factor,’ understood here as a user’s unawareness and administrator’s incompetence.” Rutkowska said that although it was the least technical presentation she’s ever given in her life, it was still perceived as too technical by the audience.
“And I didn’t even mention any specific research I’ve done – just some standard stuff about exploits etc…,” Rutkowska wrote.
In a discussion panel after the keynote, Rutkowska observed that some CIOs and CISOs were naïve to many basic security concepts.
I’m sure some upper-level IT pros go to security conferences to gain a higher level of understanding of security technologies. But if you’re going to be a presenter or take part in a panel discussion, you should probably have a basic level of IT security knowledge. Do CIOs and CISOs have an agenda when they take part in a security conference, or are they really there to give attendees insight on ongoing IT projects?
Technorati Tags: CIO, CISO, Joanna+Rutkowska
Google launches its own security blog
We’ve written plenty about Google-based threats of late, but the search giant has just made a big gesture to show it takes security seriously — it has launched a blog all about Google security.
The blog’s authors say in its inaugural posting that online security is an important issue for Google, its users and anyone who uses the Internet.
“Thus, we’ve started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security,” they wrote. “Among the issues we’ll tackle is malware.”
They note that Google started an anti-malware effort about a year ago. “As a result, we can warn you in our search results if we know of a site to be harmful and even prevent exploits from loading with Google Desktop Search,” they said.
Still shopping after the data breach
In the Emergent Chaos blog, Adam Shostack asks why customers don’t take their business elsewhere after a company acknowledges a data breach. He offers two theories: people may simply not know about the breaches, or they are so overwhelmed with notices that they can fail to grasp the significance of a data breach notification letter.
“The trouble is, I haven’t met anyone who says that they’ve gotten so many notices they just ignore them now,” he wrote. “Absent data, I’m leaning toward the first explanation.”
One of his readers responded that his or her parents continued shopping at TJ Maxx even after TJX disclosed the breach that exposed at least 45.7 million credit and debit card holders to identity fraud. This, the respondent said, is because they didn’t understand what it means to have that information stolen, and that’s probably what has happened in many instances.
Shostack is looking for more feedback, so here’s my two cents: People have a tendency to ignore a problem until they personally suffer some consequences. I doubt identity theft victims who have traced their woes back to the TJX breach are still shopping there.
From phishing to vishing
Gunter Ollmann over at IBM ISS has an entry in the Frequency X blog this week about the increasing threat to VoIP users. He points to a white paper on what has become known as “vishing” — phishing attacks directed at VoIP users. Given the explosion of VoIP usage in the last couple years, it makes sense that attackers would use the technology to dupe users with the same social engineering tricks that seem to work so well for them everywhere else. Here’s a bit from Ollmann’s posting:
“Phishing has increasingly developed into a broader category of threats that rely on social engineering to cause a message recipient to perform auxiliary activities that enable the phisher to conduct the second phase of the attack. Phishers rely on numerous Internet messaging systems to propagate their attacks. As such, many similar-sounding threats have been named based on the messaging system being used—each with its own nuances and target audiences.”
Hence the term “vishing,” for phishing attacks aimed at VoIP users.
Update on Mary Ann Davidson blog
I recently took Oracle CSO Mary Ann Davidson to task for not updating her blog more often. Out of fairness, I’m back to report that after a gap of nearly four months, the Mary Ann Davidson blog has a fresh entry connecting her travels in the Holy Land with some lessons about security in the age of Web 2.0.
I’ll leave it to readers to visit her blog for the full details. My purpose here is to restate my opinion that blogs should be updated regularly, especially when the blogger is focusing on current events.
My gripe with Mary Ann’s blog was that she hadn’t updated a Jan. 29 posting in which she touted what was at the time an upcoming keynote address at the RSA security conference from Oracle CEO Larry Ellison. As RSA attendees know, it’s a keynote Ellison canceled at the 11th hour.
It’s understandable when a blogger is kept from filing regular updates due to business travel and other reasons. But when facts that were true at the time of posting change, the blogger has a responsibility to correct the record, at least out of respect to customers who are visiting the blog for guidance on what the company is up to.
As I said in that previous column, Oracle has caught plenty of flak for not being on top of its security game. To be fair, the company has taken some encouraging steps in recent months to improve the patching process for DBAs, including its decision to streamline the quarterly patch bulletin, offer more details about its security holes and even offer advance notice on upcoming fixes.
But when the database giant’s main security voice stays silent for long periods of time and leaves her blog out of date, it doesn’t help to bolster the company’s image.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at firstname.lastname@example.org.
Technorati Tags: Google, antimalware, data+breach, VoIP+Security
The IT department discovered May 12 that the worm entered the server through a flaw in its Symantec antivirus software. That flaw had not been properly patched by Arts and Sciences Advising Center IT staff, the university admitted. Investigators don’t believe the hacker sought personal data; rather, they think the attacker was attempting to take control of the machine so it could be used to infiltrate other computers both on and off the Boulder campus.
“The server’s security settings were not properly configured and its sensitive data had not been fully protected,” Bobby Schnabel, CU-Boulder vice provost for technology, said in the statement. “Through a combination of human and technical errors, these personal data were exposed, although we have no evidence that they were extracted.”
Todd Gleeson, dean of CU-Boulder’s College of Arts and Sciences, said he would request that all Arts and Sciences Advising Center IT operations be placed under the direct central control of CU’s Information Technology Services department.
Technorati Tags: Symantec, data+breach, identity+theft