Security Bytes

November 7, 2007  1:14 PM

Social networking backlash

Marcia Savage

Social networking sites like Facebook and MySpace aren’t very popular in the corporate world, according to a study by Barracuda Networks.

Analyzing data from businesses using its Web filtering appliance, the company found that 44 percent block MySpace while 26 percent block Facebook. More than 50 percent block one of those sites or both.

“It was interesting to us to see such a significant backlash in the corporate environment, with 50 percent blocking the social networking sites. And that number will go higher,” Dean Drako, Barracuda president and CEO, said in an interview. “Customers that weren’t blocking but were monitoring social networking sites … a significant percentage expect they’ll be blocking those sites soon.”

Customers said they were concerned about the sites being a productivity drain, Drako said. They also were worried about offensive content on MySpace.

A separate survey of 228 IT professionals by Barracuda showed that the top reason businesses restrict employee Web surfing overall is to block viruses or spyware. Productivity was the second biggest reason.

November 6, 2007  11:19 AM

Microsoft privacy guru: Cyberspace needs CardSpace

Leigha Cardwell

It’s been awhile since I’ve heard anyone talk about Windows CardSpace, the Microsoft client software Bill Gates has pushed as the best way to do away with passwords. But at the CSI 2007 conference in Arlington, Va., Tuesday, attendees got an in-depth look at what CardSpace is about from none other than Kim Cameron, the software giant’s chief privacy guru.

Windows CardSpace allows users to provide their digital identity to online services in what Microsoft calls a “simple, secure and trusted way” and is what Cameron calls an identity selector.

The Microsoft Web page on CardSpace explains: “When a user needs to authenticate to a Web site or a Web service, CardSpace pops up a special security-hardened UI with a set of “information cards” for the user to choose from, he explained. Each card has some identity data associated with it — though this is not actually stored in the card — that has either been given to the user by an identity provider such as their bank, employer or government or created by the user themselves.”

Cameron offered CSI attendees a very detailed breakdown of the concept and ended by declaring, “We need an ID metasystem that’s open, inclusive and protects the user’s privacy.” CardSpace is the answer, he said.

The crowd seemed receptive to his argument and I’m not surprised. In all my reporting about identity and access management, the common complaint among IT administrators has been that passwords are a very weak link in the security chain.

The CardSpace concept is a solid one, most seem to agree, but those who have to manage the technology have expressed concern over Microsoft’s ultimate execution. My colleague Mike Mimoso captured that concern at the RSA conference back in February, writing that while some security managers accept the notion that, at a high level, Gates’ vision is solid, execution may be another matter.

“We’re seeing the need for everything he talked about, but executing and converting it all to reality; that’s the difficult part,” David Porubovic, security engineer with Marriott International, told Mimoso at the time. “It’s the right direction, provided that it can be implemented, it’s cost effective, transparent to the user and easy to manage. That’s the big headache.”

The pros and cons of CardSpace are something I plan to write more about in the next couple of weeks, and I’m looking for some IT administrators to share their experiences on the matter. Offer some initial thoughts in the comment section of this blog and we can go from there.

November 5, 2007  5:10 PM

Cyber Jihad on Nov. 11? Um, probably not

Eric Parizo

Numerous reports have surfaced regarding what’s being described as an al-Qaeda plot to hatch a cyber jihad Nov. 11, directed at numerous Web sites. According to the initial report by the online publication DEBKAfile, the attack is expected to begin by targeting 15 western, Jewish, Israeli, Muslim apostate and Shiite Web sites, and expand from there.

Have no fear. Johannes Ullrich, Chief Research Officer of the SANS Internet Storm Center and one of this team’s most trusted sources, says there’s no need to cancel your Nov. 11 dinner plans. In a post today on the SANS ISC blog, Ullrich says it’s likely that the attack will never come to fruition, noting similar past claims that went nowhere and that the date Nov. 11 is often known for hoaxes.

“So in short: stay calm, focus on best practices and you don’t have to do anything special on November 11th,” Ullrich says. Well, that is, unless you were planning something special already.

