MXI Security to Work with Financial Institutions to Battle Phishing and Identity Theft

First completely portable anti-phishing tool based on the Stealth MXP will help banks restore trust with customers by securing online financial transactions from threats

London, United Kingdom, October 2008 – At RSA Europe, held at the end of October 2008 at the ExCel in London, MXI Security™, the leader in superior managed portable security solutions, announced it is collaborating with financial institutions worldwide to arm its customers with a completely portable anti-phishing tool to combat the threat posed by spear-phishing and man-in-the-middle online security attacks. Targeted attacks to steal personal and business data and financial information are increasing exponentially. According to CIFAS, the UK's fraud prevention service, identity theft was up almost 20 percent in 2006 and 77,500 cases were recorded in 2007. The Home Office estimates that identity fraud, which is the UK’s fastest growing crime, costs the UK economy £1.7 billion a year.

To restore customers’ trust in the institutions with which they do business, MXI Security will work with financial institutions to provide an anti-phishing solution based on the Stealth MXP product family of portable security devices, which are trusted by governments worldwide. The Stealth MXP anti-phishing device secures business-to-consumer and business-to-business financial online transactions by going beyond the strong AES 256-bit hardware-based encryption and strong biometric and password authentication to provide private keys and support for IdenTrust digital certificates along with a secure portable Internet browser and token interface in a trusted FIPS 140-2 Level 2 validated hardware device and USB flash drive.

“Business and technology have advanced to the point that, for the first time, the personal portable security device can achieve its full capability to provide consumers and businesses alike the security demanded by governments and financial institutions to protect digital identities, sensitive data, information and applications,” said Lawrence Reusing, CEO of MXI Security. “Adding digital signature capability to a completely portable and secure storage device, like the Stealth MXP, benefits anyone wanting to protect online transactions.” The Stealth MXP has been certified to be part of the IdenTrust global identity network, which means its IdenTrust compliant signing interfaces can create legally binding digital signatures across all identity-enabled applications and accepted in 172 countries.

MXI Security Stealth MXP portable security device allows zero reliance on a personal computer-based footprint. Consumers and businesses can have a completely portable and secure experience that can be used with virtually any system connected to the Internet.

In addition, the Stealth MXP has biometric authentication capabilities to unlock secure access to applications and digital credentials to support multiple purposes – whether it’s authenticating onto e-banking, digitally signing a payment authorization, and securing a personal email communication to a financial advisor, among other possibilities. Re-authentication can be enforced when a transaction is performed, ensuring that the person performing the transaction is authorized to carry it out.

“People have trust in financial institutions – however, the threat comes from criminals that use the Internet to steal their passwords, account information and their money,” said Reusing. “With this device, the Stealth MXP will not only protect identities, it will prevent fraudulent transactions by cyber criminals.”

Source: MXI Security
<>

MXI Security MXP Portable Security USB Devices Certified by IdenTrust

Stealth MXP portable security devices and ACCESS Identity software secure IdenTrust credentials to enable innovative identity solutions for trusted online banking

Montreal, Canada, and Santa Ana, California, October 20, 2008MXI Security™, the leader in superior managed portable security solutions, today announced a global partnership with IdenTrust, the only bank-centric global interoperable identity network, to provide a compelling, easy-to-use identity solution for financial institutions.

The collaboration delivers a completely portable, three-factor authentication solution, for fighting identity theft, securing online transactions, and increasing customers’ trust in the institutions with which they do business. MXI Security’s leading edge zero footprint and driverless Stealth MXP portable security devices and ACCESS Identity software are certified to operate in an IdenTrust compliant manner. The joint solution goes beyond strong authentication and offers defense against man-in-the-middle attacks, by securing private keys and IdenTrust digital certificates in trusted hardware with biometric and password authentication, along with a portable Internet browser and hardened token interface. Zero reliance on a workstation footprint provides an incredibly easy user experience for mobility. IdenTrust compliant signing interfaces create legally binding digital signatures across all identity-enabled applications. Users can also get secure portable storage with AES 256-bit hardware based encryption in the Stealth MXP devices. ACCESS Identity software further allows organizations to leverage the Stealth MXP devices for advanced portable identity capabilities.

“We are pleased to be working with IdenTrust a leader in providing financial institutions with innovative identity authentication solutions,” said Lawrence Reusing, CEO of MXI Security. “Together we will deliver to the financial services industry the most advanced portable security devices that will provide banking customers the highest assurance that their IdenTrust identities, financial information, and online banking experience are secure and protected.”

“By partnering with MXI Security, IdenTrust can offer greater portability and usability of high assurance IdenTrust identities to uniquely address the increasing security threats financial institutions face in their eBanking channels,” said Christy Serrato, Director of Business Development at IdenTrust.

MXI Security is a leading provider of portable security devices to the governments and corporations worldwide, and the company and its technology has received numerous awards including, the Stealth MXP winning Network Products Guide The 2008 Outstanding Award in World’s Best Security Products Category and Government Computer News Best of FOSE 2007, and MXI Security was name to Bank Technology News top 10 FutureNow List for 2008. A premier provider of authentication solutions to global financial institutions and the United States government, IdenTrust has won numerous awards and received global recognition from Ernst and Young, Bank Technology News and Financial-i.

Source: MXI Security
<>

SkyRecon Extends Lightweight Endpoint Protection Solution with Anti-virus Protection

StormShield Security Suite version 5.1 to further reduce operating costs for businesses that want single-policy protection for their business systems and sensitive data

SkyRecon® Systems
, the premier provider of integrated, proactive endpoint security solutions, today announced that it has launched StormShield Anti-Virus Protection (AVP) – an integrated anti-virus and anti-spyware protection available as part of its unified endpoint protection platform, StormShield® Security Suite.

The addition of the AVP security service, part of the StormShield Security Suite, provides an unprecedented level of protection for banking, financial, government, retail, and other institutions looking for 360° protection from attack, loss, theft, and misuse of their business laptops, desktops, servers, applications, and information. The new endpoint security service complements the StormShield Host IPS and Desktop Firewall services to provide an additional layer of attack prevention and remediation coupled with additional information to help isolate attempted breaches and outbreaks.

Licensed from Panda Security, the customized signature-based anti-virus and anti-spyware engine provides some of the most efficient detection and repair capabilities available in the market, where, according to AV-Test.org, PandaLabs is currently the fastest laboratory in the industry in providing complete updates to its users. Panda Security’s engine is a natural fit for StormShield as the innovative and unique security model developed by Panda automatically analyzes and classifies thousands of new malware samples every day, allowing StormShield to protect against far more threats than the products of any other company.

“At Panda we have several teams that specialize in specific types of malware and who work 24/7 to provide global coverage,” said Josu Franco, Corporate Customer Unit Manager, Panda Security. “With the support of TruPrevent® Technologies, thousands of new threats are neutralized and sent daily to PandaLabs for in-depth automated analysis and classification as either malware or goodware,” Mr. Franco continued. “We are very excited to see our innovative capabilities reach additional organizations around the world as is it delivered in SkyRecon’s StormShield Security Suite,” Mr. Franco concluded.

Available now, StormShield version 5.1 introduces the following new features:

  • StormShield Anti-Virus Protection (AVP): Lightweight endpoint security solution with integrated anti-virus/anti-spyware protection for fixed drives, removable drives, and email
  • Support for Windows Vista SP1 and Windows Network Access Protection (NAP)
  • Numerous functionality additions within the already-powerful and dynamic policy enforcement function; anti-virus/anti-spyware policy, event-derived rules, temporary policy actions
  • The Flexible Data Encryption (FDE) service supports multiple Smart Card technologies along with improved key management
  • Added ability to control the Windows clipboard, print-screen, and drag-n-drop functions
“SkyRecon is pleased to offer organizations an attractive alternative to the extremely bloated endpoint security products that have been built from market consolidation – and not necessarily customer need,” said Philippe Honigman, President and COO of SkyRecon Systems. “Integrated endpoint solutions are top-of-mind for many businesses around the world, and our StormShield solution provides an innovative option for organizations looking for a way to remove the maintenance renewal chains that have been clamped on by the traditional AV vendors.”

SkyRecon’s partnership with Panda Security, along with its own ongoing and recent vulnerability research, enable the innovative endpoint security vendor to be proactive in responding to customer needs and adds to its strategic technological and business relationships with other industry leaders such as Microsoft, Juniper, VMware, and SanDisk.

StormShield Security Suite offers integrated system protection, data protection, and access control in a multi-layered, light-weight single endpoint security suite, providing: anti-virus/anti-spyware, device control, data encryption, application control, host-based intrusion prevention (HIPS), system firewall, wireless security, and network access control (NAC).
About SkyRecon Systems Inc.

