CyberSecurity Institute – Page 338 – Security News Curated from across the world

Show Time for Security

Posted on December 7, 2004December 30, 2021 by admini

“There is an element of appearances to security, and I don’t mean this in an unfavorable way,” says the famously unflappable de Becker, who has guarded his image as closely as the Hollywood stars he is hired to protect. “Precautions that are expected to deter often draw some of their effectiveness from appearing to be this or that.”

Once an assortment of stereotyped “geeks” and “guards” who’d been promoted up a few tax brackets, CSOs are now struggling to become—and be recognized as—businessmen and women who take a strategic view of risks across the enterprise.

On the first level are CSOs themselves—you—who are learning that to be taken seriously as executives, you have to act like your peers from other parts of the business. Just look at what eBay’s Howard Schmidt, one of the country’s most prominent CISOs, has done to his look over the years.

Closely tied with the CSO’s personal image is a second level: how other business executives and their staffs view the security department and its leader. Michael Assante, CSO of American Electric Power, is candid about the kind of forethought that goes into this transformation. “I knew that image was going to be an important part of being able to have success,” says Assante, who two years ago became the first person at AEP to have control over both corporate and information security.

“Image is 100 percent important,” says Schneier, author of Beyond Fear and a prominent observer of the security industry’s evolution. If you don’t deal with everything around the politics and socialization, you never get to the actual security.”

In other words, it’s not style over substance.

http://www.csoonline.com/read/120104/image_intro.html

Antispam campaign bites the dust

Posted on December 6, 2004December 30, 2021 by admini

In the statement, the company rapped the media, as well as Internet monitoring company Netcraft. “We are astonished by the enormous resonance generated by the “Make love not spam” campaign,” the statement read. “With this campaign we intended to raise a new impulse in the antispam discussion, and therefore create awareness for the big economic and societal problems caused by spam. The campaign has reached its goal and thus will be stopped.”

The company forcefully denied it launched any denial-of-service attacks on spammers and that it had taken two Chinese Web sites offline.

The statement continued: “In opposition to media reports to the contrary, we did not attempt any denial-of-service. We forcefully rebut a report by Netcraft referring to two spam servers having been disabled by our screensaver.” At the point of time of the Netcraft measurement on December 1st, 2004, both spam servers were not on the target list of the screensaver.

Also, the screensaver’s website has not been hacked as reported by F-Secure. “This has been acknowledged by F-Secure itself.”

This decision comes about a week after the “Make love not spam” screensaver was launched. The tool was taken offline on Friday, but at the time Lycos claimed that the tool would soon be back online. The downloadable screensaver uses the idle processing power of users’ computers to slow down bandwidth that connects to spammers’ Web sites.

“Things have changed,” said a Lycos UK representative on Monday. He said that the company had reviewed “Make love not spam” before deciding not to bring it back.

http://news.zdnet.com/2100-1009_22-5479582.html

Security Sells

Posted on December 6, 2004December 30, 2021 by admini

Translation: They advertise security or otherwise make it part of the message they present to customers and business partners.

Look closely, though, and you’ll find that these companies share a common goal: to create a sense of trust for their customers—while being careful not to overpromise.

In February 2003, Derek Bond, a 72-year-old retiree from Bristol, England, spent three weeks sleeping on the concrete floor of a South African jail after his name and passport number showed up on an FBI wanted list as he arrived in the country for a vacation. In vain, he protested that not only was he ignorant of any supposed crimes he’d committed in America, but he’d never even been to the country. Release didn’t come until the publicity surrounding his fate prompted an informant to point the FBI to the “Derek Bond” whom they did want to talk to—comfortably holed up in Las Vegas, after purloining the identity of the real Mr. Bond some 14 years before.

Bond’s misfortune illustrates—to the extreme—the menace of identity theft. Armed with just a few pieces of information—information readily available from trash or stolen documents—identity thieves can take advantage of lax security at financial institutions to enrich themselves.

Not if Citigroup can help it, says Ronni Burns, director of business practices for Citi Cards, the group’s credit card arm. In 1991, she says, Citi was among the first card issuers to offer its customers early warning of fraud, by programming computers to spot suspicious transactions. And in 1992, Citi followed this by being the first major card issuer to include customers’ photographs on cards. Most recently, Citi has bolstered its identity-theft prevention offerings with a personalized solution that involves trained counselors providing support to victims. In the event that a customer’s identity is stolen, explains Burns, a single Citi representative is assigned to the case to help customers identify the fraudulent transactions, fill in the various police forms, notify credit bureaus and generally get their lives back on track.

Microsoft Aims for Trustworthiness Curiously, one of the biggest developments in Microsoft’s history—and certainly one that is intended to have an enormous impact on its customers—isn’t being marketed yet. Or at least not in the direct manner that Citigroup is using.

While Microsoft does actively promote some security-related products (including through advertisements in CSO), “Trustworthy Computing,” as the company christens it, deliberately isn’t mentioned in the company’s advertising. “There is no advertising around Trustworthy Computing at all,” insists Microsoft spokeswoman Nicole Miller. The company does, of course, provide a website that explains the initiative, and a quick Google search will turn up plenty of Microsoft quotes discussing the initiative in the media.

But Trustworthy Computing itself is still a long way from victory. In fact, says Chief Security Strategist Scott Charney, who describes the initiative as “very much a work in progress,” Microsoft has had to apply strong-arm tactics to software vendors who have built Microsoft technologies into their products: They are not to make claims that aren’t yet matched by the reality that Gates wants to see.

