Businesses lack spyware protection

Posted on by admini

In a US survey of IT managers and executives, 70 percent expressed growing concern over spyware, yet less than 10 percent have installed anti-spyware software, according to a statement issued by Webroot, the Boulder, Colorado, security software company that commissioned the survey. The survey was conducted by Equation Research.

The disconnect appears to come from slow realisation of the problem and the need to put out fires before trying a comprehensive approach, said Richard Stiennon, vice-president of threat research for Webroot. “Spyware is insidious and has been installing itself for the last two or three years,” Stiennon said. “But now it’s at a flash point, where IT managers are finding computer systems are crashing, or it takes forever for systems to boot up. And when they investigate the problem, they’re finding it’s spyware.

The first response is to use the first tool you can as a point solution…but because a one-to-one [software] solution is too costly over time, they’re beginning to look at pushing out solutions to every desktop.”

The vast majority of executives and IT managers surveyed, 96 percent, feel that their existing antivirus and firewall software protect them from outside threats, according to the study. “They’re thinking that spyware is not a threat to their security but just a threat to their productivity,” Stiennon said. “That’s how they felt about spam in the beginning, too.”

However, 82 percent of those surveyed said their desktops are currently infected with spyware. A third of respondents said that spyware has been on the rise in the past six months.

Last year, the National Cyber Security Alliance said that 91 percent of 120 individuals participating in a study had spyware loaded on their computers. And virtually none of the participants realised spyware could be transmitted and installed via file-sharing programs.

http://news.zdnet.co.uk/internet/security/0,39020375,39171738,00.htm

Read more

Sourcefire touts ‘smart’ network defence

Posted on by admini

The real time network analysis offered by its Sourcefire 3D system can place security events in context and thereby help reduce the frequency on false alarms by up to 90 per cent, Sourcefire claims. Users can use the technology to enforce policies based on the correlation of detected threat with network vulnerability and asset data.

Sourcefire said its Real-time Network Awareness (RNA) Sensors score over vulnerability scanners because they provide constant feedback through passive detection of network activity rather than the snap shot offered by the “potentially disruptive” scanner approach.

In response the industry has moved towards intrusion prevention systems (IPS) which automatically block a subset of well-understood attacks.

Martin Roesch, founder and CTO of Sourcefire and creator of Snort, said that intrusion prevention and firewall technologies would converge. Firewalls alone can’t deal with problems like Nimda-style worms spreading across internal networks and stand-alone intrusion prevention technology fails to defend against anything other than well-known attacks, Roesch argued. “Intrusion prevention is a partial solution because the technology is purely signature based or, in the case of defending against DDoS attacks, rate based. Use of the technology can also creates a bottleneck on the network,” Roesch told El Reg.

He contrasted the intrusion prevention technology with Sourcefire 3D’s learn, block and correct approach. “Users could put our sensors inline if they wanted to. We can deliver intrusion prevention by other means,” he said.

Firewalls were traditionally designed to guard against network-level attacks – such as IP spoofing and port/network scans – but as more sophisticated application-layer attacks, such as worms and exploits of known software vulnerabilities, have become increasingly common a need has arisen to rejig corporate defences. That much is common ground between Sourcefire and intrusion prevention systems (IPS) vendors.

Leading IPS vendors, such as Top Layer, argue that rather than loading extra application-aware intelligence into firewalls better performance can be obtained by using standalone intrusion detection and prevention, such as its Attack Mitigator IPS 5500. It would argue its hardware-based technology is superior at automatically blocking attacks.

Sourcefire 3D, released in the US earlier this quarter, is available in Europe from today (28 October).

http://www.theregister.co.uk/2004/10/28/sourcefire_3d/

Read more

A Snapshot of Security Project Plans, the Security Market and Vendor Mindshare

Posted on by admini

From the perspective of corporate security projects:
– The fastest growing project space is Authentication, Encryption and Intrusion;
– Security management is still just the leader but the trends show it deminishing over time;
– Wireless security is growing slowly as a priority item.

