Category: News

Their stated goal is to promote more consistent metrics for customers to evaluate products.

The situation, as these upstarts describe it, is a growing market for Web application security–which the Yankee Group tags at $2 billion over the next five years–and suspect claims from vendors about the capabilities of their products.

In a prepared statement, the foursome suggests that some vendors are selling security short. “We are united regarding the minimum criteria that any security product must meet to provide acceptable protection for mission-critical Web applications,” the companies state.

“It’s pretty remarkable that these companies have come together,” says James Slaby, an analyst with the Yankee Group.

http://www.informationweek.com/showArticle.jhtml;jsessionid=J3XAEQLVWKL4KQSNDBNCKHSCJUMEKJVN?articleID=52600320

“You’re talking about hundreds of thousands of people who need to be authenticated,” Andrew Nash said at the RSA Conference in Barcelona. “If we can’t adopt quickly enough, the Internet will become known as a very unsafe place. People won’t have confidence in it and (companies) will bail out, if not put their technology on hold.”

Nash said identity fraud, such as through phishing scams, was partly to blame, and that it was difficult to moderate online identities. How do you know who the end users are? Without having the guarantee of identities, there is a big block to having more e-commerce.”

Phishing, in which fraudsters fake their identity to lure victims into submitting their personal details, has played a large part in identity theft. Customers of many major banks and e-commerce sites, such as eBay, have been the targets of such scams.

Nash said the Liberty Alliance, a user-based security group with members such as AOL, MasterCard and American Express, was trying to push for an identity federation through which companies could share authentication methods, but retain a certain amount of authority.

RSA Security, an electronic security firm in Bedford, Mass., is an active member in the Alliance, and the company said that there were around 30 other organizations trying to solve identity problems on the Internet.

Nash added that organized crime gangs were already targeting businesses to build an e-crime network that fed on e-commerce. “I was at a demonstration recently where there was a lot of interest in Internet monitoring on behalf of law enforcement,” he said. “(It) showed there was a serious amount of organized criminals moving toward specific targets. They were building a system to defragment vendors and business in coordinated attacks.”

http://news.com.com/RSA+sees+looming+identity+crisis+online/2100-7348_3-5440974.html?part=rss&tag=5440974&subj=news.7348.5

The software giant said that it has rewritten Sender ID–a specification for verifying the authenticity of e-mail with Internet Protocol records–to address criticisms of the spec’s earlier incarnation.

Among other changes, Microsoft removed language in its pending patents for SenderID that could have included claims to Sender Permitted From, or SPF, a widely used system for e-mail authentication that was merged with Microsoft’s CallerID for Email to create Sender ID, according to Microsoft’s Ryan Hamlin.

“We wanted to complete what we started,” said Hamlin, general manager for Microsoft’s safety technology and strategy group.

Microsoft has resubmitted the specification to the Internet Engineering Task Force, a technical standards body.

Last month, the IETF shut down the working group that was charged with building consensus for Sender ID and turning it into an industry standard. Consensus became impossible after some people in the open-source community said Microsoft’s patent claims could enable the software company to eventually charge royalties. Others were critical of the system’s inability to work with previously published records in SPF. As a result, America Online and open-source groups pulled their support of Sender ID. And Meng Wong, the architect of SPF, said he would retrench on his technical specification alone.

Microsoft’s Hamlin said Monday that the company has revised Sender ID by making it backward-compatible with 100,000-plus SPF records already published. He also said Sender ID will give e-mail providers a choice to publish records in SPF, which verifies the “mail-from” address to prevent fraud, or in PRA–purported responsible address. PRA records let an e-mail provider check the “display address” of an e-mail in its headers against the numerical IP address of the sender. That process can prevent so-called phishing attacks by spammers who forge the display address. E-mail providers and senders now have the ability to publish in and check the authenticity of e-mail with both methods in Sender ID.

“We’ve been trying to make it as user-friendly as possible. We’ve got the spec to the point where you only have to publish one record for two purposes. I see that as a little victory,” said Wong.

Still, some people in the open-source community are concerned about Microsoft’s other pending patent over Sender ID, which prevents users of the specification from sublicensing it.

AOL said Monday that it has renewed support for Sender ID in its current form. The IETF has granted Sender ID “experimental” status so that the industry can test it, along with competing e-mail authentification proposals, and build consensus that way.

http://news.com.com/Microsoft+reworks+antispam+spec+to+silence+critics/2100-1032_3-5426045.html?part=rss&tag=5426045&subj=news.1032.5

The Liberty Alliance is a group of technology providers and corporations, such as Fidelity and American Express, that is developing a set of industry standards for verifying a person’s identity when he or she accesses Web sites. The consortium, which was founded by Sun Microsystems and others in 2001, has over 150 members now. IBM will also become a board member of Liberty and seek to find a common ground between the Liberty standards and an overlapping set of specifications that IBM backs, according to the company.