Founded in 2003, SkyRecon Systems is a leading global provider of endpoint protection platforms. With its award-winning single-policy endpoint security solutions and ongoing and recent vulnerability research, organizations are able to ensure protection and enforce policy for the endpoint systems, applications, data and users upon which their business relies. The company is a contributing member of the SecureIT Alliance, has received the prestigious Red Herring 100 Award, and has been named "Entrepreneurial Security Company of the Year” by Frost & Sullivan. StormShield has also received 4 stars in the SC Magazine Endpoint Security Group Test, has been nominated as a finalist for the SC Awards magazine in the US Best Mobile Device Security Solution category and the 2008 TechWorld.com Awards in the Endpoint Security Product of the Year category, and was also recently selected as a top 10 vendor for the 2008 Computer Reseller News list of Emerging Tech Vendors You Need to Know.

More information about SkyRecon can be obtained by visiting www.skyrecon.com

Source: Open2Europe
<>

Wipro and Fortify Software Form Partnership to Assure the Security of Client Software Worldwide

Wipro’s new Software Assurance Center (SAC) is the industry’s first software assurance center of excellence for on-demand and managed services

London, October 27, 2008Wipro Technologies, the global IT services business of Wipro Limited and Fortify Software Inc., the market leader in enterprise application security solutions for Business Software Assurance, announced today the launch of the industry’s first joint center to assess and assure the security of client applications. The new Wipro Software Assurance Center (SAC) uses industry-leading Fortify 360 technology and will operate from Wipro’s India and regional facilities in the US and EMEA, delivering software assurance capabilities to thousands of global clients via managed (SaaS) or on-demand models.

“A changing vulnerability and threat landscape, as well as continuing compliance-related requirements, are driving an expansion of vulnerability management programs into the application space,” states Vinod Muniyappa, Practice Head, Application Security.

“Traditionally, organizations have focused their vulnerability management efforts on desktops, servers and network devices, reacting to critical vulnerabilities through patch management programs. But this changing landscape is requiring companies to expand their vulnerability management activities to include large-enterprise applications, databases, externally facing Web applications and internally developed applications. Wipro’s Software Assurance Center (SAC) allows organizations to proactively detect and mitigate the risk from various threat sources, applying Fortify’s industry-leading technology.”

According to NIST (National Institute for Standards & Technology), 92% of network security vulnerabilities are found in software applications. At the same time, enterprise outsourcing of application development is becoming increasingly widespread - a survey by research firm Quocirca this April found that 90 percent of companies surveyed outsource almost half of their code development. Recent, highly publicized data breaches at companies such as TS Ameritrade and Hannaford Brothers also illustrate the need to ensure the security of any software application that might contain exploitable vulnerabilities.

“Enterprises need a cost-effective, scalable way to assess the business risk posed by insecure applications and remediate those vulnerabilities, whether those applications are developed within their organization, or by an outsourcing relationship with a trusted provider,” said John M. Jack, CEO, Fortify Software. “Wipro has the resources, skills and customer base to complement Fortify’s market-leading technology and deliver a service to meet those needs.”

The Wipro SAC offers clients a service that provides visibility into the risks posed by vulnerable software and assesses applications using world-class Fortify technology and skilled personnel to provide a measure of the application’s security health – the Software Assurance Score™. The Wipro SAC can also validate an application’s compliance to key regulations such as PCI, GLBA and HIPAA.

“Application development and IT security have been outsourced for years, and now organizations are also beginning to outsource for application security,” notes Diana Kelley, principal analyst, SecurityCurve. “With application attacks on the rise, software security is something every organization must address.”

“Fortify is the clear leader of the application security testing market, providing the most comprehensive assessment and remediation technology available,” added Vinod Muniyappa. “This partnership is strategic for both of companies, allowing Wipro to offer the industry’s first joint center for software assurance to our clients, and providing Fortify with a solution for software development serving the world’s largest enterprises.”

“Wipro’s Enterprise Security Solutions is a global leader in providing IT services and technologies to help large organizations address a broad range of information security issues,” added Jack. “This partnership marks a major milestone for Fortify as we continue to build out our framework for Business Software Assurance and help companies address enterprise risk at the application level.”

To read more about this partnership or to read the whitepaper on the Wipro Security Assurance Centre please visit www.fortify.com/landing/assetsreg/wipro.jsp

Wipro Technologies, a division of Wipro Limited is the first PCMM Level 5 and SEI CMM Level 5 certified global IT services organization. Wipro is one of the largest product engineering and support service providers worldwide. The company provides comprehensive research and development services, IT solutions and services, including systems integration, information systems outsourcing, package implementation, software application development, and maintenance services to corporations globally.

Fortify®'s Business Software Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite - Fortify 360 - drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com.

Source Eskenzi PR
<>

Can the British government be trusted with people's data?

The short answer to this question is a certain resounding NO!!!

by Michael Smith

More and more data losses come to light on an almost daily basis as to agencies and contractors of the British government and most of those losses could have been prevented or at least mitigated in one way or the other.

The great majority of all losses include memory sticks, removable hard drives and laptops where none of the data appears to have been encrypted. This is negligence bordering on the criminal.

In other instances there was data that was encrypted decrypted and then, unprotected, stored on a cheap USB memory stick which was, subsequently, lost. That is criminal.

The fact is that there is no need to have any data without encryption and security, especially nowadays.

USB sticks with automatic 256 AES hardware encryption are are multiplying as regards to makers and types and there becoming cheaper as well. So there is no excuse – and many should not be an excuse at all – to handle data, sensitive, personal data, entrusted to the government in such a slipshod manner.

One GB sticks with full 256 AES hardware encryption can be had for around the £30 mark and the personal details and data of its citizens, even if the British are in truth but subjects, should be worth at least that much to the government. The truth is, though, that they appear to be not. They rather stick the stuff on a £5 stick that has no encryption and can be opened by any Tom, Dick or Harry when lost.

While the government will prosecute people, like small membership organizations, rather quickly should someone there send the details of their members to another officer of the organization unencrypted and get them lost, for instance, when it comes to their own shortcomings there is one law and one set of rules for them and a completely different, stringent, one for everyone else.

The British government is pressing on hell-bent with the idea of this and that database for this and that information about the people, Aside from the voluntary ID card that by now is being talked of as a compulsory one, and the database for that one, the latest is one with the details of the emails, phone calls and sites visited of every person in the United Kingdom. We can just imagine how safe all that data is with them.

Safe? What is that? The pass people's personal details about on CDs, memory sticks, removable hard drives and laptops like some people pass out candy at a party. About most of those things that get lost in the post, by people mislaying them or laptops from the MoD and such getting stolen (or just mislaid), not being encrypted, there seems to be a culture of total disregard for security prevailing in the circles of the British government.

In no other developed country there appear to be even half as many security and data breaches as there are in the United Kingdom but still it is all being treated with a lackadaisical attitude that beggars belief.

Each and every time there is such a breach one or the other minister or such comes out and makes silly statements and then promises that it will not happen again and – well, guess what? The next day or so the same happens again and sometimes in the very same service.

There is no reason, absolutely none, for not using encrypted devices and cryptology per se on drives and what-have-you. Neither programs, such as PGP or similar, not the devices with automatic 256 AES hardware encryption cost the earth.

Private industry and even non-governmental organizations and charities even take better care of data than does the government, and while nothing is ever 100% secure, whether hardware encryption, public keys and such, they at least offer some protection.

Network security and such is, obviously, an entire different story and to be honest, I would not even like to put those to the test either.

© M Smith (Veshengro), October 2008
<>

Freedom in the Cloud?

Is there freedom in the Cloud and who owns your data???

by Michal Smith

Richard Stallman, founder of the Free Software Foundation and outspoken critic of anything proprietary, recently slammed ‘cloud computing’ as “stupidity” and a “marketing hype campaign”.

It makes sense the Stallman is against cloud computing - by its very nature it requires you to be running software on someone else’s machine, which you have no control over. Such an idea is repugnant to Stallman and other free software purists, as it does not guarantee you as a user any freedom.

The problem is, though, that cloud computing looks set to be the next big thing. There are probably a number of advantages to moving your data and applications off your local machine and accessing them from any device, rather than them being stuck to a single physical device and this is especially useful for the so-called “road warrior” but...

And that is where the but comes in, in my opinion. The but is about access and about who owns your data.

While cloud computing does not necessarily have to be incompatible with the concept of free software and open source the problem is, as far as I am concerned, and many others, the subject of who owns the data and the access to the data.

When reading the small print in the EULAs of so many of the services then the great majority, and especially here the free services and those that are most popular, take it upon themselves to claim that as soon as you put stuff up onto their servers in the cloud you have given them copyright to the material you are storing there.

Richard Stallman's issue with “in the cloud” is, I assume, that most of the services are not free software/open source software but someone's proprietary software used on someone else's server. This is not, predominately my concern, and also not that of most people that I have spoken with. My concern and theirs is simply the fact that (1) they may not be able to access the data for one reason or the other and (2) that most of the service providers take upon themselves, through the EULAs the right to your data and mine if it is stored on their servers.

