Category: News

Responding to an email security survey carried out by MessageLabs a further 40 per cent said they feel ‘worried’ by the current email security threat to their business, with only 29 per cent feeling ‘optimistic’. The survey shows that few (15 per cent) think email will remain the same application over the next decade, while two thirds think it will merge with other messaging applications, such as wireless and instant messaging. But only 14 per cent of respondents think it will become completely obsolete.

Over 20 per cent of firms responding to the research indicated that online fraud such as phishing and identity theft will be the greatest threat.

Viruses achieved a similar rating (21 per cent).

The leakage of confidential or sensitive information was rated by 18 per cent as the main issue, with 15 per cent stating that it would be the potential for industrial espionage. The survey reveals continued concern over levels of spam, with over 40 per cent of respondents predicting that levels of junk email will more than double over the next 10 years, and a further 24 per cent expecting it to rise by more than 50 per cent. Only four per cent think it will be non-existent.

Mark Sunner, chief technology officer at MessageLabs, said in a statement: “These results clearly show that concern about email security continues to run high, to the extent that if the situation does not improve the status of email will be under threat. “The convergence of the various email attack methods has led to a more damaging and complex breed of email security threat, meaning that everyone’s favourite ‘killer app’ is also capable of mortal damage to the business.”

http://www.vnunet.com/news/1156684

Microsoft’s Windows Update Services (WUS), the product formerly known as Software Update Services (SUS) 2.0, is now due to ship by mid-2005, rather than mid-2004. And the new Microsoft Update (MU) Service, a new patching system designed to provide fixes to not only Windows, but also Office, SQL Server, Exchange Server and other core Microsoft products, also is now due out by mid-2005, a year later than anticipated.

Microsoft officials said at the partner show that SP2 will be released to manufacturing in August, and be available to consumers over the course of the next few weeks and months via download, CD and preload on new PCs.

Nash said Microsoft is not planning to phase out any of these mechanisms any time soon. Microsoft’s patching systems/services are crucial to its customers.

In addition to delivering Microsoft’s monthly bundle of patches/fixes to users, they also are the vehicle via which Microsoft rolls out impromptu patches for viruses, worms and other malware.

http://www.microsoft-watch.com/article2/0,1995,1622941,00.asp?kc=MWRSS02129TX1K0000535

The stats, based on a database of security advisories for more than 3,500 products during 2003 and 2004 sheds light on the real security of enterprise applications and operating systems, according to the firm.

One thing the hard figures have shown is that OS X’s reputation as a relatively secure operating system is unwarranted, Secunia said.

This year and last year Secunia tallied 36 advisories on security issues with the software, many of them allowing attackers to remotely take over the system — comparable to figures on operating systems such as Windows XP Professional and Red Hat Enterprise Server.

“Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news,” said Secunia chief executive Niels Henrik Rasmussen.

A few other organizations maintain comparable lists, including the Open Source Vulnerability Database (OSVDB) and the Common Vulnerabilities and Exposures (CVE) database, which provides common names for publicly known vulnerabilities.

Windows XP Professional saw 46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access, Secunia said.

Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access.

A recent Forrester Research Inc. study comparing Windows and Linux vendor response times on security flaws was heavily criticized for its conclusion that Linux vendors took longer to release patches.

http://www.computerworld.com.au/index.php/id;1870365808;fp;16;fpid;0

Proponents of the standard said that the 802.11i specification could have an immediate impact on VPN infrastructure, which could be relegated to a lesser role inside a corporate network.

The standard was ratified on 24th June at an IEEE standards committee meeting in Piscataway, N.J. The 802.11i standard adds a needed layer of security to Wi-Fi, which has become widespread both in the consumer and corporate spaces.

Early attempts at security, such as WEP (Wired Equivalent Privacy), provided some basic security but were derided as too easy to crack.

