ISAF raising awareness of the main threats to online security

Monthly Information Risk Themes

February 2010 – The Information Security Awareness Forum (ISAF) has produced a rolling calendar of themes for 2010 in which each month focuses on a main threat to information security. Many of the member organisations will be timing their awareness activities to this schedule, magnifying the message. The information security world has never been very good at delivering bite-sized and interesting nuggets of knowledge to the general public, even though the threats to those people are ever increasing, with the digital netherworld of criminality costing the UK “billions”. Formed in 2008, the ISAF was created to co-ordinate the awareness activities of its 23+ member organisations and to improve the communication of information risk issues to industry and the general public.

Like insurance, information security tends to interest people only when something bad happens. Yet it is quite easy to take simple steps to reduce the likelihood that the victim is you.

“The ISAF calendar will help the member organisations and others in the industry co-ordinate their awareness activities around specific themes. This increased focus will help create opportunities for partnership and assist in planning and collaboration to raise awareness of good security practices.” Dr David King, Chair of the ISAF

Professor Jim Norton, Chair of the IET IT Policy Panel, welcomed the initiative, saying: “Creative use of ICT continues to bring great benefits to our society, but every silver lining has a dark cloud. It is vital that we continue to raise awareness of the risks involved and I commend ISAF’s comprehensive approach to this.”

Tony Neate, managing director of Get Safe Online, the UK's national internet security initiative, commented: "Get Safe Online very much welcomes the work that the ISAF is doing in collating the activities of its member organisations through its new monthly themed calendar. The calendar will be an essential tool in co-ordinating the security events that the ISAF does so well. This initiative will help to harness the skills and experience of a wide variety of experts to raise awareness and get the message of good security to all.”

John Colley, managing director of (ISC)² EMEA, said: “As a founding member of the ISAF, (ISC)² welcomes this initiative. Too often awareness is ineffective due to the fact that too many messages are being communicated to too many people. By focussing on specific issues each month, the calendar provides a means to deliver these important messages to the people that really need to understand them.”

The Calendar

February – Mobile devices

Mobile phones, laptops and PDAs increasingly hold vast amounts of information. Aside from the resale value of the hardware, devices synchronised with email, whether a personal or a work account, are useful to identity thieves: a mailbox is the key to password resets for most other accounts. Many people use their devices to carry contact details, birthdays and files around with them, but apply less security to them than to the place this data normally lives, i.e. their computer. Virtually every device can be PIN or password protected, but most people don’t use this functionality.

March – Child Protection/Online identities

It is very hard for people to really know who they are talking to online. Children find this especially hard, as they have not had the life experiences that make most older people cautious. Predatory paedophiles take advantage of this to trick children into believing they are talking to someone of their own age.

April – Awareness – Infosecurity Europe

Any drive to improve information security must include raising the awareness of staff and customers of the risks of using the Internet and computers in general. The most important element is to identify the audience, bearing in mind that many people wear multiple hats (employee in a large corporate and home user, for example), and what is specifically relevant to them. Awareness must not be restricted to campaigns by big business or the Government, but promoted by everyone with the capability to provide advice.

May – Compliance/The law

While the Internet seems very open and borderless, this isn’t actually the case. National laws apply online just as they do in the real world; the Internet merely removes the distance between jurisdictions. Companies and individuals should be aware of where their data is being stored and what laws apply to it. For example, two people in the UK communicating using Hotmail are actually exporting their data to the US. Different countries have different laws on encryption, and international travellers should be aware of these. There are also contractual conditions, such as PCI DSS for credit card processing, that many companies must adhere to over and above the law of the land.

June – Identity Protection

Identity theft is an increasing problem and criminals are getting more inventive. There are a number of simple ways to protect yourself from falling victim to these sorts of scams, including reviewing what information you post on social networking sites, shredding important documents before they go in the bin and regularly reviewing your credit file for accounts you did not open.

July – Convergence/Physical protection relating to InfoSec

Many of the concepts in physical security are just as applicable to electronic security. The two disciplines complement each other and, yet, few organisations take a holistic approach to both. Often, the responsibilities lie with different parts of the business and opportunities are missed. Major benefits can be realised through the bringing together of physical and information security.

August – Risk Management/How to assess dangers online

Any information security programme must be built on an understanding of the risks being faced. Similarly, home users should be aware that some of the people connected to the Internet do want to do them harm: an unpatched PC connected directly to the Internet without a firewall can be infected with malicious software within minutes of going online.

September – Business Continuity/Backups

When planning to protect yourself, consider the worst case scenario. If your data is lost, what is its value to you, and what do you have in place to protect it? In many cases, the information a company holds is its most valuable asset. At home, many families prize their digital photo albums. Keeping backups, and testing that you can actually restore from them, ensures that your information remains available even after the worst case; a backup that has never been restored is an assumption, not a safeguard.

October – Corporate Governance

Companies that want to reduce their information security risks should undertake a strategically focused programme of work, centred on a formal methodology for information security management. A number of standards exist to help with this, the best known of which is the ISO/IEC 27000 series. By creating a framework within which to operate, companies can ensure that they cover all aspects of the discipline and reduce their risks in a controlled manner.

November – Crime

Because the Internet removes distance as a barrier between people and makes it easy to interact with large numbers of people simultaneously, criminals are exploiting it in much the same way as business does. All Internet users must be made aware that the scale of criminal activity online is enormous, running into billions of pounds each year and comprising multiple layers, from money mules to organised crime bosses. However, the frontier nature of the Internet is coming to an end. By and large, the same crimes can be committed online as offline, and the Police are increasingly dealing with online crime in the same way as crime committed offline.

December – Malware

Malicious software is a constant threat on the Internet. It installs itself on a victim’s computer and then undertakes some unwanted action without the victim’s consent. Much of it has links back to organised crime, and the effects on infected machines vary. Botnets are networks of infected machines that are rented out to other criminals for a variety of purposes, including sending spam and flooding established businesses offline if they don’t pay protection money. It is imperative that everyone uses anti-virus software and keeps their machines patched.

About the Information Security Awareness Forum

A number of professional bodies and organisations involved in information security have come together to form the Information Security Awareness Forum (ISAF) to coordinate and build on existing work and initiatives, to improve their overall effectiveness, and ultimately to increase the level of security awareness in the UK that will help protect us all. We are a group whose aim is to deliver rather than to merely talk about awareness.

The forum was launched on the 13th February 2008. The member representatives meet monthly to progress the agenda and actions of the forum.

Founding members of the forum include ASIS International, the BCS, CMA, the Cybersecurity Knowledge Transfer Network, eema, EURIM, Get Safe Online, IAAC, the Information Technologists' Company, Infosecurity Europe, the Institute for the Management of Information Systems (IMIS), the Institution of Engineering and Technology, the International Underwriting Association of London (IUA), ISACA, (ISC)², ISF, ISSA, the Institute of Information Security Professionals, the Jericho Forum, the National Computing Centre, the National e-Crime Prevention Centre (NeCPC), the Police Central e-Crime Unit, SANS and SASIG.

The forum is chaired by Dr David King and its secretary is Stephan Freeman.

Source: Eskenzi PR

Goldman Sachs indictment highlights need for secure data sharing says Cyber-Ark

Cyber-Ark says Goldman Sachs indictment highlights need for secure data sharing

Reports that a computer programmer – charged with stealing data from a major bank – has been indicted by a federal grand jury in the US shows how easy it is for valuable company data to electronically go walkabout, says Cyber-Ark.

"This case is interesting as it apparently involves a former member of the bank's IT staff allegedly downloading software and allied data from his former employer’s servers, and relaying it to a German Internet account," said Mark Fullbrook, UK and Ireland director with the data security specialist.

"It's also alleged that the ex-employee also stored company computer data at his home, ready to take to his new job. The fact that the man was earning $400,000 a year indicates how high up he was before he left the bank last June," he added.

More than anything, says Fullbrook, the case is a classic example of what can go wrong when you allow IT staff complete and unfettered access to the company's data.

Whilst it's clear that IT staff have the best chance of gaining unauthorised access to company data, had the data been stored in a secure and encrypted environment, then it could have been securely shared with only those staff that needed access, and logs maintained on who accessed what information and when, he explained.

"If private data is relayed across a company's network in any way, it should be protected from prying eyes. This is common-sense IT security. Using this approach would have meant that only those who should have had access to the data would have been able to look at it,” he said.

"This case is a significant failure of IT security procedures at multiple levels as far as the financial institution is concerned. It is to be hoped that a full investigation will ensue and remedial action is taken, including installing a secure and managed file sharing solution, allowing staff access to the data they need, but in a highly controlled manner," he said.

Source: Eskenzi PR

Malware in Current Cybercrime and the Grey zone

By Juraj Malcho, Head of ESET VirusLab

It has been quite a long time since the first personal computers hit the market, and in that time many serious vulnerabilities and design faults have been discovered, and many things have changed. Mankind has slowly got used to the fact that every new technology can be misused, or rather, we can be fairly sure that someone will try to misuse it, whether merely to prove that misuse is possible or to mount a serious threat against people and/or infrastructure. The design of new devices and technology must therefore take into account the securing of data, data flows, and communication in general.

However, the systems being developed today are more and more complex, so even though huge effort is invested in security, faults are quite often introduced during either the design or the implementation stage. The growing number of technologies and devices broadens the attack surface available to attackers who try to make a profit by exploiting existing security flaws. And that’s exactly the domain of computer infiltrations.

Nowadays a vast amount of malicious or unwanted code is financially motivated. We could even say that there are only trace amounts of infiltration which exist solely to demonstrate the presumed ability of the author (whether maliciously motivated or not). Proof-of-Concept (PoC) virus writing is not as popular as it used to be. In fact, if a security researcher nowadays hears the term PoC, the first image that comes to mind is a chronic, even pathological search for security vulnerabilities and exploit programming. And yet the underlying motivation is often far from altruistic service or an effort to improve software reliability and security. On the contrary, new security vulnerabilities are now very much in demand on the black market, and present great opportunities for illegal income. That is the reason why PoC code and vulnerabilities tend to gravitate more easily towards malware authors than to the respective software developers. And that’s how we get to the typical malware of today, which takes advantage of some type of vulnerability – whether a technical or a human one.

In this case the decision about whether malice is intended, and the threat classification, is very straightforward and unambiguous. For an AV company the main problem is implementing detection: the protection schemes in modern malware tend to be complicated, new variants come out in huge volumes and the professional groups on the other side work deliberately on evading detection. The income of these criminal groups is mostly derived from trading stolen credentials or any other data stolen from compromised computers, or from renting out botnet services, such as adware push-installations, advertisement and spam delivery or DDoS attacks.


Let’s leave the clearly defined malicious code aside and focus more on greyware – software from the grey zone. The complications with these applications do not usually lie in code complexity, code protection/obfuscation, or in implementing detection. The problem lies in deciding whether the software is or is not malicious, or whether it is actually useful somehow. Of course, one will automatically assume that the decision criteria have to be subjective and possibly ambiguous to some extent – every user could have a different opinion or different desires. So the boundary between good and evil, usefulness and uselessness, is unclear. Even different AV companies might have different views on various issues and their philosophies might differ somewhat, leading to disagreements even among the experts. Naturally, these companies cooperate closely (and not only in order to avoid such conflicts).

Over the years several projects and organizations have been established in order to introduce generally respected rules and best practices that have been developed and discussed within the community.

One of the goals is to create a stable reference point which can be used in discussions of controversial issues. Let’s mention a few of the initiatives most related to the topic of this article: the Anti-Virus Product Developers Consortium (AVPD), the Anti-Spyware Coalition (ASC) and the Anti-Malware Testing Standards Organization (AMTSO). AVPD was formed to provide an open forum in which developers could work toward common goals such as product testing, product certification, surveys, studies and market research. ASC is a group dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies. And finally, AMTSO was founded in May 2008 as an international non-profit association that focuses on addressing the global need for improvement in the objectivity, quality and relevance of anti-malware testing methodologies. More information about these organizations and initiatives can be found on their web pages.


Let’s have a closer look at the previously mentioned problematic software where the decision-making process about its malicious intent or legitimacy is complicated and tricky. What kind of software is it? Well, put very simply – it’s the software that is, in fact, completely useless and doesn’t provide any real value. Or, in other words, if the software is actually paid for, then the only party that gets any genuine benefit from it is the author/company that develops it. That’s a very simple and elegant definition, right? But in the real world, endless discussions could be held regarding the usefulness or legitimacy of these kinds of software.

What is worse, sometimes it even leads to lawsuits. It happens more and more often that, after a lengthy analysis, an AV company decides to detect some application and a few months later the developers complain about unjustified detection and request that the false positive (FP) be fixed. The rounds of decisions and considerations that follow are usually very difficult because of the collision of interests. There are many factors that need to be taken into account – not only the software itself, but also the user base; it is also necessary to verify the company’s credibility and to analyse the distribution channels that are used. The distribution channels themselves can easily turn a legitimate application into an unwanted one.

Basically we have two reasons to flag an application as potentially unsafe or unwanted: the application is being misused by some malware, or the distribution model creates a direct incentive for illicit profit. In the first case you could think of countless system tools that are often misused by malware to extend its capabilities. Some examples are the system tools from SysInternals/Microsoft, various password crackers/password recovery tools, remote administration tools repurposed as backdoors, and so on. In the second case (the use of dubious distribution channels) we’re talking about a pay-per-install business model where the distributor earns a small cut of the profit for every successful installation of the software. This effectively means that the software is often spread by malware and automatically installed on a victim’s PC, or offered in spam campaigns.

A very important piece of information is what triggered the request for detection in the first place. Often it comes from customers who notice strange and unexpected behaviour on their PCs. Rogue companies and their products (rogue anti-virus, rogue anti-spyware) have their fraud fine-tuned in every detail: the product and the website look professional, and are often modelled on real anti-virus software. The websites are full of fake FAQ lists, along with plenty of forged positive reviews and testimonials from non-existent users.

Even if we base our decisions on relatively clear rules and recommendations such as those made by the ASC, the decision is difficult and time consuming to make. An in-depth analysis can take hours and days before a good reason for detection is found. That’s where the AV companies expend a lot of resources nowadays. It is beyond the scope of this article to talk in detail about the ASC rules and best practices: the relevant documents are available on the ASC website.

ESET spol. s r.o. is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe, held on 27th – 29th April 2010 in its new venue, Earl’s Court, London. The event provides an unrivalled free education programme and exhibitors showcasing new and emerging technologies and offering practical and professional expertise.

Courtesy: Eskenzi PR

Novatel MiFi makes its debut in Thailand

CAT Launches Novatel Wireless MiFi 2200 Intelligent Mobile Hotspot in Thailand

Leading Mobile Operator First in Asia to Launch EVDO MiFi 2200

SAN DIEGO AND BANGKOK – February 2010 – Novatel Wireless, Inc. (Nasdaq: NVTL), a provider of wireless broadband access solutions, today announced that CAT, the only CDMA operator in Thailand, is launching the Novatel Wireless MiFi 2200 Intelligent Mobile Hotspot.

The MiFi platform represents the industry's first Intelligent Mobile Hotspot, a new category of mobile broadband that lets users put their world of content, services and connectivity in their pocket. Unlike existing router solutions that require an external broadband modem and serve only to provide connectivity, the MiFi platform creates a personal cloud of high-speed Internet connectivity that can be easily shared between multiple users and up to five Wi-Fi devices such as laptops, cameras, gaming devices and multimedia players. For its innovative design and engineering, the MiFi Intelligent Mobile Hotspot was named a “Best of Innovations” award winner in the "Enabling Technologies" category at the International Consumer Electronics Show (CES) 2010 in Las Vegas, among many other awards.

“As the only CDMA operator in Thailand, CAT has the established customer base and expertise to meet increasing demand for innovative and easy to use mobile connectivity solutions for both business and casual use,” said Rob Hadley, CMO, Novatel Wireless. “With the MiFi Intelligent Mobile Hotspot 2200, CAT is providing its customers with unrivaled high speed Internet access for their wireless devices virtually anywhere they want to go.”

“CAT is dedicated to delivering the industry's most cutting edge solutions to users across Thailand,” said Mr. Preecha Chindamai, Senior Executive Vice President, CAT. “We are delighted to be the first operator in Asia to deliver the unprecedented functionality and access of Novatel's MiFi 2200.”

The MiFi 2200 device will be available through CAT at the beginning of February 2010.

More info is available via the CAT contact centre on 1322.


CAT Telecom Public Company Limited (CAT) is a leading telecommunications provider in Thailand. CAT operates and delivers a wide range of services based on advanced technology and world-class network infrastructure to customers domestically, internationally and overseas. Its services include international telephone service, data communications service, internet services, E-Business services, and CDMA mobile phone services. With its CDMA2000 1xEV-DO Rev. A infrastructure, CAT has the most extensive 3G coverage in Thailand.


Novatel Wireless, Inc. is a leader in the design and development of innovative wireless broadband access solutions based on 3G and 4G wireless technologies. Novatel Wireless' Intelligent Mobile Hotspot products, software, USB modems and embedded modules enable high-speed wireless Internet access on leading wireless data networks. The Company delivers specialized wireless solutions to carriers, distributors, OEMs and vertical markets worldwide. Headquartered in San Diego, California, Novatel Wireless is listed on NASDAQ: NVTL.


Launchpad Europe Launches "API" to Encourage Spread of Innovative New U.S. Technologies

Augmented U.S. activities enable Launchpad Europe to "fly the U.S. flag in the U.K.," stimulating a transatlantic cross-exchange of technological innovation

London, UK – February 2010 – Launchpad Europe, the global business accelerator for information technology companies, today unveiled an increased focus on U.S. technology partners, a move designed to stimulate the cross-exchange of technological innovation between the U.S. and the U.K.

A market accelerator providing high-tech start-ups with a "rapid-entry" methodology to European markets, Launchpad Europe has spent its foundational years working with visionary ICT companies launching into the UK. The globally focused company accurately matches its team's extensive skill set to each client's specific needs, offering tailored services packages based on each client's particular stage of commercial development, priorities and budget.

Launchpad Europe is now increasing its U.S. market focus with "Mission: API" ("American Program Interface," a play on the computing term "Application Programming Interface"). The augmented range of U.S. initiatives includes:

U.S. Commercial Service – Business Service Provider Listing

The U.S. Commercial Service, which connects U.S. companies with international buyers worldwide, now recognises Launchpad Europe as an official Business Service Provider in the U.S. Embassy in London.

The affiliation will enable Launchpad Europe to provide its British and American clients with market research, trade events, professional contacts, business counselling and more.

"The U.S. Commercial Service is pleased to work with Launchpad Europe to help get American ICT companies 'fighting fit' for the U.K. market," said Andrew Williams, Commercial Specialist at the U.S. Embassy in London. "Activities we are working on together this year include Infosecurity and IFSEC 2010."

The Launchpad Europe team will also be supporting U.S. firms at Infosecurity Europe in London, 27 - 29 April 2010.

Attending the 2010 RSA Conference

Launchpad Europe will be attending the RSA Conference in San Francisco, March 1 - 5 2010. The primary purpose of the visit will be to meet with U.S. IT security companies looking to develop their presence in the U.K., Europe and beyond, as well as potential partners such as U.S.-based public relations firms and channel and business development organisations.

Membership of the British-American Business Club

Launchpad Europe has joined BritishAmerican Business, the leading transatlantic business organisation. Launchpad Europe's BritishAmerican Business membership will enable the company to extend its network of contacts throughout the United Kingdom and the United States, hence widening its scope of capabilities as a transatlantic ICT intermediary.

According to Mike Burkitt, Launchpad Europe's technical director, the company has prepared for its increased U.S. focus by laying the foundations of success in the U.K. and Europe.

Burkitt explained, "Launchpad Europe's long-term goal has always been to facilitate a cross-exchange of technological innovation worldwide – not only inward-bound to the U.K., but also outward-bound to Europe, North America and beyond. We've used the recent economic slowdown to streamline our services, refine our company vision and build lasting relationships to help our clients grow along with the technology industry when it picks up again in 2010, as EITO, Forrester, and others have predicted. Now, with the vision and clarity of purpose of Mission: API, we will meet with scores of North American start-ups, influencers and resellers, hence widening our network of international talent and decision-makers. Building new relationships with North American start-ups, influencers and resellers extends our capabilities in both markets, thus driving revenue for the entire ecosystem."

Burkitt added, "Our organizational structure and proven sales management methodology, along with our hundreds of end-user and channel relationships, allow us to scale our sales and marketing activities to rapidly and effectively penetrate any specific target market. We are looking forward to extending these benefits to high-tech North American start-ups as well as to our current European clients looking to penetrate the U.S. Market."

Launchpad Europe will be attending the RSA Conference in San Francisco, March 1 - 5 2010. If you would like to meet with the team, please telephone +1 781 519 0245 / +44 (0)20 8255 2345 or follow us on Twitter: @launchpadeurope

About Launchpad Europe:

Launchpad Europe is a leading market accelerator providing high-tech start-ups with a proven "rapid-entry" methodology to European markets. Services range from individual sales representation to building an entire, fully functional business entity. Launchpad Europe accurately matches the team's extensive skill set to each client's specific needs, offering tailored services packages based on each client's particular stage of commercial development, priorities and budget.

Launchpad Europe provides and supports the full range of:

• sales, marketing and PR activities

• direct and indirect third party channel representation

• distribution

• technical backup and support services

• legal and financial advice

• HR functionality

A member of Intellect, the U.K. trade association for the IT industry, Launchpad Europe recently announced a new range of U.S.-focused activities aimed at accelerating transatlantic exchanges of innovative new technologies.

For more information about Launchpad Europe, please telephone +1 781 519 0245 / +44 (0)20 8255 2345 or follow us on Twitter: @launchpadeurope

Source: Omarketing Limited

Common Assurance Metric – Beyond the Cloud

Common Assurance Metric launched to provide security beyond the Cloud

London, February 2010 – The Common Assurance Metric (CAM), launched today, is a global initiative that aims to produce objective, quantifiable metrics to assure information security maturity in cloud and third-party service providers, as well as internally hosted systems. This collaborative initiative has received strong support from the public and private sectors, industry associations, and key global industry stakeholders.

There is currently an urgent need for customers of cloud computing and third-party IT services to be able to make an objective comparison between providers on the basis of their security features. As ENISA’s work on cloud computing has shown, security is the number one concern for many businesses and governments. Existing mechanisms to measure security are often subjective and in many cases are bespoke solutions. This makes quantifiable measurement of security profiles difficult, and forces a bespoke approach on every engagement, costing time and, of course, money. The CAM aims to bridge the divide between what is available and what is required. By building on existing standards, which are often industry specific, the CAM will provide a single approach of benefit to all organisations regardless of geography or industry.

"With today's complex IT architectures and heavy reliance upon third party providers, there has never been a greater demand for transparency and objective metrics for attestation", said Jim Reavis, Executive Director of the Cloud Security Alliance. "The Common Assurance Metric framework has great promise to address this demand and the Cloud Security Alliance is proud to support this initiative and align our own cloud security metrics research with it"

"Microsoft is committed to delivering secure, private, and reliable computing experiences. In today's interconnected world the trustworthiness of computing solutions depends on many interdependent components and requires broad industry collaboration. We look forward to contributing to the work on the Common Assurance Metric.” Matt Broda, Senior Security Strategist, Microsoft.

“This work is essential. The number one barrier to adoption of cloud computing is assurance – ‘how can I know if it’s safe to trust the cloud provider?’ This is a problem for providers too - answering a different security questionnaire for every customer is a huge drain on resources.” Giles Hogben, Network Security Policy Expert, ENISA.

“The Information Security Awareness Forum (ISAF) is committed to improving accessibility of advice through the promotion of consistent messages to help protect individuals and businesses alike. The Common Assurance Metric is a bold initiative that aspires to provide greater consistency in the security of cloud computing services. This will help to make the Internet a safer place for business and pleasure - an objective which the ISAF very much supports.” Dr David King, Chair ISAF.

“Security maturity is a major consideration in the adoption of cloud and collaboration technology; in fact a recent poll by Infosecurity Europe found that the lack of transparency around information assurance maturity was the biggest barrier to getting into the cloud for 94% of security professionals (sample size 1,014). Infosecurity Europe recognises that the CAM initiative can provide objective metrics which will enable customers to make timely and informed decisions to assure Information Security for cloud, third party service providers and internally hosted systems.” Tamar Beck, Group Exhibition Director, Infosecurity Europe.

“In an environment that is increasingly driven by regulatory and cost issues, confidence that your information is secure is a key factor to business success. But knowing who to trust your information to is an issue many businesses struggle to deal with effectively. The Common Assurance Metric will provide businesses with that confidence to choose the most appropriate partner to whom they can entrust their sensitive information.” - Brian Honan, Principal Consultant with BH Consulting.

The project team anticipate delivery of the framework in late 2010 followed by a process towards global adoption for organisations wishing to obtain an objective measurement of security provided by cloud providers, as well as the level of security for systems hosted internally.

Source: Eskenzi PR

Securing the Smart Grid: The Road Ahead

By: Joshua Pennell

With the push for more efficient energy distribution, the Smart Grid has quickly transformed from the hottest buzzword to a global reality. While the Smart Grid promises to deliver many benefits, it is essential to secure this critical infrastructure now, before it's too late.

So what exactly is the Smart Grid? The Smart Grid provides a much-needed update to our electric grid by connecting local power distribution with the national infrastructure, effectively changing the way electricity is delivered. The Smart Grid’s energy delivery network is best described as a two-way flow of electricity and information that is capable of monitoring everything from power plants to customers’ individual appliances. The Smart Grid leverages the benefits of distributed computing and fault-tolerant communication to deliver real-time information and enable the near-instantaneous balance of supply and demand at the device level.

A critical part of the Smart Grid is the Advanced Metering Infrastructure (AMI), or smart meter network, in which each meter acts as both a distribution point and an endpoint for communication and sensor nodes. Smart meters include a wireless network interface and mesh networking software, which allow utility companies to update the software running on the devices automatically and to shut off a customer's electricity over the network, a capability known in the industry as remote disconnect.

Smart meters are the most common component in the Smart Grid and are designed to give utilities and end-users more control over electricity distribution, generation, and usage, as well as greater savings and more efficient, reliable services. The benefits are undisputed; however, it is critical to examine the security of these smart meter devices, which are appearing rapidly on homes across the globe.

In 2008, IOActive researchers evaluated the security of a series of smart meter devices and uncovered several security vulnerabilities. Beyond the common attack vectors the devices were exposed to, IOActive achieved proof-of-concept, wormable code execution on standard smart meters. Because the meters' radio communication chipset is publicly sourced and the communication protocols lacked authentication and authorization, the researchers were able to leverage these weaknesses, among others, to produce a proof-of-concept worm. If an attacker installed a malicious program on one meter, its firmware could be made to issue commands that flash adjacent meters, until every device within an area was running the malicious firmware.

Theoretically, once the worm spreads to meters, the attacker gains several abilities including connecting and disconnecting customers at predetermined times; changing metering data and calibration constants; changing the meter's communication frequency; and rendering the meter non-functional.

While IOActive’s findings are serious and warrant immediate attention, it is certainly not too late to secure the Smart Grid. So how, exactly, is that done? Like the remediation of any serious security vulnerability, securing the Smart Grid is a joint effort that requires the support of utility companies, smart meter vendors, the government, and leading privacy and security experts.

Utility companies are in a powerful position to secure the Smart Grid because they can apply pressure to meter vendors so that they produce more secure devices. By continuing to conduct security reviews that test the meters' security, quality, and reliability for the entire duration of the product lifecycle, utilities can ensure that meter vendors continually improve their security protocols.

To help meter vendors develop more secure products, IOActive advocates the adoption of leading security methodologies, including Microsoft’s Security Development Lifecycle (SDL). Taking a proactive stance, the SDL builds security and privacy measures into each stage of a product's development, requires third-party auditing, and conducts a final review before software is released. The SDL also makes business sense, as it is a proven way to save money: studies indicate that overall project costs are 60 times higher when gaps in information security controls are addressed late in the development phase.

Following an SDL will help meter vendors resolve many of the design flaws discovered in their devices, including the lack of layered defenses. Multiple layers of defense provide the best security, on the principle that if one mechanism fails, others remain to prevent a breach. Layered defense matters especially for smart meters because they are installed on the outside of homes with minimal physical protection. Without it, someone with a basic understanding of electronics could easily steal a meter, reverse engineer it, and potentially uncover exploitable vulnerabilities.

Contributing to the lack of layered defenses, IOActive found that strong encryption, authentication and authorization were often poorly implemented in smart meter devices. Many devices used no encryption and performed no authentication before carrying out sensitive functions such as executing software updates and performing disconnect operations. Even where meters had encryption algorithms in place, the functionality was unmanageable in practice, and the keys were often exposed, extremely weak, or recoverable through simple hardware hacking techniques.
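The two failures described above, a meter that executes any well-formed radio frame and the same meter once every frame must carry a per-device authentication tag and a fresh counter, as an added example. This is not IOActive's code and not any real meter protocol: the frame layout, command codes, meter IDs and keys are all invented for the demonstration.

```python
"""
Added example (not IOActive's code, not a real AMI protocol): a toy
over-the-air command channel for a smart meter, first as the page
describes the vulnerable devices (no authentication, no replay
protection), then with a per-meter HMAC-SHA256 key and a monotonic
counter. Frame format, command codes, meter IDs and keys are invented.
"""
import hashlib
import hmac
import struct

CMD_DISCONNECT = 0x01
CMD_FIRMWARE_UPDATE = 0x02
CMD_SET_FREQUENCY = 0x03

TAG_LEN = 32                     # HMAC-SHA256 output length
HEADER = struct.Struct("!IQB")   # meter_id (4), counter (8), cmd (1)


class NaiveMeter:
    """Models the meters described on the page: any well-formed frame
    received over the radio is executed, with no check of who sent it."""

    def __init__(self, meter_id):
        self.meter_id = meter_id
        self.connected = True
        self.firmware = b"vendor-v1"
        self.frequency_khz = 915000

    def handle(self, frame):
        if not frame:
            return "rejected: empty frame"
        return self._execute(frame[0], frame[1:])

    def _execute(self, cmd, payload):
        if cmd == CMD_DISCONNECT:
            self.connected = False
            return "disconnected"
        if cmd == CMD_FIRMWARE_UPDATE:
            self.firmware = payload          # no image signature check
            return "flashed"
        if cmd == CMD_SET_FREQUENCY:
            if len(payload) != 4:
                return "rejected: bad frequency payload"
            self.frequency_khz = struct.unpack("!I", payload)[0]
            return "retuned"
        return "rejected: unknown command"


class HardenedMeter(NaiveMeter):
    """Same command set, but a frame is executed only if its HMAC tag
    verifies under this meter's own key, it is addressed to this meter,
    and its counter is strictly greater than the last one accepted."""

    def __init__(self, meter_id, key):
        super().__init__(meter_id)
        self._key = key              # assumed unique per meter, in protected storage
        self._last_counter = 0

    def handle(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            return "rejected: short frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Verify before parsing, in constant time, so unauthenticated
        # bytes never reach the command decoder.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        meter_id, counter, cmd = HEADER.unpack_from(body)
        if meter_id != self.meter_id:
            return "rejected: addressed to another meter"
        if counter <= self._last_counter:
            return "rejected: replayed frame"
        self._last_counter = counter
        return self._execute(cmd, body[HEADER.size:])


def naive_frame(cmd, payload=b""):
    """Frame for the unauthenticated protocol: command byte then payload."""
    return bytes([cmd]) + payload


def signed_frame(key, meter_id, counter, cmd, payload=b""):
    """Frame for the hardened protocol: header, payload, HMAC over both."""
    body = HEADER.pack(meter_id, counter, cmd) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def demo():
    """Plays the page's scenario against both models; returns the responses."""
    malicious_fw = b"worm-v1"                     # constructed attacker image
    results = {}

    victim = NaiveMeter(meter_id=1001)
    results["naive_flash"] = victim.handle(naive_frame(CMD_FIRMWARE_UPDATE, malicious_fw))
    results["naive_disconnect"] = victim.handle(naive_frame(CMD_DISCONNECT))
    results["naive_firmware"] = victim.firmware

    key = hashlib.sha256(b"demo-key-for-meter-1002").digest()   # constructed key
    meter = HardenedMeter(meter_id=1002, key=key)
    results["hardened_unsigned"] = meter.handle(naive_frame(CMD_DISCONNECT))
    forged = HEADER.pack(1002, 1, CMD_DISCONNECT) + bytes(TAG_LEN)
    results["hardened_forged_tag"] = meter.handle(forged)
    good = signed_frame(key, 1002, 7, CMD_FIRMWARE_UPDATE, b"vendor-v2")
    results["hardened_update"] = meter.handle(good)       # legitimate head-end
    results["hardened_replay"] = meter.handle(good)       # captured and resent
    results["hardened_firmware"] = meter.firmware
    results["hardened_connected"] = meter.connected
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The per-meter key is the point that connects back to the hardware findings above: if the fleet shared one key, a single meter pulled off a wall and stripped of its secret would let the attacker sign commands for every neighbour, and the worm scenario would be back. A unique key per device confines that loss to one meter; signing firmware images with a vendor key the meters only verify (not shown here) would close the remaining gap, since the head-end key authorises the update command but not its contents.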

Like any new technology, the Smart Grid promises many benefits, but it also has weaknesses. A lot of work needs to be done to secure this critical infrastructure, and it is fortunate that this effort is currently taking place. With the help of the government and security experts, utilities are taking strides to improve the security of the Smart Grid and all of its components. As security improves, both consumers and utilities will benefit from the Smart Grid while the present and future safety of the world’s critical infrastructure is protected.

IOActive is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit

About IOActive

Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, router, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts the likes of Dan Kaminsky, Ilja van Sprundel, Mike Davis, Ward Spangenberg, and Wes Brown—talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, Shakacon, BlueHat, CanSec, and WhatTheHack. For more information, visit

Courtesy: Eskenzi PR

Cloud computing creates a new legal ballgame

- But who will solve the legal issues on this important new technology?

London, February 2010 – Although there are a number of benefits that cloud computing brings to the better business table - including reduced servicing costs and increased flexibility on IT services - there are still a number of legal issues that need to be addressed, say the organisers of 360°IT – The IT Infrastructure Event.

According to Natalie Booth, the show's event director, Microsoft is quietly lobbying for new legislation in a number of key countries, with the software giant's general counsel reportedly visiting several countries to lobby for the changes.

"Microsoft's corporate counsel Brad Smith has been globe-trotting in connection with this for some time, as was confirmed by his presentation at the Brookings Institution last month," she said.

"Brad Smith referred in his Brookings speech to Facebook founder Mark Zuckerberg's comment that `privacy is no longer a social norm,' and questioned this statement, calling on the US Congress to modernise the law and fill in the gaps that cloud computing clearly creates," she said.

"Smith also noted that it is often difficult to place a specific monetary value on the theft of content, reasoning that it makes more sense to impose statutory penalties on a per-victim basis," she added.

The problem facing regulators in most countries, Booth says, is that the penalties for hacking into an individual computer are the same as for a cloud-based IT system, even though the potential financial losses are clearly a lot higher.

According to the 360°IT show director, Smith's observation that the legislation surrounding cloud computing is complex, with courts in Belgium, Brazil and Italy seeking to impose penalties on US cloud entities in recent cases, is a valid one, but the big question is who will administer such legislation.

It is interesting to note, she says, that Kroll Ontrack's third annual ESI Trends study, a major survey into data breach risk whose results were released last November, found that firms may also face legal consequences following a breach, given the rising number of breaches in the news.

And, she explained, as firms place more and more of their data and IT assets in the cloud, the legal risks arising from cloud computing will rise, especially now that Gartner is predicting that, by 2014, around 20 per cent of businesses will have most, if not all, of their IT assets in the cloud.

"What we are seeing is a sea change in the way companies access and store their data. The cloud is clearly the option of choice for a growing number of businesses, but the legal challenges this creates are a potential minefield," she said.

"This year's 360°IT event - which takes place in London's Earls Court exhibition centre in September - will have a number of cloud-related exhibitors, as well as a show education programme that will answer many managers' concerns on the legal aspects of the cloud. In the meantime, it's clear there are a range of legal issues that must be addressed by jurisdictions around the world," she added.

For more on:

Microsoft's legal counsel's globe-trotting lobbying:

Brad Smith's Brookings Institution presentation:

Kroll Ontrack's data breach survey:

Gartner's IT asset predictions:

The 360 IT event:

360°IT is the event dedicated to the IT community addressing the needs of IT professionals responsible for the management and development of a flexible, secure and dynamic IT infrastructure.

With high level strategic content, product demonstrations and technical workshops, 360°IT will provide an essential road map of current and emerging technologies to deliver end to end solutions.

360°IT will facilitate vendor and end user collaboration to create the IT infrastructure necessary to achieve key business objectives - improving service, reducing cost and managing risk whilst gaining competitive advantage and growth.

Source: Eskenzi PR

How Important is the Role of Testing?

Simon Morris, Research & Development Director


In such an uncertain economic climate, organisations need to be far more competitive. One simple way to stay ahead of competitors is for businesses to make sure their products get to market first, since the initial occupant of a market segment gains an advantage: the first entrant can take control of resources that followers may not be able to match. Sometimes, however, the first mover is unable to capitalise on its advantage, which leaves the opportunity for another organisation to gain ‘second-mover advantage’.

This theory weighs heavily in the technology testing arena. Organisations need to strike a balance between being first to market and being the best in the market. In most businesses the sales and marketing team will push for new products to be ready in time for particular market conditions, to be ahead of competitors and to position the organisation as the leader in its market place. This is a problem when it comes to testing security products, because the two tactics do not sit well together. Testing is not a process that can be rushed: businesses must make sure their products meet their customers’ objectives and needs, and yet the product needs to be ready in time to secure a competitive edge. So how can an organisation best strike this balance between competitiveness and product accuracy?

Getting the Right Balance

Organisations need to take a semi-formalised approach to testing in order to keep a ‘real world’ aspect. Many organisations have in the past relied on mathematical testing, which proved a product accurate and safe to use, only for the product to crash once the human factor was introduced. Others skip validation testing and instead release a beta so that they can make corrections as they go along. These tactics only work to a certain extent; organisations need to prioritise the risks involved with the product and decide how thorough the testing needs to be. An online banking product, for example, must be safe and free of known bugs and vulnerabilities before it is introduced to customers, and so must undergo a meticulous testing process.

Organisations also need to ensure that the testing process is as efficient, accurate and fast as possible. In many cases, and particularly in programming, there are millions of lines of code written by a programmer who is no longer with the company, so the code is almost impossible to understand; even if a bug is found it is extremely difficult to fix, and the new programmer has to start again from scratch.

Testing is hugely important when developing a new product, and many issues can be easily overlooked in the rush to get a product to market. Unfortunately testing is often seen as an overhead, as organisations are too eager to reach the end product and cannot see the tangible return on investment that testing can bring.

Communication is also imperative in the product development process. Many programmers still struggle to articulate their ideas and plans, and very often find themselves under pressure from marketing and sales to deliver a product far sooner than it should be. If it were left to programmers to decide when products go to market, however, it would never happen. There needs to be a clear middle ground between these two business departments, and getting that balance right is the crux.

Importance of Testing

Firstly, an organisation needs to test the stability of a new product, but simple questions such as ‘does it do what it says on the tin?’ and ‘does it do what the marketing and sales department asked for?’ are very often overlooked. Ease of use is also vital: the product needs to be aimed at the right audience, because even a remarkable piece of code fails the project objectives if the customer cannot use it easily.

One of the main reasons Apple has been a success is its focus, in the early days, on the human-computer interaction aspects of its products. Apple tested its user interfaces to ensure they could be used by anyone and that everything was where a user would expect to find it. Businesses must follow this example to keep customers satisfied.

To ascertain the quality of a product, boundary checking is vital. A parameter that allows a user to enter a number between one and ten must be tested with numbers outside that range, because such input can crash the product, and the product must be able to cope with irregular input. Alongside this, products must be tested on their data validation. Here at Pentura we have seen examples where some of the leading firewall products allowed users to enter any kind of data and only crashed at the end of the process, because the data was wrong. Organisations must ensure that the information users enter, no matter how random, does not break the product.

There is tremendous pressure on software engineers to get new products out quickly, and at Pentura the aim is to catch as many problems as possible before a product goes to market. Organisations today are realising the value of a carefully planned product development process and of testing all possibilities. Many of the exploits on banking sites that are bandied about in the media stem from bad coding. Banks have realised this over the last few months and are now investing in thorough code checks.

How should an organisation implement testing accurately?

In order to make the product development process as streamlined and efficient as possible, there are a number of tactics an organisation can use. With time such an important factor in product engineering, businesses cannot stay competitive if products constantly need to be redeveloped and bugs removed. With so many products released far too early without adequate testing, the only way to stay ahead of competitors and maintain customer satisfaction is to take the ‘second-mover advantage’.

A well respected and recognised way to manage the software lifecycle is to follow the seven stages of the ‘Waterfall Model’, a sequential software development process, so called because product development is seen as flowing steadily downwards, like a waterfall, through seven phases:

  1. Requirements specification

  2. Design

  3. Construction (AKA implementation or coding)

  4. Integration

  5. Testing and debugging (AKA Validation)

  6. Installation

  7. Maintenance

Each of these phases must be completed accurately and precisely before moving on to the next, so that the testing phase is not seen as the only point in the product development process at which bugs are filtered out and the success of the product is analysed. The more time spent in the early stages of a software production cycle, the better the results and cost efficiencies at the later stages. It has been shown that a bug found in the early stages, such as requirements specification or design, is cheaper in money, effort and time to fix than the same bug found later in the testing phase.

It is very difficult, however, to perfect every phase of a software product's lifecycle, which is why testing remains a very important and necessary step in the product development process. One way of ensuring a product meets its original objectives is to break the process down into smaller projects or ‘quick wins’. This allows developers to see clearly, at the end of each smaller project, whether they are on target to deliver on customer objectives.

Some long-term software engineering projects can last years, and as new programmers come through the business, objectives get misinterpreted and misunderstood, the code that was originally written is difficult for another programmer to understand, and very often projects have to be started again from scratch. It makes sense to break large projects into smaller sections, so that there are clear benchmarks at which objectives can be reviewed, reset and monitored, and new programmers can be introduced with minimal disruption.

Another way of minimising the time spent developing and writing new code is to reuse smaller sections that have been implemented and tested successfully before, and to interlink these with new code.

A business can build up libraries of such code. This creates a jigsaw of smaller product parts that the business may need at a later date, giving it the building blocks for future products and projects.

There are no regulatory requirements for writing code; it is generally understood, as an unwritten rule, that programmers will annotate and document their code so that, should another programmer need to edit and develop it further, the annotations allow them to do so with ease.


The issues of time and of understanding the ins and outs of product development will not be fixed overnight. The best way to ensure that a product is ready to go to market is to set up targets and milestones to monitor its progress; this can be supported by the modularisation features of languages such as Pascal and Modula-2. Ada, a language developed for the defence sector, promoted this modular approach precisely so that projects did not end up with a million lines of code that were impossible to break up.

It is important to put the final product into perspective: if it is not going to be deployed into a high-risk environment, then testing is less critical and the beta technique may work well. In high-risk environments such as banking, it is essential to spend more time testing, because the impact of a bug can be catastrophic.

In a perfect world there would be more staff and time available to test and to ensure consistency, which matters because it lets everyone understand the objectives. Marketing and product engineering departments need to set realistic time allocations so that they manage customer expectations well.

Software testing should provide accurate information about the quality of a product or service with respect to the context it is intended to operate in. It should also provide an objective and independent view of the product, allowing an organisation to appreciate and understand the risks involved in implementing the software. It must validate and verify that the product meets the business and technical requirements agreed in the early stages, and that it works as expected.

Testing can never highlight every bug and fault within a product. Instead, it identifies how well a product will work in a particular environment. Every software product has a target audience, and when an organisation develops or invests in a software product, it must ensure the product will address the needs of its end users, its target audience and its purchasers.

Pentura is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl’s Court, London. For further information please visit

Courtesy: Eskenzi PR

Who can you trust?

Don’t underestimate the value of screen privacy

By Lloyd Cole, European Marketing Manager, 3M Mobile Interactive Systems Division

The effective management of private, personal and confidential information is an ever-increasing concern for organisations large and small, as factors such as remote working, global travel, public wi-fi availability and the explosion in laptop sales combine to put their employees under constant threat of data exposure. This threat stems on the one hand from the indifference of many employees to the security risks of using company laptops in public places, and on the other from the failure of many organisations to educate their workforce on best practice for maintaining and improving data protection compliance.

According to a 2009 British Standards Institution (BSI) survey of over 500 small and medium businesses, almost one in five has unwittingly breached the Data Protection Act (DPA) at least once. 65 per cent provide no data protection training for their staff, and nearly half admit that no one in their business has specific responsibility for data protection. 15 per cent are not confident that their data sharing practices conform to the DPA and, worryingly, almost 5 per cent frequently share data regardless. Furthermore, 18 per cent said that data protection is less of a priority in the current economic climate.

On the contrary, data protection has never been so important, and organisations should not let their guard down. Loss of data, whether sales and marketing plans, legal cases, customer names, purchasing details, human resource information, salary scales or proposed redundancies, can damage competitive edge and credibility, leading to serious financial consequences and loss of customers and reputation.

The number of data breaches, and the costs they impose on UK organisations, are rising at a staggering rate. This trend is reflected in a Ponemon Institute study released in February 2009 (2008 Annual Study: Cost of a Data Breach), which examines the costs incurred by 30 UK organisations from 10 different industry sectors after a data breach. The study found that the average cost of a data breach grew to £60 per record compromised, an increase of 28 per cent since 2007 (£47 per record). The average total cost per reporting company was more than £1.73 million per breach (up from £1.42 million in 2007) and ranged from £160,000 to over £4.8 million.

The Information Commissioner’s Office (ICO) has called the amount of data being stolen, lost in transit or mislaid by staff “unacceptable”. Around 33 European countries have passed some form of privacy and data protection legislation, and many of these require notification of either the regulatory authorities or those affected by a breach. In the UK, under current legislation, the individual inside an organisation charged with implementing the DPA is responsible for notifying the ICO of any significant breach and for deciding, together with the ICO, whether potential victims need to be notified. From 2010, companies that recklessly or deliberately break the data protection rules will face fines of up to half a million pounds.

So what measures can organisations implement to defend against losses that can never be fully quantified? As a first line of defence for employees using company laptops while travelling or in public places, privacy filters that guard the laptop screen are a simple and cost-effective tool. Such screen filters are ideal for preventing shoulder surfing and help improve data protection compliance. They are easily fixed to laptops, can be removed or replaced instantly, and laptops can be closed with the filters in position. They work by restricting the viewing angle of the display so that only a user positioned directly in front of it can see the data.

When working on laptops in public places, users are generally unaware of the activity going on around them, leaving them vulnerable to curious bystanders, opportunistic criminals or even practised experts peering over their shoulder to read or record on-screen information. Being the victim of shoulder surfing can make laptop users feel uncomfortable and can impede productivity if it means shutting down and closing the laptop after being observed. According to research commissioned by 3M United Kingdom plc in 2007, there is an 80 per cent chance that a laptop user has already been a victim. Almost a quarter of UK computer snoopers do it for the opportunity to read people’s business emails, and 16 per cent are trying to get a glimpse of someone’s company documents.

The shoulder surfing threat does not lie in wait only outside the office; there is an internal threat in open-plan offices as well. By specifying these simple on-screen privacy tools in their security policies, backed by clearly defined defence strategies, organisations can tighten up data privacy and ensure effective, practical implementation across their mobile and office-based workforce.

3M is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April at Earl’s Court, London. For further information please visit

Courtesy: Eskenzi PR

Four stolen laptops highlight need for multiple layers of security

St Albans council report on four stolen laptops highlights need for multiple layers of security on data in transit

A consultant's report on the theft of four laptops at St Albans council, in which the details of more than 14,500 postal voters went walkabout, has highlighted continuing lapses on the security front, says Origin Storage, the storage systems integration specialist.

"The theft of the laptops caused an uproar, but the report from Socitm has identified that staff are still being lax on data security, despite the fact that other security procedures have been tightened up," said Andy Cordial, Origin's managing director.

"Local press notes about the report make for interesting reading, not least because, although staff are physically locking hardware to their desks, and portable device data is being encrypted, employees are still taking a poor approach to security generally, such as sharing their passwords," he added.

According to Cordial, whose company supplies portable data security systems with multiple layers of defence to clients, using encryption is only part of the equation when it comes to protecting data.

As reports in the security press have revealed, it is all too easy to lose the encryption key along with the laptop and, as IT analyst firm Quocirca reported last July, companies must take better control of their critical information and use all possible methods to prevent information falling into the wrong hands should a device be lost or stolen.

That report, the Origin Storage MD went on to say, concluded that there are significant productivity gains to be had from the ease of good administration and management when it comes to protecting data in transit.

"Multi-layered data systems – such as the Datalocker device we recently introduced, and which defends data using PIN and encryption technologies – are now the best option for organisations wanting an easy-to-use portable data security system," he said.

"When added to other security procedures such as positive staff vetting for employees handling private data, the multi-layered defence strategy starts to make sense – especially if how the layers work is easy to understand, as well as use, for the employees concerned," he added.

For more on Origin Storage:

Source: Eskenzi PR Ltd.

Imperva’s SecureSphere 7.5 Bolsters Protection against Insider Threats

SecureSphere 7.5 Introduces User Rights Management, Streamlines Database Auditing

London, UK – February 2010 – Imperva, the leader in data security, today announced a major update to its market-leading Data Security Suite. The release extends Imperva’s database auditing solution with numerous platform, storage and scalability enhancements and introduces User Rights Management for Databases (URM), which allows organizations to automate the process of finding and eliminating excessive user access rights to sensitive data. This capability helps enterprises reduce the risk of insider abuse and data theft as well as achieve compliance with regulations such as PCI DSS and Sarbanes-Oxley that mandate limiting user access rights to a “need to know” basis.

“URM will help security professionals better understand who should have access to sensitive data. For instance, suspicious activity from employees, contractors, and partners downloading data they shouldn’t see can be quickly identified,” explained Brian Contos, Imperva’s chief security strategist and author of Enemy at the Water Cooler and The Convergence of Physical and Logical Security. Rogue insiders can be the source of major data theft. For example:

  • Ford Motor Company’s intellectual property was stolen with the intent of giving it to a Ford rival in China.

  • A Coca Cola formula was stolen by several employees who tried to sell it to Pepsi.

  • DuPont experienced a $400M theft in valuable research from a single employee trying to gather documents before joining a competitor.

“In tough economic times, insider threats go up—but the ability to prevent them remains limited. By tightening the control over user rights enterprises can reduce the risk associated with insider data theft.”

Key highlights of SecureSphere 7.5 include:

  • User Rights Management for Databases – automates the labor intensive process of aggregating user rights across heterogeneous databases, identifying rights pertaining to sensitive data and validating those rights against users’ organizational context and data access patterns.

  • Improved agent management technology for SecureSphere Database Activity Monitoring (DAM) and SecureSphere Database Firewall (DBF) – with new agent analytics, configuration, filtering and remote management capabilities, Imperva enables enterprises to manage large scale environments that include hundreds and thousands of audited databases.

  • Virtualized Discovery and Assessment Server (Virtual DAS) – enables customers and partners to easily perform periodic vulnerability assessments, data classification and user rights review for databases by carrying a virtual DAS instance on a laptop. Customers can also deploy multiple instances on the network for maximum coverage without deploying physical appliances.

  • SecureSphere Agent for DB2/400 – integrates DB2/400 platform coverage into the SecureSphere comprehensive Database Activity Monitoring (DAM) solution.

  • New Data Security Hardware Appliances with increased storage capacity, easier management and simplified deployment. These enhancements help security professionals protect and audit more web applications and databases to mitigate insider threats and external hackers.

SecureSphere 7.5, URM for Databases, and the SecureSphere Agent for DB2/400 are scheduled for general availability in March 2010. Virtual DAS is available now. Please contact Imperva or an authorized reseller for pricing information.

Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit

Source: Eskenzi PR Ltd

Value of stolen credentials determined by Internet service

Cybercrime evolution means value of stolen credentials now determined by Internet service

London, February 2010 – The rapid evolution of Web 2.0 services and the parallel world of cybercrime is driving a revolution in the price that criminals charge each other for user credentials, says Imperva, the data security specialist.

The price of a file of user credentials – known as a 'dump' in hacking circles – depends greatly on the Internet service(s) where they can be used, says Amichai Shulman, the firm's chief technology officer.

"Just five years ago, the illegal trade in credit card details was a rising problem for the financial services industry, as well as their customers, with platinum and corporate cards being highly prized by the fraudsters," he said.

"Today, however, there are reports of Twitter credentials changing hands for up to $1,000 owing to the revenue generation that is possible from a Web 2.0 services account. This confirms our observations that credentials can fetch a high sum according to both the popularity of the application, and the 'popularity' of the account in question," he added.

This is clearly illustrated by the 'going rate' of $1.50 for a Hotmail account, and $80.00-plus for a Gmail account. As a service, Hotmail has fallen out of favour with serious Internet users, while Gmail's all-round flexibility means it is a central service for business users, he went on to say.

According to the Imperva CTO, this means that Gmail credentials can also give access to a range of Google cloud services, including Google Docs and AdWords accounts.

Google Docs, he explained, can contain valuable additional information on the legitimate owner, while an AdWords account can allow criminals to manipulate existing and trusted search engine results.

And it's a similar story with Twitter accounts, but with the added dimension of the immediacy of a rapid-fire social networking connection, said Shulman.

This, he went on to say, is almost certainly the reason why some newswires were reporting earlier this week that Twitter had blocked the accounts of some users whilst they changed their passwords.

"Twitter accounts are so valuable to criminals that they will use almost any technique to harvest user credentials, including targeted phishing attacks. Once a fraudster gains access to a Twitter account, they can misuse it in a variety of ways to further their fraudulent activities," he said.

"If this isn't a wake-up call to anyone with multiple IDs that use the same password, I don't know what is. Internet users - especially those with business accounts - need to use different passwords for different services, or they could face the disastrous consequences of taking a slack approach to their credentials," he added.

For more on the $1,000 Twitter accounts story:

For more on Imperva:

Source: Eskenzi PR

Novatel Wireless Announces First Successful 4G LTE Data Transmission

SAN DIEGO, Feb. 8, 2010 – Novatel Wireless (NASDAQ: NVTL), a leading provider of wireless broadband solutions, today announced that it has successfully completed the first data transmission call using Long Term Evolution (LTE) 4G technology. LTE provides high data rates of up to 100Mbps on the uplink and 50 Mbps on the downlink and an enhanced user experience by leveraging new, wider bandwidth spectrum. Many operators are already planning to overlay LTE on their 3G networks to augment data capacity. Novatel Wireless is working with operators and plans to launch commercial data devices in late 2010.

“We are pleased to achieve these important first data transmission milestones on next generation technologies, last week with dual carrier HSPA+, and now with LTE, and we expect to leverage our industry-leading position to offer 4G wireless data products to our customers,” said Dr. Slim Souissi, CTO, Novatel Wireless. “We believe our aggressive development efforts will enable us to deliver these innovative solutions with the fastest possible time to market.”

Novatel Wireless, Inc. is a leader in the design and development of innovative wireless broadband access solutions based on 3G and 4G technologies. Novatel Wireless' Intelligent Mobile Hotspot products, software, USB modems and embedded modules enable high-speed wireless Internet access on leading wireless data networks. The Company delivers specialized wireless solutions to carriers, distributors, OEMs and vertical markets worldwide.


Lancashire Constabulary Chooses 3ami MAS for Protective Monitoring of Force's IT Systems

3ami MAS helps Lancashire Constabulary comply with new ACPO regulations for data security ahead of the March deadline

Manchester, UK, 8th February 2010 - Lancashire Constabulary is using 3ami Monitoring and Audit System (MAS) to comply with new data security regulations from the Association of Chief Police Officers (ACPO). Coming into effect March 2010, the ACPO Information Systems Community Security Policy lists "protective monitoring" as a control UK police forces must score against to comply with the policy matrix. With a few minor exceptions, such as passwords and confidential reporting, 3ami MAS will monitor all data input on Lancashire Constabulary's network of terminals, including mobile and portable terminals.

"We expect that the implementation of 3ami MAS will ultimately result in a cost-saving, not just in the typical productivity sense, but also in the preventive message it sends out to the users of force computer systems," said Detective Superintendent Martyn Leveridge. "It will provide us with the ability to resolve allegations of systems misuse more quickly and with more certainty, and allow the public additional confidence that systems are in place to protect data."

Mr Leveridge added that the transition to 3ami MAS was a well-timed decision, with the ACPO Information Systems Community Security Policy coming into effect in March.

"The security and leakage of information has been identified in a number of national police assessments as being the greatest threat to operational security and integrity," said Mr Leveridge. "Recent HMIC reports have made recommendations that all internal police computer systems should be made capable of auditing and being audited themselves, in order to ensure the integrity and confidentiality of sensitive information. The 3ami MAS installation is the cornerstone for achieving this."

Lancashire Constabulary's primary use of 3ami MAS will be to aid the investigations of any corruption-related issues involving officers' and police staff's use of force computer systems. Activities falling under the umbrella of "police corruption" include the following (among others): inappropriate disclosure of police information, interference with police evidence, breaches of information security, system infiltration/attack, and perverting the course of justice.

Tim Ellsmore, Managing Director of 3ami, said, "3ami MAS is an essential tool for enforcing the laws of a digital network. Police forces that do not monitor and audit activity on their network's computers have no real way of knowing what officers and civilian staff are doing on their computers, let alone their portable terminals, which are becoming increasingly prevalent."

3ami MAS will coordinate and corroborate Lancashire Constabulary's existing auditing facilities into one comprehensive auditing framework. The software will be installed early in 2010, after a staff education programme.

"Before 3ami," said Martyn Leveridge, "our existing force auditing capabilities were application-based. Therefore, any activity conducted other than via the user interface – such as database file transfers, printing, screen captures and copying onto external data devices – was not capable of being monitored. 3ami provides a single solution to these problems, binding together existing application-based auditing."

For more information on Lancashire Police, please visit:

Or follow them on twitter at:

3ami Monitoring and Audit System (MAS) is a complete computer activity monitoring package that tracks all changes to hardware and software throughout an organisation's entire network(s) by capturing and securely storing records of all user activity – not just on the Internet but in every application, including email, word processing, spreadsheet applications, instant messaging and online activity. MAS monitors and audits police systems including ANPR (CLEARTONE BOF), PNC, Niche RMS, CORVUS and Quick Address (QAS). Even when other stand-alone capability is already present, 3ami MAS coordinates and corroborates all systems to provide a comprehensive auditing framework.

Developed specifically for police forces, 3ami MAS makes true data accountability possible. 3ami MAS both proactively prevents inappropriate and/or illegal computer activity from occurring and reactively tells you - with certainty - not only who is responsible, but also the full breadth of such activity, when it does occur.

3ami will be the headline sponsor at the upcoming ACPO Professional Standards Conference 2010 (Nottingham, June 28-30).

For more information on 3ami, log on to

Source: Omarketing

Two Thirds of Internet Users Expose their Online Banking Credentials on Other Websites

Trusteer Finds that Two Thirds of Internet Users Reuse their Online Banking Credentials on Other Websites

73 Percent Share Online Banking Password with Non-Financial Applications;

47 Percent Repurpose Both their Online Banking User ID and Password

London, UK, February 2010 – Trusteer, the customer protection company for online businesses, reported today that the vast majority of online banking customers reuse their login credentials to access non-financial and much less secure websites. Trusteer found that 73 percent of bank customers use their online account password to access other websites, and that 47 percent use both their online banking user ID and password to login elsewhere on the Internet. These findings are based on a sample of more than 4 million users of the Rapport browser security service, many of whom are customers of leading North American and European banks.

This widespread reuse of online banking credentials is being exploited by criminals who have devised various methods to harvest login credentials from less secure sources, such as webmail and social network websites. Once acquired, these usernames and passwords are tested on financial services sites to commit fraud.

Trusteer based its research on data collected over a 12 month period from millions of Rapport users in North America and Europe. Rapport protects online banking credentials, recognizes when users attempt to submit them to other websites, and warns them not to do so. The report’s key findings include:

  • 73% of users share the password they use for online banking with at least one nonfinancial website

  • 47% of users share both their user ID and password with at least one nonfinancial website

  • When a bank allows users to choose their own user ID, 65% of users share this ID with nonfinancial websites

  • When a bank chooses the user ID for its customers, 42% use the bank-issued user ID with at least one other website

The full report is available at

“Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users repurpose their financial service usernames and passwords,” said Amit Klein, CTO of Trusteer and head of the company’s research organization. “Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites.”

For consumers:

  • Maintain at least three sets of credentials: the first set to be used only with financial websites; the second set to be used with nonfinancial sensitive websites that hold information about your identity; the third set to be used with non-sensitive websites that do not maintain confidential information about the user. Memorizing three sets of credentials is not difficult, yet significantly improves a user’s level of security.

For financial institutions:

Identify customers who use their bank login information on nonfinancial websites and:

  • Educate them to avoid this risk

  • Set your risk engine to higher sensitivity for these customers

Rapport from Trusteer is a lightweight browser plug-in plus security service that prevents criminals from tampering with a user’s browser and protects against man-in-the-browser, man-in-the-middle, and phishing attacks. When users browse to sensitive websites such as internet banking, Webmail, or online payment pages, the Rapport plug-in immediately locks down the browser and prevents any unauthorized access to web pages and confidential information that flow through the browser. Trusteer also offers in-the-cloud reporting services. When unauthorized access attempts are detected by Rapport, these are analyzed by fraud experts who provide actionable intelligence to financial institutions.

Trusteer enables online businesses to secure communications with their customers over the Internet and protect personally identifiable information (PII) from a user's keyboard into the company's Web site. Trusteer's flagship product, Rapport, allows online banks, brokerages, healthcare providers, and retailers to protect their customers from identity theft and financial fraud. Unlike conventional approaches to Web security, Rapport protects users' PII even if their computer is infected with malware including Trojans and keyloggers, or is victimized by pharming or phishing attacks. Trusteer is a privately held corporation led by former executives from Cyota/RSA Security, Imperva, and NetScreen/Juniper. For more information visit

Source: Eskenzi PR Ltd

360°IT Welcomes Renowned CIO to Management Team

London, February 2010 - Reed Exhibitions is thrilled to welcome Denise Plumpton as Non-Exec Director for 360°IT. Denise will work with its management team to advise on the continuous development of the 360°IT strategy and content, including its exciting new show 360°IT - The IT Infrastructure Event. Having previously held roles as Director of Information at the Highways Agency, CIO at Powergen (now part of E.On), IT Director with TNT UK Ltd and currently holding non-exec positions at Centro and The Heart of Birmingham Teaching Primary Care Trust, Denise’s experience will provide unparalleled insight into the issues causing Heads of IT within UK organisations anguish today.

Denise’s reputation for leading strategic change and bringing IT and the core business closer together is renowned. Having worked with IT departments of all sizes including one numbering several hundred people, her experience spans resourcing to outsourcing including insourcing, changing suppliers, rightsizing, downsizing, and more recently, whilst with the Highways Agency (HA), she recruited and developed an in-house team of IT professionals in programme/project management and business analysis. Whilst with HA she is credited with transforming the provision of traffic information to the public, media and industry bodies; and brought together a whole range of infrastructure services into a single managed service contract. Denise is well versed in using developments in infrastructure to save costs while improving service for the business (and its customers). This hands-on understanding will provide the management team with immediate feedback and input into the entire strategy around 360°IT – focused specifically on ensuring the event delivers unrivalled value to both its CIO and mid-tier management audience.

Natalie Booth, Event Director of 360°IT said, “Denise Plumpton comes highly recommended and is extremely well respected amongst her peers. Her experience and connections can only further strengthen the direction of this key event as she brings insight from both sides of the table – matching the attending audience's need for relevant information in the most suitable format, carefully balanced with a strong blend of leading technologies. I look forward to working with Denise.”

360°IT is shaping up to be the UK’s ultimate event that addresses the needs of IT Professionals responsible for the management and development of flexible, secure and dynamic IT infrastructures that deliver competitive advantage and enhance business value. With high level strategic content, product demonstrations and technical workshops, 360°IT reflects the changes that have occurred in the IT sector and will provide an essential road map of current and emerging technologies to deliver end to end solutions, including Networks & Communications, Cloud Computing & SaaS, Security, Virtualization, Storage, Data Centres, Applications, Enterprise 2.0, Information Management, Business Continuity, Risk & Compliance. The new 360°IT incorporates the Storage Expo show, so data storage will remain a key area of the new event, reflecting its importance in delivering IT infrastructure that maximises business value.

360°IT takes place on 22nd - 23rd September 2010 at Earls Court, London. For more on 360°IT – The IT Infrastructure Event: or to book a stand contact the 360°IT Sales Team on +44 (0)20 8910 7966/7920/7020 or email Tony Moyo (, Jonathan Ouko ( or Petra Callaly (

360°IT - The IT Infrastructure Event: 360°IT is the event dedicated to the IT community addressing the needs of IT professionals responsible for the management and development of a flexible, secure and dynamic IT infrastructure.

With high level strategic content, product demonstrations and technical workshops, 360°IT will provide an essential road map of current and emerging technologies to deliver end to end solutions.

360°IT will facilitate vendor and end user collaboration to create the IT infrastructure necessary to achieve key business objectives - improving service, reducing cost and managing risk whilst gaining competitive advantage and growth.

Source: Eskenzi PR

Major European retail bank adopts DeviceLock to protect endpoints

Major European Retail Bank adopts DeviceLock® to Protect Endpoints

London, February, 2010 – DeviceLock, Inc., a worldwide leader in endpoint device control security, today announced that VTB 24, one of Europe’s largest retail banks, has selected its DeviceLock® software as its endpoint device control platform. DeviceLock has been deployed across the bank’s global network, including its City of London office, to protect its employees’ computers, laptops and mobile devices from data leaks.

Bank VTB24 is one of Europe’s largest and fastest-growing banks. Part of the international VTB Bank Group, VTB24 provides a full range of retail banking products and services to individuals and small businesses. Over the last few years, it has been steadily improving customer convenience, privacy protection, and reliability – setting the bar high in each area for the entire financial services sector. Key to this strategy is careful investment in IT security systems and business continuity.

After thorough research in the field of endpoint information security, VTB24 selected DeviceLock software as its endpoint data leakage prevention platform. VTB24’s IT infrastructure is a distributed heterogeneous system that includes Microsoft Windows, as well as UNIX and Novell network operating systems. DeviceLock now protects servers and employee hardware across the entire IT infrastructure at VTB’s large London office and all branches in its native Russia.

As part of its rigorous IT security policy, Bank VTB24 takes an integrated, holistic approach to managing the entire life-cycle of its IT systems. Information security risks are managed by employing best-of-breed solutions from different IT security vendors for everything from anti-virus protection to PKI encryption. An annual general audit conducted by external audit firms includes an information security audit and assessment of the IT system.

According to Anatoly Bragin, Chief of VTB24’s Information Security Department: “Today, with the proliferation of high-capacity removable storage devices, there is a much greater threat of information leaks from the bank’s IT networks as well as its infiltration by destructive malware elements. We’ve determined that DeviceLock is the software product that can most effectively help us to fight this type of threat.”

Bragin continued: “It’s been on the market for almost a decade, building a rich feature set that has been field proven by other financial service customers around the world. In fact, we’ve used a previous version of DeviceLock and found it a highly functional and reliable product. DeviceLock provides flexible control over a computer’s local ports and devices, thus addressing one of our most significant information security problems.”

Previously, any unauthorised local connection of external devices to computers was blocked by either physically switching off some of the device interfaces or disabling them at the BIOS level. The bank’s IT staff realised that this approach was becoming impossible to implement and manage - a situation that would be aggravated by VTB24’s rapid growth plans. The number of computers in the bank’s network was quickly escalating and the network itself was being distributed over several more geographical locations.

Meanwhile, the number of peripheral devices employees were attempting to connect to the network was growing exponentially, particularly USB-connected devices. There were simply too many ways for employees to connect devices locally to computer endpoints spread across the network without supervision, creating potential channels for data leakage - from USB flash drives to printers, scanners, web cameras, etc. After the deployment of DeviceLock, the problem was solved.

“Installing DeviceLock was simple. The administrators of the IT Security Department were pleased with the results of the DeviceLock software deployment. The deployment did not impact the bank’s existing information security policy. Once deployed, DeviceLock enabled strict enforcement and auditing of device-related policy. It has optimised our device management processes,” emphasised Bragin.

For organisations of any size and industry, DeviceLock software proactively protects endpoint computers against local data leaks and malware infiltration resulting from insider negligence, accidental mistakes or malicious actions. It enables IT security personnel to precisely control, log, shadow-copy and audit end-user access to all types of local ports and peripheral devices, including Windows Mobile®, iPhone®, Palm® and BlackBerry® smartphones, as well as local and network printers. Complementing its port, device, and data channel-based controls with data type-level security, DeviceLock supports true file type detection and filtering. DeviceLock also integrates with leading encryption products from PGP, Lexar, SecurStar, and TrueCrypt in order to protect data on removable storage devices. In addition, DeviceLock blocks operations of USB and PS/2 hardware keyloggers.

VTB24 is part of the international VTB Bank Group and focuses on serving individuals, private businessmen and small businesses. VTB Group is a leading Russian financial group with a strong tradition in Russia and the CIS, and a presence in more than 20 countries around the world. The Russian government is VTB's majority shareholder, with a holding of 85.5%. The remaining 14.5% of the shares are traded on the RTS and MICEX in Russia, and VTB's global depositary receipts are traded on the London Stock Exchange. VTB offers a wide range of services in corporate, retail and investment banking across Russia, certain other CIS countries and a number of countries in Western Europe, Asia and Africa.

Since its inception in 1996 as SmartLine, DeviceLock, Inc. has been providing endpoint device control software solutions to businesses of all sizes and industries. Protecting more than 4 million computers in over 60,000 organizations worldwide, DeviceLock has a vast range of corporate customers including financial institutions, state and federal government agencies, classified military networks, healthcare providers, telecommunications companies, and educational institutions. DeviceLock, Inc. is an international organization with offices in San Ramon (California, US), London (UK), Ratingen (Germany), Moscow (Russia) and Milan (Italy).

Source: Aspectus PR

UK Security Breach Investigations Report 2010 Published

Cambridge, UK – An analysis of actual data compromise cases has been released by Computer Security and Forensics consulting firm 7Safe and the University of Bedfordshire. Anonymised data has been analysed from over 60 computer forensic investigations undertaken by 7Safe in what makes for fascinating reading.

Co-author and 7Safe CEO Alan Phillips said “Compared with many existing studies that are based purely on survey data, this report reveals what is really happening in the UK. The work carried out by 7Safe’s breach investigation team has been expertly analysed by Professor Carsten Maple of the University of Bedfordshire, and the results are intriguing.”

Professor Maple commented, “To my knowledge this report is the first of its kind in the UK, and many businesses will find the results very interesting. It has been a pleasure working with 7Safe, who are renowned as publisher and co-author of the ACPO Good Practice Guide for Computer-Based Electronic Evidence, and with whom the university operates a joint Master of Science in Computer Security and Forensics."

The UK Security Breach Investigations Report, supported by high profile organisations SOCA (Serious Organised Crime Agency) and the Metropolitan Police’s Police Central e-Crime Unit, is available in digital format free of charge from

7Safe will be giving presentations on data from the UK Security Breach Investigations Report on stand G42 at Infosecurity Europe 2010, the No. 1 industry event in Europe, held on 27th – 29th April in its new venue, Earl’s Court, London.

7Safe is a leading Computer Security and Forensics consulting firm offering a diverse portfolio of services in the fields of computer forensics, penetration testing, PCI DSS compliance and audit, eDiscovery / eDisclosure, and IT security training & certification. To find out more, please visit

The University of Bedfordshire was established in August 2006, following the merger between the University of Luton and De Montfort University's Bedford Campus. The University has 1,000 staff along with 19,000 students from over 100 countries. To find out more, please visit

Source: 7Safe Marketing