Security News Curated from across the world
This isn’t the first time that phishers have used the FDIC as a disguise to trick consumers.
Earlier this month, the Anti-Phishing Working Group detected a less sophisticated scam that tried to get users to give up their credit card account numbers, Social Security numbers, and PINs.
http://www.securitypipeline.com/news/47902805;jsessionid=H4IZU5N52KWUCQSNDBCCKHY
Microsoft this week reiterated that it would keep the new version of Microsoft’s IE Web browser available only as part of the recently released Windows XP operating system, Service Pack 2.
That, say analysts, is a steep price to pay to secure a browser that swept the market as a free, standalone product. “It’s a problem that people should have to pay for a whole OS upgrade to get a safe browser,” said Michael Cherry, analyst with Directions on Microsoft. “We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows,” the company said in a statement.
Three years have passed since Microsoft introduced its last new OS, and its upcoming release, code-named Longhorn, has been plagued by delays. Microsoft last month scaled back technical ambitions for Longhorn in order to meet a 2006 deadline.
Those ongoing security updates do not, as Microsoft points out, include the latest security fixes with Service Pack 2, released last month. Now it’s unclear whether even half the Windows world will have access to the shored up IE.
Of Microsoft’s approximately 390 million operating system installations around the world, Windows XP Pro constitutes 26.1 percent, Windows XP Home 24.7 percent, IDC said.
http://news.zdnet.co.uk/internet/security/0,39020375,39167607,00.htm
‘Extending enterprise networks overseas, as a result of increased outsourcing, can create new problems,’ managing vice president Victor Wheatman told delegates at the Gartner IT Security Summit in London this week.
Emerging technology such as web services and wireless personal devices will also expose new holes in IT security plans, he says. ‘Each new technology and way of doing business brings with it a whole range of new IT security concerns,’ he said. ‘And each new wave of technology obliterates the security architecture appropriate to its predecessor, opening the enterprise up to an ever increasing raft of security risks.’
Cybercriminals will be an increasing risk, developing ever-more sophisticated methods of making money using spyware, phishing and spam, says Wheatman.
Gartner says businesses should also put more pressure on vendors to remove security flaws before products are launched. The analyst predicts that a 50 per cent reduction in software vulnerabilities before shipping could remove 75 per cent of configuration management and incident response costs incurred by businesses.
The key to secure business is management improvement, with the most secure firms spending less than average, he says. The lowest-spending 20 per cent of firms are also the most efficient and will safely reduce security spending to only three to four per cent of their total IT budget, says Wheatman.
But to achieve this, investment must shift from product-based purchasing to implementing better-designed risk management processes. ‘We will constantly see new risks because technology and business processes don’t stand still,’ said Wheatman. ‘It’s about keeping the bad guys out, while letting the good guys in and keeping the wheels on.’
http://www.vnunet.com/news/1158271
Upcoming smart phone will feature a mobile version of F-Secure’s antivirus software.
Finnish mobile phone manufacturer Nokia will offer mobile antivirus software through F-Secure as one of the features in its new Nokia 6670 smart phone when it is released in October, the companies announced this week.
The Symbian OS smart phones will provide on-device protection, similar in fashion to antivirus protection programs for PCs, with automatic over-the-air antivirus updates for a monthly fee.
The software will not come loaded into the device, but can be downloaded from the F-Secure Web site, according to Nokia spokesperson Karoliina Lehmusvirta.
The Nokia 6670 will be the first mobile phone in its Series 60 line to offer the mobile virus protection, though users of other Series 60 mobile phones will also be able to purchase the antivirus protection software, “perhaps as early as October,” Lehmusvirta says.
F-Secure is also in talks with other handset manufacturers about offering similar antivirus protection, according to Matias Impivaara, business manager for mobile security services for F-Secure of Helsinki.
“This announcement is a starting point for us and we have been testing the service with a variety of handsets from different vendors and in several operator networks,” Impivaara says.
Nokia, based in Espoo, Finland, already offers antivirus software through F-Secure for its Communicator line of mobile devices, but Impivaara says the protection offered for the Nokia 6670 is a greatly improved version in terms of both features and pricing options.
“The first general offering for the mobile antivirus software came a couple of years ago, but this version has a whole new infrastructure,” Impivaara says.
“For example, it has a patented SMS [short message service] update mechanism and HTTPS [Hypertext Transport Protocol Secure] connections.
Lehmusvirta stresses that there is nothing about the Nokia 6670 that makes it particularly susceptible to viruses and that Nokia knows of no capabilities within any of its devices that a virus might exploit.
After a series of three malicious program targeting wireless devices were discovered in between June and August, security specialists stepped up their warnings of the pending possibility of serious attacks against mobile phones and PDAs.
