<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
    <channel>
        <link>http://news.cnet.com/8300-12640_3-91.html</link>
        <title>Security Bites</title>
        <language>en-us</language>
        <description>Backdoors, pharming, botnets, phishing, rootkits, viruses, worms. Feeling vulnerable? CNET.com's Robert Vamosi will tell you about the latest security threats, what's coming, and how to protect your system. Visit the blog at http://securitybites.cnet.com.</description>
        
            <category>Podcasts</category>
        
        <copyright>2008 CNET.com</copyright>
        <pubDate>Fri, 21 Nov 2008 13:20:21 PST</pubDate>
            <media:copyright>2008 CNET.com</media:copyright><media:thumbnail url="http://www.cnet.com/i/pod/images/securitybites_600x600.jpg" /><media:keywords>IBM,Microsoft,Apple,Google,policy,Internet,computers,technology,chips,microprocessors</media:keywords><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Technology/Tech News</media:category><itunes:owner><itunes:email>securitybites@cnet.com</itunes:email><itunes:name>CNET.com</itunes:name></itunes:owner><itunes:author>CNET.com</itunes:author><itunes:explicit>no</itunes:explicit><itunes:image href="http://www.cnet.com/i/pod/images/securitybites_600x600.jpg" /><itunes:keywords>IBM,Microsoft,Apple,Google,policy,Internet,computers,technology,chips,microprocessors</itunes:keywords><itunes:subtitle>An impromptu commentary on the week's security news.</itunes:subtitle><itunes:summary>Backdoors, pharming, botnets, phishing, rootkits,viruses, worms. Feeling vulnerable? CNET.com's Robert Vamosi will tell you about the latest security threats, what's coming, and how to protect your system. Visit the blog at http://securitybites.cnet.com.</itunes:summary><itunes:category text="Technology"><itunes:category text="Tech News" /></itunes:category><image><link>http://podcast.cnet.com/</link><url>http://www.cnet.com/i/pod/images/securitybites_300x300.jpg</url><title>Security Bites from CNET</title></image><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/cnet/securitybites" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
                <title>Security Bites 122:  IBM sees security challenges ahead</title>
                <link>http://feedproxy.google.com/~r/cnet/securitybites/~3/dpjsZ9Se7UE/8301-12640_3-10105508-91.html</link>
                <description>&lt;div class="cnet-image-div image-medium float-left" style="width: 270px"&gt;
&lt;img class="cnet-image" src="/i/bto/20080926/NEWsecuritybites_300x300_270x269.jpg" alt=""
width="270" height="269" /&gt;
&lt;/div&gt;&lt;/p&gt;&lt;p&gt;Last month, &lt;a href="ftp://ftp.software.ibm.com/software/tivoli/whitepapers/outlook_emerging_security_technology_trends.pdf"&gt;IBM released a report&lt;/a&gt; (PDF) identifying the security challenges facing enterprises in the next two to five years. The survey is based on data collected internally by IBM.
&lt;/p&gt;&lt;p&gt;
One theme is that as the pace of globalization picks up, traditional boundaries continue to disappear.  In this new global reality, "open for business" can mean pooling resources or sharing sensitive information among organizations.
&lt;/p&gt;&lt;p&gt;
The IBM report notes that "the line between participation and isolation can also mark the line of opportunity and risk. (Enterprises) rely on business systems and automated policies to guard that line--to root out the threats, to safeguard our intellectual property, to protect our reputations and privacy. With the emergence of each new technology, the line can shift just a bit."