Some people, even in the free and open source field, think that Stallman’s stance on this issue is untenable and reckon that cloud computing is likely to continue to be an important market
and they also reckon that free and open software must corner that market to some large degree. What most forget, probably, is that open source software will already be running on many of those servers for cloud computing for many of them will, more than likely, be Apache servers. If free software does not evolve to have a presence in that market, it could seriously suffer, some reckon.

The issue that really needs to be addressed, in my opinion, is not whether those applications run proprietary software or free and open source, for to me as a user that is hardly relevant. What needs to be addressed is whether my data is my data and remains that exclusively until such a time that I expressly give someone the written authority for each and every individual article or picture, or whatever, a user right, and also as to whether I will be able to get at my data at any time, day or night, as and when I need it.

Another important factor needed is that there is going to be an open exchange of data between applications, whether Google or who- or whatever.

Open data exchange is another important issue in empowering users to have the freedom to switch between solutions, rather than being locked in as soon as they have put data into a system. It should be noted that in some cases this is already possible - Google Calendar iCalendar exports, for example, and many ‘cloud’ webmail services offering POP or IMAP access to get your messages out.

The largest concern here is and remains the fact someone else is holding your data, and that, in the great majority of instances, they elect that they have shared copyright with you over your data. This means that they could data mine your data for information about you, the user; that they could lock you out of it for a ransom, if they would want to do so, or a third party could hack that site and do that; that they could simply go down for no reason for any length of time thereby, even if unintentional, deny you access to your data for however long (this happened to me with Yahoo services, e.g. My Web 2.0 bookmarks); they could ‘lose’ your data; and many other things. I do use Gmail, together with Yahoo Mail, for email and I also use Yahoo's My Web 2.0 for bookmarks in the cloud, and also Google Calendar, and iScrybe, but will think very hard before handing all of my data over to one of these services.

I also must say that whatever the case, I cannot, actually see the reason for using “in the cloud” for anything else but webmail, for sharing of documents and photos with friends, family and co-workers, for online cooperation of some documents and such, as well as for keeping bookmarks backed up in that way. Actual proper storage of data, whether documents or photos, online to me does not compute.

But then that is my personal opinion in the same way as Richard Stallman has his opinion against “cloud computing”.

However, storage media, including external hard drives are today that cheap that to me storing online does not make any sense at all.

As a solution to the possibility of those services getting access to the data it has been suggested by someone that one could encrypt the data and it was said that that would ensure that whoever gets that data can’t really have access to it. While that may be so to some degree it would also mean that each and every time that the user, namely you and I, would like to access our data stored there in the cloud to, for instance, do some work “on the move” from somewhere around the world, we would have to have the means to decrypt the data with us. Not always feasible if you are using a computer other than your own that holds the appropriate encryption/decryption software and keys.

Encryption is not the solution as the data would still reside on someone else's computers and servers and your access to the data would be dependant on their systems being rumnning properly at all times. Often it is just at the mission critical times that you cannot then lay your hands on the particular document or other piece of data simply because it is held on someone's machine the service of which just has gone wobbly for an hour or so or, if unlucky, a day or more even.

Working on corporate machines from remote, so-called satellite, locations already sometimes shows that problem in that the server may be inaccessible for this or that reason and I have experienced it to be so for more than a day at times.

Give me an external hard drive any day rather than something somewhere that I have no control over, regardless, and sorry of I upset some of the open source fraternity, whether that service runs free and open source software or not. To me, though I am an advocate of free and open source software, it does not mater what the system runs. And because I cannot be certain how well it is running and whether or not someone might like to make use of something I have written and claim that I have given them the right to use the material I insist that my material and my data resides with me as far as possible. If need be I go and salvage a number of hard drive from “obsolete” PCs and create my own server station at home.

While new technology certainly should be used to make our lives easier, and having some material “in the cloud” for when we are on the move maybe fine but I think that one best stick with application such as webmail, calendars, and such, and has the rest of the material on other media. Even USB drives with 16GB are now available and they no longer cost the earth, and while I would strongly suggest to keep that data backed up elsewhere, they are grat for on the move.

© M Smith (Veshengro), October 2008
<>

Infosecurityadviser.com highlights need for central e-crime body

London, UK, October 2008: Research carried out by Infosecurity Europe has shown that 95 per cent of people would prefer to report online fraud directly to a dedicated e-crime agency, rather than having to go through APACS and/or the financial services firm with whom the fraud took place.

The research by the Infosecurity Europe show - which took in online responses from 359 visitors to the site - follows on from a debate in the House of Lords on e-crime and IT security issues.

In that debate, their Lordships noted it was anomalous for UK banks not being obliged - in law - to refund account holders who have been electronically defrauded.

Lord Broers, the Chairman of the House of Lords Committee on Science and Technology, said that the current situation is that account holders are only being refunded under a voluntary code, noting that that in today's environment, this is scarcely appropriate.

In addition, Lord Broers said, whilst customers currently report their e-frauds to the banks, it is not in the banks' interests to draw attention to the fact that their anti-fraud systems have failed.

Against this backdrop, their Lordships concluded there is a need for specific legislation - similar to the Bills of Exchange Act 1882 - which specified that if a bank honoured a forged cheque, the bank, not the customer upon whose account the cheque had been drawn, was liable.

Commenting on the results of the security debate and the Infosecurityadviser.com research, the Earl of Erroll, a cross-bench member of the House of Lords, said that he was not surprised that 95 per cent of people would like to be able to report online fraud directly to a dedicated body.

"I think that people instinctively realise that you cannot expect people or organisations to report their own shortcomings reliably," he said, adding that the industry must always have independent bodies looking after our interests.

"I am delighted that money is finally being put into out into the new National Fraud Reporting Centre and is actually going to be given some teeth in the form of the new Police Central e-crime Unit," he added.

Lord Erroll's comments were echoed by Mike Barwise, Editor of Infosecurityadviser.com, the online forum for the information security industry who noted Lord Broers' description ( "extraordinarily complacent" ) of the government's response to the August 2007 report on personal Internet security by the House Science and Technology Committee.

The House of Lords debate, he said, was fascinating, as it illustrated the degree of confidence that consumer must have in a system for it to flourish.

"Lord Sutherland of Houndwood's comments that Internet trading and purchase... depend on confidence and trust in the processes employed by the banks and in the priority that they give to personal Internet security, highlights this fact," he said.

"As events in the financial world in recent weeks have shown, without an underlying level of confidence in a given market, that market will collapse spectacularly. The danger with e-trading security is that, if confidence fails, the e-trading market will similarly slump," he added.

For more on Mike Barwise's comments: http://www.infosecurityadviser.com/view_message?id=74

Source: Eskenzipr.com
<>

ProDefence Launches 1.5TB Removable Disk Backup Media

50% Increase in Removable Media Capacity Moves ProDefence to the Head of the Pack

London—October 16, 2008ProDefence, a UK distributor of eSecurity products and services across the UK and Ireland, announced today that they will be launching at Storage Expo a 1.5TB removable SATA disk for use with their line of removable disk backup systems as part of Idealstor’s product suite – a leading manufacturer of removable disk-to-disk backup solutions. This announcement increases their lead in removable disk media capacity which they claim further strengthens the argument for using removable disk media in place of tape for backup and disaster recovery.

ProDefence who distribute Idealstor’s products in the UK and Ireland, produce removable disk backup systems that are designed to replace or augment tape backup. The Idealstor backup systems are available for organizations of all sizes with systems available with 1 removable drive bay up to 8 with removable disk capacities up to 12TB per system. Unlike most disk to disk backup systems on the market today that are designed for storing data, Idealstor uses a combination of hardware and software to make the disks removable so they can be used for offsite storage of data and disaster recovery. Idealstor removable media is unique in that they utilize non-proprietary 3.5” SATA2 drives as backup media. These drives are available as a kit from ProDefence that includes a ruggedized removable disk caddy and a protective carrying case.

“This announcement is especially important for their SMB range of products”, says Ross Holmes, Sales Manager of Prodefence the UK based distributor of Idealstor products. “Our partners have been selling Idealstor backup systems for a few years now and have had a number of wins with their Teralyte product which targets the SMB. Most used to sell LTO-3 drives for these customers because of the capacity LTO offered. They have since switched to selling the Idealstor Teralyte because it not only offers much faster transfer rates and more reliable backups, their native capacity is nearly 4 times that of LTO-3 and twice that of LTO-4. Now with 1.5TB drives available this product is even more compelling as our partners can offer up to 1.5TB of removable media for much less than a branded LTO Drive”.

“We are very excited to announce that we have successfully tested and certified the 1.5TB SATA2 drives for use with our removable disk backup systems,” said Ben Ginster, channel marketing manager at Idealstor. “This increase in capacity offers a major benefit to our existing and potential clients. Without having to upgrade their backup system, our capacities just increased 50%. This means that existing clients can simply purchase larger disks as their data increases rather than having to upgrade the entire drive and backup media like one would have to do with tape.”

