Category: News

Those feeble grades federal agencies have received recently–one report card had an average grade of a D+–means the government will continue to spend heavily on cybersecurity-related IT.

A study by government IT market-intelligence firm Input projects federal IT cybersecurity spending will grow 27% over the next five years. “The effects of 9/11 have changed the way federal agencies approach cybersecurity,” Marcus Fedeli, Input manager of federal opportunity products, said in a statement accompanying the report. “Continued fear over potential terrorist attacks has caused an almost desperate need for improvement of current standards and levels of security. New requirements will cause federal IT security spending to grow steadily this year.”

Among the shortfalls in IT security in federal agencies cited by Input were insecure VPN connections, faulty firewall protection, and the need for customized systems. These vulnerabilities open IT systems to potential fraud, sabotage, and destruction.

Nearly 20%, or the $1.6 billion, of the money that federal agencies are spending this fiscal year on developing, modernizing, and enhancing IT is earmarked for cybersecurity.

“These agencies [will likely] rely heavily on outside contractors to provide the products and services necessary to secure IT systems governmentwide.

http://www.informationweek.com/showArticle.jhtml;jsessionid=ASHSOZUL0AZH0QSNDBNSKH0CJUMEKJVN?articleID=159902278

The Federal Bureau of Investigation plans to work with the National Retail Federation to use technology to fight organized retail theft. The recognition came at a hearing on organized retail theft held recently by the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security.

The FBI’s first step in launching a formal Organized Retail Theft Initiative was the formation in 2004 of the National Retail Federation/FBI Intelligence Network, Swecker said. The network is meant to increase collaboration among the FBI, state and local law enforcement, and retail corporate security to share intelligence, discuss trends, and identify and target potential problems related to theft. “Organized retail theft isn’t petty shoplifting–it’s organized crime, and it has to be stopped.”

Also testifying at Thursday’s hearing was Chris Nelson, director of assets protection at Target Corp. NRF is a member of the Coalition Against Organized Retail Theft and arranged for Nelson to testify on behalf of the coalition.

Organized theft accounts for $30 billion in annual store-level losses, according to FBI numbers, and Nelson said items targeted for theft range from low-cost goods such as razor blades and batteries to high-end consumer electronics and designer clothing.

http://www.informationweek.com/showArticle.jhtml;jsessionid=ASHSOZUL0AZH0QSNDBNSKH0CJUMEKJVN?articleID=159902300

Inspectors posing as technicians from the agency’s help desk called 100 IRS employees and managers and said that a network problem required them to provide their network log-in usernames. The bogus techs also asked the users to change their passwords to one they suggested. 35% of the IRS workers took the bait.

“With an employee’s user account name and password, a hacker could gain access to that employee’s access privileges,” the report said. “Even more significant, a disgruntled employee could use the same social engineering tactics and obtain another employee’s username and password.”

The same phishing-style scam was run by auditors in 2001, when 71 percent of the workers cooperated and changed their passwords.

http://www.techweb.com/wire/security/159901562

Microsoft described how its forthcoming anti-spyware software classifies potentially harmful software and the actions it will let users take to prevent spyware and other malicious software from damaging PCs.

The Windows AntiSpyware security software, current in beta testing, uses a library of more than 100,000 threats to identify potential problems and make recommendations to users as to whether the questionable software should be ignored, quarantined, or removed.

Microsoft’s security software has been highly anticipated because its Windows operating system and applications have been the main target of viruses, worms, spyware, and other forms of malicious software that infect the Internet and servers and PCs.

“With the exception of malicious behaviors, many of the behaviors [of spyware] could have legitimate purposes,” the paper notes. Their solution look for software that practices deceptive behavior, which could mean problems involving providing notice of what’s running on the user’s machine or problems over control of actions taken by the software. They also look for software that collects, uses, and communicates personal information without explicit consent, that circumvents or disables security software, and that slows or damages a computer’s performance, reduces productivity, or corrupts the operating system.

http://www.informationweek.com/showArticle.jhtml;jsessionid=0FCUBMGWHQ3TSQSNDBNSKH0CJUMEKJVN?articleID=159901026

Classified information could not be processed on insecure computers, classified documents had to be stored in locked safes, and so on. The procedures were extreme because the assumed adversary was highly motivated, well-funded and technically adept: the Soviet Union. You might argue with the government’s decision to classify this and not that, or with the length of time that information remained classified. But if you assume the information needed to remain secret, the procedures made sense.