&lt;/p&gt;&lt;p&gt;
Kris Lovejoy, director of  Governance and Risk Management and Corporate Security Strategy at IBM, spoke with CNET's Robert Vamosi about the report. She cites nine trends companies should be watching:
&lt;/p&gt;&lt;p&gt;
1. Securing virtualized environments &lt;BR&gt;
2. Alternative ways to deliver security  &lt;BR&gt;
3. Securing mobile devices&lt;BR&gt;
4. Managing risk and compliance  &lt;BR&gt;
5. Identity governance &lt;BR&gt; 
6. Information security &lt;BR&gt;
7. Predictable security of applications &lt;BR&gt;
8. Protecting the evolving network &lt;BR&gt;
9. Sense and respond physical security&lt;BR&gt;
&lt;/p&gt;&lt;p&gt;
&lt;br clear="all" /&gt;
&lt;b style="margin: 10px 0px; display: inline; float: left;"&gt;Listen now: &lt;/b&gt;&lt;object style="margin: 0px 10px; display: inline; float: left;" type="application/x-shockwave-flash"
data="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_10xx08.mp3"
width="150" height="40"&gt;
&lt;param name="movie"
value="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_10xx08.mp3"
/&gt;
&lt;param name="quality" value="high" /&gt;
&lt;/object&gt;
&lt;a style="position: relative; top: 10px; width: 200px; height: 200px" href="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_10xx08.mp3"&gt;Download today's podcast&lt;/a&gt;
&lt;br clear="all"&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/cnet/securitybites/~4/dpjsZ9Se7UE" height="1" width="1"/&gt;</description>
                <guid isPermaLink="false">http://news.cnet.com/8301-12640_3-10105508-91.html</guid>
                <pubDate>Fri, 21 Nov 2008 13:20:21 PST</pubDate>
                <dc:creator>securitybites@cnet.com (CNET.com)</dc:creator>
            <enclosure url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_10xx08.mp3" length="0" type="audio/mpeg" /><media:content url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_10xx08.mp3" type="audio/mpeg" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> Last month, IBM released a report (PDF) identifying the security challenges facing enterprises in the next two to five years. The survey is based on data collected internally by IBM. One theme is that as the pace of globalization picks up, traditional bo</itunes:subtitle><itunes:author>CNET.com</itunes:author><itunes:summary> Last month, IBM released a report (PDF) identifying the security challenges facing enterprises in the next two to five years. The survey is based on data collected internally by IBM. One theme is that as the pace of globalization picks up, traditional boundaries continue to disappear. In this new global reality, "open for business" can mean pooling resources or sharing sensitive information among organizations. The IBM report notes that "the line between participation and isolation can also mark the line of opportunity and risk. (Enterprises) rely on business systems and automated policies to guard that line--to root out the threats, to safeguard our intellectual property, to protect our reputations and privacy. With the emergence of each new technology, the line can shift just a bit." Kris Lovejoy, director of Governance and Risk Management and Corporate Security Strategy at IBM, spoke with CNET's Robert Vamosi about the report. She cites nine trends companies should be watching: 1. Securing virtualized environments 2. Alternative ways to deliver security 3. Securing mobile devices 4. Managing risk and compliance 5. Identity governance 6. Information security 7. Predictable security of applications 8. Protecting the evolving network 9. Sense and respond physical security Listen now: Download today's podcast </itunes:summary><itunes:keywords>IBM,Microsoft,Apple,Google,policy,Internet,computers,technology,chips,microprocessors</itunes:keywords><feedburner:origLink>http://news.cnet.com/8301-12640_3-10105508-91.html?part=rss&amp;tag=feed&amp;subj=SecurityBitespodcast</feedburner:origLink></item>
            <item>
                <title>Security Bites 121: What Microsoft's Geneva means for online IDs</title>
                <link>http://feedproxy.google.com/~r/cnet/securitybites/~3/Q-HeFtZ99Tw/8301-12640_3-10086259-91.html</link>
                <description>&lt;div class="cnet-image-div image-medium float-left" style="width: 270px"&gt;
&lt;img class="cnet-image" src="/i/bto/20080926/NEWsecuritybites_300x300_270x269.jpg" alt=""
width="270" height="269" /&gt;
&lt;/div&gt;&lt;/p&gt;&lt;p&gt;In this week's Security Bites podcast, CNET's Robert Vamosi talks about user authentication with Kim Cameron, chief architect with the Identity and Security group at Microsoft.