ProDefence is a UK distributor of eSecurity products and services throughout the UK and Ireland. ProDefence offers the highest level of account management and technical support within the security channel. www.prodefence.co.uk

Idealstor manufactures removable/ejectable disk backup systems that are designed to augment or completely replace tape as backup and offsite storage media. The Idealstor Backup Appliance has been on the market for over 5 years offering a fast, reliable and portable alternative to tape based backup systems. Each Idealstor system uses industry standard SATA disk as the target for backup data and as offsite media. Systems range from 1 removable drive up to 8 and can be used by a range of businesses from SMB to corporate data centers.

Source: StoragePR
<>

Backup Attack Defeats Disk Encryption Software

Attack on Backups of Disk Encryption Image Files potentially reveals plaintext information

Global IP Telecommunications, a leading manufacturer of Voice-over-IP (VoIP) software telephones, PMC Ciphers, a leading specialist for ultimate ciphers, and CyProtect AG, a leading internet security specialist, have announced today that they’ve published research describing a new ciphertext-only attack on backups of encrypted image files.

In the paper, "Visualisation of potential weakness of existing cipher engine implementations in commercial on-the-fly disk encryption software”, the companies revealed that disk-based encryption schemes can in part be circumvented to reveal protected data. The attack was named “Backup Attack” by the author.

In order to mount the attack successfully, an encrypted volume image file is duplicated and both files are subsequently used independently to store information. Subtracting data bits with identical bit positions in the two files from each other yields zero for blocks or sectors that contain identical bit patterns in both files. This proves undeniably use of encrypted image files, how much data is stored in the encrypted image file and plaintext can even be revealed under certain circumstances without any knowledge of the key. As formatting commonly implies initialisation with all zero bits, blocks or sectors with all zeros can easily be identified in more recent copies. The new attack applies to ECB Mode (Electronic Codebook), Counter Mode (CM), Galois/Counter Mode (GCM), LRW, XEX, XTS, as well as CBC-based modes of disk encryption applications.

Most disk encryption softwares take advantage of disk keys. Changing passwords does thus not require re-encrypting an entire image file and security does not suffer at all due to the fact that password encryption is performed using a one-time-pad.

The companies further disclose software-assisted creation of image file backups by a disk encryption software as very effective countermeasure to render the novel attack unsuccessful.

This countermeasure is already built into the new version of the disk encryption software “TurboCrypt”. Existing users of earlier “TurboCrypt” or “Global Safe Disk” versions are advised to migrate to the new “TurboCrypt” as soon as possible. A beta version of the new software is already available online for Windows XP, Vista 32 and Vista 64 operating systems by following each of the URLs below:

http://downloads.turbocrypt.com/turbocrypt_beta/
or
http://www.cyprotect.com/encryption/

The paper, "Visualisation of potential weakness of existing cipher engine implementations in commercial on-the-fly disk encryption software” is accessible through the following URL:

http://www.turbocrypt.com/eng/content/TurboCrypt/Backup-Attack.html


Global IP Telecommunications has become well known since 2004 as Prefered Development Partner of Counterpath Solutions Inc. (formerly Xten). Global IP Telecommunications is now a leading manufacturer of softphone applications for Voice-over-IP. GlobalIPTel products are being sold worldwide through leading PC-, USB- and headset manufacturers, internet service providers, telcos as well as international sales partners (www.globaliptel.com).

PMC Ciphers is a marketing company for the Polymorphic Cipher invented by co-founder C.B. Roellgen in 1999. The company develops and markets ultra-secure ciphers based on the unique technology of the Polymorphic Cipher. All ciphers of the company are created in Germany (www.pmc-ciphers.com).

CyProtect AG was founded in the year 2000 and is focused on security, respective internet security. We are protecting data and applications against external attacks and are offering encryption for sensitive information saved on storage systems and during network and transfer connections. Furthermore we secure important data against unauthorized access with powerful hardware and software solutions (www.cyprotect.com).

<>

Fortify Software Releases Voting Guide in Time for US November Elections

New Study ranks manual and electronic voting methods to guide voters and government officials in choosing the most reliable voting option available

London October 15, 2008 - Fortify Software Inc., the market leader in enterprise application security solutions for Business Software Assurance, today released a report on the current state of voting systems in America including a guide to choosing the most secure voting method for the November elections. Furthermore, the study points to the lasting inadequacies of today’s electronic voting software, and calls upon elections officials and voting machine manufacturers to work alongside government officials in establishing better security metrics for the development of e-voting software.

“In November, voters will participate in one of the most critical elections in U.S history, and unfortunately many will still be at risk of inaccurate vote tallying and e-voting software vulnerabilities,” says Brian Chess, Chief Scientist and Co-Founder of Fortify Software. “It is important for voters to understand the voting methods available as they go to the polls in order to make sure their vote is counted. The voting public must also urge government and manufacturers to adequately address the insecurities that remain in these systems and that weaken the integrity of our democratic process.”

Fortify’s report, Voting in America, recommends the following voting methods in order of most desirable to least desirable to voters this November:

1) Hand-Counted Paper
2) Optical Scan
3) Absentee
4) Direct Recording Electronic (DRE)
5) Lever Machine
6) Punch Card

While not all voting methods are available in every state or precinct, Fortify suggests that voters take advantage of the most secure option available to them.

“It is simply dangerous to rely on today’s electronic voting machines to deliver a fair and accurate election,” said Avi Rubin, Ph.D. Professor of Computer Science at John Hopkins University. “The software flaws we uncovered before the 2004 election continue to plague today’s voting systems, and Fortify Software’s study provides voters with a solid assessment of their voting options for this November.”

Additionally, the study notes that the growth of large, urban voting populations continues to add to the complexity of the American voting system, and has made electronic voting systems crucial to achieving an inclusive elections process; however, today’s software-based voting machines remain inherently insecure. The report also concludes that in order to accommodate to the growing voter population, government and voting machine manufacturers must work to ensure that these technologies are developed with both accuracy and security in mind.

“The technology used for voting machines is an innovation which our democracy depends on,” adds Chess. “Elections officials and voting manufacturers need to focus on putting the right processes and technologies in place to make voting safe and reliable.”

Fortify®'s Business Software Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite - Fortify 360 - drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com.

To access a full copy of the report, please visit: http://www.fortify.com/landing/assetsreg/evotingstudy.jsp.

Source: Eskenzi PR
<>

European firms understand Open Source better than those in the USA

by Michael Smith

Larry Augustin recently published an overview as to how, according to his experience, Open Source is being treated in the USA and in Europe on a commercial basis, on his Blog. His summary: The Europeans have understood the principle of Open Source better and are using much more efficiently.

“I have said it already often: Europe and the greatest part of the remaining world are well ahead of the USA as regards to the take up and use of Open Source. This is so, ever since I have been observing the numbers of Linux users, distributed according to countries, since about the End of the 90s”, he said in his conclusion of his comparison study

During the Europe Open Source Think Tank, in which Larry Augustin participated, he was hearing again and again about the differences between companies which in Europe and those that in the USA make their money with Open Source Software. Augustin made those findings into a Blog entry and which he compared the different concepts of the two sides with one another. We are not talking here about a predominately scientific study but one that reflects the views which he has heard all the time from all manner of people during this two-day conference.

While companies and organizations in Europe, for instance, go for an Open-Source license model, because of the fact that way they do not tie themselves down to a particular manufacturer, in the USA the choice for Open Source is made because of the fact that if is free and that through use of the free software the investors can achieve higher profit margins.

Many companies in the USA that write Open Source Software are run with risk capital. They have got there a strong and successful Software industry which produces proprietary software. In the USA they are aiming to create a new generation of software companies, which is not the case in Europe. In Europe it is rather the case of developing an independent European software industry and Open Source creates the right chances and conditions for that.

In Europe, furthermore, people in the know as to what it means to actually be able to use the source code and to be able to participate in the further development of this or that software project. In the USA, on the other hand, people just do not seem to be interested in the source code.

GNU and Penguin

It is very common in the USA to work dual-tracked: a program is brought to market under a free licence, often with limitations in what it does, and an expanded version is marketed under a proprietary licence. In the eyes of the Europeans that is no real Open Source but just a PR trick. In all honesty it has to be said that neither of those companies ever states that it is Open Source; far from it. Still, it is a PR gimmick and it is not just software companies from the USA that do this. Grisoft does the same with AVG, for instance.

Larry closes his entry with the conclusion that the European Community of Open Source is much further ahead than it American counterpart (if there in fact is such a thing). In Europe it has become obvious that the openness of the source code really makes the usefulness of a piece of software. Hence is Open Source much more taken up in Europe than it is in the USA. He hopes though that the USA will gain this high standard of the Open Source Community in Europe as well.

Having said all that, however, and this was, in the main, paraphrased at time, what was quoted by Larry Augustin on his Blog, I must add that it would be nice of the European Union and the Council of Europe and the rest of the EU bodies, such as the parliament, would actually take up Open Source themselves and make the websites of the parliament, for instance, usable to people who use, say, web browsers other than those from Microsoft. Time for a real change, also in Europe, and especially the bodies of the European Union.

