Category: News

“Each NAC product works a little differently, but in every case, we found the means to bypass it,” says Ofir Arkin, CTO and co-founder of Insightix. For example, most NAC technology assumes that users will be granted access to the network via Dynamic Host Control Protocol (DHCP), which keeps IP addresses in a pool and hands them out as each user is authenticated. Through DHCP, NAC systems can restrict user access and recognize unauthorized attempts to gain entry to sensitive information. However, an insider with access to the corporate network often has the option to configure his PC with a static IP address, Arkin observes.
“That means if you can find the address of the router, which is contained in TCP/IP settings on most PCs, you can link directly to the router and enter the network undetected,” Arkin says.

NAC systems are also at risk because they normally work entirely through IP addresses, without collecting information on where devices are located or how they are connected to the network, Arkin states. NAC systems generally cannot detect activity between nodes on the same subnet, particularly if the client avoids broadcast transmissions.

Users could also gain access through unauthorized devices or old, forgotten systems and connections that don’t show up in a standard DHCP address discovery.

http://www.darkreading.com/document.asp?doc_id=98626&WT.svl=news1_2

The survey, of 100 IT directors, commissioned by enterprise software firm Compuware, found ignorance about data protection legislation was rife among IT directors.

This can have severe repercussions on customer confidence and company reputation, and ultimately affect the bottom line,” Compuware worldwide enterprise solutions director Ian Clarke said.

http://www.theregister.co.uk/2006/07/04/data_abuse_survey/

Chairman David Goodman declared on day one that the role of identity-related trust – at both a personal and corporate level – was dramatically changing Internet-based transactions.

In the first keynote address, Stijn Bijnens, SVP of Identity Management at Cybertrust, stated that the main drivers of identity are security, integration of physical and logical access control, flexibility, productivity, compliance and customer satisfaction. On the drivers behind national identity programmes, Bijnens also recognised the need for more efficient e-government, both regionally and across-borders, as well as new applications such as e-tickets on public transport and physical access to public buildings.

During the morning’s panel debate, Chief Security Officer at Corestreet, Bob Dulude, echoed Bijnens’ sentiments, claiming that e-ID cards must be technically interoperable to support multiple applications, with the caveat that security and privacy could be more easily compromised when there is a vast amount of data on a single smartcard. “It united senior IT, marketing and management personnel from some of the biggest players in the industry to share their valued opinions.”

http://www.it-observer.com/news/6564/identity_become_key_technology_focus/

http://www.viruslist.com/en/news?id=189487870

However, while 7 percent of those surveyed for the report said they hope to eliminate the need for stand-alone security products altogether by using on such tools, only 16 percent said they actually plan to buy fewer products, with 22 percent holding out for price concessions from vendors before making additional purchases.

“[The] key will be for vendors to anticipate new security needs with extended or newer offerings.”

However, the report said some types of security applications, such as anti-virus software, firewalls and VPNs, will become increasingly commoditized, putting pressure on stand-alone vendors of the technologies as demand decreases. Bob Egner, vice president of product management at Pointsec Mobile Technologies, which markets software used to encrypt data on desktops, laptops and mobile devices, said demand for the company’s applications is not slowing, but rather becoming more consistent.

http://www.eweek.com/article2/0,1759,1979225,00.asp?kc=EWRSS03119TX1K0000594

“These are what you would consider, in the IT world, critical enterprise applications,” Peterson said.

LiveData maintains that the flaw is a software bug, not a security vulnerability, pointing out that it only affects how the LiveData ICCP Server handles a non-secure implementation of the communications protocol–typically used only in environments not connected to a public network.

“In general SCADA networks are run as very private networks,” said Jeff Robbins, CEO of LiveData.

The incident has touched off a heated debate among a small collection of vulnerability researchers, critical infrastructure security experts and the typically staid real-time process control systems industry. The controversy mirrors the long-standing dispute between independent researchers and software vendors over disclosing vulnerabilities in enterprise and consumer applications.

Last week at the Process Control System Forum (PCSF), a conference on infrastructure management systems funded by the U.S. Department of Homeland Security, a similar debate played itself out. Perhaps three dozen industry representatives and security researchers met during a breakout session to hash out the issues involving disclosure. The tone became, at times, contentious, said Matt Franz, the moderator at conference panel on the topic and a SCADA security researcher with Digital Bond. “‘It puts people and infrastructure in danger,’ they said.”

Moreover, many vendors did not appreciate the involvement of the U.S. Computer Emergency Readiness Team (US-CERT), the nation’s response group tasked with managing the process of vulnerability remediation for critical infrastructure, Franz said.

The debate over how disclosure should be handled underscores both the intense focus on SCADA and DCS systems as potential targets of cyberattacks and the position of many companies in the real-time process control systems industry that vulnerabilities in such systems require special treatment.

For between 5 and 10 percent of the networks audited by PlantData, a single ping attack or a data flood aimed at a SCADA system could shut down most of the managed devices, Pollet said.

http://www.securityfocus.com/news/11396