“Intel is ecstatic,” said Robin Ritch, director of security industry marketing for Intel Corp. in Santa Clara, Calif., who said all of the company’s Centrino chip sets, including the older models, are compliant with the specification.

As expected, vendors are already rolling out firmware enabling 802.11-compliant security protocols, although the software won’t officially be pushed to customers until September, when the Wi-Fi Alliance is expected to begin interoperability testing to make sure devices can talk to one another, Ritch said. Devices compliant with the 802.11i spec will likely be certified as compliant with WPA2, the second generation of Wi-Fi Protected Access, she said.

802.11i’s encryption protocols are based on the AES (Advanced Encryption Standard) and meet the limited encryption requirements for the Federal Information Processing Standard 140-2 specification for the protection of sensitive information.

The new standard will add Layer 2 security to a Wi-Fi card, sufficient for wireless access inside a corporate network, Ritch said.

In the early days of Wi-Fi, Intel recommended users connect to a VPN while roaming wirelessly, even when inside their corporate network.

The security provided by 802.11i is sufficient enough that IT managers can eliminate VPNs except when workers are connecting remotely, such as at a hotel, Ritch said.

Intel’s own IT staff plans to relax its security restrictions, she said, eliminating the use of internal VPNs while employees are inside their own network.

Chris Bolinger, manager of the Field and Partner Marketing team in the Wireless Networking Business Unit of Cisco Systems, Inc., Santa Clara, Calif., said it is natural that some customers will want to migrate away from VPNs to standards-based solutions such as 802.11i. However, many customers will also stay with WPA unless they’re given a compelling reason to move to AES, he said. “We’ve always tried to provide solutions to meet customer demand in the wireless LAN space,” Bolinger said.

The performance penalty users will pay for turning on the additional 802.11i functionality is unknown. In tests of Intel’s Grantsdale/Intel 915 chip set, for example, turning on high-definition audio features integrated into the chip set required a significant amount of CPU power, according to a recent ExtremeTech review. Intel spokesman Mark Miller said Intel had not tested the effects of the new 802.11i firmware on battery life to his knowledge, but he estimated that the effects would be “negligible” on the battery life of a Centrino-based notebook.

http://www.eweek.com/article2/0,1759,1616979,00.asp

Symbiot Security says its new Intelligent Security Infrastructure Management Systems not only defends networks but lets them fight back, too.

Though the notion of striking back against “bad guys” may satisfy primal urges, most security experts question whether retaliation will actually halt cyberattacks. Ideas about going on the offensive against Internet attackers “have been bounced around for a while,” said senior analyst Jesse Dougherty of the security firm Sophos. Hackers, worms and data attacks are costing companies dearly, and open the door to identity theft and the loss of intellectual property.

The offering, known as iSIMS, comes amid growing frustration over computer intruders. In documents on the Austin, Texas, company’s Web site, Symbiot advocates a gradual escalation of action based on the best information available and the customer’s preference. A position paper attributed to Symbiot’s executives and posted on its Web site broadly outlines the counter-strike philosophy.

“On the Rules of Engagement for Information Warfare” says computer intrusions deserve a response in kind – including “asymmetric” countermeasures that can include flooding the attacking computers with data, rendering them Internet-blind, and other measures to neutralize the problem.

The responses mirrored the content of Symbiot’s Web site, which describes the 18-employee company as “emerging as a leader” in security infrastructure management. For instance, if a hacker takes advantage of vulnerabilities on multiple PCs to relay the assault through them, then the victim can trace it by exploiting the same vulnerabilities as the initial act.

In the past, some attempts to fight fire with fire have misfired. “We’ve seen worms that have had major impact like causing delays in airline schedules, shutting down ATM machines, 911 systems and so on,” said Dorothy Denning, a professor of defense analysis at the Naval Postgraduate School.

More info: http://www.crn.com/showArticle.jhtml?articleID=22101131

From_the_desk_of_Paul_-_06152004.pdf