© M Smith (Veshengro), September 2008
<>

NORTHERN PARKLIFE JOINS THE HP DEVELOPER AND SOLUTION PARTNER PROGRAM

Tampa, FL - October 15, 2008: NORTHERN, a leading provider of storage resource management software solutions, today announced that it has joined the HP Developer and Solution Partner Program (DSPP). As a member of the HP DSPP, Northern will work closely with HP to offer customers a more efficient way to manage storage systems, minimize administrative overhead, and increase across-the-board productivity.

The software solution Northern Storage Suite brings state-of-the-art storage resource management to even the most demanding, heterogeneous enterprise environments, streamlining content and bringing usage down to manageable levels. Northern Storage Suite provides flexible, granular and scalable enterprise storage management within a non-intrusive, low impact architecture. Features include: award-winning disk quotas and file block capabilities, comprehensive reporting, an end-user portal and out-of-the-box storage chargeback. The suite focuses on increasing manageability and decreasing overall cost of networked storage. Administrators now have a centralized means of identifying and reclaiming wasted capacity, controlling user behavior, making users responsible for the data they store and accurately forecasting storage needs at individual device and enterprise levels.

"Northern Storage Suite enables organizations to meet the challenges of today's heterogeneous storage environments, giving IT administrators an unmatched combination of simplicity, flexibility and control across the enterprise," said Thomas Vernersson, Northern's CEO. "The suite allows customers to maximize their existing storage infrastructure and realize the ensuing efficiencies and cost-savings of active storage management."

In addition to joining the HP DSPP, Northern is also a gold member of the HP Information Management and Software Partner Program. By leveraging the technical, sales and marketing support provided by HP's partner programs such as the DSPP, Northern can offer customers efficient, cost-effective means of managing their storage infrastructure and extracting value from their data.

"ISVs are often looking for ways new ways to help their customers and grow their business," said Kristy Ward, worldwide marketing and business development manager, Developer and Solution Partner Program, HP. "With membership in the HP DSPP, Northern Parklife can tap into our worldwide community to more easily develop and market offerings that work with HP's business technology portfolio."

Northern is an international software company specializing in the development of reliable, flexible and easy to use solutions for storage management. Northern Storage Suite breaks Storage Resource Management down into four goals; to identify and reclaim wasted storage capacity, control user behavior, plan for future storage needs and make the end-users a part of the storage solution. World-wide over 28,000 organizations and more than half of the companies on Fortune Global 100 use Northern software to bring control and order to their storage environments. The company serves a global market through its five bases of operations, United States [Tampa, FL], Sweden [Stockholm], France [Biarritz], United Kingdom [London], and Germany [Munich].

Source: NORTHERN
<>

Tighter Budget, Canny Spending

by Michael Callahan, Vice President Global Marketing

If the headlines are to be believed we are either already gripped by recession or its arrival is imminent, with even the suggestion of a depression skulking on the horizon. One thing that is certain during these dark days is that companies will need to look at ways to reduce overheads, be smart with their diminishing budgets and seek solutions that provide value for money.

Recent months have seen a number of high profile organisations fighting for survival, from redundancies within the financial sector, downtime on production lines in manufacturing, to major retailers slashing costs. All organisations, across all sectors – from small businesses to international conglomerates, are being affected by today’s economic climate. Their continued existence will depend on them reducing their bottom line and tightening their belts effectively.

When a company needs to limit its spending the first area to be examined, and habitually slashed, is its IT budget often with the security element considered non-essential. While many businesses overwhelmingly recognise that security has the power to determine whether they live or die commercially, many remain frustrated by the strain it places on finances and human resources. The reality is that growing regulatory requirements demand enterprises protect data making such a cost saving strategy risky and potentially damaging.

Learn From Others Expensive Mistakes
Many an organisation has fallen foul when, having taken the decision to deploy technology, it has then inadequately scoped the investment, instead restricting it to what it considers the bare minimum and failing to anticipate the implications of its deployments. No matter what type of software or device is chosen, security should be an important consideration to lock down both the device, and the data that’s contained within it to avoid ‘hidden’ expense. Taking a mobile device, as an example, the questions that should be asked are: the types of information it will be able to access and carry; and how easy would it be for the device to be lost or stolen. The answers will have a great impact on security concerns and risks and will dictate the type and amount of security needed for the device. Simple, cost effective solutions, like boot-up passwords, two factor authentication and encryption, can all play a role.

One publicised example of inadequate, or even shortsighted, investment is a Marks & Spencer’s owned laptop that contained a database of its 26,000 employees’ details that was stolen from a third party. Having taking the decision to invest in laptops, it had opted not to take the precaution of sufficiently protecting those with sensitive data stored on them, as in this case. The Information Commissioner’s Office found Marks & Spencer in breach of the Data Protection Act leaving the retailer, not only with its reputation tarnished, but also an enforcement notice to ensure that all laptop hard drives were encrypted – a modest investment in hindsight which would have saved its blushes, not to mention the costs involved in handling the breach.

Cost Saving Strategies
Many leading companies and organisations have already looked to decrease their overheads by reducing their property spend and energy expenses in downsizing to smaller, cost-effective premises. Redundancies are inevitable as workforces are slimmed down, with remote working and hot desking practises feasible alternatives.

As department numbers decrease, the resultant increased workload for those that remain may force diligent employees to take work home with them to avoid falling behind or missing deadlines. Hot-desking could become widespread as companies strive to maximise their use of resources and cut costs by providing limited desks for their workforce, if at all - a drastic option could be to cut the cost of a central office altogether in favour of a ‘virtual’ office. Another solution may be to utilise external resources, such as contracted labour, consultants, and possibly entire departments - IT support, HR and payroll are just a few examples.

Survival At Any Price?
While many companies try to weather the storm, data security must still be paramount. Privacy laws, along with corporate governance and industry-specific regulations, have become prevalent over recent years and ignorance, nor lack of funds, will be deemed as adequate defence. If organisations decide to lower their fortifications to allow flexible working practices, it is important that they do so securely and in a controlled manner. Here are a few ways for companies to examine what they currently have in their arsenal, and those that they really shouldn’t be without:-

  • Mobile computing allows people to use IT without being tied to a single location. Any business with staff that work, or will work, away from the office can benefit from using it. Devices - from laptops and personal organisers to "third generation" (3G) phones - can help to keep in touch and make the most productive use of your time. They can change the way you do business and lead to new ways of working, even new products and services that can be offered to customers, bringing new business opportunities. Increasingly, networking "hot spots" are being provided in offices where multiple employees access the same machine and network. While this increases productivity and can reduce costs, it must be done securely. Data security advice from the Information Commissioner’s Office is to encrypt any personal information held electronically if it will cause damage or distress if it is lost or stolen and only provide data access to approved personnel.
  • With new technologies, it’s not only easier but more secure than it once was to let workers log onto the company network from home. Having fewer people working at the office could save money on energy bills – this could be taken further and shut down the office completely one day per week and have everyone work from home, with further savings realised by shutting down the heating or air conditioning system. However, it is still imperative to secure the data as it leaves the office and travels home on the tube.
  • Replace dedicated WAN links with site-to-site VPN. If your business has multiple physical locations and you have dedicated leased lines connecting them, it might be time to think about ditching the expensive dedicated links and replacing them with site-to-site VPN connections instead. Midsize and large businesses may be able to save thousands on monthly fees by doing this.
  • Software application management (SAM) identifies installed applications, and then monitors their usage (or lack of) to determine compliance with software licenses, adherence to corporate usage and security policies. SAM is often perceived as a compliance exercise, yet the truth is organisations tend to underutilise licenses - typically 10-20% on dead, outdated, or unnecessary application licenses. Reducing underutilised software has security benefits as well. Fewer applications means fewer opportunities for compromises and configuration errors. Also, the process of inventorying and auditing software usage often paves the way for additional control disciplines that cut costs and boost asset productivity.
  • Outsourcing is a sensitive subject, often conjuring images of personnel cuts. Yet the reality is judicious outsourcing can allow you to better utilise existing personnel.
  • Make good use of existing investments, advice PA Consulting should have heeded when an employee decided to circumnavigate existing security procedures, transferring data unencrypted to a memory stick, in breach of the company's contract and its own security policies. The memory stick, containing a Home Office database of 84,000 prisoners, was subsequently lost and, as a result, it has had its three year contract worth £1.5million terminated, with the Home Office further reviewing its other contracts worth £8million a year. Everyone within an organisation must understand their responsibility for keeping sensitive information secure and how to use the available technology, such as encryption software, to do so.
  • Fundamentally, effective security means doing more with less - it is about people, processes and technology. There are plenty of interesting technologies available although they're all useless if they're inappropriately deployed, managed and maintained. Allowing devices to operate in your enterprise without any rules or policies is truly the biggest risk. Complicated policies that regular users can't grasp are futile, instead they should be simple, precise and basic common sense. Often if people understand why they need to do something, then they’ll do it. If all else fails look for something that can be enforced, often unseen, that takes the onus away from them.
  • In difficult economic times it is important to remember that the evidence of past downturns shows that those who make smart use of innovative technology will be the ones who live to fight another day.
BOX OUT : What is Encryption?