November 5, 2007  2:00 PM

Destroying that disk isn’t always enough

Leigha Cardwell

This morning at the CSI 2007 security conference in Arlington, Va., attendees got some insight into the future of criminal investigations in the cyber world from Jim Christy, director of futures exploration at the Defense Cyber Crime Center (DC3).

Specifically, he was there to discuss the “power and real-world challenges of digital forensics and e-discovery today.” He also spent some time talking about the National Repository for Digital Forensics, which DC3 is developing with Oklahoma State University.

But what seemed to interest the audience most was his tale about how, during a murder investigation, he and his partners were able to extract damning evidence from the pieces of a shredded disk that they managed to piece back together with tape. The data outlined how a man had upped his wife’s insurance policy and then had her murdered.

But as he told his tale, I couldn’t help but think of the advice we’ve heard about how one way to keep sensitive data out of malicious hands is to destroy the disks and other storage devices where it’s kept. Misplacing or forgetting about storage devices that are no longer needed by their owners is one way the bad guys have come across data they could sell on the black market or use to commit other kinds of fraud.

Destroy the disk and the crook can’t extract the data, the advice goes.

But as Christy’s tale points out, sometimes juicy data can be extracted even if the storage device housing it has been shredded, smashed or crushed.

Granted, Christy’s team had to go through an enormous amount of trouble to retrieve the information and they were motivated by the need to catch a killer. But with so much money to be made off stolen data these days, I think it’s plausible that organized criminal outfits will resort to hiring hotshots capable of similar data retrieval tactics.

November 2, 2007  10:08 AM

and the debate over SaaS security, email confidentiality

Leigha Cardwell

By Bill Brenner

Software as a Service (SaaS) is growing in popularity, and along with it comes the inevitable debate over the security implications.

Driving the debate is recent news about a security breach affecting clients of a SaaS vendor, including Automatic Data Processing Inc. (ADP) — one of the nation’s biggest payroll and tax services providers — and SunTrust.

The Washington Post had an item on the incident a couple of weeks ago, reporting that a database of email addresses and names for SunTrust and ADP employees was pilfered from The data was apparently exploited for a phishing scheme urging would-be victims to download a .pdf in reference to an identity theft claim. Thousands of email addresses were reportedly compromised, and about 500 people apparently received phishing emails.

Arieanna Schweber writes in the Absolute Software Laptop Security blog that the issue at hand is not phishing, since it’s a fairly universal problem now, but whether or not people should be notified if their email address is compromised.

That said, I want to use this week’s column to solicit feedback not only on the question of whether compromised email addresses should be treated like compromised credit card and Social Security numbers, but on the issue of SaaS security in general.

First, a little background on SaaS, courtesy of my friends at and Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is becoming an increasingly prevalent delivery model as underlying technologies that support Web services and service-oriented architecture (SOA) mature and new developmental approaches, such as Ajax, become popular. Meanwhile, broadband service has become increasingly available to support user access from more areas around the world. SaaS is closely related to the ASP (application service provider) and On Demand Computing software delivery models. IDC predicted SaaS would make up 30% of the software market this year and will be worth $10.7 billion by 2009.

Benefits of the SaaS model include:

  • Easier administration
  • Automatic updates and patch management
  • Compatibility: All users will have the same version of software.
  • Easier collaboration, for the same reason
  • Global accessibility.

The question for some is whether or not a SaaS vendor can secure those Web applications better than its clients could on their own.

Rational Survivability blogger Christofer Hoff believes in SaaS in general, but isn’t so sure using it means better security.

“I believe in SaaS [and] encourage its use if it makes good business sense,” he writes. “I don’t, however, agree that you will automatically be more secure.”

Hoff wisely notes that as SaaS adoption grows, driven by compliance, outsourcing, or efficiencies of a leveraged business model, we’re going to have to pay more attention to what it means to have our data spread out beyond the supposedly ironclad perimeter companies have spent so much time and money on.

