Category: Product

According to a report released this week by a team at Shandong University in China, the SHA-1 algorithm that supports the digital signatures used in popular SSL browser security and encryption can be successfully attacked. The same team helped break MD5, another commonly used cryptographic hash algorithm, in August 2004.

According to the company, all PGP products are architected to allow for rapid and non-disruptive migration of all encryption, hash, compression, and signature algorithms. PGP Corporation began planning the migration to more secure hash algorithms after MD5 was compromised last year.

Jon Callas, CTO & CSO of PGP Corporation addressed the company’s design philosophy in a September 2004 CTO Corner article entitled “Much ado about hash functions”. At the same time, PGP engineers began implementing a shift from SHA-1 to the stronger algorithms (SHA-256 and SHA-512) while preserving interoperability with existing software.

The upcoming releases of PGP Desktop and PGP Universal will allow users to select from a broader range of authentication options.

“The work done by the University of Shandong team is in the finest tradition of cryptoanalytic peer review,” said Callas. “The best minds continually review existing algorithms, identify issues that need to be addressed, and the entire community of vendors and users benefits.

We will continue to monitor the cryptographic integrity of the algorithms used in PGP products and upgrade them as required to provide our customers with the most secure information security solutions available.”

http://www.geekzone.co.nz/content.asp?contentid=4099

CEO John Chambers laid out the company’s seven-year network security plan on Wednesday during a keynote speech at RSA Conference 2005 here.

His comments built on Cisco’s Tuesday launch of its Adaptive Threat Defense effort, in which “intelligent” networks defend themselves against security attacks. “We will be acquiring aggressively, partnering aggressively and spending aggressively to build about two-thirds of our (security portfolio),” Chambers said.

A key part of Cisco’s security strategy has been to acquire start-ups for their technology and expertise, and many of its latest security updates have come from these buys. The company’s new Secure Sockets Layer (SSL) virtual private network (VPN) product uses technology picked up in its Twingo deal, for example. It’s also put a tool from Riverhead Networks into its Catalyst switches to help prevent denial-of-service attacks.

For more than a year, Cisco has touted its “self-defending” network initiative, which puts intelligence into devices so they can communicate with each other. That means security can be coordinated across the entire network, from the worker at a desk to the guts of the system.

In its related release of upgrades and new products at the RSA show, Cisco introduced intrusion-prevention software, a revamp of its PIX firewall and the overhauled SSL VPN product, which enables employees to remotely connect to the corporate network using a standard Web browser.

Chambers said that Cisco’s move to extend control over security defenses across the whole network came out of discussions with customers between 1999 and 2001. Clients wanted the ability to track network traffic, end points, applications and users, he said. Chambers warned that companies that build their security architecture based on the worms and malicious software of today will find a whole different set of terms and threats five years from now. As a result, he said, companies should instead be focusing on how to get their security architecture “right” and how the components all work together. “You have to think about where the industry will be in three, five and seven years out,” Chambers said. “And you have to think about security as an architecture…you can’t approach it as a pinpoint of products. We believe that security will evolve and be integrated throughout the network,” he added. “We believe they will tie together and move from a reactive mode to one where we can see an intrusion, know how to contain it and have a whole bunch of different products working together.”

Cisco has already partnered with several antivirus and security companies. In late 2003, it teamed up with three companies in an initiative, named Network Admission Control, that aimed to improve the security of networks accessed via mobile devices.

When all the pieces are in place, the NAC architecture will allow companies to set their network devices to refuse connections from mobile PCs or devices that fail to meet corporate security policies, such as not having the latest software patches and antivirus updates. Currently, Cisco supports the NAC framework on its IP routers, and it plans to introduce support on its Ethernet switches some time this year.

http://news.com.com/Cisco+set+on+security+spending+spree/2100-7347_3-5579566.html?part=rss&tag=5575731&subj=news.7347.5

“When you run a business and you worry only about what your competitors are doing, that’s not a long-term business proposition. You really need to be listening to your customers and that’s what we’re doing,” said Gytis Barzdukas, director of product management in Microsoft’s security business technology unit.