Concerned about the damage and liabilities of lost and stolen data, enterprises are turning to encryption as a backstop to prevent corporate and customer information from ending up in the wrong hands. In fact, data security advice from the Information Commissioner’s Office is to encrypt any personal information held electronically if it will cause damage or distress if it is lost or stolen. Data security has evolved beyond simply securing “bits on disks.” To ensure data protection in today’s dynamic IT environment, leading analysts recommend that security protects what matters most: the data.

Organisations need a data-centric, policy-based, centrally managed approach to data protection. One that doesn’t complicate essential IT and user operations. A data-centric encryption solution simultaneously meets security, IT operations and compliance needs. Encryption can take place whether data is on a desktop, laptop, PDA, or USB stick and it's granular, so administrators can set policies to determine which data is protected and against whom. A data-centric solution uniquely protects individual users’ data, without interfering with the other operational processes (upgrades, patches, etc) that need to be done, it protects against the internal threat and provides lower TCO.

www.credant.com

Green IT still a priority despite Credit Crunch

London, 14th October – A survey conducted by Storage Expo of 513 organisations has found that even though IT budgets are getting tighter due to the credit crunch 70% said that Green IT and efficiency is still a priority provided it also saved them money, and 4% declared that it was a priority even if there were no cost savings. One in ten organisations are no longer pursuing Green IT because of budget cutbacks and 4% said Green IT was never a priority. Finally a few respondents (2%) said that they were so worried about their job they could not even think about it.

Natalie Booth, Event Manager for Storage Expo 2008 says, “In today’s uncertain economic environment, and with energy usage and prices increasing at a rapid rate, finding ways to reduce power consumption whilst maintaining the growth of one’s business is high priority. In the Energy Efficiency Zone at Storage Expo, sponsored by IBM, visitors will be able to hear from leading authorities and technical experts on the best way to increase energy efficiency, save money and stay green. The credit crunch has made a number of businesses rethink their IT strategies and budgets. However contrary to what most companies think green IT and beating the credit crunch can go hand in hand if the right strategy is used.”

Talks at the Energy Efficiency Zone include:

  • Energy Efficient Storage Systems by Mick Walker, IBM STG Green Computing Consultant, IBM
  • Green Enterprise Storage Reinvented by Eyal Zimran, Global Director of Marketing and Alliances
  • Archive Green by David Longson, IBM Storage and Data Services
Mick walker, IBM STG Green Computing Consultant says, “With the increasing cost of energy it is making an energy efficient Data Centre an even more compelling proposition, which for storage should be a blend of disk and tape solutions that will optimise both performance and energy consumption.”

With two days of stimulating and thought provoking seminars that reflect the needs of today’s data storage professionals and information management experts, Storage Expo 2008 gives you the chance to improve and update your storage and information management strategies
For more information on all seminar sessions visit Storage Expo the UK’s definitive event for data storage, information and content management, which provides visitors with the opportunity to compare the most comprehensive range of data storage solutions from all leading suppliers whilst addressing today’s key issues.

Now in its 8th year, the show features a comprehensive FREE education programme, and over 100 exhibitors at the Olympia, London from 15-16 October 2008. For more information visit at www.storage-expo.com

Source: StoragePR
<>

How to avoid on-line manipulation: "Nigeria-letters"

EU Agency ENISA launches "Social Engineering"-report with 5 defence advice to counter fraud threat

Heraklion, Crete, October 2008 - The EU Agency ENISA (The European Network and Information Security Agency) launches a white paper on 'Social Engineering', (i.e. on-line manipulation, through social networks, email, also known as 'Nigeria-letters' or 'advance-fee frauds', instant messaging, or Voice Over Internet Protocols (VoIP). The Agency provides 3 case studies portraying how easy users are manipulated, identifies 5 defence measures and issues a check list, 'LIST', for users to counter social engineering. Finally, the Whitepaper includes an exclusive interview with the world famous security author, speaker, and consultant Kevin Mitnick.

What are the risks of on-line manipulation, or "Social Engineering"? Fraudsters frequently manipulate people and exploit human weaknesses through 'social engineering'. That way, people break their normal security procedures. The scale and sophistication of such fraud is increasing, (27.649/month, Jan.'07-Jan '08, according to APWG). Several new ways are used to reach users (e.g. instant messaging, VoIP, and social networking sites apart from emails). Successful social engineering entails:

1. A convincing pretext for contacting the target,
2. Getting the facts right by research,
3. Timing and exploitation of current events, e.g., the Tsunami event, or a Santa Claus mail around Christmas, with a worm included.
4. Exploit human behaviour and psychology.

Three e-mail based case studies portray how easy it is to trick ordinary users:

- Case 1: 179 respondents assessed 20 messages (11 bogus, and 9 legitimate), and only 42% of the users could correctly classify the mails; (32% were classified incorrectly and 26% as 'do not know'.)
- Case 2: Of 152 targeted end-users within an organisation, 23% were tricked into accepting malware infections.
- Case 3: Over 500 undergraduate students followed embedded links, opened attachments, etc. The rate of failure was 38-50%. The good news is that the failure rate was reduced with training.

The Agency identified 5 defence measures against social engineering. However, the key to success lies in improving users' awareness. Users should use a checklist of questions to verify the Legitimacy, Importance of the Information, the Source and Timing (LIST) (for full checklist see p 25-26 of the report.) Mr Mitnick underpins the report with the claim that it is much easier to trick someone into revealing their password, rather than making an elaborate hack. The Executive Director of ENISA, Mr. Andrea Pirotti, comments: "Making staff and users aware of security is of serious concern for Europe. We should all become more aware and 'responsible on-line EU-citizens', in our own interest of being able to benefit of the Internet safely."

The report has been elaborated with the kind support of the ENISA Awareness Raising Community and is available at: http://enisa.europa.eu/doc/pdf/publications/enisa_whitepaper_social_engineering.pdf

<>

Trusted Computing Group Shows Trusted Platform Module Security at RSA Europe

Users to Get Hands-on with Trusted Platform Module, Network Security, Self-Encrypting Drives

PORTLAND, OR.: Attendees at the security RSA Europe Conference held from October 27 to October 29 at the London ExCel Centre, can learn first-hand how to protect their data, network and systems at a seminar hosted by the Trusted Computing Group (TCG).

The session, “Trusted Computing in Action: A Hands-On Day to Secure Data and Systems,” will take place on Monday, October 27th 11:30 a.m. - 5:00 p.m. in the ExCel Centre’s Platinum Room 5/6/7 – Level 2. It is free to attend, but registration is requested at http://www.rsaconference.com/2008/Europe/Agenda/Trusted_Computing_ Group_Seminar.aspx.

Session presenters include RSA alumni Brian Berger, who is a TCG board member and marketing work group chair; frequent RSA speaker and panelist Steve Hanna, TCG Trusted Network Connect work group co-chair and Juniper distinguished engineer; Dave Anderson, director of strategic planning and Liam Rainford, senior engineering manager, Northern Europe, Seagate Technology; and Soenke Sothmann, Infineon.

Brian Berger, also executive vice president, marketing and sales, Wave Systems, will address the topic of passwords in an RSA technology showcase session “Machine Authentication: Stop the Password Madness with the TPM” on Tuesday, October 28, 11:15 a.m. on the exhibitor floor. On Wednesday, October 29, 10:30 a.m., Steve Hanna will address “NAC 2.0: Unifying Network Security” in the Network Security Track.

Throughout the show, RSA attendees can see various applications of the Trusted Platform Module, network security and self-encrypting drives in action on the exhibit floor in TCG Stand 4.

Trusted Computing Group develops specifications, including the Trusted Platform Module, Trusted Network Connect network security and hardware-based encrypted storage, to enable computing security across the enterprise.

Trusted Computing Group, an industry organization that enables computing security, has created a portfolio of specifications to enable more secure computing across the enterprise in PCs, servers, networking gear, applications and other software, hard drives and embedded devices.

More information and the organization’s specifications and work groups are available at the Trusted Computing Group’s website, www.trustedcomputinggroup.org. The group’s blog, at www.trustedcomputinggroup.org/blog, offers commentary from work group chairs and experts in the fields of computing and security.

Source: Trusted Computing Group
<>

Atlanta Technology demonstrates hosted storage services at Storage Expo

Storage Expo, 15th - 16th October 2008, London, Olympia – Stand 130

London, UK, 10 October 2008: Atlanta Technology, hosted technology specialists, is showcasing its range of storage virtualisation services at this year’s Storage Expo. During the show, Atlanta will be explaining how IT Directors, Managing Directors and CTOs can reduce capital expenditure on IT hardware and minimise administration costs whilst optimising storage capacity and performance via a hosted service model.

