Virus Warning Emails

Unsubstantiated rumors that are being passed on

by Michael Smith

Time and again we see the Internet swamped with people passing around “virus warnings” by email, and on non-technical forums of various kinds, which state that the information came from this or that anti-virus software company, or that one of their associates got it from there, that the report is also “Snopes verified”, and then always claim that, if one clicks on a link in an email with this or that title, a virus is released that wipes the entire contents of the computer.

Those are then headed “Computer Danger – Please Read!” or something similar and, as mentioned above, make those claims, along with the claims that the information came from this or that company and that it is verified on “Snopes”.

Such emails are like the chain letters of the “Bill Gates wants to share his billions with you” kind, and they clog up systems just as all spam mail does.

The truth is that while it is very possible indeed to release a virus, Trojan, worm or other kind of malware by clicking on links in emails, or even simply by opening an email that comes with a payload, the virus designed to destroy hard drive contents is hardly ever seen nowadays; in fact there has not been one of those for years now.

The aim of today's virus and malware creators is not to show what they can do by destroying a PC and its contents; their aim is to extract data from personal computers, and especially from company networks, for financial gain, such as passwords and complete identities.

Thus the malware creator of today is not interested in destroying the contents of your computer; far from it. The primary thing he is interested in is that his little program can remain on a PC or a network undetected for as long as possible, in order to phone home with the information it is programmed to gather. It is this information that the writers, or those the writers sell the virus kit to, want to gather and sell on to other criminals to exploit.

The virus writer of old often had only one intention, and that was to get his virus noticed once it had got onto the computer(s), by having the program destroy information or, in some cases, hold information captive until those who wanted it back paid a ransom. This is no longer the case today. Hence anyone talking about viruses in the wild that are out to destroy your PC is talking a lot of bull dust, as the Australians would say.

Most infections today also no longer rely on emails – though some people still try – but on “drive-by shootings”, where the infection is downloaded automatically simply by visiting a website, genuine or spoofed.

Even one or two anti-virus software companies' own sites have been injected with malware that downloaded to computers in this manner when people visited their totally legitimate sites.

So, the adage must remain to “be careful out there” on the Net and to have adequate protection software and, most importantly, software that is updated on a daily basis.

Anti-virus software, firewalls and other such programs are a must.

While some people keep on about the need to keep the Windows system always patched with the latest patches from Microsoft, I have found that many of those downloads have caused havoc to my system, and I would rather keep ports secure and run all the protection software that I can run (all of it free), updated as regularly as possible.

Both BitDefender and ThreatFire, for instance, check for updates at two-hourly intervals, and while this can be annoying, as the system may run a little sluggishly while such checks and updates are applied, it ensures that the system is protected.

If one wants to avoid, with a 99% chance, virus and malware attacks on a computer, one had best run an operating system that is not from Microsoft.

I know that people will now look and say “but Apple Mac is too expensive”, to which I say (1) you are right and (2) those that know me will know I am not talking Apple Mac. I am talking Linux, and all Linux distributions, whether Ubuntu, Fedora or whichever, are free to obtain. In the case of Ubuntu the distributor, Canonical Ltd., will even send you a CD free of charge if you do not wish to download the ISO and burn it yourself.

Yes, Linux does not – as yet – work with every bit of hardware and software but we are getting there, slowly but surely.

In conclusion, let me stress once again that while we must be careful on the Net, and especially must not open any emails that we are not sure about once they have been downloaded onto the PC via an email client, viruses that destroy your hard drives are nowadays about as rare as gold dust on the streets of London.

© M Smith (Veshengro), January 2009
<>

9 Steps to halt Data Breaches

By Alan Calder, Chief Executive of IT Governance Limited

Alan Calder, Chief Executive of information security experts IT Governance Limited, looks at how complying with the requirements of data protection legislation is a key challenge for organisations. Companies have for too long been ignoring the importance of protecting data, and urgent attention to both the spirit and the letter of the law is required, especially as a much tougher regulatory regime is now coming into place. The only way to avoid these dangers is to take steps.

The high-profile data-handling fiascos of recent months have underlined the importance of data protection. The loss of millions of child benefit records by HM Revenue and Customs, the mislaying of laptops and security dossiers by MoD staff, and the recent disclosure of BNP members’ details are all part of the same problem: institutional failures to define and implement basic compliance procedures in line with the requirements of the Data Protection Act (DPA).

Complying with the requirements of the DPA – the core UK legislation around data protection – is a key challenge for Whitehall departments and commercial organisations alike. A much tougher regulatory regime is now coming into place, which builds on the major fines recently levied by the Financial Services Authority, such as the £980,000 penalty served on the Nationwide Building Society and the £1.26 million fine incurred by Norwich Union, both criticised for failing to adequately protect personal data. Added to this, there is the recently passed Criminal Justice and Immigration Act, which brings in a regime of ‘substantial’ fines for organisations that fail to meet their compliance obligations.

The IT Governance Data Breaches Report identifies that spectacular data breaches are not caused by the misdemeanour of a junior employee but arise, rather, from systemically inadequate information security arrangements at the organizations where the incident occurs.

The Attrition database of data loss and data theft incidents shows a ten-fold increase in the number of reported data breaches – in the US, the UK and across Europe – since 2004. The peaks in reported data breaches following the disclosure of nationally significant breaches, such as the UK’s HMRC data loss, suggest that there were – and probably still are – many data breaches that go unreported, and research suggests that organisations are reluctant to officially report data breaches unless they have already been exposed. The evidence suggests that waiting to be found out is not the best strategy.

Data protection is receiving so much attention for three reasons.

First, identity theft is a low-risk, high-return option for organised crime. Traditional crime, including violent robbery and theft, has clearly identifiable risks: it is easy to be recorded on video by CCTV, seen by witnesses or caught by means of DNA, and the returns are relatively low. High-tech crime creates real problems for the police force and is, conversely, relatively low-risk for the criminal. Contributing factors include the perpetrator’s anonymity, the speed at which crimes can be committed, the volatility or transience of evidence, the trans-jurisdictional nature of cybercrime and the high costs of investigation.

Second, legal and regulatory compliance initiatives, such as the EU Data Protection Directive and California's data breach disclosure law, SB1386, have both formalised the concept that personal data must be legally protected and introduced penalties for failing to do so. The recent amendments to the UK Data Protection Act (DPA), and changes to regulatory activity across the EU that are introducing significant financial penalties for non-compliance with the Directive, make this a particularly urgent issue for UK organisations.

Third, the proliferation of mobile data storage devices – laptops, USB sticks, PDAs – has changed the boundaries of where we store our data and effectively eliminated "fixed fortifications" as an effective tool for preventing data breaches.

The Ponemon report (2007) commented that “the investment required to prevent a data breach is dwarfed by the resulting costs of a breach” and that “the return on investment (ROI) and justification for preventative measures is clear”. The costs of data breaches – legal costs, the costs of restitution, brand damage, lost customers and so on – are significant; for financial services organisations, the cost was about £55 per compromised record. Whilst not a matter of legal compliance, if an organisation has a credit card-related data breach and is found not to be in compliance with the Payment Card Industry Data Security Standard (PCI DSS), there are potentially severe contractual and financial penalties, including a bar on the business accepting payment cards.
All these factors make the protection of personal data a key business and compliance responsibility. There are nine key steps that every organization should take:

As a minimum:

1. Encrypt all personal data on laptops; whole disk encryption is a more secure solution than folder or file level encryption, and FIPS 140-2 is the recognised standard for encryption engines.

2. Encrypt all removable and portable media that might contain personal data, including USB drives, CD-ROMs and magnetic backup tapes.

In addition:

3. Establish rigorous procedures to ensure the physical destruction of redundant computer drives, magnetic media and paper records prior to disposal, and ensure that disposals are made in line with a formal data retention timetable.

4. Organisations that accept credit and other payment cards should also comply with the PCI DSS.

5. Provide regular training and awareness on legal responsibilities for all staff that deal with personal data.

6. Deploy outbound channel (email, instant messenger) filtering software with customised dictionaries for relevant legislation such as the Data Protection Directive, PCI, etc.

7. Establish a vulnerability patching programme and implement anti-malware software.

8. Implement a business-driven access control policy, combined with effective authentication.

9. Develop an incident management plan that enables the organisation to respond effectively to any data breaches.

IT Governance Ltd is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Alan Calder is chief executive of IT Governance Limited, the one-stop-shop for information security books, tools, training and consultancy. He is author of ‘Data Breaches: Trends, Costs and Best Practices’. The report is available from www.itgovernance.co.uk/products/1615

Courtesy of Infosecurity PR
<>

Check your spelling

Mistyped URLs can land you in hot water, explains Greg Day, security analyst at McAfee

Just when you thought you were on top of the risks online another threat presents itself. Twenty years ago we learnt that infected floppy disks could spread viruses so we learned how to deal with that. Then we got used to social engineering techniques and stopped clicking on every link or file we were sent. But the evolution of threats didn’t stop there and we have since been learning to deal with spam, phishing and other online scams, to make sure that our personal information is not being targeted. However, that’s not the end of it as even our own spelling errors can land us in trouble, with typosquatters just waiting for us to make mistakes.

Typosquatting is the term used to describe how malicious-minded Internet fiends prey on those of us who mistype web addresses, registering common misspellings of popular domain names and products in order to redirect those who make mistakes to alternative websites. In fact, a typical person misspelling a popular URL has a 1 in 14 chance of landing at a typosquatter site.

These sites – run by the typosquatters – then generate click-through advertising revenue, lure unsuspecting consumers into scams, harvest email addresses in order to flood unsuspecting Internet users with unwanted email and can even result in malware infections. This just goes to show that when it comes to keeping yourself secure on the Internet, it’s an ever-moving target and there is a real need to continuously question the validity of sites and sources in order to maintain your Internet safety.

The use of URLs that look like the real thing but are in fact far from it should come as no real surprise. Just as phishing emails replicate valid messages from banks and the perpetrators of malware attempt to make you download a file by claiming it is something that will appeal to you, the bad guys out there know what the average Internet user is interested in and what will appeal to the greatest number of surfers.

This tactic is no different to physical retailers trying to pass off fake goods as something altogether more legitimate. It’s important to learn what to look out for, as at worst, typosquatting can lead to innocent computer users becoming the victims of online scams or “get rich quick” tricks.

If your business has an online presence, the danger is that your customers may unwittingly be lured from your site to one that may well look similar at first glance but is far from it. A recent example of a brand that has been targeted by typosquatters is the iPhone – although it was released fairly late in 2007, it was predicted that by the end of that year there would be approximately 8,000 URLs using “iPhone”. Gaming sites and airline sites also emerged as being highly squatted.

So with the way that online villains constantly change their approach to try to trick us, how can we maintain good security and protect our identity? Well, the reality is that those bad guys are always trying to stay one step ahead of us, but we don’t need to let them. The bottom line is that if you’re not sure of the URL you’re looking for, you’re far safer using a search engine than trying to make a guess. If we stay alert, are careful with the information we share and the websites we visit, and also use security technology to block or highlight risks, there is no reason why we can’t continue to get the most out of the Internet. With the right approach, the Internet can continue to play a pivotal role in our lives and we can protect our friends and families from those who will continue to try to trick us.
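The advice above (use a search engine rather than guess a URL) can be backed by a defender-side check: flag a typed hostname that is one edit away from a domain on an organisation's own list of expected sites, which is exactly the “1 in 14” near-miss the article describes. The following is an added example, not McAfee's or the author's code; the `KNOWN_GOOD` list and the sample hostnames are constructed for illustration, and a real deployment would load its own domain list.

```python
"""Near-miss hostname check for the typosquatting risk described above.

Added example, not code from McAfee or the article's author. KNOWN_GOOD and
the sample hostnames are constructed for illustration.
"""
from typing import Optional, Sequence

# Constructed watch list: domains the user actually intends to reach.
KNOWN_GOOD: Sequence[str] = ("example.com", "mybank.co.uk", "infosec.co.uk")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.

    Counts insertions, deletions, substitutions and transpositions of two
    adjacent characters, each at cost 1: the four ways a URL is usually
    mistyped ("exmaple", "exampel", "exampl", "exanple").
    """
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def normalise_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    'WWW.Example.com.' compares equal to 'example.com'."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def near_miss(host: str, known: Sequence[str] = KNOWN_GOOD,
              max_distance: int = 1) -> Optional[str]:
    """Return the known-good domain that `host` closely resembles, or None.

    None means either an exact match (nothing to warn about) or a hostname
    that is not within `max_distance` edits of anything on the list.
    """
    h = normalise_host(host)
    if h in known:
        return None
    best, best_dist = None, max_distance + 1
    for good in known:
        dist = osa_distance(h, good)
        if dist < best_dist:
            best, best_dist = good, dist
    return best


if __name__ == "__main__":
    # Constructed sample of typed hostnames, as a user or a proxy log might present them
    for typed in ("exmaple.com", "examples.com", "WWW.Example.com",
                  "mybank.co.uk", "mybnak.co.uk", "totally-unrelated.org"):
        hit = near_miss(typed)
        print(f"{typed:24s} -> {'looks like ' + hit if hit else 'no warning'}")
```

The check deliberately returns nothing for an exact match and for unrelated names, so it can sit in front of a browser, proxy or DNS log without producing noise; raising `max_distance` to 2 widens the net at the cost of more false positives on short domains.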

McAfee International Ltd is exhibiting at Infosecurity Europe 2009, Europe’s number one dedicated Information security event. Now in its 14th year, the show continues to provide an unrivalled education programme, the most diverse range of new products & services from over 300 exhibitors and 12,000 visitors from every segment of the industry. Held on the 28th – 30th April 2009 in Earls Court, London this is a must attend event for all professionals involved in Information Security. www.infosec.co.uk

Source: Infosec PR
<>

Interxion to sponsor Datacentre World Conference and Expo

Platinum sponsorship of one of the UK's leading events on datacentre management

Interxion, a leading European operator of carrier-neutral datacentres, today announced its platinum sponsorship of the annual Datacentre World Conference and Expo event, taking place 24th-25th February, 2009 at the Barbican Exhibition Halls in London. The conference is the UK’s largest datacentre event.

As an element of its support for the event, Interxion will also be providing two leading industry figures to deliver keynote addresses on the latest challenges facing the sector. Anthony Foy, Interxion Group Managing Director, will be discussing the impact of the credit crunch on European infrastructure hosting strategies. And Lex Coors, Interxion VP Datacentre Technology & Engineering, will outline how organisations can optimise their datacentre efficiency by improving power usage efficiency (PUE) ratios.

"The Datacentre World Conference and Expo provides a vital forum for sharing best practice on current challenges like the credit crunch and emissions management,” said Anthony Foy, Group Managing Director. “By sharing the experience we have gained serving our customers across Europe, we aim to help attendees meet these challenges while improving their application availability and connectivity.”

The conference is free to attend and will cover case studies, technical implementation papers, migration issues and scalability. Over the two days 30 sessions will be presented that will focus on the key topics of interest to professionals planning, managing or hosting a datacentre.

Interxion is a leading European provider of carrier-neutral datacentres. Headquartered in Schiphol-Rijk, The Netherlands, Interxion serves its customers from 24 carrier-neutral datacentres located in 13 cities across 11 European countries. Interxion serves network and carrier-based, hosting and enterprise customers who require professionally managed and strictly controlled physical environments within which to operate mission-critical applications and computer systems. Interxion’s datacentres offer cost-effective and fast access to multiple local and global communication networks. For more information please visit www.interxion.com

Source: Spreckley Partners Ltd
<>

12 tips that IT security experts use to shop safely online

By Andy Dalrymple – Managing Consultant - Information Risk Management, Global Secure Systems (GSS)

Despite the carnage that the credit crunch has wreaked on the High Street, online retail demand remains strong and is projected to grow into 2009 as economic conditions remain tight and competition between web retailers for our online spend heats up.

An early indication of this counter-cyclical trend was the significant growth of Christmas Day online trade in response to early January sales and the deep discounts available online from traditional High Street vendors.

The credit crunch, however, has also had the effect of bringing more scammers onto the internet than ever before.

As scammers become more sophisticated and people become more desperate to find ways to make money during the recession, consumers shopping online need to become more vigilant and wary of the pitfalls out there. As an IT security expert who shops frequently online, I have outlined some of the basic internet security measures and “must do’s” that we in the IT security industry adhere to in order to shop safely online and avoid falling foul of the many scammers, exploiters and opportunists who are all too ready to pounce!

The twelve golden rules to safely shopping online:

Rule One: Most Malware exploits are known problems with software and operating systems. The hacker, or code writer, is relying upon people being lazy and not keeping systems up to date. For this reason it is very important to keep your anti-virus product up to date with the latest signature files (this usually happens automatically in the background with most commercial anti-virus products) and operating system updates from Microsoft. This reduces the likelihood of malicious code or key-logging software running on your PC without your knowledge, transmitting your details to fraudsters across the internet.

Rule Two: Never go online without ensuring you have your personal Firewall enabled. A personal Firewall adds a layer of protection to the PC by stopping unknown connections to the PC. The personal firewall included within Windows XP and Vista is generally considered to be insufficient: it can control data coming in to the PC – an inbound filter – but it cannot properly control outbound connections. If your PC is infected by Malware, you could be sending out Spam or other data on to the Internet without your knowledge. By adding a personal firewall you can control and stop unwanted outbound connections. There are a number of personal firewalls on the market, both free and paid for, and some anti-virus vendors include personal firewalling as part of their products.

Rule Three: Don’t ever select the ‘remember my password’ option when registering online as your passwords are then stored on the PC, often in plain text, and are the first thing that a fraudster will target. Some malware is designed and written to go and search your PC for these passwords. In addition to this, if you use a laptop that is lost or stolen, the passwords go with it….

Rule Four: Ensure that your credit cards are registered with your card provider’s online security services such as ‘Verified by Visa’ and ‘MasterCard SecureCode’.

Rule Five: Use only one card for online shopping, maintaining a limit on the card as low as possible or even using a top-up card for your online purchasing.

Rule Six: Be sure to use a Credit Card and not a Debit Card. The bank provides you security guarantees with a credit card that are not given with a debit card. So don’t be tempted to take your shiny new platinum card on an online shopping spree.

Rule Seven: Be sure to check your statements regularly, and if there is any sign of irregular activity, report it straight away.

Rule Eight: Always check for the little padlock at the bottom right hand corner of the browser (when using Internet Explorer) before entering your card details. Recently Verisign have added the green display bar to show a website with an Extended Validation certificate – this means the encryption key has been made strong, and the site has external validation.

Rule Nine: Make a habit of checking the site’s privacy policy for details of how your personal information will be used and only provide the minimum of personal information, especially in on-line forms.

Rule Ten: Never shop from sites that you arrive at from clicking links in unsolicited marketing emails (SPAM).

Rule Eleven: It is important to remember that you could be doing everything right, but that the Vendor may do something wrong. A vendor may well be storing all your credit card data on a single server. This creates a single big target for a hacker to go after. If the Vendor’s web site is breached, your details may well be compromised. The Payment Card Industry has recently introduced their own Data Security Standards to try and protect this data at rest. However the standards are not yet fully enforced and this risk is for all credit card transactions, not just those over the Internet.

Rule Twelve: Finally, don’t rely on previous customers’ testimonials – they are part of the organisation’s marketing and not necessarily factual. The Golden Rule of commerce is still the same as it ever was: if the offer looks too good to be true, it probably is!

These are the rules I follow as do many of my colleagues. Internet shopping is only going to get more popular, with scams being more sophisticated, so make sure you’re not caught out by being lured into unsafe territory. By following these rules you can log on and access those internet bargains…safely! Good luck and enjoy.

For more information please visit: www.gss.co.uk

Source: Eskenzi PR
<>

Data hung out to dry as 9,000 USBs left in Laundrettes

London, January 2009 - Data leakage and data loss is at an all time high. It could be blamed on the ever-popular USB or memory stick which most people now use to download and transport large amounts of sensitive data. So it’s no surprise to find in a survey released today by data security experts Credant Technologies that in the last year, 9000 USB sticks have been forgotten in people’s pockets as they take their clothes to be washed at the local dry cleaners.

The survey was carried out across the UK, to gauge the frequency and ease with which mobile devices such as USB and memory sticks are lost or forgotten in strange places such as dry cleaners and also as a warning to people to be vigilant when downloading information to carry around with them as it does frequently get lost. A similar survey was conducted by Credant Technologies last September amongst taxi drivers in London, which showed that 6,193 handheld devices such as laptops, iPods and memory sticks are forgotten at the back of taxis every 6 months!

Michael Callahan – senior vice president and chief marketing officer at Credant Technologies said “We conducted this survey to show people how easy it is to lose data, even in their local laundrette and that none of us are infallible. If the data is sensitive or valuable then people should protect this information with encryption so no-one can access the data at any point - as it could easily end up in the wrong hands.”

A warning message to the business community and individuals to be vigilant when travelling with their mobile devices has never been more relevant, especially as many of these devices now have the capacity to store as many as 10,000 Word documents, 11,000 pictures, 500,000 contact details or an amazing 1.1 million emails, making them an obvious target for identity theft criminals and hackers who can steal this information and assume the identity of the user in both their personal and business life.

City workers are most forgetful
Dry cleaners in the suburbs, on the commuter belt or based in city centres find the most USB or memory sticks. One dry cleaner in the heart of the City of London said he is getting an average of 1 USB stick every 2 weeks, another said he had found at least 80 in the past year.
Not just USB sticks left at the dry cleaners... but Rolex watches, credit cards, drugs and an envelope filled with diamonds

When the dry cleaners were asked to recall the strangest objects they’d found in customers’ pockets, most had found keys, money and credit cards; however, one had found a gold Rolex watch and another, in Hatton Garden, had found an envelope filled with diamonds. All of these were reunited with their owners along with their clean and pressed laundry.

CREDANT Technologies is the market leader in endpoint data protection solutions that are critical components of an endpoint protection platform. CREDANT’s data security solutions preserve customer brand and reduce the cost of compliance, enabling business to “protect what matters.” CREDANT Mobile Guardian is the only centrally managed endpoint data protection solution providing strong authentication, intelligent encryption, usage controls, and key management that guarantees data recovery. By aligning security to the type of user, device and location, CREDANT ensures the audit and enforcement of security policies across all computing endpoints. Strategic partners and customers include leaders in finance, government, healthcare, manufacturing, retail, technology, and services. CREDANT was selected by Red Herring as one of the top 100 privately held companies and top 100 Innovators for 2004, and was named Ernst & Young Entrepreneur Of The Year 2005. Austin Ventures, Menlo Ventures, Crescendo Ventures, Intel Capital, and Cisco Systems are investors in CREDANT Technologies. For more information, visit www.credant.com.
Credant is exhibiting at Infosecurity Europe 2009 on the 28th – 30th April 2009 in Earls Court, London. www.infosec.co.uk

The survey figures were based on phone interviews conducted amongst 500 dry cleaners across the UK who on average had found 2 USB sticks during the course of a year. These figures were then extrapolated amongst the number of dry cleaners which is 4,500 according to the Textile Services Association.

Yvonne Eskenzi
Eskenzi PR
<>

Deutsche Bank’s CIO to Give Keynote Address at ISACA’s EuroCACS Conference for IT Professionals

Rolling Meadows, IL, USA (21 January 2009)—Wolfgang Gaertner, chief information officer at Deutsche Bank AG, will present a keynote address on the relationship between information technology (IT), business and audit at the European Computer Audit, Control and Security (EuroCACS) conference, which will be held 15-18 March 2009 at the Intercontinental Hotel in Frankfurt, Germany. Presented by ISACA, a nonprofit association serving 86,000 IT governance professionals, the conference will focus on the latest strategies to address IT auditing and security challenges.

EuroCACS will feature 40 sessions divided into four streams:

IT Governance
This stream presents topics, processes and frameworks designed to enable well-informed planning and resource decisions, transparency in actions, and delivery of stakeholders’ expectations.

Speakers include Lisa Young from CERT Software Engineering Institute; Robert Stroud, IT governance evangelist at CA Inc.; and Ken Doughty, senior risk manager at ING Australia.

IT Audit
This stream discusses how others have approached and solved complex auditing issues and technology challenges. It reviews new resources, processes, tools, and trends and technologies critical to the success of IT audit.

Speakers include Milan Patrovic, IT audit manager at General Motors, and Peter Yetzes, associate director at Audit Commission.

Information Security
This stream helps IT assurance professionals understand the fundamentals and new trends of information security. Sessions examine the key elements of information security in relation to the threats to confidentiality, integrity, and the availability of information and systems. Examples of steps needed to evaluate the enterprise’s overall security management program and ways to counter the threats are also covered.

Speakers include Eddie Schwartz, CSO at NetWitness Corp.; Mike Small, principal consultant, security management at CA Inc.; and Mark Seward, director of product marketing at Qualys Inc.

IT Risk Management and Compliance
This stream examines risk management concepts and how to apply them to benefit the enterprise. It also explores regulations and compliance requirements, including the new ISO information privacy standard currently under development, and presents methods to test and assure compliance from risk management and IT audit perspectives.

Speakers include Stephane Geyres, corporate head of risk management at Reed Elsevier PLC; David Ramirez, senior manager for Quality Assurance at Barclays Bank; and Urs Fischer, head of corporate IT governance and risk management at Swiss Life.

EuroCACS attendees can also register for workshops on topics such as using the COBIT and Val IT frameworks, and spreadsheet auditing.

The registration fee for the conference is US $2,374 for ISACA members and US $2,612 for nonmembers. Attendees can earn up to 40 continuing professional education hours. Additional information is available at www.isaca.org/eurocacs.

Founded in 1969, ISACA (www.isaca.org) sponsors international conferences, publishes the ISACA Journal, develops international information systems auditing and control standards, and administers the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and the new Certified in the Governance of Enterprise IT (CGEIT) designations.

Neil Stinchcombe
Eskenzi PR
<>

Fortify Software Ends 2008 with Largest Quarter in Company History

Q4 2008 closes with record growth, bookings increase 80% over Q4 2007

London, January 20, 2009 - Fortify Software, the market leader in Software Security Assurance solutions, announced today that it achieved record growth in Q4 2008, finishing a strong fiscal year 2008 with the largest quarter in company history. Most notably, Fortify increased its bookings in Q4 2008 by 80% over Q4 2007. The company’s success is driven by significant new business growth in the commercial and government sectors: it added 49 new customers in Q4 alone, growing its customer roster to more than 500 commercial enterprises and government agencies. In addition, Fortify saw the U.S. Air Force expand its purchase of Fortify solutions to over $11M, further increasing the industry’s largest investment in software security.

“At a time of such economic uncertainty, when we see others in the market struggling for viability, it is especially gratifying to have a strong showing at the end of 2008,” commented John Jack, president & CEO of Fortify Software. “Despite the trying economic climate, we are seeing increased investment in software security by forward thinking companies who realize the business risk associated with insecure software continues to rise. Our customers understand that now is no time to skimp on security.”

"As a leading provider of bank-centric solutions and payment services worldwide, it is imperative that the software we offer is fundamentally secure," said Jeff Schilling, Chief Technology Officer of S1 Enterprise. "Today's compliance requirements and the increasing threats to enterprise applications demand a proactive strategy for addressing software security - Fortify's technology and approach for implementing software security assurance aligns well with our global security vision."

Highlights of the quarter include:

  • Achieved 80% growth in bookings over Q4 2007
  • Named Jim Yares as Fortify Software’s Vice President, Global Services
  • Increased customer roster to over 500 enterprise customers
  • Added 49 new customer agreements with major global telcos, banks, insurance and pension companies, systems integrators and armed forces, including:
      • Barclays
      • Halliburton
      • Vodafone
      • USBank
      • eBay, Inc.
      • S1 Enterprise
      • China Construction Bank
      • Defense Logistics Agency
      • U.S. Army Knowledge Online
      • Armasuisse
      • Federal Reserve Bank of Atlanta
      • Coventry Building Society
      • Arval
      • Vonage
Additionally in Q4, Fortify expanded the market’s largest investment in software security through continued customer agreements with the U.S. Air Force (USAF). In October 2007 the USAF - a leader in the Department of Defense’s strategy for cyber security - purchased more than $7 million of Fortify’s complete product portfolio to develop secure code, as well as identify, protect and monitor applications from attacks and other malicious activities. That investment now reaches over $11 million, an industry high in software security.

Fortify’s record showing in Q4 finishes off what has been a strong 2008 overall. This year, Fortify marked the release of its cornerstone software security product, Fortify 360, and made key additions to both its Board of Directors and executive team. The company received accolades from the analyst community, having been recognized as the global leader in the application security market by both Gartner/Dataquest and Bloor. Additionally, the company continued its industry-leading work in open source software security, expanding the Java Open Review to include more than 100 projects and releasing its “Open Source Security Study” on the state of open source software security. Fortify also continued its efforts around e-voting security, with five states making use of a free version of its security software to test their electronic voting machines, and with the release of “Voting in America,” a report on the current state of U.S. voting systems.

“2008 has marked a turning point in software and application security,” noted Jack. “Organizations are increasingly aware of the changing threat landscape and recognize the need to secure their business-critical software against malicious attack. It is our mission at Fortify to continue to provide the services and technologies they need to achieve their long-term software security goals.”

Fortify®’s Software Security Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite—Fortify 360—drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software’s customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e–commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world–class teams of software security experts and partners. More information is available at www.fortify.com.

Yvonne Eskenzi
EskenziPR

Heartland card data heist could be part of a global scam

Fortify Software, the application vulnerability security specialist, says that the Heartland Payment Systems data breach - which could turn out to be the largest data heist of its type in history - was probably the result of highly sophisticated software installed on the card processing firm's computer systems.

"It will be interesting to see how this incident pans out. Our best guess is that the software was either installed by a sleeper, a rogue employee working inside the firm who passed the usual vetting procedures, or a direct systems attack followed by the insertion of a custom application on the processor's IT resources," said Rob Rachwald, Fortify's director of product marketing.

"The $64,000 question, of course, is whether Heartland and the US Secret Service, who are working with company staff on an investigation, will reveal the actual modus operandi of the fraudsters. I somehow think this will not happen," he said.

According to Rachwald, assuming, as seems likely, that the rogue software was inserted into Heartland's payment computers, the question on Secret Service staff's lips will be: what happened to the security systems the card processor employs?

Heartland, he explained, is the sixth largest card transaction processor in the US, with around a quarter of a million businesses on its books, and processes 100 million transactions each month.

"Reports are also coming in that Forcht Bank, one of the top ten banks in Kentucky, has started reissuing more than eight thousand debit cards to customers, owing to its systems being compromised. If the two incidents are related, as Secret Service and Department of Justice officials have intimated, then the card processing industry could have a major challenge on its hands," he said.

"Both incidents seem unrelated, since Forcht uses a different transaction processor to Heartland. Unconfirmed reports also suggest that these two cases could be part of a much larger global scam, although that remains to be confirmed," he added.

Rachwald went on to say that the authorities have been throwing everything they have at the Heartland data breach, with two forensic audit teams working at the New Jersey card processor since late last year, when Visa and MasterCard notified the company of suspicious activity. Forcht Bank's transaction processor, Star, he added, is also investigating the source of its loss, data from which has been tapped to produce a number of cloned debit cards.

"It's good to see that Heartland has established a Web site - www.2008breach.com - to provide information about the incident to customers and other interested parties, but the authorities and the IT security industry in general are going to want to know how these incidents happened, and how they can be prevented from happening again in the future," he said.

For more on the Heartland data breach: http://tinyurl.com/8admv4

For more on Fortify Software: http://www.fortify.com

Yvonne Eskenzi
EskenziPr

Avoid data breaches with secure file transfer

By Gary Shottes, President, Ipswitch File Transfer Division

You cannot pick up a newspaper today or view a news website without reading about the latest incident of a mass data breach. The financial loss associated with a company’s data breach is potentially huge, not only destroying an organisation’s reputation, but also putting the security of its customers or clients at risk.

Data loss has become a contentious issue over the past year, particularly since the revelation that HM Revenue & Customs lost 25 million child benefit claimants’ details on two CDs a year ago. This thrust the issue into the public eye and set off a flurry of media interest and further revelations. Even more worryingly, a recent government review concluded that incidents such as the HMRC loss were ‘entirely preventable’.

The HMRC were also found accountable this year for risking approximately 15,000 Standard Life customers’ details when the compact disc containing the information got lost en route from their offices in Newcastle to the company’s headquarters in Edinburgh. In another instance, the personal data of around one million bank customers from three different companies, including Royal Bank of Scotland (RBS) and its subsidiary, NatWest, were found on a laptop sold on eBay. This contained information including account details, signatures, mobile phone numbers and family details. In November, IT professionals compromised confidential patient data by leaving a memory device in the street, whilst the BNP’s membership list was subject to unauthorised publication.

These are just some of the higher-profile cases that have actually come to light. Many companies experience data breaches yet fail to tell their clients, let alone the authorities or police, because most of them expect to lose customers immediately, and on a massive scale, if a breach were revealed.

However, many individuals and businesses believe that repeated data breaches should become a criminal offence. Making banks and businesses accountable for data breaches is something that the National Consumer Council (NCC) has been petitioning for recently. The reckless loss of data actually became a civil offence earlier this year and the Information Commissioner's Office has recently been given more powers to fine offending private and public-sector organisations.

As more and more electronic data is collected and stored on company networks, mismanaging and losing that data, especially while it is being transferred, becomes inevitable unless controls and systems are put in place. Too many employees are unaware of the risks of moving sensitive data, whether onto portable devices such as memory sticks or as attachments to unencrypted emails. Companies are moving more files than ever before, and compliance and regulatory obligations are often overlooked.

Security experts agree that employees need to change the way they handle data, and that companies need to invest in software capable of controlling its movement. That software has been available for a number of years: secure file transfer. It is remarkable how many companies moving vast amounts of data are not using this simple yet highly effective technology. There is little that is cutting edge about secure file transfer; it is the move away from the old FTP (File Transfer Protocol), which sends user names, passwords and file contents across the network in the clear, to encrypted alternatives such as SFTP (file transfer over SSH) and FTPS (FTP over TLS), now used by thousands of companies as a more secure, more integrated solution.

Once such a system is in place, data can be uploaded and accessed only by authorised personnel, removing the need to carry it around on a disc, laptop, memory stick or other storage device that can be stolen or lost. Secure file transfer also encrypts files in transit, so that an intercepted transfer does not by itself become a data breach.

Hospitals, retail outlets and insurance companies are also discovering the benefits of using these products to securely transfer data, especially with the size of the data being transferred and the ease of which transfers can be automated.

The solution is intuitive, easy-to-use, secure and very cost effective, which is extremely important for the majority of businesses. Once companies start utilising secure file transfer systems, they often wonder why they haven’t implemented them earlier.

Ipswitch, Inc. is exhibiting at Infosecurity Europe 2009, Europe’s number one dedicated Information security event. Now in its 14th year, the show continues to provide an unrivalled education programme, the most diverse range of new products & services from over 300 exhibitors and 12,000 visitors from every segment of the industry. Held on the 28th – 30th April 2009 in Earls Court, London this is a must attend event for all professionals involved in Information Security. www.infosec.co.uk

Source: InfosecurityPR

WiFi users urged to step up security as Russia firm releases new software

London 20th January 2009 - Global Secure Systems (GSS), the value-added security consultancy, says that the release of a WiFi password auditing utility by Russia's Elcomsoft should act as a wake-up call on the dangers of wireless insecurities to all IT managers.

"Elcomsoft caused a stir in IT security circles last year when it released a utility that supported accelerated `retrieval' of WiFi encryption keys, but the release of Wireless Security Auditor moves the wireless security ballgame on by several stages," said David Hobson, GSS' managing director.

"At the very least, it highlights the fact that WiFi users need to be using more complex alpha-numeric passwords in order to protect their wireless networks, as well as consider wired connections wherever possible," he added.

According to Hobson, the new software starts by sniffing wireless packets to capture the traffic it needs, then uses up to four high-end graphics cards installed in a PC to accelerate what is, to all intents and purposes, an offline brute-force attack on the key protecting a given WiFi transmission.

"Let's not beat about the bush here. If a user builds a custom PC with four high-end graphics cards and installs the £599 software, they then have a machine capable of tumbling wireless keys out of the ether and decrypting them in a matter of hours rather than months," he explained.

Hobson says that, if a WiFi user has employed an eight character encryption key - currently the recommended norm for WPA – then Wireless Security Auditor can "retrieve" the password within a few hours, effectively giving a user near on-demand access to supposedly secure wireless transmissions.

The repercussions from the release of this software, says Hobson, are that it drives a stake through the heart of the widespread usage of eight character WPA encryption keys as means of protecting WiFi transmissions.

"It's a wake-up call to IT managers. Pure and simple. IT managers should now move to 12 and even 16 character keys as a matter of urgency. It's not very user-friendly, but the potential consequences of staying with eight character keys do not bear thinking about," he said.
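The arithmetic behind Hobson's advice, as an added example that is not part of the original release and not code from GSS or Elcomsoft. WPA and WPA2-PSK derive the 256-bit Pairwise Master Key (PMK) from the passphrase and the SSID with PBKDF2-HMAC-SHA1 at 4096 iterations (IEEE 802.11i); an attacker who has captured one client's four-way handshake can re-run that derivation offline for every candidate passphrase, so the work the attacker faces is set by the passphrase alphabet and length. One caveat on the figures quoted above: eight characters is the minimum length the standard allows for a passphrase, not a recommendation. The code derives the PMK (checked against the 802.11i test vector for "password"/"IEEE"), sizes the search for 8, 12 and 16 character keys over several alphabets, and runs the offline guessing loop over a tiny constructed word list. The guess rate of 100,000 PBKDF2 evaluations per second is an assumption for illustration, not a figure from the page or from the vendor.

```python
"""Why WPA/WPA2-PSK passphrase length sets the cost of a brute-force attack.

WPA-PSK derives the 256-bit Pairwise Master Key (PMK) from the passphrase and
the SSID with PBKDF2-HMAC-SHA1 at 4096 iterations (IEEE 802.11i). A tool that
has captured one client's four-way handshake can re-run that derivation
offline for every candidate passphrase, so the defender's only lever is the
size of the passphrase space (the SSID acts as the salt).
"""
import hashlib
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
PMK_LEN = 32               # 256-bit PMK

# Candidate alphabets a brute-force tool might assume.
ALPHABETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable": 95}


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), PBKDF2_ITERATIONS, PMK_LEN)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of passphrases of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def search_factor(short_len: int, long_len: int, alphabet_size: int) -> int:
    """How many times more work the longer passphrase costs an attacker."""
    return alphabet_size ** (long_len - short_len)


def expected_seconds(length: int, alphabet_size: int, guesses_per_sec: float) -> float:
    """Expected time to hit a uniformly random passphrase: half the keyspace."""
    return keyspace(length, alphabet_size) / 2 / guesses_per_sec


def recover_passphrase(target_pmk: bytes, ssid: str,
                       candidates: Iterable[str]) -> Optional[str]:
    """The offline loop at the heart of a handshake attack.

    A real tool derives the PTK from each candidate PMK and checks the MIC on
    the captured handshake; comparing the PMK directly stands in for that
    check here and costs the attacker the same PBKDF2 work per guess.
    """
    for guess in candidates:
        if wpa_pmk(guess, ssid) == target_pmk:
            return guess
    return None


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    print("PMK:", wpa_pmk("password", "IEEE").hex())

    # Assumed attacker rate for illustration only (not a figure from the
    # page or from Elcomsoft): 100,000 PBKDF2 evaluations per second.
    rate = 1e5
    year = 365.25 * 24 * 3600
    for name, size in ALPHABETS.items():
        print(f"8 chars, {name:12s}: {expected_seconds(8, size, rate) / year:10.3g} years")
    for n in (8, 12, 16):
        print(f"{n} chars, alphanumeric: {expected_seconds(n, 62, rate) / year:10.3g} years")
    print("12 vs 8 alphanumeric chars:", search_factor(8, 12, 62), "times more work")

    # Tiny constructed word list standing in for a brute-force enumeration.
    target = wpa_pmk("password", "IEEE")
    print("recovered:", recover_passphrase(target, "IEEE",
                                           ["letmein1", "password", "hunter22"]))
```

Every four extra alphanumeric characters multiply the attacker's work by 62^4, roughly 14.8 million, which is what turns a search measured in hours into one measured in millennia at the same guess rate; an eight-character key drawn only from digits or lowercase letters, by contrast, is many orders of magnitude weaker than a random eight-character alphanumeric one. Because the SSID is the salt, a common default SSID also lets an attacker reuse precomputed tables across networks, so changing the SSID is a cheap extra step alongside lengthening the key.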

For more on Elcomsoft's wireless key auditing software: http://tinyurl.com/76eva4

For more on GSS: http://www.gss.co.uk

Yvonne Eskenzi
EzkenziPR

Does Web 2.0 mean Threat 2.0?

By Alan Calder, Chief Executive of IT Governance Limited

All manner of companies are beginning to adopt Web 2.0 technologies, encouraging employee blogs, customer forums, greater use of multi-media content and images and self-created encyclopaedias (or ‘wikis’). As with all new technologies, there are issues, argues Alan Calder, Chief Executive of information security experts IT Governance Limited.

First and foremost, privacy – the rapid growth of social networking has meant the risk of harmful private information or compromising materials being published is far greater. There are also technical Web 2.0 security issues – like the recent Facebook and MySpace worm – which are only the start of what might be called Threat 2.0.

Part of the excitement about Web 2.0 technologies is that they have such widespread personal adoption. A survey carried out by IT Governance in May of this year showed that over 39% of people who responded are typically on a Web 2.0 site for more than an hour every day. This is especially true for the 16 to 25-year-old demographic. These people, now entering the workforce in appreciable numbers, think e-mail is outdated; they want instant messaging, they expect to talk to their friends about what they did last night online, sharing photos, music files, bits of video – whatever they can manipulate digitally, it seems.

What to do about this, if you're an employer? Social networking is a challenge. Your staff are spending work time doing all this. And the danger is, of course, that confidential corporate data and protected personal information could very easily find its way into the public domain via this sort of largely unsupervised electronic interaction, along with the embarrassing shot of a member of staff after one too many drinks.

The threats associated with Web 2.0 are not clearly understood, but range across the whole gamut from regulatory and compliance issues to electronic and cyber attack.

Connotations of 'friendship' mean that Web 2.0 users are lulled into a false sense of security – and because the web service is free, users assume that it is acceptable, safe and compliant with data protection and privacy regulations. That’s a dangerous and usually unfounded assumption.

Also, the security settings for personal and sensitive data on social networking sites are not transparent. This means that individuals are not immediately aware as to how much of their information is accessible to possibly unwanted third parties. Malware (worms, Trojans and spyware) can be spread, for example, via the (so far!) 25,000 different free third-party applications available for users of Facebook.

And what goes 'out there' tends to stay there – Facebook accounts cannot be deleted, for example. This sort of easy-to-acquire personal data, as well as professional information on the Web like CVs and previous employers is an open door to conmen to steal individual identities. And that rule applies to corporate information, in terms of data leakage and also exposure of what businesses want to keep inside the firewall.

So any company looking at this way of opening up to the outside world needs to consider how Web 2.0 could lead to the risk of litigation, significant brand damage or other privacy and data protection transgressions.

A very natural impulse is simply to put controls in place to regulate Web 2.0 use. The drawback of this approach is that it may prevent staff from carrying out tasks they need to do in order to do their jobs and work effectively. Web 2.0 enables multi-directional sharing of information, which offers enormous business benefit by helping people share knowledge. In any case, Web 2.0 is now embedded in the cultural DNA of tomorrow’s workforce. The best and brightest of tomorrow’s workers will gravitate toward organisations which embrace these new working and social practices.

So how to get the mix of controls and access right? Identify those Web 2.0 technologies that could be usefully deployed, together with a realistic description of the benefits, current and future risks staff could open you up to, e.g. data 'leakage' and reputation damage – and set out an appropriate risk management strategy.

Doing this will enable managers to offer staff the more information-rich and agile way of working they crave while curbing the risks, so that you do not miss out on one of the biggest changes in working and social practice in our lifetimes.

IT Governance Ltd is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Alan Calder is chief executive of IT Governance Limited (www.itgovernance.co.uk), an organisation offering a range of information security resources. Alan has recently published a special report on the issues outlined in this article, ‘Web 2.0: Trends, Benefits & Risks,' which is available from http://www.itgovernance.co.uk/products/1800

Source: Infosecurity PR

ASUS unveiled Green IT at BETT Show

by Michael Smith

ASUS has been exhibiting at the BETT Show at Olympia, from January 14 – January 17, 2009, for the first time.

Here they have unveiled a range of technical innovations designed to reduce the impact of computing on the environment, including a revolutionary use of bamboo.

As well as launching new products, ASUS has been showcasing a number of its most notable products from the past year, including:

1. The VESA-mountable, economical Eee Box, the world’s smallest PC, which consumes up to 90% less power than conventional PCs and can be mounted, for instance, on the back of a computer monitor.

2. The compact and versatile new Eee Top all-in-one touchscreen PC that is ideally suited to the classroom with options on either desk or wall mounting, though the wall mounting is, as far as I understand, not as ready to roll.

3. A selection from the trend-setting Eee PC range of ultra-portable netbooks is also on display, some of which are very new.

Having recently acquired an Eee PC 900 for use on the move, and being, so far, extremely happy with it, I would most dearly love to be able to review the new models, especially the new versions of the Eee PC.

4. Amongst the more traditionally designed products on demonstration are the recently launched N series notebooks, that lately scooped the world’s first EU Flower Eco Certification for computers, and the world’s first EuP Certification for portable notebooks, as well as 9 EPEAT Gold Awards. This is a testament to ASUS’ commitment to the environment.

This commitment is captured by the Green ASUS initiative, part of ASUS’ sustainability drive, that ensures their disciplined adherence to environmentally-friendly principles at every step of design and production, and an uncompromising commitment to eco-consciousness.

As the world’s fourth largest notebook PC manufacturer, though not always one that immediately comes to mind, which I think needs to change, ASUS is ideally positioned to offer an insight into which devices will have the biggest impact on education in 2009.

ASUS is a global leader in the creation and manufacture of innovative digital solutions that empower people and businesses to reach their full potential.

Over a remarkably short period of time ASUS has become one of the top laptop manufacturers worldwide creating compelling computer experiences that have delighted consumers across the world. ASUS are the Fastest Growing Laptop Brand in Europe and ASUS sales are outstripping manufacturers who traditionally dominated the market.

ASUS notebooks have changed the face of the consumer electronics market place with the introduction of highly original and ground breaking notebooks like the Eee PC™ family and the Lamborghini range.

ASUS’s design excellence is renowned and it is always informed by the life-style needs of consumers creating laptops that are technologically advanced, sophisticated and refined yet ruggedly robust.

ASUS is the world’s leading enterprise of the new digital era. ASUS was rated No. 1 in quality and service by the Wall Street Journal Asia. With an unparalleled commitment to innovation and quality, ASUS won 2,568 awards in 2007, an average of 7 awards for every day of the year.

ASUS employs over 130,000 people worldwide, and its revenue in 2007 exceeded £11 billion.

During 2007 ASUS shipped over 60 million PC motherboards, which means that one in three desktop PCs shipped during 2007 was powered by an ASUS motherboard.

ASUS is ranked in the top four worldwide notebook manufacturers though, as I said, it is not the first name – not even the fourth – that comes to the mind of most people when thinking of a notebook/laptop. Maybe this is something that must be changed by more marketing.

As far as Green IT is concerned, this company must definitely be seen as a world leader, for, as far as I am aware, ASUS may indeed have been the first company to bring out the netbook variety of laptop, with the Eee PC.

I must say though that for real computing power on the go the 6-cell battery is a must. The standard 3-cell that comes with, say, the Eee PC 900, like the one I have got, does not last for very long when on the move and using battery power only.

© M Smith (Veshengro), January 2009

IT Security Spending Will Increase to Match Rising Cybercrime Threat in 2009

Finjan’s Web Security survey finds that enterprises increase their IT security budgets for 2009 while their overall IT budgets tend to be reduced

Farnborough, United Kingdom, January 2009 - Finjan Inc., a leading provider of secure web gateway solutions for the enterprise market, today announced the findings of its IT security survey conducted during December 2008. In light of the economic downturn and rising cybercrime attacks as indicated in Finjan’s Web Security Trends Report Q4 2008, Finjan conducted an online survey among 200 IT and security professionals. The survey focused on determining the trends for allocating IT budgets in 2009 compared to 2008.

The results reveal that the total IT budgets for 2009 tend to be reduced compared to 2008. However, the IT security budget outlook was more optimistic since organizations intend to dedicate a larger part of their total IT budgets to IT security.

Key findings from the survey:

  • 38% of all respondents stated that they do not expect a change in their 2009 IT budgets, while 34% indicated that they expect them to be slightly smaller - reflecting the general declining trend in corporate budgets.
  • 34% of the respondents indicated that their IT security budgets for 2009 will increase, indicating a general trend that organizations will allocate a larger part of their overall IT budget to IT security. 43% of all respondents expect their IT security budget for 2009 to remain the same.
  • The survey also found that the upward trend in IT security budget allocation was more pronounced in the financial and governmental sectors than in others.

“During an economic downturn it is to be expected that all budgets come under scrutiny. Organizations are trying to get the most out of their spending and reduce the Total Cost of Ownership (TCO) of their IT investments – efficiency being the name of the game,” said Yuval Ben-Itzhak, Chief Technology Officer at Finjan. “While 2008 saw IT security departments facing new challenges in protecting valuable business data against an ever-increasing wave of cybercrime attacks, 2009 is adding a further economic challenge to the mix. As a result, organizations are looking for a comprehensive security solution with low TCO that covers all their Web security needs and is also simple and easy to manage,” added Ben-Itzhak.

Finjan is a global provider of secure web gateway solutions for the enterprise market. Our real-time, appliance-based web security solutions deliver the most effective shield against web-borne threats, freeing enterprises to harness the web for maximum commercial results. Finjan’s real-time web security solutions utilize patented behavior-based technology to repel all types of threats arriving via the web, such as spyware, phishing, Trojans, obfuscated code and other malicious code, securing businesses against unknown and emerging threats, as well as known malware. Finjan's security solutions have received industry awards and recognition from leading analyst houses and publications, including Gartner, IDC, Butler Group, SC Magazine, eWEEK, CRN, ITPro, PCPro, ITWeek, Network Computing, and Information Security. With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential. For more information about Finjan, please visit: www.finjan.com.

Source: Eskenzi PR Ltd.

Digital Fingerprints – who knows where you have been?

By Greg Day, Security Analyst, McAfee International Ltd

The Internet has changed the way we live: in our personal lives, we can communicate with friends and family - both near and far - and know that our message will reach them at the touch of a button. Similarly, we no longer have to spend precious lunch breaks or Saturday mornings queuing at the bank as we can do everything we need to on our computers. At work, we talk to customers, partners, suppliers and colleagues electronically, we manage budgets, expenses and any number of things online and we embrace any new, electronic, time saving tool that comes our way.

It’s clear that these days, nearly all of us are using the Internet for a wide range of tasks, not to mention for fun. Many of us have had our lives revolutionised: working has become more of a process and certainly more flexible, information can be sent, received, stored and retrieved efficiently, and we are able to free up personal time by banking, shopping and communicating at the touch of a button. This is fantastic and truly demonstrative of what makes the human race an ever-evolving species. Our ability to grasp and make use of new technologies has been visible over the last 20 years, as we’ve fallen in love (most of the time!) with computers, taken our phone calls mobile, got connected to the Internet and embraced Web 2.0 and social networking. Yet with the advantages that all these technologies bring, they also have an impact on when and where we are visible and on the availability of intricate details of our lives.

We know that in day-to-day life, we leave fingerprints wherever we go and on whatever we touch. What we may not know is that when we enter information online, what we do is create a digital fingerprint, the tracks of which are left all over the Internet as our use of online services grows. These fingerprints won’t always be tracked, but there is certainly the potential for this to happen and it’s vital that this risk is not overlooked. It’s a terrifying fact but the worst case scenario is that this information gets into the wrong hands, and can then be used to build a profile of us and even to fake our identities, to access our finances or defraud others.

This all makes the Internet sound like a terrifying place but that really doesn’t need to be the case. What this means is that we do need to think twice before completing web forms or entering sensitive information in any online systems or in unusual places. Examples of the kinds of information that should be shared with some considerable caution are full dates of birth, places of birth, mothers’ maiden names and full addresses, not to mention bank details and passwords. The thing to remember is that just because there is a space for information on the website doesn’t mean that it has to be provided. As a rule, only enter the information deemed obligatory – an asterisk usually denotes this – the rest could give away vital clues to your passwords or make available enough information for the malicious-minded Internet fiend to create an account using your identity. You should similarly take care when given the opportunity to write about yourself and in such cases, a good rule is to only give information that you would be happy to give a stranger in the street. Similarly, be suspicious if you receive an email or phone call asking for such information – your bank will never ask you for your account number or passwords by email and if you do receive such a phone call, use the bank’s public phone number to call them back and be sure that the request is legitimate.

One thing that is important to be aware of is that unlike any medium that has gone before it, once information is on the Internet, it’s pretty much there forever, as content is far more difficult to remove than it is to post in the first place. Even if information is not sensitive from the perspective of helping to build up information on you that could be used for fraudulent reasons, it may be something that is OK now but which you may not want viewed in later years when you’re at a different stage of your life: you may be a student now, but it won’t be long until you may be looking for a job in an organisation that will use the Internet to see what can be found out about you. Similarly, if you’re single now, don’t post something that you may not want a future partner to be able to see. These are extreme examples but highlight the fact that something you post today will be visible from this day onwards, and you may not always want that to be the case.

It’s also worth remembering who else holds our personal information: a number of recent, high-profile stories of lost data have caused something of a stir in the media, resulting in increased awareness that we are not always the ones in control of our valuable personal information. While it would be difficult to simply refuse to provide any information requested and still have bank accounts, mortgages, store credit, receive benefits and generally continue to function, it’s important to know who has our details so at least if an incident occurs, we know how best to respond based on whether we are likely to have been affected.

The bottom line when it comes to sharing information is that less is always best. If someone knocked on your door in the middle of the night and asked for your mother’s maiden name or the name of the town where you were born, you’d slam the door in their face and go back to bed, and that really is the approach that also needs to be taken online. There’s no escaping the fact that we will all have digital fingerprints moving forwards, and that really can help us to save time that was previously spent on going places to do things in person; we just need to exercise some caution in terms of how big, how personal and how public that fingerprint should be.

McAfee International Ltd is exhibiting at Infosecurity Europe 2009, Europe’s number one dedicated Information security event. Now in its 14th year, the show continues to provide an unrivalled education programme, the most diverse range of new products & services from over 300 exhibitors and 12,000 visitors from every segment of the industry. Held on the 28th – 30th April 2009 in Earls Court, London this is a must attend event for all professionals involved in Information Security. www.infosec.co.uk

Source: InfosecurityPR
<>

Webroot Launches Global "Go Green" Program - Offers Free Security Hardware Recycling

Security SaaS Leader Partners with Guaranteed Recycling Xperts and Centillion to Improve Security While Minimizing the Global Environmental Impact of Obsolete Hardware

Boulder, CO: Webroot, a leading provider of security solutions for the consumer, enterprise and SMB markets, today announced the launch of “Go Green,” a global program which offers businesses free, earth-friendly recycling of legacy security hardware. In partnership with Guaranteed Recycling Xperts (GRX), one of the leading recyclers of computers and electronics in the US, and Centillion, a global e-waste recycling leader in Europe and Asia, Webroot will properly dispose of any legacy security hardware replaced by the purchase of a Webroot® Security Software as a Service (SaaS) solution.

“When we realized that the tremendous success of security SaaS solutions would be making hardware-based security obsolete, we took steps to provide a socially responsible alternative for recycling this influx of electronic waste,” said Peter Watkins, CEO, Webroot. “In conjunction with GRX and Centillion, the leading e-waste recyclers in the world, this program is a natural fit with SaaS. The move to the software-as-a-service model will greatly reduce the need for on-premise hardware, which will help lower the amount of electronic waste and conserve energy.”

According to estimates by the US Environmental Protection Agency, 2.25 million tons of TVs, cell phones, and computer products have been discarded in the US over the last two years. Only 18 percent (414,000 tons) was collected for recycling and the remaining 1.84 million tons was sent to landfills in the US and to unregulated third world countries.

“Because electronic waste accounts for 80 percent of Americans’ toxic garbage, and is growing exponentially, we’re excited to be working with Webroot on their ‘Go Green’ initiative,” said Mike Wright, president and CEO of GRX. “GRX collects, disassembles and shreds or crushes material, and then distributes the end product to certified partners for reprocessing and recycling into new products or raw materials. We expect to see a sharp increase in demand for our services as more IT departments convert to the SaaS computing model.”

GRX does not export hazardous waste material, does not landfill or incinerate hazardous waste material, audits its partners and has signed the Basel Action Network’s Pledge of True Stewardship, which provides the most rigorous set of environmental business standards for electronics recyclers. After electronic waste material is collected, GRX invests in the labor-intensive process of de-manufacturing to divert greater than 95 percent of materials from landfills and incinerators.

“With only 20 percent of all electronic hardware getting properly recycled, the Webroot Go Green Program allows us to respond to the increased demand for comprehensive security while providing an earth-friendly approach,” added Watkins. “Webroot was an early adopter in the Green movement internally in our business practices and we have always led by example – now we can offer the market better protection for their networks and our planet.”

The Webroot Go Green Program is available to any customer who replaces a security appliance or an on-premise security solution with a Webroot Security SaaS solution. Webroot will send the customer a prepaid shipping label to transport the hardware to the closest GRX facility in the US or Centillion outside the US. Once the hardware has been properly recycled, the customer will receive a certificate of authentication suitable for framing and a Webroot “Go Green” logo which signifies they are a member of our program and have contributed to a cleaner planet.

Webroot Security SaaS Solutions
Webroot Security SaaS solutions give IT departments the ability to outsource their security applications to centralized data centers for better manageability, better value and better protection than hardware appliances and server-based solutions.

Webroot E-Mail Security SaaS protects against spam, viruses and data leakage, along with additional compliance, archiving and business continuity features.

Webroot Web Security SaaS provides protection against Web-based malware threats for corporate and mobile users while ensuring appropriate employee Web usage and data leak protection.

Webroot Security SaaS solutions are backed by free US-based support that includes 24x7x365 access to a robust knowledge base, toll-free telephone support and free product and defense updates for the duration of a subscription.

Centillion Environment and Recycling Limited (“Centillion”) is a fully integrated provider of recycling and processing services for electronic waste with presence across North America, Asia and Europe. The Group provides services for recycling and processing electronic components and products in order to extract ferrous and non-ferrous metals and plastics.

Guaranteed Recycling Xperts is based in Denver, CO and has been the leading electronic waste recycler since 1999. The company also maintains facilities in Colorado Springs, CO, Omaha, NE and Clearfield, UT. The company recycles all electronic devices and offers pick-up services for businesses and organizations. GRX provides complete data security processing and documentation. http://www.grxrecycles.com

Webroot, a Boulder, Colorado-based company provides industry-leading security solutions to consumers, enterprises and small to medium-sized businesses worldwide. For more information visit http://www.webroot.com/

Source: Webroot
<>

Public WiFi Security Tips

by David Hobson, MD of Global Secure Systems (GSS)

Access to the Internet via public “hotspots” is growing and will continue to grow as more and more hotspots are made available. We have McDonalds offering free Internet access and even Boris Johnson proposing that London becomes a WiFi city, with free WiFi, following the likes of Norwich!

This free bandwidth does come with an element of risk. Once you are associated with an access point, you are on the same network as others connected to the same access point, in the same way as plugging into the same network segment. A simple network discovery will show who else is connected, and from there an unscrupulous user could try to access your machine. This may not be deliberate - a Trojan may automatically be scanning in the background for other machines and trying to infect them. In addition to the possibility of direct attack, your data is probably going to be “clear text” – not encrypted.

So what are issues we face when using public ‘hotspots’?

  1. Clear text data – by its very nature a hotspot will not have any encryption or security on it. It is there to enable as many people as possible to connect, as easily as possible. To offer a pre-shared security key is impractical, and the more people have a key, the less valuable a key is. What does this mean? Well if you are sending email, someone on that network will be able to see, and read that data. It is a bit like handing a postcard over a post office counter. Everyone in the post office can read it. So you really would not write anything confidential on it. To say “Hi, having a wonderful time, wish you were here” is not exactly top secret. You may not want to put all your credit card information on it!
  2. Most web traffic is, by its very nature, clear text. Most web sites will switch to secure, encrypted HTTPS traffic when doing commercial transactions. Web mail is normally in the clear. How can you tell if you have changed? Look for the little padlock in your browser!
  3. If you are using business email, we strongly recommend using a VPN (Virtual Private Network) between you and the business mail server. This should be provided by the business. This normally is a security overlay on your traffic. This will encrypt data and ensure no eavesdroppers read it.
  4. Your PC needs to have a personal firewall installed, and switched on. A basic firewall is provided within Windows now. Use it! This stops unauthorised access on to the PC.
  5. Many businesses will add an additional personal firewall. The clever ones will actually change the policy based upon your location, which will control the flow of data in and out of your PC in accordance with your policy.
  6. Ensure your anti-virus software is installed, up-to-date and working! This will defend against known virus or Trojan attacks.
  7. Turn off ad-hoc networking – WiFi has two methods of working – ad hoc and infrastructure. Infrastructure is when your PC connects to an Access Point, and then on to a wired network. Ad-hoc is when two PCs communicate with each other directly without an Access Point. You really should ensure no one can network directly, unless there is a specific reason!
  8. Shoulder surfing. Always be aware who is watching you. Don’t sit with your back to a crowd or window inviting unwanted snoopers to see you type your password or read your documents.
  9. Think about the length of time you are connected. As a precaution, prepare messages off line and only connect to send and receive. This will reduce the window of opportunity for someone to capture your data.
  10. Lastly, when accessing a hot spot be aware of hot spot hijacking. This is when a fake access point is used to fool you into connecting to it. It will record all traffic from your system. This type of attack is mainly used in internet cafes since access is open. Always try and make sure you connect to genuine access points.
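Tips 1 and 10 above can be turned into a simple defensive check a laptop user can run before connecting. The following is an added example, not code from the article or from GSS: it takes the results of a wireless scan, flags SSIDs that are advertised by an access point not on the user's pinned list (or, where nothing is pinned, by more than one vendor OUI, a heuristic for an impostor "twin" of a genuine hotspot), and lists which networks carry no encryption at all. The scan lines, the `SSID;BSSID;channel;signal;security` format and the pinned BSSIDs are constructed sample data, not real networks.

```python
"""Rogue hotspot and open-network check over a constructed Wi-Fi scan (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed scan results: SSID;BSSID;channel;signal_dbm;security. Not real networks.
SCAN_LINES = """\
CafeFreeWiFi;00:11:22:aa:bb:01;6;-52;OPEN
CafeFreeWiFi;00:11:22:aa:bb:02;11;-55;OPEN
CafeFreeWiFi;de:ad:be:ef:00:01;1;-30;OPEN
HomeNet;00:26:5a:10:20:30;36;-60;WPA2
Airport_Guest;44:55:66:00:00:01;1;-70;OPEN
Airport_Guest;aa:bb:cc:00:00:09;6;-40;OPEN
"""

# BSSIDs the user has pinned as genuine on earlier visits (constructed placeholders).
TRUSTED_BSSIDS = {"CafeFreeWiFi": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}}


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    channel: int
    signal_dbm: int
    security: str


def parse_scan(text):
    """Parse the constructed scan format into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, signal, security = line.split(";")
        aps.append(AccessPoint(ssid, bssid.lower(), int(channel), int(signal), security.upper()))
    return aps


def oui(bssid):
    """Vendor prefix (first three octets) of a MAC address."""
    return bssid[:8]


def find_suspicious(aps, trusted=None):
    """Return (ssid, bssid, reason) for access points that look like impostors.

    Rule 1: if the SSID has pinned BSSIDs, anything not pinned is flagged.
    Rule 2 (heuristic): with nothing pinned, an SSID served from more than one
    vendor OUI is flagged, since one hotspot operator rarely mixes vendors.
    """
    trusted = TRUSTED_BSSIDS if trusted is None else trusted
    by_ssid = defaultdict(list)
    for ap in aps:
        by_ssid[ap.ssid].append(ap)

    findings = []
    for ssid, group in by_ssid.items():
        pinned = {b.lower() for b in trusted.get(ssid, ())}
        vendor_ouis = {oui(ap.bssid) for ap in group}
        for ap in group:
            if pinned:
                if ap.bssid not in pinned:
                    findings.append((ssid, ap.bssid, "not in pinned BSSID list"))
            elif len(vendor_ouis) > 1:
                findings.append((ssid, ap.bssid, "SSID advertised from more than one vendor OUI"))
    return findings


def open_networks(aps):
    """SSIDs with no link-layer encryption: everything sent over them is clear text."""
    return sorted({ap.ssid for ap in aps if ap.security == "OPEN"})


if __name__ == "__main__":
    scan = parse_scan(SCAN_LINES)
    for ssid, bssid, reason in find_suspicious(scan):
        print(f"SUSPICIOUS  {ssid:<14} {bssid}  {reason}")
    for ssid in open_networks(scan):
        print(f"OPEN        {ssid:<14} (treat all traffic as readable by others)")
```

On a real machine the `SCAN_LINES` string would be replaced by the output of the platform's scan tool; the pinned list is only as good as the first visit on which it was recorded, so it reduces but does not remove the risk of connecting to an impostor.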
For more information on security and WiFi visit www.gss.co.uk

Source: EskenziPR
<>

Australian government plans to block illegal sites

Finjan gives thumbs up to Aussie plan to block illegal sites

Farnborough, United Kingdom, December 2008 - Finjan, a leading provider of secure web gateway solutions for the enterprise market, has given a "thumbs up" signal to Australian plans to block access to thousands of Web sites with illegal content.

"The game plan is for Australian ISPs to be mandated to block access to Web sites containing illegal content such as child pornography or terrorist materials," said Yuval Ben-Itzhak, Finjan's CTO.

“I would also recommend the Australian government includes in this plan actions against ISPs and other Web hosting companies that allow cybercriminals to host their command and control servers and distribute malware.” says Ben-Itzhak.

A recent example from the US indicates that global spam levels dropped by as much as 75 per cent following the shutdown of a US web host that provided the backbone for most of the world's spam - http://www.smh.com.au/news/technology/security/spam-drops-75-as-major-host-shut-down/2008/11/14/1226318899436.html. This action turned out to be very efficient and quick compared with identifying each of the cybercriminals individually.

Finjan's quarterly trends reports, he said, have consistently shown that the volume and variety of malware on the Internet has been climbing steadily. This means that any move which seeks to limit access to those sites containing malicious code and other sources of malware infection can only do good as far as business Internet users are concerned.

For more on the Australian illegal content blocking plan: http://tinyurl.com/6nlz38
For more on Finjan: http://www.finjan.com

Malicious Code Research Center (MCRC) is the leading research department at Finjan, dedicated to the research and detection of security vulnerabilities in Internet applications, as well as other popular programs. MCRC’s goal is to stay steps ahead of hackers attempting to exploit open platforms and technologies to develop malicious code such as Spyware, Trojans, Phishing attacks, worms and viruses. MCRC shares its research efforts with many of the world’s leading software vendors to help patch their security holes. MCRC is a driving force behind the development of next generation security technologies used in Finjan’s proactive web security solutions. For more information, visit our MCRC subsite.

Finjan is a global provider of web security solutions for the enterprise market. Our real-time, appliance-based web security solutions deliver the most effective shield against web-borne threats, freeing enterprises to harness the web for maximum commercial results. Finjan’s active real-time web security solutions utilize patented behavior-based technology to repel all types of threats arriving via the web, such as spyware, phishing, Trojans and obfuscated malicious code, securing businesses against unknown and emerging threats, as well as known malware. Finjan's security solutions have received industry awards and recognition from leading analyst houses and publications, including Gartner, IDC, Butler Group, SC Magazine, CRN, ITPro, PCPro, ITWeek, Network Computing, and Information Security. With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential.

Source: Eskenzi PR Ltd.
<>

Brocade’s 8Gbit/sec HBA is chosen by Hitachi Data Systems to boost its storage networking portfolio

Innovative Brocade HBAs deliver unmatched data centre performance, with advanced server and storage virtualisation support and integrated management

Brocade® (NASDAQ: BRCD) has announced in December 2008 that Hitachi Data Systems (HDS) has added its innovative 8Gbit/sec server Host Bus Adapters (HBAs) to the company's storage networking portfolio. Brocade’s HBAs deliver unique breakthrough performance and end-to-end customer networking capabilities, and empower customers considering server virtualisation as part of their data centre strategy.

Augmenting the industry-leading performance of the Brocade DCX Backbone and 48000 Director, the innovative Brocade 8Gbit/sec HBAs (the Brocade 815/825) utilise an industry-first integration of important adapter functions into high-performance hardware. The HBAs have been designed to deliver twice the throughput of competing products. Together, the new products offer unmatched server-to-storage connectivity and capabilities, supporting features such as fabric Quality of Service (QoS), traffic management and other Adaptive Networking services that benefit evolving data centres.

“We have been working with Brocade for several years and realise the importance of these HBAs to enable us to offer more value to our customers to help manage their storage infrastructure," says Michael Väth, Senior Vice President and General Manager for EMEA at Hitachi Data Systems. "We both understand the need to improve performance of data centres using tools such as server and storage virtualisation. These new solutions provide more of an end-to-end solution for our customers to give them greater choice and enhanced performance."

"With the introduction of our 8Gbit/sec HBAs, Brocade and HDS are delivering a new class of server connectivity for the evolving data centre,” said Barbara Spicek, Senior Director - Sales at Brocade. “Addressing the business need to make data centres more efficient, reliable and adaptable, these HBAs allow organisations to consolidate and virtualise server-to-storage environments while simplifying overall management. With innovative connectivity features that are years ahead of the competition, Brocade’s HBAs will deliver a true competitive advantage to HDS and its customers.”

Brocade's newest HBAs are designed to meet the growing performance, connectivity, and virtualisation needs of enterprise data centres. The HBAs are architected to extend I/O performance at the server up to an industry-best 500,000 IOPs (Input/Output Operations Per Second) per port, an important factor in highly virtualised environments. They are also designed to support new QoS, data mobility, and data encryption features that ensure faster and more secure communications between virtual servers and storage.

To learn more about Brocade’s HBAs visit http://www.brocade.com/products-solutions/products/server-connectivity/index.page.

Brocade is a leading provider of networked storage solutions that help organizations connect, share, and manage their information. Organizations that use Brocade products and services are better able to optimize their IT infrastructures and ensure compliant data management. For more information, visit the Brocade Web site at www.brocade.com

Hitachi Data Systems Corporation provides Services Oriented Storage Solutions that enable heterogeneous storage to be dynamically provisioned according to business needs and centrally managed via industry-leading Hitachi storage virtualization software. With over 4,000 employees, and as an integral part of the Hitachi Storage Solutions Group, Hitachi Data Systems delivers storage infrastructure platforms, storage management software, and storage consulting services through direct and indirect channels in over 170 countries and regions. Its customers include nearly 60 percent of Fortune 100 companies. For more information, visit the company's Web site at http://www.hds.com

Hitachi, Ltd., (NYSE: HIT / TSE: 6501), headquartered in Tokyo, Japan, is a leading global electronics company with approximately 390,000 employees worldwide. Fiscal 2007 (ended March 31, 2008) consolidated revenues totaled 11,226 billion yen ($112.2 billion). The company offers a wide range of systems, products and services in market sectors including information systems, electronic devices, power and industrial systems, consumer products, logistics, materials and financial services. For more information on Hitachi, please visit the company's website at http://www.hitachi.com

Source: Spreckley Partners Limited
<>

Less than one week to go until the world’s largest technology in education event opens!

Wednesday next week, the world’s largest technology in education show opens its doors to visitors from all over the UK and around the world. Celebrating its 25th anniversary in 2009, BETT offers educationalists, local authorities, parents and the industry a packed seminar and CPD programme, along with over 600 exhibitors showcasing a vast array of the latest ICT resources to hit the market. BETT runs from Wednesday 14 January to Saturday 17 January 2009 at Olympia, London.

If you are still to register for a press pass, please contact us as soon as possible so we can arrange this for you. Also, if you would like us to organise interviews with any of the show organisers, including Emap’s Richard Joslin, exhibition director, or Keith Clifford, marketing manager, please let us know and we can assist you.

Schools Minister Jim Knight is officially opening BETT with his keynote speech on Wednesday morning. At the show there is going to be a plethora of innovative feature areas, including Learning Elsewhere. Led by one of the industry’s most respected educationalists, Prof. Stephen Heppell, Learning Elsewhere explores the development of learning beyond the classroom environment.

With a number of big name exhibitors set to launch exciting new products at BETT, be sure that you are the first to see these in action.

Source: Mango Marketing
<>

Educationalists are taking CPD seriously at BETT 2009, proving technology in education is no longer an option

This year, BETT, the world’s largest technology in education show, has seen interest in its renowned seminar and CPD programme soar, with 30 per cent more educationalists booking places than last year, resulting in over 3,000 reserved seats for 2009. On average, each seminar attendee is booked on three seminars. Held at London Olympia from 14-17 January 2009, BETT offers teachers, leaders and local authority decision makers the chance to participate in an array of educational seminars.

These figures suggest teachers and leaders are addressing the recommendations made in Jim Rose’s recent independent review on primary schools in England, published on 8 December 2008, which stated that primary schools should place a stronger emphasis on ICT. Rose reported that computer skills should be given the same importance as reading, writing and arithmetic, and children should be taught how to use podcasts and PowerPoint presentations in primary education, to prepare them for secondary school.

The numbers also support Schools Minister Jim Knight’s comments made at the ICT for Education conference in Birmingham in July 2008, that: “We (Becta) want every educational institution to harness technology’s potential, every teacher and student to use it confidently”.

Keith Clifford, marketing manager of BETT organiser, Emap, comments: “The substantial rise in seminar bookings proves that BETT is the place to learn more about technology and its effects in the classroom. With technologies increasingly becoming integral to education in the UK and abroad, BETT is not only the place to touch and test the resources on offer, but to learn exactly why using technology makes such a huge difference to the learning experiences of today’s children.”

This year, seminar sessions respond to the show’s key themes, including techniques to enrich the curriculum, personalised learning, management and leadership and the modernisation of schools (BSF). With best-practice techniques core to the programme, visitors can attend practitioner-led sessions that showcase the very best in innovative and creative teaching practice, seek advice from a series of keynote speakers including Government agency seminars and attend SEN-focussed topics. If you would like to join the number of educationalists already booked in to an insightful seminar session, visit www.bettshow.com to search through the seminar programme and book your place.

Celebrating its 25th anniversary in 2009, BETT continues to be at the forefront of innovative solutions to assist schools to exceed education standards. Visit www.bettshow.com to register today, and to learn more about the features, exhibitors and seminars at BETT 2009.

Celebrating its 25th anniversary in 2009, BETT has evolved into the world’s largest technology in education event. With over 29,000 visitors and 700 educational exhibitors in 2008, BETT continues to support creative teaching and learning by enabling practitioners to touch and test resources, debate ideas and continue their professional development. BETT 2009 will run over four days from 14 – 17 January at Olympia, London. For more information on BETT 2009, please visit: www.bettshow.com.

Emap Ltd is a leading business to business media group and the largest UK exhibition organiser with brands in education that include BETT, the BETT Awards, The Education Show and the Scottish Learning Festival.

Source: Mango Marketing
<>

The Top Ten Data Security Myths

By Gordon Rapkin, CEO of data security specialist, Protegrity

1. If we buy the right security solutions, our data will be protected
No matter how much money you frantically throw at vendors, enterprise data will remain vulnerable until you pay equal attention to educating people and developing data-driven security processes and policies. One of the most positive things an enterprise can do from a security standpoint is to institute ongoing data defence training for employees. Then enforce policies using technologies like role-based access, automated enforcement and system auditing and ensure that there are real consequences if policies are ignored or thwarted.

2. The real threat emanates from inside/outside the organisation
Narrowing the enterprise’s focus to protect data against specific types of attacks often results in opening the doors to other types of attacks. Don’t implement a media-scare-story-driven security plan based on reacting to every overwrought report or bit of research. Constantly shifting focus to manage the threat of the moment will result in piecemeal security; focus instead on comprehensively securing data.

3. We’ve outsourced data storage/security, so we don’t need to worry anymore about securing personally identifiable information (PII).
The hard truth is that businesses cannot outsource their responsibility to protect data. If a business is required to comply with data protection standards or regulations, and its outsourcing partner fails to protect personal data, the company that owns the data will most likely be considered at fault. It will be liable for any associated costs, penalties or legal actions that might arise from its exposure. You must ensure that the company you are partnering with — offshore or domestic — takes data security seriously and fully understands the regulations that affect your business.

4. Certified applications are secure now and into the future
Certification is valid at the single point in time when the application was sanctioned. No certification comes with a “Happily Ever After” fairytale guarantee. Certified applications need to be managed in the same way as any other application, with regular reviews of vendor patches, monitoring changes in the environment and auditing usage to stay on top of the inherent risks.

5. We know our network doesn’t have vulnerabilities because we patch our applications regularly.
Patches fix only the exploits that we know about and not all flaws are public knowledge. Sometimes the bad guys find them first and they aren’t exactly eager to alert vendors to the problem. Vendors also can’t always patch holes immediately, and sometimes patches can create exciting new security holes and other problems. Patching is an important part of an enterprise security plan, but doesn’t alone equal a secure system.

6. We don’t need to worry about those far-fetched ‘Proof of Concept’ hack attacks the IT guys are always getting excited about.
Theoretical attacks shouldn’t keep you up at night, especially if they require a high skill level, physical access and a well stocked computer lab to conduct the attack successfully. That said, proof of concept attacks should be treated like a preview of an action movie that may or may not come to a cinema near you. IT should certainly be aware of the new and exciting things the security and underground communities are discussing, and should track emerging threats that seem likely to become actionable exploits. Forewarned is forearmed.

7. If a system is in compliance with industry data-protection regulations, that system is secure.
Nothing could be further from the truth. Regulations and standards tend to deal with specific and limited issues, such as securing the systems that process payment card data, and don’t address the network and applications holistically, something which is essential for real security. Roll compliance into your security plan, but don’t make it the centrepiece or sum total of the enterprise’s data protection efforts.

8. The strongest possible security is essential for all business systems and every part of a system.
Defcon 1 level security is neither necessary nor desirable for all businesses, or for every aspect of a business environment. It makes far more sense from financial, usability and availability standpoints to focus the most stringent security efforts on protecting the most sensitive information. Companies should define their data security strategies based on a comprehensive risk analysis of the value of data they collect, use and manage and the enterprise’s own threat profile.

9. Open source software is inherently more secure than proprietary software, or vice versa.
Neither of these two software development methods results in 100% bulletproof applications. Comprehensive code testing, correct deployment and the right security plan are more important than whether applications were developed in open source or proprietary mode.

10. All security builds on prior investments
The success of an enterprise’s security efforts needs to be regularly reviewed and measured: older goals may need to be dropped, new plans may need to be instituted, and sometimes technologies that seemed like great ideas at the time may become a gaping security hole as a result of changes in the computing environment or advances in the hacker community. An example of this is DES encryption. At one time it was considered secure, until a dedicated group proved it was vulnerable to brute force attacks due to its short (56-bit) key. Security is always a moving target and we have to be willing to shift focus as conditions demand.

Protegrity USA Inc. is exhibiting at Infosecurity Europe 2009, Europe's number one dedicated Information security event. Now in its 14th year, the show continues to provide an unrivalled education programme, the most diverse range of new products & services from over 300 exhibitors and 12,000 visitors from every segment of the industry. Held on the 28th – 30th April 2009 in Earls Court, London this is a must attend event for all professionals involved in Information Security. www.infosec.co.uk

Source: InfosecurityPR
<>