Asked to explain the rationale for limiting IE 7.0 to XP SP2 users when the majority of businesses are still running Windows 2000, Barzdukas left the door open slightly. “We haven’t closed the door on potentially providing it to other platforms,” he said.

However, Barzdukas argued that it was much easier for a company to consider migration to a new operating system than testing and deploying significant product upgrades. “When we do all this engineering work, the architecture is changed significantly.”

Last year, when Microsoft rolled out XP SP2 and declined to offer the security enhancements to Windows 2000 users, analysts grumbled that the Redmond, Wash.-based software giant was using security as a carrot to get businesses to upgrade.

http://www.eweek.com/article2/0,1759,1765331,00.asp

At the RSA Conference in San Francisco, the company plans to announce the largest set of upgrades to its security products in three years, sources say.

The new enhancements should help the company catch up to leading vendors, focusing on such areas as secure socket layer virtual private networks and intrusion prevention. The upgrades should also help Cisco fulfill its promise of a “self-defending” network, beefing up security on IP telephony and other applications, while also extending network protection to the desktop.

And to help corporate customers keep track of new threats, sources say, Cisco is also improving its management products.

Cisco declined to comment on the specifics of its announcements next week, but has scheduled a press briefing at the security show.

Security is an important market for Cisco. It is one of six new areas Cisco has been focusing on to help expand its overall business. So far, security has been proven to be a good investment for the company. Last quarter, revenues from security products were up 30 percent from a year earlier. Cisco’s strength in security has come not from having the best products in every category, but from having a wide breadth of offerings, analysts say. Next week’s announcements should help level the playing field against the pure security vendors while cementing Cisco’s dominance as a network-level security provider, they add.

“Cisco isn’t known as a security company,” said Zeus Kerravala, an analyst with the Yankee Group. “They sell security as part of a network strategy. But it’s clear they are serious about providing more security in the network. They are definitely the security leader among networking vendors.”

Nitty gritty One of the more important upgrades to be announced next week is on Cisco’s SSL VPN product, sources say. SSL VPNs allow users to remotely connect to the corporate network using a standard Web browser. Such upgrades are an important addition to the product, since they will allow remote workers to use their Web browsers to connect to the corporate network rather than a difficult-to-manage IPsec client that must be pre-installed. SSL VPN competitors, such as Juniper Networks, through its Netscreen acquisition, and Aventail have been supporting non-Web applications in their products for some time.

Cisco has also beefed up its intrusion detection product by adding prevention software that can correlate possible symptoms of a worm or virus attack to determine whether certain traffic should be blocked. To give customers more choice with respect to how they deploy this technology, Cisco is updating its Internetwork Operating Software (IOS) so that many of these new security features can also run on its switches and routers, sources report. This software is a big component of Cisco’s Network Admission Control architecture, designed to prevent worms and viruses from entering the network. Cisco has supposedly enhanced this software by adding new anti-spyware protection meant to identify and remove malicious programs before they jump from a PC to the network.

Cisco also plans to introduce a new blade that fits into its Catalyst switches to help prevent denial-of-service attacks on Web servers.

Finally, Cisco will announce improvements to its network management tools using some technology that it recently acquired from Protego. This technology, acquired in December, aggregates and correlates information about security threats, so that network managers can detect attacks.

http://news.zdnet.com/2100-1009_22-5573255.html?part=rss&tag=feed&subj=zdnet

Sixty-five percent of businesses–big and small–surveyed by Forrester Research said they plan to put money into protecting their systems from malicious and prying software programs in 2005. Technology decision makers from 185 North American companies of all sizes participated in the survey.

While 69 percent of large enterprises said they would purchase anti-spyware tools this year, only 53 percent of small and medium businesses said they’d go for such protection, it found.

