CyberSecurity Institute – Page 355 – Security News Curated from across the world

Passwords Fail To Defend Enterprises

Posted on September 27, 2004December 30, 2021 by admini

According to the Meta Group, passwords aren’t cutting the mustard because of both organizational and user failings, as well as a lack of cost-effective alternatives.

“Enterprises are pretty frustrated with passwords,” said Earl Perkins, vice president with the firm’s security and risk strategies group. On the organizational level, Perkins said that passwords’ failings range from enterprises wasting time creating convoluted policies to spending too little time protecting crucial applications.

On the end-user front, meanwhile, passwords are ineffective when people have too many to maintain. But the issue with password protection isn’t just numbers, said Perkins.

“From a cultural standpoint, many individuals don’t believe the value of the password reflects the value of the assets it protects.

The solution that enterprises are looking for is a low-cost way to add strong authentication to identity management. Among the possible additions or alternatives to passwords are such concepts as tokens, smart cards, and PKI-style services. “But it’s going to take someone willing to drive down the price of, say, tokens to create a low-cost solution,” he added.

There are hints that that might happen as early as the end of 2004 or the beginning of 2005, Perkins said, if only because rivals of RSA, the dominant player in the identity management market with its SecureID, want to break its grip. “If a competitor can shake that tree, things will loosen up.

One of Meta Group’s clients, for instance, wanted to deploy a token-based authentication to its entire 60,000+ employee workforce, but the price tag was simply too high.

Instead, companies tend to apply the higher-cost, but more secure, authentication to higher-value assets, such as servers, and leave passwords, as ineffective as they are, to defend other assets, like desktops.

http://www.techweb.com/wire/security/47900125

Linux firms join forces on security

Posted on September 24, 2004December 30, 2021 by admini

Mandrakesoft, joined by Bertin Technologies, Surlog, Jaluna and Oppida, will boost Linux so it meets the Evaluation Assurance Level 5 (EAL5) of an internationally used security certification called Common Criteria, the companies said onThursday. The certification is particularly important among military and government customers; the French Ministry of Defence is funding the project.

The EAL5 certification level is significantly higher than what current versions of Linux have attained. Red Hat reached EAL2 in April and EAL3+ in August, while Novell’s SuSE Linux reached EAL3+ in January. Those companies, which dominate the commercial market for the open-source operating system, are working on higher certifications in conjunction with IBM and Oracle.

Mandrakesoft will release the fruits of the work as open-source software when the project is done, the company said.

Microsoft’s Windows, Sun Microsystems’ Solaris, Hewlett-Packard’s HP-UX and IBM’s AIX all have EAL4 certification.

EAL5 certification is rarer; one company to attain it is IBM, with the technology that lets its z900 and z990 mainframes be divided into independent, isolated partitions.

http://news.zdnet.co.uk/0,39020330,39167716,00.htm

Phishers Fake FDIC Web Site

Posted on September 24, 2004December 30, 2021 by admini

This isn’t the first time that phishers have used the FDIC as a disguise to trick consumers.

Earlier this month, the Anti-Phishing Working Group detected a less sophisticated scam that tried to get users to give up their credit card account numbers, Social Security numbers, and PINs.

http://www.securitypipeline.com/news/47902805;jsessionid=H4IZU5N52KWUCQSNDBCCKHY

Only XP SP2 Secure Internet Explorer

Posted on September 23, 2004December 30, 2021 by admini

Microsoft this week reiterated that it would keep the new version of Microsoft’s IE Web browser available only as part of the recently released Windows XP operating system, Service Pack 2.

That, say analysts, is a steep price to pay to secure a browser that swept the market as a free, standalone product. “It’s a problem that people should have to pay for a whole OS upgrade to get a safe browser,” said Michael Cherry, analyst with Directions on Microsoft. “We do not have plans to deliver Windows XP SP2 enhancements for Windows 2000 or other older versions of Windows,” the company said in a statement.

Three years have passed since Microsoft introduced its last new OS, and its upcoming release, code-named Longhorn, has been plagued by delays. Microsoft last month scaled back technical ambitions for Longhorn in order to meet a 2006 deadline.