In 1993, the U.S. government created a new classification of information–Sensitive Security Information–that was exempt from the Freedom of Information Act. The information under this category, as defined by a Washington, D.C., court, was limited to information related to the safety of air passengers. This was greatly expanded in 2002, when Congress deleted two words–“air” and “passengers”–and changed “safety” to “security.”

Currently, there’s a lot of information covered under this umbrella. The rules for SSI information are much more relaxed than the rules for traditional classified information.

Before someone can have access to classified information, he must get government clearance.

Before someone can have access to SSI, he simply must sign a nondisclosure agreement, or NDA.

If someone discloses classified information, he faces criminal penalties.

If someone discloses SSI, he faces civil penalties.

SSI can be sent unencrypted in e-mail; a simple password-protected file is enough.

A person can take SSI home with him, read it on an airplane, and talk about it in public places.

People entrusted with SSI information shouldn’t disclose it to those unauthorized to know it, but it’s really up to the individual to make sure that doesn’t happen.

It’s really more like confidential corporate information than government military secrets.

The U.S. government really had no choice but to establish this classification level, given the kind of information it needed to work with. For example, the terrorist watch list is SSI. If the list falls into the wrong hands, it would be bad for national security. But think about the number of people who need access to the list. The U.S. government really had no choice but to establish this classification level, given the kind of information it needed to work with. My guess is that more than 10,000 people have access to this list, and there’s no possible way to give all of them a security clearance.

Either the U.S. government relaxes the rules about who can have access to the list, or the list doesn’t get used in the way the government wants. On the other hand, the threat is completely different. Military classification levels and procedures were developed during the Cold War and reflected the Soviet threat. The terrorist adversary is much more diffuse, much less well-funded and much less technologically advanced.

SSI rules really make more sense in dealing with this kind of adversary than the military rules. I’m impressed with the U.S. government’s SSI rules. You can always argue about whether a particular piece of information needs to be kept secret, and how classifications like SSI can be used to conduct government in secret. But if you take secrecy as an assumption, SSI defines a reasonable set of secrecy rules against a new threat.

http://news.com.com/Common+sense+on+security/2010-7348_3-5616209.html?part=rss&tag=5616209&subj=news

The three largest computer makers–Dell, Hewlett-Packard and IBM–have started selling desktops and notebooks with so-called trusted computing hardware, which allows security-sensitive applications to lock down data to a specific PC. But Microsoft’s plans to take advantage of the technology have been delayed, meaning the software heavyweight likely won’t get behind it until the release of Longhorn, the Windows update scheduled for next year.

That leaves hardware makers in a rare position: They are leading Microsoft, rather than working to support one of the software giant’s initiatives.

“Our success is not dependent on Microsoft,” said Brian Berger, executive vice president at security company Wave Systems and the marketing chair for the Trusted Computing Group. “When Microsoft comes on board with some of what they have talked about, it will be that much better, but this is not a Microsoft-centric activity.”

The Trusted Computing Group, the industry consortium that sets specifications for the specialized hardware, has had to rely on other software makers to demonstrate the benefits of running a trusted PC. Largely a footnote in 2004, the technology is set to take off this year, with the top three PC makers shipping laptops and desktops equipped with hardware security.

Dell, the last holdout, announced that it had added the security technology to its latest line of notebooks on Feb. 1.

In 2005, more than 20 million computers will ship with the trusted platform module, up from 8 million in 2004, according to estimates from research firm IDC.

The technology locks specialized encryption keys in a data vault–essentially a chip on the computer’s motherboard. Computers with the feature can wall off data, secure communications and identify systems belonging to the company or to business partners. That means companies can improve the security of access to corporate data, even when the PC is not connected to a network.

Microsoft is a significant proponent of trusted computing. When it first publicized plans in 2002 to create a security technology known as Palladium, it said that its software component might be released as early as the end of 2004. At the time, digital-rights advocates raised concerns that the technology could be used by software makers and media companies to control people’s PCs, putting Microsoft on the defensive.

What’s new: The top three PC makers have started selling models with encryption hardware, even though Microsoft’s software for the technology has hit delays.
Bottom line: That leaves hardware makers in a rare position: They are leading Microsoft, rather than working to support one of the software giant’s initiatives.

http://news.com.com/Hardware+security+sneaks+into+PCs/2100-7355_3-5619035.html?part=rss&tag=5619035&subj=news