The study exposed several cracks in firms’ anti-spyware strategy.

Almost 40 percent of respondents failed to put a number to the total number of their machines that have been infected. According to the rest, about 17 percent of their systems had already suffered from spyware, a number Forrester expects to climb to 25 percent within 12 months.

The survey also showed that although 80 percent of the companies already have anti-spyware tools, they were “introduced in an ad-hoc manner over the past two years to fix infected PCs,” Forrester said. Only a very few firms had any idea how many support calls are related to the spyware invasion. The 44 percent of respondents able to guess estimated it to be 7 percent. PC maker Dell, on the other hand, blamed 20 percent of support calls from its customers on spyware.

The most popular anti-spyware software tools in market are McAfee and LavaSoft’s Ad-Aware, with 42 percent and 36 percent respondents using them respectively.

Forrester says the market is yet ready for consolidation, even though giants such as Microsoft and Computer Associates have gone for early acquisitions. In addition to buying out Giant Company Software, Microsoft recently released a beta version of its anti-spyware software.

Security holds its spot among the top IT initiatives at number three, increasingly paying more attention to spyware.

http://news.zdnet.com/2100-1009_22-5572950.html?part=rss&tag=feed&subj=zdnet

Its browser-based LiquidCredit Bank2Business, for example, is a hosted service for small business loans used by over 150 U.S. banks. About two years ago, “we first went out and looked into the market for a reverse proxy solution,” says Eric Beasley, Baker Hill’s senior network administrator. The company has a three-tiered architecture, all based on Microsoft products.

“We have Microsoft IIS for our Web component, of course our middle tier uses COM/DCOM objects, and our third tier is Microsoft SQL Server 2000.” “Because of [our] reliance on Microsoft, we had some of the larger clients that we were pursuing at the time balk,” Beasley says. “They did not feel comfortable with a purely Microsoft environment, and especially two years ago, when there were so many reported Microsoft IIS vulnerabilities.”

Beasley began investigating ways of making these potential customers happy. “Some of these clients even went to the extreme of saying we will not do business with you unless you put something out in front of this environment to mitigate the fact that it’s all Microsoft.” While the approach “did a good job of getting in between our client and the Web servers,” he says, it didn’t guard against “SQL injection, forceful browsing, and the like.”

So Baker Hill shifted its focus to Web-application firewalls, a relatively new class of products two years ago, now available from such manufacturers as Imperva, Kavado, Sanctum, and Teros (then known as Stratum8). Baker Hill created a test environment, tested products from Kavado, Sanctum, and Teros, and selected the Teros Gateway.

“The Web application firewall learns what is acceptable use of our Web application, and then by default, it will deny all traffic that does not meet the behaviors it’s learned.” Since this approach doesn’t rely on signatures, he says, it helps eliminate zero-day exploits, an especial concern in his Microsoft environment.

One benefit of this technology isn’t just to stop help block attacks, but to give IT more time to test patches before implementing them. In essence, the firewall acts as like a virtual patch.

Gartner estimates that 70 to 80 percent of all attacks today focus on the application layer; Web applications are at risk.

“Virtual patching is designed to address that window.”

Some firewalls, such as Kavado’s InterDo, can also integrate with Web application scanners—in this case, Kavado’s ScanDo—to build a profile of the application in the test or audit environment.

“From a patch standpoint, we no longer feel the need to deploy the Microsoft patches immediately after they’ve been released,” says Beasley. “The reason that I feel a lot more comfortable in not pursuing a strategy like that is there is no 100-percent guarantee that the patch is going to leave your application in a working state,” he says. Without a Web-application firewall, Beasley says he’d have to perfect some other plan for patching, one that takes into account the fact that some Microsoft patches—even if they don’t work—are not meant to be uninstalled. “Then you really have to look at what kind of strategy are you going to use to create some kind of snapshot or backup of that server prior to the patch being applied,” he says.

http://www.esj.com/news/article.aspx?EditorialsID=1273