For entreprise software:
1. Directory Services with 30% percent of respondents consistenly stating that this has been their number 1 priority for the past 12 months.
2. ERP, which has taken over from CRM.
3. CRM
4. Groupware
5. Vertical industries
6. Document Management

For Web Technologies:
1. Web Service, showing very strong upward trending over the past 12 months.
2. Other
3. Site Development
4. Portals
5. E-Commerce
6. Content Management

Other charts showing the top ten security vendors and the October 2004 priorities.

Research comes from IDC and ZDNET.

http://news.zdnet.com/2100-9596_22-5429425.html?part=rss&tag=feed&subj=zdnet

Read more

Trends in Web Application Security

Posted on by admini

This article highlights both technical and business trends in web application security.

Traditionally, vulnerability analysis (and its management) has been focused at the network or operating system level. Trends are leaning towards merging the ability to scan for network vulnerabilities and application-level vulnerabilities together. The goal in this merging of network and application vulnerability analysis is the ability to use data found from one level and drive a more focused approach for the other level.

Another key area where we will see more integration is in the area of network management consoles. Currently, most consoles are geared towards soliciting network device information (e.g. firewalls). On the network side, consoles can be set up to attach patch management solutions to notifications of problem detection. However, many web applications are proprietary and thus unique to a particular customer or department within a large corporation.

Mercury Interactive, a major player in automated testing tools, recently announced partnerships with some leading application security testing companies that provide an integrated solution between Mercury’s testing products and the vendors’ application vulnerability detection tools. Some vendors have created development tools for enhancing code security, but to date, sales of these tools have been relatively poor. In addition, most of these code scanning tools are unable to provide complete application awareness and can only focus on a specific module of code.

This has started to prompt some awareness in the developer community. However, it is still too early for application tools to incorporate sophisticated integration, as web application security analysis still lies primarily in the hands of security professionals such as penetration testers, QA engineers, and auditors.

While no formal direction has yet been established, industry trade groups, such as the Information Technology Association of America (ITAA), are anticipated to start providing guidelines for web application security for offshore code.

With the rise of cross-site scripting (XSS) attacks, tools are still only focused on inline detection (the ability to attack and detect success in the same process). Complexities yet to be tackled include performance (as large amounts of data from the web application and user input need to be stored and referenced with each new interaction) and accuracy (by reducing false positives). For example, some large financial organizations have recently had issues with cross-frame scripting (XFS), a particular type of phishing attack that poisons a single frame in a page. While web services has been very slow in mass adoption, some users have sites and online applications that depend on web services, and therefore have an urgent need to test for web services vulnerabilities.

For the most part, vendors in this space have focused on simple detection techniques such as XML (malformed) schema based attacks and applying known web application vulnerabilities in non-XML applications to XML applications. This generally involves the ability to write scripts to address new and cutting-edge vulnerabilities. Vendors have been using scripts that use languages ranging from ones that look like Visual Basic to JavaScript and Nessus’ NASL language.

For the immediate future, most well-defined tools will choose multiple script languages to incorporate open source tools as well as proprietary methods.

Another area poised for substantial increases in effectiveness is the ability to handle testing of client-side technology for web applications.

Some of the more prominent standards include the Application Vulnerability Description Language (AVDL) and Web Application Security (WAS), which are both XML-based standards.

http://www.securityfocus.com/infocus/1809

Read more

For some drivers, smart cars do connect

Posted on by admini

“The car is an island, isolating its user,” said Claudio San Pedro, senior vice president of the Fiat Business Line, Fiat Auto, in Italy. “To change that, we are aligning our cars with technology as used in homes and offices.” Owners of Fiat’s Stilo model, a moderately priced hatchback, can use the optional Connect service to make phone calls and either listen to a voice recite their e-mail messages or read them directly on a screen. “Even while driving, you can also look at the Web, but we do not recommend it,” San Pedro said.

That option and other features available in Europe and Japan make auto executives in the United States shudder. They say they must worry about lawsuits rather than whether their customers can order from Amazon while driving. “In the United States, driver distraction is a bigger thing than in Europe,” said Norbert Seitner, head of product planning for Audi North America. “People in America tend to sue companies very easily,” he added, if something goes wrong with the technology.