“It means making sure your policies extend and are applicable outside the castle,” he writes. “It means potentially engaging a third party to test the assertions the company makes about their posture.”

The security breach is a good example of why this is necessary, Hoff says. There’s a secondary market for stolen data and once the information is loose, the lost trust can mean lost business, he notes.

The other question, of course, is whether email addresses should be treated as confidential data.

Schweber presented both sides of the argument in her blog entry: Some would argue that email addresses are available in the public sphere, she says, but others would argue that some remain private and that access to emails in list form increases the risk for phishing scams and potential identity theft incidents.

Jack Dunning, keeper of The Dunning Letter blog, writes that email addresses are just like Social Security numbers — everywhere and fairly easy to access.

“The big difference,” he says, “is the connection between the address and a company which lends it the necessary credibility, and that is why we need to begin to secure this medium before this newest hoax gets out of hand.”

What do you think? Can SaaS vendors provide their clients with better security? Should emails be treated as confidential data?

I ask the readers to opine.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at

November 1, 2007  7:14 PM

Cisco snaps up Securent

Marcia Savage

Cisco Systems on Thursday said it agreed to buy security software maker Securent for about $100 million.

Cisco described Securent’s policy management software as allowing enterprises to administer, enforce, and audit access to data, communications, and applications in heterogeneous IT environments.

“As enterprises shift to service-oriented architectures and adopt technologies such as unified communications and Web 2.0 based collaboration, there is a rising need for control over access to distributed enterprise resources,” Don Proctor, senior vice president of Cisco’s collaboration software group, said in a prepared statement.

Mountain View, Calif.-based Securent was founded in 2004 and has 57 employees with development operations in India. The deal is expected to close in the second quarter of Cisco’s fiscal year 2008.

Scott Crawford, research director at analyst and consulting firm Enterprise Management Associates, wrote in a recent report that the need to more closely manage resource access for more effective governance and risk management is spurring innovation in the identity management market.

He added that “the elaboration of XACML, the XML Access Control Markup Language, has factored centrally in the emergence of Securent’s distinctive entitlements management offering.”

November 1, 2007  4:10 PM

Bit9 releases top 10 vulnerable apps for 2007

Robert Westervelt

The folks at endpoint security vendor Bit9 Inc. of Cambridge, Mass., released their list of top vulnerable applications for 2007. Most of the apps on the list can be downloaded by users and many have updates making them more secure. We’ll probably see a number of security vendors come out with lists like this in the next couple of months.

  1. Yahoo! Messenger and earlier
  2. Apple QuickTime 7.2
  3. Mozilla Firefox
  4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
  5. EMC VMware Player (and other products) 2.0, 1.0.4
  6. Apple iTunes 7.3.2
  7. Intuit QuickBooks Online Edition 9 and earlier
  8. Sun Java Runtime 1.6.0_X
  9. Yahoo! Widgets 4.0.5 and previous
  10. Toolbar and previous

October 30, 2007  4:55 PM

McAfee buys ScanAlert

Marcia Savage

On the heels of its acquisition of SafeBoot, McAfee on Tuesday said it’s buying ScanAlert, a supplier of Web site security certifications, for $51 million.

Napa, Calif.-based ScanAlert audits and certifies the security of more than 75,000 Web sites. Its Hacker Safe certification is displayed by big-name brands like Guess and Petco. McAfee will integrate ScanAlert’s service into its SiteAdvisor Web rating system, which warns users about malware-infested or otherwise risky Web sites.

If certain performance targets are met, the deal will cost McAfee another $24 million. The acquisition is expected to close in the first quarter of 2008. McAfee will integrate ScanAlert into its Web Security Group.

Earlier this month, McAfee acquired data encryption and access control vendor SafeBoot for $350 million to boost its endpoint security product offerings. In a report, Andrew Braunberg of CurrentAnalysis wrote that the deal made sense from a product development direction but added that the price tag seemed steep.

Interestingly, while McAfee continues in an acquisitive mode, Braunberg recommended in a separate report that the vendor should seriously consider any offers to be acquired.

