admini – Page 270 – CyberSecurity Institute

Browsers to get sturdier padlocks

Posted on December 12, 2005December 30, 2021 by admini

“We as an industry must look into trust threats,” said Melih Abdulhayoglu, chief executive of Comodo, a certification authority based in Jersey City, N.J., that set up the first CA Forum meeting.

The lock icon was designed to assure consumers that online transactions, such as banking and shopping, are protected. As such, it’s key to Web commerce, a big business: Forrester Research predicts online retail sales in the United States will grow from $172 billion this year to $329 billion in 2010. Initially, all certificate providers performed thorough checks of applicants before they issued a security certificate for a Web site.

Several years ago, however, some providers relaxed their background checks in order to offer cheaper certificates, and the rest of the market followed, industry members said. All sites with an SSL certificate get the same padlock display. “Web browsers have not been able to deal with the different kinds of certificates, which meant that it did not matter how strong the verification was by the certification authority, and some took advantage of that,” Gartner analyst John Pescatore said. That changed when some certification authorities started lowering their verification standards and discounting certificates, said Judy Shapiro, vice president of marketing at Comodo. “Browsers were unprepared to display high assurance and low assurance certificates in a different way.”

But that is set to change next year, with Microsoft planning to release Internet Explorer 7 and makers of other Web browsers also contemplating changes in the way their applications handle SSL certificates. The move by browser makers is partly why certification authorities such as VeriSign, Comodo, GeoTrust and Cybertrust are banding together in the CA Forum to come up with an industry wide agreement on a new, highly verified certificate. The certificate authorities are working to make the vetting process for the new high-assurance certificates objective and consistent across the industry.

Developers for Firefox, Opera and Konqueror are also considering adding new display mechanisms to the padlock to call out the strongly encrypted and strongly validated certificates.

http://news.com.com/2102-1029_3-5989633.html?tag=st.util.print

Gartner: Stop mission-critical BlackBerry use

Posted on December 7, 2005December 30, 2021 by admini

Analyst firm Gartner has advised its clients to halt all mission critical deployments of RIM’s BlackBerry email devices because of a legal battle that could see a judge effectively shut down the company’s US operations.

Patent-holding firm NTP contends that it owns the patents for the technology that powers the BlackBerry.

The research note advises enterprises to “stop or delay all mission-critical BlackBerry deployments and investments in the platform until RIM’s legal position is clarified” because “US BlackBerry users would lose messaging services…and international users would lose message service while travelling in the US”.

However, Gartner expects the two companies to reach a settlement within three weeks, because an agreement would be “in both companies’ interests”.

There is a possibility RIM could bypass the patent dispute by deploying a workaround but Gartner said this path could be “highly problematic”.

According to Gartner, enterprises should “not sign any agreements that could involve them in the RIM/NTP dispute” and “demand that RIM discloses its workaround plans”.

http://hardware.silicon.com/pdas/0,39024643,39154879,00.htm

Security threats soar in 2005

Posted on December 7, 2005December 30, 2021 by admini

The huge increase in the number of malware programs stems from the activities of criminal gangs intent on using trojans, worms and viruses to make a profit, according to a new report from anti-virus software firm Sophos, entitled the Security Threat Management Report 2005.

These gangs have been focusing their efforts on a smaller number of victims, who are targeted with customised malware, so that the creators of the virus can evade the attentions of anti-virus software vendors and security providers. “Internet criminals may be turning their back on large scale attacks not only because they do not wish to draw attention to their efforts, but also because they cannot practically handle the amount of stolen data they might receive if they infected hundreds of thousands of computers in one day,” the report noted.

A report published in November 2005 by Financial Insights, an IDC company, estimated that global financial institutions lost USD400 million in 2004 due to phishing schemes. Instead of going for the large financial institutions, cyber criminals are now engaging in what has been dubbed “puddle phishing”, where they target a smaller financial institution that may only have a few branches.

While all of the top ten threats are Windows-based worms, the number of Trojan horses written during 2005 outweighs worms by a ratio of two-to-one.