F-Secure claims its mobile antivirus software service is the first commercially available product for protecting Symbian OS smart phones but IDC analyst Paolo Pescatore says similar programs can be expected in the very near future.
http://www.pcworld.com/news/article/0,aid,117904,pg,1,RSS,RSS,00.asp
The company, which has built a server device that runs several identity protocols at once, announced earlier this week that it has hired Robert Thomas, NetScreen’s former CEO, as its own chief executive.
While at NetScreen, Thomas grew the company from a development-stage start-up with 31 employees to a flourishing public company with 950 employees. He also helped bring the company to a successful initial public offering in 2001. In February 2004, he helped sell the company to Juniper Networks in a deal worth $4 billion. Now Thomas is looking to do it all over again. “I was very fortunate that we were successful at NetScreen,” he said. “I learned lots of lessons that I hope to apply here.”
Infoblox, founded in 1999, has developed a server device that allows companies to run several identity protocols such as DNS, DHCP, Radius and LDAP at once, instead of running them on separate platforms like most companies do today.
Thomas argued that the old approach adds complexity and expense to the network. These standard protocols, some of which have been around for nearly a decade, are used to help large companies and service providers apply security policies to their networks.
Domain Name Service, or DNS, is used in the public Internet and private intranets to translate names of host computers into IP addresses.
Dynamic Host Configuration Protocol, or DHCP, allows computers to get temporary or permanent IP addresses from central servers.
Remote Authentication Dial In User Service, or Radius, is the de facto standard for authenticating users accessing networks remotely.
And finally, Lightweight Directory Access Protocol, or LDAP, is the standard protocol for clients accessing directory servers.
These protocols have become even more important to networking, because companies are now using them as part of an end-to-end security architecture. For example, Cisco and Microsoft plan to use Radius in their architectures, allowing networking devices to check the health of end points before they connect to the network.
Thomas compared today’s identity server market to that of the security market before NetScreen came on the scene. Like the identity market, companies bought point products for every security function, such as firewalls and virtual private networks.
NetScreen was one of the first companies to introduce a product that allowed customers to buy a single device that offered several security functions. Over the past couple of years, sales of these products have risen considerably.
“It’s a natural product evolution in product development to collapse functionality onto a single device to make it easier and simpler to use,” Thomas said. Although he believes Infoblox has an excellent strategy and product, Thomas acknowledged that one can’t build a company hoping that it will simply be acquired.
http://news.com.com/Ex-NetScreen+CEO+takes+on+new+start-up/2100-1033_3-5379059.html?part=rss&tag=5379059&subj=news.1033.5
E&Y contacted 1,233 organizations representing 51 countries for its “Global Information Security Survey 2004,” a report meant to gauge enterprise perceptions of security. “Perhaps the remarkable thing is how little attitudes, practices, and actions have changed since 1993 — during a period when threats have increased significantly,” the report states.
The survey found that only 28 percent of global respondents noted “raising employee information security training or awareness” as a top 2004 initiative, despite the fact that a “lack of security awareness by users” was their top IT security obstacle.
Sixty-seven percent of the organizations surveyed view information security as being an important part of achieving their organizations’ overall business goals and objectives.
Employee misconduct involving information security was noted by 60 percent of respondents as being a high-level concern for organizations over the next 12 months. They were noted by 68 percent of respondents as being responsible for an unexpected or unscheduled outage of a critical business system.
In contrast to the incidents reported from those external threats, incidents originating from former or current employee misconduct were noted by only 24 percent of respondents.
In 2003, 21 percent said the spending would increase significantly while 40 percent said it would increase slightly.
Earlier this year, research firm IDC reported 59 percent of its survey base indicated that IT security spending would increase.
Company chiefs are aware of the threats of information security breaches posed by their employees, but are failing to safeguard their assets against insider attack. Keeping control of security will only get more difficult as organisations move toward increasingly decentralised business models through outsourcing and other external partnerships, Ernst & Young’s 2004 Information Security Survey warns.
“Companies can outsource their work, but they can’t outsource responsibility for its security,” Edwin Bennett, global director of Ernst & Young’s technology and security risk services, said.
“Fewer than one-third of those companies conduct a regular assessment of their IT providers to monitor compliance with information security policies – they are simply relying on trust.
Organisations have to demand higher levels of security from their business partners.”
The Ernst & Young survey found that organisations remain focused on external threats such as viruses, while internal threats are consistently under-emphasised. Companies will readily commit to technology purchases such as firewalls and virus protection, but are hesitant to assign priority to human capital. And that leads to “damage from insiders’ misconduct, omissions, oversights, or an organizational culture that violates existing standards”.
More than 70 per cent of the 1,233 organizations questioned by Ernst & Young failed to list training and raising employee awareness of information security issues as a top initiative.
That’s just not good enough, it says. “More could and should be done to transform the skills and awareness of their people, who often present the greatest opportunity for vulnerabilities – and convert them into its strongest layer of defence,” Ernst & Young’s Bennett concludes.
http://www.internetnews.com/stats/article.php/3412331
http://www.theregister.co.uk/2004/09/23/insider_risk/