“With the recent acquisitions of RSA and ISS, the security market has entered a new phase of consolidation and appreciation by the larger IT infrastructure vendor community,” he wrote. “McAfee would be a smart acquisition for any number of players including identity management, systems management, or network management vendors. Again, while the possibilities are many, two examples are HP and Novell.”

October 30, 2007  8:31 AM

FTC: Beware of phishing attempts

Leigha Cardwell

Phishers are sending out fake messages from the Federal Trade Commission that drop malware onto the machines of users who click the malicious attachment.

In response, the FTC has issued a public warning to consumers not to open fraudulent emails made to look as though they come from its fraud department. The email says it’s from “” and has the FTC seal. Click on the attachment and you’ll download malware designed to steal passwords and account numbers, the agency warned.

“It’s a treasure trove for identity theft,” David Torok of the FTC’s Bureau of Consumer Protection told the Reuters news service. “We’re concerned. The virus that’s attached to the email is particularly virulent.”

The agency doesn’t know how many people found the email in their inboxes, but Torok confirmed the agency has received hundreds if not thousands of calls and complaints.

Recipients of the email are advised to forward it to, an FTC spam database used in its online fraud investigations.

October 29, 2007  7:47 AM

TJX court documents confirm earlier suspicions

Leigha Cardwell

I’m not surprised by court documents claiming that TJX blew it on nine of the 12 requirements of the PCI Data Security Standard (PCI DSS), which of course allowed hackers to break into its network and steal the credit card information of more than 94 million customers. PCI DSS auditors have been suggesting for months that TJX had failed on some of the core elements of the standard.

Several banking groups are suing the retail giant for all the money they were forced to spend re-issuing credit cards compromised in the security breach, and last week the plaintiffs filed a new batch of documents in Boston federal court claiming that, among other things, TJX violated PCI DSS by failing to properly secure its wireless network; failing to wall off parts of the network where sensitive data was stored from other parts of the network (popularly referred to as segmentation); and storing data that shouldn’t have been kept around in the first place.

That the latter issue was a factor in the breach is something PCI DSS auditors have been saying for some time.

Way back in March, Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said the breach offers some clear examples of the wrong way to treat sensitive data under the PCI DSS. At the very least, TJX violated the PCI DSS by storing unencrypted cardholder data, agreed James DeLuccia, an independent auditor based in Atlanta, Ga.

“Credit and debit card data is something the PCI Security Standards Council will be concerned about,” he predicted around the same time. “You’re not supposed to store that kind of data, and [TJX] had it online and unencrypted.”

The court documents also confirm another prediction the PCI DSS auditors made — that Visa and/or MasterCard would probably pelt TJX and its card processor with fines. According to one report on the court filings, Visa has already fined TJX’s card processor $880,000 and plans to collect more in the future.

When I interviewed the PCI DSS auditors for that March report, I got plenty of good advice on how retailers could avoid the same mistakes. The best advice, in my opinion, came from Joseph Krause, senior security engineer for Chicago-based AmbironTrustWave.

He said companies first have to get a fix on where customer data is on the network, where it travels and whether or not it’s encrypted.

“Understanding where the data is and where it goes is a challenge for some, but it’s a very important part of PCI DSS,” he said. “If you don’t know where your data is traveling and where it is stored, you can’t secure it.”

Krause also said companies have to be sticklers for network monitoring. “Usually when we see an environment for the first time, we find they are deficient in this area,” he said. “Just being able to help them understand which logs they need to have a close eye on, on a daily basis,” is a lot of work.

Finally, companies need to understand that there’s no single product or service that can alleviate an enterprise’s PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to an organization’s particular make-up.

“I tell clients it’s not an easy process and it is an educational experience,” he said. “The requirements for every company on the path to PCI compliance are quite different. There’s no one-size-fits-all approach.”

For more advice on how best to respond when your company is hit by data thieves, check out this story from last week’s data breach roundtable discussion at the Harvard Club in Boston.

And keep an eye on this week for another analysis we’re putting together on lessons from the TJX data breach.