Those ongoing security updates do not, as Microsoft points out, include the latest security fixes with Service Pack 2, released last month. Now it’s unclear whether even half the Windows world will have access to the shored up IE.

Of Microsoft’s approximately 390 million operating system installations around the world, Windows XP Pro constitutes 26.1 percent, Windows XP Home 24.7 percent, IDC said.

http://news.zdnet.co.uk/internet/security/0,39020375,39167607,00.htm

New technology increases threats

Posted on September 23, 2004December 30, 2021 by admini

‘Extending enterprise networks overseas, as a result of increased outsourcing, can create new problems,’ managing vice president Victor Wheatman told delegates at the Gartner IT Security Summit in London this week.

Emerging technology such as web services and wireless personal devices will also expose new holes in IT security plans, he says. ‘Each new technology and way of doing business brings with it a whole range of new IT security concerns,’ he said. ‘And each new wave of technology obliterates the security architecture appropriate to its predecessor, opening the enterprise up to an ever increasing raft of security risks.’

Cybercriminals will be an increasing risk, developing ever-more sophisticated methods of making money using spyware, phishing and spam, says Wheatman.

Gartner says businesses should also put more pressure on vendors to remove security flaws before products are launched. The analyst predicts that a 50 per cent reduction in software vulnerabilities before shipping could remove 75 per cent of configuration management and incident response costs incurred by businesses.

The key to secure business is management improvement, with the most secure firms spending less than average, he says. The lowest-spending 20 per cent of firms are also the most efficient and will safely reduce security spending to only three to four per cent of their total IT budget, says Wheatman.

But to achieve this, investment must shift from product-based purchasing to implementing better-designed risk management processes. ‘We will constantly see new risks because technology and business processes don’t stand still,’ said Wheatman. ‘It’s about keeping the bad guys out, while letting the good guys in and keeping the wheels on.’

http://www.vnunet.com/news/1158271

Nokia Phone Adds Virus Protection

Posted on September 23, 2004December 30, 2021 by admini

Upcoming smart phone will feature a mobile version of F-Secure’s antivirus software.

Finnish mobile phone manufacturer Nokia will offer mobile antivirus software through F-Secure as one of the features in its new Nokia 6670 smart phone when it is released in October, the companies announced this week.

The Symbian OS smart phones will provide on-device protection, similar in fashion to antivirus protection programs for PCs, with automatic over-the-air antivirus updates for a monthly fee.

The software will not come loaded into the device, but can be downloaded from the F-Secure Web site, according to Nokia spokesperson Karoliina Lehmusvirta.

The Nokia 6670 will be the first mobile phone in its Series 60 line to offer the mobile virus protection, though users of other Series 60 mobile phones will also be able to purchase the antivirus protection software, “perhaps as early as October,” Lehmusvirta says.

F-Secure is also in talks with other handset manufacturers about offering similar antivirus protection, according to Matias Impivaara, business manager for mobile security services for F-Secure of Helsinki.

“This announcement is a starting point for us and we have been testing the service with a variety of handsets from different vendors and in several operator networks,” Impivaara says.

Nokia, based in Espoo, Finland, already offers antivirus software through F-Secure for its Communicator line of mobile devices, but Impivaara says the protection offered for the Nokia 6670 is a greatly improved version in terms of both features and pricing options.

“The first general offering for the mobile antivirus software came a couple of years ago, but this version has a whole new infrastructure,” Impivaara says.

“For example, it has a patented SMS [short message service] update mechanism and HTTPS [Hypertext Transport Protocol Secure] connections.

Lehmusvirta stresses that there is nothing about the Nokia 6670 that makes it particularly susceptible to viruses and that Nokia knows of no capabilities within any of its devices that a virus might exploit.

After a series of three malicious program targeting wireless devices were discovered in between June and August, security specialists stepped up their warnings of the pending possibility of serious attacks against mobile phones and PDAs.

F-Secure claims its mobile antivirus software service is the first commercially available product for protecting Symbian OS smart phones but IDC analyst Paolo Pescatore says similar programs can be expected in the very near future.

http://www.pcworld.com/news/article/0,aid,117904,pg,1,RSS,RSS,00.asp