The computing giant’s Tivoli Access Manager security software already complies with Liberty. IBM added the support earlier this year. Until then, IBM had stayed clear of Liberty.

The company last year was a co-author of another technical specification, called WS-Federation, which was designed for many of the same tasks as the Liberty standards, such as verifying a network ID across several Web sites at once. However, in July, IBM signed a $50 million deal to build a single sign-on network for Orange, the mobile service provider of France Telecom, which is using Liberty-based software to offer network services to customers. The system will allow users of the Orange cellular network to sign on to the system using either a mobile phone or a personal computer.

With a single ID, the subscriber will be able to access services offered by France Telecom and its partners. The service will allow users to automatically retrieve passwords in a secure manner.

IBM said that it will continue to develop WS-Federation and related Web services security specifications, notably WS-Security. IBM said that it ultimately favors a single standardized method for so-called federated identity management.

Microsoft, too, has its own authentication service, called Passport.

But industry support for that service has never caught on widely and is used only in a limited way by Microsoft and its close partners.

http://news.zdnet.com/2100-9588_22-5420814.html?tag=adnews

A plan is under way in the ever-evolving National Cyber Security Division of the DHS to extend the tenure of Andy Purdy, the group’s interim chief, and augment the position with a part-time outside consultant with direct ties to the private sector. The move, observers say, would enable the division to tackle head-on such prevalent issues as security vulnerability.

The effort is the result of a power vacuum created when Amit Yoran resigned last month as NCSD director. Subsequently, Purdy, one of Yoran’s deputies, was appointed interim director of the NCSD. It now appears that top DHS officials are content to leave him in that position for now and, contrary to early reports, are in no hurry to find a permanent replacement for Yoran.

Purdy, a longtime veteran of federal government service, is known for his ability to work inside the Beltway and get things done—a skill vital to moving the National Strategy to Secure Cyberspace forward, insiders say.

“That is a solid move,” said Alan Paller, director of research at The SANS Institute, based in Bethesda, Md. “They wouldn’t have done that if they were going to bring in someone else right away.”

But Purdy will not be going it alone. Howard Schmidt, former chairman of the now-defunct President’s Critical Infrastructure Protection Board and now chief security officer at eBay Inc., is working with US-CERT as a consultant to the DHS and will be advising Purdy and others.

Schmidt, who also served as Microsoft Corp.’s chief security officer and is a former federal agent, is among the more respected members of the security community, both inside Washington and in the private sector. His involvement with the DHS will be indirect and on a part-time basis, but his presence gives the department a trusted conduit into the private sector, a necessity to implement its strategy.

One area where cooperation with the private sector is key is in the effort to reduce vulnerabilities.

http://www.eweek.com/article2/0,1759,1677370,00.asp?kc=EWRSS03119TX1K0000594

“Enterprises are more exposed than a year ago.The hackers have won!” said Eli Barkat, managing director of venture capital firm BRM Capital, who has been involved in investing in security firms. Barkat cited a lack of innovation in the security industry as why the situation has not improved.

Mike Dalton, president of McAfee in Europe, the Middle East, and Africa, agreed that the security situation is dire, but said that innovation was not necessarily the roadblock. A major problem is a lack of integration in security products, he said.

And while all the experts predicted further consolidations among security companies, that will not necessarily lead to more comprehensive, integrated products, they said. “Today the security business is very diverse and very complex,” said Phillip Dunkelberger, president and CEO of encryption company PGP. “You have four or five different point solutions and they don’t all work together.”

Yanki Margalit, president and CEO of digital rights management provider Aladdin Knowledge Systems, agreed that enterprises are more exposed than ever, but did not put the blame squarely on security companies’ shoulders. There are so many threats,” Margalit said. Part of the remedy would be widely available tools that help developers check the security of the applications they are building, commented Barkat, adding that he hopes Microsoft takes a leading role.

On the subject of the software giant, the experts were divided on the work the company is presently doing on the security front. “Microsoft is clearly not doing a good job at security. Most people in this room who work in security have their jobs because of Microsoft,” Dalton said. They did a horrible, terrible job (in the past) but now they are serious. I believe that they will be a very strong security player and force the rest of the industry to be niche players,” Margalit said.

While the speakers gave no clear direction on the path the industry needs to take to truly alleviate companies’ security woes, they did have some words of advice.

Invest in integrated security products and avoid security appliances whose architecture changes after a few years, Barkat said.

Forget about white lists, which normally refers to a list of e-mail address from which you agree to get mail, thinking they are safe.

You will fail if you try to define everything you can do, Margalit said.

“We need to get out of the defense mode and allow companies to go on the offensive,” Dunkelberger said.

Despite the various opinions, on one point at least everyone seemed to agree. “The existing security situation sucks,” Barkat said, to resounding nods from attendees.

http://www.nwfusion.com/news/2004/1012etreent.html