OnStar Sells Peace of Mind If you’re going to set up in business as a guardian angel, you’d better be a guardian angel that people trust. When you’re lost, for example, two critical pieces of information are (1) where you are and (2) the directions for getting back on course. Minutes can be lost while the emergency services try to locate you—which in the event of a serious accident can literally make the difference between life and death.

“Key to the promise of the brand is that a real, live person will share your problem and help resolve it,” says Andrew Young, director of marketing at Detroit-based OnStar, who’s been with the business since its inception in 1996. “They’ll make connections, find information and help you. The help depends on the nature of the problem. OnStar is careful to avoid overpromising, says Young, and tries hard to make sure that subscribers understand the limitations of the service. “We’ve tried to be very honest in how we market the service and build the brand,” he says.

For the past two years, OnStar has been running a radio advertisement campaign featuring the voices of real callers.

http://www.csoonline.com/read/120104/sells.html

New Threats Ahead

Posted on December 5, 2004December 30, 2021 by admini

Web services and ubiquitous wireless access will continue to add new security threats.

“Businesses battened down their network years ago and hackers moved up to applications,” says John Pescatore, a security analyst with research firm Gartner. “As certain areas of security improve and technology grows, hackers will move to new weaknesses.” To confront the threats more effectively, antivirus and firewall software will become more commonplace for smart devices, as will Web-services firewalls.

Embedded-chip maker Phoenix Technologies Ltd. has built device authentication with public key infrastructure and secure crypto-key storage into its hardware so companies can identify trusted systems before they’re allowed to log on to their networks.

“The large [software vendors] got caught with their pants down, and they’re now putting more money into their development processes,” says Lloyd Hession, chief security officer at Radianz, a provider of financial-services networks.

“My worst fear is someone is going to whack our customers, and I do everything to avoid that,” says Mary Ann Davidson, chief security officer at Oracle. Software quality “is a systemic industry problem,” she says. Oracle conducts secure coding training and has 100 pages of formal design specifications its developers use to engineer reliability and safety into applications.

IBM Tivoli continuously improves software development by conducting design-code reviews, and it has stepped up the number of applications it runs through the Common Criteria certification process, an international security evaluation standard, says Bob Blakley, chief scientist of security and privacy. “If there’s a perception out there that software is more fragile, that’s because it’s subject to more hostile attacks today than in the past. It’s fair to say that software quality is improving but that the threat environment is worsening.”

And that’s one trend business-technologists can expect will continue for some time to come.

Government surveillance helps keep us secure, and better corporate information makes the economy more productive.

http://www.securitypipeline.com/news/54202035;jsessionid=XF2C5R4SIDHHWQSNDBCSKH0CJUMEKJVN

Guarding the Grid

Posted on December 1, 2004December 30, 2021 by admini

As a result, companies that are implementing grid technologies need to pay special attention to issues such as user authentication, authorization and access control, as well as auditing and data integrity — both when data is in storage and while it’s in transit.

Ensuring that adequate measures are in place for responding to the effects of worms and viruses, which can be amplified in a grid setup, is also crucial in grid computing, IT managers say.

Most of the problems that users have to deal with in a grid environment are similar to the ones they face in nongrid environments, says John Hurley, senior manager for distributed software and systems integration at The Boeing Co.’s mathematics and computing technology group in Seattle.

A grid installation harnesses the combined power of numerous servers and PCs to run applications and services as one large system.

The potential severity of grid-related security problems depends largely on the context in which grids are being used, says Dane Skow, deputy computer security executive at the Fermi National Accelerator Laboratory in Batavia, Ill.

“When you talk to people about grids, they have different scenarios in mind — everything from clusters in the same room run by the same infrastructure team to global power-grid-like infrastructures,” says Skow.

Research grids, for instance, typically provide access to users from multiple organizations and security domains. User access, authentication and authorization in such an environment can be a big challenge, given the fact that there’s no single identity authority, says Skow, who is also part of the security group at the Global Grid Forum, a Lemont, Ill.-based organization with members from more than 400 vendors and user companies.

In contrast, a grid being run by a private-sector company typically uses internal resources and is accessed by users whose identities are already stored in an internal directory. As a result, it’s easier to get a grip on identity management in a company grid than it is with grids in a research setting, Skow says.

Companies that are deploying grids also must protect data during transmission on the network via encryption, says Jikku Venkat, chief technology officer at United Devices Inc., an Austin-based vendor of technologies for aggregating computing resources into clusters and grids.

Addressing grid security may not involve new technologies, but because of the increased potential vulnerability, protective measures become more urgent.

http://www.computerworld.com/securitytopics/security/story/0,10801,97815,00.html

CIOs and IT Managers prefer Linux for e-mail

Posted on December 1, 2004December 30, 2021 by admini

The research also revealed that 21 percent of executives would prefer Linux for their entire email infrastructure if they could scrap their current email infrastructure, and over 40 percent said they would replace their backend messaging infrastructure for one with better performance and lower costs.

“The survey shows that Linux is a key platform for messaging and its market share is increasing,” said Michael Osterman, head of Osterman Research.

The study is part of Linux related research reports, which were published in a whitepaper entitled “”Linux and eMail Infrastructure: A Business and Technology Perspective”. The whitepaper was released by Scalix, a Linux email software company, to help IT managers extend the technology benefits of Linux to their email infrastructure.

http://www.ebcvg.com/articles.php?id=427