Atlanta Technology, which is sharing a stand with disaster recovery partner FalconStor, aims to demonstrate the benefits storage and server consolidation can deliver to businesses of all sizes. Atlanta has many years experience designing, installing and supporting converged networks that are able to scale to meet the strategic needs of a business as it grows. During the show, the team will provide case studies of existing client implementations that demonstrate the time, cost and resource savings businesses have received as a result.

Simon Kelson, managing director, Atlanta Technology said: “In today’s current market conditions, directors and managers are looking at identifying cost savings to help protect cash-flow. Hosted IT services, including storage and server virtualisation, is ideal for businesses that require guaranteed service levels and have the ability to scale when needed, yet it does not carry the burden of heavy capital expenditure as it becomes a monthly operational cost. So, not only can businesses reap financial savings, but by opting for hosted services can aim to increase service levels, whilst improving business continuity and disaster recovery plans.”

In 1996, the founders of Atlanta Technology began to build their business vision for managed services. Atlanta is a new breed of customer-focused IT Partner that combines high levels of technical expertise with an in-depth understanding of customer needs. Today Atlanta is a trusted IT partner offering strategic advice and scalable, cost-effective IT solutions to customers in small business and the small to medium enterprise. Atlanta has developed a compelling remote services offer that removes the burden of managing expensive in-house IT resources, allowing customers to focus on core business issues. The key competencies include: Hosted Disaster Recovery Services; Hosted Servers; and self-hosted Server & Storage Virtualisation.

To find out more about Atlanta Technology’s range of services, visit stand 130 at Storage Expo on 15th - 16th October 2008, London, Olympia, or visit www.atlantatechnology.co.uk.

Source: Atlanta Technology
<>

Poor Data Classification can cost companies millions

London, UK 10th October 2008, a recent survey conducted by Storage Expo found that one of the main reasons companies classify data was access control (67%) the second reason was retention control (21%) and the third was retrieval and discovery (12%). Access control may be the key reason to classify data; however Alan Pelz- Sharpe, Principal, CMS Watch believes companies should place more importance on the impact of retrieval and discovery with costs in this area reaching £1,000,000 per Terabyte.

He says “typically 80% of mail data consists of duplication. Yet any search tool has to treat each piece of data equally, thus slowing down the process and pushing discovery costs through the roof.”

He goes on to add, “ We estimate that the cost of 1GB of storage is about 10p, however the cost of legal discovery on 1GB of storage would cost at least £1000, so storing everything may seem cheap on the one hand, but can become very expensive should something go wrong.”

Pelz- Sharpe will be chairing a Keynote session on the subject of ‘Email Management and Archive- How to Spend Wisely’ on the 16th of October at 10:30am at Storage Expo 2008.
Theresa Regali, Principal, CMS Watch, says, “Increasingly, data classification is determined based on intended use of data, rather than simply its subject matter or source. Classification is vital to ensure data doesn’t fall into the wrong hands and security protocols are met and to facilitate enterprise-wide search, retrieval and discovery”.

Theresa Regali will chair a keynote session on ‘Data Classification: Can anyone really do it’ at Storage Expo on the 15th of October at 1pm. This session explores the criteria and policies that should be in place to assure coherent classification with respect to information value as it passes through its lifecycle. Key challenges addressed include managing information lifecycle value, meeting retention, discovery and recovery needs and determining appropriate classification schemes.

Speakers at the session include:

  • Bob Plumridge, Member of the Board of Directors, SNIA Europe.
  • Edward Wood, Director of Information Services, House of Commons Library.
With two days of stimulating and thought provoking seminars that reflect the needs of today’s data storage professionals and information management experts, Storage Expo 2008 gives you the chance to improve and update your storage and information management strategies.

Sessions that focus on Data Classification and Email Management include:
  • Email Management beyond Archiving by Ken Hughes, CTO, C2C.
  • The problem with archived data and how to solve it by Alec Bruce, Solutions Manager, Hitachi Data Systems.
  • Information Lifecycle Management by Shahbaz Ali, CEO and Founder, TARMIN.
For more information on all seminar sessions visit Storage Expo (www.storage-expo.com) the UK’s only definitive data storage and information management event, which provides visitors with the opportunity to compare the most comprehensive range of data storage solutions from all leading suppliers whilst addressing today’s key issues.

Now in its 8th year, the show features a comprehensive FREE education programme, and over 100 exhibitors at the Olympia, London from 15-16 October 2008. Register free to visit at www.storage-expo.com

Source: StoragePR
<>

Cloud Computing, according to Richard Stallman, "worse than stupidity"

by Michael Smith

Richard Stallman, the founder of the GNU project – which is NOT an operating system as claimed by one author and journalist recently – finds the euphoria as regards "Cloud Computing" as entirely over the top.

Stallman sees in this present debate simply another way of the software companies to bind as many users as possible to proprietary concepts, and he finds the use of Web-Software, such as Google-Mail, as a means of storing personal data “in the cloud” somewhere “as worse than stupidity”.

While on some levels Cloud Computing might look good and useful and having some sort of documents for working on the move online is a good idea, probably, total Cloud Computing is, I have to agree, as Richard Stallman says. Especially if we consider the small print in the EULAs of Google and other in the cloud services, the majority of which consider the data that the user stores there as also legitimate theirs. This is to say that Google, etc. claim that they have been given, as soon as the user stores data with them, an extension of the copyright and hence can use the data as and how they see fit to use it. Doh?

To him all the talk of Cloud Computing is nothing more than market hype and to me, personally, it has some sinister undertones.

According to Stallman there are no possible positive reasons as to why anyone would want to store personal data on the servers of those businesses whaile one has the possibility to store such data locallly. The argument, he says, that the use of bought in, in other words hired, services instead of the use of local software saves money is more than ludicrous. Furthermore is it as ludicrous to claim that, as it is being done, the development towards Cloud Computing is going to be inevitable.

"Somebody is saying this is inevitable – and whenever you hear somebody saying that, it's very likely to be a set of businesses campaigning to make it true." Stallman said.

The 55-year-old New Yorker said that computer users should be keen to keep their information in their own hands, rather than hand it over to a third party.

A sentiment that I can but agree with wholeheartedly and this for more than one reason, though privacy being the greatest of them all.

His comments echo those made last week by Larry Ellison, the founder of Oracle, who criticised the rash of cloud computing announcements as "fashion-driven" and "complete gibberish".

"The interesting thing about cloud computing is that we've redefined cloud computing to include everything that we already do," he said. "The computer industry is the only industry that is more fashion-driven than women's fashion. Maybe I'm an idiot, but I have no idea what anyone is talking about. What is it? It's complete gibberish. It's insane. When is this idiocy going to stop?"

The growing number of people storing information on internet-accessible servers rather than on their own machines, has become a core part of the rise of Web 2.0 applications. Millions of people now upload personal data such as emails, photographs and, increasingly, their work, to sites owned by companies such as Google.

But there has been growing concern that mainstream adoption of cloud computing could present a mixture of privacy and ownership issues, with users potentially being locked out of their own files.

This is a dangerous affair, however, for once they are uploaded to those servers the question remains as to who owns them, and if the EULAs are to be believes, and I have addressed that earlier in this article, then the service provider, whether Google, or whoever else, owns a shared copyright of your data.

Think about it... they claim that they own the data, your personal information, your essays and manuscripts, your photos, and whatever else, equally and the right to do with it as they please. Do you really want to hand such rights over to such people?

The possibility of being locked out of your own files is real, let me tell you that. It happened to me and while I do store bookmarks and such online, they are but copies of what I store off line either on a hard drive, a flash drive or CDs.

Stallman, who is a staunch privacy advocate, advised users to stay local and stick with their own computers.

"One reason you should not use web applications to do your computing is that you lose control," he said. "It's just as bad as using a proprietary program. Do your own computing on your own computer with your copy of a freedom-respecting program. If you use a proprietary program or somebody else's web server, you're defenceless. You're putty in the hands of whoever developed that software."

This advice of Richard Stallman I can but endorse and while he may be better in many aspects of computing and have much more knowledge on the subject, I have been there and experienced the issue of not getting to my data for over two months.

While I know that there are many advocates of Cloud Computing I wonder how many of them have, in fact, stopped to think as to what they are doing and how many have, in fact, carefully ready the EULAs of the services. If they have done with those licenses the same that the majority of us tend to do with the EULAs of software, whether Open Source, Freeware, Shareware or proprietary, then they, more than likely will not have done so. Few of us ever tend to read those licenses, do we now. In the case of Cloud Computing services, free or paid for, I do sincerely think that we should read those licenses and we should read them very, very carefully indeed.

