Archive | Hacked

Cost of security, IT management add up at healthcare facilities, study finds

Researchers at Harvard University have uncovered what could be a confounding problem facing the healthcare industry: digitizing healthcare records and deploying new technologies fails to deliver the promised cost benefits. For years, hardware and software vendors have touted the return on investment (ROI) when enterprises, including healthcare facilities, streamline or eliminate inefficient manual processes through technology deployments. But the new Harvard study shows that introducing technology into hospitals and doctors' offices actually increases the costs associated with configuration management, upgrading systems, and deploying and maintaining healthcare IT security technologies.

“Most of the systems are being sold principally to make sure the institution collects every penny it can,” said the report's lead author, Dr. David Himmelstein, an associate professor at Harvard Medical School. “The guts of the system are distorted by the need to make sure it's a billing system at heart.”

Himmelstein and his team reviewed about 4,000 hospitals from 2003 to 2007 and found that while many had digitized patient records to eliminate paper, administrative costs actually rose, even among the most high-tech institutions. The study, published in The American Journal of Medicine, doesn't break out specific costs such as security and configuration management, but it does find that ongoing IT administrative costs add to the bottom line once new systems are deployed.

“Clearly there are some examples of quality of care being worse because of computers and some examples where it's been better. But overall they're not saving money,” Himmelstein said in an interview with SearchSecurity.com. “Introducing technology has a trivial effect.”

The researchers analyzed hospital Medicare insurance program data and several other reports that compile government data on healthcare costs at patient facilities. They found administrative costs increased slightly, from 24.4% in 2003 to 24.9% in 2007, with the facilities that deployed technology fastest seeing the highest cost increases. For systems to be beneficial and provide a true ROI, they need to focus on patient care and be deployed more slowly across an organization, Himmelstein said.

Introducing new technology also brings new uncertainties about healthcare privacy and security. Privacy and security are ongoing concerns that need to be addressed at every stage of a deployment. For example, some hospitals and patient care facilities may be investigating cloud computing, in which data center management is outsourced to a third-party provider. “There are still significant issues about security and those issues need to be handled as part of clinical computing and any other setting where technology is introduced,” Himmelstein said. “At this point there are hundreds of hospitals and practices putting enormous amounts of patient data online, but we've yet to see the cost benefit or the benefit of patient care.”

For now, healthcare facilities continue to modernize systems and eliminate manual processes, buoyed by financial incentives from technology vendors and the federal government's push to modernize the healthcare system. The economic stimulus package approved by Congress earlier this year offers up to $19 billion in incentives to modernize healthcare systems. The goal is to prevent errors and allow greater coordination among caregivers and patients. Still, security spending in the healthcare industry remains sluggish at best, according to a recent survey. Despite the incentives, security accounts for 3% or less of overall IT spending in a substantial majority of healthcare organizations, virtually unchanged from last year. The survey indicated that healthcare organizations may be focusing first on converting paper records into electronic health records.

Himmelstein does have some optimism for future technology deployments if they are handled correctly. He lauded the way Indianapolis' Ronald Reagan Institute of Emergency Medicine, Boston's Brigham and Women's Hospital and the Veterans Administration handled some of their technology investments in recent years, and said many of the organizations knee-deep in new technology that use electronic health records, such as Kaiser Permanente and the Mayo Clinic, may deserve further study to understand the long-term effects on cost.

The Health Insurance Portability and Accountability Act (HIPAA) has also recently been strengthened, forcing healthcare organizations to conduct data discovery in current systems and tighten access controls. Even when they are online, patient records are protected by HIPAA rules, which make it difficult for some doctors to access patient health records online. Healthcare data security is a unique problem, said analyst Ramon Krikken of the Burton Group. “In this case you're talking about people's lives so you don't want a system to lock out a doctor when the patient needs a life saving procedure,” Krikken said. “Security is very different because the fail-over must grant access when time is essential in a life or death decision.”

More: Cost of security, IT management add up at healthcare facilities, study finds

Posted in IT Security

Screencast: Find rogue wireless access points with Vistumbler

So, you like Netstumbler's ability to pinpoint rogue wireless access points, but you're looking for a tool that works with Windows Vista and Windows 7? Then Vistumbler is for you. This month, Peter Giannoulis of TheAcademyHome.com and TheAcademyPro.com explains how to use the basic features of the free Vistumbler tool, including how to find APs, set filters, sort and categorize findings, and export them as a CSV file. For more demos of free security tools, visit searchsecurity.com/screencast. Read this article: Screencast: Find rogue wireless access points with Vistumbler

Posted in IT Security

New Zeus spam poses as Social Security statements

Nov 24 2009 12:28AM GMT Posted by: Marcia Savage

The Zeus Trojan continues to find new ways to trick users. Recent spam campaigns trying to spread the malware have posed as messages from the FDIC, the IRS and, more recently, NACHA, the Electronic Payments Association that oversees the Automated Clearing House (ACH) network. On Monday, Zeus turned up in a new spam surge, this time pretending to be messages from the U.S. Social Security Administration. The fraudulent emails try to trick recipients with warnings that their Social Security statement may contain errors.

A Symantec researcher wrote in a blog post that the subject line will be something like “review annual Social Security statement” and that the body of the message warns of a potential identity theft risk and asks recipients to review an annual statement by clicking on a link. The link leads to a fake Social Security Administration website with a box for the user to enter a Social Security number. If a number is provided, the page tells the user that their statement can be downloaded by clicking on a button; clicking the button downloads a variant of the Zeus (Zbot) malware, according to Symantec. Note the two-stage design: the fake site harvests the Social Security number before it delivers the malware, so a victim who balks at the download has still lost the number.

Zeus has been wreaking havoc in recent months by stealing online banking credentials, mainly from small and midsize businesses, which have been hit by a surge in fraudulent ACH transactions. UK police last week announced the arrests of two people in connection with the malware, but didn't provide details on the suspects' involvement.

Read more: New Zeus spam poses as Social Security statements

Posted in IT Security

New Facebook worm uses sexy model to get guys to click da’ button

Nov 23 2009 2:12PM GMT Posted by: Robert Westervelt
Tags: social networking flaws, social engineering, Facebook worm

A Facebook worm uses a cross-site request forgery attack to spread via the victim's wall postings. Israeli security researcher Gadi Evron and AVG researcher Nick Fitzgerald are reporting a new Facebook worm that uses a suggestive picture of a scantily clad woman to spread on the social network. The picture includes a button and the phrase “Click da' button, baby!” Once a Facebook user clicks the malicious link, they are taken to an attack website landing page that automatically posts the same malicious link to the victim's own Facebook wall, so the worm copies itself from wall to wall with no further action by the victim.

In a blog posting, Evron said he stumbled across the attack after he was tricked by a posting of the link on a friend's Facebook wall. “This shows that even experts can become complacent and trust systems when they really shouldn't. It's a good reminder for me to be more careful with social networks, which for some reason I have grown used to trusting more, without even noticing it happen!”

Fitzgerald wrote that the worm uses a cross-site request forgery (CSRF) attack “resulting in a form submission to Facebook ‘as if’ the victim had submitted a URL for a wall post and clicked on the ‘Share’ button to confirm the post.” In other words, the victim's browser, still carrying a logged-in Facebook session cookie, is made to submit the wall-post form on the attacker's behalf; the request looks legitimate to Facebook because nothing in it proves the user intended to send it.

Read more: New Facebook worm uses sexy model to get guys to click da' button

Posted in IT Security

Exploit code targets Internet Explorer zero-day display flaw

Symantec Corp. is warning of new publicly available exploit code targeting an unpatched display vulnerability in Internet Explorer (IE) that could enable attackers to conduct drive-by attacks and spread malware to unsuspecting victims' machines. The IE zero-day affects the way the browser handles Cascading Style Sheet (CSS) information used to lay out webpages, and is present in Internet Explorer versions 6 and 7. Symantec said the exploit infects users by way of malicious JavaScript code on a webpage.

“The exploit currently exhibits signs of poor reliability, but we expect that a fully functional and reliable exploit will be available in the near future,” Symantec said in a blog posting on Saturday. “For an attacker to launch a successful attack, they must lure victims to their malicious webpage or a website they have compromised.”

Cupertino, Calif.-based Symantec said the exploit code appeared Friday on the Bugtraq mailing list. Symantec and several other security vendors are providing antivirus and IPS signatures to protect against the attack. “Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit websites they trust until fixes are available from Microsoft,” Symantec said. Disabling JavaScript is a stopgap: it blocks the exploit as published, but the underlying flaw remains until Microsoft ships a fix.

IT security research and alert vendor VUPEN Security also reported the vulnerability on Saturday, saying the flaw is a dangling pointer in the Microsoft HTML Viewer (mshtml.dll). Danish vulnerability clearinghouse Secunia gave the flaw a “highly critical” rating in an alert issued today, and confirmed the vulnerability in IE6 on Windows XP SP2 and IE7 on Windows XP SP3. Microsoft has not yet acknowledged the vulnerability. The software giant patched a serious Windows kernel flaw earlier this month, fixing a vulnerability that enabled attackers to set up a malicious website and target Internet Explorer users through Embedded OpenType fonts.

Read more from the original source: Exploit code targets Internet Explorer zero-day display flaw

Posted in IT Security

Brief: Climatologists hot over e-mail hack

An unknown person leaked more than a decade of e-mail messages and some data belonging to a noted climatologist last week, adding fuel to the heated debate over climate change. On Monday, the University of East Anglia in Norwich, U.K., acknowledged that one of its e-mail servers had been hacked and a large number of e-mail messages belonging to at least one member of its Climatic Research Unit taken by the intruder. The breach likely occurred sometime between Nov. 12, the date of the most recent e-mail messages, and Nov. 17, when the intruders attempted to send the files to a blog that reported on the breach.

“Data, including personal information about individuals, appears to have been illegally taken from the university and elements published selectively on a number of websites,” the university said in a statement. “The volume of material published and its piecemeal nature makes it impossible to confirm what proportion is genuine. We took immediate action to remove the server in question from operation and have involved the police in what we consider to be a criminal investigation.”

Climate skeptics posted a number of alleged snippets of the e-mail messages, including some that shed an unflattering light on the scientists' methods of presenting data. In one snippet, the scientists discussed a “trick” of pasting recent temperature measurements onto estimated historical data. Posting to the RealClimate blog, which supports the prevailing view of human-caused global warming, an unidentified poster noted that “trick” is often used to refer to a neat way of doing things. While climate skeptics argue for non-secretive peer review, the result of the e-mail server intrusion may be the opposite. “Clearly no-one would have gone to this trouble if the academic object of study was the mating habits of European butterflies — that community's internal discussions are probably safe from the public eye,” the post to the RealClimate blog stated. “But it is important to remember that emails do seem to exist forever, and that there is always a chance that they will be inadvertently released. Most people do not act as if this is true, but they probably should.”

The University of East Anglia has notified the FBI and defended the research group's reputation. “CRU's published research is, and has always been, fully peer-reviewed by the relevant journals, and is one strand of research underpinning the strong consensus that human activity is affecting the world's climate in ways that are potentially dangerous,” the University of East Anglia said in a statement.

If you have tips or insights on this topic, please contact SecurityFocus. Posted by: Robert Lemos

Go here to see the original: Brief: Climatologists hot over e-mail hack

Posted in Hacked, IT Security

News: Major IE8 flaw makes ’safe’ sites unsafe

The flaw in IE 8 can be exploited to introduce XSS, or cross-site scripting, errors on webpages that are otherwise safe, according to two Register sources, who discussed the bug on the condition they not be identified. Microsoft was notified of the vulnerability a few months ago, they said.

Ironically, the flaw resides in a protection Microsoft developers added to IE 8 that is designed to prevent XSS attacks against sites. The feature works by rewriting vulnerable pages using a technique known as output encoding, so that harmful characters and values are replaced with safer ones. A Google spokesman confirmed there is a “significant flaw” in the IE 8 feature but declined to provide specifics.

It's not clear how the protections can cause XSS vulnerabilities in websites that are otherwise safe. Michael Coates, a senior application security engineer at Aspect Security who has closely studied the feature but was unaware of the vulnerability, speculates it may be possible to cause IE 8 to rewrite pages in such a way that the new values trigger an attack on a clean site. “If the attacker can figure out a flaw in the way IE 8 is actually doing that output encoding and then create a specific string the attacker will know will be transformed into an actual attack, they could use that to input a value … that actually results in an attack firing on the page,” he said. “This could be a way to introduce an attack into a page that didn't have a vulnerability otherwise.”

XSS attacks inject attacker-controlled script or content into a trusted webpage, typically by manipulating a site's URL or other input that the page echoes back to the browser. Many security watchers have come to view the IE 8 protections as Microsoft's answer to NoScript, a popular extension that helps prevent XSS and other types of attacks against users of the Firefox browser.

Late on Thursday afternoon, Microsoft told The Register: “Microsoft is investigating new public claims of a vulnerability in Internet Explorer. We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact.” Once its investigation is finished, the company will “take appropriate action,” including issuing a patch or guidance on how users can protect themselves against exploits.

When Microsoft introduced the protections, it also created a way for webmasters to override the feature, by adding the response header “X-XSS-Protection: 0”. A review of the top 50 most visited websites shows that only web properties owned by Google have actually opted to do so. The small number of sites disabling the filter calls into question how widespread the vulnerability is. Asked why Google was forgoing the protection, a company spokesman wrote in an email: “We're aware of a significant flaw affecting the XSS Filter in IE8, and we've taken steps to help protect our users by disabling the mechanism on our properties until a fix has been released.” He didn't elaborate.

In addition to potentially introducing serious vulnerabilities into webpages, the XSS protections can have other undesirable results, because the filter's engine frequently flags perfectly acceptable characters as potentially harmful. An example of such a false positive is linked from the original article. David Ross, a senior software security engineer for Microsoft, has said the developers designing the feature aimed to strike a pragmatic balance between protecting users and not breaking the web. “We needed to find a way to make the filtering automatic and painless and thus provide maximum benefit to users,” he wrote. “In summary, the XSS Filter will prove its worth by raising the bar and mitigating the types of XSS most commonly found across the web today, by default, for users of Internet Explorer 8.”

Visit link: News: Major IE8 flaw makes 'safe' sites unsafe

Posted in IT Security

Hackers leak e-mails, stoke climate debate (AP)

LONDON (AP) — Computer hackers have broken into a server at a well-respected climate change research center in Britain and posted hundreds of private e-mails and documents online, stoking debate over whether some scientists have overstated the case for man-made climate change. The University of East Anglia, in eastern England, said in a statement Saturday that the hackers had entered the server and stolen data at its Climatic Research Unit, a leading global research center on climate change. The university said police are investigating the theft of the information, but could not confirm that all the materials posted online are genuine.

More than a decade of correspondence between leading British and U.S. scientists is included in about 1,000 e-mails and 3,000 documents posted on Web sites following the security breach last week. Some climate change skeptics and bloggers claim the information shows scientists have overstated the case for global warming, and allege the documents contain proof that some researchers have attempted to manipulate data. The furor over the leaked data comes weeks before the U.N. climate conference in Copenhagen, when 192 nations will seek to reach a binding treaty to reduce emissions of carbon dioxide and other heat-trapping greenhouse gases worldwide. Many officials, including U.N. Secretary-General Ban Ki-moon, regard the prospects of a pact being sealed at the meeting as bleak.

In one leaked e-mail, the research center's director, Phil Jones, writes to colleagues about graphs showing climate statistics over the last millennium. He alludes to a technique used by a fellow scientist to “hide the decline” in recent global temperatures. Some evidence appears to show a halt in the rise of global temperatures from about 1960, but is contradicted by other evidence which appears to show that the rise in temperatures is continuing. Jones wrote that, in compiling new data, he had “just completed Mike's Nature trick of adding in the real temps to each series for the last 20 years (i.e., from 1981 onwards) and from 1961 for Keith's to hide the decline,” according to a leaked e-mail, which the author confirmed was genuine. One of the colleagues referred to by Jones, Michael Mann, a professor of meteorology at Pennsylvania State University, did not immediately respond to requests for comment via telephone and e-mail.

The use of the word “trick” by Jones has been seized on by skeptics, who say his e-mail offers proof of collusion between scientists to distort evidence to support their assertion that human activity is influencing climate change. “Words fail me,” Stephen McIntyre, a blogger whose climateaudit.org Web site challenges popular thinking on climate change, wrote on the site following the leak of the messages. However, Jones denied manipulating evidence and insisted his comment had been taken out of context. “The word ‘trick’ was used here colloquially, as in a clever thing to do. It is ludicrous to suggest that it refers to anything untoward,” he said in a statement Saturday. Jones did not indicate who “Keith” was in his e-mail. Two other American scientists named in leaked e-mails, Gavin Schmidt of NASA's Goddard Institute for Space Studies in New York and Kevin Trenberth of the U.S. National Center for Atmospheric Research in Colorado, did not immediately return requests for comment.

The University of East Anglia said that information published on the Internet had been selected deliberately to undermine “the strong consensus that human activity is affecting the world's climate in ways that are potentially dangerous.” “The selective publication of some stolen e-mails and other papers taken out of context is mischievous and cannot be considered a genuine attempt to engage with this issue in a responsible way,” the university said in a statement.

Associated Press Writer Meera Selva in London contributed to this report. Read more: Hackers leak e-mails, stoke climate debate (AP)

Posted in Deal News, Finance, Finance news, General, Hacked

"Global Warming" SCAM – Hack/Leak FLASH

Apparently a “Global Climate Center” was hacked and the contents have been posted to the Internet.  A ZIP file exceeding 60MB and containing a huge number of emails and other documents has been posted worldwide. Original speculation as to whether the files posted were legitimate or some sort of spoof appears to now be confirmed as legitimate : “It was a hacker. We were aware of this about three or four days ago that someone had hacked into our system and taken and copied loads of data files and emails.” I have not had time to read all of the material yet (there are over a thousand files involved!) but what I have skimmed looks VERY damning.  Contained within the documents are what appear to be admissions of intentional tampering with data as well as intentional falsification of results to “show” man-made global warming. One of the emails says: “I’ve just completed Mike’s Nature trick of adding in the real temps to each series for the last 20 years (ie from 1981 onwards) and from 1961 for Keith’s to hide the decline.” That is, to hide a decline in global temperatures. It gets better.  Another message, this one allegedly from 2000: It was good to see you again yesterday – if briefly. One particular thing you said – and we agreed – was about the IPCC reports and the broader climate negotiations were working to the globalisation agenda driven by organisations like the WTO. So my first question is do you have anything written or published, or know of anything particularly on this subject, which talks about this in more detail? Oh, so it’s not about the planet getting warmer, but rather is a convenient means of advancing an agenda that has already been pre-determined? Then there’s this: In my (perhaps too > > harsh) > > view, there have been a number of dishonest presentations of model > > results by individual authors and by IPCC. This is why I still use > > results from MAGICC to compare with observed temperatures. 
At least > > here I can assess how sensitive matches are to sensitivity and > > forcing assumptions/uncertainties. (Pardon the formatting, it’s text-mode email ‘yanno.) Guess who that was addressed to?  Michael Mann.  You know, the (infamous and now discredited) “Mann Hockey Stick”? Guess where that email originated?  NASA . Yes, I have the file.  So do a few million other people. There’s enough evidence in there, in my opinion, of outrageously fraudulent conduct to make this the scandal of the 20th and 21st century. Sorry folks, there’s no science here – this is, from what I see, a massive and outrageous fraud, and now that the documents have been confirmed as authentic it is time to pull the curtain down on this crap and start locking up all of the proponents – starting with AL GORE. Here are some interesting “meta statistics” on the documents, and the number of times the words referenced appear: Just for starters. If you think that’s bad, you might like this – from the file “ipcc-tar-master.rtf”: General Comments The idea that climate without human intervention can only undergo “natural variability”, and that “climate change” can only result from human activity is false and fallacious. It is in conflict with all that we know of evolution and geology. It is simply wrong to assume that “ climate change” automatically implies human influence on the climate.   This fallacy is embraced by the Framework Convention on Climate Change, but the IPCC (Footnote to “Summary for Policymakers. Page 1) claim that they are prepared to accept “natural variability” as “climate change”. They are, however, unwilling to accept the truth, which is that climate can change without human intervention.   ….   47 out of 91 models listed in Chapter 9 assume that carbon dioxide in the atmosphere is increasing at the rate of 1% a year when the measured rate of increase, for the past 33 years, has been 0.4% a year. 
The assumption of false figures in models in order to boost future projections is   fraudulent. What other figures are falsely exaggerated in the same way? Update 12:58 – Oh oh…. From Phil Jones… and its recent : From: Phil Jones To: “Michael E. Mann” , “raymond s. bradley” Subject: A couple of things Date: Fri May  9 09:53:41 2008 Cc: “Caspar Ammann” ….  2. You can delete this attachment if you want. Keep this quiet also, but this is the person who is putting in FOI requests for all emails Keith and Tim have written and received re Ch 6 of AR4. We think we’ve found a way around this. And then there’s this… From: Phil Jones To: “Michael E. Mann” Subject: IPCC & FOI Date: Thu May 29 11:04:11 2008 Mike, Can you delete any emails you may have had with Keith re AR4? Keith will do likewise. He’s not in at the moment – minor family crisis. Can you also email Gene and get him to do the same?  I don’t have his new email address. We will be getting Caspar to do likewise. I see that CA claim they discovered the 1945 problem in the Nature paper!!     Cheers     Phil One has to wonder: was the “way around it” (the FOI) mentioned in the first correspondence to intentionally destroy the emails requested? Here is the original post: “Global Warming” SCAM – Hack/Leak FLASH

Posted in General, Hacked, Market Commentary

Increase in Gumblar backdoors poses FTP credential problems

See the original post here: Increase in Gumblar backdoors poses FTP credential problems

Posted in Deal News, IT Security

Brief: Firms fail to secure mobile, cloud data

Firms fail to secure mobile, cloud data. Published: 2009-11-20

The failure of corporate chiefs to make security a priority, and a reactive approach to data protection, have left many companies vulnerable to attack, especially via emerging technologies such as smart phones and cloud computing, according to a survey of information technologists published on Tuesday. The Worldwide State of the Endpoint 2010 study, conducted by the Ponemon Institute and funded by security firm Lumension, used data from more than 1,400 interviews of information-security practitioners and nearly 1,600 IT-operations professionals from the U.S., Germany, Australia, New Zealand and the UK. The report found that 56 percent of respondents said that mobile devices posed a significant security risk to their organization and 49 percent stated that the company's CEO did not give strong support to security initiatives.

“The (survey) provides still more evidence that companies are racing to adopt new technologies faster than they can understand their impacts on data security and develop effective use and integration policies,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement. “As a result, networks are growing more and more complex, making the task of securing sensitive data more and more difficult.”

The survey also found that 60 percent of companies were using cloud computing in some manner, and seven out of 10 companies would increase their use of cloud technologies. The separation between security and operations also caused problems for network defenders: the information-security groups in nearly a third of companies fail to collaborate with their operational counterparts, the survey found.

If you have tips or insights on this topic, please contact SecurityFocus. Posted by: Robert Lemos

Read this article: Brief: Firms fail to secure mobile, cloud data

Posted in IT Security

Hackers to sharpen malware, malicious software in 2010

Attackers proved in 2009 that social networks could be used to spread malware and trick users into giving up their data, but in 2010, according to two senior Symantec researchers, cybercriminals will turn to more sophisticated methods, including using social network architectures for the backbone of their attacks. In an effort to sustain growth and pick up new users, more social networks are opening up their architecture to allow third-party applications. Cybercriminals can take advantage of this by developing applications out of the social network environment to target users. In addition, access to social network APIs gives attackers a roadmap to vulnerabilities in legitimate third-party applications and a way to tap into user accounts. “The bad guys can implant malicious code into the social network application and gain access to personal information and other data,” said Paul Wood, senior analyst at MessageLabs Intelligence at Cupertino, Calif.-based Symantec Corp. “As the applications themselves become quite enticing and they may in turn be generated with some other purpose in mind … there may be less reputable motives behind some of these applications.” Wood and Zulfikar Ramzan, technical director of Symantec Security Response, presented their predictions for 2010 during a presentation this week. Many of the data security risks will be more of the same, the two researchers said. Drive-by downloads will continue to target people who fail to fully patch Web browsers and third-party plug-ins; rogue antivirus programs will continue to trick victims into buying software they don’t need, and botnet operators will continue to control hordes of zombie machines to spread spam and harvest personal information. Ramzon said that while attackers will use much of the same tactics, they will learn to sharpen their methods to evade security technologies and enable cybercriminal gangs to pull in more money. 
Rogue security software, which was successful in 2009 with the spread of the Bredolab downloader could move into instances of computer hijacking, rendering them useless, he said. Researchers have seen changes in malware in 2009 with cybercriminals producing multiple variants to trick antivirus signatures. While 2010 malware will be similar, targeted or specialized malware will aim at embedded devices, predicts Wood. Attackers will target ATM vulnerabilities, errors in electronic voting systems and even holes in systems that provide premium pay-per-view content to get access to streaming movies. “It requires a significant degree of insider knowledge about the way these systems work and the ways they can be exploited,” Wood said. “Seeing attacks against vulnerabilities in systems like computer-aided designed tools are not going to be mass marketed, but they’re very useful for a targeted attack if you want to gain access to an organization.” Both researchers said instant messaging could represent a new way for attackers to spread malicious links. Many social networks are incorporating instant messaging features, and when combined with the high level of trust users have on social networks, they could create a lucrative environment for cybercriminals. Some attackers may combine URL shortening with spam techniques and instant messaging giving them a greater chance of success. “There’s a level of trust built up on these sites that if a user gets a message from someone on their buddy list, they’re more likely to click on a link,” Wood said. Wood said currently 1 in 400 instant messages contain some form of hyperlink and 1 in 78 of those hyperlinks are associated with a malicious website. That number is expected to increase to 1 in 12 as the adoption of instant messaging within trusted frameworks increases. Mac users are no longer immune As in any business, cybercriminals need a large audience to generate enough successful attacks to make the effort worth it. 
Until now, Mac users have been relatively immune to the onslaught of attacks targeting operating system flaws. Apple users can become victims of the company’s success. As its market share increases in both Apple computer and smartphone sales, the opportunity for attack increases, Ramzan said. “In 2009 we saw Macs and smartphones targeted more than in the past, and we expect that trend to continue,” he said. Smartphone popularity is also resulting in renewed interest from hackers, Ramzan said. The


Health Net healthcare data breach affects 1.5 million

Health Net Inc. announced Wednesday that it is investigating a healthcare data security breach that resulted in the loss of patient data, affecting 1.5 million customers. The Woodland Hills, Calif.-based managed healthcare provider said the lost files, a mixture of medical data, Social Security numbers and other personally identifiable information, were collected over the past seven years and contained on a portable external hard drive, which was lost six months ago. The company said the healthcare data was not encrypted, but was formatted as images and required a specific software application to be viewed. The hard drive contained data on 446,000 Connecticut patients.

The company reported the breach Wednesday to the state attorneys general’s offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification letters the week of Nov. 30.

Connecticut Attorney General Richard Blumenthal said he was investigating the matter and why it took Health Net six months to report the healthcare breach. “My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.” Blumenthal said the hard drive also contained financial data, including bank account numbers. He is seeking coverage for comprehensive, long-term identity theft protection for those customers affected by the breach.

Health Net provides medical coverage for approximately 6.6 million people and its subsidiaries operate in all 50 states. In a statement, the company said the breach took place in its Connecticut office. So far there have not been any reports of fraud tied to the missing data.
“Health Net will provide credit monitoring for over two years – free of charge – to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service,” the company said.

It is the second time in a month that a healthcare provider lost customer data. Anthem Blue Cross and Blue Shield of Connecticut reported a stolen laptop was to blame for a breach compromising the personal information of 850,000 doctors, therapists and other healthcare professionals.

Security experts have long been advocating that enterprises deploy encryption on laptops and other devices that contain sensitive data. Still, all the technology in the world won’t end employee mistakes and carelessness, said Mike Rothman, an analyst with Security Incite. “You can do full disk encryption and all sorts of things to protect the device, but you are still fairly constrained by user sophistication,” Rothman said. “You have to start asking questions from a process standpoint relative to why this stuff was on an external drive in the first place.” In reality you could turn off all USB ports on your devices, but that could hinder employee productivity, Rothman said. Security always gets back to making sure you have the right processes and policies in place, the right training and awareness so that employees understand what those policies are, and ways to audit those processes, he said.

Experts say encryption should be used as a last resort when all other security policies and processes fail. While many enterprises have focused on encrypting laptops at the endpoint, encryption can be a bit trickier for portable hard drives and other removable media. If the drive is being shared between different systems, people need to have some way to access the key, said Ramon Krikken, an analyst at the Burton Group.
“A lot of these portable hard drives are older without built-in encryption, and the extent to which you can easily deploy encryption has been a challenge for enterprises,” Krikken said. Some USB makers market the devices with built-in encryption software. In 2008, Seagate Technology extended full disk encryption technology to all its enterprise-class hard drives. The company also began pushing for standards for hard drive encryption in storage systems.

Nagraj Seshadri, head of product marketing at Utimaco, the encryption software division of Sophos Plc, said healthcare organizations need to be just as responsible as financial firms when it comes to protecting data. The Health Insurance Portability and Accountability Act was expanded earlier this year with the enactment of The Health Information Technology for Economic and Clinical Health Act (HITECH Act). It imposes notification requirements on healthcare businesses and includes fines for failing to notify potential victims of a breach. The Department of Health and Human Services also published preliminary guidance for encrypting health information. While encryption can indeed be tricky in the datacenter, where speed is more essential, many higher risk organizations are investing in endpoint encryption, Seshadri said.

“Any responsible company would have done some kind of risk assessment and determined wherever healthcare information is stored there needs to be an information security plan, because that is a fundamental step,” Seshadri said. “This incident seems to reflect that something has slipped through the cracks.”

See the article here: Health Net healthcare data breach affects 1.5 million


Massive T-Mobile UK security breach involves insiders

T-Mobile U.K. said Wednesday that an employee was to blame for stealing possibly millions of customer records and selling the data to competitors. T-Mobile informed Britain’s Information Commissioner’s Office (ICO) of the data security breach. The data included customers’ contract renewal information, including customers’ contract expiration dates. T-Mobile said the data was sold to “third parties.”

“The number of records involved runs into the millions, and it appears that substantial amounts of money changed hands,” the government body said in a document submitted to the Ministry of Justice. The U.K. Data Protection Act prohibits the selling of data without prior permission from the customer. The ICO said in its report that it believes T-Mobile competitors used the information to call customers prior to the expiration of their contracts and offer them deals with a new operator.

The T-Mobile U.K. data breach highlights the problem of insider security threats, especially during an uncertain global economy, which has resulted in layoffs and mergers. A recent survey of 1,900 senior executives conducted by Ernst & Young found that 75% of respondents were concerned with the possibility of reprisal from employees. But many are having a difficult time doing anything about insider security threats. Less than half (42%) were weighing the risks and only 26% were taking steps to address insider threats.

“A lot of the focus has been on external hackers, but if you look at the data from organizations including Forrester Research Inc. and Gartner Inc., over 75% of data breaches are the result of insiders,” said Thomas VanHorn, vice president of global marketing at Application Security Inc., a database security vendor based in New York, N.Y.
“There are more fears out there in part because of the dire economy.”

While focusing on improving hiring practices and monitoring employees could help guard against employee reprisals, security experts say companies can conduct regular entitlement reviews to ensure that only employees who need access to certain data get that access. Database activity monitoring and log management are also areas where companies can improve their security practices and guard against a breach, VanHorn said. “Typically we encounter companies that think they know where their sensitive data is, but when we go in companies often make the discovery of databases they never knew they had,” VanHorn said. “It could be at a remote office or a test database, but discovery is a real important first step.”

After getting complaints from customers, T-Mobile said it immediately began investigating the breach. T-Mobile worked with the ICO to identify the source and said it and the ICO were collecting evidence and planned to prosecute those involved. “While it is deeply regrettable that customer information has been misappropriated in this way, we have proactively supported the ICO to help stamp out what is a problem for the whole industry,” T-Mobile said in a statement.

Originally posted here: Massive T-Mobile UK security breach involves insiders


InZero Systems launches hardware-based security gateway

A new security platform was launched today that uses a hardware-based architecture to separate endpoint PCs and devices from the network and isolate desktop software when in use. Security vendor startup InZero Systems hailed its new InZero hardware-based security gateway as a new approach to stop malware from accessing critical systems to steal data and communicate with cybercriminals. It is being met with some skepticism from security experts.

The gateway uses read-only memory and currently supports Windows Vista and XP. The device, a small black box, acts as a hardware sandbox in between endpoint PCs and the Internet. All applications and device drivers needed to communicate with the outside world are controlled by the gateway. Any files downloaded by end users are encrypted or converted for safe viewing. The company has also produced a circuit board that can be installed by computer manufacturers in remote computers and laptops.

In a press briefing that announced the new hardware on Tuesday, InZero CEO Louis Hughes said the idea is to stop trying to defeat malware with software that has vulnerabilities and limitations that could be bypassed by savvy hackers. Instead, the gateway tricks malware into believing it is at its target location. The gateway then traps it there and doesn’t let it penetrate the network. “Instead of spending a lot of time and resources on virus recognition, which is always a catch-up game, we assume up front that what is coming over your browser is very likely to be infected,” Hughes said. “The solution in the medical world would be to isolate you — to quarantine you, so to protect your PC we have created a safe isolation room.”

Hughes said the company would sell the device using a Hardware as a Service subscription model to enterprises at a price of $50 to $80 per unit based on volume. He added that the device would not introduce network latency. End users should not notice any changes to applications or Web browsing.
The security platform consists of an individual box that is installed at each client. It uses certificate-based authentication and gives an administrator the ability to revoke or grant access to a server protected with a gateway. An InZero Management Server handles policy and cryptography and maintains gateway configurations, VPN configurations and NAC permissions. Hughes said the service is easy to install and configuration is minimal. Some enterprises may be required to set static IP address settings or personal key distribution.

Several industry experts shared a certain degree of skepticism about InZero’s approach. Since the device forces end users to access applications within sandboxes on the InZero device, it may pose a problem from a usability standpoint, said Rich Mogull, founder of security consultancy Securosis LLC. “This seems like a solution that could significantly impact the user experience in a way that disrupts business processes,” Mogull said. “While it’s likely extremely secure, there is only a small subset of users willing to give up their desktop experience for this level of security.”

Phil Zimmermann, a noted cryptographer and creator of the popular Pretty Good Privacy (PGP) email encryption program, was on hand during the InZero announcement unveiling the device Tuesday. Zimmermann said he was impressed by the new approach used to let end users continue to run software such as browsers and email clients in an isolated environment. The mechanisms that do the isolation are governed by yet another dedicated processor in the box that never executes any code, he said. “They made their own box and put strictly enforced hardware isolation mechanisms in this hardware enforced sandbox,” Zimmermann said.
“They’ve really gone to extremes to protect against what we know has become an extreme problem and they’ve done it by breaking away from the device that we’ve been stuck with: the PC.” The device is manufactured in the United States using standard off-the-shelf components such as a Motorola Freescale CPU purchased from China and other countries. Technologies such as secure Web gateways use data that is out of date, such as a list of compromised websites, said Adam Hills, a security industry analyst at Gartner Inc. and consultant to InZero. Hackers have also found ways around firewalls to get information. “It’s no longer adequate to look at ports and protocols,” Hills said. “Signature dependency is always yesterday’s news. As soon as there is a signature there’s a signature variant and you are never completely up to date.” Read the original: InZero Systems launches hardware-based security gateway


New York cafe WiFi passwords show Mac versus PC reality

Nov 17 2009, 7:07PM GMT. Posted by: Robert Westervelt

[Photo: Secure WiFi. Photograph depicts the password needed to use the cafe WiFi.]

The Apple blog Cult of Mac posted a picture of the day depicting the stark difference between the WiFi password needed for Apple laptops and the one for those using a Windows PC. The picture was taken at the Lure Restaurant in New York City.

Read this article: New York cafe WiFi passwords show Mac versus PC reality


Russian cybercriminals target H1N1 Swine Flu fears

More: Russian cybercriminals target H1N1 Swine Flu fears


H.D. Moore speaks about Metasploit Project deal, Release 3.3

The sale of the Metasploit Project and its highly respected pen-testing platform to vulnerability management vendor Rapid7 in October marks the transition of yet another major open-source project to a commercial company. In a wide-ranging interview, Metasploit founder H.D. Moore speaks about the evolution of the Metasploit Project, the threat environment it has grown in and what the acquisition means for the future of the project. Moore also talks about the latest Metasploit Framework release (version 3.3), the project’s open source exploit development and penetration-testing platform.

What kind of reaction has the Metasploit community had to the Rapid7 deal? What are your fans saying?

H.D. Moore: For the most part, people who use the framework are happy about it. The key things are that the license doesn’t change and that our development methodology doesn’t change. We had a couple of folks bring in some hard questions on the internal core development group, asking, ‘Why would I work to enrich Rapid7’s pockets?’ The result of all the discussion was, well, it really wasn’t that much of a community project either. Going back to 2006, Metasploit was being run as an LLC. We had commercial training; we paid for a lot of our costs that way. And there really were only a few core folks involved in the main development process.

You’ve just released Metasploit Framework 3.3, a full year after 3.2. What’s new and improved?

Moore: Nearly everything. We’ve added something like 120 new exploits, 100 new auxiliary modules, and almost every payload has been rewritten. The executable generator can now actually inject itself into existing binaries, so nearly all the antivirus signatures that previously blocked things like Metasploit-generated binaries no longer work. We now support Windows 7, Vista 64-bit, and 64-bit in general as both a target platform and as an attacking platform. We fixed tons and tons of bugs to make things more stable.
We added a lot of new ways to embed payloads into a lot of different things. You can now put a payload into a Word document, into a Visual Basic script to make it persistent. Basically, we’re going after a lot of scenarios all at the same time.

Talk about the evolution of Metasploit since the project was founded in 2003. How has the threat environment changed and how has Metasploit changed with it?

Moore: If you look at the exploit coverage of Metasploit from 2003 moving forward, you’ll see a shift towards client-side exploits and, even more recently, going from client-side exploits to third-party, lesser known software packages. So, as Windows becomes slightly more secure, as Linux distributions are making defaults more secure, disabling services, folks have really had to stretch to find other ways in. And that means going after things like antivirus products, third-party backup services, things that would be overlooked in a pen test.

The Rapid7 acquisition presents an opportunity to marry vulnerability assessment and pen testing. What’s the value of integrating these technologies?

Moore: It depends on your audience. A lot of folks in enterprise IT want to do vulnerability assessment and that’s it. They don’t want to do exploits. A lot of folks on the pen-testing side don’t want to run a vulnerability scanner because it’s too noisy and they’re trying to come in quiet, stealthy when they’re doing a test. There is a middle ground. There are folks who want to do a full-blown vulnerability test, and then verify what’s exploitable. These are the folks who want to figure out which one of the vulnerability reports they’re looking at to work on first. So for vulnerability prioritization, I really see the combination of vulnerability assessment technology and pen-test tools as being the gold standard.

What can we expect to see as a result of the acquisition a year from now?
Moore: At some point we’ll try to do more integration between the vulnerability assessment and pen-testing products. In terms of whether there will be a commercial version of Metasploit, we’re still tossing that around. We’re pretty sure there will be some sort of commercial support soon. In terms of commercial products, we haven’t set anything in stone. The idea now is to keep everything we’re working on now free, keep it under the BSD license, and that precludes a lot of commercial options. We’re really focused on where we can add value, where we can improve everything we have today.

Link: H.D. Moore speaks about Metasploit Project deal, Release 3.3


Brief: No cyberwar yet, but soon, says firm

In 2007, a massive denial-of-service attack hit government and financial servers in Estonia. In 2008, as Russia invaded the former Soviet state of Georgia, attackers cut off communications to the outside world. In 2009, attacks on South Korea and U.S. targets caused consternation. Yet, none of these attacks rise to the level of cyberwarfare, security company McAfee stated in a report released on Tuesday.

By looking at four characteristics — source, motivation, sophistication, and impact — the company found that none of the events passed the threshold for cyberwarfare. “We have gone back and looked at all the high-profile attacks, and we don’t believe that we have yet seen it,” said Dmitri Alperovitch, vice president of threat research at McAfee. Attacks that would constitute cyberwarfare would be conducted by a nation state, have a political — not financial — motivation, use highly custom and sophisticated software, and have a significant impact on the target, the company stated.

The closest thing to cyberwarfare — the attack on Georgia — falls short of the definition. While the attack appeared to have been directed by Russian government sources and was motivated by national aims — cutting off Georgia’s ability to get out its side of the story — the sophistication and actual impact of the attack fell short, McAfee said.

The report also highlighted the five countries that are the most advanced in the cyberwarfare arena: the United States, China, Russia, Israel, and France. Each nation has significant cyber espionage capabilities and active cyber programs, McAfee stated. “We are at a point where the cyber arms race is the reality, with those five countries in the race,” Alperovitch said. “But today it is mostly classified discussions behind closed doors between government officials.”

Posted by: Robert Lemos

Here is the original post: Brief: No cyberwar yet, but soon, says firm


Windows 7 DOS flaw allows hackers to freeze Microsoft’s newest OS

Microsoft issued an advisory Friday warning users of a serious denial-of-service (DOS) vulnerability in the protocol used by its newest operating system, Windows 7, to handle messages between devices on a network. The Server Message Block (SMB) flaw could be exploited by an attacker to crash a Windows 7 machine. The Windows 7 DOS vulnerability could be exploited if a victim browses to a malicious website.

“While we are not currently aware of active attacks, we continue to recommend customers review the mitigations and workarounds detailed in the Security Advisory to protect themselves as we work to develop a comprehensive security update,” wrote Mike Reavey, group manager at the Microsoft Security Response Center, in the MSRC blog. Reavey said Microsoft engineers are working on an update to correct the Windows 7 DOS error.

Disabling SMBv2 would not be an effective workaround, according to a report issued by the SANS Institute: the flaw affects both SMBv1 and SMBv2. The Microsoft security advisory urges customers to halt all SMB communications to and from the Internet by blocking TCP ports 139 and 445 at the firewall. The Windows 7 DOS workaround could cause some applications and services to fail, Microsoft said, but it would block any Web-based attacks from taking place.

To exploit the flaw, Microsoft said, an attacker could force an SMB connection to an SMB server controlled by the attacker. That server would then send a malicious SMB response to the victim’s machine, causing the Windows 7 system to freeze. A Web-based attack can be carried out if the victim is using any standard browser. The DOS vulnerability affects Windows 7 32-bit and 64-bit systems as well as Windows Server 2008 R2 on 64-bit and Itanium-based systems. The United States Computer Emergency Readiness Team warned users and administrators Monday to review the Microsoft security advisory and enable the workaround.
It is the second security flaw to affect the fully released version of Windows 7. Microsoft issued a security update in October addressing ActiveX control issues in Windows 7 as a result of components built using a flawed version of Microsoft Active Template Library. Read the original post: Windows 7 DOS flaw allows hackers to freeze Microsoft’s newest OS


Secure your remote users in 2010

Economic conditions are forcing IT to postpone new projects and delay infrastructure upgrades, but studies have found that the sales force is usually the first to rebound in high-tech companies looking for a direct path to revenue. Now is the time for security teams to start planning and budgeting for new approaches to secure the corporation’s digital assets as the workforce shrinks or grows with the economy in 2010. Security teams in high-tech organizations can plan for increases in the number of remote sales users before the company adds new office workers and upgrades facilities. There are a few technologies that security should be investigating for gradual deployments in the coming year to help mitigate the heightened risk of business disruption and data loss from a larger workforce of remote and mobile users in 2010.

Plan to ride the investments in new employee laptops to put Microsoft Windows 7 to the test. The shift from Windows XP to Windows 7 is inevitable for IT, so the organization may as well enlist the support of remote users to gain experience with Windows 7 security features. Windows 7 appears to provide a significantly stronger platform for applications than XP, which may reduce the security burden. Understand the security features of Windows 7, trial secure configurations with remote workers and be prepared to use the knowledge gained to transition the rest of the workforce off XP when economic conditions allow.

Remote user virtual workspaces will protect browsers and VPN agents from malware on home computers and less secure public networks, such as those found in hotels and cafes. The sharp uptick in recognized attack volume reported in threat reports is significantly driven by malware disguised in browser active code, browser plug-ins and browser toolbar plug-ins. The best protection against these attacks is to isolate the business access software from the underlying operating system and applications.
Enhancing the security of remote connectivity software should yield fewer calls to the IT service desk and fewer chances to lose regulated data. A compromise solution would be to re-examine Microsoft IE 8, which has some nice security enhancements for remote users.

Unified communications and collaboration (UCC) technology over the Web can keep a distributed team in touch while also shaving travel and telephone bill expenses. Security capabilities exist to assure that UCC communications are held with strongly authenticated users, conducted over secure sessions, and audited for compliance with security policies. Showing the corporation how UCC can be secured can lead to cost savings and improved responsiveness to remote users.

The demands on corporate security are going to increase as businesses come out of the economic doldrums, and the demands will start with remote users. Strong authentication, transparent data encryption and secure communications to corporate applications are the basics of securing a distributed workforce. Security teams should also be using this planning time to prepare for Windows 7 migrations and also perhaps enhance operations for remote users with virtual workspaces and UCC capability.

Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.

Link: Secure your remote users in 2010


Brief: Survey: Majority of Web sites vulnerable

Published: 2009-11-16

Nearly two-thirds of Web sites have at least one serious security issue that would allow someone to remotely attack the site, WhiteHat Security said this week, citing a recent survey of its clients. According to the Web security firm’s data, two-thirds of sites had cross-site scripting (XSS) flaws, nearly half had information disclosure issues and 31 percent were vulnerable to content spoofing. The volume of vulnerabilities, however, was dominated by cross-site scripting flaws, which accounted for 63 percent of the total flaws found by WhiteHat.

Vulnerable sites and secured sites had similar technology profiles: it made little difference in what language the Web application was written or on what type of server the site ran. The companies’ approaches to security mattered the most, said Jeremiah Grossman, CTO of WhiteHat. “It is extremely interesting to see that all the Web sites that are no longer vulnerable are so similar characteristically in technology and site format to those that have vulnerabilities,” Grossman said in a statement. “The big difference right now seems to be that these organizations set an internal mandate to actively fix their flaws and reduce the potential for damage to their Web site, reputation and customers.”

The average Web site studied by WhiteHat had nearly 250 possible inputs, which the company equated with the relative attack surface of the Web application. The typical Web site failed to fix security issues in a little more than 2 percent of the inputs. Three out of ten Web sites had an Urgent vulnerability — WhiteHat Security’s most serious classification for security bugs. Another 71 percent had Critical flaws, while 64 percent had vulnerabilities rated High, the lowest of the three severity rankings that WhiteHat included in its report.
Posted by: Robert Lemos

Originally posted here: Brief: Survey: Majority of Web sites vulnerable


News: Researcher busts into Twitter via SSL reneg hole

The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. When the flaw surfaced last week, many researchers dismissed it as an esoteric curiosity with little practical effect. For one thing, the critics said, the protocol bug was hard to exploit. And for another, they said, even when it could be targeted, it achieved extremely limited results. The skepticism was understandable: while attackers could inject a small amount of text at the beginning of an authenticated SSL session, they were unable to read encrypted data that flowed between the two parties.

Despite those limitations, Kurmus was able to exploit the bug to steal Twitter usernames and passwords as they passed between client applications and Twitter’s servers, even though they were encrypted. He did it by injecting text that instructed Twitter’s application programming interface (API) to dump the contents of the web request into a Twitter message after it had been decrypted. “My point is I think that it’s not so hard to make it work,” said Kurmus, who lives in Zurich and recently completed his master’s thesis at the Eurecom Institute. “Maybe some other people did the same thing and did not make it public, so this is why I think it’s important that people would take this bug more seriously.”

Twitter proved an ideal platform to carry out the attack for several reasons. First, every request sent over the microblogging site includes the account holder’s username and password. Second, the site’s API made it easy to post the contents of the intercepted data stream into a message that an attacker could then retrieve. Finally, many Twitter users send and receive messages using third-party applications. Many of those programs ignore error pages like those that would have resulted from Kurmus’s attack, preventing victims from knowing anything was amiss.
Twitter’s security team closed the hole earlier this week. The flaw in the transport layer security protocol was discovered by a researcher from PhoneFactor, a provider of two-factor authentication services. It allows man-in-the-middle attackers to insert text at the beginning of an SSL stream each time a session is negotiated. The vulnerability stems from the ability for either party in an SSL transaction to renegotiate the session, usually so one can refresh its cryptographic keys. Members of an industry-wide consortium had been meeting in secret since late September to hash out a fix that will be rolled into thousands of individual pieces of hardware and software that implement the TLS protocol. The bug became public when it was disclosed by a researcher not involved in the project. So far, OpenSSL is the only provider that is close to releasing a patch, according to this status page . In the interim, websites that want to protect themselves can simply follow Twitter’s example and disable renegotiation. To be sure, Kurmus’s attack only worked because Twitter’s API allowed him to post the captured data steam to a tweet that he was then able to retrieve. But it’s not a stretch that variations on that attack that steal authentication cookies would work on webmail services and other websites that transmit messages, researchers said. “It’s likely that other websites would still be vulnerable,” said Ivan Ristic, a London-based security expert who specializes in SSL . “Any site that allows people to publish messages or posts or send email or any sort of information can potentially be abused in this way.” This story was updated to correct Kurmus’s nationality. Read more: News: Researcher busts into Twitter via SSL reneg hole

Web security firm ranks Firefox, Safari browsers as flaw prone

Mozilla Firefox accounted for 44% of browser-based vulnerabilities in the first half of 2009, more than any other browser, according to a new report from Cenzic Inc. Apple’s Safari browser came in second, with 35% of all browser-based flaws, followed by Internet Explorer (15%). The Santa Clara, Calif.-based penetration testing vendor said the Safari vulnerabilities were due to issues discovered in the Apple iPhone-based browser. Cenzic said browser vulnerabilities accounted for 8% of the total Web vulnerabilities. The browsers were ranked by the number of bugs in a study reviewing Web-based vulnerability data collected by Cenzic in the first half of 2009. The firm said that 78% of the 3,100 reported vulnerabilities it identified were Web-based. Experts caution that the number of vulnerabilities addressed by a browser maker doesn’t necessarily mean a particular browser is less secure. For example, Mozilla may be more proactively reporting and repairing vulnerabilities than other browser makers. Johnathan Nightingale, Mozilla’s security and usability expert, called bug counting a waste of time. Nightingale said it ignores the fact that Mozilla can get a patch out to 90% of its user base in less than five or six days, a feat unmatched by many other browser makers. “What would certainly help make a better assessment is if everyone was open about all the bugs they fixed and if every security fix was well documented,” Nightingale said. “There are vendors out there not doing that or bundling several patches together to keep the numbers low and they are going to show up well in these reports.” More important is the fact that many users have outdated third-party browser components, a favorite target of attackers, Nightingale said. Mozilla launched a tool in October that scans Firefox to detect outdated plugins. The number of Web application vulnerabilities increased more than 10% from the second half of 2008.
The flaws were contained in Web servers, applications, Web browsers, plug-ins and ActiveX controls. Information leakage, cross-site scripting (XSS) errors and improper authentication bugs were among the biggest issues found in many Web applications, Cenzic said. “Of the published vulnerabilities in commercial off-the-shelf applications, SQL injection and XSS were once again the most common, which is why it is no coincidence that most of the attacks in the first half [of the year] exploited these two vulnerabilities,” the Cenzic report noted. Information leakage errors accounted for 87% of vulnerabilities discovered by Cenzic tests. Web applications that reveal sensitive user data or HTML comments left by developers could be used by hackers to gather data and attempt to penetrate a company’s defenses, Cenzic said. XSS errors accounted for 73% of vulnerabilities discovered. The flaws enable an attacker to inject malicious code into the application to spoof content or hijack legitimate websites to target visitors. Authentication flaws also increased, accounting for 56% of vulnerabilities encountered by Cenzic. The errors allow users to log in without supplying correct credentials. Sometimes the errors can reveal valid usernames and passwords, allowing an attacker to easily gain access to systems, Cenzic said. The firm also cited a number of different high-profile attacks carried out by hackers exploiting common Web-based vulnerabilities. Hackers carried out XSS attacks against HSBC and Barclays banking websites in June. Turkish hackers gained access to low-level U.S. Army Web servers in May by exploiting SQL injection vulnerabilities, redirecting a website to a webpage protesting climate change. “It’s evident from some of the highly visible attacks in the last couple of years that many attacks go unnoticed for months and years before they are caught, and even those are by accident,” the report noted.
“We believe that for every attack that’s reported, there are a hundred more that have gone unnoticed, as most companies don’t know when they are being hacked.” Read the original here: Web security firm ranks Firefox, Safari browsers as flaw prone

How to invest your 401(k)

NEW YORK (Money) — Question: I’ve got many investing options in my 401(k) — small caps, large stocks, emerging markets, fixed-income, etc. What would be the ideal portfolio for me considering that I’m 51 and plan to retire at 65? –D.D., Anaheim, Calif.

Answer: While it may be theoretically possible to create an ideal investment portfolio, it ain’t gonna happen in the real world. More than 50 years ago, Nobel Laureate economist Harry Markowitz created a technique known as mean-variance optimization, which investing firms use today to create “optimizer” software designed to pick your ideal portfolio. You get a combination of investments that will generate the best possible return for whatever level of volatility you’re willing to accept. But the problem is that the portfolio you get is designed to excel under a very specific scenario — the exact volatility, correlations and returns you stipulate. If your predictions about those things don’t pan out — which is invariably the case — the portfolio’s performance may not only be less than optimal, but downright abysmal. It’s sort of like designing a bike to maximize performance in the Tour de France but then finding out the race will be held not on paved roads, but on a rutted dirt track. So if the ideal portfolio isn’t achievable, I’d say you should aim to create a reasonable portfolio, or one that has a decent chance of delivering solid returns under a variety of conditions. Clearly, what’s reasonable will vary depending on your financial situation, how comfortable you are with seeing the value of your 401(k) account dip when the market goes down and how willing you are to possibly fall short of having a large enough nest egg. So I can’t just tell you how to divvy up your money among the various options in your plan. But I can recommend a process that you can go through so that you end up with a portfolio that should work reasonably well for you.

Stocks vs. bonds

Start by coming up with an overall mix of stocks and bonds that appears appropriate for you. You’ve got a pretty long investing time horizon — 14 more years until you retire, plus another 20 to 30 in retirement. So you need capital growth to build the value of your 401(k) between now and retirement and to help maintain purchasing power during retirement. That argues for putting a sizeable percentage of your 401(k) in stocks since over very long periods stocks generally outperform bonds. That said, we also know that stocks can get whacked for losses of 30% or more occasionally. And at your age you can’t afford to lose too big a chunk of your 401(k) balance. You may not have enough time to recoup the loss. So that argues for not going overboard with stocks. There’s no single correct mix for 51-year-olds (or anyone else). But I’d say a blend of 65% to 70% stocks and 30% to 35% bonds is a sensible range for someone your age. You could scale back your stock holdings from that level if you want to play it safer heading into retirement. Or you could bump up your stock holdings a bit if you’re comfortable about taking on more risk for the possibility of more gains. Whatever mix you settle on, you would gradually shift it more toward bonds as you age.

What type of stocks?

If you could foretell the returns of, say, large-cap, small-cap and foreign stocks as well as how they’ll move around compared with each other, you could put together an ideal blend. But you can’t. Which is why for the domestic stock holdings in your portfolio, I think you should take your cues from the way investors overall divvy up their money between different types of stocks. To do that, plug the ticker symbol for Vanguard Total Stock Market Index fund (VTSMX), which tracks the entire U.S. stock market, into Morningstar’s Instant X-Ray tool. You’ll immediately see how U.S. stock investors allocate their investing dollars by stock size (small, medium and large) and style (value, growth and blend). Unless you think you know something your fellow investors don’t, I wouldn’t stray too far from those allocations. It’s not a bad idea to diversify your portfolio a bit more by adding some foreign stocks, assuming they’re available in your plan. How much foreign exposure? I’d say 10% to 20% of your overall stock holdings in broadly diversified foreign funds ought to do it. You could also consider branching out into emerging market foreign funds. But don’t be unduly swayed by their recent boffo returns. These funds are the investing world’s versions of manic depressives, flying high one year, crashing the next. So if you dabble in them at all, they should represent only a small portion of your foreign holdings.

What type of bonds?

Again, I think broad diversification is the key. I recommend that investors consider making a total bond market index fund the core of their bond portfolio. If you want to diversify beyond that into foreign bonds, high-yield and TIPS for a bit of inflation protection, fine. But these options combined probably shouldn’t account for more than 10% to 20% of your bond portfolio.

How many funds do I need?

When you’ve got a lot of investment options, there’s an inclination to think you should be using as many as you can. Problem is, the more investments you own, the more complicated it gets to choose, monitor and maintain them in a coherent portfolio. So I think you’re generally better off keeping things simple. To my mind, there’s a lot to be said for a portfolio of just three funds — a total U.S. stock market index fund, a total U.S. bond market index fund and a broadly diversified foreign stock index fund — that you rebalance periodically. That combo would give you large and small shares, growth and value and international exposure. You can get fancier and add more types of funds. But before you do, be sure you’re adding them as part of a long-term strategy that you’ve carefully considered, not just because a particular fund or asset class is the talk of the TV investment shows. And if you end up deciding that you’re not really comfortable putting together your own portfolio, ideal or otherwise, you might consider a target-date retirement fund, which divvies up your assets for you based on your projected retirement date. Be careful, though. Not all target-date funds are the same. So make sure you know how the fund allocates its assets today and that you understand the fund’s “glide path,” or how that allocation changes over time.

Bottom line: The process I’ve outlined won’t lead you to an ideal portfolio. But if you follow it and apply some common sense, you should be able to come away with a portfolio that can get the job done. Go here to see the original: How to invest your 401(k)

Layoffs prompt insider threat fears, cybersecurity survey finds

Results from a new survey suggest IT professionals must be constantly vigilant in watching for employee reprisals against company systems, thanks to the uncertain economy and, in some cases, multiple rounds of layoffs. The 12th annual Ernst & Young Global Information Security Survey of nearly 1,900 senior executives found that 75% of respondents were concerned with the possibility of reprisal from employees who have left their organizations. While many of those surveyed were concerned about malicious former employees, far fewer were doing anything about it. Less than half (42%) were weighing the risks and only 26% were taking steps to address insider threats. The report, issued Tuesday, is the result of a survey conducted among senior IT professionals between June and August 2009. Ernst & Young conducted field interviews with executives in 60 countries. The report supports earlier industry surveys warning how the sluggish economy could result in increased threats, reduced budgets and delays on IT security projects at many enterprises. Senior IT executives indicated they were under pressure to cut costs, relied on current security systems and struggled to attract and maintain skilled and trained information security talent. They said finding adequate budget for security initiatives will be a major challenge for the coming year. “These are clear indicators that information security is not immune to external economic forces and must find ways to improve efficiency and effectiveness while keeping spending to a minimum,” according to the report. The result is a renewed focus on understanding potential threats and addressing them over time with a minimal investment in technology. Fifty percent of survey respondents indicated that they planned to spend more on security risk management, and 39% planned to spend relatively the same amount on this initiative over the next year.
Meanwhile, regulatory compliance is taking a back seat, with 60% indicating spending would remain the same. For those spending on new technologies, data leakage prevention (DLP) software and appliances seem to be the top choice. About 90% of those surveyed said they would spend either the same or more on DLP related technologies. DLP also ranked as the second-highest priority of organizations during the next 12 months, behind regulatory compliance activities. DLP focuses on employee behavior as it relates to data changes and movement in the environment. Companies can use the technology to detect policy violations by monitoring traffic. Some firms have found it to be an effective way to enforce security policies and user awareness programs. Despite an increase in virtualization technology deployments as a result of the cost savings associated with pooling resources, senior IT executives didn’t see it as a major security concern, according to the survey. Seventy-eight percent of respondents indicated they implemented virtualization, but only 19% said virtualization was a security priority. “Clearly, our survey respondents do not recognize the same level of risk with virtualization as would be expected with such a significant and extensive change effort,” the report stated. “More alarming is the fact that virtualization security should be a concern, but the majority of organizations and security leaders are ignoring its implications.” One recent survey by Nemertes Research indicated that companies are avoiding spending on virtualization security technologies until the market matures. The survey also found senior IT executives perceived an increase in external and internal threats. Forty-one percent of respondents noted an increase in external attacks and 25% of respondents said they witnessed an increase in internal attacks. The concerns ranged from phishing and website attacks to employee privilege abuse and theft of proprietary data. 
A number of security studies have documented a rise in Web-based attacks, fueled by an increase in employee use of social networks, blogs and Web applications. Others have documented the need for a greater emphasis on maintaining updated patches on employee productivity tools such as PDF viewers, media players and browser components, which include Flash and Java-based tools. Compliance remained the top priority of enterprises. When asked about the importance of specific security activities, 46% of respondents indicated that complying with regulations was very important, with an additional 31% considering it important. The report also found that compliance costs continue to rise; 55% of those surveyed indicated moderate to significant increases in compliance-related costs as part of overall security costs. “This may be an indication that organizations are spending too much of their security budgets on demonstrating point-in-time compliance as opposed to implementing a comprehensive information security program where compliance is a by-product and not the primary driver,” the report stated. View original post here: Layoffs prompt insider threat fears, cybersecurity survey finds

News: Security firm chokes sprawling spam botnet

Security firm chokes sprawling spam botnet. Dan Goodin, The Register, 2009-11-11. A botnet that was once responsible for an estimated third of the world’s spam has been knocked out of commission thanks to researchers from security firm FireEye. After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the legions of zombie machines that make up the network. Almost immediately, the spam stopped, according to the M86 Security blog. Last year, the email security firm estimated the botnet was the leading source of spam until some of its servers were disabled. The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change, said Jamie Tomasello, an abuse operations manager at antispam firm Cloudmark. The takedown effort is significant because it shows that a relatively small company can defeat a for-profit network that took extraordinary measures to ensure it remained operational. Not only did Ozdok reserve a long list of domain names as command and control channels, it also used hard-coded DNS servers. When all else failed, its software was able to dynamically generate new domain names on the fly. With Ozdok’s head chopped off, more than 264,000 IP addresses were found reporting to sinkholes under FireEye’s control, an indication of the massive number of zombies believed to have belonged to the botnet. FireEye researchers plan to work with the ISPs to identify the owners of the orphaned bots so their owners can clean up the mess.
FireEye researchers said the key to dismantling the giant ring was a coordinated effort that worked in multiple directions all at once so that bot herders didn’t have a chance to counteract. “As it turns out, no matter how many fallback mechanisms are in place, if they aren’t all implemented properly, the botnet is vulnerable,” they wrote. Continued here: News: Security firm chokes sprawling spam botnet

Brief: Microsoft fixes kernel, Office flaws

Microsoft fixes kernel, Office flaws. Published: 2009-11-11. Microsoft released six updates for its software on its regularly scheduled patch day on Tuesday, fixing at least 15 security holes, including three vulnerabilities in the Windows kernel. The update patches severe issues in the License Logging service and the Web Services on Devices API, as well as critical vulnerabilities in the Win32k kernel. The most severe issue, caused by the incorrect handling of font data, is rated Critical for Windows 2000, Windows XP and Windows 2003. “The vulnerability allows for remote code execution, and the attack code can be embedded inside MS Office files or be hosted on Web sites,” Andrew Storms, director of security operations for network protection firm nCircle, said in a statement. “Simply browsing an infected Web site will compromise unsuspecting users … A lot of people will try to be the first to publicly post exploit code.” Microsoft also patched nine vulnerabilities in Microsoft Office and a single vulnerability in Active Directory, the company’s identity-management and credentialing server. Six of the vulnerabilities were considered likely to lead to functional exploit code in the next month, according to Microsoft’s exploitability ratings. The company predicted that eight of the issues might lead to unreliable exploit code, while a single flaw would be unlikely to be exploited. Posted by: Robert Lemos. Read this article: Brief: Microsoft fixes kernel, Office flaws

Microsoft patches serious Windows kernel flaws

Microsoft repaired several serious Windows kernel flaws that could be exploited by an attacker to gain complete control of a system. Kernel flaws are among the most serious, experts warn, because they sit in a deep layer of the Microsoft Windows architecture, and a successful exploit gives the attacker open access to completely control a system. Despite the seriousness of the kernel vulnerabilities, November represented a light month for Microsoft administrators following a record-breaking 34 vulnerabilities patched by the software giant in October. Microsoft issued six bulletins Tuesday, three critical, repairing 15 vulnerabilities, including a Web services flaw, and flaws in its License Logging Server, Active Directory, and Office products. “The patches for these vulnerabilities are not too difficult to apply so you could say it’s a relatively light month,” said Amol Sarwate, manager of the vulnerability research lab at Qualys Inc. “On the other hand, half of the bulletins have listening ports open and whenever you have listening ports open there could be network-based exploits for it so it’s something you have to keep an eye on.” The most critical Windows kernel flaw, addressed in Bulletin MS08-065, was an error in the way Windows handles Embedded OpenType (EOT) fonts. It’s relatively easy to exploit and proof-of-concept code is readily available. An attacker could set up a malicious website to exploit the flaw targeting users of Internet Explorer using embedded OpenType fonts, said Jason Avery, manager of TippingPoint’s Digital Vaccine group. “If you compromise the kernel you get complete control over everything so a hacker can really do some damage,” Avery said. The bulletin also addresses two other kernel-level flaws that affect the way Windows handles system-level calls and validates data passed from the user to the Windows graphical device interface.
The vulnerabilities are rated Critical for users of Windows 2000 and Windows XP and Important for Vista users and those running Windows Server 2008. Microsoft also addressed a remote code execution vulnerability in its License Logging Server. Bulletin MS09-064 only affects users of Windows 2000. Enterprises use the License Logging Server to validate Microsoft licenses and ensure that machines carry appropriate Windows software licenses. The vulnerability discovered by TippingPoint researchers is a classic buffer overflow, Avery said. The vulnerability was discovered in May and wasn’t likely a high priority since it only affects Windows 2000 users. Still, many security vendors continue to detect legacy systems running Windows 2000, and the License Logging Server is enabled by default, making it a possible threat. “The vulnerability exposes an RPC interface where you would communicate over RPC protocol, pass malformed data to open up a shell and conduct remote code execution on a server,” Avery said. The last critical bulletin, MS09-063, affects a Web services vulnerability in the Windows Device API. The API in question is used to validate Windows Mobile devices and Microsoft Zune media players so they can be viewed on a network. It can only be exploited by users of the local network. As a best practice, most enterprises have disabled the Windows Device API. In addition, Microsoft repaired several Microsoft Office vulnerabilities that affect both Windows and Mac users. Microsoft Excel vulnerabilities are addressed in Bulletin MS09-067 and a Microsoft Word flaw is fixed in Bulletin MS09-068. Both bulletins are rated Important and affect Microsoft Office Excel and Word 2002, 2003, 2007, Microsoft Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; and all supported versions of Microsoft Office Excel and Word Viewer and Microsoft Office Compatibility Pack.
The remote code execution vulnerabilities could be exploited by an attacker to install programs and take complete control of a computer. Microsoft also addressed a denial-of-service vulnerability in Active Directory service. Bulletin MS09-066 is rated important and affects users of Windows 2000 Server, Windows XP, Windows Server 2003, and Windows Server 2008. Continued here: Microsoft patches serious Windows kernel flaws

How to prepare for a secure network hardware upgrade

Most network administrators are well-versed in preparing for software application or operating system upgrades. But what about hardware upgrades? The spread of 64-bit technologies and the eventual shift to IPv6 will result in a major network infrastructure upgrade for most enterprises sometime in the not-too-distant future. Separately, there’s always the danger of an unplanned or forced migration when a vendor goes bust or is taken over by a rival — take the recent takeover of Nortel Networks Corp. by Avaya Inc., for example. So, in this tip, let’s look at some of the issues you’ll need to have covered to ensure security isn’t compromised during a major network hardware changeover. Once the choice to begin a network hardware upgrade has been made, the key to success will be open and honest communication and cooperation. The networking, security, financial and management teams, as well as the network’s users, must all be involved and kept in the loop. Issues such as required changes to procedures and processes, test dates and any expected downtime need to be flagged as soon as possible to all affected. Vendors and specialists in both internal and external applications should take part in the process, too. Differences over whether the right decision has been taken need to be put to one side to ensure the approved plan is implemented well. To help this process, the security team should highlight any concerns early on in the planning stage so that mitigating solutions can be agreed on. I would also recommend that a consistent vocabulary and terminology is established to avoid any confusion when discussing new technologies and equipment.

Network preparations

The challenge for the IT department will be to provide 24/7 availability while merging and integrating new equipment. Determining the complexity of a migration requires identifying and understanding the network’s key functions and what devices and applications support the current environment, inventorying all hardware and software assets. This is an ideal time to audit current firewall and perimeter defense rule bases and highlight any risks that need to be mitigated. There are various rule-base analysis packages such as SecureTrack, Skybox and FireMon, which let you clean and apply your rule base to new devices. An open source option is FWDoc, which can produce an HTML summary of network and service objects, users, firewall rules and settings. Once a new device is hardened and ready, it can be brought online as a secondary device to ensure it’s functioning correctly. To ensure application components can still communicate with each other, connectivity and operability testing should focus on components, such as firewalls, servers and monitoring devices like IDSs, which could potentially be affected by the change. These tests are best performed using a script run before and after the upgrade to provide consistency. Gear like the ActiveSocket Network Communication Toolkit from Activexperts Software B.V. is ideal for this task. Logging should be set to “Log All” to help identify whether rules are still in use and to which applications they are relevant. Stakeholders of applications that may be affected should ensure support staff is available in the event of any problems and should provide feedback during tests. Testing should cover at least a full month so that all processes, such as month-end payroll, are tested prior to the changeover. It will be absolutely essential to test any encryption used within the system. Network protocols generally follow the big-endian format, but processor and hardware architectures use both, so you may have to re-encrypt your data.
If problems arise as a result of the upgrade that cannot be quickly resolved within the scheduled cutover time, you can activate your back-out strategy by taking the new device offline for further investigation. On the successful conclusion of the test period, the new device can be switched to be the active primary device, followed by post go-live testing and monitoring. You will have to ensure data isn’t exposed during this process and that any controls mandated by regulation or accreditation, such as ISO 27001, are still relevant and effective. Document all of your security configuration settings so that you can provide assurance to your auditors that the appropriate controls are still in place.

Take the time to test

A migration plan must build in overhead so that milestones are realistic and testing time doesn’t have to be compromised when problems arise, which they undoubtedly will. Testing is a critical aspect of any upgrade, and unfortunately there aren’t any shortcuts. Don’t assume anything. You cannot batch-test several changes at once; if testing produces an unsatisfactory result, the root cause of the problem must be identified before going any further. This is much harder if you have installed several new pieces of hardware at once. Certainly, prior to any migration, it is necessary to verify that adequate backups exist and that backup and restore functions are working properly. These considerations and how to respond to them should be part of your contingency plan covering a worst-case scenario, such as a mission-critical application not working correctly after the new equipment is up and running. To that end, when installing new equipment, there are plenty of integration questions. A useful source of help and guidance can be the relevant Internet discussion groups, where you’ll find out others’ experiences with a particular product.
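The tip recommends one connectivity script, run before and after the cutover, so results are directly comparable. The following is an added example of such a script, not code from the original article or any vendor tool it names: it probes a fixed list of expected paths (including paths a firewall must keep blocked, so the audited rule base is exercised as well as reachability), records a baseline, and reports regressions or policy violations after the new device goes active. Host names, ports and the baseline file name are constructed placeholders.

```python
"""Before/after connectivity check for a network hardware changeover (added example)."""
import argparse
import json
import socket

# Constructed test matrix; replace with the real inventory from your asset audit.
# "expect" records what the approved rule base says SHOULD happen from this
# vantage point, so a firewall that must block a path is tested as well.
EXPECTED_PATHS = [
    {"name": "app-to-db",    "host": "db01.example.internal",   "port": 5432, "expect": "open"},
    {"name": "app-to-ldaps", "host": "idp01.example.internal",  "port": 636,  "expect": "open"},
    {"name": "app-to-siem",  "host": "siem01.example.internal", "port": 514,  "expect": "open"},
    {"name": "app-to-telnet","host": "core01.example.internal", "port": 23,   "expect": "blocked"},
]


def check_port(host, port, timeout=2.0):
    """Return 'open' if a TCP connect succeeds, otherwise 'blocked'.

    Refusal, timeout and DNS failure are all reported as 'blocked': for a
    before/after comparison what matters is that the outcome is repeatable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError:
        return "blocked"


def run_checks(paths, prober=check_port):
    """Probe every path; 'prober' is injectable so the logic can be tested offline."""
    return {
        p["name"]: {"expect": p["expect"], "observed": prober(p["host"], p["port"])}
        for p in paths
    }


def compare(baseline, current):
    """Return (name, detail) findings: changes since the baseline and policy violations.

    A path that was open before and is blocked now is a regression to fix before
    switching the new device to primary; a path that is open but should be
    blocked is a rule-base gap regardless of what the baseline showed.
    """
    findings = []
    for name, cur in current.items():
        base = baseline.get(name)
        if base is None:
            findings.append((name, "no baseline"))
            continue
        if cur["observed"] != base["observed"]:
            findings.append((name, f"changed: {base['observed']} -> {cur['observed']}"))
        if cur["observed"] != cur["expect"]:
            findings.append((name, f"policy violation: expected {cur['expect']}, observed {cur['observed']}"))
    return findings


def save_baseline(results, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(results, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv=None):
    ap = argparse.ArgumentParser(description="Connectivity baseline/verify for a hardware changeover")
    ap.add_argument("mode", choices=["baseline", "verify"],
                    help="'baseline' before the upgrade, 'verify' after each test window")
    ap.add_argument("--file", default="connectivity-baseline.json")
    args = ap.parse_args(argv)

    results = run_checks(EXPECTED_PATHS)
    if args.mode == "baseline":
        save_baseline(results, args.file)
        print(f"baseline for {len(results)} paths written to {args.file}")
        return 0

    findings = compare(load_baseline(args.file), results)
    for name, detail in findings:
        print(f"{name}: {detail}")
    print("no regressions" if not findings else f"{len(findings)} finding(s); do not promote the new device yet")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Keep the baseline file with the change record; a non-zero exit from `verify` is the signal to invoke the back-out strategy rather than continue the cutover.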
If you use open source software, this may be your only source of support if you encounter a major problem getting the software to function on the new network. That’s why, where possible, the initial rollout should begin with less critical systems; if they perform as expected, you can continue with the rollout until all systems are updated. This approach adds a further safeguard to the whole process. In the U.K., for example, the switch to digital TV is being done over a period of three years with little unexpected disruption. This is in contrast to the U.S. experience, when the entire system was changed almost overnight.

Work together with your vendor

Most vendors offer tools, resources and planning materials to help with a migration or network hardware upgrade, often free of charge. You should certainly take advantage of any proof-of-concept offers whereby you can set up a proposed new system alongside the existing environment. Post-rollout vendor support is also an important factor; the need for go-live support should never be underestimated. If you’re moving from a mainframe to a server farm, for example, do your administrators have the skills to manage and maintain the new equipment? One of the main advantages of mainframes is their reliability; will your server farm require more hands-on, 24


How to use Internet security threat reports

The Melissa worm, one of the most prolific email viruses in history, earned its notoriety by forwarding itself to the first 50 people found in a victim’s Microsoft Outlook address book. Security researchers celebrated its 10th anniversary earlier this year, and in the decade since Melissa, the world has seen a boom in viruses, Trojans, SQL injection, spam, phishing and drive-by downloads. There’s no shortage of security threat reports from vendors in the antimalware business highlighting that boom. The latest, published by McAfee Inc. and Symantec Corp.’s MessageLabs, as well as Microsoft’s Security Intelligence Report, shed light on malicious activity. But while each of these reports summarizes observed attack activity (profiles of the types of attacks and of where they originate), in my opinion only Microsoft provides meaningful strategies, mitigations and countermeasures for IT on protecting computing resources.

If security products worked well, we wouldn’t need these reports; they nonetheless provide interesting analysis even if it is not always actionable. For instance, we are conditioned to believe parts of Asia and Eastern Europe are relatively lawless when it comes to cybersecurity, but McAfee’s research reminds us that the United States hosts 45% of the world’s Web servers with malicious reputations and 46% of the world’s discovered phishing sites, so there is Web security work remaining. Also interesting is Symantec’s illustration of how dynamic the attack process is: one-third of the websites it blocks are less than a month old. And Microsoft reports that the Windows Vista SP1 infection rate is 62% lower than that of Windows XP SP3, which may reflect the effectiveness of Microsoft’s SDLC program.

Security professionals should read the threat reports with caution. They are vendor marketing documents designed to position vendor research teams as industry experts that bring the vendor a competitive advantage.
The reports’ findings represent only what the vendor is looking for, along with a natural bias towards the vendor’s business. Security pros can do better by examining multiple vendor threat reports to get a more complete picture and mapping the threat classes to their own business. For instance, a workforce using Windows machines isolated at home requires different security mechanisms than a workforce using shared devices on an office LAN.

The reports can also feed your user education series. Symantec reminds us that spam and phishing attacks increase around special events, such as Halloween, Christmas, tax filing and celebrity health issues. Pull timely examples and statistics from the threat reports in a continuous series to educate users on how to recognize socially engineered threats. Technology cannot catch every attack, but an alert user can help thwart one that makes it past the security filters to the user’s screen.

IT can also use the reports to substantiate budget requests for malware protection, and also for vulnerability management and virtualization projects. The threat reports are designed to create demand for vendor offerings for an increasingly dangerous Internet. For example, Microsoft reports that application-level attacks against Microsoft Office leverage vulnerabilities that could have been patched over 3 years ago. IT can use this information to highlight the need for application-level patching and vulnerability management, and also to negotiate for help from service providers for home computers or to work with a cross-functional team to evaluate IT-controlled virtual desktops.

While there’s been no shortage of Web-based threats since the Melissa virus a decade ago, let’s hope that at some point the vendor-sponsored threat reports will show classes of attacks subsiding, because security software has done the job it was hired to do.
At a minimum, more vendors need to include recommendations on protective actions while the security industry concocts an antidote. For now, every major vendor is producing a threat report that can best be used to evaluate IT security policies and educate the company.

Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.


Healthcare security spending remains sluggish, report shows

According to a new survey of IT executives, IT security spending in the healthcare industry remains low, despite federal incentives to convert patient information to electronic healthcare records (EHR) and the security provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH). Security still accounts for 3% or less of overall IT spending in a substantial majority of healthcare organizations, virtually unchanged from last year, according to a survey conducted by the Healthcare Information and Management Systems Society (HIMSS). More than one-fifth of the 196 respondents (mostly CIOs and CSOs) to the “2009 HIMSS Security Survey” said security accounted for less than 1% of their budget.

“The IT spend in healthcare tends to be lower than in most other industries,” said David Finn, health IT officer for Cupertino, Calif.-based Symantec Corp., which sponsored the survey.

The HITECH Act has earmarked $19.2 billion of the $787 billion federal economic stimulus package for incentives to encourage EHR conversions. In addition, organizations are required to notify individuals and the Department of Health and Human Services of security breaches of patient health information, and to notify the media if more than 500 residents of the same state are affected. Finn said he was surprised at the continued low level of security spending. He said the weak economy may be one factor, but another is that healthcare organizations are putting more money and IT resources into their EHR conversion rather than security.
“The pressure is to get EMR in place and electronic data exchanges running so you will be eligible for the financial incentives,” he said, “knowing you will have to wrestle with the privacy and security issues at some point.”

The report concluded that despite the regulatory pressures and growing security risks, healthcare organizations made relatively little change between 2008 and 2009 in a number of important security policy, process and technology areas. Nevertheless, the low spending rates notwithstanding, the survey shows evidence that many organizations are implementing good security practices. For example, almost all the respondents collect and analyze audit logs; more than 80% of these review firewall logs, and more than two-thirds monitor IDS and application logs. In addition, more than half of the organizations conduct a formal risk analysis at least once a year. A large majority use these analyses to determine where they need to shore up security controls and to monitor the success of the controls that are in place. On the negative side, while almost all said they investigate security incidents, only about half have an incident response plan in place.

The survey showed some investment in various forms of security technologies beyond firewalls and user access controls. Use of encryption ranged from mobile device encryption (35%) to encryption of data in transmission (67%). Two-thirds of the healthcare organizations are using intrusion detection/prevention, and about a quarter have some form of data leak prevention in place.


iPhone worm Rickrolls jailbroken phones

Nov 9 2009 2:15PM GMT Posted by: Robert Westervelt

Security researchers warn iPhone users of the ikee worm, which uses SSH default passwords to hack the smartphone and change the wallpaper to a Rick Astley photo. A hacker from Wollongong, New South Wales is claiming responsibility for the new ikee worm, which started to infect jailbroken iPhones in Australia and is a possible threat to iPhone users in other countries. The worm, which the SANS Institute Storm Center calls very simple, scans certain IP addresses and uses Cydia (a replacement packaging and repository manager for jailbroken iPhones) to try to log in to the IP address as root. It’s easy to determine whether your jailbroken phone has been infected: the end result is a wallpaper image of ’80s pop singer Rick Astley. The worm’s author, who goes by the name Ash/ikex, said he was bored and wanted to shed light on iPhone users running SSH without changing the default password.


Brief: iPhone worm spreads via default password

Published: 2009-11-09

An iPhone worm has started jumping between jailbroken devices, taking advantage of users who have replaced the phone’s software but failed to set a new root password, security firm F-Secure stated on Monday. The worm, dubbed “Ikee,” replaces the phone’s wallpaper with a picture of Rick Astley, the singer whose song “Never Gonna Give You Up” has become infamous as the punchline of the Internet prank known as “rickrolling.” Once on a phone, the program scans a limited number of IP addresses belonging to networks mainly in Australia, according to F-Secure.

“The creator of the worm has released full source code of the four existing variants of this worm,” Mikko Hyppönen, chief research officer for F-Secure, stated in a blog post. “This means that there will quickly be more variants, and they might have nastier payload than just changing your wallpaper or might try password cracking to gain access to devices where the default password has been changed.”

Since the iPhone’s debut in 2007, security researchers have focused on hacking the popular device. Last summer, consultant Charlie Miller and student Collin Mulliner discovered a way to exploit the phone using the common short message service (SMS). The bug was short-lived; Apple fixed the issue a month after it was announced. The Ikee worm does not affect iPhones that have not had their operating systems overwritten, a process known as jailbreaking that allows users to install software and programs not approved by Apple.

Posted by: Robert Lemos


Brief: Point-and-click forensics tool leaks to Net

Published: 2009-11-09

Microsoft’s point-and-click forensics tool, normally only available to law enforcement agencies, has leaked to the Internet and is available to download on some peer-to-peer networks, according to reports. The tool, known as the Computer Online Forensic Evidence Extractor, or COFEE, allows non-technical police officers to collect digital evidence by merely inserting a USB device into a computer. The leak follows Microsoft’s announcement last month that it was making the tool available to U.S. law enforcement. The company had previously offered it only to international law enforcement agencies.

Several security researchers reported that they had been able to download a program from sources on the Internet that claimed to be the forensics software. The program first appeared on what.cd, according to news reports. COFEE is a technology that is currently being jointly developed by INTERPOL, Florida State University and University College at Dublin. The device allows investigators to collect volatile information, such as active process information and network data, that might otherwise be lost if the target computer were shut down, Microsoft says on its Web site.

Microsoft first announced it would be giving away the tool in 2008, but only to international law enforcement agencies. Last month, the company announced it would also provide U.S. law enforcement with the technology for free. The company announced the initiative in October as part of its Digital Crimes Consortium, a conference aimed at airing current issues in cybercrime and online investigations.

Posted by: Robert Lemos


Sri Lanka buying gold ‘to diversify reserves’

COLOMBO (AFP) – Sri Lanka’s central bank on Saturday said it has been buying gold to diversify its reserves amid volatile currency markets, days after India announced it had purchased 200 tonnes of the precious metal.


Partner Engage 2009: Symantec unveils new programs, incentives for VARs

ORLANDO – Enrique Salem wants Symantec Corp.’s VARs to know that not only is the security giant recommitting itself to the channel, but also that a key part of that effort will involve helping channel customers use technology to secure sensitive data. Salem this week delivered his first keynote at Symantec’s annual Partner Engage conference as the vendor’s president and chief executive officer, a position he assumed in April following the retirement of long-time Symantec CEO John Thompson.

The theme of the conference centered on what Symantec called “The Four R’s”: revenue, readiness, relevance and reputation. These four ideas were infused through all of the executives’ presentations for the approximately 380 VARs in attendance. Without significant, recurring revenue, Symantec will be unable to reach its goals as a company, said Randy Cochran, vice president of American channel sales at Symantec. Cochran also stressed that Symantec must invest in tools that will make partners as effective as possible, a sentiment that he described as “readiness.” He went on to explain that with a product landscape as broad as Symantec’s, partners must work to stay familiar with all the latest offerings. If partners cannot express the value of these products to customers, they will surely not be relevant, no matter how effective the products may be. Reputation, which Cochran listed as the most important idea, is a concept that the Symantec executives believe to be a combination of three things: partners’ reputations, Symantec’s reputation, and the reputations of their customers. In order to best protect partners’ investments, all three must be taken into consideration.

Salem, who made an effort to be a visible presence throughout the event, stressed the important role that VARs play in Symantec’s No. 1 goal, which is to become not only the largest security vendor in the world, but also the best.
He also advised the partners that their jobs were to simplify security for their customers, while stressing the major role that data loss prevention (DLP) would play in that effort. “We will have DLP everywhere,” Salem said. “We’ll put DLP in everything our customers do.” Salem also predicted that for every year he is at the helm, the Mountain View, Calif.-based company’s channel will continue to grow. To back up this prediction, Symantec unveiled some new additions to its partner program geared toward helping its VARs increase business and productivity.

Symantec partner program announcements

Foremost among those channel program enhancements is the launch of SymDemo, a virtual tool that allows VARs to demonstrate how Symantec’s products work. Rather than needing a VPN connection to their own environments or the actual equipment to show customers the value of certain products, all partners need is a laptop and an Internet connection. Running on a cloud-based platform, the tool consists of 30 demos and over 80 virtual machine images. SymDemo provides partners with training as well as the opportunity to explore products and tools intended to help customers make a more educated investment. “This will drive more revenue, I promise you that,” Cochran said. The tool is expected to save partners time and money when presenting new products to customers. “It’s very useful, because in the past, we’ve had to have powerful notebooks to run these demo machines, and that demands a lot of money,” said Silvio Eberardo, a Symantec partner based in Brazil.

Another addition that received positive reviews from partners is an enhanced authorized renewals program. This initiative rewards incumbency by giving partners more incentive to re-sign existing customers and in turn develop new opportunities with them. “Renewals are in many cases opportunities to have a conversation with the customer about what else we can do,” Salem said.
This program is available for gold and platinum Symantec partners in the U.S., and silver, gold and platinum partners in Canada. A new specialization was unveiled at the conference as well, focusing on enterprise partners. The specialization consists of training and certifications that will better prepare partners to work with enterprise customers. It was spawned after its SMB specialization counterpart performed well for the company and for partners. Partners will need to acquire accreditations in the Symantec Protection Suite Enterprise Edition. In exchange for the accreditations, partners will receive more incentives. Cochran believes this specialization is a step in the right direction as far as customers are concerned. He believes that customers want solution providers to assume the trusted advisor role, but also to have an in-depth knowledge of the market segment on which they focus. The specialization will launch with more details in late 2009. Symantec Connect, the company’s online community, has added a partner-specific aspect. This addition to the community will allow partners to collaborate and learn from their peers. It will also serve as a way for Symantec to communicate more directly with partners. Big Yellow also announced a services offering called the “Sell With” program. Currently in pilot mode, it will give partners closing new deals in the enterprise, midmarket or SMB space the opportunity to also deliver whatever services can be attached to the deal, with no competition from Symantec’s internal service team. “The program aligns our goals with Symantec’s, and it really drives a very strong relationship at the field level,” said Feris Rifai, CEO and founder of Bay Dynamics, a San Francisco-based partner. “It eliminates any conflict that Symantec Services would’ve had with its partners.” Partners seemed enthusiastic and encouraged by Symantec’s announcements. 
While they, for the most part, were impressed by the announcements and presentations, some thought it was still too early to judge exactly how effective the new programs and incentives will be. “We’re cautiously optimistic about where Symantec is headed,” said William H. Santos, general manager of services development for SHI International Corp., an IT products and services company based in Piscataway, N.J. “We’d like to see more than a few paragraphs on some of these programs, but if there’s content behind the announcements, then we’re very excited.”


Israeli Mossad add Trojan Horse to Syrian laptop

Nov 6 2009 2:18PM GMT Posted by: Robert Westervelt

Data-stealing malware helped Israeli spies reap data from an official’s laptop. Sophos security guru Graham Cluley writes today about the Mossad, Israel’s intelligence-gathering operation, and how spies there gained access to a Syrian official’s laptop and uploaded a Trojan to collect data. According to German magazine Der Spiegel, the data collected using the malware helped Israeli officials plan a bombing run against a suspected Syrian nuclear facility in 2007. According to the Der Spiegel story on the Syria bombing:

The hard drive contained construction plans, letters and hundreds of photos. The photos, which were particularly revealing, showed the Al Kibar complex at various stages in its development. At the beginning — probably in 2002, although the material was undated — the construction site looked like a treehouse on stilts, complete with suspicious-looking pipes leading to a pumping station at the Euphrates.

As Cluley puts it, the Israeli operation is an example of how cyberespionage is very much happening around the world. Reports seem to trickle out a few times a year about malware found on government computers in the United States and abroad. Spyware has evolved to the point where many variants remain undetectable by antivirus programs, and no doubt intelligence-gathering operations around the world are using it on any systems connected to the Internet.


Fragus exploit pack’s pricy business model locks users in

Nov 6 2009 2:00PM GMT Posted by: Robert Westervelt

The $800 attack toolkit comes with a self-destruct mechanism that triggers after a certain time period. Security researchers at Symantec are closely monitoring the Fragus exploit pack, an $800 package of tools developed by cybercriminals to enable users to set up attack websites. Their latest findings have identified an effort by the toolset’s writers to clamp down on how the pack is used, no doubt an effort to keep the revenue stream open long after someone plunks down the hefty chunk of change needed to buy Fragus. The blog entry, written by Peter Coogan with help from researcher Cathal Mullaney, includes several screenshots of the exploit kit the researchers found in use on a specific domain. The toolkit they found was in use in September and October and targeted users in Spain and Germany. Symantec said the toolkit is one of the most popular, but we’ll have to see how the authors’ clampdown affects its popularity. The authors restrict files to run on specific IP addresses and servers, meaning that if an owner of the kit wants to make a change, they have to go back and get a software update to do so. The toolkit also contains a self-destruct mechanism, expiring files after a certain time period. Despite the limitations, the toolkit’s popularity must mean that it is a big – real big – money maker for cybercriminals. A person willing to give up $800 is willing to accept a lot of risk, and much like the stock market, the more risk you take on, the bigger the rewards.


Microsoft to address flaws in Windows, Office for Mac

Microsoft on Thursday said it plans to release six bulletins next week, including three critical bulletins, addressing flaws in Windows and Microsoft Office products. The announcement was part of Microsoft’s Advance Notification to customers. The security updates will be released Nov. 10 as part of the software maker’s monthly Patch Tuesday cycle. The three critical bulletins address flaws that could allow remote code execution, Microsoft said. The security updates affect Microsoft Windows 2000, XP, Vista and Windows Server 2008. The updates affecting Microsoft Office components are rated important and affect Microsoft Excel and Word Viewer. The update also affects Microsoft Office 2004 and 2008 for Mac.

Security experts said one of the bulletins, which addresses flaws that could result in a denial-of-service condition, applies to nearly all Windows versions and may be the most serious. HD Moore, chief security officer and chief architect of Metasploit, said the flaw could be in a common API such as the graphics device interface (GDI).

Last month Microsoft issued 13 bulletins, patching a record 34 vulnerabilities across its product line. One of the October bulletins, MS09-054, which addressed four flaws in Internet Explorer, was reissued by Microsoft this week to repair a problem with the patch. The update caused IE to render webpages improperly by miscalculating objects on the page. Microsoft’s October bulletins also contained the first security update for Windows 7, addressing ActiveX control issues that resulted from components built using a flawed version of the Microsoft Active Template Library.

