NEWS: HEADLINES

Prof. Harry Lewis (Harvard University) writes about cloud computing in BusinessWeek: "Nine questions to ask before trusting your company's data or computing tasks to an outside provider." A definitive must read!

Secret EU report moots sharing personal data with US
A secret report prepared by experts from six European Union member states suggests creating an anti-terrorist pact with Washington which would include sharing intelligence across the 27-strong bloc. The 53-page report, drafted by the interior and justice ministers of Germany, France, Sweden, Portugal, Slovenia and the Czech Republic (recent, current and future EU presidency countries), argues that a stronger link with the US is needed to boost the fight against terrorism, UK daily The Guardian reported. The new initiative is dubbed the "Euro-Atlantic area of cooperation" and would involve the transfer of huge amounts of information on EU citizens and travelers to the US.
Negotiations over such a pact have so far been unsuccessful because of privacy concerns in some European countries and institutions, but the new report, handed over to all governments last month, suggests that it should be finalized by 2014 at the latest. "The EU should make up its mind with regard to the political objective of achieving a Euro-Atlantic area of cooperation with the United States in the field of freedom, security and justice," said the report. In addition, the document argues that anti-terrorist campaigns can only be effective if "maximum information flow between [EU] member states is guaranteed," adding: "Relevant security-related information should be available to all security authorities in the member states."
Among other proposals, the document suggests setting up "networks of anti-terrorist centres" and boosting the powers of security-related European agencies and institutions such as Europol (police body), Frontex (external frontiers body) and Sitcen (joint intelligence centre). The document puts together ideas on how the EU's security policy should develop over the next five years. Its preparation was launched by Germany last year.

Juniper adds router, switch coverage to security manager
Juniper Networks has upgraded and renamed its centralized security platform to cover many of the company’s routers and switches, less than a year after introducing the product. When first released, NetScreen Security Manager (NSM) managed policies for Juniper’s security products: the firewall/IPsec VPN and Intrusion Detection and Prevention (IDP) lines. As of this week the renamed Network Security Manager 2008.1 adds security management of Juniper’s J-series routers and EX-series switches. Being able to centrally control more devices will help lower capital expenses, said Sanjay Agarwal, Juniper’s senior product line manager for network management. “What we’re trying to address is providing a unified app for simplified management of all these devices in the network infrastructure which helps customers reduce their cost of ownership.” The new NSM also links to Juniper’s Infranet Controller unified access control appliances to create a centralized security and infrastructure system covering switches, routers, VPNs and access control, he said. New features have been added to Infranet’s UAC 2.2 software, along with two new members of the Infranet line, one of which scales up to 30,000 end users in a cluster.
Many of these devices share Juniper’s Junos operating system, which is updated four times a year. With NSM these updates are automatically downloaded, managed and installed, said Agarwal. With NSM 2008.1, administrators can create role-based templates and configuration groups for making policy changes; a global change to all of an organization’s DNS server settings, for example, can be accomplished quickly, Agarwal said. All devices managed by NSM 2008.1 are linked through the standards-based Device Management Interface (DMI). NSM handles common management features such as configuration file management, configuration management, inventory management, device discovery and bootstrap. In addition, there is an XML/SOAP API for customers and partners who want to integrate it with applications they have created. NSM 2008.1 also complements Juniper’s Security Threat Response Manager (STRM), which collects log data on possible threats, by automatically acting on policies triggered by a threat threshold, Agarwal said. However, NSM does not cover Juniper’s T-series routers. As before, customers have two purchase options: NSMXpress is an appliance for controlling up to 500 devices; for environments with more than that, customers have to buy the server-based NSM Central software, which runs on Red Hat Linux 4.0 and up or Sun Solaris 10. Juniper also announced upgrades to the software that runs its Infranet unified access control appliances. UAC 2.2 adds support for Microsoft Windows Statement of Health (SoH) and its embedded NAP agent, meaning Infranet Controllers can now be used to help manage upgrades to Windows XP Service Pack 3 and Windows Vista.
It also adds support for those Juniper intrusion detection devices that have the company’s Coordinated Threat Control (CTC) system, devices not covered until now. CTC coordinates responses between authentication and intrusion protection. Now, if an end user accidentally triggers an online threat, the intrusion detection can not only stop it but also signal the UAC to take action, such as temporarily disabling the user’s session. Finally, the company announced additions to the Infranet Controller line. The IC 4500, for mid-sized companies, supports up to 5,000 simultaneous endpoint users. The IC 6500 supports up to 20,000 simultaneous endpoint devices per appliance or 30,000 simultaneous endpoint devices in a cluster. It includes dual, mirrored, hot-swappable SATA hard drives and dual hot-swappable fans; dual hot-swappable power supplies are an option. No pricing was available at press time for the IC 4500 and IC 6500.

Vendors to get sneak peek of Microsoft patches
Microsoft plans to give security vendors a head start in what has become a monthly race against the hackers. Starting in October, the company will provide security vendors with early access to technical details of its monthly security patches before the software updates are actually released. This will give the companies that write attack-blocking code a bit of a cushion as they write and test their security software. Microsoft calls this initiative the Microsoft Active Protections Program (MAPP) and says that participating companies must sell commercial Windows security products and have a large customer base; and no, sellers of attack-based penetration testing tools are not invited. Early participants include IBM, Juniper Networks and 3Com's TippingPoint division, but other companies are expected to sign up. In the past few years the tools used by cyber criminals have advanced to the point where hackers can analyze the latest Microsoft patches and then turn out exploit code within a matter of hours, so Microsoft's plan to give the security industry an early look at technical information on the bugs could be a real help, said David Endler, senior director of security research for TippingPoint.

Canada gets mad
Canadian privacy and security experts assail US laptop seizure policy. The lineup at U.S. Customs is likely to grow longer and privacy takes another hit as border guards receive new powers to search and seize electronic devices. Crossing the U.S. border with your laptop, cell phone, iPod or video camera? Better think twice. U.S. customs agents were recently given new powers to seize notebook computers and other electronic devices of Americans and travelers of other nationalities at the border as part of an anti-terrorism program. A recently released U.S. Department of Homeland Security (DHS) policy indicates that agents do not need suspicion of wrongdoing to confiscate the electronic devices and that data contained in the devices may be shared with other agencies for decryption or other purposes. The policy covers laptops, MP3 players, pagers, cell phones, PDAs, voice recorders, and digital and video cameras.
Customs and border agents have in fact been conducting the seizures for some time, but it was only on July 16 that the policy regarding the searches was released, amid pressure from civil liberties and business travel groups. "The Canadian government should take the appropriate legal avenues to pressure the U.S. to review these policies," says David Fewer, staff counsel for the Canadian Internet Policy and Public Interest Clinic (CIPPIC), an Ottawa-based public advocacy group. Canadian travelers should let their local members of parliament know that they are strongly opposed to the practice, Fewer said. "This essentially constitutes a warrantless search and seizure." "Just because a traveler is crossing the U.S. border doesn't mean his or her privacy has to fly out the window," the lawyer said. The new guidelines will "needlessly" exacerbate long queues and delays at U.S.-Canada entry points for both business and leisure travelers, he added. The search is a "reactionary short-term move" which saddles Canadian businesses with additional burden and costs when conducting cross-border activities, according to David Senf, director of research for Canadian security and infrastructure software at IDC Canada. "I hope that this is just a tempest in a teapot... If this new set of powers is applied broadly, Canada and other nations should consider taking action to mitigate its application and negative impact."

Two Apple security sessions axed
Two Apple-related security sessions have been canceled at this week's Black Hat conference due to confidentiality and marketing issues, according to a Washington Post article. The first talk, in which Charles Edge was to discuss FileVault and its flawed encryption scheme, was axed after he signed an agreement with the Cupertino company to keep quiet. It seems to be strictly a case of not biting the hand that feeds you, as Edge states that Apple is his largest client. You can't blame him for pulling out, but as the Post article points out, this will probably just further pique the interest of the hacker community, resulting in the issue being discovered and outed regardless of any agreement. The second session, on which Computerworld has more information, was supposed to be given by an Apple engineering team, but was canceled after the company's marketing department got wind of what the team was about to do: "Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval."

Black Hat Puts Spotlight on Security Research
The Black Hat conference will bring with it a crowd of IT security pros ready to hear about the latest research into malware, rootkits and hacker tricks. Attendees will hear about attacks on Cisco routers and from researchers from such vendors as Hewlett-Packard. IT security pros, analysts and researchers are coming together for the meeting of the minds that is Black Hat 2008. The popular security conference officially kicked off Aug. 2 in Las Vegas with a series of training sessions that wrap up Aug. 5. However, the real buzz for many attendees will be the technical briefings Aug. 6-7 at Caesars Palace.

ICANN Plans for Disaster
VeriSign and the other companies that operate the top-level domains on the Internet are critical infrastructure, or at least some of them are. What if one of them were to fail somehow? This is the question ICANN is asking with its proposed gTLD Registry Failover Plan. eWeek's Larry Seltzer explains what ICANN plans to do in case a registry fails.

DOJ, Secret Service Move Against International Hacker, ID Theft Ring
The U.S. Attorney and Secret Service claim an international crime syndicate was behind the theft of more than 40 million credit and debit card numbers from TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. The Department of Justice and Secret Service allege that the hackers used wardriving to break into the retailers' networks and sniffer programs to capture card numbers and customer data. In what is believed to be the largest hacking and identity theft case ever prosecuted, the Department of Justice said Aug. 5 it has indicted 11 people for the theft and sale of more than 40 million credit and debit card numbers. Let's not forget that this deals with a hacker, not an international terrorist.

U.S. Government Won't Cede Control Over DNS Root Zone
In a letter to ICANN Board Chairman Peter Dengate Thrush, Meredith A. Baker, the acting assistant secretary for communications and information in the Commerce Department's National Telecommunications and Information Administration, has declared that the U.S. government has no plans to yield the control it now has over changes to the Internet's DNS root zone file. ICANN manages the DNS root zone, but under the terms of an agreement with the NTIA; the distribution of changes in the zone file to the various root servers around the world is performed by VeriSign. The authority of the Internet Corporation for Assigned Names and Numbers to administer various aspects of the Internet Domain Name System derives from agreements with the Commerce Department. The current agreement for that authority, the Joint Project Agreement, is set to expire in September 2009. ICANN has been gearing up for what comes next with preparations for taking more complete control. The Baker letter pulls the rug out from under some of those plans. What a ridiculous thought: the US rules the Internet and the world. Must have been conceived by Gore. But wait... wasn't he from the other party?

Newly found hybrid attack embeds Java applet in GIF file
Researchers at NGSSoftware have developed a hybrid attack capable of hiding itself within an image and intend to present details of the exploit at the Black Hat security conference next week. New and esoteric attacks are part and parcel of what Black Hat is about, but this particular vector could target web sites with a particularly vulnerable population: MySpace and Facebook. Social networking web sites tend to attract younger users, and while this attack can be used in a variety of ways, embedding the hook in profile photos that are then seeded and targeted at the teen crowd could be a very effective tactic.
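The polyglot trick behind this headline, as an added example that is not NGSSoftware's research code: a file whose first bytes are a well-formed GIF and whose last bytes are a ZIP central directory is accepted by an image decoder, which reads from the front and stops at the 0x3B trailer, and by a JAR reader, which locates the archive from the end. The archive member below is a constructed placeholder rather than real Java bytecode, the 1x1 GIF is constructed by hand, and the function names (`build_gif_jar_polyglot`, `gif_payload_length`, `sanitize_gif`) are the example's own. The second half is the check an upload handler for a photo-hosting site would want: a strict GIF block walker that reports, and can strip, anything past the trailer.

```python
"""Added example (not NGSSoftware's code): GIF/JAR polyglot plus a strict GIF
walker that detects the appended archive. The archive member is a constructed
placeholder, not real Java bytecode."""
import io
import zipfile

# Constructed 1x1 GIF89a: global 2-colour table, one graphic control
# extension, one image block, 0x3B trailer. 43 bytes in total.
MINIMAL_GIF = (
    b"GIF89a"
    b"\x01\x00\x01\x00\x80\x00\x00"              # screen descriptor, GCT flag, 2 entries
    b"\x00\x00\x00\xff\xff\xff"                  # global colour table
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"          # graphic control extension
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02\x02\x44\x01\x00"                      # LZW min code size + data sub-block
    b"\x3b"                                      # trailer
)


def build_gif_jar_polyglot(gif: bytes, members: dict) -> bytes:
    """Append a ZIP (the JAR container) to a GIF. Image decoders parse from
    the front and stop at the trailer; ZIP/JAR readers locate the central
    directory from the end, so each sees a valid file of its own type."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return gif + buf.getvalue()


def is_zip(data: bytes) -> bool:
    """True if a ZIP reader finds an end-of-central-directory record."""
    return zipfile.is_zipfile(io.BytesIO(data))


def read_member(data: bytes, name: str) -> bytes:
    """Read one archive member the way a JAR loader would."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past length-prefixed sub-blocks, including the 0 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_payload_length(data: bytes) -> int:
    """Strictly walk the GIF block structure; return the offset just past the
    0x3B trailer. Raises on anything that is not a well-formed GIF."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    pos = 6
    packed = data[pos + 4]                       # logical screen descriptor flags
    pos += 7
    if packed & 0x80:                            # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF: no trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:                        # trailer: the GIF proper ends here
            return pos
        if block == 0x21:                        # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                      # image descriptor (9 bytes)
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:              # local colour table present
                pos += 3 * (2 << (local_packed & 0x07))
            pos += 1                             # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos - 1))


def trailing_bytes_after_gif(data: bytes) -> int:
    """Bytes beyond the trailer; a clean upload has zero."""
    return len(data) - gif_payload_length(data)


def sanitize_gif(data: bytes) -> bytes:
    """Upload-side fix: keep the GIF proper and drop whatever was appended,
    which removes the ZIP central directory and with it the JAR."""
    return data[:gif_payload_length(data)]


if __name__ == "__main__":
    evil = build_gif_jar_polyglot(MINIMAL_GIF, {"Evil.class": b"placeholder bytes"})
    print("decodes as GIF; trailing bytes:", trailing_bytes_after_gif(evil))
    print("also a valid archive:", is_zip(evil), read_member(evil, "Evil.class"))
    print("after sanitising, still an archive:", is_zip(sanitize_gif(evil)))
```

Tolerant image libraries ignore trailing bytes, which is why such a file survives a "does it decode as an image?" check; the walker above rejects or truncates it instead. Re-encoding every uploaded image through a decoder reaches the same end and also covers formats other than GIF.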
Brazilian hackers stalk Twitter
Social websites like Facebook and MySpace have attracted a great deal of attention as targets of opportunity for phishing scams, but they are scarcely the only two social networking sites. New information suggests that hackers have tuned in to the newfound popularity of microblogging, and are at the very least evaluating Twitter as a potential target. In a blog post at Kaspersky Labs' Viruslist, Dmitry Bestuzhev describes the attack and how it functions. The Twitter profile itself was created specifically for the attack; profile information is posted in Portuguese. There is nothing on the page but a link to a video promising hot girl action; actually clicking on the link redirects the browser and instructs the user to download a new version of Adobe Flash that is supposedly required to watch the "film."
ARS TECHNICA

Hap-snap
McAfee snaps up Reconnex to add deeper data loss prevention capabilities. The move, which follows several acquisitions in the DLP space by Symantec, EMC and others in 2007, is part of a broader data protection strategy for McAfee.

China listens in on 'foreign devils'
It's almost 8.8.2008! And China is listening. And blocking, by the way. Smart phones, BlackBerrys and laptop computers will offer up sensitive personal and business information to officials who monitor China's state-controlled telecommunications carriers. China's Public Security Bureau is working overtime. China's security policies clashed with Olympic norms on Thursday, when IOC officials said they were embarrassed by last-minute disclosures by the Chinese government that media covering the August 8-24 Olympics would not have unfettered access to the Internet. On Tuesday, U.S. Sen. Sam Brownback, a Kansas Republican, said China had installed Internet-spying equipment in all the major hotel chains serving the Olympics. Citing hotel documents he received, Brownback said journalists, athletes' families and others attending the Olympics next month "will be subjected to invasive intelligence-gathering" by China's Public Security Bureau.

U.S. Agents Can Seize Laptops (and listen in on domestic devils as well)
Notebooks and other devices can be seized without reason and held indefinitely.
U.S. federal agents have been given new powers to seize travelers' laptops and other electronic devices at the border and hold them for unspecified periods, the Washington Post reported on Friday. Under recently disclosed Department of Homeland Security policies, such seizures may be carried out without suspicion of wrongdoing, the newspaper said, quoting policies issued on July 16 by two DHS agencies. Agents are empowered to share the contents of seized computers with other agencies and private entities for data decryption and other reasons, the newspaper said. DHS officials said the policies applied to anyone entering the country, including U.S. citizens, and were needed to prevent terrorism. The measures have long been in place but were only disclosed in July, under pressure from civil liberties and business travel groups acting on reports that increasing numbers of international travelers had had their laptops, cellphones and other digital devices removed and examined. The policies cover hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes, as well as books, pamphlets and other written materials, the report said. The policies require federal agents to take measures to protect business information and attorney-client privileged material. They stipulate that any copies of the data must be destroyed when a review is completed and no probable cause exists to keep the information.

OSS voices must be heard in national security debate
At the OSCON open-source software convention last week, the Foresight Institute's Christine Peterson, credited with coining the term "open source", urged technology enthusiasts to help redefine the way that society responds to security threats. The stakes are high, she claims, and the cost of failing to act could be enormous. She began her presentation by discussing the multitude of serious problems that have emerged from the adoption of electronic voting machines in the United States. Although electronic voting was originally devised to simplify elections and increase the accuracy of ballot tabulation, the voting machines in use today are disastrously unreliable and insecure. The hardware failures and demonstrable susceptibility to tampering exhibited by these devices are undermining the transparency and credibility of American democracy.
Resistance, however, is not enough. In order to overcome such challenges, technology enthusiasts must find better ways to address the underlying problems that seemingly necessitate the faulty solutions. According to Peterson, the area where there is the greatest need for action is national security. The federal government's controversial use of secret surveillance raises serious questions and poses a very real threat to privacy. She believes that the government has adopted this risky top-down approach to security because it lacks the tools it needs to address the problem in a more responsible way.
Instead of using secret spying, "we need to track the problem, not the people." The best way to combat the problem is to redefine the solution space. The answer is to drive innovation and deliver new technologies that can guarantee both privacy and security. Tools must be built that can detect security threats while also imposing verifiable limitations on government intrusion. In order to prevent abuse, these tools must be utterly transparent and perpetually subjected to the highest level of public scrutiny. Her mantra is "no secret software for public sensing data."
The people who will build such tools, she insists, need to have a deep understanding of security, privacy, functionality, and freedom. She is completely convinced that the open-source software community has the values and expertise needed to lead the way.