© M Smith (Veshengro), October 2008
<>

EuroSOX – TIME FOR a new approach to compliance

By Jürgen Obermann, CEO of GFT inboxx GmbH

The 5th September 2008 marked the deadline for European organisations to transpose two new directives – the Statutory Audit Directive and the Company Reporting Directive – into domestic law. Commonly referred to as EuroSOX, this latest initiative is the European Commission's eighth guideline for the protection of shareholders, brought in with the aim of ensuring the reliability of annual accounts and consolidated financial accounts of companies, in the wake of recent high profile corporate fraud cases, such as the Parmalat scandal.

Despite the publicity around the introduction of EuroSOX proclaiming the drastic requirements expected from IT, there is surprisingly little said in the EU guidelines as to the concrete IT requirements necessary for organisations to become compliant. Thus suggesting that the current hype regarding 'EuroSOX compliance in IT' has been somewhat exaggerated. After all, companies operating globally have already had to abide by the International Financial Reporting Standards (FRS) or the United States Generally Accepted Accounting Principles (US-GAAP) if they wish to adhere to international legal regulations.

The impact on IT
Aside from the obvious changes necessary in IT, EuroSOX will additionally lead to some indirect IT requirements. These ultimately derive from requirements that qualified auditors have to meet, though they are mainly general requirements regarding the quality of systems, processes and data management, as have already been prescribed for years - e.g. in accordance with Basel II.

In implementing EuroSOX, companies should not look on this as just another compliance regulation to be abided by, but rather as an advantageous tool which should be used to encourage greater business transparency.

Best practice approach to EuroSOX
As far as EuroSOX and other compliance rulings are concerned, IT departments should not interpret individual regulations and laws such as EuroSOX, Basel II etc., but should instead concentrate on a holistic approach. This is as proven in recent research commissioned by GFT inboxx which found that 94% of IT managers in Europe have insufficient knowledge of the legal requirements regarding archiving of e-mails.

IT departments must concentrate on their core tasks. They are not in a position to tackle the legal details of individual laws. This is a job for legally trained and specially qualified expert staff. By concentrating on the combined, generic requirements of all compliance guidelines, IT departments can tackle the issues at a higher level.

The requirements that should be met by an IT department can be roughly divided into three basic tasks, however these are not mutually exclusive:

1.Generic best practice data management and data handling – making sure that a consistent approach is taken across the board.

2.
Long-term safeguarding and processing of all information. Preparation for possible disturbances (disaster recovery), secure long‑term archiving of all information and ensuring access at all times within the parameters of storage times are of the utmost importance in this context.

3.
Transparency, which is above all facilitated by creation of powerful search functions and analytical methods regarding all information in the company.

The first task is very much open to interpretation and is broad in nature. In the event of any doubt, any weak points coming to light as a result of audits and inspections can be resolved in this context. Items two and three, however, are clear and not open to interpretation. An email document either exists or it doesn't. Either powerful overall search is possible or impossible. Inspections will thus concentrate on these points. Thus in the short term there is a need for action from the IT department in this respect.

Recommendations for IT departments

1.
Do not tackle individual legal regulations such as EuroSOX – leave the interpretation to the specialist departments.

2.
Don’t take a siloed approach. Instead concentrate on implementing the common requirements for all compliance guidelines:
a.Transparency of IT processes;
b.Audit-proof long-term archiving and planning for disaster recovery
c.Creation of an overall search and analysis platform to facilitate e‑Discovery

3.
In the short term focus on (b) and (c). They are rigorous requirements that cannot be avoided.

4.
Use this as an opportunity to create a business case for other IT projects.

GFT Inboxx is exhibiting at Storage Expo 2008 the UK’s definitive event for data storage, information and content management. Now in its 8th year, the show features a comprehensive FREE education programme and over 100 exhibitors at the National Hall, Olympia, London from 15 - 16 October 2008 www.storage-expo.com

Source: StoragePR
<>

"Children on Virtual Worlds" - 25 parental safety tips, report launched by the EU Agency ENISA

The EU Agency ENISA, the European Network and Information Security Network Agency, launches a report on virtual worlds with 25 safety tips for parents on how to make their children behave safely in online virtual worlds.

Heraklion, Crete, 06.10.2008 - Club Penguin, Barbie Girl, Moshi Monsters, Webkinz, etc. Is your child spending hours playing online games? Well, you are not alone. Virtual world sites are now hugely popular and have become a compelling activity for many Internet users. The rate of growth in online social networks, including virtual words for children has risen over the last past years. With more than 100 youth-focused virtual worlds, regulators and parents are struggling to keep pace. It has been estimated that 20 Mn children and tweens will visit virtual worlds by 2011.

Parents are naturally concerned about how their children use and behave in virtual worlds. The biggest concerns is the online safety of children (7 years old and under) and tweens (8-12 years old) and how they can be protected from online predators. Awareness of what children can do online and parental involvement is crucial. Parents should be educated, empowered and engaged to ensure truly positive and valuable experiences for their children, while reinforcing safety online habits in these three-dimensional environments.

The ENISA paper gives 25 safety tips to parents. These tips provide clear and comprehensive tools for parents to decide with their child what is appropriate and safe, to behave responsibly as well as to have fun in virtual worlds. Sample tips range from computer security, to rules, and advice on parents? and children?s education, e.g;

1. Keep the computer in a common room.
2. Set house Internet/mobiles rules if and how to use virtual worlds.
3. When activating a child?s account, always do it using the parent?s email address.
4. Be aware that parental consent should be required to process sensitive personal data, for chat rooms, send unsolicited commercial e-mails, etc.
5. Have children use neutral nicknames, not their real ones.
6. Communicate with your children about their experiences. Encourage them to tell if they feel uncomfortable or threatened online.

For all 25 safety tips, , please read the full report: http://www.enisa.europa.eu/doc/pdf/deliverables/children_on_virtual_worlds.pdf

The Executive Director of ENISA, Mr. Andrea Pirotti remarked: ?It is our responsibility as adults to secure that our children can have both fun and safely enjoy online gaming and virtual worlds?

<>

Kedron UK announced partnership with INFOSIM

Kedron UK are first to distribute Infosim's StableNet product in the UK

Kedron UK, experts in enterprise management solutions, announced on October1, 2008, a deal with Infosim, provider of advanced OSS solutions. The deal gives Kedron UK extensive UK distributions rights to provide the Infosim StableNet technology both directly to end users and through the channel.

Infosim's StableNet technology is an end to end service level network management solution. The product is designed to address the growing business need to relate information technology management to business services. StableNet comes in three editions to target SMEs, larger organizations and Telecoms companies specifically.

Initially Kedron will be selling the StableNet product portfolio directly, but there will be opportunities for VAR's in the network management and security market space, network integration companies and IT Outsource providers. Kedron is planning an exciting Channel Partner Program with high rewards in this resellers will receive certified training, quality led generation, marketing collateral in the form of sales brochures and presentations as well as pre-sales support from certified engineers. Meanwhile, Kedron will also be promoting the StableNet product via marketing and trade shows.

“We've worked very closely with Infosim in bringing this product to market to ensure that the proposition delivers tangible benefits for our customers, This includes network optimisation and analysis that will allow all people in an organization from the IT manager to the CFO to receive the best performance from their IT systems”, says Roland Stigwood, Managing Director of Kedron UK, who continues, “What really impressed us about StableNet is that it is a truly end to end service delivery solution offering fault ands event alerting and inventory and configuration management. The different editions suit a variety of industry sectors presenting Kedron with a huge potential opportunity to develop market space.”

Dr. Stefan Koehler, Managing Director at Infosim comments, “We're thrilled to have Kedron UK as our partner, working in the Enterprise Management space. They were ideally suited to understand both our offering and out marketplace. This, coupled with their customer focused approach and existing relationships with big name vendors and clients made it a simple decision to choose them as our first venture into the UK market.”

The StableNet product is a flexible solution that comes in three variants to suit different needs, Express, Enterprise and Telco. The base package pricing delivers a solution that includes a number of compulsory modules with optional modules available as chargeable extras.

Kedron UK provides a wide range of network monitoring and traffic analysis solutions and support services that will add real value to any company or organization; from Proof of Concept right through to solution delivery and optimization, Kedron works with clients to endure complete satisfaction and maximization of their network investment.

Infosim is internationally recognized as a technology leader in the OSS market. Superior technology, products and an unrivaled commitment to innovation, have put Infosim at the forefront of the network performance management and optimization market. Infosim is a privately owned corporation. Today, many world leading companies like Siemens and SingTel rely on Infosim technology.

StableNet is Infosim's next generation service assurance solution. Service providers, enterprises and public sector IT departments trust StableNet to increase service levels to their users by reducing or preventing service disruptions and enhance the quality of experience by proactively managing performance. StableNet comes in three editions which are optimized for the requirements of different user segments:

  • StableNet Express: Entry level, SMEs, workgroups
  • StableNet Enterprise: Public Sector, Education, MNCs
  • StableNet Telco: ISPs, Data Centers

Source: Clark Moulder Purdie Communications
<>