Month: October 2004

“Enterprises are more exposed than a year ago.The hackers have won!” said Eli Barkat, managing director of venture capital firm BRM Capital, who has been involved in investing in security firms. Barkat cited a lack of innovation in the security industry as why the situation has not improved.

Mike Dalton, president of McAfee in Europe, the Middle East, and Africa, agreed that the security situation is dire, but said that innovation was not necessarily the roadblock. A major problem is a lack of integration in security products, he said.

And while all the experts predicted further consolidations among security companies, that will not necessarily lead to more comprehensive, integrated products, they said. “Today the security business is very diverse and very complex,” said Phillip Dunkelberger, president and CEO of encryption company PGP. “You have four or five different point solutions and they don’t all work together.”

Yanki Margalit, president and CEO of digital rights management provider Aladdin Knowledge Systems, agreed that enterprises are more exposed than ever, but did not put the blame squarely on security companies’ shoulders. There are so many threats,” Margalit said. Part of the remedy would be widely available tools that help developers check the security of the applications they are building, commented Barkat, adding that he hopes Microsoft takes a leading role.

On the subject of the software giant, the experts were divided on the work the company is presently doing on the security front. “Microsoft is clearly not doing a good job at security. Most people in this room who work in security have their jobs because of Microsoft,” Dalton said. They did a horrible, terrible job (in the past) but now they are serious. I believe that they will be a very strong security player and force the rest of the industry to be niche players,” Margalit said.

While the speakers gave no clear direction on the path the industry needs to take to truly alleviate companies’ security woes, they did have some words of advice.

Invest in integrated security products and avoid security appliances whose architecture changes after a few years, Barkat said.

Forget about white lists, which normally refers to a list of e-mail address from which you agree to get mail, thinking they are safe.

You will fail if you try to define everything you can do, Margalit said.

“We need to get out of the defense mode and allow companies to go on the offensive,” Dunkelberger said.

Despite the various opinions, on one point at least everyone seemed to agree. “The existing security situation sucks,” Barkat said, to resounding nods from attendees.

http://www.nwfusion.com/news/2004/1012etreent.html

Among the more than 20 patches that Microsoft released Tuesday, none were for the aged operating system, which saw its security fix support end June 30, 2004.

Microsoft will only release free fixes for OSes like NTW4 when a vulnerability is actively exploited on the Internet.

“Microsoft is being shortsighted in not publicly releasing fixes for critical holes in NTW4,” wrote Gartner analysts Michael Silver and Neil MacDonald in an advisory published. “[It] risks a public-relations nightmare if an attack based on the unpatched vulnerability shuts down a major corporation or government agency.”

The pair urged that Microsoft “set a higher standard for the security support of older products” by extending fixes to NTW4. That’s doable, they added, since such fixes are already available.

Companies that have signed $200,000 custom support contracts with Microsoft receive security patches on older, non-supported operating systems. “Microsoft has already developed NTW4 patches for customers that have paid for custom support,” Silver and MacDonald wrote.

“But [it] says it does not want to give users a false sense of security by breaking its policy and releasing these fixes publicly.”

Microsoft should rethink that policy, the pair concluded.

http://www.techweb.com/wire/security/50500146

The bulletins aim to patch a total of 22 newly discovered vulnerabilities — a new record for the software maker’s monthly Patch Tuesday program, according to a Microsoft spokesperson.

Experts said IT managers should act fairly rapidly in getting the patches tested and deployed, because any number of the vulnerabilities — especially those that affect Internet-facing systems — could be quickly exploited by newly created or updated network intruders.

Mark Loveless, lead security researcher at the BindView Corp., a Houston-based security and patch management vendor, said he’s not trying to be an alarmist when he suggests that admins act fast in deploying the patches. It’s just that the time it takes from the discovery of a bug to the introduction of a virus or worm that exploits that bug has narrowed considerably in recent years.

Patch Tuesday — or Black Tuesday, as many administrators have taken to calling it — is the second Tuesday of each month, when Microsoft releases the newest fixes for its Windows operating system and related software.

The bulletins released on the most recent patch cycle affect Windows NT, XP and Server 2003, as well as the Excel and Internet Explorer applications. Microsoft on Tuesday also re-issued patch MS04-028 from last month, outlining critical vulnerabilities in the way some applications read and display .jpg picture files.

Loveless explained that the vulnerabilities most likely to be exploited are those that affect public or Internet-facing systems. These include, but are not limited to, the newly discovered vulnerability within the Network News Transfer Protocol (NNTP), a potential exploit within the Windows Server 2003 SMTP (Simple Mail Transfer Protocol) component, and a flaw in NetDDE, which allows different applications to share documents across computers.

They suggest that IT managers take the commonly recommended steps of prioritizing, conducting a risk assessment and testing out all of their non-Microsoft applications for compatibility with the new patches prior to mass deployment.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1015690,00.html

The two countries reached the agreement at the end of a two-day conference Wednesday of the main information technology industry organizations of India and the United States.

“The United States is willing to begin cooperation with appropriate government entities, including in India,” said Michele Markoff, the senior coordinator for international critical infrastructure protection in the U.S. State Department.

Markoff said that only a few months ago, the United States set up a 24-hour, seven-day-a-week monitoring system to watch for hacking or destructive computer and software viruses. But she said monitoring is more effective if done across the globe, with every nation setting up a system to protect its own data and networks and quickly sharing information on attacks.

Just how it would work will be discussed in November when the Information Technology Association of America hosts its Indian counterpart, the National Association of Software and Service Companies, or NASSCOM, the two groups that met in New Delhi this week. While governments are concerned about protecting networks against attacks by terrorist hackers, industry leaders also want to tackle data theft by employees or commercial hackers, computer viruses and unwanted e-mail — or “spam” — that hurts productivity.

http://www.siliconvalley.com/mld/siliconvalley/news/editorial/9909428.htm