What links Twitter, stolen bikes and the Boston Police Department

Q: What links Twitter, stolen bikes and the Boston Police Department?
A: Infosecurity Adviser

London, UK – July 2009 (Eskenzi PR) – An innovative Twitter-based scheme operated by the Boston, MA, Police Department has got the thumbs up from Mike Barwise, a regular blogger on Infosecurity Adviser, the online community for the information security industry.

"The scheme, which involves owners of stolen bikes posting the relevant details on the Web, and that information being tweeted to police officers, bike shops and other relevant people, has been a success thanks to its immediacy and security," he said.

"The service is immediate, thanks to the use of Twitter as an information carrier for the messages, and secure, because the police department has a highly secure IT system," he added.

According to Barwise, the fact that the Boston PD has been able to securely implement Twitter on its IT resource sends a positive message out to IT managers everywhere.

Twitter is, he explained, an essential part of the communications infrastructure and, as a result, it is down to the IT manager to develop a security strategy to counter any potential problems its usage creates on a firm's computer resource.

And, says Barwise, using Twitter effectively isn't rocket science, especially when you realise that UK police in the 1970s and 1980s made use of pagers to relay information to groups of shopkeepers in selected cities across the UK, alerting them, for example, that a team of shop-lifters was in the area.

"From an IT manager's perspective, the use of Twitter by the Boston PD is fascinating as it's pretty obvious that the police operate a pretty tight ship on the IT security front," said Barwise.

"And if they didn't, we'd soon hear about it," he added.

For more on Barwise's comments on the Boston PD: http://www.infosecurityadviser.com/view_message?id=129

Infosecurity Adviser is a unique community portal representing the information security industry and its users, organized in association with Infosecurity Europe. It offers advice from industry experts and bloggers as well as end user product reviews. It also contains information on qualifications, career paths and jobs from all the major accreditation bodies and is supported by the Information Security Awareness Forum. For more information see http://www.infosecurityadviser.com

<>

IronKey Announces over 1,000 Enterprises have Adopted its Cloud Computing Security Service and Secure Flash Drives

IronKey Secure Intelligent USB Drives with Centralized Remote Management Service Reach More Than 1,000 Enterprise Deployments

LOS ALTOS, Calif. – July 2009 (Eskenzi PR) – IronKey, maker of the world's most secure flash drives, today announced that over 1,000 companies and government agencies have adopted IronKey secure and intelligent USB flash drives and are managing them remotely using IronKey's cloud-based Internet security remote management online service. This makes IronKey one of the largest online security SaaS companies in the world.

IronKey online security services include:

  • Remote management and tracking of IronKey secure intelligent flash drives
  • Remote kill of lost and stolen devices
  • Content recovery, password reset and device redeployment
  • Internet update of software and security updates to IronKey devices
  • Internet update of anti-virus and anti-malware software on IronKey devices

Key Facts/Highlights:
  • IronKey has had successful large deployments with over 1,000 enterprise organizations and government agencies globally using its online security service to remotely manage IronKey intelligent secure USB flash drives over the Internet.
  • IronKey provides secure USB management services to its customers in government, financial services, healthcare, enterprise and education markets worldwide.
  • IronKey has over 25 distributors in more than 40 countries and has signed on over 180 Elite and Certified VARs.
  • IronKey designs and develops the world's most secure USB memory sticks (flash drives or thumb drives) at its facilities in Los Altos, California. IronKey products are designed and assembled in the USA to ensure top security and quality for enterprise customers.
  • IronKey's new S200 family of secure intelligent flash drives are the only USB portable storage devices in the world to have been validated to FIPS 140-2 Level 3 security standards by the National Institute of Standards and Technology (www.NIST.gov).
  • Despite their extremely high levels of security, IronKey flash drives are easy to use, and work on Windows, Macintosh and Linux computers without installing software or drivers.
  • IronKey secure intelligent flash drives are available starting at just $79, and volume discounts are available for government and enterprise deployments.
  • IronKey products are available on GSA schedules from Computech, Dell, DLT Solutions and GovPlace.

Dave Jevans, CEO at IronKey said: "As businesses today carefully assess every dollar they spend, our continued success highlights the growing importance of secure mobile device management services and data protection for organizations large and small. Providing remote management and security services for portable devices over the Internet as a security service helps reduce the costs and overhead for managing these popular devices. Companies can easily manage the security of remote workers by using the IronKey cloud security service, without the hassles and costs associated with installing servers and the continued maintenance of such an infrastructure. Even better, an Internet managed service is ideal for managing mobile workers who could be using their IronKey secure intelligent flash drives from anywhere in the world. The expansion and growth we are experiencing with our channel partners, as well as the continued adoption of IronKey products highlights the value and trust customers place in IronKey devices and online services."

Recent Industry Awards:
  • Best of FOSE
  • SC Magazine Reader's Trust Award
  • Most Valuable Solution Provider from Government Technology Research Alliance
  • Best Hardware Vendor Finalist from Computing Awards for Excellence
  • Best Security Management Tool by Tomorrow's Technology Today
  • Network Products Guide 2009 for Best Mobile Device Security
  • Gold Star in the Mobile Village Mobile Star Awards
  • CRN Emerging Tech Award

IronKey's award-winning products and services combine the world's most secure flash drive with the world's most powerful USB management software. IronKey's USB flash drives bring the power of authentication, encryption, identity management and privacy to businesses and consumers in 23 countries. IronKey's management software and associated services allow enterprises of all sizes, government agencies, the military, and other organizations to take back control of the mobile data that has been leaking out of their organizations due to the uncontrolled proliferation of USB drives. With IronKey, organizations centrally administer, remotely manage, and enforce policies on thousands of devices located anywhere in the world. Thousands of customers, including over 50 Fortune 500 companies, government agencies and military organizations that handle some of the most sensitive security information in the world trust IronKey to protect business critical data. All IronKey products are FIPS 140-2 validated. For more information, please visit www.IronKey.com.

<>

Website login with Biometric Identity Card

by Michael Smith (Veshengro)

Germany, July 2009: According to information, moves are afoot for German computer users – and I doubt it will remain German ones only if the EU has any say in that – to have to use their biometric personal identity cards – such ID cards are compulsory in Germany – for logging in at Internet sites, such as eBay and others.

No longer will pseudonyms be permitted, nor made-up personal information. Instead the ID card's details will be used to create accounts and used for logins. Aside from the simple issues of data security – well, not so simple really – there are issues here of privacy and such.

Big Brother definitely is taking over, as far as I can see, and biometric IDs and token RFID logins on PCs can easily be combined and thus track, basically, our every move now on the computer; at least as regards those sites where login is required.

While to begin with it is said that this will be for the online auction and other trade sites as well as for online shopping accounts only, it has already been mooted that this system is going to be extended to all social networking sites as well, such as Facebook, MySpace, Twitter, etc.

Noooo good at all. This is a privacy and ID theft disaster waiting to happen. Help!

Aside, as said, from the fact that this may be an ID nightmare waiting to happen it also means that any kind of anonymity and thereby personal privacy on the Internet will be gone.

Big Brother will then know precisely, through the use of the ID card, where you spend your time online and, probably, even what you “say” online, what you buy in an auction or in an e-store; you name it, it will track it.

Now someone tell me again that we are not headed for a total “Big Brother” world, with the powers that be trying to control every individual and his or her actions and lives.

Food for thought! And a call for action, perhaps?

© 2009

<>

Twitter email account hack multi-vectored but taps into poor security

Twitter email account hack was multi-vectored but tapped into poor security safeguards says Imperva

Burlington, MA & Redwood Shores, CA, 22nd July, 2009 (Eskenzi PR) - The hacking of a Twitter senior executive's email account was the result of a complex series of events but, says Imperva, the data security specialist, was ultimately the product of a combination of poor security practices and safeguards.

"As expected, the modus operandi of the hacker that emailed the Twitter planning documents to TechCrunch has now been revealed, and it shows that it is possible for a hacker to retrieve an account password for a legitimate user's cloud-based email service," said Amichai Shulman, Imperva's chief technology officer.

"If you examine what actually happened, it's clear that the security system for retrieving an account password in the cloud needs to be every bit as rigorous as a customer calling, for example, their bank and identifying themselves over the phone," he added.

According to Shulman, people using cloud-based services are happy to respond to 'secret questions' such as "your childhood hero", "your pet's name" and "your mother's maiden name."

Whilst these answers, he says, are likely to be unique and relatively difficult to guess on a purely random basis, they can often be second guessed by careful observation of a person's social networking site records, which then paint a very good picture of someone's likes and dislikes.

"Because of these security shortcomings - which legal professionals may yet argue about in court if Twitter does decide to sue those concerned for publishing the data - the big question is who is to blame for this highly public account hack?"

"Is it the fault of the email service provider, of Twitter, or of the senior manager concerned?" asks the Imperva CTO.

Or is it, as we surmise, a combination of circumstances and security failures that have conspired to create the situation?

The reality of the Twitter email account hack, says Shulman, is that the hacker exploited a complex set of security shortcomings to reach his goal of gaining unauthorised access to the documents in question.

"Companies should take note of this risk and plan their security safeguards accordingly. Today, most companies haven't properly considered the implications of employees using social networking and the information," he said.

For more on the Twitter email account hack: http://blog.imperva.com/2009/07/twitter-getting-into-the-underwear-drawer.html

For more on Imperva: http://www.imperva.com

Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit www.imperva.com.

<>

ISACA Leader Calls for Fundamental Changes to Information Security

Security by Compliance Is No Longer Working: ISACA Leader Calls for Fundamental Changes to Information Security

Los Angeles, CA, USA, July 2009 (Eskenzi PR) - At ISACA’s International Conference in Los Angeles this morning, security professional John Pironti called for a sweeping change in how enterprises deal with information security.

“Security by compliance is no longer working,” said Pironti, who is president of IP Architects and an ISACA volunteer. “The number and impact of security breaches have dramatically increased in the last couple of years, even though companies were in compliance with standards like PCI, GLBA, FFIEC, FISMA and others.”

If organizations continue to focus on security by compliance, he argues, the adversaries will continue to win as their attacks become more effective and more damaging. “Compliance can be a good starting point for securing information infrastructure and data if an organization has not put anything in place previously, but it cannot be the end point of the conversation.”

“We need to change the fundamental approach to the way enterprises deal with information protection,” Pironti said in his “Information Security 2.0” presentation at ISACA’s conference. “We need to stop thinking about information security and start thinking about information risk management.”

Information risk management requires more input from and decisions made by the business, instead of solely by security professionals and regulators.

Explaining the difference between the two, Pironti said, “Information security sets the tone for organizations that forces them to put measures in place that may actually end up preventing the business from being successful. Risk management gives the organization the power to make the security decisions that align with its business requirements and then implement appropriate controls.”

Another critical change, according to Pironti, is to focus on protecting data and information instead of just technology.

“The technology is just a vessel for the data and has little value by itself. By focusing on the data, enterprises will be better prepared for the challenges that they may face from any adversary,” Pironti said.

In addition to Pironti’s presentation, ISACA’s International Conference also featured the unveiling of Risk IT, a new IT enterprise risk management framework developed by ISACA. The framework will be publicly available as a free download in September.

With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations.

ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

<>

Don't always jump on the SSD bandwagon

Don't always jump on the SSD bandwagon says Origin Storage

Basingstoke, July 2009 (Eskenzi PR) - News that Intel is expected to release a 320GB solid state drive (SSD) later this month is good news for users with a specific requirement for SSD-based storage on their notebooks and netbooks, says Andy Cordial, Origin Storage's managing director.

"But not all notebook/netbook users really require the specific features that SSD storage systems offer," he said, adding that a growing number of portable PC users are returning to the benefits that traditional magnetic-based hard drives can offer.

Magnetic drives, says the storage system integration specialist, can support a wide range of facilities, not the least of which includes encryption against prying eyes, and the ability to be ruggedised against a wide range of difficult conditions.

The days when you could drop a hard drive on the floor from hand height and expect it to fail are long gone, he explained, adding that, in some hostile situations - notably where electrical currents are involved - magnetic drives can still have the clear edge.

And encryption systems on magnetic hard drives can easily outdo most pure electronics-based SSD systems, for the simple reason that the drive can be completely powered down in hostile conditions, and the disk head 'parked' into a robust travelling position.

SSDs, says Cordial, evolved for a very specific set of user situations where magnetic-based drives could not be used.

"Unfortunately, with the arrival of small footprint laptops and netbooks, some vendors have promoted SSDs as a full alternative to magnetic drives, for which they are not," he said.

"Yes, they can offer robustness, but they often cost a lot more. That's why a netbook with SSD storage will often not have the capacity of a similar magnetic drive-based machine," he added.

For more on Intel's 320GB SSD plans: http://preview.tinyurl.com/kjwb6y

For more on Origin Storage: http://www.originstorage.com

<>

Experts predict more mobile trojan slip-ups on the way

Fortify Software: expect more mobile trojan slip-ups in the future

July 2009 (Eskenzi PR) - As news emerges that the Symbian Foundation has admitted it needs better safeguards to prevent malicious apps finding their way onto mobiles, Fortify Software predicts this problem is going to get worse for mobile phone manufacturers and their operating system developers.

"The problem with mobile phones is that their processing capacity is increasing at a near-exponential rate, with some of the latest smartphones the technological equivalent of the PCs seen in the early part of this decade," said Richard Kirk, director of the application vulnerability specialist.

"And whilst the power of the average smartphone has soared in the last few years, the behind-the-scenes technology and security assurance practices required to prevent any security loopholes in the operating system and/or applications are not as up to speed as they are on the desktop/laptop platforms," he added.

Because of this, Kirk went on to say, hackers and malware developers - blocked by increasing sophistication on the desktop/laptop security front - are now turning their attentions to the microcomputer many of us have in our pockets - the smartphone.

The problem with smartphones, he explained, is that they are truly mobile devices, travelling with us between home and office, and out into the untethered real world, but remaining constantly connected thanks to a mixture of GSM, 3G and WiFi connections.

Add in a high quality mobile email and Internet access, and you have a potential recipe for a data leakage disaster in the making, as the humble smartphone can offer hackers a nearly always-on back door into desktop PCs at home and corporate networks in the office.

The fact that the Symbian Foundation has admitted a boo-boo in allowing a botnet-building Trojan - Sexy Space - past the group's digital signing procedures, is a potentially serious failure in the foundation's audit procedures.

"At the same time, it's an understandable mistake, and one that the IT security industry's early movers and shakers probably made in the 1990s," he said.

"Because of this, you can expect more of the same to happen in the weeks and months ahead, as the mobile industry gets to grips with its growing IT security teething troubles," he added.

For more on the Symbian Foundation's security slip-up: http://preview.tinyurl.com/klflmm

For more on Fortify Software: http://www.fortify.com

<>

Split Stick, Double-Sided USB Drive, Hits quirky's Online Store

Collaboratively developed in one week by quirky's community
New York, NY, July 2009 (27 Threats) – July 23 marked the official release of the Split Stick - a community designed double-sided USB drive.

Everyone always tells you to keep your work and your personal life separate. Now you can maintain that divide with your files too.

With the Split Stick, you can enforce the digital divide between office and personal, home and away, yours and hers, G-rated and X-rated, or whatever else you choose to separate.

Split Stick is the sixth product designed and developed by the quirky community since quirky’s launch on June 2nd. quirky gives everyone the chance to get product ideas out of their heads and onto shelves. Each week quirky’s community collaborates to select and produce one new product idea. This week ends the development of the Split Stick and it is now available for sale at quirky’s online store for $19.99. Accompanying the Split Stick are 4 other quirky-developed products: the Sling Back, a universal wire retractor; the Ouch Pouch, a funkier version of the traditional blue and white arm sling; the Pressto, a tofu press; and the Sudokid, a kid's Sudoku set.

Designed and developed by the quirky community, Split Stick is two two-gigabyte retractable USB drives built into one slim (four gigabyte) stick. The Split Stick is made of an anodized aluminum body and encased in a protective rubber membrane. The Split Stick comes in a range of colors: orange, blue, pink, red, black, violet, grey, or green. A plastic button allows one to easily switch between the two different sides of the drive.

Customers can select how they want to divide their Split Stick by selecting their own text or choosing icons from quirky's icon gallery. These will be laser etched during the ordering process.

quirky engages participants to collaborate in every aspect of product creation - from ideation, design, naming, manufacturing, marketing, right on through to sales. Anyone can participate on quirky.com either by submitting their own product idea for $99, or by voting, rating, and influencing other people’s product ideas. Cooler still, 30¢ of every dollar generated from the sale of a quirky product goes back to these influencers.

Every week users post ideas on quirky to be rated by the quirky community. The community surveys the submissions during the 7-day evaluation period and selects one product to move forward to product development. quirky’s community then begins weighing in on everything from naming to logo selection to packaging through to prototype.

The final product becomes available for pre-sale at the quirky online store. Once the product hits its pre-sale threshold, credit cards are charged, and the product goes into production and delivery. At this point, 30¢ of every dollar made from the sale of these products goes back to the community. “Community” in this case covers both the ideator as well as all people who voted, commented, and rated the project idea along the way.

<>

Charmaga brothers card fraud case highlights need for securing customer data

Charmaga brothers card fraud case highlights need for securing customer data says Cyber-Ark

July 2009 (Eskenzi PR) - The jailing of three brothers in London on charges of scamming credit and debit card companies of more than 600,000 pounds highlights the need for companies to take extreme care when handling customers' financial details, says Cyber-Ark, the digital data vaulting expert.

The Charmaga brothers case, says Mark Fullbrook, Cyber-Ark's UK and Ireland director, in which the three men created a raft of fake payment cards - using data sourced through illegal channels - and used them to draw cash from ATMs, as well as make luxury goods purchases, shows how valuable stolen card data can be.

"Card fraud hit a five-year high in the UK last year and this case is just the tip of the iceberg. Granted, the three brothers have received more than 11 years in prison between them, but they have left a trail of financial devastation behind them," he added.

And with card fraud approaching the 170 million pounds mark last year in the UK alone, Fullbrook said that companies should now be protecting their customers' financial records more than ever before.

Chip & PIN technology, he explained, has dramatically reduced the level of retail card fraud involving the use of stolen, but legitimate cards, but criminals are now turning to cloning cards - often using data obtained illegally on the Internet - for their income stream.

The fact was rammed home, he says, when police confiscated around 600 cards ready to be used by fraudsters, as well as card details on more than 3,400 people's accounts in the possession of the brothers.

Stopping card fraud at the company level, he went on to say, is now a pre-requisite of effective security at any company that accepts plastic payments, whether in person, over the phone or on the Internet.

"And protecting that data is essential to protecting any company's reputation, so the use of data vaulting to protect customers' financial details is a must-have," he said.

"If your company does not protect its customer records and card details are traced back to your firm, you run the risk of not easily being able to accept card payments in the future. That, coupled with the risks of reputational and legal damage, should be enough to persuade any company of the need to secure customer data," he added.

For more on the latest London criminal card saga: http://preview.tinyurl.com/ntkule

For more on Cyber-Ark: http://www.cyber-ark.com

<>

Twitter hack caused by lack of security

Basingstoke, July 2009 (Eskenzi PR) - News that Twitter has been hacked yet again comes as no surprise, given the fact that many IT staff and managers are being pushed into adopting cloud computing services on a fast-track basis, says Origin Storage, the storage systems integration specialist.

"Our observations suggest that a number of companies and their staff are being forced down the cloud computing route and are having to adapt their IT security systems on the fly," said Andy Cordial, Origin Storage's managing director.

"We have had concerns about this rate of change in the business sector for some time and, with all the data breaches occurring on the cloud front, it's obvious that the chickens are now coming home to roost," he added.

According to Cordial, this latest Twitter hack appears to be the result of the password of a company co-founder being guessable on the Google Apps service, which then allowed the hacker access to his personal information including details of his wife’s computer.

It is, he explained, a common problem in IT departments, but one that can be solved by applying a sizeable slice of common sense and adding a selection of encryption technologies plus policies to the mix.

Adding encryption to a company's data storage - whether in the cloud or not - he said, will ensure that data at rest, as well as on the move, is protected from prying eyes.

And if a secure password best practice is applied on top of corporate encryption policies, the resultant multiple layers of defence can help prevent human error causing a faux pas like the latest Twitter hack.

"Applying effective security is all about planning and then applying that planning, backed up by a set of solid security policies with encryption at its heart," he said.

"If Twitter had had this strategy operating at all levels of its hierarchy, rather than apparently going for user growth at any cost, it wouldn't be in the embarrassing situation it is now," he added.

For more on the latest Twitter security lapse: http://preview.tinyurl.com/nyw728

For more on Origin Storage: http://www.originstorage.com

Mark Fullbrook, UK and Ireland Country Manager for Cyber-Ark said: “I find it amazing that a company such as Twitter still holds company sensitive information such as HR records on servers that can be accessed with a simple username and password, without any ability to audit who has access.

The fact that this has come from the use of an administrators account, further underlines our advice to utilise a digital vaulting solution to store and manage highly sensitive info whether that be a file or a privileged password.”

Amichai Shulman CTO of Imperva went on record saying: “This is a great lesson in cloud security. My guess is that once the hackers got hold of the email account they used the “recover password” feature of Google Apps to compromise the Google Apps account for that individual. Not that this could not have happened to a corporate account but… in order to compromise a corporate account you’d usually go through two authentication mechanisms (VPN and then internal network login). Plus, if you had a good data loss protection solution in place, you would prevent your business sensitive documents from leaking. With a cloud service there is no one to “double check” the extraction of documents and other sensitive information.”

Calum Macleod, Regional Manager of Tufin Technologies, said on this issue: “This highlights one of the many security and compliance issues that cloud computing raises. Although issues such as strong authentication and securing sensitive data are clearly issues in the cloud computing scenario, fundamentally one of the areas that organizations are not addressing and in many cases not even aware of is how lax their firewall configurations are. Allowing internal users to pass through corporate firewalls and access uncontrolled services on the Internet due to a failure to properly police their firewall policies will continue to result in information leakage. Obviously these employees were allowed to access the information but surely the corporate firewall policies should ensure that only essential traffic is allowed to pass through. If nothing else this should serve as a warning to any Security officer to manage their firewall policies more effectively and provide their administrators the essential tools to control who has access to what!”

<>

New Oracle security flaws facilitate data leaks according to Imperva

Burlington, MA & Redwood Shores, CA, July, 2009 (Eskenzi PR) – The hacker attacks on Web sites in South Korea - which spilled over to selected US government sites last week - were almost certainly orchestrated by hackers sympathetic to North Korea, but the attacks could have been organised by anyone with a modest budget, says Imperva, the data security specialist.

A raft of Oracle security flaws - which were fixed on Wednesday of this week - are potentially serious and, as a result, Imperva, the data security specialist, is recommending that all users of Oracle's software products should patch their applications without delay.

According to Amichai Shulman, Imperva's chief technology officer, the fact that Oracle has issued 33 patches - 10 of which are sealing vulnerabilities in Oracle's database server offering - indicates the severity of the problem.

"The scale of the problem is such that, if companies do not patch, then they could end up leaking customer account data, including credit and debit card details, to hackers on remote access," he said.

"The patches affect Oracle's Application Server, Secure Backup, Identity Management, E-Business Suite, Enterprise Manager, WebLogic Server and JRockit, as well as PeopleSoft and Siebel tools," he added.

Shulman noted that two of the flaws in Oracle's Secure Backup earned scores of 9.0 and 10.0 - out of 10.0 - on the CVSS risk rating. The JRockit flaw also scored a 10.0.

Two vulnerabilities on the Oracle database server, he explained, are remotely exploitable without any authentication being required.

This is, he says, not unheard of but always interesting, as it indicates a vulnerability in the network protocol layer.

Shulman went on to say that these vulnerabilities mean a hacker can attack the database without authenticating to the system or logging in, meaning that a major attack could go undetected by the IT manager of the system concerned.

According to the Imperva CTO, the number of vulnerabilities in the Oracle eBusiness suite - which includes one of the remotely exploitable flaws not requiring authentication - remains consistent with previous releases.

"Worryingly, since the eBusiness suite touches and transacts a lot of critical data - including the usual suspects such as social security numbers, debit/credit cards and so on - as well as important corporate information, including customer lists or financials, this could result in data leaking out without any knowledge on the part of the IT managers concerned," he said.
"It's very important, therefore, that anyone using Oracle products visit the software company's portal and update their applications, as a failure to patch could result in a very serious data leakage situation," he added.

For more on the Oracle security flaw fiesta: http://preview.tinyurl.com/mbtsfw

For more on Imperva: http://www.imperva.com

Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit www.imperva.com.

<>

Head Office of Powerpets, Inc. has switched to Ubuntu Linux

by Michael Smith (Veshengro)

In 2002, a small Canadian company was started based on a small idea and big dreams – to create an entertaining virtual world with many educational aspects and a company goal to support and spread awareness of abused and abandoned animals.

Less than half a year into the project, powerpets.com was experiencing explosive growth and an explosive amount of problems, mainly e-mail based viruses.

The company would be affected by the next big threat weeks before large anti-virus companies such as McAfee had a fix for it. More time was spent by those involved in the IT part of the business, and nigh on everyone else, fixing the Windows-based office computers than was spent working on the business itself.

A switch to Linux was then made, with quite a few hurdles, but, as Elizabeth Routliffe, the President of the company said, “it was nice to know once a system was set up, you wouldn't have to worry about it. You wouldn't even need to restart it.”

Then, unfortunately, in 2008 the 'flavor' of Linux that they had chosen for their office was sold to another company, which pretty much abandoned the operating system.

A bit like ASUS abandoning their version of the Linux OS that they used to have for the Netbooks and small Laptops.

Much research then went into selecting a new Linux operating system that would be able to carry the company through the next decade without headaches or an overload of IT expenses.

It was Ubuntu that very quickly caught their attention. Elizabeth Routliffe said that they actually waited for about a month because they could not find an option to purchase a single copy of the Ubuntu OS and felt uncomfortable requesting a free CD. Because the company has only satellite Internet, they were unable to download the Ubuntu ISO.

Having then requested a free CD, they received it a few weeks later in the mail.

It was not until June 2009 that they were finally able to experiment with the OS, when an old test laptop was loaded with Ubuntu. The installation went quickly and without a hitch, despite the hardware being well outdated.

Then the remainder of the office went through the overhaul, and in a matter of hours everyone was using Ubuntu. Some changes were hard to get used to, Elizabeth Routliffe said, such as the SAMBA shares, but overall everything was a success.

Powerpets, Inc. say that they are very happy with their Ubuntu solution and, from what has been said, they would recommend Ubuntu to others, as do I.

Personally I find Ubuntu Linux – though I only use it for the workhorse PC that does all the writing work – a great system and will carry on working with it and testing it.

In my opinion Linux is the way forward and the Netbooks from ASUS, for instance, with ASUS' own version of Linux prove that everything works out of the box.

To me Linux, especially Ubuntu, is so very intuitive that I can never understand why people seem to have problems with using it, while I can well understand that there are sometimes hardware issues.

Ubuntu rocks!

© 2009
<>

McAfee partners with Tufin to automate network security policy management

TUFIN JOINS MCAFEE SECURITY INNOVATION ALLIANCE

Security Lifecycle Management Leader Partners With Industry Giant to Lower the Cost and Increase the Effectiveness of Security Operations

RAMAT GAN, Israel, July 2009 - Tufin Technologies, the market leading provider of Security Lifecycle Management solutions, today announced that it has joined the McAfee® Security Innovation Alliance™ (SIA) partner program. As part of this program, Tufin will integrate its award-winning Tufin Security Suite (TSS) with McAfee Firewall Enterprise (formerly Sidewinder) and the McAfee ePolicy Orchestrator® (ePO™) software.

The joint solution will enable McAfee customers to take advantage of Tufin’s award winning SecureTrack and SecureChange Workflow products for firewall operations management, security optimization, compliance auditing, and change automation. McAfee customers will not only experience reduced time and cost of firewall operations, but will also be able to implement a range of process and audit controls needed to streamline internal and regulatory compliance, tighten network security, and ensure business continuity.

“We are delighted that Tufin has joined the McAfee Security Innovation Alliance program,” said Ed Barry, senior director for the McAfee Security Innovation Alliance. “When Tufin completes its integration, we expect our joint solution to stimulate powerful new efficiencies and cost savings for security and compliance, a key goal of the SIA program.”

Tufin's SecureTrack™ and SecureChange™ Workflow products, which make up the core of its Tufin Security Suite™, help security operations teams to manage change, minimize risks and dramatically reduce manual, repetitive tasks through automation. Tufin’s open, extensible architecture, the Tufin Open Platform (TOP), enables McAfee to seamlessly extend Tufin’s automated policy management to its McAfee Firewall Enterprise solution, providing joint customers a cohesive, automated framework for network security policy management.

McAfee ePO software is the first platform that lets enterprises and governments centrally manage security and compliance products from multiple vendors, offering unprecedented cost savings and return on investment. With more than 35,000 customers and managing close to 60 million PCs and servers, this unique platform is helping McAfee SIA partners to extend their reach and create complementary functionality. For more information on the McAfee SIA and McAfee Firewall Enterprise appliance, please visit: http://www.mcafee.com/sia.

“We are pleased to join the McAfee SIA program and be working with an industry giant that, much like Tufin, is deeply committed to making security easy to manage,” said Shaul Efraim, vice president of products, business development and marketing, Tufin. “Our joint solution will enable our mutual customers to immediately and dramatically streamline security operations and reduce the complexity involved with managing heterogeneous network environments. The result will be greater protection, reduced risk and increased compliance.”

Tufin Security Suite™ (TSS) is the industry’s first comprehensive Security Lifecycle Management solution. Seamlessly integrating its award-winning SecureTrack and SecureChange Workflow solutions into an open, extensible and distributed architecture, TSS features full interoperability with Check Point, Cisco, Juniper, Fortinet, F5 and Blue Coat. TSS provides the capacity to automate security policy management for any device in the Security Lifecycle Management eco-system, enabling organizations to reduce the cost of security operations and compliance while increasing operational efficiency, tightening network security, and ensuring business continuity.

Tufin Technologies is the leading provider of Security Lifecycle Management solutions that enable large organizations to enhance security, ensure business continuity and increase operational efficiency. Tufin's products SecureTrack™, SecureChange™ Workflow, and the Tufin Security Suite™, help security operations teams to manage change, minimize risks and dramatically reduce manual, repetitive tasks through automation. Tufin’s open, extensible architecture enables any company with best of breed applications, devices and systems to take advantage of Tufin’s unmatched policy optimization, change management, and auditing capabilities. With a combination of accuracy and simplicity, Tufin empowers security officers to perform reliable audits and demonstrate compliance with corporate and government standards. Founded in 2005 by leading firewall and business systems experts, Tufin now serves more than 325 customers around the world, including leading financial institutions, telecom service providers, transportation, energy and pharmaceutical companies. For more information visit www.tufin.com, or follow Tufin on:

Twitter at http://twitter.com/TufinTech,
LinkedIn at http://www.linkedin.com/groupRegistration?gid=1968264,
FaceBook at http://www.facebook.com/home.php#/group.php?gid=84473097725
The Tufin Blog at http://tufintech.wordpress.com/

<>

Microsoft's Gazelle Web browser project a positive?

Cyber-Ark says Microsoft's Gazelle Web browser project may prove the answer to vagaries of the Internet

July 2009 (Eskenzi PR) - Microsoft's planned 'super-sandbox' Web browser - code-name Gazelle and due to be released later this year - may turn out to be the best means of protecting users' PCs against the vagaries of the World Wide Web, says Cyber-Ark, the digital data vaulting specialist.

"Memory sandboxing has been proven time and time again as a highly effective method of creating a relatively bullet-proof environment in which to run potentially risky applications, as the environment disappears entirely when the sandbox is closed," said Mark Fullbrook, Cyber-Ark's UK and Ireland director.

"This is not dissimilar to our segmented approach to storing company critical and private data, keeping access to the main company data completely separate to the private information," he added.

According to Fullbrook, Gazelle's planned segmented approach to the PC environment will similarly make it a lot harder for hackers to steal data from PCs accessing the Internet.
Unlike previous sandbox browser approaches, he says, Gazelle mixes the features of a browser with that of an operating system, giving protection to Internet users from malicious or unstable code targeted at Internet users from adverts, and other content whose origins cannot be fully trusted.

It's important to realise that Web browsers have evolved from being a flat data sheet viewer like a text file notepad to a rich media viewer that assembles data dynamically from across the Internet, he explained.

This 3D approach to viewing data is an exciting option for most Internet users, but, he said, for IT security managers, it's often a complete nightmare. And that, he added, is just for company users of the Internet. For home and consumer users of the Web the stakes are potentially even higher, owing to their having fewer IT security resources at their fingertips.

"When Microsoft reveals the gameplan for Gazelle at next month's Usenix Security Symposium in Montreal, Canada, there are going to be some very interesting developments," he said.

"Just as our silo approach to storing private data is being adopted by a number of players in the data security space, so we expect the sandbox features of Gazelle to be picked up by the browser software mainstream," he added.

For more on Microsoft's plans for Gazelle: http://preview.tinyurl.com/mp4tcl

For more on Cyber-Ark: http://www.cyber-ark.com

<>

Organisations unprepared for iPhone security threat – survey

London, July 2009 (Aspectus PR) – A new survey sponsored by DeviceLock, Inc., reveals that companies are failing to appreciate the risks attached to iPhone use among employees*. Timed to coincide with the introduction of DeviceLock’s endpoint security support for iPhone devices, the survey quizzed senior IT decision-makers in medium-to-large firms on their attitude towards the security threat posed by the iPhone.

The survey revealed that while 65 per cent of IT decision makers recognised that unauthorised users could access valuable company data through the iPhone, 64 per cent said they had not taken any steps to secure company data against this threat.

Given the high number of companies with inadequate protection against data breaches via an iPhone, the survey also revealed that 40 per cent of businesses knowingly allow staff to download company data onto removable devices without any security provision.

“We know that the consumerisation of corporate IT is an increasing problem for IT departments. The amount of removable and mobile memory-enabled devices that employees have on their person at any one time is now quite considerable - be it a USB stick or an iPhone. Therefore, we were very surprised to see that most companies were not prepared for this threat,” said Sacha Chahrvin, managing director at DeviceLock UK. “DeviceLock 6.4.1, which is now in beta, will provide a secure way for companies to have more control over how employees use their iPhones as a business tool.”

This DeviceLock version adds granular access control, auditing and shadowing capabilities for local synchronisation of iPhone devices connected to employee computers. Companies can now set permissions for the different data types (media, contacts, files, etc.) transferred to and from the iPhone, and can audit and shadow objects copied from PCs to iPhones.

Since its inception in 1996 as SmartLine, DeviceLock, Inc. has been providing endpoint device control software solutions to businesses of all sizes and industries. Protecting more than 4 million computers in over 58,000 organizations worldwide, DeviceLock has a vast range of corporate customers including financial institutions, state and federal government agencies, classified military networks, healthcare providers, telecommunications companies, and educational institutions. DeviceLock, Inc. is an international organization with offices in San Ramon (California, US), London (UK), Ratingen (Germany), Moscow (Russia) and Milan (Italy). For more information, visit DeviceLock web-site at www.devicelock.com.

<>

Denial of Service attacks could have been engineered by anyone according to Imperva

Burlington, MA & Redwood Shores, CA, July, 2009 (Eskenzi PR) – The hacker attacks on Web sites in South Korea - which spilled over to selected US government sites last week - were almost certainly orchestrated by hackers sympathetic to North Korea, but the attacks could have been organised by anyone with a modest budget, says Imperva, the data security specialist.

"It doesn’t make sense that this attack came exclusively from North Korea. First, the attack was using widespread code executed by zombie computers all over the world. Second, this attack is relatively inexpensive to execute—no more than $50,000—making it doable not just by any government, but also by any Tony Soprano. That’s the really scary part," he added.

According to Shulman, whilst the attacks on the US Government and South Korea were almost certainly the result of hackers sympathetic to the cause of North Korea, the government in the North should not be held exclusively responsible.

Further, in the case of the US government, he explained, the impact of the attacks could have been easily mitigated. The US government has placed too much reliance on multiple Internet service providers. “The US government can learn a lesson from Israel, which set up a central connection authority, the Tehila, for all government agencies that provides traffic management services as well as security, redundancy and disaster recovery. In this case, a central authority would have had an easier time blocking an attack of this nature.”

“The attacks,” he went on to say, “show that security experts must never take their eye off 'old school' threats as the industry moves to protect itself from new and more sophisticated attacks.” As organisations shift their security focus to protect against data-centric attacks, he said, they should never forget about the importance of perimeter defences.

"Had the right defences been in place in the first place, the hacker attacks would only have caused a minor slowdown in Internet operations and the hackers would have been unsuccessful in their quest," he added.

For more on the South Korean hacker attack fall-out: http://preview.tinyurl.com/m8ehso

For more on Imperva: http://www.imperva.com

<>

IronKey first USB storage device to achieve FIPS 140-2, level 3 validation

IRONKEY UNVEILS WORLD’S MOST PHYSICALLY AND CRYPTOGRAPHICALLY SECURE USB FLASH DRIVE

IronKey S200 is the First and Only USB Storage Device to Achieve FIPS 140-2, Level 3 Validation; Delivers Advanced Cryptochip Featuring AES-256, Tamper-Resistance and Self-Destruction Circuitry

LOS ALTOS, Calif., July 2009 (Eskenzi PR) – IronKey, maker of the world’s most secure flash drive, today announced the launch of its S200 device for government and enterprise customers, featuring hardened physical security, the latest Cryptochip technology, active anti-malware and enhanced management capabilities.

Highlights of IronKey S200:

  • The first and only USB flash drive to meet the rigorous government security requirements of FIPS 140-2, Security Level 3.
  • Hardware-based AES 256-bit encryption in CBC mode.
  • Tamper-resistant and tamper-evident rugged metal case.
  • Secure management of encryption keys.
  • Anti-malware capabilities in hardware provide an unprecedented layer of protection from malware and prevent its spread onto enterprise and government networks.
  • AutoRun lock-down protects against worms.
  • Read-only mode prevents malware on infected hosts from infecting IronKey devices.
  • Trusted network restrictions prevent IronKey devices from unlocking on uncontrolled PCs.
  • Optional anti-virus/anti-malware scanning cleans the devices in the background.
  • Dual-channel architecture enables significant performance when writing large and small files to the drive.
  • Includes extended-life flash memory capable of running high-bandwidth applications such as data backups, virtual machines, or bootable mobile desktops.
  • Enterprise Management Cloud Service over the Internet for the enforcement of security policies, security and anti-malware updates, and the tracking and auditing of hundreds or thousands of devices.
  • Optional Enterprise Management Server that customers can host themselves.

IronKey FIPS 140-2, Level 3 Validation:

  • The IronKey S200 USB flash drive has been awarded FIPS certificate 1149.
  • IronKey S200 includes the ability to prevent intruders from gaining access to Critical Security Parameters (CSPs) held within the cryptographic module.
  • The physical security mechanisms required at Security Level 3 validate that IronKey thumb drives can detect and respond to attempts at physical access, use or modification of the cryptographic module.
  • IronKey includes the physical security mechanisms required for the validation, including the use of production-grade components, hard potting material to encapsulate the chip circuitry and a hard metallic enclosure.

Enterprise Management Service Enhancements:

  • Mac support for the Silver Bullet service provides remote wipe, comprehensive tracking and rich reporting capabilities.
  • Configurable time-out policy enables devices to be locked automatically after a specified period of inactivity.
  • Search capabilities help to locate device information by user name, email address, serial number or other specific information.
  • Enhanced backup and recovery capabilities from the previous Password Manager to the Identity Manager.
  • Management capabilities are available as cloud-based SaaS or on-premise server software for flexibility in meeting organizational requirements.

David Jevans, CEO at IronKey said: “As one of the world’s leading information security companies, IronKey is continually innovating to push the boundaries of security and ease of use. Our new IronKey S200 family of secure USB flash drives puts a whole new level of security into the hands of government, military and enterprise customers, at an affordable price. The IronKey S200 is the first and only USB flash drive to achieve the demanding FIPS 140-2, Level 3 security validation from NIST, giving even more proof that IronKey is the world’s most secure flash drive. We are also releasing a suite of new enterprise remote management capabilities, available over the Internet from the IronKey managed service, or from our enterprise server software that companies can install and operate themselves.”

Scott Crawford, research director for the security practice at Enterprise Management Associates said: “FIPS 140-2, Level 3 is most often associated with devices such as high-confidence security hardware typically found in the data center. To have implemented this in a USB form factor is a noteworthy achievement—yet is just one of the many measures IronKey has integrated with its products, which speaks to IronKey’s commitment to extending a distinctively high level of security to portable media devices.”

IronKey’s award-winning products and services combine the world’s most secure flash drive with the world’s most powerful USB management software. IronKey’s USB memory sticks bring the power of authentication, encryption, identity management and privacy to businesses and consumers in 23 countries. IronKey’s management software and associated services allow enterprises of all sizes, government agencies, the military, and other organizations to take back control of the mobile data that has been leaking out of their organizations due to the uncontrolled proliferation of USB drives. With IronKey, organizations centrally administer, remotely manage, and enforce policies on thousands of devices located anywhere in the world. Thousands of customers, including over 50 Fortune 500 companies, government agencies and military organizations that handle some of the most sensitive security information in the world trust IronKey to protect business critical data. IronKey products are FIPS 140-2, Level 3 validated. For more information, please visit www.IronKey.com.

<>

Napatech zero packet loss technology boosts data throughput

NEW NAPATECH PRODUCTS CHANGE THE RULES IN IN-LINE

ANDOVER, Massachusetts, July 2009 (Eskenzi PR) – Napatech today extended its range of In-line adapters to support 1 Gbps networks. The NT4E In-line and NT4E-STD In-line adapters provide full line-rate throughput at 1 Gbps with zero packet loss, no matter the packet size. This allows vendors of network appliances, such as Intrusion Prevention Systems (IPS) or WAN Optimization solutions, to build high performance products based on cost-effective, standard server platforms.

“This is not just a question of introducing new, more advanced network adapters. The NT4E and NT4E-STD change the rules of the game. It is no longer necessary to build proprietary hardware to achieve high performance. Cost-effective standard servers can be used with the NT4E and NT4E-STD providing the data processing horsepower and throughput to guarantee that all traffic can be analyzed at full line-rate, in real-time”, said Erik Norup, President Napatech Inc.

“We are witnessing a transition from 1 Gbps to 10 Gbps networks. But this does not mean that 1 Gbps is no longer interesting; quite the contrary. There will still be a need for in-line network appliances that monitor, analyze and secure the 1 Gbps links into 10 Gbps networks. One can expect that these links will be fully utilized requiring full 1 Gbps line-rate performance. In this regard, Napatech’s 1 Gbps network adapters are highly relevant”, said Roy Illsley, senior research analyst, Butler Group.

The NT4E In-line and NT4E-STD In-line adapters are ideal for OEM network appliance vendors in the network performance monitoring, network test, network security, financial trading and policy enforcement markets, especially those that require full 1 Gbps throughput. The NT4E-STD In-line adapter provides a cost-effective solution for customers who require accurate time-stamping and full line-rate reception and transmission of 1 Gbps data traffic with zero packet loss. The NT4E In-line adapter extends these features with advanced protocol and flow recognition, filtering and intelligent distribution of traffic processing across up to 32 CPU cores. An extensive software suite is provided for ease of integration, supporting Linux, FreeBSD and Windows.

Napatech is a leading OEM supplier of multi-port 10 GbE and multi-port 1 GbE intelligent real-time network analysis adapters. Napatech adapters provide full line-rate, real-time throughput with zero packet loss no matter the packet size. Intelligent features enable off-load of data traffic processing and packet analysis traditionally implemented in software or proprietary hardware. Napatech has sales, marketing and R&D offices in Mountain View, California, Andover, Massachusetts, and Copenhagen, Denmark. For more information visit www.napatech.com.

<>

ASUS Eee PCs and Linux

by Michael Smith (Veshengro)

Many readers may wonder why I have begun “attacking” ASUS, and they could be forgiven for thinking so, considering my recent articles, which some might consider negative. The truth is, though, that criticism of this nature is often the only way to have policies looked at again and – maybe, just maybe – changed.

Dropping Linux from the Eee PC (and ASUS products in general) is a bad idea. The Linux operating system is what makes and made the Eee PC what it is/was. Windows is no answer here at all, regardless of what some at ASUS seem to believe.

The only real choice of operating system for a Netbook is Linux. While some things do not always work straight away out of the box with Linux, so to speak, because driver code has not been shared with the developers (for mobile Internet dongles, for instance), on the Eee PC with ASUS' own version of Linux everything does and did work.

I have an Eee PC 900 (which I love) and everything works well and did so straight out of the box (bar the card reader, but then I do not really care on that front as I do not really use SD cards), and that includes the wireless LAN Internet connection.

ASUS claims that it abandoned Linux because people asked for Windows on the Netbooks instead of Linux, and that this is the reason for the “move”.

However, the better system for Netbooks – and not just for Netbooks – is Linux and that should have been the sales pitch in marketing the Eee PCs at least with Linux. It was, however, marketing that let down ASUS and the Eee PC.

It is true that people who have used Windows are “afraid”, for lack of a better word, often to use an alternative operating system (OS) even if that is a free one, and one that is superior, especially as far as Netbooks are concerned.

Linux boots fast and is stable in most environments; more than can be said for any version of Windows. But I do not mean to be Windows bashing.

The Netbook and Linux go hand-in-glove and are the ideal partners and ASUS had the right idea to start with and a winning combination. ASUS may, however, come to regret abandoning Linux in Netbooks, at least, if not more.

The latest Eee PC Netbooks are becoming small Notebooks/Laptops with 160GB hard disc drives (HDDs) rather than solid-state drives (SSDs). And while apparently still claiming great battery life, it would all be better still with the previous concept, that is to say, Linux. If something is not broken then, please, people, don't go and fix it – just market it better.

The right marketing has not been done, however, and still is not being done. Instead Linux is being abandoned.

How much Microsoft is paying to oust Linux is something that I would like to know, and many other people, I am sure, would too. Or for how little does Microsoft sell the OEM licenses in order to get Windows onto everything?

Dell, on the other hand, still sells Laptops and Netbooks with Ubuntu Linux installed, though on one of their websites they had marked Ubuntu down as “Microsoft Operating System – Linux Ubuntu”.

As there is absolutely nothing wrong with Linux on the desktop, whether on PCs, Laptop or Netbook, and Ubuntu, for example, is very intuitive and easy to use, the problem must lie (1) with marketing (but no reseller rewards in it, I guess) of Linux and (2) with the pressure that is put on manufacturers from the side of Microsoft.

I leave the reader to make up his or her mind here.

© 2009
<>

Information Commissioner's Office action against insurance firm

ICO action against insurance firm reminds us that encryption is now needed for all private data, says CREDANT Technologies.

July 2009 (Eskenzi PR) - Reports that the Information Commissioner's Office (ICO) has taken action against a Kent-based insurance company for failing to protect data on around 2,100 of its policy-holders reminds the industry of the need to encrypt private data, whether at rest or on the move, says CREDANT Technologies.

According to Andrew Kahl, the endpoint data protection specialist's Senior Vice President of Operations and co-founder, the insurance firm, part of Lloyds, lost an unencrypted disk holding the data, and has been instructed by the ICO to sign a 'formal undertaking' to enhance its data protection methods.

"The firm blamed the data breach - which involved data going back as far as ten years - on a lack of staff training and poor data handling procedures, but the reality is that all firms need to adhere to IT security policies involving encryption of staff and customers' personal data," he said.

"In addition, companies also need to enforce those encryption security policies using suitable IT systems. These systems act as an audit safeguard and can save companies money and embarrassment in the longer term," he added.

Kahl went on to agree with the ICO's comment that the case is a reminder that appropriate safeguards should be in place to protect personal information, which he said was very timely.

We are now 20 months on from when the Inland Revenue famously lost a CD-ROM containing the details of around 15,000 pension holders in the post between its Tyneside operation and an Edinburgh office, he explained.

Since that time, countless reports of data breaches and thefts have hit the headlines, again and again.

"The bottom line to all of this is that companies need to take care when handling private data. Data needs to be encrypted and the good news is that the technology required to do this need not cost the earth," he said.

For more on the ICO's action against the Kent-based insurance company: http://preview.tinyurl.com/kwptl2

For more on CREDANT Technologies: http://www.credant.com

<>

Finjan Blocks New Zero-Day Attack on Microsoft Video ActiveX Control

Farnborough, United Kingdom – July 2009 (Eskenzi PR) - Cybercriminals are targeting yet another vulnerability in a Microsoft product - the Microsoft Video ActiveX Control. The zero-day vulnerability that was found can be exploited via a malformed Web page.

The attack, which has already been spotted in the wild, enables remote code execution (RCE) on the targeted machine. By exploiting this vulnerability, cybercriminals are installing a data-stealing Trojan on the victim’s machine.

For more information about this zero-day attack and a snapshot of the actual code visit Finjan’s blog at: http://www.finjan.com/MCRCblog.aspx?EntryId=2300

Microsoft has just released an Advisory about this vulnerability: http://www.microsoft.com/technet/security/advisory/972890.mspx

Microsoft is currently working to develop a security update for Windows to address this vulnerability.

Web security products utilizing real-time code analysis technologies are the preferred solution to block such zero-day attacks. Yuval Ben-Itzhak, Finjan's CTO, explains, “Finjan customers are protected from this zero-day attack as Finjan’s Vital Security Web Gateway is able to detect the exploit and block the attack without prior knowledge of the specific technique.”

Finjan’s MCRC specializes in the detection, analysis and research of web threats, including Crimeware, Web 2.0 attacks, Trojans and other forms of malware. Our goal is to be steps ahead of hackers and cybercriminals, who are attempting to exploit flaws in computer platforms and applications for their profit. In order to protect our customers from the next Crimeware wave and emerging malware and attack vectors, Finjan MCRC is a driving force behind the development of Finjan's next generation of security technologies used in our unified Secure Web Gateway solutions. For more information please also visit our info center and blog.

Secure Gateway provides organizations with a unified web security solution combining productivity, liability and bandwidth control via URL categorization, content caching and applications control technologies. Crimeware, malware and data leakage are proactively prevented via patented active real-time content inspection technologies and optional anti-virus modules. Powerful central management enables intuitive task-based policy management, excellent drill-down reporting capabilities and easy directory integration for all network implementation options. By integrating several security engines in a single dedicated appliance, Finjan’s comprehensive and integrated web security solution enables quick deployment, simplified management and reduction of costs. Business benefits include real-time web security (no patches or updates needed), lower total cost of ownership (TCO), cost savings in administration efforts, lower maintenance costs, and reduction in loss of productivity. Finjan's security solutions have received industry awards and recognition from leading analyst houses and publications, including Gartner, IDC, Butler Group, SC Magazine, eWEEK, CRN, ITPro, PCPro, ITWeek, Network Computing, and Information Security. With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential. For more information about Finjan, please visit: www.finjan.com.

<>

Britney Spears hack highlights reputational risk of weak Web 2.0-based service passwords

Burlington, MA & Redwood Shores, CA, July 2009 (Eskenzi PR) – The apparent hacking of Britney Spears' Twitter picture service account, with consequent false reports of her death, is a reflection of the increasingly mischievous nature of a small, young, and probably immature, section of the Web user base, says Imperva, the IT compliance and business risk mitigation specialist.

"Mildly alarming as reports of Britney's premature demise were, they also came in the wake of incorrect Web reports from New Zealand of the actor Jeff Goldblum also having passed away," said Rob Rachwald, Imperva's director of marketing.

"What the complex online events leading up to the incorrect reports of the celebrity deaths spreading around the Web show us, however, is the sheer power of the Internet in terms of potential reputational damage," he added.

According to Rachwald, since Twitter's picture service currently only has a four-digit numeric password system, a brute force attack would be able to hack into the account in a matter of hours.

And, he says, as new Web 2.0 services evolve on the Net, the effort and focus of the application owners is going to be devoted to the fast availability of new features and commercial models.

As a result, he explained, the new services' IT security protection is likely to get left behind and will almost certainly not be integrated into the application.

For this reason, he went on to say, as well as being careful when it comes to setting secure passwords on these next-generation services, companies need to implement Web application firewalls alongside the services so as to afford better overall protection.

"The key issue here is that companies need to install additional security technology at the same time as they deploy these new Web 2.0-based services in their organisation," he said.

"This is because Web application firewalls and other protective Internet security systems are becoming more and more important, as they can compensate for internal security control issues," he added.
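The point Rachwald makes above is that a four-digit numeric password gives only 10,000 possibilities, so the protection has to come from a control placed in front of the login, which is the kind of compensating control a Web application firewall or the application itself can enforce. The following added example (not Imperva's, Twitter's or the picture service's code) shows an attempt-counting lockout in front of a PIN check and the arithmetic that explains why it matters; the lockout policy, the in-memory state and the injectable clock are constructed assumptions.

```python
"""Attempt throttling in front of a four-digit PIN.

Added example, not Imperva's or Twitter's code: a 10,000-value numeric PIN
cannot be made larger, so the control that matters is how many guesses a
caller is allowed per unit of time. The lockout policy, the in-memory
failure counter and the injected clock are constructed assumptions.
"""
import hmac
import time

PIN_SPACE = 10 ** 4  # four decimal digits


class PinAuthenticator:
    """Verifies a PIN and locks the account after repeated failures.

    The clock is injectable so the lockout can be exercised without sleeping.
    """

    def __init__(self, pin, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self._pin = pin.encode()  # a real service stores a salted hash, never the PIN
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0

    def verify(self, candidate):
        """Return 'ok', 'denied' or 'locked'; the result reveals nothing else."""
        now = self._clock()
        if now < self._locked_until:
            return "locked"  # refused even if the guess would have been right
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(candidate.encode(), self._pin):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= self.max_attempts:
            self._failures = 0
            self._locked_until = now + self.lockout_seconds
            return "locked"
        return "denied"


def exhaustive_guess_hours(attempts_per_second):
    """Hours needed to try every PIN when nothing limits the attempt rate."""
    return PIN_SPACE / attempts_per_second / 3600


def exhaustive_guess_hours_with_lockout(max_attempts, lockout_seconds):
    """Hours needed to try every PIN when each block of max_attempts costs one lockout."""
    windows = PIN_SPACE / max_attempts
    return windows * lockout_seconds / 3600


if __name__ == "__main__":
    print(f"unthrottled at 10 guesses/s: {exhaustive_guess_hours(10):.2f} h")
    print(f"5 attempts per 15 min lockout: {exhaustive_guess_hours_with_lockout(5, 900):.0f} h")
```

The lockout is per account and held in memory here; a deployed version keys the counter on the account (and usually the source address as well) in shared storage, and logs each lockout so that repeated ones surface in monitoring. Note that lockout alone can be turned into a denial of service against the legitimate user, which is why longer PINs or a second factor remain the better fix.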

For more on incorrect reports of Britney Spears' demise: http://preview.tinyurl.com/kn5m6a

Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit www.imperva.com.

<>

SecureFlash by Insight Promotions – Product Review

Review by Michael Smith (Veshengro)

This is one of the cheapest encrypted drives that I have reviewed so far. It is manufactured in the Far East, that is to say, China, but what is not these days?

The setup of the drive was extremely simple and only took a few minutes. Changing the password from the master, which in this case is “password”, to a new one is very simple and easy too.

The encryption engine is by encryptX® and works extremely well, though, like the great majority of these devices, with MS Windows only. We still need working devices of this kind on Linux.

While it is indeed true that Ironkey® now comes with Linux support, including Ubuntu from version Hardy Heron upwards, the great majority of encryption engines do not, as yet, work out of the box with Linux.

Unlike most, if not indeed all, hardware-encrypted USB and other drives, where the files are hidden until the drive is opened by the encryption engine, here they can be seen, even their descriptions, but they cannot be opened without the password.

encryptX®, a BeCompliant Company, provides encryption and compliance solutions that protect data, devices, and email communications. Over 100 large corporations, thousands of small/medium businesses, numerous government agencies, and 20 million consumers worldwide use encryptX products to secure their devices, data and email.

Could this stick be hacked? Probably, but then again there is no 100% security. Total and absolute security is an illusion, though many fall prey to the idea that it is a fact.

For the little price tag that this drive has got – just a little above a normal unencrypted drive – this is a good option for those who want a high enough degree of security and encryption for their removable disks without, necessarily, wanting to fork out for the likes of the Cruzer Enterprise from SanDisk or the Blockmaster Safestick (both in the 30 GBP range for the 1GB drives) or higher, such as Ironkey.

The devices at the higher price range do offer additional features such as device control, etc., that you do not get with this encrypted drive, but then again you get what you pay for in many cases, and here you get a basic AES-256 hardware-encrypted USB drive which, from the make, I assume to be an MLC device, for a good price.

One other thing that is different from all other AES-256 hardware-encrypted drives that I have handled so far – aside from the Kingston DataTraveler Vault, where the vault is launched as and when – is that the SecureFlash drive from Insight Promotions does not launch and mount two drives. There is just one. How that is achieved I do not know but, I must say, I like it.

To recap, the device is easy to use, sets up very quickly and simply, launches quickly and, while the files are visible, encrypts them on the fly. A great secure drive for the price conscious. Maybe we could sell the British government a few thousand of them.

© 2009
<>

Tufin delivers first-to-market functionality with new Automatic Policy Generator (APG), dramatically simplifying firewall policy creation and optimization

Innovative, Patent-Pending Add-on to SecureTrack Significantly Expands the Scope of its Award-Winning Automated Policy Management Solution

London, June 2009 (Eskenzi PR) - Tufin Technologies, the leading provider of Security Lifecycle Management solutions today announced the immediate availability of the Tufin Automatic Policy Generator (APG), an innovative extension of its SecureTrack firewall operations product. By extending SecureTrack to provide automatic policy generation, Tufin enables security operations teams to “bake security in” to network security operations, and in doing so, reduce a significant cause of operational and audit complexity at its source. Native to SecureTrack, the APG is also part of the new version of the Tufin Security Suite (TSS) version 5.0.

“Automating the creation of optimized firewall rule bases is critical to establishing an accurate baseline for increasing network security and reducing operational costs,” said Eric Ogren, principal analyst of the Ogren Group. “Well defined firewall rules lower the risk of creating holes in network security, eliminate many of the business disruption issues that can accompany firewall deployments, and reduce the number of costly support calls. Automation ensures that firewall rule bases act on the intelligence discovered from actual observed business traffic.”

Automatic Policy Generation: Expanding end-to-end Security Lifecycle Management

The Tufin Automatic Policy Generator (APG), a breakthrough SecureTrack feature, enables administrators to automatically generate a firewall rule base through analysis of firewall log usage. Powered by Tufin’s patent-pending Permissive Rule Analysis technology, SecureTrack’s APG “watches” firewall traffic for a set period of time, and then automatically generates a refined, accurate and specific rule base optimized to permit business critical traffic.

The infamous 'Any' objects in the firewall rule base, signifying any potential traffic in the source, destination or service, are replaced with actual network addresses and services, eliminating overly permissive rules that increase the risk of unauthorized or curious users gaining network access they should not have. The APG can be utilized with all network firewall vendors.

The APG can be used to easily integrate a firewall into a non-firewalled network segment with minimal business disruption. By eliminating the business continuity issues that often come with new firewall deployments, operations teams can secure open network segments in a non-invasive way and retain continuous availability for network services. The ability to painlessly firewall internal network segments also reduces the need to implement potentially questionable or weak compensating controls that might be used for relevant PCI or other compliance requirements.
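The mechanism described above (observe which flows actually hit a permissive rule for a period, then emit rules naming only those sources, destinations and services) can be shown in a few dozen lines. The following is an added example, not Tufin's code and not its Permissive Rule Analysis implementation: the key=value log format, the Rule model and the sample log lines are constructed assumptions, and the rule ids and addresses are made up.

```python
"""Permissive-rule analysis from firewall logs.

Added example, not Tufin's code: it models the idea of watching which flows
hit an "Any" rule and then emitting specific rules in its place. The log
format, the Rule model and the sample lines are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of accept-log lines. Rule 7 is the permissive
# "src any, dst any, service any -> accept" rule being refined.
SAMPLE_LOG = """\
rule=7 src=10.1.1.5 dst=192.168.20.10 proto=tcp dport=443
rule=7 src=10.1.1.6 dst=192.168.20.10 proto=tcp dport=443
rule=7 src=10.1.1.5 dst=192.168.20.11 proto=tcp dport=22
rule=7 src=10.1.1.5 dst=192.168.20.10 proto=tcp dport=443
rule=3 src=10.1.2.9 dst=192.168.30.5 proto=udp dport=53
rule=7 src=10.1.1.7 dst=192.168.20.12 proto=udp dport=514
this line is malformed and is skipped by the parser
"""


@dataclass(frozen=True)
class Rule:
    """One allow rule. sources is a sorted tuple of addresses, or ("any",)."""
    sources: tuple
    destination: str
    service: str  # "any" or "<proto>/<port>"
    action: str = "accept"

    def is_permissive(self):
        """True if any field still uses the catch-all 'any' object."""
        return "any" in self.sources or self.destination == "any" or self.service == "any"


def parse_log(text):
    """Yield one dict per well-formed key=value log line; skip the rest."""
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        try:
            yield {
                "rule": int(fields["rule"]),
                "src": fields["src"],
                "dst": fields["dst"],
                "service": f"{fields['proto']}/{fields['dport']}",
            }
        except (KeyError, ValueError):
            continue  # missing field or non-numeric rule id


def generate_rules(log_text, permissive_rule_id):
    """Return (rules, hit_count): specific rules replacing one 'Any' rule.

    Hits are grouped by (destination, service); every source seen for that
    pair joins the new rule's source set. Lines logged against other rule
    ids never matched the permissive rule and are ignored.
    """
    seen = defaultdict(set)
    hit_count = 0
    for entry in parse_log(log_text):
        if entry["rule"] != permissive_rule_id:
            continue
        hit_count += 1
        seen[(entry["dst"], entry["service"])].add(entry["src"])
    rules = [
        Rule(tuple(sorted(srcs)), dst, svc)
        for (dst, svc), srcs in sorted(seen.items())
    ]
    return rules, hit_count


def render(rules):
    """Format rules the way a reviewer would read them before deployment."""
    return "\n".join(
        f"{r.action:7} src={','.join(r.sources)} dst={r.destination} svc={r.service}"
        for r in rules
    )


if __name__ == "__main__":
    before = Rule(("any",), "any", "any")
    after, hits = generate_rules(SAMPLE_LOG, permissive_rule_id=7)
    print("before:\n" + render([before]))
    print(f"\n{hits} hits on the permissive rule refined into {len(after)} rules:")
    print(render(after))
```

Two caveats a practitioner would add to this approach: the observation window must be long enough to capture periodic flows (a quarterly batch job that never appears in the logs is silently blocked once the 'Any' rule is gone), and the generated rules should be reviewed before deployment, since any unwanted traffic that was already passing through the permissive rule during the window is faithfully turned into an explicit allow.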

“It’s said that an ounce of prevention is worth a pound of cure, and we have taken that to heart with the APG Add-on,” said Shaul Efraim, VP Products, Marketing and Business Development, Tufin Technologies. “With the APG, we have introduced automation at a very important and operationally critical juncture – the beginning of the lifecycle - delivering on our vision for end-to-end policy management. We’re grateful for the strong customer and channel relationships we have established – it’s their feedback that has enabled us to deliver functionality that continues to raise the bar for our class of solutions.”

Tufin has published a white paper on the Automatic Policy Generator, which is available for download at www.tufin.com/APG.

Tufin SecureTrack™ is the market-leading Security Lifecycle Management solution. SecureTrack enables organizations to enhance security, reduce service interruptions and automate day-to-day tasks through powerful firewall management capabilities and reporting. SecureTrack helps security operations teams to control and manage policy changes, analyze risks, and ensure business continuity and allows managers to easily understand the big picture and align operations with corporate and government security standards.

Tufin Technologies is the leading provider of Security Lifecycle Management solutions that enable large organizations to enhance security, ensure business continuity and increase operational efficiency. Tufin's products SecureTrack™, SecureChange™ Workflow, and the Tufin Security Suite™, help security operations teams to manage change, minimize risks and dramatically reduce manual, repetitive tasks through automation. Tufin’s open, extensible architecture enables any company with best of breed applications, devices and systems to take advantage of Tufin’s unmatched policy optimization, change management, and auditing capabilities. With a combination of accuracy and simplicity, Tufin empowers security officers to perform reliable audits and demonstrate compliance with corporate and government standards. Founded in 2005 by leading firewall and business systems experts, Tufin now serves more than 325 customers around the world, including leading financial institutions, telecom service providers, transportation, energy and pharmaceutical companies. For more information visit www.tufin.com, or follow Tufin on: Twitter at http://twitter.com/TufinTech,
LinkedIn at http://www.linkedin.com/groupRegistration?gid=1968264,
FaceBook at http://www.facebook.com/home.php#/group.php?gid=84473097725
The Tufin Blog at http://tufintech.wordpress.com/

<>

Tufin Technologies Delivers on the vision of Security Lifecycle Management with Tufin Security Suite (TSS) 5.0

TSS’ distributed deployment architecture, new workflow GUI and Tufin Open Platform APIs provide organisations with an automated, flexible, and highly robust platform to create, monitor, manage and audit network security policies

London, June 2009 (Eskenzi PR) - Tufin Technologies, the leading provider of Security Lifecycle Management solutions today announced a new release of its Tufin Security Suite (TSS). Version 5.0 elevates TSS from an integrated offering of Tufin’s award-winning SecureTrack and SecureChange Workflow product set to a robust, flexible and fully automated security and network policy management platform.

The significant innovations to the TSS architecture and workflow interface, combined with new functionality provided by the Automatic Policy Generator (announced today in a separate release), have provided Tufin with the foundation to deliver on its vision of Security Lifecycle Management: a cohesive framework for centralized network security policy management.

“Simplicity is the best antidote for complexity, which in the world of security operations, takes the form of automation and ease of use,” said Richard Stiennon, chief analyst of IT-Harvest. “What makes delivering that automation easier said than done is two things: the need to introduce it into the environment without creating new management complexity, and to be able to adjust it as needed based on business or regulatory requirements. Tufin has been consistent in delivering solutions that tackle these industry challenges head on, and this release is a huge step forward in extending its success beyond firewall operations.”

TSS 5.0 – End-to-end Security Lifecycle Management

TSS 5.0 enables administrators to accomplish more, with additional security and in less time. As the company and market continue to evolve, the architecture, usability, and functional innovations introduced in TSS 5.0 provide the foundation required for Tufin to extend its award-winning automation and management to any network device. These innovations include:

  • Automatic Policy Generation – True to its name, Tufin’s Automatic Policy Generator (APG) automates the creation of optimized rule bases for new and existing firewall deployments. This not only eliminates the risk introduced by overly permissive policies without impacting business continuity, it reduces future complexity that comes over time by ensuring the initial rule base is optimized from day one.
  • Distributed Deployment Architecture - For organizations spread across multiple data centers or a single large data center, TSS now supports a distributed deployment architecture, meaning that multiple TSS appliances can be centrally managed from a single console. By providing a flexible, distributed deployment architecture, Tufin Security Suite installations can scale to support any size organization while reducing the total cost of ownership and maintaining ease of deployment of its award-winning solutions.
  • New Workflow Interface – Tufin’s workflow engine is the core of its SecureChange Workflow product, a change management solution designed specifically for security and network policy change requests. Using Tufin’s re-engineered, user-friendly workflow GUI, organizations can easily and intuitively design an unlimited number of fully customizable policy changes with tight integration with directory services (such as Microsoft Active Directory) and proactively manage incoming change tickets with risk analysis, business continuity and compliance information.
  • Tufin Open Platform (TOP) – TOP is both an industry-wide alliance of leading security and networking vendors and the management framework for delivering open, multi-vendor Security Lifecycle Management. Purpose-built to enable streamlined, policy-driven network and security management, Tufin’s open architecture supports and expedites third party interoperability with TSS and helps joint customers to be better equipped to manage day-to-day operations of today's complex, intertwined, dynamic networks. TOP was formally launched last month with support for Check Point, Cisco, Juniper, Fortinet, F5 and Blue Coat.

More alliance partners will be announced over the coming months.

“The launch of TSS 5.0 heralds a huge step forward in delivering on our vision of security lifecycle management by extending our ability to automate policy management for any device in an organization's network security eco-system”, said Ruvi Kitov, CEO, Tufin Technologies. “We have been able to execute on such a broad vision in a short period of time by maintaining a tight, laser-like focus on our fundamental mission -- to make security administrators’ lives easier while reducing operational costs. At the end of the day, that’s what drives both our roadmap and our decision making process.”

Pricing and Availability

TSS 5.0 will be Generally Available in August 2009. Pricing starts at $20,000.

Tufin Security Suite™ (TSS) is the industry’s first comprehensive Security Lifecycle Management solution. Seamlessly integrating its award-winning SecureTrack and SecureChange Workflow solutions into an open, extensible and distributed architecture, TSS features full interoperability with Check Point, Cisco, Juniper, Fortinet, F5 and Blue Coat. TSS provides the capacity to automate security policy management for any device in the Security Lifecycle Management eco-system, enabling organizations to reduce the cost of security operations and compliance while increasing operational efficiency, tightening network security, and ensuring business continuity.

<>

Google's Anti-Malvertising.com Site Launch Welcomed by Finjan

Farnborough, United Kingdom, June 2009 (Eskenzi PR) – Finjan, a leader in secure web gateway products and the provider of a unified web security solution for the enterprise market, has welcomed the launch of Anti-Malvertising.com by Google to assist its advertisers in spotting potential providers of malicious advertisements.

In total, 45,857 unique malicious, advertising, and potentially unwanted programs were detected on users' computers in March 2009 alone, according to Kaspersky Security Network.

"The launch of the new site by Google is not before time, however, as we originally identified the problem way back in our Q1 2007 Web Trends Security Report," said Yuval Ben-Itzhak, Finjan's chief technology officer.

This tidal wave of malware has become so overwhelming, that even Google has created a custom search engine - Anti-Malvertising.com - designed to help ad network customers conduct quick background checks. It researches a variety of independent, third party sites that track possible attempts to distribute malware through advertising.

This is a trend that Finjan's Malicious Code Research Center has followed and reported on during 2008, such as the high-volume banner ad server that delivered infected banner ads to many of the 14,000-plus web sites registered to receive ads. The attack employed the random JS toolkit, a crimeware Trojan that infects the end user's machine and sends information back to the hacker.

"With the automation of crimeware, the rise in all malicious code will increase exponentially and endanger both an advertiser's brand as well as their customer's PCs," explained Yuval Ben-Itzhak, CTO of Finjan.

Advertisers will have to be vigilant to ensure that their ads are malware free both in the creation of the advertisements as well as the delivery.

Businesses should employ a Secure Web Gateway utilizing real-time content inspection technologies to protect their valuable assets from today's Web 2.0, ads and other malicious content being served on compromised legitimate sites.

For more on Google's news service: http://www.anti-malvertising.com/about

For more on Finjan's report: http://www.finjan.com/trendreports

For more on Kaspersky's report: http://www.kaspersky.be/en/virus-news/monthly-malware-statistics-march-2009.html

<>

Six pound broadband tax planned for UK telephone users

Government plans £6 a year levy on fixed telephone lines to boost broadband funds

by Michael Smith (Veshengro)

The British government plans a £6 (US$ 8.50) annual tax on everyone with a telephone line in order that rural and remote areas of the country can access next generation broadband.

The levy on copper lines is expected to raise about £150-175m per year, which will be put into the Independent Next Generation Fund.

This will be administered by Ofcom, the telecommunications regulator, and the money will fund part of a subsidy to ensure operators roll out super-fast broadband – with speeds of up to 100 Mbits/sec – to the third of UK homes where it is considered commercially not viable to roll out these services.

The majority of places do not, as yet, seem to get anything of the order of this speed, including where I live, not far from London, for, as soon as you are more than a mile or so away from your telephone exchange on the current copper wire system, nothing more than about 1Mbits/second works. The talk of 8Mb/sec or more is only feasible if one lives in the centre of a town near the exchange and has optical lines.

The broadband tax plan has been unveiled in Lord Carter’s “Digital Britain” report, and he said placing a 50p per month levy on all copper lines was the “fairest” way of ensuring everyone benefited from fibre-based next generation services.

These services, which can deliver multimedia content such as TV and movies, are seen as vital to boost the UK’s economy. They are also expected to provide essential access to Government services.

However, the Internet Services Providers' Association (ISPA) was critical about the levy.

“ISPA welcomes the government efforts to encourage investment in infrastructure to create a competitive market for high-speed broadband for consumers. ISPA notes that the proposal to place a 50p per month levy was enabled by the 'historic fall in telecoms prices'. In effect customers and the ISP industry are being penalised for successfully bringing prices down.”

The report also, as expected, outlined the promised Universal Service Commitment (USC) to ensure every home in the UK can access a 2 Mbits/sec service by 2012. Unlike the proposals in the interim report published at the end of January, the proposed 2Mbits/sec is not a headline or ‘up to’ speed.

Lord Carter said: "The 2Mbit/s USC will be a floor rather than a ceiling – a kind of technological minimum wage."

This will be financed mainly through public funds including an estimated £200m surplus from the Digital Switchover Help Scheme.

Other contributions will come from private partners and money from other public sector organisations. Consumers themselves may also have to pay out by resolving any wiring issues in their homes.

However there were widespread criticisms of the proposals.

Michael Phillips, product director of price comparison site, BroadbandChoices said: "A 2Mbits/sec commitment is a pretty underwhelming aspiration given the rest of Europe already experiences over 6Mbits/sec as an average."

In some parts of Europe, such as some places in Sweden, the broadband speed now exceeds the 25Mbits/sec rate at a cost that is even lower than what I, for instance, pay for the 1Mbits/sec service that I am getting at present. However, nobody should think that there is a download speed of 1Mbit/sec in that. The maximum that can ever be achieved here is somewhere around 110-118Kbits/sec when downloading a file. Not much, is it?

One can but hope that all of this is not just another stealth tax from the British government with which to fleece the people.

© 2009
<>