Category: News

The technology, which won’t be available until the software giant releases Windows Server 2003 R2 in the second half of 2005, will interoperate with other companies’ identity management software, said Michael Stephenson, lead program manager for Windows Server 2003. “Federated identity lets companies securely extend their applications to suppliers and external users,” he said.

Though the software the company plans to show off won’t be available anytime soon, Stephenson wanted to underscore that Microsoft is playing well with others: “We have been working closely with others in the industry on interoperability.” Microsoft’s interoperability demonstration is the latest move in the software giant’s plans to push for the ubiquitous use of identity management and Web services.

Along with IBM, the company has been a cheerleader for the adoption of the Web Services standard by the Organization for the Advancement of Structured Information Standards, or OASIS.

WS-Security, which includes many of the federated identity specifications, passed muster in April. The Web Services framework competes to some extent with the E-Business Extensible Markup Language (ebXML), which has also been adopted by OASIS.

Both sets of services aim to allow Web sites to offer services to other e-commerce sites.

However, to share identity between sites on the Web and between servers inside a company only three options currently exist: the security assertion markup language (SAML) 1.1, the WS-Security standard or the Liberty Alliance’s standard, which has become the base for the next version of SAML, 2.0. Such identity services promise to allow partners to share secure access to services by letting a person who signs in to one server access any other partner’s server without having to sign in.

Originally, Microsoft had hoped that its Passport service would be the single-stop place for people to store their information on the Web. However, businesses and consumers did not agree, and so the software giant started to work on federated services. While Microsoft played well with its partners, the software giant and the Liberty Alliance are still at odds. Microsoft and the Liberty Alliance have still not committed to supporting each others’ standards. Stephenson said he is “very hopeful” that the two will work together.

The Liberty Alliance boasted on Monday that it offers the most mature method for sharing identity information. “The WS family of specifications in general, with the exception of WS-Security, are not in any usable standards form,” said Michael Barrett, vice president of privacy and security for American Express and president of Liberty Alliance’s management board.

More info: http://news.com.com/Microsoft+to+show+off+ID+federation/2100-7347_3-5219584.html?part=rss&tag=feed&subj=news

As the adoption of wireless technology continues to grow among businesses and home users, two key improvements in the security and performance quality of Wi-Fi devices are set to reach wireless network users later this year.

The 802.11i standard is the complete version of the preliminary WPA (Wi-Fi Protected Access) security standard introduced last year, while 802.11e is a new standard that will improve the quality of wireless networks that transmit voice and video.

Security has been one of the biggest obstacles to the growth of wireless networking. Last year, WPA replaced the flawed WEP (Wired Equivalent Privacy) protocol to shore up wireless security before the full 802.11i standard could be ratified. WPA uses a dynamic encryption key as opposed to the static key used by WEP, and it also improves the user authentication process.

The 802.11i standard adds Advanced Encryption Standard technology, a stronger level of security than that used in WPA.

Enterprises and governments, which need the highest level of security available, may have to replace some of their networking equipment in order to support the AES standard.

Newer networking equipment released within the last three months will probably have enough computational power to handle the increased performance requirements of AES security, Hanzlik said. Network managers with older wireless devices should check with their vendors to see if that equipment will support a software download of the full 802.11i standard, he said. Companies with older networking equipment must decide whether the data traveling over their wireless networks is critical enough to warrant a significant upgrade, said Aaron Vance, a senior analyst at Synergy Research Inc. in Scottsdale, Ariz. In many cases, third-party products that can secure a wireless network when combined with the WPA standard are available, he said.

http://www.computerworld.com/mobiletopics/mobile/wifi/story/0,10801,92906,00.html

The consortium, which includes the Big Four accounting firms and insurance giant AIG international, aims to agree a cyber-risk model that can be used by companies in all industries.

Auditors and insurers could also use the “risk preparedness index” to help decide whether a company has adequate IT security arrangements.

Although details of the framework have yet to be finalised, security experts believe it will focus on an organisation’s IT security safeguards, such as its firewalls and anti-virus software, and compare this against the security threats it faces.

“IT infrastructure risk management is of critical importance to the industry and Barclays broadly welcomes the principles behind this initiative,” said Barclays group chief technology officer Kevin Lloyd. “We will continue to monitor the development of this framework with interest and potentially inclusion in the shaping of the framework.”

Nick Leake, director of operations and infrastructure at ITV, said, “I think the real value of this approach is in sorting out the companies with dreadful levels of non compliance/operation from those with high levels – it won’t be much use in distinguishing the better of two already very compliant operations. And as with all these things, it will have to be kept up to date.”

Industry experts said that an accepted model for measuring security risk would be a breakthrough if widely adopted and would also help IT departments justify security spending.

“The new security standard looks promising, although a lot of the devil will be in the detail,” said Graham Titterington, principal analyst at Ovum. “It will make it easier for people to justify spending on IT security because of the backers of the standard are blue chip companies, which gives it credibility with the board.”

Neil Barrett, technical director of security consultancy information risk management, said the proposed security standard would allow IT directors to measure their organisation’s security arrangements against a benchmark.

http://www.computerweekly.com/articles/article.asp?liArticleID=129789&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1

Peter Wood, partner and chief of operations at First Base Technologies, said that because developers are not security professionals, their application development stresses functionality, not security, and there is a lack of awareness of security issues.

Application vulnerabilities occur, said Wood, because common coding techniques do not necessarily include security; input is assumed to be valid, but untested; and inappropriate file calls can reveal source code and system files.

To bring security to the development environment, said Wood, it is necessary to create and enforce secure coding practices, self-assess code during development, implement security checks into the quality assurance cycle and consider security during change control.

The challenge of achieving this in global organisations was addressed by Andy MacGovern, global security awareness manager at Reuters.

He said that security is often seen as a “hold up” in the product development lifecycle, where products have to be delivered faster in a climate of increased customer expectations, more complex products, reduced budgets, fewer resources and a tougher legislative environment.

Similarly, you should identify and adopt an appropriate security framework and develop policies appropriate to the organisation, said MacGovern.

Reuters has developed an extended practice that takes into account limited security resources, and aims to have two “streams”: replication of security consulting resources, and the development of so-called “security evangelists” – people who understand the need for security.

In his presentation, Stuart King, security consultant at Reed Elsevier, highlighted the most common vulnerabilities in corporate IT infrastructure: buffer overflow, web servers, database servers, cookie poisoning, parameter tampering, SQL injection and cross-site scripting.

http://www.microscope.co.uk/articles/article.asp?liArticleID=129648&liArticleTypeID=20&liCategoryID=2&liChannelID=22&liFlavourID=2&sSearch=&nPage=1

The federal government should set goals for reducing flaws in computer software that allow attacks by hackers, and other regulations might be necessary to better protect cyberspace, an industry task force said yesterday. Despite rising incidents of worms, viruses and identity fraud that have cost businesses and consumers as much…

The Open Source Vulnerability Database (OSVDB) has launched a free Web site that catalogues security flaws in Internet-related software. It will, say its creators, promote more open collaboration between companies and individuals “and reduce expenses inherent with the development and maintenance of in-house vulnerability databases”. There are various specialist mailing…