&lt;/p&gt;&lt;p&gt;
At this year's &lt;a href="http://news.cnet.com/2009-1025_3-6246989.html?tag=mncol"&gt;PDC&lt;/a&gt; and again at &lt;a href="http://news.cnet.com/beyond-binary/?keyword=%22WinHEC%22&amp;tag=mncol;tags"&gt;WinHEC&lt;/a&gt;, Microsoft certainly talked up its new &lt;a href="http://news.cnet.com/microsoft-launches-windows-azure"&gt;Windows Azure&lt;/a&gt; cloud-based services, along with &lt;a href="http://news.cnet.com/8301-10789_3-10078931-57.html"&gt;Windows 7&lt;/a&gt;. It has also been talking about &lt;a href="http://blogs.msdn.com/card/archive/2008/10/29/windows-cardspace-geneva-beta.aspx"&gt;Geneva&lt;/a&gt;, the code name for the next version of CardSpace, the Microsoft user authentication system. One goal of Geneva is to extend the reach of its predecessor, Active Directory Federation Services.
&lt;/p&gt;&lt;p&gt;
To help developers, Microsoft unveiled at PDC and WinHEC the Geneva Server and the Geneva Framework.  To play well with other systems, Geneva accepts industry standards WS-Trust and WS-Federation, as well as the SAML 2.0 protocol.
&lt;/p&gt;&lt;p&gt;
&lt;div class="cnet-image-div image-medium float-right" style="width: 270px"&gt;
&lt;img class="cnet-image" src="/i/bto/20081107/MicrosoftGeneva1_270x277.jpg" alt=""
width="270" height="277" /&gt;
&lt;span class="image-credit"&gt;(Credit:
Microsoft)&lt;/span&gt;
&lt;/div&gt;
&lt;/p&gt;&lt;p&gt;
Windows CardSpace Geneva releases digitally signed security tokens to Web sites, and allows multiple sites to accept the same tokens, so users don't have to be authenticated for various related sites. On the other hand, if a phishing site lures a user to accidentally use a card and submit a token, that token would not be "redeemable" at any other site and therefore is not useful for impersonating the user in any other context.
&lt;/p&gt;&lt;p&gt;
Another example of its use might be that an enterprise could have its employees use their Windows Live ID to access various assets within the company.
&lt;/p&gt;&lt;p&gt;
In addition to working on Geneva at Microsoft, Cameron is part of the &lt;a href="http://news.cnet.com/8301-10789_3-9975122-57.html"&gt;Identify Card Foundation&lt;/a&gt;, a group that is advocating open standards around the use of ID cards for authentication.  