That is why many car navigation systems in the United States display terms and conditions on the screen before they can be used, a requirement not found in other markets.

Safety first Besides nervousness over lawsuits, the American auto market has also been more cautious in offering features like television or karaoke, which are widely available in other countries. Some features will probably not be available here for years, if ever.

Executives contend that most American drivers are more interested in advanced safety systems than in entertainment options.

In Europe, TV fanatics do not have to worry about missing their favorite shows. In many Audi models sold there, drivers can use the same screen that powers the navigation system to watch broadcast television. Yet even with a feature that shuts off the video once a car moves faster than three miles an hour, Audi has no intention of offering it here.

Fear of legal action has also stopped Toyota from offering its Intelligent Parking Assist feature, which is now available on the hybrid gas-electric Prius model sold in Japan. This device automatically parks the car, maneuvering the Prius backward and into the space. To activate it, the driver first pulls alongside the forward vehicle, then drags a picture of a flag marker and parking triangle on the car’s touch-screen display, until they are positioned where the vehicle should wind up. But the system cannot respond to changing conditions, like the vehicle in front suddenly backing into the space the Prius is about to enter. Nor can the system respond to unexpected road obstacles–a soccer ball rolling into the gutter or a child running in the way.

While the system seems ideal for congested streets like New York’s, “we have no plans for the U.S.,” said Jon Bucci, corporate manager for advanced technology at Toyota Motor Sales.

It is not just fear of lawsuits that prompts different gear for different markets. Terrorism has also created a switch in what consumers deem to be necessary equipment as they drive. It is the ability to communicate, not to be entertained, that seems to matter most to Americans, some industry officials have concluded.

“Safety and security are our winning features,” said Terry Sullivan, vice president of communications for OnStar, the communications system owned by General Motors and available on 50 of its models as well as those of other manufacturers. “While customers can hear their e-mail using OnStar’s Virtual Advisor service, the number that do is minuscule, in the low thousands,” Sullivan said. “More telling is that 80 percent of its 2.7 million customers buy the air-bag notification system, which sends a signal to a central office when a car’s air bag is deployed, to dispatch emergency services.

http://news.zdnet.com/2100-1040_22-5428711.html?part=rss&tag=feed&subj=zdnet

Read more

Cisco upgrades IP telephony security

Posted on by admini

The company announced that it has added new privacy features to its CallManager product, which maps phone numbers to IP addresses and keeps track of phone calls. Specifically, CallManager 4.1 extends encryption support to include its new and already installed 7940G and 7960G IP phones. Cisco also enhanced support for a protocol that will help customers link their existing telephone systems to its IP telephony products.

Security is a significant issue with any IP application. Like other packet-based applications, voice networks can suffer from denial-of-service attacks, which are caused when a hacker floods a network with packets until the switches and routers directing traffic throughout the network are frozen. Hackers also could tap into IP telephony calls to eavesdrop on conversations or break into corporate voice mails. As a result, some companies have hesitated in replacing their existing phone networks with one based on IP.

Cisco hopes that the new enhancements to CallManager can ease security concerns. By encrypting the voice traffic starting from the actual telephones, Cisco can help ensure that conversations are kept private and that no one is able to tamper with telephone signalling packets. Previously, Cisco only offered encryption on its high-end phones. Now the company is extending support to include its less expensive phones, too.

Customers will be able to take advantage of the new encryption features through a free software upgrade.

In addition, Cisco enhanced its Cisco Unity unified messaging product to provide better security to voice mail messages. The company also extended the interoperability of a protocol called Q.SIG, which is used to communicate between private branch exchanges from different vendors. The enhancement should help Cisco customers connect more securely between their new IP telephony network and their existing telephone infrastructure.

IP telephony is an important emerging market for Cisco.

The secure voice-messaging feature in Cisco Unity 4.04 comes at no additional cost and can be upgraded on existing products for free.

http://news.zdnet.co.uk/communications/networks/0,39020345,39171359,00.htm

Read more