Blockmaster SafeStick – Product Review

Review by Michael Smith (Veshengro)

SafeStick® Business edition is a password-protected USB flash drive with automatic hardware encryption. It secures stored information in an instant and user-friendly way. Insert it, set a password and start using it. No other product combines corporate security and flexibility requirements like SafeStick® does.

Works with end-point control systems and is compatible with all third-party endpoint lock-down solutions such as DeviceLock (http://www.devicelock.co.uk).

Unlike other encrypted USB flash drives there is no encryption program to launch and set up on the stick and on the PC.

I received a sample of the SafeStick drive at the recent Infosec 2008 held at London's Olympia, and once I had emailed for the factory password and received it, everything else was just plain sailing.

Once you open the stick with the factory password (for first use) and then set up your own password, you simply add your files.

Afterwards, every time you insert the stick into the PC you are prompted for your password. This is all that is required to keep your data safe, secure and encrypted with AES256 military-grade hardware encryption. To remove the drive from the PC you right-click on the “Blockmaster” symbol in the system tray and then choose “lock & eject”, and that's it. All administration of the SafeStick is achieved by a right-click on the icon in the system tray.

The slimline case is metal and its size allows the stick to be inserted in small spaces, such as on crowded hubs or on laptops and notebooks.

Linux support is possible via VMware for Linux, and the same virtual machine software is required to use the stick on Mac OS X.

This is the first encrypted USB flash drive that I have encountered that actually mentions Linux compatibility, even though in order to achieve this VMware has to be installed on any such Linux machine. Direct Windows and Linux support together would still be much better and is definitely something that should be aimed for, I think. But I must applaud this already as a very good way and point, and while it does require additional software to run the SafeStick on other systems apart from Windows, at least Linux (and Mac) is being considered in this case as being in existence.

Therefore this seems to be the only one, or one of a very small number, of such encrypted pen drives (I still have to see others that do, though) that offers full cross-platform interoperability of sorts, even though the Linux PC or the Mac will have to have VMware installed. That is, probably, something one could live with, but, as said already, direct interchangeability would be best of all.

As soon as I can work out how to actually install VMware on my Ubuntu “Dapper Drake” machine I shall test it there too.

As I have said in the intro of this journal, I am no geek so sometimes I do need a little hand still when it comes to such things as installing add-ons to Linux, and even though I love Ubuntu and Linux and will, as soon as possible for me, migrate over entirely to Linux, I still have to learn how to do some of the things on that system.

The great thing, as said, with SafeStick, in my opinion, is that no (additional) software needs to be installed and/or run for the purpose of securing your data on the drive.

As someone who has tested encrypted sticks from a number of different manufacturers and distributors before, I must say that SafeStick is the easiest. It is truly a “plug & work” product.

Pro:
  • Ease of use
  • No software installation for encryption or otherwise
  • Hard metal case
  • Slimline case
  • Linux and Mac support through VMware (must be on the host machines)

Con:
  • No direct Linux and Mac support (needs installation of VMware)

Official reseller for the Blockmaster SafeStick in the United Kingdom is Softek Limited - http://www.softek.co.uk

© M Smith (Veshengro), April 2008

Windows is 'collapsing,' Gartner analysts warn

by Michael Smith (Veshengro)

Due to poor response to the marketplace and decades of legacy issues, Microsoft must either radically change Windows or risk its collapse

Calling the situation "untenable" and describing Windows as "collapsing," a pair of Gartner analysts said recently that Microsoft must make radical changes to the operating system or risk becoming a has-been.

The latter might not be all that bad a thing seeing the things that are going on presently as regards to the Vista operating system and the intrusive practices of Microsoft.

In a presentation at a Gartner-sponsored conference in Las Vegas, analysts Michael Silver and Neil MacDonald said Microsoft has not responded to the market, is overburdened by nearly two decades of legacy code and decisions and faces serious competition on a whole host of fronts that will make Windows moot unless the developer acts.

"For Microsoft, its ecosystem and its customers, the situation is untenable," said Silver and MacDonald in their prepared presentation, titled "Windows Is Collapsing: How What Comes Next Will Improve."

Among Microsoft's problems, the pair said, is Windows' rapidly-expanding code base, which makes it virtually impossible to quickly craft a new version with meaningful changes. That was proved by Vista, they said, when Microsoft – frustrated by lack of progress during the five-year development effort on the new OS – hit the "reset" button and dropped back to the more stable code of Windows Server 2003 as the foundation of Vista.

But still Vista is about as stable as an ordinary chair that has lost a leg. That is to say that it is not, according to what one gets to hear from users.

"This is a large part of the reason [why] Windows Vista delivered primarily incremental improvements," they said. In turn, that became one of the reasons why businesses pushed back Vista deployment plans. "Most users do not understand the benefits of Windows Vista or do not see Vista as being better enough than Windows XP to make incurring the cost and pain of migration worthwhile."

It also would appear that recently Microsoft had to admit to all and sundry that Vista is not a complete program as yet but remains a “work in progress”. Well, that has been quite obvious from nigh on the very beginning: when it was touted as the safest (Windows) operating system, the first crucial security updates followed rather quickly.

Other analysts, including those at rival Forrester Research, have pointed out the slow move toward Vista. Last month, Forrester said that by the end of 2007 only 6.3 percent of the 50,000 enterprise computer users it surveyed were working with Vista. What gains Vista made during its first year, added Forrester, appeared to be at the expense of Windows 2000; Windows XP's share hardly budged.

The monolithic nature of Windows - although Microsoft talks about Vista's modularity, Silver and MacDonald said it doesn't go nearly far enough - not only makes it tough to deliver a worthwhile upgrade, but threatens Microsoft in the mid- and long-term.

Users want a smaller Windows that can run on low-priced – and low-powered – hardware, and increasingly, users work with "OS-agnostic applications," the two analysts said in their presentation. It takes too long for Microsoft to build the next version, the company's being beaten by others in the innovation arena and in the future – perhaps as soon as the next three years – it's going to have trouble competing with Web applications and small, specialized devices.

Such a small Windows does not seem to be something that MS is capable of producing. Therefore many people are migrating to the likes of Linux operating systems that offer just that, such as Puppy, DSL and such.

"Windows as we know it must be replaced," Silver and MacDonald said in their presentation.

While rumor had it that Microsoft recently granted Windows XP Home a reprieve from its June 30 OEM cut-off, saying it would let computer makers install the older, smaller operating system on ultra-cheap laptops through the middle of 2010, the latest message out of Redmond is, yet again, the June 30 cut-off date for XP as OEM software – though this may relate to XP Pro – and all new PCs and laptops, so it is said, will from then on be preloaded with one or the other version of Vista. Thanks, but no thanks.

© M Smith (Veshengro), April 2008

Microsoft Removes Outlook Express Support For Hotmail

by Michael Smith (Veshengro)

According to an email circulated to Hotmail users, which I assume many of us have received, Microsoft is phasing out Outlook Express access to Hotmail/Live Mail accounts. Below is part of the email sent out by Microsoft to users:

Quote
Dear Microsoft Outlook Express customer,

Thank you for using Microsoft® Outlook® Express. Our information indicates that you use Outlook Express to access a Windows Live™ Hotmail® e-mail account via a protocol called DAV (Distributed Authoring and Versioning protocol). DAV, like POP3 or IMAP, is the way that a mail client communicates with a web-based mail server.

As a valued customer, we want to provide advanced notice that as of June 30, 2008, Microsoft is disabling the DAV protocol and you will no longer be able to access your Hotmail Inbox via Outlook Express. As an alternative, we recommend that you download Windows Live Mail, a free desktop e-mail client that has the familiarity of Outlook Express and much more. This next generation of free e-mail software will allow you to easily manage multiple e-mail accounts—including Windows Live Hotmail, plus other e-mail accounts that support POP3/IMAP. Better yet, Windows Live Mail integrates well with other Windows Live services, and downloads in minutes. After you provide your user name and password, you will automatically be linked to your Hotmail account, providing continued access to your email and contacts.
Unquote

It then goes on to list the reasons, which are rather strange to me, one of them being the size of the inbox, for instance. I have a Yahoo mail account and that has an unlimited mailbox now, and I have no problem using the POP3 protocol to retrieve my mails and even leave all mails on the server. I could remove them but found that sometimes, as we all make mistakes, I erase one in Outlook Express that I did not mean to erase, and so there is a copy – generally – left on Yahoo Mail. So my inbox at Yahoo is rather sizeable and still there is no problem. To me, the excuses of MS tell me that they want some form of tracking one way or another.

I, for one, am not happy to have to replace Outlook Express with this new email client they tell us to download, simply because I am not happy as to why. So, therefore, should we now download this new client – and maybe allow MS to track our every move – or should we instead remove our support from Hotmail and leave them? I am definitely thinking about doing the latter. There are other email services out there, especially Web Mail services, that don't force me to do this or that, though I'd rather have the option of using my email from an email client on the PC.

Who is with me here in thinking that Microsoft is, yet again, having us download some more software that probably communicates with that place in Redmond? Or am I just paranoid as far as MS and such are concerned?

Why, if, as Microsoft states, Outlook Express does not work with the “new” protocol, can they not simply also make Hotmail into a POP3 service, which would work? It just beats me.

I also have, as said already, a Yahoo Mail account with now unlimited inbox size – not just a miserly 5GB – and use POP3 access with that without problems. When Microsoft stops making up excuses people may actually have less of an issue with them, I am sure.

Personally, I have had some issues with Hotmail access via Outlook Express before; it refused to work, and I was then told by MS support that Outlook Express “support” for Hotmail accounts was only a Beta service and therefore there was no guarantee that Outlook Express would work reliably with Hotmail. I was also told that while they would try to ensure that generally the Beta service would work, they would not ever rush to repair it, so to speak. It was then that I basically migrated from Hotmail over to Yahoo Mail with most of my work.

The new look – still in Beta basically – of Yahoo Mail and its functionality, even though there are the occasional issues, and though I primarily use the POP3 access, in my opinion beats that of Windows Live Mail hands down. In addition to that, Yahoo Mail now gives even free users unlimited storage. Personally, I see no reason to need that much storage for myself, but I must say that I keep quite a few messages for additional backup on Yahoo Mail. Yahoo Web Mail to me also loads faster than does Windows Live Mail and, as said, the look is better. Also, if there is an issue I can switch to the Classic Look and very often solve it through that.

Maybe I am too much of a conspiracy nut, as some, I am sure, might think, but I cannot see why MSN had to do this new system and then make us download – if we want to be able to use Hotmail/Live Mail from our desktops and offline – a new email client. Does Hotmail work in Thunderbird? No, Hotmail does not work in Thunderbird – period. Why not? Because, I am sure, of the fact that Thunderbird would block some of the talkback protocol. Once I find a plugin that works to pull Yahoo Mail emails from the server for Thunderbird I will definitely change over entirely, as Hotmail will no longer be accessible via Outlook Express anyway. That was the only reason I had retained the use of Outlook Express.

Yes, I do know that Yahoo uses so-called “web beacons” but, for some reason I do trust Yahoo more than I do MSN.

© M Smith (Veshengro), April 2008

Solcara become catalysts… for Catalysts Ltd

Catalysts Ltd have teamed up with business software developer Solcara in a ground-breaking deal to develop a range of new products to address the rapidly growing market of business risk management.

As part of the partnership, Solcara will license its Solcara Communications Centre and Solcara Crisis Control Centre to Catalysts on an OEM basis, for integration into Catalysts’ business risk management application suite, FutureActive. Catalysts will re-badge the Solcara applications with Catalysts product names and integrate Solcara’s code into the full product set.

Catalysts have worked in partnership with customers large and small for more than 18 years designing and building information systems which confer competitive advantage and are experts in helping clients gather, disseminate and profit from information.

Rob Martin, Managing Director of Solcara said:

“As we know from recent economic events, business risk management is now a board level agenda item. Our own work in creating awareness of the need for risk management is greatly enhanced by our partnership with Catalysts who will be using our products within their own portfolio.”

Nigel Phelps, Managing Director of Catalysts said:

"We were attracted to working with Solcara for a number of reasons – Solcara is a UK company; its products exceeded the requirements for our new FutureActive business unit and working with their people feels like a real partnership, so the customer experience is excellent. We anticipate a mutually-productive relationship."

Another MS Vista Screw-Up

A recent update for the Microsoft Vista operating system is causing headaches for users with USB devices.

by Michael Smith (Veshengro)

Microsoft last week re-released a software update intended to provide performance and reliability enhancements for Windows Vista-based and Windows Vista Service Pack 1-based systems. It was one of eight security bulletins and updates the company made available on April 8.

Users who installed the update, however, soon found their USB devices unresponsive, particularly mice and flash drives. Removing and re-installing the programs reportedly did not immediately solve the problem.

Microsoft confirmed the bug, but declined, let's call that “refused”, to provide further details.

"We are aware of concerns that a recent Microsoft update may be causing problems with USB devices," according to a Microsoft spokeswoman. "We are investigating the matter and at this time do not have any additional information to share."

Why am I not surprised? Especially since Microsoft has now had to admit that rather than a finished product Vista is very much a “work in progress”. Duh? So, it took over 5 years to develop and release and then still it is a “work in progress”. Sorry, folks, but that sure is NOT good enough. Time for a switch, dearest readers. Ubuntu on the desktop is coming of age. Let's go and get it.

© M Smith (Veshengro), April 2008

Women 4 times more likely to give away passwords than men for chocolate

London, UK, 16th April 2008 - A survey by Infosecurity Europe (www.infosec.co.uk) of 576 office workers has found that women are far more likely to give away their passwords to total strangers than their male counterparts, with 45% of women versus 10% of men prepared to give away their password to strangers masquerading as market researchers, with the lure of a chocolate bar as an incentive for filling in the survey. The survey was actually part of a social engineering exercise to raise awareness about information security. The survey was conducted outside Liverpool Street Station in the City of London.

This year’s survey results were significantly better than previous years. In 2007, 64% of people were prepared to give away their passwords for a chocolate bar; this year it had dropped to just 21%, so at last the message is getting through to be more infosecurity savvy. The researchers also asked the office workers for their dates of birth to validate that they had carried out the survey; here the workers were very naïve, with 61% revealing their date of birth. Another slightly worrying fact discovered by researchers is that over half of the people questioned use the same password for everything (e.g. work, banking, web, etc.).

“Our researchers also asked for workers' names and telephone numbers so that they could be entered into a draw to go to Paris; with this incentive 60% of men and 62% of women gave us their contact information”, said Claire Sellick, Event Director, Infosecurity Europe.

As she revealed her details to our researchers one woman said, “even though I have just been to Paris for the weekend I would love to go again.”

Sellick continued, “that promise of a trip could cost you dear, as once a criminal has your date of birth, name and phone number they are well on the way to carrying out more sophisticated social engineering attacks on you, such as pretending to be from your bank or phone company and extracting more valuable information that can be used in ID theft or fraud.”

Workers were also queried about their use of passwords at work: half said that they knew their colleagues' passwords, and when asked if they would give their passwords to someone who phoned and said they were from the IT department, 58% said they would. Researchers also asked workers if they thought other people in their company knew their CEO's password; 35% of them thought that someone else did, with Personal Assistants and IT staff being the most likely suspects.

“This research shows that it’s pretty simple for a perpetrator to gain access to information that is restricted by having a chat around the coffee machine, getting a temporary job as a PA or pretending to be from the IT department.” Sellick continued, “This type of social engineering technique is often used by hackers targeting a specific organisation with valuable data or assets such as a government department or a bank.”

One man said, ‘I work for a government department, I would never give my password to anyone else, it could cost me my job’.

Most people used only one (31%), two (31%) or three (16%) passwords at work, but a few poor souls had to use as many as 32! It was also found that 43% of people rarely or never change their password, which is very poor security practice.

After the survey was completed, each worker was told ‘We do not really want your personal information; this is part of an exercise to raise awareness about information security as part of Information Security Awareness Week, which runs from 21-25 April 2008. We will tabulate results to find out how good people are at securing their information.’ At this one man told one of our pretty researchers, “You look so well dressed and honest, I did not think you could be a criminal”, which was a sentiment echoed by many others.

Claire Sellick continued, “This is precisely the problem, whether a criminal approaches you on the street or online, they will often not be who they appear to be, a criminal can often look very presentable. Many of the social engineering techniques used by face-to-face fraudsters have been adopted by criminals to encourage people to open spam emails or visit websites that are infected with viruses, trojans or malware collectively known as crimeware. The crimeware silently takes control of PCs and other devices, then steals identities and cash or in many cases joins the PCs to a network of controlled PCs as part of a “BOTNET” to launch attacks on other people or organisations.”

The survey was carried out as part of the run-up to Information Security Awareness Week, which starts on the 21st April. Infosecurity Europe is part of the week's activities and is the event where those responsible for securing their organisation's information can find all the latest technology, services and advice from over 300 of the top security companies from across the globe exhibiting.

The cutting-edge education programme at Infosecurity Europe is the highlight of the Information Security industry's international calendar, reflecting the issues that visitors want to hear about. Over three days visitors will have the opportunity to gain an insight from 123 experts in the FREE-to-attend education programme. Two key pieces of industry research will also be released at the show this year with the launch of the 2008 Information Security Breaches Survey on behalf of the UK Government and the (ISC)² Global Information Security Workforce Study 2008.

Nearly 12,000 visitors are expected to attend this year's event, with many travelling from overseas to participate in the education programme that addresses both strategic and technical issues. It draws on the skills and experience of senior end users, technical experts and real-world case studies. Infosecurity Europe takes place at the Grand Hall, Olympia, London from 22nd to 24th April 2008 (www.infosec.co.uk).

If you can’t trust the Compliance Officer who can you trust?

Or is the temptation these days too great for anyone to resist?

Written by Calum Macleod, European Director for Cyber-Ark

I often wonder if I’ll get to an age where I’m not disillusioned by the world around me. It started so early in life when I experienced corporal punishment, got the belt!!, from my father for bringing home a bottle of soft drink without paying for it! I discovered that you just didn’t walk into the store and pick something up and walk out. It went downhill after that; Santa Claus didn’t exist, you had to learn stuff in school and write the letters between the lines, or else you got the belt! In 2008 this would be called child abuse but back then it was called preventative medicine. Then having finally entered the world of the employed I discovered that half my salary had been allocated to pay for speed cameras and various other “useful” items. And having thought I’d seen it all I just found out that Compliance Officers cannot be trusted!!

Here I’ve been for years advising supposedly concerned Compliance Officers about the risks posed by their IT staff, or even worse their For-Ex dealers, who are all petty criminals waiting to steal company secrets and misappropriate funds, and then lo and behold I walk into a company a few weeks ago and discover they’ve just fired their Compliance Officer. It was a minor indiscretion. He had simply accessed every contract that the company had to ensure that the company was complying with all the relevant policies. And everyone was convinced that their CO was just doing his job in the diligent pursuit of internal evil doers only to discover that he was being handsomely rewarded by the competition. After all you can only lose so many deals and blame it on bad luck! He was the biggest evil doer of them all!!

It seems that it doesn’t matter where you look these days; you can’t trust anyone and herein lies the crux of the problem faced by many organizations. They assume that their employees can be trusted not to do something stupid or they can trust their employees because they’re all basically honest.

Unfortunately it’s the honest ones that are most often the victims and very often an organization’s failure to grasp the magnitude of the damage one dishonest or careless employee can cause that results in the disasters we keep hearing about. Whether it’s careless employees working for the Government or unscrupulous employees working in the financial sector the end result is the same.

Every organization today, no matter how small or large needs to ensure that privileged access to systems is controlled and that confidential data is secure. And a key factor in this is ensuring that people in positions of responsibility understand what they’re doing. The example of the CISO of a UK Fortune 100 company who stated that the M&A data about planned acquisitions was secure because the server was in the boardroom may not be typical of the level of CISOs but it only takes one idiot to give you all a bad name – or for that matter one Compliance Officer on the take to have every Compliance Officer labeled as a crook.

The lack of sufficient internal controls results in data breaches, denial of service attacks, and compliance review failures, and the key areas of vulnerability are privileged user access controls both inside and outside the network, confidential data exchange via public networks, and securing highly sensitive data inside the network. The insider threat is the #1 security risk to enterprises today, primarily because it is clear that insider incidents perpetrated by using system administrator or privileged account access are responsible for 9 out of 10 breaches in data security.

Information leaks in all forms are occurring with increasing frequency today within some of the largest and most important organizations and enterprises. These breaches, whether inadvertent or as part of a coordinated attack, release highly sensitive information into the larger market where it is used to damage the originating organization’s business, competitiveness and reputation, and also significantly impacts the privacy and confidence of their customers, partners and vendors.

Common solutions such as mail (CDs in the post, for example), e-mail or FTP suffer from several disadvantages. Distributing vast numbers of documents via mail is cumbersome and hard to track. FTP solutions are not reliable or secure. E-mail solutions, including encrypted e-mails, are also not reliable because they are dependent on the recipient's e-mail infrastructure. Large files or encrypted files often tend to fail e-mail security policies and bounce back. Organisations need global accessibility and connectivity while maintaining security.

As an IT security advisor at Cyber-Ark, this is the advice I give my clients to suggest how they should go about protecting their data.

Information needs to be protected from unauthorized modification, deletion, and exposure. Encryption and other security mechanisms are not helpful if someone hacks the computer and circumvents the security layers. For instance, encryption is good for confidentiality, but does not protect data from intentional deletion or accidental modification. In order to build multi-layered security, a sterile environment must exist to accommodate and protect the security infrastructure.

Ensure you have visual auditability – owners of information need to actually see what happens with their information at all times. Combined with auto-logging and auto-alerting, it ensures that an organisation has both a prevention and a detection mechanism.

Separation of Duties must be possible between the owners of the information and the administrators of the information. In other words there is no need for IT staff to be reading employee contracts, unless of course he or she is doubling as head of HR!

Dual Control ensures that highly sensitive data can only be accessed provided it has been authorised by another person.

Data should always be backed up in encrypted form, and kept encrypted even while on backup media, to prevent unauthorized disclosure.

And access should be controlled based on user location. In other words, it’s not the employer's responsibility to help an employee show off to the cute blonde in the Internet café. Make sure that if the information is for internal use only then that’s exactly where it stays.
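As an added example (not Cyber-Ark's code nor the article's), the following Python policy check encodes the controls listed above in one decision function: separation of duties, location-based access, dual control, and auto-logging with auto-alerting on denials. The role names, internal address ranges and document names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed internal address ranges; a real deployment would take these from config.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample: documents whose access requires dual control.
HIGHLY_SENSITIVE = {"contracts/acme-merger.pdf"}


@dataclass
class AccessRequest:
    user: str
    role: str                       # "owner" (business side) or "admin" (IT)
    document: str
    classification: str             # "internal" or "public"
    source_ip: str
    approver: Optional[str] = None  # second person who authorised this access


@dataclass
class AuditTrail:
    """Auto-logging plus auto-alerting: every decision is recorded, denials alert."""
    entries: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def record(self, req: AccessRequest, allowed: bool, reason: str) -> None:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user": req.user,
            "document": req.document,
            "allowed": allowed,
            "reason": reason,
        }
        self.entries.append(entry)
        if not allowed:
            self.alerts.append(entry)


def is_internal(ip: str) -> bool:
    """True if the source address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def evaluate(req: AccessRequest, trail: AuditTrail) -> bool:
    """Return True only if every control passes; every outcome is logged."""
    # Separation of duties: those who administer the store do not read its content.
    if req.role == "admin":
        trail.record(req, False, "separation of duties: administrators cannot read content")
        return False
    # Location-based control: internal-only information stays on the internal network.
    if req.classification == "internal" and not is_internal(req.source_ip):
        trail.record(req, False, "location: internal document requested from outside")
        return False
    # Dual control: highly sensitive data needs authorisation by a different person.
    if req.document in HIGHLY_SENSITIVE:
        if req.approver is None or req.approver == req.user:
            trail.record(req, False, "dual control: no independent approver")
            return False
    trail.record(req, True, "all controls satisfied")
    return True
```

The owner of the information reviews `trail.entries` for visual auditability, while `trail.alerts` feeds whatever alerting channel the organisation uses.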

No organization is immune to the risk of exposure, embezzlement, or embarrassment. There is no such thing as the 100% trustworthy workforce, especially when you’re outsourcing or using contract staff. How many organizations can echo the sentiment that they have been cheated by someone and they have no idea when? And they make up their mind that it has to come to an end.
So let’s just say that since people have a habit of letting you down, it's time you ensured your data is secure and locked away. As someone once famously said, “I generally avoid temptation unless I can't resist it”.

www.cyber-ark.com

Study Finds 'Alarming' Ignorance About Cybercrime

"Consumers' unsecured computers play a major role in helping cybercriminals conduct cybercrimes," the National Cyber Security Alliance warns

by Michael Smith (Veshengro)

At the recent RSA Conference, it was reported by the National Cyber Security Alliance (NCSA) that consumers, in the USA, and, I can also guarantee, elsewhere, do not understand botnets, those networks of compromised computers that have become one of the major methods for attacking computer systems.

"Botnets continue to be an increasing threat to consumers and homeland security," said Ron Teixeira, executive director of the NCSA, in a statement.

"Consumers' unsecured computers play a major role in helping cybercriminals conduct cybercrimes not only on the victim's computer, but also against others connected to the Internet." (See also my article “Unsecured PCs – The Bane of the Internet”)

Many computer users, especially consumers, so to speak, that is to say the “ordinary” home user or the small entrepreneur working from home, often simply do not understand to what degree their computers can be subverted, thereby degrading security for others.

A great majority have no idea as to the term "botnet"; more than half actually believe it is unlikely that their computer, even if compromised, could affect homeland security; just under half believe it not to be possible for their computer to be commandeered by hackers; again more than half have not changed their password in the past year; and nearly half of users do not know how to protect themselves from cybercriminals.

I can vouch for that with the amount of people that I come in contact with who use a PC from home for all kinds of activities, often including running a business, who do not even have any anti-virus software, or if they do they have never ever updated it.

Such findings really should come as no surprise. Last October, a joint study conducted by McAfee and the NCSA found that almost half the consumers surveyed erroneously believed their computers were protected by antivirus software.

Moreover, the ongoing success of social engineering attacks demonstrates that people are easily fooled. And really, given the frequency with which studies exposing people's ignorance about all manner of things appear, it should be assumed that more education about everything is needed. However, how much more can you educate people?

As said, there are many who have not even got anti-virus software on their PCs, or who have never updated it if they do have such a program, believing that having it installed protects them for ever and that they need do nothing.

Let us not ask them whether they have software firewalls installed (hardware firewalls would just confuse them). The same is true as regards anti-spam and anti-malware programs. The great majority, I am sure, have neither.

Ron Teixeira considers it "alarming" that people don't know how to keep their computers secure.

While that may well be cause for alarm, it is, however, worth noting that companies with highly paid IT professionals get hacked, too. That should at least be as alarming, if not more so. And, it is not just companies; the very security services get hacked.

Tell a hacker or cracker that your system is secure and he has his homework for the week. He will try to hack your system and, more likely than not, he will, given time, succeed.

There is no such thing as a fireproof system; all we can do is keep on top of it. This means anti-virus software must be updated daily, as I already said in the previous piece, if not every couple of hours, manually if need be, while one is online. The same goes for any other protection software. If it is not updated and does not have the latest signatures then it cannot catch and disable the threats that are out there.

Now, let's be careful out there... In addition, a change of OS might be an idea too...

© M Smith (Veshengro), April 2008

USB Flash Drives – A Warning!

by Michael Smith (Veshengro)

This is a little warning to all of us who use USB flash drives, the so-called USB sticks, memory sticks, etc.: do not rely on them, one, for constant write and rewrite use like a mini hard drive, and, two, for long-term storage of data without a synchronized backup.

Why am I saying this? Because I am speaking from bitter experience of having used a small, lower end of the market USB memory stick as a kind of portable mini/micro hard drive, transferring data between PCs but also writing articles onto the drive directly without, alas, I have to admit, making daily backups of the drive. Bad move on all counts.

Whether the device, that is to say the USB stick, was not shut off properly from the Windows PC before using it on the Linux PC I do not know and could not say, but this is a distinct possibility. Then, when I was trying to write an article to the drive, it simply “locked” all files and folders and then ever so kindly wiped all the data contained on the memory stick. Oops! And I have no backup of some of the articles that were on that drive in draft form.

Hence the warning(s): do not rely on flash media, especially removable flash media (and the cheaper sticks will probably be more prone to such problems), either, one, for long-term storage or, two, as external micro hard drives, without a data backup that is synchronized at least once a day, if not more often.

While those drives are ever so handy, and I am rather grateful to all the vendors at all the shows and fairs I attend who so kindly give away USB flash drives of various degrees of quality (I do have a rather nice collection of them and make good use of quite a number of them), I still must issue the warning given here. It is how we use them that is the important thing.

If we use them as a kind of micro drive then we must ensure that, one, the stick is from a good manufacturer of known quality and, two, we have a backup of the data on that disk for the “just in case” moment.

We used to get the “backup, backup, backup” mantra chanted at us so often when floppy disks were in use, and it was standard practice to have a backup of the backup even. We have become rather lazy now and have come to trust flash media more than we ever did the magnetic media of the floppy disks.

A backup of the backup it may not have to be, but a backup definitely, and one that is kept in sync with the stick.
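As an added example, not part of the original article: a small Python script that mirrors the contents of a stick into a backup directory and verifies every copied file by SHA-256 hash, which is the kind of synchronized backup the piece above argues for. The mount path and backup directory are passed on the command line and are assumptions; the manifest file name and the "size and mtime match" skip rule are my own choices. It never deletes anything from the backup, so a stick that wipes itself cannot take the backup with it, and it flushes buffered writes with os.sync() before returning, which addresses the suspected cause of the loss (a stick pulled before the operating system had finished writing to it).

```python
"""
Mirror a removable drive (e.g. a USB stick) into a backup directory and verify
the copy by content hash. Added example, not part of the original article; the
paths, the manifest file name and the skip rule are assumptions.
"""
import hashlib
import os
import shutil
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sync_backup(source, backup) -> dict:
    """
    Copy every regular file under `source` to the same relative path under
    `backup`. A file already in the backup with the same size and (roughly) the
    same mtime is skipped but still re-hashed, so the final verification catches
    a copy that has silently changed on either side. Nothing is ever deleted
    from `backup`. Returns a dict with the lists of copied and skipped relative
    paths, a `verified` flag and the {relpath: sha256} manifest.
    """
    source, backup = Path(source), Path(backup)
    backup.mkdir(parents=True, exist_ok=True)
    copied, skipped, manifest = [], [], {}

    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = str(src.relative_to(source))
        dst = backup / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        if dst.exists():
            s, d = src.stat(), dst.stat()
            # FAT, the usual stick filesystem, keeps mtimes at 2-second resolution,
            # so compare with a tolerance rather than for exact equality.
            if s.st_size == d.st_size and abs(s.st_mtime - d.st_mtime) < 2:
                skipped.append(rel)
                manifest[rel] = sha256_of(dst)
                continue
        shutil.copy2(src, dst)  # copy2 preserves the mtime, so the next run can skip it
        copied.append(rel)
        manifest[rel] = sha256_of(dst)

    # Verify the backup against the live source, file by file.
    verified = all(sha256_of(source / rel) == digest for rel, digest in manifest.items())

    # Keep a manifest next to the backup so a later check can spot bit rot.
    (backup / "MANIFEST.sha256").write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in sorted(manifest.items()))
    )
    # Push buffered writes to disk before anyone pulls the stick (not available on Windows).
    if hasattr(os, "sync"):
        os.sync()
    return {"copied": copied, "skipped": skipped, "verified": verified, "manifest": manifest}


if __name__ == "__main__":
    import sys
    # Assumed usage: python usb_backup.py /media/stick ~/backup/stick
    result = sync_backup(sys.argv[1], sys.argv[2])
    print(f"copied {len(result['copied'])}, skipped {len(result['skipped'])}, "
          f"verified={result['verified']}")
```

Run it every time the stick is plugged in; a `verified` of False means a file differs between stick and backup even though size and timestamp match, which is exactly the silent corruption case worth investigating before trusting either copy.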

© M Smith (Veshengro), April 2008

Unprotected PCs – The bane of the Internet

by Michael Smith (Veshengro)

Unsecured and unprotected personal computers, whose users have not got anti-virus and other protection software installed and kept updated, are a menace to the rest of us on the Web, and I do not use the word “menace” lightly.

It is the likes of those computers, to a very great degree, if not in the main, that are being used as part of botnets to transmit all the spam traffic and also to spread viruses and other malware that is, primarily, email-borne.

How many times do I hear, when someone comes to me with a PC that has caught the sniffles and I ask about anti-virus protection, that they don't have any? Or someone may say, 'But I have got this or that anti-virus program,' often one of the big ones, 'on my PC and still it got a virus (or hundreds),' and when I then enquire as to when it was last updated I get a blank expression. 'Updated?' is the invariable question. 'What do you mean by updated?' And I then find that they in fact believe that the program installed will do it for ever and a day without them having to do a thing. No one seems to have told them when they got a PC.

OK, one could ask on which planet those users have been, as it is said often enough, even in the “ordinary” media, that one needs all those bits of protection software and needs to keep them updated regularly, ideally on a daily basis. Checking for updates should be done, in my opinion, at least once a day, or even more often, when one is online. Signatures change so quickly that, especially when it is “virus season”, the companies sometimes release more than one update in a day, in the space of a couple of hours. It is, therefore, always good advice to check every time one logs on, if one has not been on for a few hours and has not checked in between times.

Those who use the Internet for work and, say, work from home, should use the opportunity every couple of hours, when they think about stretching their legs and other parts of the body (no, I am not trying to be rude, so put that dirty mind away). Often it is but a little right-click on an icon in the system tray that allows one to check whether updates are available, and the programs will then normally do the work of downloading and installing any available updates all on their own. That gives us time to go and have a coffee (or tea, if you so desire; mine is tea, white, one sugar, thanks).

There are some mail servers, as far as I am aware, that will not allow someone to send emails if their PC transmits attached viruses, even unbeknown to the user. This, in my view, is a good way of protecting the Web. They also return the emails with an attached notification that a virus was detected in the email one tried to send.

I was once, many years ago now, in that position myself when, unbeknown to me, a virus had been sent to me and the system was transmitting it to all the contacts in my address book. In those days I had what I thought to be an updated anti-virus program from a large, well-known company, but alas, although it was updated daily, it had failed. That was in the days before I used a software firewall, which would have prevented the transmission of the outgoing virus. I also changed the anti-virus software afterwards to the FREE version of AVG and have been using AVG ever since without any problems, and while other people I know and work with, who were using software from two of the biggest anti-virus software companies, had viruses get through, AVG caught the same virus each and every time.

There are other very good systems available for FREE, aside from AVG, such as Panda, Avast and others, so no personal user has any excuse not to have his or her PC secured against viruses, Trojans, malware, adware and the rest.

Remember, folks: if your PC is unprotected, not only do you risk your own PC and the data on it, you also enable malicious hackers to use your PC as a transmitter, often entirely unbeknown to you, of spam, viruses and other malware. If and when the law hits out against someone, and if and when they manage to trace the whereabouts of the computer from which a virus or such was sent, it could be you who ends up on the wrong side of the law, without actually having done anything yourself.

Aside from that, any unsecured PC is a potential menace to other Internet users. Secure your PC.

© M Smith (Veshengro), April 2008

Solcara’s simultaneous retrieval technology at Olswang

Leading UK law firm Olswang has deployed Solcara SolSearch to provide a comprehensive legal search tool to serve the information management needs of its 600 staff. SolSearch creates a speedy one-stop search for all internal and Internet-based content, simultaneously accessing free-to-air and subscription-based Internet search sources.

Amanda Mckenzie, Information Services Manager at Olswang said:

“At Olswang we have utilised SolSearch to search across our internal and external legal databases at the same time. This was a much needed tool. It saves time as users no longer need to know where to look for information as they have one point of contact, which can then lead them to the individual databases. Search in itself is not the answer to all of one's information needs but it is a cog in a wheel and this is an extremely effective cog in the wheel.”

Rob Martin, Solcara’s Managing Director added,

“SolSearch is fast becoming the search solution of choice for UK & Irish law firms. Solcara has been serving the needs of information management professionals for nearly 10 years. As Olswang discovered, SolSearch provides a simple, effective solution that supports the information management process quickly and efficiently, whilst complementing the usefulness of existing information management systems.”

Credant & Symantec's Altiris Products Come together

CREDANT Integrates Its Industry-Leading Endpoint Data Encryption Solution with Symantec’s Altiris Endpoint Management Platform

Industry-first integration of endpoint data encryption with popular endpoint management platform helps global enterprises prevent data breaches

London, April 14, 2008: CREDANT Technologies, the market leader in endpoint data encryption solutions, today announced the integration of its CREDANT Mobile Guardian solution with Symantec’s Altiris endpoint management platform. For the first time, IT administrators can use the Altiris management console to encrypt, audit and protect the data residing on enterprise endpoints. The integration of CREDANT encryption with Symantec endpoint management solutions allows IT administrators to deploy and manage data protection and encryption enterprise-wide, to establish and change encryption policies, and to generate end user reports directly from the Altiris management console.

This partnership between CREDANT and Symantec and the integration of CREDANT encryption with the Altiris management console addresses the growing business imperative to protect sensitive data residing on PCs, laptops, removable media and smartphones. Additionally, it further simplifies the control of critical data by providing management and security within a single environment. CREDANT engineered its endpoint data security solution to “protect what matters” while ensuring that the security does not interfere with operational processes and is totally transparent to the end user.

The integration will also enable companies to quickly locate unprotected corporate notebook computers and automate the deployment and provisioning of encryption through a single management console. This helps protect vulnerable endpoints, safely encrypts lost or stolen data, and secures enterprise desktop computers, laptops, smartphones, and removable media, from emerging threats, both external and internal.

“The need for enterprises to more easily secure corporate and customer data is front and center for companies today, and new regulations demand wide scale and auditable compliance,” said Bob Heard, CEO of CREDANT Technologies. “Now that CREDANT Mobile Guardian is integrated with Symantec’s Altiris endpoint management platform, customers can easily manage endpoint encryption without deploying yet another management console,” he added. “This solution fits the needs of large, dispersed enterprises, whose IT administrators can rely on Altiris technology to help automate the deployment of data protection to thousands of desktops and notebook computers without changing patch management, application deployment, or any other element of their endpoint management process.”

CREDANT leveraged the Altiris Developer Program and the open Altiris architecture to develop this integration. Symantec’s Altiris solutions offer IT lifecycle automation solutions designed to help IT organizations manage, secure and support IT assets while promoting confidence in IT service delivery. Symantec solutions help reduce enterprise costs of owning, operating, securing and supporting technology by automating management tasks.

About CREDANT Technologies

CREDANT Technologies is the market leader in endpoint data protection solutions that are critical components of an endpoint protection platform. CREDANT’s data security solutions mitigate risk, preserve customer brand and reduce the cost of compliance, enabling business to “protect what matters.” CREDANT Mobile Guardian is the only centrally managed endpoint data protection solution providing strong authentication, intelligent encryption, usage controls, and key management that guarantees data recovery. By aligning security to the type of user, device and location, CREDANT ensures the audit and enforcement of security policies across all computing endpoints. Strategic partners and customers include leaders in finance, government, healthcare, manufacturing, retail, technology, and services. CREDANT was recognized by INC magazine as the #1 fastest growing security software company and #15 overall in 2007; was selected by Red Herring as one of the top 100 privately held companies and top 100 Innovators for 2004; and was named Ernst & Young Entrepreneur Of The Year 2005. Austin Ventures, Menlo Ventures, Crescendo Ventures, Intel Capital, and Cisco Systems are investors in CREDANT Technologies. For more information, visit www.credant.com.

A matter of personal security

Gary Clark, VP EMEA of SafeNet, discusses how the Government is fuelling the UK’s rate of ID fraud, and what needs to change

In the last year, the Government and public sector bodies have lost 37 million items of sensitive data. In most cases this wasn’t due to a skilled computer hacking operation but rather to basic public sector mistakes, including unencrypted discs lost by couriers, theft of laptops from parked cars and the accidental upload of very private personal details to public websites.

HMRC quickly established itself as a serial offender. In the space of a few months it lost the details of 15,000 Standard Life customers, a laptop containing sensitive information on thousands of taxpayers and, infamously, 25 million unencrypted citizens’ benefit records.

But, while HMRC is particularly prolific in the data loss stakes, it is not unique. Organisations such as the NHS, DVLA and Ministry of Defence have also admitted to losing sensitive data of employees, citizens and army personnel.

Not surprisingly, the public’s faith in the Government’s ability to secure personal data has fallen to an all time low. This is particularly worrying, as a person’s identity has never been so valuable to a criminal. Last year there were 77,500 reported cases of identity fraud in Britain. That is 68,500 more than were reported in 1999. Meanwhile, the cost of the problem exceeds £1.5 billion annually. Considering the rate of errors in the UK public sector, both these figures are likely to be higher for 2008.

While the Government’s ID card initiative is designed to combat ID fraud, I do worry it will create more problems. After all, the Government’s track record in the last year raises serious concerns about its ability to secure the National Identity Register. Can we be 100 per cent assured that personal data held will be safer than, for example, the NHS patients’ data which were held on a laptop?

Quite simply, to ensure the National Identity Register does more good than harm, the data protection culture requires an overhaul, and quickly. The public sector needs to start taking the responsibility of protecting data seriously. In my view, organisations, public and private, that deal recklessly with the personal details they are trusted to hold must be held accountable by law.

Recent recommendations from the Justice Committee, which call for criminal charges to be brought for reckless data loss, are on the right track, but do not go nearly far enough. There must be significant steps taken to prevent the loss from happening in the first place.

Organisations should be penalised not only for losing the information they hold on citizens, but for failing to have necessary safeguards in the first place. These include identifying process weaknesses, adopting robust security standards and encrypting all sensitive data. Quite simply, charges must be brought against those organisations which aren’t meeting required standards.

Perhaps the UK public sector should look to the United States for direction. The Government there has already taken steps in this direction: it has mandated encryption of all sensitive data about its population held on discs, laptops and workstations. We know that Government departments already encrypt data in the effort to protect intelligence for the purposes of national security, and rightly so. However, at a time when the level of ID fraud is rising, the same level of security and caution must be applied to ensure the personal security of citizens, patients and employees.

Half-hearted pledges will not regain public confidence, and we need to see meaningful legislation, which puts data protection at the heart of the Government. Otherwise we will continue to make it easy for criminals, and leave the entire UK population vulnerable.

<><><>

Now in its 13th year and held on the 22nd – 24th April 2008, Olympia, London, Infosecurity Europe remains Europe’s number one, dedicated Information Security event. For further information visit www.infosec.co.uk

Beware when throwing away Promo CDs

UMG says throwing away "promo" CDs is illegal

by Michael Smith (Veshengro)

In a brief filed in federal court recently, Universal Music Group (UMG) states that, when it comes to the millions of promotional CDs ("promo CDs") it has sent out to music reviewers, radio stations, DJs and other music industry insiders, throwing them away is "an unauthorized distribution" that violates copyright law. Yes, you read that right: if you have ever received a promo CD from UMG and you do not still have it, then UMG thinks you are a pirate, that you have committed an act of “unauthorized distribution” of its music.

UMG seems to argue that the “first sale doctrine” does not apply to promo CDs on which it has slapped the label “promotional use only”, and that any subsequent sale, even of a copy that was, say, found, infringes copyright law. The Supreme Court first recognized the first sale doctrine when a book publisher tried the same thing with a label stating "may not be sold for less than one dollar", and we have seen patent owners try the same trick, unsuccessfully as far as we know, on printer cartridges.

UMG apparently thinks that simply slapping the "promotional use only" label onto a CD somehow gives it "eternal ownership" over the CD. While this might make sense to a goblin living in Harry Potter's world, it is not the law under the Copyright Act.

According to the first sale doctrine, once a copyright owner has parted with ownership of a CD, book, or DVD, whether by sale, gift, or other disposition, they may not control further dispositions of that particular copy (including throwing it away). It's thanks to the first sale doctrine that libraries can lend books, video rental stores can rent DVDs, and you can give a CD to a friend for their birthday. It's also the reason you can throw away any CD that you own.

I mean, erm, excuse me for a moment. It was sent to me, to review, I no longer wanted it and threw it in the trash but by doing so I break the law? Someone somewhere is having problems in the upper ranges of his or her body, methinks.

However, although this may be the law as regards the “first sale doctrine”, no doubt this is not going to be the last time that someone, some huge company, tries this trick, especially on someone smaller than themselves.

I personally have seen the stamps in review copies of books that stated “review copy only – not for resale”, and in some cases it was claimed that the mere acceptance of the book for review was agreement to this policy, and that any gifting, and especially sale, of such a book would be a felony under copyright law, etc.

I must say that, in general, I very rarely part with books, CDs, etc. that have come my way for review, but I am damned if I allow any such statement to have any influence over what I do with a book or product that was given to me for review on the understanding that it becomes the reviewer's property (we do not review items on loan). It is then up to me what I do with the book or product afterwards. Ownership has passed to me from the previous owner, whether publisher, manufacturer or vendor, and this whether or not a review is forthcoming.

So, folks, don't let yourselves be browbeaten by the big boys. If need be, get good legal advice; there are enough precedents set to fight such lawsuits.

© Tatchipen Media, April 2008

UNESCO promotes use of free software in Latin America and the Caribbean

Montevideo, Uruguay, April 8, 2008

UNESCO Office in Montevideo, Uruguay, in cooperation with the network of Free/Libre and Open Source Software (FLOSS) in Latin America and the Caribbean, published the Guía práctica sobre software libre: su selección y aplicación local en América Latina y el Caribe (Guidelines on free software: how to choose it and apply it locally in Latin America and the Caribbean).

Authored by Fernando da Rosa and Federico Heinz, the book has its genesis in the regional FLOSS conference LACFREE 2005 organized in Recife, Brazil, where the need for such publication was discussed.

This easy to read and practical guide promotes FLOSS contribution to sustainable development. It gives practical advice on the selection of adequate FLOSS solutions with the requested functionality and addresses the issue of migration from proprietary software to FLOSS. To facilitate the exchange of experience, the book offers a list of organizations and country related contacts. It also gives an overview of the thematic and regional landscape of the FLOSS community through the hints on annual FLOSS conferences in Latin America and the Caribbean.

According to Richard Stallman, founder of Free Software Foundation and the GNU Project, who wrote an introduction article for the book, the society "needs information that is truly available to its citizens - for example, programmes that people can read, fix, adapt, and improve, not just operate". FLOSS offers today a broad spectrum of programmes covering various areas: audio, video and design; networks and connectivity; office applications; file management; operating systems; mail and web server management, etc. FLOSS applications contribute therefore to digital opportunities in education and public administration, and support social inclusion of people with special needs.

The Guidelines were presented and distributed at several regional FLOSS events and are available online, in Spanish, on many local websites.

Search success at Matheson Ormsby Prentice


Having completed an initial trial, leading Irish law firm Matheson Ormsby Prentice has appointed Solcara to provide an integrated search solution across its business. The company is deploying Solcara SolSearch to simultaneously search internal and online legal content.

SolSearch introduces effective targeted searching, reducing the time to find information and improving productivity across the firm. The SolSearch integrated search solution is a favourite in Ireland, used by four of the top five legal firms.

John Furlong, Director of Legal Resources at Matheson Ormsby Prentice, is spearheading the firm’s use of SolSearch. Furlong chose SolSearch to improve the efficiency of searching in two ways: by allowing one composite search across different databases and by directing users to relevant databases.

Furlong said of Solcara’s Managing Director, Rob Martin that he, “promised and has delivered an impressive hands-on approach to the deployment of Solcara SolSearch.”

Rob Martin said: “Matheson Ormsby Prentice had a great attitude towards the new technology and enthusiastically engaged with the search solution. We look forward to working with them.”

Open Source Software can save you lots of money

by Michael Smith (Veshengro)

The truth and applicability of this statement obviously depend on what you do with your PC(s) and the Internet. If you run a business, especially a web-based business, then, I am sure, using Open Source software and applications can save you lots of money, and this can run well into thousands of dollars per annum. We are talking here about money that you would otherwise have to pay out on licences for proprietary software and applications, something you do not have to do with Open Source software (and applications).

Using Open Source software rather than proprietary software will enable you to keep your overheads as low as possible. It will also keep you legal, in the sense of not using a copy of someone else's software that a friend burned onto CD for you, or the “cracked” software that some people distribute.

Let us start with the PC. What makes a (new) PC so expensive? It is not the hardware, that's for sure. The true cost behind every PC is the software that comes pre-installed. So, OK, I don't want that pre-installed Microsoft operating system and the rest. Well, with the exception of building your own and/or buying a PC that comes with Linux, such as the PCs now available from DELL with Linux pre-installed (unless you want to go Apple Mac, and then there is not much open source about), you have no option but to buy a PC with Windows installed. But, you say, I don't want Windows. Well, folks, that's how Bill Gates makes his money: by forcing you, through the PC manufacturers, to buy his operating system.

Is there another option aside from building your own PC or having someone build one for you, the latter being an expensive option? You bet there is. It is called “buying second-hand”. The machine I am using, on which I am running Ubuntu Linux “Dapper Drake” (yes, that is an oldish version of Ubuntu but, thanks muchly, it works), is a Compaq Evo desktop that was a couple of years old when I bought it for the equivalent of around US$100 from a vendor who sells nothing but ex-government and ex-industry PCs. While it came with a version of Windows, in this case Windows 2000, installed, I put Ubuntu on it and, well, everything that comes with Ubuntu works.

Aside from Ubuntu, folks, there are masses of other distros of the Linux operating system about, one of which will surely fill your needs (I think all of them would, but...) and, in particular, be what you are looking for in looks and behaviour.

Every Linux user has his or her favourite or favourites, and therefore I am not the one who is going to stand here and say “use this or use that”. The systems are free; most of the time you will have to download the installation CDs or the live CDs, but in some cases the developers/distributors, as in the case of Canonical for Ubuntu Linux, are actually prepared to send you a couple of CDs free of charge. I ordered a CD and got, I believe, five. And you are always permitted to make as many copies as you wish to distribute yourself, as long, I believe, as this is done free or at cost. This means that, unlike with Windows, you can have as many PCs running the same, or different, versions of Linux operating system(s) as you wish, and you can also install it on Aunt Hilda's and Uncle Tom's, on cousin James's, and on the PCs of the twins. Oh, and did I forget Grandma Carol? Sorry, I could not resist this example. I know none of the folks I have mentioned here, so don't ask after their health or how their PCs work. I cannot help there.

For most users, even small businesses, Linux distros come with everything on board that you might need, such as an office suite, an email client and Outlook equivalent, photo manipulation software, an IM client, etc. Well, at least the Ubuntu systems do.

For writing, publishing, database, finances, and other such office tasks there is Open Office, the free office suite that is a complete replacement for Microsoft Office. This software is also available for the Windows environment, should you just wish to use Open Source software on a Windows PC rather than change over the operating system too.

For web browsing there is Mozilla Firefox, the equivalent of Microsoft's Internet Explorer, though much safer and more secure than IE will ever be.

The built-in email client in Ubuntu “Dapper Drake” is Evolution Mail, but Mozilla Thunderbird, Firefox's email client sibling, can be installed on Ubuntu as well.

As the Firefox browser works with Yahoo Mail, there should be nothing stopping you from having, for instance, a Yahoo webmail account or a Gmail account with Google.

I run a small web publishing business (obvious, I know) with, at the time of writing this article, 28 online magazines on a variety of subjects on Blogger (Blogspot), and those too can be managed nicely with Firefox. The only problem I have is with some of the older websites that I still operate for the Romani organizations that I run; those still require the use of a Windows PC (so I cannot, as yet, ditch Microsoft altogether), as the website management software needs Internet Explorer in order to work. Maybe, by the time MS withdraws support from XP Pro, those sites will have upgraded their systems to work with Firefox and other browsers. Alternatively, all those sites will just have to be migrated to other providers.

When I last looked at the online repositories of Ubuntu Linux programs available for download, many of which are business programs of one kind or another, there were tens of thousands of free titles there for the asking and installing.

For manipulating photos, Ubuntu, for instance, comes with the GIMP, which is, basically, a Photoshop replacement, though instead of costing you around US$1,000 it comes free. Let me say only that it can do things I never thought I could or would.

Included in the package is also the equivalent of Adobe Acrobat, in that a PDF export is built into the Open Office software that allows documents to be converted to PDFs with the click of a button. I have found, though, that those files can be rather sizeable in bytes, and that using PDF maker, another piece of open source software, as a virtual printer to “print” the PDF document, though a little more tedious in that it requires a few more clicks, produces an output file that is smaller in kilobytes/megabytes. This can be important if the file is to be sent by email to someone on, maybe, a dial-up connection rather than broadband. We all know that as soon as someone is somewhat outside the main urban areas in the USA broadband just does not exist and one is lucky to get 56Kb dial-up. So, the smaller the file, the more the recipient will appreciate it.

How are those savings I talk of possible? They are possible because of all the good people out there who believe that open source should exist and that software should be free. What surprises me is that many companies, especially small businesses and home businesses, still live in ignorance of these wonderful tools and would rather pay through the nose for software that is no better tailored to their individual needs than free open source software would be.

Without the use of free open source software and the free providers of web space – thank you Blogger – and email – thank you Yahoo (as long as “Uncle” Bill doesn't buy you) – I could not do what I do and provide news and information services to the Romani-Gypsy community specifically and the general public at large.

© M Smith (Veshengro), April 2008

THREE QUARTERS OF ORGANISATIONS THINK APPLICATIONS CAN BE EXPLOITED BY CRIMINALS

London, UK 9th April 2008 - A survey by Infosecurity Europe of 757 organisations has found that 75% think their applications contain security holes that can be exploited by criminals. Further, interviews conducted by Infosecurity Europe with a panel of 20 Chief Security Officers (CSOs) of large enterprises on the topic revealed that they are very concerned about the security of application code. They were especially concerned about the work carried out by developers working on mission critical web applications outsourced to third parties. Many of them said that they would welcome an initiative to raise awareness of security amongst the developer community and change their behaviour to make secure software applications a priority.

According to Professor Howard A. Schmidt, Director, Fortify Software and former Cyber Security Adviser to the White House, "this figure of three quarters of organisations having security holes based on application vulnerabilities, while dramatic, is unfortunately not that surprising. When organisations develop applications, quality is one of the highest priorities but security vulnerabilities are seldom recognized or fixed. Priority is often given to delivering application features and business benefits without the understanding of fundamental coding errors that lead to security issues. Cybercriminals are targeting applications to steal money and information, and they know all too well how to exploit vulnerabilities not only in commercial software but are also very adept in finding security holes in applications that are developed "in house". Business leaders need to set in place business software assurance processes including development practices designed to ensure that their applications are secure to protect the data of citizens, customers and shareholders from the new wave of threats from cybercriminals."

At Infosecurity Europe 2008 the subject of cybercrime and application security will be covered in a number of keynotes and seminars. In the interactive theatre, Fortify Software will present their new documentary, “The New Face of Cybercrime”. Visitors can be among the first to watch this groundbreaking feature. Directed by Academy Award®-nominated filmmaker Frederic Golding, it highlights the impact cybercrime has on consumers and businesses, and is tipped to win awards at independent film festivals this year. The film will be followed by an interactive panel debate led by Professor Schmidt, who also sits on Fortify Software’s Board of Directors.

The main focus of the film is to emphasise that the criminal, as well as the crime, has evolved. Where hackers were once young nerds who did it for fun or experimentation, e-crime is now the domain of organised gangs, often from Eastern Europe or China, who simply want to make money. Gone is any desire to embarrass website owners or just cause mindless e-vandalism. It's no longer an ego boost or a method of earning bragging rights. It's just about the cash. Their main targets are ecommerce web sites and the customer databases behind them: databases that hold credit card numbers, expiry dates, PINs, addresses and everything else that's needed to empty a victim's bank account. In many cases the data isn't used directly by the hackers but is sold on to other gangs.

“Today's cybercriminals are highly sophisticated”, says Richard Kirk, VP EMEA for Fortify. “Their technical expertise is extremely good, as is their knowledge of the systems they're trying to break into. They know the thresholds at which an online ordering system will seek additional verification of a customer's identity, and take care to stay below it when placing fake orders. They also have at their disposal the resources of large organised crime gangs who are fully aware that the world's police forces are woefully under-resourced for tracking down internet fraudsters. In the panel debate we will discuss the solutions to the problem of cyber-crime and application security.”

Claire Sellick, Event Director, Infosecurity Europe said, “The internet is here to stay, as is internet crime. With the relentless move online by all sorts of business and government agencies, e-crime will continue to evolve. As more coffee shops and libraries offer free, anonymous WiFi access, tracking down cybercriminals will get harder. So as hackers evolve, so must your efforts to defeat them.”

Infosecurity Europe is the number one event dedicated to information security. With over 300 exhibitors, the event is the most comprehensive showcase for the most diverse range of new and innovative products and services from the world's top information security experts and vendors. The event enables security professionals and business managers to establish a commercial justification for information security, refine their security policies and select the most appropriate solutions to support their security strategy in order to safeguard their company's reputation and assets. Over 11,000 visitors are expected to attend this year's event, with many travelling from overseas to participate in the FREE education programme that addresses both strategic and technical issues. It draws on the skills and experience of senior end users, technical experts and real world case studies. Infosecurity Europe 2008 takes place at the Grand Hall, Olympia, London from 22nd to 24th April 2008.

To register to attend or for more information please visit www.infosec.co.uk

Free Open Source Software could help Third World development, experts say.

In many developing countries, whether in Africa or elsewhere in the countries formerly referred to as the “Third World”, few people have access to computers and the Internet. Experts concur that this is hindering development and preventing students from being able to compete for jobs.

At a conference in Dakar, software experts, government officials and students came together to look at how open-source software, which is free for anyone to use, could make technology available to more people.

Experts say that open source software is good for Africa and other areas of the developing world not only because it is free, but also because it allows users to make changes to the source code, which in itself is a lesson in technology. The code and the programs can then be adapted and modified to local requirements.

Derek Keats, a professor at the University of the Western Cape in South Africa, says that free, open software is having the greatest impact on ordinary people, non-governmental organizations (NGOs), and small, medium and micro enterprises, which he calls SMMEs.

"I think the real key to the success of free and open source software is to imagine all of the smaller scale activities that are happening within Africa: the SMMEs [small, medium and micro enterprises] that are deploying free and open source software, the Internet service providers that are making abundant use of free and open-source software in creating opportunities for connectivity, the NGOs that are enabled through free and open-source software," he explained.

Keats says being able to see the software's source code, or computer language code, and being able to rewrite or make changes gives users a sense of ownership. He says explaining to people how open-source software works and how it can help them is one of the biggest challenges.

"By having access to the source code it gives them power they would not otherwise have," he added. "And that power, when you do not have access to the source code, is taken away from you. How do we make people understand that free and open source software is as much about democracy as it is about technology?"

Government officials at the conference said they hope free, open-source software will allow them to use computers in more of their work to increase efficiency and in the long run save money. Students said they hope learning to write computer source code will give them an advantage in job markets where there are few opportunities for employment.

Hassan N'diaye is a university student who attended the conference. He says he believes open-source software could be helpful for students like himself. But, he says, that when he watches European students walking around with personal laptop computers, he realizes that software is not enough. He still cannot afford the price of a computer or an Internet connection, but, he says, at least it is a start.

But why should only the developing world and the NGOs there make use of open source software in such a way? It could happen everywhere, in my opinion, and everyone who can should be doing it. Then again, why shouldn't everyone? Start by getting an older PC cheap, nearly free or even free, install one of the Linux operating systems on its hard drive and play with it. Even on Microsoft Windows we can all use this or that open source program, such as, for instance, Open Office, which beats MS Office hands down in many things, not least in price: while MS Office sets you back hundreds of US dollars, Open Office is free to download.

Michael Smith (Veshengro) © April 2008

Finjan Identifies the Latest Cybercrime Business Model – Crimeware-as-a-Service

In its Q1 2008 Web Security Trends Report, Finjan signals Crimeware-as-a-Service as the latest development in the ongoing commercialization of cybercrime

Farnborough, United Kingdom, 7th April 2008

Finjan Inc., a leader in secure web gateway products, today announced important findings by its Malicious Code Research Center (MCRC) identifying and analyzing the latest trends in the ongoing commercialization of cybercrime.

Criminals have started to use online cybercrime services instead of having to deal themselves with the technical challenges of running their own Crimeware server, installing Crimeware toolkits or compromising legitimate websites.

“Currently, we see the rise of the Crimeware-as-a-Service (CaaS) business model in the Crimeware-toolkit market. Cybercriminals and criminal organizations are getting better and better at protecting themselves from law enforcement by using the Crimeware services, especially since the operator does not necessarily conduct the criminal activities related to the data that is being compromised but only provides the infrastructure for it,” said Yuval Ben-Itzhak, CTO of Finjan.

As with mainstream software providers, the creators and owners of these Crimeware toolkits give their customer base update mechanisms, equip them with sophisticated anti-forensic attack techniques, and let them manage and monitor malicious code affiliation networks. This creates a new level of Crimeware availability by supplying an easy-to-use Crimeware toolkit to anyone willing to pay for it.

During 2007, Finjan’s MCRC covered the trend of new Crimeware that purely focuses on financial gain, as well as the way it works to get revenue out of each infection. In this report, MCRC shows how the delivery and distribution of malware have been upgraded to deliver a different type of malware to different geographical regions.

“Cybercriminals can now generate more targeted infections and deliver specialized Crimeware for specific geographical regions,” Ben-Itzhak said. “Our report illustrates how these criminals are employing marketing and sales techniques to address the cybercrime economy and ensure that the market they are after gets the proper “product” localized for it.”

Finjan foresees the next phase in the commercialization process as a service that goes straight to the stolen data, supplying victim data tailored to the criminal's intent. Such a service eliminates the need for attackers even to log in and manage an attacker profile on a Crimeware-toolkit platform.

Concludes Ben-Itzhak: “The trends described in this report confirm that the security industry and law enforcement agencies should take an innovative approach in handling these Crimeware commercialization threats. Cybercriminals continue to adapt legitimate technologies and business models to support their criminal activities.”

Outsource your code & you're more likely to be hacked

More than 60% of companies overlook mandating security when outsourcing

London (UK); 7 April 2008 – According to a new report released by the European information technology analysis group Quocirca, all of the organisations that admitted to being frequently hacked outsource at least some of their code development, and 90 percent of them outsource more than 40 percent of it. With this in mind the hacker's future looks rosy, as outsourcing of applications is on the up: 78 percent of organisations that say software development is business critical for them choose to outsource their vital applications. But security is being left out in the cold, with companies failing to build security in when they outsource the development of their critical applications, according to the report, which was released today by Quocirca and supported by Fortify Software.

The survey has found that over 60% of companies that outsource the coding of their critical applications do not mandate that security must be built into the applications. In fact, the study has uncovered the chilling statistic that 20 percent of UK companies do not even consider security when building their applications—thus potentially leaving a great big stable door open to the hacking community. Yet outsourcing is very much on the up.

The report, which was carried out amongst 250 C-level executives and IT directors, mainly from corporations of 1,000 or more employees in the UK, US and Germany, reveals that outsourcing of code development is widespread and growing in importance. Of the organisations stating that software code development is business critical or important to them, 50 percent outsource more than 40 percent of their code development needs.

Statistics already show that the software application layer is where most hackers are accessing critical data. According to NIST (National Institute of Standards and Technology), 92 percent of vulnerabilities affecting computer networks are contained in software applications. As organisations increasingly look to outsource application development, more components of software applications are being developed outside of their direct control.

An organisation that has not developed the code itself can never be absolutely certain that it is secure. However strong the relationship with a third-party developer, or however watertight the service-level agreements in place, a rogue developer can place vulnerabilities in the code they develop, for example a backdoor in software that can be used to infiltrate a network in the future. This is something TD Ameritrade found out to its cost when it was forced to disclose in 2007 that personal details of 6.3 million customers had been leaked through a vulnerability caused by a backdoor created by an outsourced programmer.

Howard Schmidt, member of Fortify Software's Board of Directors and previously Cyber Security Advisor for the White House, said: “These survey results help explain the recent, sudden rise in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code.”

In the report, financial services companies are identified as the most likely to outsource their code development needs and therefore could be putting themselves at serious risk, with 72 percent reporting that they outsource more than 40 percent. Disturbingly, 84 percent of these organisations report that code development is business critical or important.

Public sector organisations are also big outsourcers, with 55 percent outsourcing over 40 percent of their code development, while 64 percent state that code development is only of moderate importance to them.

At the other end of the scale are utility companies, the industry most likely to cite software development as business critical or important, at 90%, yet just 7 percent outsource more than 8 percent of their code development.

Fran Howarth, Principal Analyst at Quocirca and author of the report said: “The findings of this report indicate that not enough is being done by organisations to build security into the applications on which their businesses rely. Not only that, but they are entrusting large parts of their application development needs to third parties. This creates an even greater onus for organisations to thoroughly test all code generated for applications—without which they could be playing into the hands of hackers.”

The fact that software applications contain flaws that can be exploited by hackers is nothing new. That organisations are increasingly reliant on bespoke applications to maintain a competitive edge, and are outsourcing a significant proportion of the coding for these applications to third parties, is an alarming trend. That said, German organisations are better at building in security than both their UK and US counterparts. As electronic crime continues to increase, organisations are under pressure to be seen to be more proactive about IT security. This is not only something that makes common sense but also is increasingly a requirement being placed on organisations across a wide range of industries by governments and industry regulators.

Fortify, which advocates Business Software Assurance, a holistic approach to protecting corporate digital assets at the most fundamental level, recommends that a company outsourcing the development of critical applications should follow these guidelines:
  • Work with the outsourced vendor to fully understand what processes and procedures are in place to assure software security.
  • Review contract language and procurement procedures so that outsourcers assume liability for software vulnerabilities.
  • Make sure outsourcers are applying testing and assurance technologies to all code developed offsite.
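The backdoor case above and the third guideline (testing and assurance technologies on code developed offsite) are the kind of thing a static check over delivered source is meant to catch. The Python below is an added illustration, not Fortify's or Quocirca's tooling and not taken from the report: it walks the syntax tree of a constructed login routine and flags any credential-named variable compared against a string literal, which is the signature of a hard-coded "maintenance" password. The two snippets, the identifier list and the function names are assumptions made for this example.

```python
"""Toy static check for a classic outsourced-code backdoor: a credential
compared against a hard-coded string literal.

Added illustration, not Fortify's or Quocirca's tooling. Both source
snippets below are constructed for the example.
"""
import ast

# Identifiers whose comparison against a literal is suspicious (assumed list).
CREDENTIAL_NAMES = {"password", "passwd", "pwd", "secret", "token", "username", "user"}

# Constructed sample: a contractor-delivered login routine with a hidden
# "support" shortcut that bypasses the real credential check.
BACKDOORED_SRC = '''
def login(username, password, db):
    # support shortcut left in by the contractor
    if username == "maint" and password == "letmein2008":
        return True
    return db.check(username, password)
'''

# Constructed sample: the same routine without the shortcut.
CLEAN_SRC = '''
def login(username, password, db):
    return db.check(username, password)
'''


def _is_credential_name(node):
    """True for a bare variable whose name looks like a credential."""
    return isinstance(node, ast.Name) and node.id.lower() in CREDENTIAL_NAMES


def _is_str_literal(node):
    """True for a string constant such as "letmein2008"."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hardcoded_credential_checks(source):
    """Return (line, identifier, literal) for every `cred == "literal"`
    or `"literal" == cred` (also !=) comparison found in the source.

    An empty list means no hard-coded credential comparison was seen; it
    does not prove the code is clean (a real SAST tool covers far more).
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare) or len(node.ops) != 1:
            continue
        if not isinstance(node.ops[0], (ast.Eq, ast.NotEq)):
            continue
        left, right = node.left, node.comparators[0]
        # Check both operand orders so `"maint" == username` is caught too.
        for name, lit in ((left, right), (right, left)):
            if _is_credential_name(name) and _is_str_literal(lit):
                findings.append((node.lineno, name.id, lit.value))
    return findings


if __name__ == "__main__":
    for label, src in (("backdoored", BACKDOORED_SRC), ("clean", CLEAN_SRC)):
        hits = find_hardcoded_credential_checks(src)
        print(f"{label}: {len(hits)} finding(s)")
        for line, ident, literal in hits:
            print(f"  line {line}: {ident} compared against literal {literal!r}")
```

Run against the backdoored snippet the check reports both halves of the hidden condition (`username == "maint"` and `password == "letmein2008"`) on the same line, and nothing for the clean version. The point of running something like this on every delivery from an outsourcer is not the heuristic itself but that the check is yours and runs on the code as received, independently of whatever the vendor says its own process does.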

Other key findings in this study are:
  • Exposure to Web 2.0 technologies—among the least understood, but considered to be among the most insecure technologies—is high, but many manage their use through policies alone
  • Organisations are exposing their applications to new security threats through the use of Service Oriented Architectures (SOA)
  • Data protection is the key driver behind application security for the vast majority
  • Using automated tools for building security into the software development lifecycle translates to lower overall spend on IT security

The information in the report is based on a survey of 250 IT directors, senior IT managers and C-level executives in Germany, the UK and the US. It was completed in December 2007 and January 2008. Those surveyed included organisations from 1,000 employees up to large multinationals within a wide range of industrial sectors.

Report can be downloaded here: www.fortify.com/quocirca

Fortify is offering security professionals the opportunity to benchmark their security practices against industry averages. This survey is available at:
http://www.nkv5.com/fortifysoftware/survey/2008_01_survey.php


Juice Jack – Product Review

The Juice Jack is a rather versatile charger for cell phones, PDAs, etc. that is great to have around the home, with you on vacation, in a bar or pub or at the place of work because it is:

Rather universal in that it has jacks for the most popular make of phones, PDAs, MP3s & satellite navigation systems such as TomTom PLUS standard USB & mini USB jacks

It can charge up to three devices at once, so you need fewer plug sockets

It is portable as it has a built in Lithium power source, which means that you can unplug it, take it with you and charge devices anywhere

It is low cost and there are no hidden extras to the price because it comes with 9 jacks including open standard USB

In addition to that it is freestyle which means that you can make it look how you want by print, sticker or insert.

PRODUCT SPECIFICATION
Output: 5.0 Vdc to 5.8 Vdc, 1000 mA max
Power: via mains (adapter supplied), continuous; or via internal lithium battery, up to 2 hours of charging
Jacks: Nokia (both standard and mini pin); Apple; Sony Ericsson; LG; Samsung; plus standard, micro and mini USB for general compatibility, including Blackberry, Palm, Motorola and TomTom
Media space: print / sticker, 88 mm diameter disc; insert, business card

<><><>

How it all started

Nigel's phone was always running out of juice – usually when he was out and about in the city. Can happen to anybody at any time, I know. I have been there and done it though I was unable to get the T-shirt.

One lunchtime, sitting in a pub, it struck him that it would be nice if he could charge his phone whilst he was having a drink. After all, he was recharging his own batteries, so why couldn't he recharge his phone's as well? And so, over that quiet pint, he invented the Juice Jack.

He then got help: Rod, Julie and Gary with design, Chris with branding, James with words, Simon with numbers, Andrew with photos, Malcolm with advice, Tony with technical stuff, Bob with funding, George with production, Jay and Simon with logistics, (another) Gary with sales, and Fiona with everything.
And so the Juice Jack business was born.

Review

This little (well, not that little, but then it ain't big either) gadget works rather well once you know how to turn it on (see note below), and charging phones is then as simple as plugging them into the proper jack.

The Juice Jack will not, when running on its internal battery, charge phones that still have more than 25% or so of battery power left; all you get then is the message “Not Charging” on your phone. That does not mean anything is wrong with the Juice Jack or the phone. With a lithium battery inside the unit it cannot “push” power into a phone that still has a high charge, and therefore it will not charge it. This is, however, a “problem” only, so I am assured, with cell phones of the Nokia range and not with any others; the Juice Jack will charge Blackberry, Samsung, LG, Motorola, Sony, etc. with no problem, whether or not the battery still has considerable charge in it.

Once your phone really needs juice the unit works well. Aside from the solar-powered travel chargers, which work on the same principle of an internal battery that is charged up and then charges your cell phone when you need it, this is one of the best things for phone charging I have seen, and from what I have seen so far I can highly recommend the Juice Jack to anyone.

A Little Note: should you, for any reason, end up receiving the Juice Jack without user instructions, as I did at the show, remember that the unit must be turned on with the yellow button on the side, pressed with the tip of a ballpoint pen (or a pin), before it will charge anything from its internal battery. Without that it will not work, as I found out; in fact it will still charge your phones, but only while the unit is connected to the mains, not from its internal battery. A blue light must show once it is removed from the mains; if not, the unit has not been turned on.

Review © Michael Smith (Veshengro), April 2008

Mac and Vista hacked, Ubuntu Stands

by Michael Smith (Veshengro)

In March 2008 the MacBook Air was hacked through the Safari browser at the CanSecWest security conference, and before the week ended Microsoft's Vista Ultimate also fell to hackers in the Pwn2Own challenge.

CanSecWest organizers offered a Fujitsu U810 laptop running Vista Ultimate SP1 to any security researcher who could find a way to breach security and gain access to the contents of system files using a previously undisclosed zero-day attack.

At the end of the last day of the three-day hacker challenge, which was sponsored by 3Com's TippingPoint, only the Sony VAIO laptop running Ubuntu (Linux) was left standing.

Shifting Rules

The first day of the contest, hackers were only allowed to hack into the computers over a network. No one was able to claim the prizes. On the second day, the rules changed. Contestants were allowed to use the machines to visit Web sites and open e-mail messages.

That rule change made it possible for a researcher at Independent Security Evaluators to hack the MacBook Air using the Safari browser within two minutes.

But the Vista and Ubuntu laptops seemingly remained airtight. On the third day of the contest, the judges again broadened the rules, opening up the scope beyond just default installed applications on those laptops to any popular third-party application, such as Adobe's Acrobat Reader, the Firefox browser, and voice-over-IP program Skype.

One of the contestants installed Adobe Flash on the laptops and proceeded to compromise the Vista system, with help from a Security Objectives colleague and an independent researcher.

Means Justifies the End

Client-side vulnerabilities like the ones exploited in the hacking contest are an increasingly popular attack vector. It is comparatively easy to protect a single server guarded by a well-designed set of controls, but it is a nightmare to secure thousands of client-side applications under the control of end users who are not security savvy.

© April 2008