Novatel Wireless Announces Successful HSPA+ Dual-Carrier Data Transmission with Qualcomm's MDM8220 Chipset

First Data Call with Peak Throughput of up to 40 Mbps Completed

SAN DIEGO, January 2010 – Novatel Wireless, a leading provider of wireless broadband solutions, today announced that it has successfully completed the first data transmission over dual-carrier HSPA+ using Qualcomm's industry-leading MDM8220 chipset. Dual-carrier HSPA+ is a network innovation that will deliver more advanced data capabilities and support more compelling applications with richer user experiences. Novatel Wireless is working with operators and plans to launch commercial data devices based on the MDM8220 in the second half of 2010.

"Novatel Wireless is continuously investing in research and development to ensure that we lead the market with cutting edge wireless data solutions," said Dr. Slim Souissi, CTO, Novatel Wireless. "We are very pleased to be working closely with industry technology leader Qualcomm to achieve these technical milestones, and we look forward to continuing to evolve our product line to deliver innovative solutions to meet the needs of our customers."

Novatel Wireless, Inc. is a leader in the design and development of innovative wireless broadband access solutions based on 3G and 4G technologies. Novatel Wireless' Intelligent Mobile Hotspot products, software, USB modems and embedded modules enable high-speed wireless Internet access on leading wireless data networks. The Company delivers specialized wireless solutions to carriers, distributors, OEMs and vertical markets worldwide.

SOURCE: Novatel Wireless

Origin says Swiss Army encryption challenge worth more than $100K

Basingstoke, January 2010 (Eskenzi PR) – News that an encrypted Swiss army knife from manufacturers Victorinox remained uncracked – and a $100,000 prize went unclaimed – at the Consumer Electronics Show in Las Vegas this month (http://bit.ly/70fZpP) comes as no surprise, says Origin Storage.

And, says Andy Cordial, managing director of the storage systems integration specialist, even if someone had cracked the 2010 version of the famous Swiss army knife, they would have obtained a lot more than $100,000 from other sources.

"Victorinox, the manufacturers of the Swiss army knife, which dates back to the late 1800s in its various forms, has made much of the unit's tamper-proof self-destruct mode, but the reality is that the crypto USB drive supports elliptical curve and AES encryption, which makes it almost impervious to crackers using current known technology," he said.

"The reputation of encryption technology has taken a battering with the revelations that the A5/1 and A5/3 crypto systems used on cellular networks (http://bit.ly/651JHG) have been compromised in the last few weeks, but the elliptical curve and especially the AES systems are still, I'm pleased to report, uncracked," he said.

And, the Origin Storage MD went on to say, the AES encryption system is likely to remain uncracked for some time to come, as even Bruce Schneier - the renowned ITsec industry sceptic and researcher - said in his research last summer (http://bit.ly/J3VBt) that "AES-128 provides more than enough security margin for the foreseeable future."

"As Schneier observed in his research, cryptography is all about safety margins and that's why our own DataLocker encrypted hard drive units give users a choice of 128- and 256-bit AES encryption," he said.

"If a hacker manages to crack 128-bit AES technology, then you can bet your bottom line that Schneier would be interested, and governments would pay a lot more than $100,000 for the secret. But this clearly isn't going to happen for some time to come, so I think Victorinox' cash is safe for the time being," he added.

For more on Origin Storage: http://www.originstorage.com


RockYou hack reveals world's most popular passwords

Imperva Releases Detailed Analysis of 32 Million Breached Consumer Passwords

Data Security Firm’s Report Highlights Consumer Susceptibility to Cyber Attack

London, January 2010 (Eskenzi PR) – Imperva, the leader in Data Security, announced today the release of a study analyzing 32 million passwords recently exposed in the RockYou.com breach. Imperva’s Application Defense Center (ADC) analyzed the strength of those passwords in a report, Consumer Password Worst Practices, intended to help consumers and website administrators identify the most commonly used passwords, which they should avoid when using social networking or e-commerce sites.

The report can be downloaded at: http://www.imperva.com/ld/password_report.asp.

The report identifies the most commonly used passwords:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” explained Imperva’s CTO Amichai Shulman. “The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism. Never before has there been such a high volume of real-world passwords to examine.”

Some key findings of the study include:

The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as “brute force attacks.”

Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is “123456”.

Recommendations for users and administrators for choosing strong passwords.
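The categories named in the findings above can be turned into an administrator-side check. What follows is an added example, not Imperva's code or the report's methodology: it flags a password that appears in the top-10 list printed above, a run of consecutive digits, an adjacent-key "keyboard walk", a single repeated character, or a plain word-list entry, and then tallies what fraction of a sample falls into at least one category, in the style of the study's figures. The keyboard rows, the small word list, the 8-character minimum and the sample passwords are constructed here; a real deployment would load full name, slang and dictionary lists.

```python
# Added example (not Imperva's code): classify passwords by the weak-pattern
# categories named in the RockYou analysis and tally a sample the way the
# study reports its findings.  Word list, keyboard rows, minimum length and
# sample data are constructed here.
import string
from collections import Counter

# The ten most common RockYou passwords as printed in the report.
ROCKYOU_TOP10 = {p.lower() for p in [
    "123456", "12345", "123456789", "Password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
]}

# Constructed stand-in for the names / slang / dictionary lists a real
# deployment would load (e.g. the system dictionary plus a names file).
WORD_LIST = {"password", "princess", "iloveyou", "monkey", "dragon",
             "sunshine", "football", "welcome", "michael", "jennifer"}

# Constructed US-QWERTY letter rows used to spot "adjacent keyboard keys".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 8  # policy threshold assumed for this example, not from the report


def _sequential_digits(pw):
    """True for runs such as 12345 or 987654: all digits, constant step of 1."""
    if len(pw) < 3 or not pw.isdigit():
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def _keyboard_walk(pw):
    """True when the whole password slides along one keyboard row in either
    direction, e.g. qwerty or lkjhg."""
    low = pw.lower()
    return len(low) >= 4 and any(low in row or low in row[::-1]
                                 for row in KEYBOARD_ROWS)


def _repeated_character(pw):
    """True for a single character repeated, e.g. aaaaaaaa."""
    return len(pw) >= 3 and len(set(pw)) == 1


def _word_list_entry(pw):
    """Plain word-list entry, optionally followed by digits (password, password1)."""
    stem = pw.lower().rstrip(string.digits)
    return bool(stem) and stem in WORD_LIST


def classify(pw):
    """Return the weak-pattern labels that apply; [] means the password passed
    these particular checks, which is not a guarantee of strength."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if pw.lower() in ROCKYOU_TOP10:
        reasons.append("in_breach_top10")
    if _sequential_digits(pw):
        reasons.append("sequential_digits")
    if _keyboard_walk(pw):
        reasons.append("keyboard_walk")
    if _repeated_character(pw):
        reasons.append("repeated_character")
    if _word_list_entry(pw):
        reasons.append("word_list")
    return reasons


def summarize(passwords):
    """Tally a password set the way the study does: how many fall into at
    least one weak category, and how often each category occurs."""
    reasons = Counter()
    weak = 0
    for pw in passwords:
        hits = classify(pw)
        if hits:
            weak += 1
            reasons.update(hits)
    return {"total": len(passwords), "weak": weak,
            "weak_fraction": weak / len(passwords) if passwords else 0.0,
            "reasons": dict(reasons)}


# Constructed sample for the demonstration, not data from the breach.
SAMPLE = ["123456", "qwerty", "Password1", "aaaaaaaa", "Tr0ub4dor&3xyz"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r:18} -> {classify(pw) or 'no weak pattern found'}")
    print(summarize(SAMPLE))
```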

For enterprises, password insecurity can have serious consequences. “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like ‘123456’,” said Shulman.

“The problem has changed very little over the past 20 years,” explained Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. “It’s time for everyone to take password security seriously; it’s an important first step in data security.”

Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit www.imperva.com.


FalconStor® FDS Version 2.0 Delivers Enterprise-Class High Availability Plus Double the Performance with Symantec OST Support

Nexsan First FalconStor Technology Partner to Incorporate FalconStor FDS 2.0 into its Storage Systems

MELVILLE, N.Y., January, 2010 - FalconStor Software, Inc. (NASDAQ: FALC), the provider of TOTALLY Open™ data protection solutions, today announced version 2.0 of FalconStor® File-interface Deduplication System (FDS), which takes LAN-based deduplication to the next level of enterprise-class functionality with high availability and other enterprise capabilities. Nexsan is the first FalconStor technology partner to incorporate FalconStor FDS 2.0 into its storage offering in the Nexsan DeDupe SG 2.0 family of deduplication appliances.

FalconStor FDS is designed for both small-to-medium-size businesses and large enterprises looking to reduce storage space and costs by writing backup data more efficiently to disk. With the addition of high availability, enterprises of all sizes will retain access to their backed-up data, ensuring that backups of critical systems can always be completed within narrow backup windows - which is especially important for databases that may run a company's ERP, CRM or other important applications. Other enterprise-class features in FDS 2.0 include:

Support for Symantec OpenStorage (OST) delivers backup data throughput of 5.4 terabytes per hour, with ingest rates of 1.5 gigabytes per second over two 10 Gigabit Ethernet links, doubling performance.

An increased fan-in ratio of 150-to-1 that supports more distributed environments and enhances the scope of global deduplication.

An enhanced replication dashboard for real-time status monitoring.

More granular, folder level, replication support.

Policy-driven end-to-end data integrity checking.

Collision avoidance that ensures data consistency and prevents data loss.

"The release of Nexsan DeDupe SG 2.0, which integrates the advanced enterprise-class capabilities of FalconStor FDS 2.0, underscores our commitment to offering market-leading deduplication solutions," said Bob Woolery, senior vice president of marketing for Nexsan. "Today's organizations require cost-effective solutions for high availability and continuous data access; the Nexsan DeDupe SG 2.0 meets these requirements while providing the optimized performance and efficiency enterprises of all sizes demand."

"With this significant enhancement to FalconStor FDS, FalconStor now leads the market in features, scalability and performance in enterprise-class deduplication solutions for data centers," said Fadi Albatal, vice president of product marketing for FalconStor. "The market has been demanding a high-availability dedupe solution for NAS-based disk-to-disk backup environments, and we are the first to deliver."

Pricing and Availability

FalconStor FDS 2.0 will be generally available at the end of February through FalconStor's worldwide network of channel partners. The Nexsan DeDupe SG 2.0 family of deduplication appliances will be available at the end of February through Nexsan's worldwide channel partner network.

FalconStor FDS offers block-level deduplication of backup data via a simple file interface. FalconStor FDS extends the company's highly scalable data deduplication technology - already widespread as part of the industry-leading FalconStor® Virtual Tape Library (VTL) solution - to network-attached storage (NAS) disk-to-disk backup environments. With built-in many-to-one replication capability, the file-interface system provides global deduplication by replicating from remote sites to a central data repository across the wide-area network.

FalconStor Software, Inc. (NASDAQ: FALC) is the market leader in disk-based data protection. FalconStor delivers proven, comprehensive data protection solutions that facilitate the continuous availability of business-critical data with speed, integrity, and simplicity. The company's TOTALLY Open™ technology solutions, built upon the award-winning IPStor® platform, include the industry leading Virtual Tape Library (VTL) with deduplication, Continuous Data Protector (CDP), File-interface Deduplication System (FDS), and Network Storage Server (NSS), each enabled with WAN-optimized replication for disaster recovery and remote office protection. FalconStor products are available from major OEMs and solution providers including 3Com, Acer, COPAN Systems, Data Direct Networks, Dynamic Solutions International, EMC, Pillar Data Systems, Spectra Logic and Sun and are deployed by thousands of customers worldwide, from small businesses to Fortune 1000 enterprises.

FalconStor is headquartered in Melville, N.Y., with offices throughout Europe and the Asia Pacific region. FalconStor is an active member of the Storage Networking Industry Association (SNIA). For more information, visit www.falconstor.com.


Data hung out to dry as 4,500 USBs are left in Dry Cleaners

Users could face fines of up to £500k if they cause a data security breach!

London, January 2010 (Eskenzi PR) – A survey released today reveals that in the last year, 4,500 memory sticks have been forgotten in people’s pockets as they take their clothes to be washed at the local dry cleaners. From 6th April onwards, if data is lost and causes a major security breach, this could cost a company up to £500k under new powers given to the Information Commissioner’s Office (ICO) to fine companies that have not sufficiently protected customers’ details under the Data Protection Act[1].

However, when compared with the same study twelve months ago, the number of these devices languishing forgotten in people’s pockets has halved, and yet it’s still a staggering number of possible data breaches and a potential money spinner for the ICO.

However, the study sponsor, data security experts CREDANT Technologies, has a theory that this decline is more likely a change in users’ habits than a significant breakthrough in people’s vigilance. In fact, its experience on the front line of this battle is that users are now downloading information onto smartphones and netbooks, which have boomed in popularity in the last year, so although on the surface the decline looks promising, in reality the problem has simply spread across a multitude of other devices.

Sean Glynn, vice president and chief marketing officer at Credant Technologies, said: “Although this study shows a positive drop in the number of lost memory sticks, we would urge users to take more care than ever not to download unprotected customer details and other sensitive information that, if lost, could lead to a security breach, especially now there are harsh fines afoot.”

The survey was carried out in the UK to gauge the frequency and ease with which mobile devices, such as memory sticks, are lost or forgotten in strange places such as dry cleaners and should warn people across the globe to demonstrate prudence when downloading information to carry around with them as it does frequently get lost. In previous studies conducted by Credant Technologies amongst taxi drivers in London and New York over 12,500 handheld devices such as laptops, iPods and memory sticks are forgotten at the back of taxis every 6 months!

Concluding, Sean Glynn said: “This survey is just one illustration of the stark truth that device losses are happening everywhere, every day, worldwide. Organisations want to leverage the business benefits of mobile computing and provide their employees the flexibility to work wherever and whenever they want to. However, this must be balanced with the requirement of protecting the organisation’s data, especially to avoid penalties such as those promised by the ICO, brand damage or even embarrassing press headlines. If sensitive or valuable data is being carried then people should protect it with encryption to prevent unauthorised access at any point, as it could easily end up in the wrong hands.”

Not just USB sticks left at the dry cleaners... but wedding rings, lipstick and...

When asked to recall the strangest objects they had found in customers’ pockets, most had found pens, lipstick, stockings and a wedding ring; one unfortunate dry cleaner had found a pair of false teeth!

CREDANT Technologies is the market leader in endpoint data protection solutions. CREDANT’s data security solutions mitigate risk, preserve customer brand, and reduce the cost of compliance, enabling business to “protect what matters.” CREDANT Mobile Guardian is the only centrally managed endpoint data protection solution providing strong authentication, intelligent encryption, usage controls, and key management for data recovery. By aligning security to the type of user, device, and location, CREDANT permits the audit and enforcement of security policies across all computing endpoints. Strategic partners and customers include leaders in finance, government, healthcare, manufacturing, retail, technology, and services. CREDANT has been recognized by Inc. magazine as the #1 fastest growing security software company in 2008 and 2007; was selected by Red Herring as one of the top 100 privately held companies and top 100 Innovators; and was named Ernst & Young Entrepreneur of the Year 2005. Austin Ventures, Menlo Ventures, Crescendo Ventures, Intel Capital (NASDAQ:INTC), and Cisco Systems (NASDAQ:CSCO) are investors in CREDANT Technologies. For more information, visit www.CREDANT.com.

[1] http://www.ico.gov.uk/upload/documents/pressreleases/2010/penalties_guidance_120110.pdf


8,378 reasons for better banking security

Imperva identifies 8,378 reasons for better banking security

Reports that the Suffolk County Bank - a subsidiary of Suffolk Bancorp, the US financial institution - had its banking servers hacked last November (http://bit.ly/8XSjHM) were met with astonishment at Imperva.

According to Amichai Shulman, the data security specialist's chief technology officer, what is amazing about the case is not just the fact that the bank has taken until now to reveal that around 10 per cent of its customers' credentials were compromised, but that the data was stored as plain text.

"This confirms our observations in our recent end-of-year analysis, in which we predicted that 2010 will be year of hackers going after people's credentials, since they have become a saleable - as well as usable - commodity on the Internet," he said.

"The main reason for credentials being more valuable than credit card details is that, whilst cards are usually invalidated a short time after they have been fraudulently used, people regularly use the same credentials on multiple systems," he added.

As a result, the Imperva CTO says, it's a lot more difficult for a large number of Internet users to ‘lock down’ their electronic identities, as they have to change their passwords on multiple systems.

A much better strategy, he went on to say, is for organisations to start using multiple layers of security, including strong passwords and firewalling their databases from prying eyes.

In this case, Shulman explained, it is clear the hackers realised that bank user credentials have a much higher community value than, say, payment card information: once a hacker can log in with a user's credentials, s/he has access to their accounts and can perform as many transactions as they wish.

"What I find astonishing about this hack is that you would think that a banking application would undergo much more stress testing than most and, as a result, the storage of user credentials in plain text would have been spotted and remediated early on in the system development process," he said.

"Although the full modus operandi for this banking hack has yet to be revealed, given that the server was accessed and 8,378 credentials were stolen, I would assume the attacker gained access using an SQL injection approach," he added.

For more on Imperva: http://www.imperva.com


MiFi security weakness highlights need for code auditing

Fortify says MiFi security weakness highlights need for code auditing

January 2010 (Eskenzi PR): News reports that the GPS-enabled Wireless MiFi unit can be persuaded to reveal its position across the internet – without the user being aware of the information leak (http://bit.ly/8tZcKF) – highlight the fact that manufacturers are cutting corners and failing to code audit products before they ship, says Fortify Software.

"As our colleagues at EvilPacket have discovered, the unit's integral GPS interface can be hacked in such a way that a MiFi user visiting a malicious Web site can have their geographic location and passphrase revealed without their permission," said Richard Kirk, European director with the application vulnerability specialist.

"This is symptomatic of a product that has shipped before the designers have thought through the possible security issues with their product, and failed to test the security of the device’s software at all stages of its development," he added.

According to Kirk, regular security testing of the code as part of a development process ensures software that is being developed is inherently secure.

In other words, he explained, this approach ‘builds security into’ the device, as opposed to attempting to add it after the device has been designed, which is what will happen in this situation.

This approach, the Fortify European director went on to say, is not only more cost-effective, but also results in applications that are much more secure because security was considered at every step of the development process.

"This isn't singling out the manufacturer of the affected MiFi unit for specific criticism. The failure to test the security of device software at all stages in their development is a common issue amongst technology products - the days of breadboarding up a device and then manufacturing it without a security test of the software have long gone," he said.

"That approach to technology product development may have applied in the early days of computing - as seen by BBC TV's Micro Men recently (http://bit.ly/5aICn) - but technology has moved on, so IT systems designers now owe it to themselves, as well as their customers, to test the security of their software at all stages of product development," he added.

For more on Fortify: http://www.fortify.com

Editor's comment: The device in question here is, unfortunately, Novatel Wireless's MiFi ‘portable Wi-Fi’ hotspot, which we reviewed some time ago.

CTO Doubts Internet Explorer Vulnerability Was Behind China's Google Hack

Imperva CTO Amichai Shulman Doubts Internet Explorer Vulnerability Was Behind China's Google Hack

In response to McAfee’s claim that a vulnerability in Internet Explorer played an important role in the recent attack against Google China, Imperva CTO Amichai Shulman cast doubt over the assertion.

“First, why are Google employees using IE and not Google’s own browser, Chrome? This doesn’t make sense,” explained Shulman.

“Second, to execute an attack this sophisticated, it likely occurred as a result of spear phishing Google employees to gain access to Google users’ credentials. A hacker would have to jump through many hoops inside an internal network. This requires network—not browser—vulnerabilities so that the attacker can communicate with malware inside Google’s internal network,” explained Shulman.

“Unfortunately, blaming Microsoft is all too easy and it’s leading to a panic. France and Germany are now recommending that their citizens not use Internet Explorer given its role in the recent Google hacking incident,” he said, citing today’s decision by the leading European governments. “Could this be a clever way to boost Google Chrome downloads?”


New Security Score Offers Snapshot of Firewall Risk and Compliance

Tufin Delivers Best-in-Class Risk Report and Advanced Security Workflow Capabilities with Tufin Security Suite (TSS) 5.1

New Security Score Offers Snapshot of Firewall Risk and Compliance Posture; Updated PCI-DSS Reports and Complex Workflow Automation Round Out New Release

Ramat Gan, Israel, January 2010 (Eskenzi PR) – Tufin Technologies, the leading provider of Security Lifecycle Management solutions, today announced version 5.1 of its award-winning Tufin Security Suite (TSS). TSS is the combined offering of Tufin’s flagship firewall operations product, SecureTrack, and SecureChange Workflow, its innovative change management solution. Version 5.1 features the Tufin Security Score, a risk scoring engine that provides all stakeholders with instant visibility into the security and compliance posture of their firewalls, enhanced workflow automation, and updated PCI-DSS reporting. With TSS 5.1, Tufin once again sets the bar for what any organization looking to automate network security policy and change management should expect in terms of functionality, business value, and ease of use.

“With highly dynamic networks, finding and eliminating network security risks as soon as, or even before, they happen is a prime objective,” said Colin Miles, Corporate Network Manager, Virgin Media. “SecureTrack’s new Security Score automates risk management in a very useful way, making it much easier to manageably and consistently spot trends and identify issues that require immediate attention. Tufin’s focus on automating more complex security change processes is exactly the kind of innovation that is needed within the industry. With every release, Tufin demonstrates how well it understands the challenges its customers face by delivering enhancements that enable us to be more strategic and make better decisions.”

Tufin customers report that deploying TSS cut the time and cost of firewall operations in half, resulting in a return on investment in less than eight months. By further automating risk and change management, Tufin extends additional time and cost savings to areas that are either still highly manual in nature or have only baseline automation, enabling organizations to reap dramatic, quantifiable efficiency gains.

“Technology such as Tufin’s, that provides a clear picture into what would otherwise be difficult for operational teams to consistently manage, adds some much needed science to the art of managing network security,” said Scott Crawford, EMA. “Sifting through numerous firewalls from multiple vendors, each with hundreds of rules, just to pinpoint why a seemingly straightforward policy change caused a significant outage or problem is incredibly painful – yet this is all too often the day-to-day reality in hundreds of enterprises. Tufin offers a very practical solution whose strength lies in its ability to simplify this complexity and make firewall management more realistic, not just for the large or complex enterprise but for any organization that struggles with this all-too-common reality.”

TSS 5.1: Delivering Metrics that Matter, Productivity-increasing Process

Tufin’s new risk report enables administrators to vet firewalls across a wide set of predefined and customizable factors. When the analysis is complete, each device is assigned a unique Security Score. TSS provides the Security Score of each firewall gateway and also provides a comprehensive, cross-vendor, organizational-level score. This gives non-technical stakeholders a clear understanding of the nature and level of overall network security risk, and technical stakeholders the granular, actionable data they need to manage it accordingly.

On the change management front, Tufin has automated complex, parallel workflows, enabling a trouble ticket to be dynamically split into concurrent activities and divided up between different administrators or groups of administrators to follow up on. The ability to support parallel workflows provides greater flexibility when automating complex business processes and substantially reduces the time it takes for policy changes to be crafted, approved, tested and implemented. TSS 5.1 also features deeper integration with BMC Remedy, so that all changes can be managed in Remedy while retaining the security elements inherent in SecureChange Workflow workflows.

TSS 5.1 also features enhanced support for Fortinet VDOMs. Already a FortiVerified partner, Tufin is committed to partnering with industry leaders and innovators. TSS is architected to integrate easily into highly heterogeneous environments, with full support for logical and virtual environments – an important distinction as companies continue to explore virtualization as a way to rein in costs. Also in this version is an updated PCI 1.2.1 report, in line with the latest specification of the PCI DSS standard.

“In a market that is quickly growing in size and expanding in scope, and with feedback from more than 500 customers, we are extremely focused on what will provide the greatest return in the shortest time to our customers,” said Reuven Harrison, CTO, Tufin Technologies. “By enabling our customers to implement standardized, scalable, transparent and auditable processes, we mitigate the risk stemming from operational complexity. This allows them to focus on more proactive, strategic decision making, which in turn fuels our ability to deliver functionality such as the new Risk Report or the APG, our rule base optimization engine, that enables them to execute on those decisions faster and easier.”

Pricing and Availability

TSS 5.1 will be generally available in February 2010. Pricing starts at $20,000.

About Tufin Security Suite

Tufin Security Suite™ (TSS) is the industry's first comprehensive Security Lifecycle Management solution. Seamlessly integrating its award-winning SecureTrack and SecureChange Workflow solutions into an open, extensible and distributed architecture, TSS features full interoperability with Check Point, Cisco, Juniper, Fortinet, F5, Blue Coat and others. TSS provides the capacity to automate security policy management for any device in the Security Lifecycle Management eco-system, enabling organizations to reduce the cost of security operations and compliance while increasing operational efficiency, tightening network security, and ensuring business continuity.

Tufin™ is the leading provider of Security Lifecycle Management solutions that enable companies to cost-effectively manage their network security policy, comply with regulatory standards, and minimize IT risk. Tufin’s products SecureTrack™ and SecureChange™ Workflow help security operations teams to manage change, minimize risks and dramatically reduce manual, repetitive tasks through automation. With a combination of accuracy and simplicity, Tufin empowers security officers to perform reliable audits and demonstrate compliance with corporate and government standards. Founded in 2005 by leading firewall and business systems experts, Tufin serves more than 500 customers in industries from telecom and financial services to energy, transportation and pharmaceuticals. A respected member of the network security community, Tufin partners with leading vendors including Check Point, Cisco, Juniper, Fortinet and F5, and is committed to setting the gold standard for technological innovation and dedicated customer service. For more information visit www.tufin.com, or follow Tufin on:

Twitter at http://twitter.com/TufinTech,

LinkedIn at http://www.linkedin.com/groupRegistration?gid=1968264,

FaceBook at http://www.facebook.com/group.php?gid=84473097725,

The Tufin Blog at http://tufintech.wordpress.com/,

The Tufin Channel on YouTube at http://www.youtube.com/user/Tufintech


360°IT Event gives thumbs up on IBM/Panasonic cloud deal

London, January 2010 (Eskenzi PR) – News that IBM has secured the industry's largest cloud computing contract to date with Panasonic (http://bit.ly/69Sj8a) has been welcomed by 360°IT - The IT Infrastructure Event.

Natalie Booth, the show's event director, said that the deal - which sent IBM's share price soaring late last week - will see the LotusLive system being used initially by 100,000 Panasonic employees, but eventually rolled out to an impressive 300,000 staff worldwide.

"This news confirms - if confirmation were ever needed - that cloud computing, with all its technical and economic advantages, is now firmly established on the boardroom agenda. It also comes hard on the heels of HP and Microsoft's plans to spend $250 million to co-develop cloud computing systems (http://bit.ly/6HfKWF).

"Although financial terms of the IBM/Panasonic contract have not been revealed, you can be sure this is a big ticket item, even for IBM, which is why the stock market has viewed this deal so favourably," she added.

According to Booth, as the year unfolds she fully expects other major companies to hop on board the cloud train, especially now that Gartner is predicting that sales of cloud-based applications, including email programs, will soar 47 per cent in 2010 to $9.6 billion.

And with the research firm also predicting that, by 2012, a clear 20 per cent - one in five - of firms will have no assets at all, having shifted most of their systems to the cloud (http://bit.ly/8iOF8b), the stage is now set for a sea change in the IT infrastructure industry, she explained.

The IBM/Panasonic deal will be viewed by many as the litmus test of success for cloud computing by IT historians in the years ahead, but whilst many of the major companies are preparing to embrace the benefits of cloud technology, there is still a lot of education needed about how legacy systems will interface with the cloud, the 360°IT Event director went on to say.

"It's also interesting to see Panasonic's CIO saying that he intends to sign other large deals to outsource key parts of his firm's technology infrastructure in the months ahead," she said.

"This year promises to be a watershed for cloud computing, so it is down to shows like ours to help business professionals better understand the technology that is set to be a major topic on boardroom agendas in the months ahead," she added.

For more on the 360°IT event: http://www.360itevent.com

360°IT is the new IT Infrastructure Event and the event dedicated to the IT community addressing the needs of IT professionals responsible for the management and development of a flexible, secure and dynamic IT infrastructure.

With high level strategic content, product demonstrations and technical workshops, 360°IT will provide an essential road map of current and emerging technologies to deliver end to end solutions.

360°IT will facilitate vendor and end user collaboration to create the IT infrastructure necessary to achieve key business objectives - improving service, reducing cost and managing risk whilst gaining competitive advantage and growth.

<>

Lighting Down the Line

By Davin Fligel, Security Analyst

Nobody wants to be an innocent bystander; we avoid high risk areas where problems are likely to break out. The risk averse amongst us avoid areas that pose even a modicum of risk. You are unlikely to find me trawling a battleground even for the most precious of loot. So it was with horror that I learnt as a teenager that lightning could come down a telephone line and kill you. More precisely, kill me!

I could become an innocent bystander in my own home. I was not safe inside all that brick and mortar. The first thing that came to mind was: “What are the chances of that?” closely followed by, “I live in a lightning prone area” and “I need the phone to communicate.” This was the choice of communication methods before the ubiquitous mobile phone and the pervasive Internet. So I ran to my mother and demanded that we get lightning surge protectors as fast as humanly possible. How could I survive without a telephone? I was a teenager.

On the Internet, computers are to homes as browsers are to telephones. To be able to communicate between houses you need to use your browser. Some would say the Internet is somewhat “lightning prone.” You browse around as normal until you unsuspectingly hit an intentionally malicious site, or even a legitimate site that has been compromised, and your computer is compromised too. How does not using the Internet for security reasons sound to you? Could you do it, or would you sprint out and get the first “surge protector” you could find?

“But I have a firewall” cries the recently recruited member of the latest fashionable botnet. Unless your firewall can stop you connecting outbound to a compromised site, it is useless against this threat. Last I checked, I was not blocking my browser from connecting to the Internet. That would defeat the purpose.

“But I only visit safe sites” cries the latest attack vector into a corporate network after being compromised by the penetration testing team. Man in the middle attacks come from fake or compromised wireless access points or internet cafés, or even on the LAN itself if the opportunity arises. No WiFi? I think not, Sir!

“But I have antivirus” cries the IT Manager as he explains to the CIO how he just lost a stack of confidential records. Kernel rootkit injection and core library replacement through an un-patched vulnerability had left him open long enough for the attacker to get the data and leave without ever writing the files that AV definitions would easily identify.

The truth of the matter is that browser security is the new file and network security. Even legitimate web sites fall prey to zero day vulnerabilities, cross site scripting and SQL injection attacks. If not the sites themselves, then the advertising engines posting advertisements on their parent sites. This assumes you are surfing from a safe network, let alone the added risks of unprotected wireless networks and the hacker friendly man in the middle opportunities they present.

This is lightning down the wire all over again, only on a grander scale with exponentially more lightning.

The moral of this story is simple to elucidate but difficult to implement: Make yourself a smaller target, install your lightning protectors, patch your browsers and if you cannot patch them use ones that are not vulnerable, use Intrusion Prevention Systems (IPS), Host Intrusion Prevention Systems (HIPS), Layer-7 aware Web Application Firewalls (WAFs), use a secure VPN from public WiFi hotspots, block unnecessary outbound communications, or at a minimum monitor them.

Surf safe, don’t browse without protection.

Caretower Limited is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

German Government advice on web security not optimal

Trusteer says German Government advice on web security not optimal

by Michael Smith (Veshengro) (with material from Eskenzi PR)

London, January, 2009 – Reports that the German government has advised Internet users not to use Internet Explorer may not be the optimum solution to the problem of Web browser security, says Trusteer, the customer protection company for online businesses.

"The German government appears to be taking a knee-jerk reaction to reports that hackers have been exploiting an IE security weakness, but the problem is that, even if users switch to another Web browser, they are still likely to encounter similar potential security problems,” said Mickey Boodaei, Trusteer's CEO.

"What is really needed is a high security - but light-weight – browser security service that creates a secure environment between the users' keyboard and the Web site, so preventing man-in-the-middle, man-in-the-browser, phishing and similar attack methodologies," he added.

According to Boodaei - whose company has a number of prestigious banking clients whose customers use the firm's security technology to protect their online banking sessions - the German saga is in danger of descending into a war of words between the regulators and Microsoft, leaving Internet users to fend for themselves on the security front.

Browser vulnerabilities will keep cropping up, and as such the concept of perimeter defense for the consumer's PC is not realistic. The German government, he said, should really be working to help Internet users make their Web banking sessions more secure, rather than steering users towards alternative browser software which may also have its fair share of security vulnerabilities.

The problem, he explained, is that most Web browsers have vulnerabilities, in the same way that a regular telephone handset has potential for eavesdropping. What is needed is a technology - which is already available in the marketplace - to make the communication session more secure, rather than simply advising users to switch devices.

Trusteer's CEO went on to say that most of the vulnerabilities that his company hears about are discovered by researchers and then patched by the vendor before being published. The problem, however, is that, just like white hat security researchers, criminals have their own research activities and they find vulnerabilities which obviously they don't share with the vendors. And, he says, when they start exploiting one of these vulnerabilities, this is when it becomes a zero-day attack like the one used with Google.

"It's against this backdrop that we think Internet users need to understand that Firefox is actually not more secure than Internet Explorer. There are no significant architectural differences between the two browsers that would make Firefox less vulnerable," he said.

"Owing to its higher market profile, IE is tested more than other browsers by both the security and the criminal communities, resulting in more vulnerabilities being discovered. It's therefore important that the regulators understand this, and advise users accordingly," he added.

“If the German Government is advising on browser security, will they next be telling Germans that they should not use Adobe or Flash, as there are inherent risks and vulnerabilities in many widely used programs, not just Internet Explorer?” he concluded.

For more on the German government IE advisory: http://bit.ly/72MdGW

For more on Trusteer: http://www.trusteer.com

Rapport from Trusteer is a lightweight browser plug-in plus security service that acts like a vault inside the browser and prevents redirection of user information to fraudulent websites. It protects personally identifiable information (PII) and Web pages from unauthorized access and theft while users are accessing sensitive Web sites. Trusteer also offers in-the-cloud reporting services where unauthorized access attempts detected by Rapport are analyzed by fraud experts who provide actionable intelligence to financial institutions.

Trusteer enables online businesses to secure communications with their customers over the Internet and protect PII from a user's keyboard into the company's Web site. Trusteer's flagship product, Rapport, allows online banks, brokerages, healthcare providers, and retailers to protect their customers from identity theft and financial fraud. Unlike conventional approaches to Web security, Rapport protects users' PII even if their computer is infected with malware including Trojans and keyloggers, or is victimized by pharming or phishing attacks. Trusteer is a privately held corporation led by former executives from Cyota/RSA Security, Imperva, and NetScreen/Juniper. For more information visit www.trusteer.com.

Personally, I must say that some companies are rather disingenuous when they make claims about Firefox being no more secure than Internet Explorer. The truth, from experts and normal users, is that Firefox is much more secure, and even more so if and when certain kinds of free and open-source plug-ins are being provided, installed and used.

Too many vendors, and this can be seen again and again, are too much in the pockets of the people in Redmond and cannot, therefore, be seen as unbiased, and neither are they. Rather the opposite, and this can be seen time and again and in many different situations.

This is the same when the attacks are being led by many such vendors and companies against Open Source software, whether they be operating systems such as Linux, or simply applications such as Open Office, the GIMP and others. Understandably, in a way, as most Open Source, if not indeed all, is free at the point of take up. Something that those who make a living from writing software for a fee and selling proprietary software are dead against, it would seem, and hence the negative attitude.

Yes, there are problems with other browsers too and with Open Source software, including the likes of Ubuntu Linux and others, but maybe the proprietary software vendors and companies might like to remember that it took just a few seconds for hackers to crack the latest Apple OS not so long ago, a couple of minutes for Vista, but that they had to give up after a number of days on Ubuntu.

I rest my case.

© 2010

Oaklee Housing Association protect sensitive data with DeviceLock

London, January 2010 (Aspectus PR) – DeviceLock, Inc., a worldwide leader in context-aware endpoint data leak prevention software, announces that Oaklee Housing Association, a voluntary non-profit organisation providing social housing, care and support services, has chosen DeviceLock to protect its sensitive data. The software will establish comprehensive control over employee access to workstations' local ports and peripheral devices, including printers and personal mobile devices, to reduce the risk of data leakage.

Oaklee Housing Association has over a hundred and forty network users working across sixty-five satellite offices throughout Northern Ireland. From a corporate network perspective there is a lot of highly sensitive information, that of tenants and of the business as a whole, which needs to be hosted on the network. Although the association had not experienced an incident of data theft or leakage, the high profile incidents in central and local government over recent years alerted the Association to the need to be vigilant. Therefore, Oaklee wanted to ensure it was compliant with the most robust security standards.

“On the tenant side of the business, there is a lot of delicate personal information we need to protect, such as account information, details of vulnerable tenants and arrears histories, for example. There is also a whole host of information on the business that we need to secure,” said Brian McKenna, Communications Manager at Oaklee Housing Association. “Therefore, we wanted to ensure we protected ourselves against data leakage, be it accidental or malicious.”

“We are regulated by the department of social development, so it’s clearly important for us to have the right security procedures in place,” continued McKenna. “DeviceLock provides us with the appropriate levels of management access to important data. It proved a good balance between the functionality we were looking for, and cost - and has been very simple to implement.”

DeviceLock is a flexible tool for precisely controlling, logging, shadow-copying and auditing end-user access to all types of local ports and peripheral devices, including local and network printers, as well as Windows Mobile®, iPhone®, Palm® and BlackBerry® smartphones. Complementing its port, device, and data channel-based controls with data type-level security, DeviceLock supports true file type detection and filtering by intercepting any file system’s read/write operations with peripheral devices, performing real-time analysis of the entire binary content of transmitted data and enforcing applicable file-type based security policies.

DeviceLock also integrates with leading encryption products from PGP®, Lexar®, SecurStar®, and TrueCrypt® in order to protect data on removable storage devices. In addition, DeviceLock blocks operations of USB and PS/2 hardware keyloggers.

DeviceLock features a comprehensive central management console natively integrated with Microsoft Active Directory® platform through a custom-made MMC snap-in for Group Policy Object Editor, thus making the process of device access control easy and simple for corporate security administrators. DeviceLock’s administrative functions can be shared among multiple security administrators with different roles defined from the DeviceLock management console.

The Oaklee Housing Association provides and manages quality social housing, care and support services to meet a wide range of needs. These include sheltered housing for the elderly, general family housing and housing for people with special needs. The organisation has a turnover of 16 million and a property asset base of 280 million.

Since its inception in 1996 as SmartLine, DeviceLock, Inc. has been providing endpoint device control software solutions to businesses of all sizes and industries. Protecting more than 4 million computers in over 60,000 organizations worldwide, DeviceLock has a vast range of corporate customers including financial institutions, state and federal government agencies, classified military networks, healthcare providers, telecommunications companies, and educational institutions. DeviceLock, Inc. is an international organization with offices in San Ramon (California, US), London (UK), Ratingen (Germany), Moscow (Russia) and Milan (Italy).

<>

False Advertising by Vodaphone

by Michael Smith (Veshengro)

London, UK, January 2010: Recently I have noticed the latest billboard ad by Vodaphone, the cell phone company in Britain that always likes to claim that it is the best service in the UK, where they claim that “Only Vodaphone guarantees a mobile signal in your home.”

This, in my experience, is not just a false claim but outright lies.

Having used Vodaphone for my business cell phone initially, and never having been able to get anything of a signal in my home or anywhere in the direct local area where I live, I can but say that Vodaphone, in my opinion, is useless in many places in Britain.

I have had the same problem with a Vodaphone SIM for a mobile broadband Internet service and, yet again, the company claims that their signals are the most reliable ones in this country. I beg to differ and disagree here, and have found only one service that fits that bill but, in order not to appear biased or wanting to do some free publicity for them, I will not mention the service here.

It is my belief that the Advertising Standards Agency should take a very serious look at Vodaphone's claims and get Vodaphone to rectify their statements.

© 2010

Time for multi-factor security on portable data as 768-bit RSA encryption cracked

Origin Storage: Time for multi-factor security on portable data as 768-bit RSA encryption cracked

Basingstoke, January 2010 (Eskenzi PR) – Hard on the heels of news that the GSM A5/1 encryption system has been cracked (http://bit.ly/4KgwT7) come reports that a second crypto system - 768-bit RSA - has now been hung out to dry using a cluster PC brute force approach (http://bit.ly/7xmqco).

Recent news that the 768-bit RSA encryption has been cracked - generating a huge five terabyte password file in the process - was met with a sanguine response from Origin Storage.

"Cracking this crypto system using a 2.2GHz Opteron processor-based PC would reportedly have taken around 1,500 years, but the process has been dramatically speeded up using distributed computer resources and a cluster PC approach," said Andy Cordial, managing director with the storage systems integration specialist.

"Whilst this crypto cracking feat is impressive, it highlights the fact that the days of relying on encryption alone as a means of defending private data are now drawing to a close," he added.

According to Cordial, the use of PIN-based protection - and even biometric authentication - alongside a fully encrypted drive is now the logical choice for companies wanting to protect sensitive data from prying eyes.

Now that a 768-bit RSA crypto decryption table has been produced, Origin's MD says that organisations can no longer expect their encrypted data to be secure from anyone equipped with a RAID-driven high-powered PC.

And, he explained, it's even conceivable that a regulator at some stage in the future may take a dim view of, say, a bank claiming that its encryption system is sufficient to protect customer data - especially in a mobile situation - from prying eyes.

We are, said Cordial, rapidly reaching the stage where a single layer of protection for data is starting to become about as effective as a chocolate teapot against high-powered crypto hackers.

"And since biometric-enhanced encryption systems are still relatively expensive, the logical choice is a PIN/password-enhanced external encrypted drive such as our DataLocker range (http://bit.ly/2vb6y9), which uses a hardware-based AES/CBC encryption chip, backed up by an onboard PIN/password unit," he said.

"At the very least, this will allow the CEO or chairman to put his/her hand on heart and say the company's data is secure whilst in transit from one place to another. That's a claim you can't truly make any more with single factor encryption," he added.

For more on Origin Storage: http://www.originstorage.com

<>

Cyber-Ark Labs launched to combat emerging threats in IT security

Cyber-Ark Labs Launched to Develop Innovative Information Security Solutions to Combat Emerging Threats and Solve Compliance Challenges

Led by Identity Management Engineer and Visionary Shlomi Dinoor, Cyber-Ark Labs to Focus on Emerging Technologies

London – January 2010 (Eskenzi PR) – Committed to helping customers leverage innovative technologies and processes to protect against emerging security threats and prepare for new compliance challenges, Cyber-Ark® Software today announced the launch of Cyber-Ark Labs. Cyber-Ark Labs is a new group dedicated to researching emerging trends in technology and information security. Cyber-Ark Labs will be headed by Shlomi Dinoor, who recently joined the company as its first vice president of emerging technologies.

Housed in the company’s U.S. headquarters, one of the goals for Cyber-Ark Labs is to create an environment where innovative ideas can be nurtured into commercially-viable solutions. Dinoor and his team are focused on new technologies that help customers prepare for “what’s next” in terms of emerging insider threats, data breach vulnerabilities and audit requirements, while supporting new business models such as the secure delivery of cloud-based applications and services.

“Cyber-Ark Labs plays an instrumental role in our commitment to leading the industry in the continuous delivery of novel products that solve customers’ current and emerging security and compliance challenges. As a successful independent company, Cyber-Ark Labs is also important to supporting organic corporate growth and strategic expansion into new business areas,” said Udi Mokady, president and CEO of Cyber-Ark Software. “Shlomi’s deep, multifaceted experience in the security and identity management space, combined with his passion for innovation and visibility into new market trends make him ideally suited to lead this strategic endeavor.”

Dinoor has more than 12 years of security and identity management experience in senior engineering management positions. Before joining Cyber-Ark, Dinoor was the director of engineering at Verdasys and was responsible for leading strategic initiatives in the Information Protection space. Previously, he was the director of development at CA where he spearheaded strategy, product development and program management for the company’s Identity Management solution, one of CA’s top selling products.

“Innovation can’t happen in silos, it must be a collaborative effort and naturally infused into everything we do – spanning across technologies, departments and processes,” said Dinoor. “Cyber-Ark’s commitment to innovation starts at the top and is supported throughout all levels of the company, and across geographies. Cyber-Ark’s culture presents an ideal opportunity for me and my group to create a powerful innovation engine, and support the company’s long term growth plans and vision.”

Dinoor was the director of development at Netegrity before it was acquired by CA. While at Netegrity, he led all development activities and product releases for Netegrity’s Identity Management integrated product and headed architecture work and planning for new generation products. Previously, Dinoor worked as a development manager at Business Layers, which was acquired by Netegrity.

Cyber-Ark® Software is a global information security company that specializes in protecting and managing privileged users, applications and highly-sensitive information to improve compliance, productivity and protect organizations against insider threats. With its award-winning Privileged Identity Management (PIM) and Highly-Sensitive Information Management software, organizations can more effectively manage and govern application access while demonstrating returns on security investments. Cyber-Ark works with 600 global customers, including more than 35 percent of the Fortune 50. Headquartered in Newton, Mass., Cyber-Ark has offices and authorized partners in North America, Europe and Asia Pacific. For more information, visit www.cyber-ark.com.

<>

Where Does the Ownership Lie?

  • Roundtable experts discuss issue of liability in software ownership
  • Virtualisation, SaaS and Cloud Computing make it harder for organisations to keep track of IT estates – especially when it comes to outsourcing and M&A
  • Experts agree organisations need to forward plan and have better understanding of software ownership and liability

Maidenhead, UK, January 2009 (C8 Consulting Ltd) – FAST Ltd, a leading independent UK authority on Software Asset Management and IT Compliance, providing software, education, consulting and managed services, hosted a roundtable of industry licensing specialists recently, the results of which were illuminating. The experts gathered together to give their views on software ownership and the issue of liability following outsourcing and M&A activity.

There is no doubt that over the past year, CIOs and IT managers have been under pressure. Demonstrating good cost control continues to be critical and, in an attempt to achieve this, many organisations have outsourced the problem or are looking at new pricing models and ways of procuring technology. Participants reported that, with the need to react to the economic downturn, growing complexity in licensing and technology, new types of technology such as Cloud Computing, Virtualisation and SaaS, and new revenue models being tabled, keeping track of IT estates and who owns what, in regards to software ownership and liability, is actually very difficult. Even more so when it comes to a major outsourcing programme and/or a new merger or acquisition (M&A).

The roundtable event, ‘Where Does The Ownership Lie’, part of the CEO Series was hosted by FAST Ltd and included software vendor Symantec, together with sponsor LANDesk, Webroot, Rocela, The UK Oracle User Group, Bytes Technology Group, ConnectSphere, Flexera Software, Regent Partners International, Beachcroft LLP, FAST customers LeaseDrive Velo and Lloyds Register, and a representative from industry analyst Quocirca.

A key driver for the discussion was the current confusion around the software ownership landscape and how it’s multiplied when you add M&A to the mix. Clive Longbottom at Quocirca said the situation is confusing for businesses. “Originally organisations went for the very old style of ‘thou shalt pay’ and thou shalt pay on a yearly basis when it came to licensing their software. However, now there are a lot of organisations that are moving towards subscription-based software as they don’t want the responsibility or liability when it comes to licences. But, the reality is that they still aren’t reading the contracts and don’t realise they are responsible for counting licences, so ultimately they are back to square one.

“And when you add M&A into the mix, these problems are multiplied three-fold. The amount of stress being put on organisations to conclude the deal quickly is immense and businesses are waking up to the fact that their IT is in a real mess and are therefore looking for ways out of it.”

Tim Pollard, Director Enterprise Sales at Symantec agreed and said that he’s seen an increase in tier 1 vendors introducing and offering more flexible licensing packages. “There are more and more ‘all you can eat’ licences, and we tier 1 vendors need to work with the customer to figure out what is right for them, but also what makes commercial sense for us. More organisations are looking to outsourcing and functional computing, and we’re seeing more clauses being drawn into our contracts.”

Head of Customer Services at FAST, Paul Clements said that he has seen an increase in organisations affected by ownership concerns and software licensing, and who are looking to cut costs. “One of the biggest issues a lot of our customers are facing is that they are being told to outsource as a result of the economy. We have to explain that although you can outsource projects, you can’t outsource the liability.”

Peter Rowell from Regent Partners International agreed and added that it’s a whole new story when M&A is added to the mix. “In the past year Regent has tracked over 300 acquisitions of European software companies and there have been three times the acquisitions of software companies today than there were nine years ago. Generally when a company makes an acquisition it’s not because of the IT, it’s because it’s a strategic business decision for them. Therefore IT is overlooked at the beginning of the process which really shouldn’t be the case, and this is where due diligence comes in.”

When asked why this happens, Robin Fry from Beachcroft LLP commented: “Secrecy during an M&A is one of the biggest challenges. Businesses simply aren’t going to go to their software vendor to discuss their future licensing before they tell investors, staff and the Stock Exchange. It's a huge risk, with the relevant enterprise likely to be unlicensed the day after the deal closes, and companies are continuously taking this risk.”

Martin Mutch, Chief Executive at Rocela, added: “Most clients we deal with want to know the complexities and the implications of their licensing. However, they struggle to understand the impact an acquisition will have on this. We encourage clients to ‘embrace it, control it and manage it’ to ensure they are controlling their costs more effectively.”

All participants agreed that managing IT assets through effective Software Asset Management and utilising ITIL best practice is important to ensuring that if and when a merger or acquisition happens organisations won’t get stung with large penalties.

“It’s surprising that there are a lot of companies that just don’t have a clue - when it comes to physical IT assets and also their software,” said roundtable sponsor, Andy King at LANDesk.

“A merger or acquisition will merely highlight existing inefficiencies within an organisation’s software and licensing,” said Michelle Hales, Training Director at ConnectSphere. “Organisations need to have good Service Portfolio Management – they need a good understanding of the end-to-end process and an overall plan for the future.”

Asked on whether SaaS will solve licensing and ownership problems, Ian Moyse at Webroot added: “There are benefits to SaaS and it does solve deployment issues of companies coming together in M&A. However it’s not a one size fits all, and it doesn’t solve all of the problems of M&A and licensing.”

Lloyd’s Register’s Mark Duffy welcomes SaaS, but believes more work needs to be done to convince him of its widespread suitability: “Where we utilise SaaS solutions at the moment, life is certainly easier in regard to licensing who can use what, where, when and how. Part of me would like to see more of this style of licensing across the board. However, pricing models in this space need to be more flexible in order to gain the true benefit of using such a service.”

“Buyer Beware is key,” said Ronan Miles, Chairman of the UK Oracle User Group. “You need to understand what your company may be doing now, what it may plan to do in the future, and what will happen if that happens. This will make all of the conversations that you have afterwards a darn sight easier.”

Paul Clements at FAST Ltd concluded: “Software licensing won’t go away. And in the current auditing climate, companies are more at risk of being pursued for non-compliance. Where licensing has been put on the back burner because companies have said, ‘Let’s just get the business going for the next 12 months’, there should be an effort now to start catching up and trying to put things right, because vendor audits are not going to go away in 2010.”

FAST Ltd, part of IRIS, is the UK’s leading authority on Software Asset Management and IT Compliance, providing software, education, consulting and managed services. For over 24 years FAST Ltd has helped over 8,000 organisations control their IT costs, mitigate risk and deploy best practice IT using expert impartial and independent advice.

The FAST Compliance Programme focuses on helping organisations achieve ‘best practice’ in IT and software compliance. The business supports its 2,700 customers to reach and maintain The FAST Standard for Software Compliance (FSSC–1:2007), a private Standard which was developed in collaboration with BSi. The FAST Standard also addresses a significant proportion of the requirements of ISO/IEC 19770-1, the International Standard for Software Asset Management. The Federation Against Software Theft Investors in Software (FAST IiS), which aims to combat software piracy, endorses the Standard.

FAST IiS, which is a not-for-profit organisation limited by guarantee, is owned and funded by its members – software publishers, solicitors, IT resellers etc. FAST Ltd has a mandate from FAST IiS to advise and help UK organisations on the issue of software compliance and promote the legal use of software, and it is the only organisation that meets the FAST IiS mandate.

<>

Creating uniform security across the police force

By Holly Sacks, Senior VP, Marketing and Corporate Strategy, HID Global

Identity and access management (IAM) continues to be a huge challenge for police forces throughout the country. Enabling employees to quickly and securely access data and facilities has always been a high priority. The growing number of data sources now available to police is making it more critical than ever that the right people have access to the information they need, and that this data can be assessed and monitored in a secure way.

However, a legacy of disparate IT systems with little ability to work together means that this is no small undertaking. Police forces in different regions currently have different levels of access to different systems, each of which has its own IT platform and its own access control platform. The National Policing Improvement Agency (NPIA) has launched a review of IAM processes within the police force that is designed to bring these systems together in the best way possible. As a core part of the review, the NPIA is aiming to provide every police officer in the UK with a multi-application smart card that can combine logical and physical security.

The project focuses on authenticating the identity of officers and civilian staff who access police systems via a single user identity that can work across all police systems. With police increasingly accessing confidential data via mobile devices, in-car units and station-based PCs, the ability to safely access systems from any location will also cut costs incurred through travel while boosting the time available for frontline policing.

A nationally aligned smart card system would also reduce the IT and administrative costs associated with resetting forgotten usernames and passwords, and it would conserve the man hours spent on these tasks. The police face constant demands to be a more visible presence on our streets, and the ability to access IT systems with a single smart card minimises the downtime spent on administrative tasks, freeing up bobbies to get on the beat.

Another interesting potential application for smart card technology is in securely checking out firearms from a police station. Every time a police officer takes a weapon out of the police station, he or she has to show a warrant card to the person in charge of the armoury; that person will inspect the warrant card and sign a piece of paper; the paper is countersigned by the officer in charge; and only then does the requesting officer take receipt of the weapon. When the weapon is returned, the process is repeated. This kind of convoluted process is a prime example of one that could be handled electronically with a combination of radio frequency identification (RFID) tags on the firearms themselves, a contactless smart card for the officer and a contactless smart card reader at the checkout point.

As police forces across the country look to combine their logical (IT) security and physical access control into one multi-purpose system, there are several options open to them. The most basic form of secure access control is the magnetic stripe – or ‘mag-stripe’ – card, where magnetic data is stored on the back of the card. While mag-stripe cards are inexpensive to produce, they can be more costly in terms of maintenance. Magnetic stripe cards come in contact with the reader when inserted, and any debris that collects on the card inevitably ends up inside the reader and on its contact pins. They are also susceptible to magnetic interference and wear and tear: constant swiping through the card reader causes the stripe to deteriorate and eventually fail. This type of card is also extremely restricted in terms of its data storage capacity compared to that of smart cards, some of which now have up to 164K of memory.

But perhaps their biggest disadvantage is that they are very easy to clone. You can even buy a mag-stripe reader from a high-street store that will let you take data off one of these cards and use it to create an unlimited number of clones. This is clearly an unacceptable risk for the police force where officers have access to the personal details of criminals like terrorists and paedophiles. The consequences of this information being released into the public domain by someone with unauthorised access are easy to imagine.

A far more secure and flexible option is the new generation of contactless smart cards that use encryption and the internal computing power of a smart chip, reducing the risk of data being compromised or cards being duplicated. Contactless cards can offer three levels of security: single, dual or three-factor authentication. With single-factor authentication, using the card on its own will grant access to a system or open a door. Dual-factor authentication adds an extra level of security in the form of a PIN code. Three-factor authentication goes a step further, using a PIN code and an extra security measure such as a biometric scan. Contactless smart cards are traditionally used for physical access control and are now being adopted for logical access control as well.

The other advantage of contactless smart cards is the possibility of adding other applications such as contactless payments for the staff canteen, time and attendance records and authorised equipment check-out.

As with all areas of the civil service, the cost of implementing and deploying a new, nationwide IAM system is a key consideration. However, the need to identify, authorise and authenticate users is a critical one. It’s clear that government and police see this drive as one that is definitely worthy of investment.

Portable and secure, contactless smart cards are fast becoming a valuable tool for safeguarding physical security and guaranteeing the privacy of sensitive electronic information across many sectors. When weighing up the costs of smart card technology against the benefits, it’s obvious that they can offer considerable value to the UK police force, saving time and money, protecting officers and civilian staff and safeguarding the public’s data.

HID Global is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

HID Global is the trusted source for secure identity solutions for millions of customers around the world. Recognised for robust quality, innovative designs and industry leadership, HID Global is the supplier of choice for OEMs, system integrators, and application developers serving a variety of markets, including physical and logical access control, card personalization, eGovernment, cashless payment and industry and logistics.

Article supplied by InfoSecurity PR

Modified portable devices create significant security risks

Fortify Software warns on modification risks from portable devices

(Eskenzi PR) Fortify Software, the application vulnerability specialist, has warned that software crackers are likely to continue modifying relatively low-cost specific-application devices, such as e-readers, but that the potential security risks to companies are significant.

The reason, says Richard Kirk, Fortify's European director, is that whilst best practice principles are usually applied to a firmware-driven device such as an e-reader, in terms of the operating system and allied software, all of these principles go out of the window when the device is cracked and re-purposed.

Kirk's comments come as the Nook e-book reader, a low-cost device developed by Barnes & Noble last year, has been hacked (http://bit.ly/4sW9Oq) to fully utilise the Android operating system.

"Although the Nook (http://bit.ly/6xFTGa) uses a customised version of the Android operating system, it also supports WiFi and 3G cellular, which means it has connectivity with all manner of systems via the Internet," he said.

"This is why the e-reader, which has already been cracked to load the Pandora Web-based music service, the Twitter application and a number of Facebook applications, has now been fully cracked to run most Android applications," he added.

According to Kirk, whilst this is potentially great news for home users of the Nook, it poses a significant security risk for companies interested in using the device for corporate purposes, since there is no way of knowing whether the newly installed software - as well as the operating system cracks - comply with security best practices.

These practices, he explained, include the need for regular security testing to ensure software that is being developed is inherently secure.

The software industry, he says, has been extolling the benefits of secure coding practices - so that developers do not keep introducing vulnerabilities - for many years now, as witnessed by the Fortify 360 initiative (http://bit.ly/5bNfsm).

Most ‘home brew’ software is excellent from a functional perspective, he went on to say, but rarely complies with software development best practices when it comes to security, which is where the risk of using such cracked devices in a company environment enters the frame.

"You wouldn't expect an IT manager to allow unchecked third-party applications to be loaded onto company desktops, so why allow a modified e-reader into the office environment?" he said.

"The problem facing IT managers is that they have no way of knowing whether a portable device like the Nook has been modified or not, which is why we believe that cracked devices like this pose a potentially serious security risk for companies of all sizes," he added.

For more on Fortify Software: http://www.fortify.com

<>

Serious SQL flaw could have compromised millions

Security Problems with Social Networking Persist

Serious SQL flaw could have compromised millions of Rockyou.com users

(Eskenzi PR) – Imperva has issued a warning after finding a serious SQL injection flaw with Rockyou.com - a social networking application development web site.

"Rockyou.com is not just any software site. Since its creation in 2006, it's become the hub for many social networking sites such as Bebo, Facebook and Myspace, to mention but a few," said Amichai Shulman, chief technology officer with the data security specialist.

"The bad news is that the SQL injection flaw could have allowed hackers to access the 32 million entries of user names plus passwords in the Rockyou.com database - and since the user names and passwords are by default the same as the users' webmail accounts—such as Hotmail, Yahoo or Gmail—this is a major lapse in security," he added.

“The vast majority of subscribers to Rockyou.com are using the same credentials on the site as their regular Web email service,” explained Shulman. “The users are young and security is not top of mind, but nonetheless companies need to keep them protected and ensure their details are safe. With the popularity of web 2.0 tools, companies may focus more on becoming successful quickly at the expense of security.”

An attacker can use these credentials to perform any of the following actions:

1. Extract private information from the inbox: credit card numbers, confidential business information, passwords to other applications such as banking applications, embarrassing pictures, etc.

2. Identity theft – The attacker can send mail to the victim’s entire contact list on behalf of the victim.

3. Harvest the contacts' info for spam – if each account has 10 unique contacts, then the spammer will have 300 million addresses to spam.

“While individual users are urged to show prudence when surfing the web and especially providing account credentials to applications, it is the responsibility of application owners to protect the information trusted to them by users,” adds Shulman. “Web development in general can be rushed in order to get a service to market quicker. However, by rushing the time to deploy, companies may tend to overlook security.”

“We have notified the site operators of this problem, who reacted quickly and fixed the issue over the weekend. Unfortunately some accounts had already been compromised before the vulnerability was fixed. All users need to be cautious and ensure they change their email passwords, as their credentials may have been put at risk,” he added.

Imperva recommendations for keeping safe online:

Internet Users:

1. Have separate business and personal email accounts

2. Carefully choose applications you trust with your email address

3. Change passwords regularly

4. Ensure default passwords are changed so they are not the same as ones used for email accounts

Administrators:

1. Protect your applications against application-level attacks using available technologies such as a web application firewall.

2. Never store passwords in plain text.

3. Don't ask for your users' webmail passwords unless it's absolutely necessary, and certainly don't store them afterwards.
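The two defects this item describes (input spliced into SQL, and passwords stored as typed) beside the hardened pattern the administrator recommendations call for. This is an added example, not Imperva's or Rockyou.com's code; the in-memory SQLite table, the sample accounts and the PBKDF2 parameters are constructed for it.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for this example (not real credentials).
SAMPLE_USERS = [("alice", "correct horse"), ("o'brien", "battery staple")]
PBKDF2_ROUNDS = 100_000  # constructed value; tune to your hardware


def open_db():
    """In-memory SQLite database with the one table both variants use."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, secret TEXT)")
    return conn


# ---------- the pattern the press item warns about ----------

def insecure_register(conn, username, password):
    # Recommendation 2 violated: the password is stored exactly as typed,
    # so one successful injection reveals every account's credential.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def insecure_login(conn, username, password):
    # Recommendation 1's root cause: user input is pasted into the SQL text,
    # so a quote character in the input becomes SQL syntax instead of data.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND secret = '{password}'")
    return conn.execute(sql).fetchone() is not None


# ---------- the hardened pattern ----------

def hash_password(password, salt=None):
    """Return 'salthex$digesthex' using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def secure_register(conn, username, password):
    # Only the salted hash is written; the plaintext never reaches the table.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, hash_password(password)))


def secure_login(conn, username, password):
    # Bound parameters travel separately from the SQL text, so input can
    # never change the statement's structure, whatever characters it holds.
    row = conn.execute("SELECT secret FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt_hex, stored_hex = row[0].split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex)).split("$")[1]
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, stored_hex)


def stored_secrets(conn):
    """What an attacker reading the table would see."""
    return [row[0] for row in conn.execute("SELECT secret FROM users")]


def demo():
    """Run both builds over the constructed accounts and report the outcomes."""
    bad = open_db()
    for user, pw in SAMPLE_USERS:
        insecure_register(bad, user, pw)
    try:
        insecure_login(bad, "o'brien", "battery staple")
        quote_breaks_query = False
    except sqlite3.OperationalError:
        # The apostrophe in o'brien terminated the string literal early.
        quote_breaks_query = True

    good = open_db()
    for user, pw in SAMPLE_USERS:
        secure_register(good, user, pw)

    return {
        "quote_breaks_query": quote_breaks_query,
        "plaintext_exposed": "correct horse" in stored_secrets(bad),
        "secure_handles_quote": secure_login(good, "o'brien", "battery staple"),
        "secure_rejects_wrong": secure_login(good, "alice", "wrong"),
        "secure_plaintext_exposed": "correct horse" in stored_secrets(good),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```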

Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment.

For more on Imperva: http://www.imperva.com

<>

Logitech Speaker Lapdesk N700 Brings the Cinema Home

Latest Lapdesk Offers Immersive Audio and Increased Comfort with Integrated Stereo Speakers, Built-in Fan and Padded Base

LAS VEGAS - CES - January 2010 – You’re already using your laptop to listen to music, play games, and watch movies, TV and videos. You’re already using it on the sofa and on the bed. But you’re looking for a way to be comfortable, and you know what a difference high-quality audio can make when you’re enjoying good entertainment. For a cinema-like experience on your laptop, Logitech has now introduced the Logitech® Speaker Lapdesk N700 — the company’s first all-in-one laptop accessory with integrated stereo speakers, a built-in fan and a wide padded base.

“More and more people around the world are enjoying fantastic entertainment on their laptops – but with mediocre sound and comfort,” said Denis Pavillard, Logitech vice president of product marketing for laptop accessories. “In fact, according to our research nearly 50 percent of laptop users report being dissatisfied with the sound quality of the built-in speakers. The Logitech Speaker Lapdesk N700 helps transform your laptop into a private cinema in the cosy confines of your lap.”

Unlike most laptop speakers, the Logitech Speaker Lapdesk N700 offers two built-in high-definition speakers with 2-inch high-performance speakers. Specially designed for notebook computers, the stereo speakers are precisely positioned on either side of your laptop to give you rich sound and powerful bass. And, because they connect through a single USB cable, there’s no cable clutter or the hassle of moving and setting up external speakers.

While you’re enjoying entertainment on your laptop, the Logitech Speaker Lapdesk N700 helps keep you comfortable. Whether you’re on the sofa or in bed, the viewing angle of your screen and the padded base help you sit in a more comfortable position. Meanwhile, a quiet, efficient fan circulates air under your notebook, and the heat-shielding design helps keep laptop heat off your legs and lap. Plus, a grill protects the fan from dust and damage, and rear and bottom air intakes ensure steady, unobstructed airflow.

The Logitech Speaker Lapdesk N700 is easy to set up and use: just plug in the single USB cable and play movies, music, online videos, and more in rich, full stereo sound – there’s no software to install and no need for batteries. And to put convenient, independent control at your fingertips, the Speaker Lapdesk N700 offers volume controls for the speakers and an On/Off switch for the fan.

Pricing and Availability

The Logitech Speaker Lapdesk N700 is expected to be available in Europe in March for a suggested retail price of £69.99.

Logitech is a world leader in personal peripherals, driving innovation in PC navigation, Internet communications, digital music, home-entertainment control, gaming and wireless devices.

For more information about Logitech and its products, visit the Company’s Web site at www.logitech.com.

Did Santa bring you a Netbook?

Yes?!?

Then now get the best traveling companion for it...

The Novatel Wireless Intelligent Mobile Hotspot 2352.

If your Netbook runs any version of the Linux operating system, then the Novatel Wireless Intelligent Mobile Hotspot 2352 is the only mobile broadband option available. Standard dongles do not work with any Linux version as yet, as the makers do not think about Linux at all. All they think about is Microsoft Windows, and Apple Mac if you are lucky.

Police force computer misuse investigation "no surprise" to 3ami

Managing Director Tim Ellsmore says protective monitoring of police systems is necessary to uphold the laws of a digital network

Manchester, 7th January 2010 (Omarketing) – Reports that there have been more than 50 cases of misuse of the force's computers in the 13th largest police force in England, Wales and Northern Ireland over the last five years (http://bit.ly/8tMBsR) come as no surprise to Tim Ellsmore, Managing Director of 3ami, a Manchester-based company that produces audit, compliance and control technology.

"With more than 239,000 police officers employed in the UK (http://bit.ly/5622Ub), as well as larger numbers of civilian staff, it's inevitable that human nature will rear its ugly head," said Ellsmore. "Our 3ami MAS software helps police management enforce the laws of their digital network and prevent this type of situation from causing embarrassment and the suspension or dismissal of otherwise good members of staff."

Ellsmore added, "I realise how hard police forces are working, and have been working, to make true data accountability a reality in the UK. I have seen their dedication in my many interactions with police forces looking to trial and purchase our Monitoring and Audit Systems (MAS). Police forces are beginning to realise the simple truth that you can't enforce the laws of a digital workplace without being able to police and protect that workplace--and that's where comprehensive computer activity monitoring and auditing comes in."

Ellsmore said the problem with those forces that do not fully monitor the activity on their computer networks is that they have no real way of knowing whether officers or civilian staff are misusing the data they have access to, forwarding that data to third parties or even using the network to conduct personal business when they should be working. There are also the issues of viruses and malware, as well as hacker attacks, attempting to compromise data on the police computer network, usually for criminal ends.

Ellsmore went on to explain that 3ami recently conducted a survey into senior police officers' concerns about data security at UK police forces. Ellsmore noted that the security required goes beyond controlling who has access to what data and at what times.

3ami's survey - conducted among senior police officers last year - found that all respondents were in favour of audit and controls on police computer resources. Ninety-six percent said they believed abuse and/or misuse of UK police systems occurred "frequently."

According to Ellsmore, the survey also found that inadequate staffing and the lack of an effective digital audit trail were the two biggest barriers to investigating police officers or staff members suspected of illegal or inappropriate computer activity. Ellsmore pointed out that both of these barriers could be mitigated--or removed altogether--with the effective use of a comprehensive computer activity monitoring and auditing package, such as 3ami.

"The Freedom of Information Act data released to the press this month suggests that more than 400 UK police officers and civilian staff have been dismissed or disciplined on the issue of computer misuse in the last five years," he said. "It's investigations like this that highlight the fact that installing effective audit and control software is now a no-brainer in financial terms, not to mention responsibility and accountability."

For more information: www.3ami.com

3ami Monitoring and Audit System (MAS) is a complete computer activity monitoring package that tracks all changes to hardware and software throughout an organisation's entire network(s) by capturing and securely storing records of all user activity - not just on the Internet but on every application, including email, word processing, spreadsheet applications, instant messaging and online. MAS monitors and audits police systems including ANPR (CLEARTONE BOF), PNC, Niche RMS, CORVUS and Quick Address (QAS). Even when other stand alone capability is already present, MAS coordinates and corroborates all systems to provide a comprehensive auditing framework.

Developed specifically for police forces, 3ami MAS makes true data accountability possible. 3ami MAS both proactively prevents inappropriate and/or illegal computer activity from occurring and reactively tells you - with certainty - not only who is responsible, but also the full breadth of such activity, when it does occur.

<>

Companies advised to code audit open source applications before deployment

Fortify advises companies to code audit open source applications before deployment

(Eskenzi PR) - Following Sun Microsystems' decision to release a raft of open source applications to support its secure cloud computing strategy (http://bit.ly/7qrbou), Fortify Software is recommending companies conduct extensive security tests of their customised open source software before deployment.

"Given the significant savings to be had from using open source applications, Sun's strategy is a security testing at all stages in the customisation process," said Richard Kirk, European Director with the application vulnerability specialist.

"It's also good to see Sun announcing its support for the new security guidance from the Cloud Security Alliance, since this means that its open source apps will support the best practice guidelines, which is essential when supporting a private cloud infrastructure," he added.

According to Kirk, whilst the use of encryption and VPNs to extend a secure bridge between a company IT resource and a private cloud facility is very positive – especially now that Amazon is beta testing its pay-as-you-go private cloud facility (http://bit.ly/Kojyo) – it's important that the underlying application code is also secure.

Security in any IT resource, he explained, is only as strong as the weakest link, so it's just as important to secure the source code of the software being used as it is to defend the cloud environment, as well as other aspects of a company's IT systems.

"Sun's strategy in opting for open source cloud security tools - including OpenSolaris VPC Gateway, Immutable Service Containers, Security Enhanced Virtual Machine Images and a Cloud Safety Box - is excellent news on the private cloud security front," he said.

"Even so, if businesses go down this route, it's critically important that they invest some of the costs saved by taking the open source path, in security at the program code development and customisation stages. This will help them to create an even more robust solution," he added.

For more on Fortify: http://www.fortify.com

<>

Securing Web 2.0 in the workplace

Synopsis:

Simon Morris, Research and Development Director at Pentura, looks at how the adoption of Web 2.0 makes the job of keeping email and the web free from attacks, malware and spam even more difficult. Yet simply closing access to unapproved tools can be short-sighted, as unhappy employees drift to rival businesses with more enlightened policies.

Web 2.0 is growing with increasing momentum, and businesses seem to be harnessing some of its benefits to bring them closer to their customers and improve the overall brand experience. However, Web 2.0 as a concept is quite vague and is becoming all-encompassing. Firstly, it is important for businesses to distinguish between Web 2.0 social networks and Web 2.0 functionality in the workplace: social media is very similar to Web 2.0; the only real difference is that social media focuses on people and Web 2.0 focuses on content.

Social networks are heavily focused on keeping in touch with friends, sharing photos and video and chatting in real time. Using social networks such as Myspace, Twitter and Facebook in the workplace is arguably questionable in terms of how it benefits the business. Evidently organizations need to keep staff happy and not enforce draconian rules upon them; however, providing such a distracting medium in the workplace and encouraging its use can’t be beneficial.

Web 2.0 functionality, however, can be very beneficial. Using a combination of different mediums (web, audio and video) to convey a message to new and existing clients can be used to great effect. A number of Pentura’s clients have started to use such techniques, drawing on the principles of the social networking environments to provide a new canvas for marketing. An example of this was a company that produces cosmetics, which used Web 2.0 functionality to provide a feature-rich website that customers interested in the brand could join as members. Additionally, members could liaise with each other via chat, enter online competitions and win prizes.

The original question of security is significant in both instances, as both use diverse integrated functionality to convey information. Social networking sites’ very essence is defined by feature-rich functionality, and this encompasses web, chat, audio, video, pictures and integrated applications. There are issues of personal data to consider with profile information, but the most significant risks exist with the integrated applications, as these can be hosted by third parties and not subject to any security or information assurance controls. In the last 18 months it has been demonstrated that these applications can have malware or functionality issues which have serious security implications.

Businesses are becoming more aware of the security risks associated with using Web 2.0; however, existing security architectures have a limited ability to manage them effectively. Most block at a coarse level, which inhibits useful functionality, or just block the URL outright. Firewall technology mostly enforces policy at the network layer, with a degree of application-layer functionality, but again with limited effect.

Technologies are now starting to emerge which offer granular control of Web 2.0 functionality. Palo Alto Networks offers one such technology, which is currently unique in the firewall marketplace. It allows businesses to gain visibility of users’ application usage and apply a policy to control Web 2.0 applications from almost any aspect, such as chat, email, apps and file transfer. Companies that harness Web 2.0 technology for their own use should make sure their application and website code is fully checked and written in a secure manner, as experience shows the use of third-party libraries can diminish a business’s security baseline, so they should be used prudently. Businesses need to understand the security issues of both Web 2.0 and social networking, as their use in the workplace seems to be here to stay.

Pentura Limited, the first Risk Management Service Provider in the UK, is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Courtesy of InfoSecurity PR

<>