In 2005, the Zafi-D virus has topped the Sophos list as the most prevalent virus on the internet. The most prevalent virus in 2004, Netsky-P, has dropped to second place this year. Sober-Z – which was only unleashed in November 2005 – has already climbed to third place as it continues to disrupt and clog networks worldwide. The other viruses in the top 10 were Sober-N, Zafi-B, Mytob-BE, Mytob-AS, Netsky-D, Mytob-GH, Mytob-EP.

http://www.theregister.co.uk/2005/12/07/sophos_2005_security_survey/

Mobile Security for Global Businesses

Posted on December 6, 2005December 30, 2021 by admini

Workforces in enterprises today are increasingly becoming mobile. All this information seamlessly crosses the internal network boundaries to locomote the internet and come back into the network. This tight coupling, between the enterprise?s internal-network with the mobile user through the internet threatens the existing security initiatives in any enterprise.

The need of the hour is to provide a high level of security without reducing overall performance or increasing costs. This involves securing the entire tunnel of communication between the employee and application.

Previously vendors provided only mobile connectivity solutions containing simply an anti-virus as a security element in the entire mobile connectivity solution.

However, new generation solutions from mobile connectivity solution vendors include a suite of Internet protocol security (IPSec) virtual private network (VPN) based products/solutions for enterprises that need to secure remote access from a remote location by a mobile worker into the corporate networks via mobile devices.

According to Mr. Shende, Director Technology practice with Frost & Sullivan, “Securing mobile users by using secure mobile connectivity solutions helps an enterprise ensure secure connectivity for an employee in a remote location to access the vital information residing inside a company?s network and carry on the transactions just as if he/she was working on the local intranet when in office.

http://www.zdnetindia.com/zdnet2005/mediaturf/top_728x90_1.html

Computer security incidents cost NZ businesses millions

Posted on December 6, 2005December 30, 2021 by admini

“It’s disturbing that the number automatically updating their internet security systems has dropped,” Mr Peterson said, down from 90.3 per cent in 2004 down to 75.2 per cent in 2005.

“Though more businesses are allowing staff access to the internet at work – now up to 65 per cent – staff internet policies have not kept pace, while training on safe internet practices has dropped from 67.2 per cent in 2004 to 55.9 per cent in 2005.

Overall 88 per cent of respondents have installed antivirus software; 77 per cent have in place firewall software or appliance; and overall 63 per cent have spam filtering.

Fifty-one per cent of total respondents have been the target of a phishing expedition, the study showed and businesses are receiving an average of 98 spam emails per day.

This year, five per cent of the survey sample report getting 51-100 spam emails a day compared with 12 per cent reporting the same volume in the last survey.

http://www.nbr.co.nz/home/column_article.asp?id=13723

Eight steps for integrating security into application development

Posted on December 6, 2005December 30, 2021 by admini

Most organizations spend a tremendous amount of resources, time and money to protect their network perimeters from Internet-borne threats and hackers. But no matter how good a defense may be, it usually falls short in addressing the vulnerabilities inside the network at the application layer.

Recent research findings indicate that the application layer is one of the highest-risk areas and where the most potential damage can occur, either through insider targets or lack of protection. As a result, confidential company information can be exposed, resulting in harm to a company, its customers and its reputation. While many variables affect Web application security, improving security in a few key areas can help eliminate vulnerabilities.

It’s critical that security be included in the initial Web design and not retrofitted after the application is developed. While some experts argue over where and when security integration and testing should be applied in the development life cycle, no one would argue that it has become an essential ingredient.

The software industry is making headway in this area, with some providers offering incentives to development teams to integrate security during the application development process. Integrating security into the application development life cycle is not an all-or-nothing decision, but rather a process of negotiation within policy, risk and development requirements. Engaging security teams — in-house or outsourced — during the definition stage of application development determines the security areas necessary to satisfy policy and risk tolerance in the context of the organization.

http://www.computerworld.com/securitytopics/security/story/0,10801,106805,00.html