Security savvy professionals careless with business data

Latest survey reveals over one in five have lost a portable storage device containing confidential data, despite new legislation and knowing better

More than one in five people have lost a portable storage device containing personal or company data, according to a recent survey of security savvy professionals conducted at this year’s Infosecurity Europe event in London. The findings come less than two months after the Information Commissioner’s Office (ICO) announced it would implement fines of up to £500,000 for companies that incurred serious breaches of the Data Protection Act.

The survey, which was conducted by iStorage, a leading specialist in portable data storage devices and digital encryption, also revealed that while 97% of people regularly carry data on some form of portable device, under half encrypt it. This is despite the fact that 98% of those surveyed stated that they believed data loss to be a serious and/or growing concern, and 96% felt an encrypted hard drive to be preferable to an unencrypted one.

Key findings:

  • 23% of security professionals have lost a portable storage device containing company or personal information

  • 98% of those surveyed believe data loss to be a serious and/or growing concern

  • 46% encrypt their data yet 96% would prefer an encrypted hard drive

iStorage Managing Director John Michael said, “Our survey suggests a considerable disconnect between what security professionals believe and how they act. The majority of respondents recognised data loss to be a serious and growing concern and that protecting that data would be preferable to not protecting it. Yet we find that many fail to adequately encrypt and over a fifth of those surveyed have lost a portable device with personal and business information.”

After several high profile blunders, including the recent revelation that a USB stick of patient medical records from a Scottish hospital was left in a supermarket car park, diskGenie offers an ideal solution to safely storing and transporting sensitive data. The device guarantees absolute file privacy as information can only ever be retrieved by the PIN code holder. It requires no software installation and has an integrated USB 2.0 cable for quick and easy access.

For more information please visit www.istorage-uk.com

iStorage provides high performance and ultra secure portable data storage and security products to users who need to protect their data held on PCs, Macs and portable devices. The founders of iStorage are pioneers in their field and hold several patents, both granted and pending, on a range of related data storage and security products.

With a strong belief in careful product selection and unrivalled customer service, iStorage continues to deliver market leading innovations in portable data storage and digital encryption technology.

Source: Media Safari

Napatech to Demonstrate How To Build 10G IPS from Standard servers

ANDOVER, Massachusetts – Napatech today released a new whitepaper on how a Universal Network Appliance approach can be used to develop high-performance Intrusion Prevention Systems (IPS). At the upcoming Interop Las Vegas and Infosecurity events, Napatech will show a 10 Gbps IPS demonstration based on this approach.

“Napatech does not develop network appliances, but with this demonstration, we can show OEM network appliance manufacturers what can be achieved using the latest “Nehalem” class of industry standard servers combined with Intelligent Real time Analysis adapters” said Erik Norup, President of Napatech Inc. “We already have several IPS customers who have more than tripled their performance using this approach for both 1 Gbps and 10 Gbps IPS applications”.

The development of network appliances based on standard PC servers and Intelligent Real-time Network Analysis adapters is gaining momentum as it promises to reduce cost, risk and time-to-market for OEM network appliance manufacturers, while at the same time providing a high performance platform.

“This approach takes advantage of the latest generation of standard PC servers, which provide unprecedented processing power and efficient memory architectures. When combined with Intelligent Real-time Network Analysis adapters it provides a hardware platform ideal for any network performance monitoring, test & measurement, network security and network optimization applications” added Norup.

“Building IPS solutions that can operate at 10 Gbps is not an easy task”, said Rob Ayoub, CISSP, Global Program Director - Network Security, Frost & Sullivan. “The traditional approach has been to develop proprietary hardware, which is costly and time-consuming. By basing network appliance development on a standard PC server with Intelligent Real-time Analysis network adapters, IPS manufacturers can take advantage of a high-performance hardware platform to reduce cost, risk and time-to-market.”

The Napatech demonstration is based on a standard PC server using Napatech NT20E 2x10 Gbps In-line adapters for reception, pre-processing and re-transmission of Ethernet frames. A separate Napatech NT20E will be used for full wire-speed 10 Gbps traffic generation.

Napatech is the leading OEM supplier of multi-port 10 GbE and 1 GbE intelligent adapters for real-time network analysis with over 60,000 Ethernet ports deployed. Napatech network adapters provide real-time packet capture and transmission with full line-rate throughput and zero packet loss no matter the packet size. Intelligent features enable off-load of data traffic processing and packet analysis normally performed in the CPU. This results in more processing power for the network monitoring, analysis, management, test, measurement, security or optimization application being supported. Napatech has sales, marketing and R&D offices in Mountain View, California, Andover, Massachusetts, and Copenhagen, Denmark.

Source: Eskenzi PR

3M launched new privacy filter at Infosecurity Europe 2010

by Michael Smith (Veshengro)

At last, says 3M, Privacy Filters enter a Golden Age, but I for one, I must say, will still need to be convinced.

The stand for 3M at Infosecurity Europe 2010 was extremely well visited and I was unable to get anywhere near enough to actually have a look at this filter myself. The stand was not very big and hence there was little chance to get near the exhibits, let alone talk to any of the staff.

However, I have had a sample of the older version of the privacy filter and must say that it made reading the screen rather difficult with the normal light of the screen, and hence I found the filter rather as a use, though it did do the job of making it impossible for someone to read from the sides.

The 3M privacy filter has been around now for a couple of years and while it does the job of preventing someone sitting beside you snooping on what you are doing it also makes it difficult, as far as I am concerned, for the user.

If 3M would like one of the new filters given a test they are welcome to get in touch with the ICT REVIEW but until I have been able to take it through its paces myself I shall say that the jury is still out on whether the new gold filter is what the makers claim it is and does.

© 2010

Origin Data Locker 1TB – Product Review

Review by Michael Smith (Veshengro)

The Data Locker from Origin Storage has now been with us for some time and this is the latest one, with a full whacking 1TB of capacity.

The 1TB capacity is a little nominal, however, as we all know, in the way those calculations go, and also because over 110MB are used for the encryption program on the drive.

The Data Locker measures 3.13" x 5.11" x 0.91" (W x D x H) and is bus powered via the USB port, so it does not require any extra power supply.

According to the data sheet the supported Operating Systems are Windows 7, Linux (USB Support). I used it on Vista with no problem so it is probably XP and up.

The Data Locker 1TB comes with a recommended retail price of £399 plus VAT, and that is where I did have to gulp, as I find that somewhat on the steep side, even for a hardware encrypted external HDD. And, once you add the VAT in the UK, you get to the best part of £500, which would make it a cost of US$800.

Two different levels of security are available for the device and they are:

  • Data Locker Pro AES: Corporate and Local Government

  • Data Locker Enterprise: Military and transportation of mission critical data

The Data Locker offers state of the art features which include:

  • Brute Force Attack Detect / Self Destruct Response

  • One touch drive erase for rapid re-deployment using admin password

  • Hardware Based Malware Detection / Deflection

  • Unattended Auto Lock Function

  • 100% Platform Independent Security and Authentication

  • Hardware Based AES Encryption (CBC mode)

  • No Software or pop-up password entry screens

Getting started with the device was very simple, and changing the password intuitive after a quick read through the Quick Start Guide, and that is a definite plus in my book. Data transfer from laptop to drive was extremely fast and without any problems.

Connectivity with Linux is no problem whatsoever, even with older versions of that operating system, as no connection to software is required.

Initial setting up of the drive was done on a Linux-operated ASUS Eee PC netbook, and there was no difference between use in Windows and Linux.

In fact Linux works better and faster as to connecting first time as it does not hang about needing to install the software drivers for the USB connection.

The Data Locker does not, it would appear, have Mac support; at least it is not mentioned in the specs. If that is the case, it is one that I cannot understand, as the Data Locker is not software dependent, and it would be a shame.

The one problem I found was the “keypad”, which takes some getting used to, and not only because it seems to change the display from time to time, that is to say the sequence of the keys. I also found the keys on the keypad somewhat sticky, if one could call it thus. Entry must be made very positively and carefully for them to be registered by the device.

The above problem is, more than likely, a case of getting used to it but that time does not really exist unless one owns the device and does not just have it on loan for a review only. Over time one would certainly get the key entry down to a T without any glitches that I experienced in my tests.

The features that make the Data Locker, in my opinion, are the rugged construction, hardware malware detection/deflection and the fact that it works with Linux as well as Windows. The AES hardware encryption is a given fact.

The one thing that always worries me with secure drives such as this is when the term “Brute Force Attack Detect / Self Destruct Response” is quoted. My question then is does it recycle the drive by destroying the data safely only and resetting the drive or does it render the drive unusable, as some do. The latter would be something costly, considering the price, though not as costly as data breach, obviously.

A very good, and what would appear to be, rugged drive, though, unfortunately, at rather a chunky price tag.

It would be a drive that I would definitely recommend for use by government, security services and the military, for it is a rugged device that will keep the data strongly secured.

For the SME and ordinary user who wants a secure drive this may still be something a little out of the league, especially in an economic situation such as the one the world is still experiencing even in early 2010.

While encryption and security are more and more a requirement to keep data secure, for SMEs and the “normal” user other kinds of encryption and securing of data may have to be used if funds do not allow for expensive devices such as this one.

One day, maybe, we will actually have external drives, whether HDD or SSD, that actually work on all operating systems without the use of software dependent on the OS that are actually affordable.

For those who can afford the best, and should use but the best because of the sensitivity of the data to be secured, the Data Locker probably is the best that is out there presently; the ordinary mortal more than likely will still have to bide his or her time.

Verdict: 8 out of 10. The cost and the difficulty I had with working the keypad took the verdict down the two notches.

© 2010

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.

Addendum

In addition and clarification of what is said above in the review:

I have now heard from Origin who state that:

  1. The Data Locker is entirely compatible with the Mac operating system which I had assumed anyway but which was not on the information that I had to hand.
  2. The drive is just wiped and recycled when the Brute Force attack prevention is enacted. This way the data is destroyed but the drive is reusable.

Thanks to Andy Cordial of Origin Storage for this clarification and to Darshna Kamani of Eskenzi PR for passing the comments back and forth.

Origin Storage’s 1TB Data Locker Has Arrived

Origin Storage, a leading manufacturer and distributor of IT storage solutions, has announced the arrival of their one terabyte (1TB) Data Locker.

The Data Locker Secure Drive gives users peace of mind in the unfortunate event that their data storage device is lost or stolen. The 1TB Data Locker is the highest capacity portable hard drive available in the marketplace, as it is compatible with 12.5 mm HDDs.

Data on the unit – which was being demonstrated at the recent Infosecurity Europe, held from 28th – 30th April 2010 at Earls Court, London – is secured by a 6- to 18-digit PIN that is entered directly on the device itself.

Andy Cordial, Origin Storage’s managing director, expects the 1TB device, which can easily store two or more hard drive images from a typical desktop or laptop PC, to be used in a variety of situations as organisations grapple with the fact that penalties for breaches of the Data Protection Act will soar a hundred-fold - from £5,000 to £500,000 – with effect from the 6th of April this year.

“The Information Commissioner’s Office has already indicated that it will penalise those organisations that experience a data leak, loss or theft which could reasonably have been prevented,” he said.

“And financial penalties aside, there is the credibility issue that arises when a company has been pilloried in the media for failing to protect its staff or customer data. This can have a serious effect on a firm’s share price and longer-term reputation,” he added.

It’s against this backdrop that Cordial says he expects the 1TB Data Locker to appeal to a broad spectrum of users, ranging from laptop users wanting to secure their data for home working or whilst on the move, to IT departments looking for a means of quickly backing up data via the supplied USB cable, then securing the drive using its PIN/password protection system.

And, Cordial explained, because the Data Locker is so portable, it’s increasingly being used by organisations wanting to back up their data in a highly secure manner, and placing the unit in a physically secure environment, such as a fire-proof safe.

At the competitive price point of £399 plus VAT, he says, companies can back up their data in a highly secure manner and help their business avoid a potentially expensive visit from an ICO inspection team, for which the ICO has reportedly been recruiting extra staff in the last few months.

On the specifications front, the Data Locker uses a hardware based encryption chip to seamlessly encrypt and decrypt data using military grade AES / CBC mode encryption, with the unit only allowing its hidden SATA drive – connected via USB cable – to mount when the correct PIN is entered via the LCD keypad.

You can also use the LCD screen to change the Data Locker PIN, dismount the drive, toggle the encryption on or off, or wipe the drive clean.

Two different levels of security are available:

  • Data Locker Pro AES: Corporate and Local Government

  • Data Locker Enterprise: Military and transportation of mission critical data

The Data Locker offers state of the art features which include:

  • Brute Force Attack Detect / Self Destruct Response

  • One touch drive erase for rapid re-deployment using admin password

  • Hardware Based Malware Detection / Deflection

  • Unattended Auto Lock Function

  • 100% Platform Independent Security and Authentication

  • Hardware Based AES Encryption (CBC mode)

  • No Software or pop-up password entry screens

Founded in 2001 and based in Hampshire, UK, Origin Storage Ltd. is fast becoming one of Europe's leading IT storage manufacturers. Its wide-ranging product portfolio includes branded hard disk drive solutions, RAID solutions and OEM parts.

Origin Storage is a main supplier for all Tier one manufacturers, providing matched storage upgrades and has held a Pan European Agreement with Dell™ for the past five years. The business has grown year on year and now supplies to main distribution and reseller partners across EMEA.

In January 2006 Origin Storage acquired the brand and assets of Amacom and began to manufacture the Amacom range of portable storage solutions including the Flip2disk, IOdisk and Portable Optical solutions. It is also a distributor for some of the most respected storage enclosure manufacturers and offers a full range of rack, desktop and RAID products and accessories.

The company’s emphasis on superior customer service, UK-based assembly and stock-holding that delivers competitive pricing and unbeatable turn-around times makes Origin Storage the ideal partner for all storage management needs.

Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.

Securing the Mobile Workforce

by Jon Fielding CISSP, Director, EMEA, IronKey

Don’t be fooled: just like a book, you can’t judge a USB device by its cover. So what should you judge it by?

You may think a USB device just transports data and you’d be almost right. There are those that transport data; there are those that transport data securely; and then there are those that transport data securely whilst also providing an array of additional features and functions. This article provides an overview of the areas to evaluate when looking to procure secure USB multi-function devices.

Q1. Who To Trust

Fundamentally the first decision to make is who to trust to provide an effective solution that protects your data. There are many companies that sell ‘secure’ USB multi-function devices however many are not security companies - where security is an add-on to their solutions. A security company, on the other hand, thinks security first and foremost and builds up from there. The question you need to ask yourself is which do you believe is in a position to protect your data the way it needs to be protected?

Q2. Management, Policy Enforcement, and Auditing

The ability to manage security, governance and compliance gaps in a centralised way is critical to managing risk to the business. Expeditious risk identification helps security and operations teams respond quickly, accurately and confidently when policies are broken. Reports must allow companies to take immediate action to resolve issues such as a lost or stolen device.

Q3. FIPS – what is it and why is it relevant

Federal Information Processing Standards (FIPS) is an independent third-party endorsement with four levels of certification, “level 1” to “level 4”, with 1 being the lowest. However, while a useful tool in assessing the security of products, it is not a guarantee. You need to look not only at the level of certification gained, but also at what it relates to. There have been instances recently where USB multi-function devices have had FIPS certification for one component within the device, yet another part was found to be insecure. To be 100% certain, every component of the device should have FIPS certification. After all, a robust lock on your front door is worthless if the key is under the mat.

Q4. Malware Protection

Organisations have concentrated their malware prevention efforts on spam and web filtering, so attacks are being launched through different channels. One prevalent example is the Conficker virus, which has infected millions of PCs worldwide. Having first corrupted the ‘Autorun’ feature, it is commonly introduced when an infected device is plugged into a USB port, spreading the virus from within the heart of the enterprise. A correctly architected solution will mitigate such an exploit by recognising and reacting to a corrupted autorun file, stopping the worm at source.

Q5. Spend A Little – Waste A Lot

Price is always a consideration however what may look like a cost-effective product today may deliver an expensive lesson tomorrow. For example, the Information Commissioner’s Office has been granted new powers to impose £500K penalties on organisations for serious data breaches. It has advised that its deliberations, when considering its punishment, will include whether all reasonable steps have been taken to prevent breaches occurring. Organisations need a solution that gives them the ability to manage and control their devices in the field, defining and enforcing policy; destroying those that go AWOL or are in the possession of someone who is no longer considered trustworthy; and providing auditable evidence for all these processes to satisfy the ICO.

Q6. Secure Today – Enable Tomorrow

You’re investing money in secure USB multi-function devices to transport data but these devices are also capable of serving as authentication tokens and can provide a platform for virtualisation – invaluable for remote workers especially as part of a disaster contingency plan.

Lost or stolen USB multi-function devices, containing everything from individuals’ private information to military secrets, have turned up practically everywhere — on the London Underground, in hire cars, at motorway services, at the side of the road, even in a bazaar in Afghanistan. Don’t add your data to the list.

For more information visit www.ironkey.com.

Atlassian password breach due to forgotten database

The recent database breach that exposed passwords at software development tool maker Atlassian was due, in their words, to an old database table that “was not taken offline or deleted, and it is this database table that we believe could have been exposed during the breach.”

Amichai Shulman, Imperva’s CTO, explains, “This is an example of a database that was forgotten and left unprotected—something that happens more frequently than most would prefer to admit. In this case, the database contained sensitive information, but once it wasn’t used as a production system it was forgotten. Unmanaged systems put sensitive data residing on them at a high risk - unmanaged systems are the top targeted systems.”

“In order to protect sensitive data, organizations must ensure that ALL their databases are managed and under control,” recommended Shulman. “It is imperative that organizations scan their networks to discover databases, including unmanaged databases, and follow with data discovery and classification which provides the needed awareness. Access to databases hosting sensitive data should be tightly controlled and the data must be protected from both external threats (hackers) and malicious insiders.”

Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit www.imperva.com.

Source: Eskenzi PR

Are we facing yet another banking crisis?

How cybercriminals are stealing corporate funds, and putting pressure on the global banking system

The last eighteen months have delivered some of the most testing challenges to the global banking system. Whilst financial institutions and businesses alike struggle to emerge from a brutal recession, they are now having to face up to a new threat which can potentially steal away their funds and corporate reputation with the simple click of a mouse.

In this article Dave Tripier, CMO of IronKey, explains how organised cyber crime rings have begun to target corporate banking transactions - and offers valuable advice to help banks and businesses to deal with this new threat.

For many years, global cyber crime organisations have been successfully stealing millions from personal customer bank accounts, through large scale phishing attacks. However these hi-tech criminal gangs have shifted focus to instead target the more lucrative corporate bank accounts of both public and private sector organisations.

Reiterating the seriousness of this new cyber threat, Ponemon’s 2010 Business Banking Trust survey recently revealed that 80% of banks had failed to catch fraud before funds were transferred out of their institution. More worryingly still, 57% of the businesses that have experienced a fraud attack were not fully compensated by their banks. So businesses are naturally waiting for guidance on protecting their accounts from crime – and on ensuring their funds are returned if they are hit by an attack. And as analyst firm Gartner warns that the increasing attacks on online banking transactions are merely the tip of the cyber crime iceberg, the banking industry is faced with a threat that could cripple confidence in the corporate online banking system.

Why the threat landscape has changed

Global cyber crime rings have changed tack, in recognition that it is far more profitable to make numerous large transfers from a single corporate bank account than to try to hijack thousands of consumer accounts and make small money transfers.

The cyber criminals are using commercial online banking malware which comprises a number of new families of Trojans that use live authenticated sessions to defeat traditional security defences. The new Trojans are even able to beat the multi-factor authentication that banks have employed to protect consumers against phishing fraud. They are not only capable of stealing corporate authentication credentials, but can also perform fraudulent transactions from a victim’s own computer.

These “man-in-the-browser” Trojans also rewrite the Web browser pages that a victim sees and often request secondary authentication credentials such as secret questions and answers that can be used later to change the victim’s login credentials.

Can the banks afford to take another reputational hit?

It’s natural that the threat of criminal activity will mean that companies’ confidence in their banks will drop. The Ponemon study revealed that 40% of businesses have moved their banking activities elsewhere after a fraud incident. 11% of firms that have experienced fraud claimed they have terminated their banking relationship following the attacks, and an additional 29% said they did not fully terminate their relationship, but moved their primary cash management services to another institution.

While consumer confidence is clearly a big priority for banks, reassuring corporate customers is even more pressing – with the large amounts of money changing hands. Where banks may be able to deal with the loss of ten individual customers that have experienced fraud, the financial and reputational damage of losing a big corporate customer is significantly more difficult to recover from. It’s clear that after the global banking crisis of 2009, financial institutions cannot afford any further damage to their status.

Dealing with the threats

This is undoubtedly a global threat; as yet, the only authority to issue advice to banks and businesses has been the US Electronic Payments Association, NACHA. NACHA has advised that any business use separate computers for banking transactions – computers which are not enabled for web browsing or email services. This means that, because the computer is only used for banking transactions, it is not open to email- or web-based cyber attacks.

The security industry welcomes NACHA’s advice; the reality for organisations, however, is that each member of a company’s finance team will need two computers - one for web browsing and email, and one for banking transactions. This adds pressure, time and complexity for the employee, and can prove costly for an organisation. Add to the cost of infrastructure the associated security protocols for setting up new computers, and the need to renew the systems every three years, and this becomes an increasingly costly exercise.

A possible alternative?

However, it seems that just as cybercriminals are using technology to commit fraud, the banking industry can make use of advances in technology to fight back.

One approach comes from IronKey, which has developed a unique integration of custom silicon, security firmware, security software and online security services into one cost-effective safe oasis for online banking.

Following NACHA’s guidance and best practices, IronKey has created an integrated solution in one easy-to-use package which includes:

  1. A virtualised environment that operates in read-only mode, so that malware cannot tamper with the stored image on the IronKey device. The virtualised environment can be written to only when a digitally signed update is delivered from the IronKey security management service and verified locally on the IronKey device.

  2. A secure browser that runs inside the virtualised environment, isolated from malicious software on the host PC, providing a safe transactional environment for corporate customers.

  3. Two-factor authentication with RSA SecurID, for a defence-in-depth approach.

  4. Anti-malware scanning of the user’s computer before the secure environment is run.

  5. An online service to manage the devices and provide security updates - no management infrastructure required.

In summary the IronKey multifunction security device, combined with IronKey security services, gives financial institutions a cost-effective way to protect their commercial banking customers from the next generation of banking malware.

References:

Ponemon’s 2010 Business Banking Trust survey.

FS-ISAC, Account Hijacking of Corporate Customers: Recommendations for Customer Education. August 24, 2009. A joint effort between the Federal Bureau of Investigation (FBI), the Financial Services Information Sharing and Analysis Center (FS-ISAC), NACHA - the Electronic Payments Association, and other Federal government agencies. http://www.fsisac.com/

FFIEC Guidance – Authentication in an Internet Banking Environment. http://www.ffiec.gov/pdf/authentication_guidance.pdf

Newly discovered flaw affects all recent Java versions in Windows

Just when you thought it was safe to go back into the water along comes yet another problem

by Michael Smith (Veshengro)

Two researchers released information on a vulnerability in Sun's Java Runtime Environment that could give attackers a new point of attack to perform drive-by downloads and compromise targeted clients on all current versions of Windows operating systems and several popular browsers. The vulnerability has been rated 'extremely critical' by the experts at security software company G Data. The company expects large attacks targeting computers with Windows operating systems.

With Java being installed on many computers, this flaw will undoubtedly catch the eye of cyber criminals, who will be quick to find a way to exploit it. As the flaw can be exploited in most popular browsers, and is not slowed down by the security features of Windows Vista and Windows 7, it could bring serious damage to a large number of computers.

Protect yourself against this

Disabling JavaScript does not protect against exploits of this vulnerability. Because it is not yet clear when Sun will patch it, users need to change their settings manually. For the two most popular browsers, the steps are:

- For Microsoft Internet Explorer, set a kill bit for the ActiveX class ID CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. Microsoft's instructions for setting a kill bit are at http://support.microsoft.com/kb/240797.

- For Mozilla Firefox, open the 'Tools' menu and click 'Add-ons'. Under the 'Plugins' header you will find the Java Deployment Toolkit, which can be turned off by clicking 'Disable'. N.B. Recent updates to the latest versions of Firefox now disable the Java Deployment Toolkit plugin automatically.

Background

Security researcher Tavis Ormandy published details of the vulnerability on seclists.org. The flaw lies in the Java Deployment Toolkit browser plug-in, which has been installed automatically alongside the Java Runtime Environment since version 6 update 10 into browsers such as Microsoft Internet Explorer, Mozilla Firefox and Google Chrome. The toolkit's launch method lets an attacker start the Java Web Start launcher with arbitrary command-line parameters. Ormandy provided a proof-of-concept web page that launches the Windows Calculator.

Only a few hours later, researcher Rubén Santamarta published a way to make the launcher load an arbitrary remote DLL. According to Santamarta, this bypasses DEP and ASLR, because the DLL is loaded directly into the Web Start launcher's process memory by the legitimate loader rather than through a memory-corruption exploit.

Although this exploit also works in Google Chrome, we have not yet found a way to disable the Java Deployment Toolkit in Chrome if it is present. Chrome users may therefore wish to use Firefox instead for a while, until the problem is resolved.

© 2010

Cloud computing and social networking leave UK businesses exposed to cyber attacks - survey

Cloud computing and social networking leave UK businesses exposed to cyber attacks according to 2010 Information Security Breaches Survey

Business use of technology is evolving faster now than at any point in the last decade. Internet use has moved way beyond email and websites and into the realms of social networks and externally-hosted software services accessed across the Internet (often referred to as cloud computing).

These changes have increased the vulnerability of UK companies and public sector organisations to new cyber attacks. Hacking and denial of service attacks have doubled in the last two years. As a result, security remains high on management’s list of priorities.

These are among the preliminary findings of the 2010 Information Security Breaches Survey (ISBS), commissioned by Infosecurity Europe and written by PricewaterhouseCoopers LLP. The full results of the survey, including details of the number and cost of security breaches in the UK, are to be revealed at Infosecurity Europe in London on 28 April.

The rate of adoption of newer technologies has accelerated over the last two years, and most respondents now say they use wireless networking, remote access and VoIP. Some 85% of smaller organisations said they were using wireless, almost double the figure for 2008. The number of organisations allowing staff remote access to their systems has also increased, with nine tenths of large companies now doing so.

As organisations have looked to cut their IT costs, they have increasingly turned to external providers who host applications on their behalf. These services, including Software as a Service (SaaS) and cloud computing, are now used by over three-quarters of the organisations polled and of these, 44% said they were entrusting critical services to third parties. All sectors are making use of the services, but government is least likely to release control of critical services.

At the same time that companies are increasing their dependence on other organisations for their IT services, there has been an explosion of new cyber attacks. 61% of large organisations have detected a significant attempt to break into their network in the last year, twice as many as two years ago.

Some 15% of large organisations have detected actual penetration by an unauthorised outsider into their network in the last year, and it is likely that many more were undetected. 25% of large organisations have suffered a denial of service attack in the last year, also more than double the proportion in 2008. Outsourcing IT services does not make the security risk go away, but few companies are taking enough steps to ensure their outsourced services are not vulnerable to attack.

Chris Potter, partner, OneSecurity, PricewaterhouseCoopers LLP, said: “Very few organisations are encrypting data held on virtual storage, including the ‘cloud’. Worryingly, only 17% of those with highly confidential data at external providers ensure that it is encrypted. Virtualisation and cloud computing seem to be set to follow the trend, established over the last decade, of controls lagging behind adoption of new technologies. Given the increased criticality and confidentiality of information held on virtual storage, organisations need to respond quickly to close this control gap.”

Responding to the data leakage threat

The increasingly inter-connected business environment and prevalence of externally provided services is reflected by a growing data leakage threat. That threat is driving an increased demand for assurance over third parties. ISO 27001 is becoming a common standard for compliance; 40% of large organisations are being asked to demonstrate compliance with the standard.

ISO 27001 and PCI (Payment Card Industry) standards are also driving adoption of some specific security mechanisms. PCI, in particular, is driving more encryption of website transactions and sensitive data fields in databases. However, organisations that need to meet government requirements are more likely to encrypt data transfers and removable media.

Andrew Beard, director, OneSecurity, PricewaterhouseCoopers LLP, said: “It seems that organisations will respond to specific requirements mandated by government or other authorities, but when the requirements are less explicit, adoption of good practice is lower. Assurance reporting appears to increase organisations' level of comfort. However, as adoption of the assurance reporting standards remains low, it seems likely that some organisations have a false sense of security.”

Staff postings to social networking sites pose a new data leakage risk. Yet, at the same time, social networking is increasingly important to businesses. Organisations are reassessing their approach to controlling staff access to the Internet. The trend, established between 2006 and 2008, of allowing more staff to access the Internet has been reversed. Nearly half of large organisations now restrict which staff can access the Internet; less than a third did so in 2008.

Organisations want to allow effective use of the Internet, but reduce inappropriate use. Use of software to block access to inappropriate websites is slightly up on two years ago. Web access logging and monitoring is relatively static. However, more sophisticated use is being made of these tools than in the past. Organisations are one and a half times as likely to monitor postings to social networking sites if social networking is considered very important to their business.

Source: Eskenzi PR Ltd.

Network performance at risk as bandwidth demand outpaces capacity across UK businesses

Demand for bandwidth on computer networks is rapidly outstripping capacity in over one third of UK businesses, leading to major concerns over application delivery, security and business continuity, according to new research from Brocade.

A recent study of over 100 senior UK IT decision makers found that 39 percent felt they would need to increase network capacity by up to 50 percent over the next year just to keep pace with user demand. The underlying concern is network and application performance, with 39 percent of those questioned stating that performance was of paramount importance to the success of the business. Reinforcing this, two thirds of respondents said their existing network could at best be described as ‘relatively quick’, and a further 18 percent described it as ‘slow’, showing that work is still needed just to maintain the status quo.

Paul Phillips, Regional Director - UK & Ireland, Brocade, stated: “CIOs expect tomorrow's corporate networks to fulfil a wide range of sometimes-conflicting demands. They want unprecedented scalability, but reduced management complexity. They want seamless mobility, but tight orchestration, and they want emerging networking technologies to complement the investments they are making today, instead of forcing them to refresh the entire environment in a wholesale 'rip-and-replace' exercise.

“This research has highlighted what many in the industry had suspected; network performance, scalability, availability and security is uppermost in the minds of network managers, struggling to meet end user expectations of an ‘always-on, always-available’ network,” he added.

Key findings include:

  • Over the next year, 15 percent of businesses predict they will need to increase network capacity by 20-30 percent; 13 percent expect to increase capacity by 30-40 percent, and a further 11 percent by 40-50 percent.

  • Network availability is the greatest concern of 18 percent of the sample; consolidation was cited by 39 percent and security by 15 percent.

Source: Spreckley Partners

Trusteer Warns of Impending Wave of PDF malware attacks

A structural flaw in the Adobe PDF format - which is widely used to distribute documents across multiple computing platforms - can be exploited to install almost any malware on a user's computer.

And, says Trusteer, the browser security and fraud prevention specialist, security researcher Didier Stevens' demonstration (http://bit.ly/bDVf7W) of a multi-stage misuse of the PDF '/Launch' action - a standard part of the PDF feature set - poses a potentially serious threat to organisations and individuals.

The demonstrated attack lets criminals embed a malicious executable inside an otherwise ordinary PDF file. When the user opens the PDF and accepts Reader's prompt, the embedded executable runs.

"Whilst Acrobat Reader normally displays a warning that an executable inside a PDF file is being launched, Stevens appears to have found a way to modify the alert and fool users into approving the action," said Mickey Boodaei, Trusteer's CEO.

"Our research team was quickly able to replicate Didier's findings, and there is every reason to believe this exploit will be added to the multi-exploit Adobe hacker toolkits in use by cybercriminals," he added.

Because of this potentially very serious attack vector against Acrobat and Reader, Trusteer is advising all users to disable the launching of PDF-embedded attachments in Adobe's software. This, Boodaei notes, can be done quite easily from the settings in the software (in Reader 9, Edit > Preferences > Trust Manager, untick 'Allow opening of non-PDF file attachments with external applications') or, as Adobe has advised in a security blog, by a direct Registry change (http://bit.ly/b29yXB).
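The /Launch action described above is an ordinary name token in the PDF object syntax, so a mail gateway or an analyst can flag it before Reader ever shows its prompt. The script below is an added example written for this page; it is not code from Trusteer, Adobe or Didier Stevens. It scans a PDF byte stream for /Launch and other auto-executing features after undoing the #xx hex escaping that PDF permits inside names (a /L#61unch token is still /Launch to the reader, but defeats a naive string match for "/Launch"), and pulls out the file and parameter strings of any /Launch action it finds. The three sample PDFs are constructed for the demonstration and carry no real payload; the list of risky names and the block/review/clean thresholds are this example's own assumptions, not a published standard.

```python
"""Flag PDFs that carry /Launch or other auto-executing actions.

Added example: a heuristic scanner, not a full PDF parser. Samples are constructed.
"""
import re

# Constructed sample (no real payload): the catalog's /OpenAction points at a
# /Launch action that would ask Reader to run cmd.exe when the file opens.
SAMPLE_LAUNCH = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c calc.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same document with the key names hex-escaped (#61 is 'a', #41 is 'A'). PDF
# readers treat /L#61unch exactly like /Launch, but a grep for "/Launch" misses it.
SAMPLE_OBFUSCATED = (SAMPLE_LAUNCH
                     .replace(b"/Launch", b"/L#61unch")
                     .replace(b"/OpenAction", b"/Open#41ction"))

# Constructed benign document: one empty page and no actions at all.
SAMPLE_CLEAN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A PDF name runs from '/' to the next whitespace or delimiter character.
NAME_TOKEN = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names worth a second look. The descriptions are this example's, not a standard.
RISKY_NAMES = {
    "Launch":       "action that starts an external program",
    "OpenAction":   "action executed automatically when the document opens",
    "AA":           "additional actions bound to page or form events",
    "JavaScript":   "JavaScript action",
    "JS":           "JavaScript code",
    "EmbeddedFile": "file attachment that can carry a payload",
    "ObjStm":       "object stream: the above may be hidden inside compressed data",
}


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name tokens only; string contents are left alone."""
    def decode(match: re.Match) -> bytes:
        raw = match.group(1)
        return b"/" + HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), raw)
    return NAME_TOKEN.sub(decode, data)


def scan_pdf(data: bytes) -> dict:
    """Count risky name tokens in the de-escaped document."""
    counts = {}
    for match in NAME_TOKEN.finditer(normalise_names(data)):
        name = match.group(1).decode("latin-1")
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Everything from "/S /Launch" to the end of its object; /F (file) and /P
# (parameters) may sit directly in the action or inside its /Win sub-dictionary.
LAUNCH_OBJECT = re.compile(rb"/S\s*/Launch\b(.*?)(?:endobj|\Z)", re.S)
LITERAL_STRING = rb"/%s\s*\(((?:[^()\\]|\\.)*)\)"


def launch_targets(data: bytes) -> list:
    """Return (file, parameters) for each /Launch action found."""
    targets = []
    for match in LAUNCH_OBJECT.finditer(normalise_names(data)):
        body = match.group(1)
        file_ = re.search(LITERAL_STRING % b"F", body)
        params = re.search(LITERAL_STRING % b"P", body)
        targets.append((file_.group(1).decode("latin-1") if file_ else "",
                        params.group(1).decode("latin-1") if params else ""))
    return targets


def verdict(data: bytes) -> str:
    """Triage decision for a mail gateway or an analyst queue."""
    counts = scan_pdf(data)
    if "Launch" in counts:
        return "block: /Launch action present " + repr(launch_targets(data))
    if counts:
        return "review: auto-executing features " + ", ".join(sorted(counts))
    return "clean: no auto-executing features found"


if __name__ == "__main__":
    for label, pdf in (("launch", SAMPLE_LAUNCH),
                       ("obfuscated", SAMPLE_OBFUSCATED),
                       ("clean", SAMPLE_CLEAN)):
        print(f"{label:10s} {scan_pdf(pdf)} -> {verdict(pdf)}")
```

The escaped sample scores exactly the same as the plain one, which is the point: match on decoded names, not on the raw bytes. Note the caveat the /ObjStm entry hints at: real documents routinely keep their objects inside FlateDecode-compressed object streams, so a production scanner must inflate those streams before running this kind of token search; here the mere presence of /ObjStm is surfaced as a reason for review rather than decompressed.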

Boodaei says he anticipates that cybercriminals and hackers will try to exploit this structural Adobe issue using social engineering techniques that lure Internet users into a false sense of safety. Social engineering, he explained, is becoming an increasingly important tool for criminals.

“Many security solutions such as antivirus and personal firewalls rely on Internet users to make the right choice,” he said. “They present technical messages that are hard to understand and expect users to decide what to do with them. Acrobat Reader works similarly by expecting Internet users to understand the security implications of running an embedded file. Stevens' attack makes it harder for users to make the right choice as it allows criminals to tamper with the message that Acrobat presents and use social engineering techniques to convince users to take the wrong choice.”

"Over the last year we've seen criminals effectively using social engineering attacks to by-pass various security systems such as two-factor authentication, transaction verification, and desktop security," he said.

For example, he says, with transaction verification criminals are now using man-in-the-middle and man-in-the-browser attacks to change the messages on banks' web sites and convince customers to approve fraudulent transactions. Instead of the normal instructions for approving a transaction, criminals change the web page to include instructions on how to approve a fraudulent one. Most users just follow the instructions and look for the easiest and quickest way of getting something done; they don’t stop to think whether every step they take is reasonable.

Going forward Boodaei says that financial institutions and enterprises should evaluate the vulnerability of their security systems to social engineering attacks and consider measures to protect against it.

"Internet users can do their part by installing a browser security layer such as Trusteer's Rapport software (http://bit.ly/aRw8sj), which is offered as a free download by banks such as HSBC, RBS/NatWest and the Santander Group. This will help to protect their online banking account sessions."

Trusteer enables online businesses to secure communications with their customers over the Internet and protect personally identifiable information (PII) from a user's keyboard into the company's Web site. Trusteer's flagship product, Rapport, allows online banks, brokerages, healthcare providers, and retailers to protect their customers from identity theft and financial fraud. Unlike conventional approaches to Web security, Rapport protects customers’ PII from malware including Trojans, keyloggers, and pharming and phishing attacks. Trusteer is a privately held corporation led by former executives from Cyota/RSA Security, Imperva, and NetScreen/Juniper. For more information visit www.trusteer.com.

Source: Eskenzi PR

iStorage diskGenie – Product Review

Review by Michael Smith (Veshengro)

diskGenie - Portable Encrypted Hard Drive with Secure PIN code access

The diskGenie from iStorage offers hardware encryption in a compact, portable device with one distinctive difference: with its keypad and software-free setup, the iStorage diskGenie can only be unlocked with a PIN code, much like using an ATM.

With its automatic AES 256 bit real time hardware encryption, it protects the data on the drive keeping it safe even if the hard drive is removed from its enclosure. Quite simply, the iStorage diskGenie is the ultimate portable hard drive and secure storage system.

With no software to install, easy setup and real-time encryption, the diskGenie is the best way to protect your data, customers and your business. The conveniently integrated USB cable eliminates the need to carry around cables, so is perfect for using with notebooks and taking your data on the road.

Its low powered, compact, robust design features a 16-point omni-directional shock mounting system, protecting the drive from drops and knocks. With storage capacities of now up to 640GB it is perfect for safely transporting data between office and home as well as storing photos, music and video files.

The iStorage diskGenie is the only hardware-encrypted drive, USB stick or otherwise, that I have so far encountered and been able to review that works with all versions of Linux straight out of the box, with no command line or anything of that nature needed.

This is because, unlike most of the hardware-encrypted USB sticks and hard drives we encounter, the iStorage diskGenie needs no software installed on the host computer, so it works with every operating system. A definite plus.

It is easy and straightforward to use, and I did not even need to consult the guide or manual, with the exception of changing the PIN code. That too, following the instructions, is a doddle, and the code can be from 6 to 16 digits long, making it very secure. The drive is totally plug and play and works with any version of Windows from XP upwards, Mac OS X 10.2 or later, and all Linux distributions, as far as I can tell.

Key benefits of the iStorage diskGenie drive are:

  • Complete security with Real Time 256-bit AES Hardware Encryption and Pin Code Access

  • Easy to install and set up as no software is needed, and thus works with all operating systems

  • Convenience via integrated USB2 so no extra cables or AC power needed

  • Robust, portable compact design with shock mounting to protect from knocks

  • Administration feature allowing up to 10 passkeys and passkey management

  • Compatibility with any operating system incl. Windows, Mac, Linux

  • Guaranteed with 3 year warranty

The iStorage diskGenie drive is available in capacities of 250GB, 320GB, 500GB and 640GB with conventional hard drives. SSD versions are also becoming available, so I understand.

As far as I am concerned this drive must get at least 9 out of 10, if not 10 out of 10. The reason I am sold on this drive is that, unlike so many others that claim it, it works with Linux straight out of the box, without the need for any command line and all that jazz.

A great little drive and one that also looks good and feels good.

© 2010