&lt;/p&gt;&lt;p&gt;
&lt;br clear="all" /&gt;
&lt;b style="margin: 10px 0px; display: inline; float: left;"&gt;Listen now: &lt;/b&gt;&lt;object style="margin: 0px 10px; display: inline; float: left;" type="application/x-shockwave-flash"
data="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_110708.mp3"
width="150" height="40"&gt;
&lt;param name="movie"
value="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_110708.mp3"
/&gt;
&lt;param name="quality" value="high" /&gt;
&lt;/object&gt;
&lt;a style="position: relative; top: 10px; width: 200px; height: 200px" href="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_110708.mp3"&gt;Download today's podcast&lt;/a&gt;
&lt;br clear="all"&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/cnet/securitybites/~4/Q-HeFtZ99Tw" height="1" width="1"/&gt;</description>
                <guid isPermaLink="false">http://news.cnet.com/8301-12640_3-10086259-91.html</guid>
                <pubDate>Fri, 07 Nov 2008 13:20:00 PST</pubDate>
                <dc:creator>securitybites@cnet.com (CNET.com)</dc:creator>
            <enclosure url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_110708.mp3" length="0" type="audio/mpeg" /><media:content url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_110708.mp3" type="audio/mpeg" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> In this week's Security Bites podcast, CNET's Robert Vamosi talks about user authentication with Kim Cameron, chief architect with the Identity and Security group at Microsoft. At this year's PDC and again at WinHEC, Microsoft certainly talked up its new</itunes:subtitle><itunes:author>CNET.com</itunes:author><itunes:summary> In this week's Security Bites podcast, CNET's Robert Vamosi talks about user authentication with Kim Cameron, chief architect with the Identity and Security group at Microsoft. At this year's PDC and again at WinHEC, Microsoft certainly talked up its new Windows Azure cloud-based services, along with Windows 7. It has also been talking about Geneva, the code name for the next version of CardSpace, the Microsoft user authentication system. One goal of Geneva is to extend the reach of its predecessor, Active Directory Federation Services. To help developers, Microsoft unveiled at PDC and WinHEC the Geneva Server and the Geneva Framework. To play well with other systems, Geneva accepts industry standards WS-Trust and WS-Federation, as well as the SAML 2.0 protocol. (Credit: Microsoft) Windows CardSpace Geneva releases digitally signed security tokens to Web sites, and allows multiple sites to accept the same tokens, so users don't have to be authenticated for various related sites. On the other hand, if a phishing site lures a user to accidentally use a card and submit a token, that token would not be "redeemable" at any other site and therefore is not useful for impersonating the user in any other context. Another example of its use might be that an enterprise could have its employees use their Windows Live ID to access various assets within the company. In addition to working on Geneva at Microsoft, Cameron is part of the Identify Card Foundation, a group that is advocating open standards around the use of ID cards for authentication. Listen now: Download today's podcast </itunes:summary><itunes:keywords>IBM,Microsoft,Apple,Google,policy,Internet,computers,technology,chips,microprocessors</itunes:keywords><feedburner:origLink>http://news.cnet.com/8301-12640_3-10086259-91.html?part=rss&amp;tag=feed&amp;subj=SecurityBitespodcast</feedburner:origLink></item>
            <item>
                <title>Security Bites 120: When social networks host malware</title>
                <link>http://feedproxy.google.com/~r/cnet/securitybites/~3/49UJhS-mcyM/8301-12640_3-10080089-91.html</link>
                <description>&lt;p&gt;
&lt;div class="cnet-image-div image-medium float-left" style="width: 270px"&gt;
&lt;img class="cnet-image" src="/i/bto/20080926/NEWsecuritybites_300x300_270x269.jpg" alt=""
width="270" height="269" /&gt;
&lt;/div&gt;
&lt;/p&gt;&lt;p&gt;
In this week's Security Bites podcast, Robert Vamosi speaks with Ryan Naraine, security evangelist for Kaspersky and &lt;A href="http://blogs.zdnet.com/security/?p=2096"&gt;Zero Day blogger&lt;/a&gt; for ZDNet, about malicious software.
&lt;/p&gt;&lt;p&gt;
Naraine recently spoke at a &lt;a href="http://news.cnet.com/8301-1009_3-10067994-83.html"&gt;conference on emerging security threats&lt;/a&gt; sponsored by the Georgia Tech Information Security Center about the increasing risks of malware on social networks, such as &lt;a href="http://news.cnet.com/8301-1009_3-10078353-83.html"&gt;Facebook pages&lt;/a&gt; that lead people to Google pages with additional links to malware sites (a two-step infection process), and the more straightforward approach of &lt;a href="http://news.cnet.com/8301-1009_3-10034327-83.html"&gt;Facebook being used for botnets&lt;/a&gt;.
&lt;/p&gt;&lt;p&gt;
In this podcast, Naraine and Vamosi talk about the changing nature of threats today and what we might see in the future.
&lt;/p&gt;&lt;p&gt;
&lt;/p&gt;&lt;p&gt;
&lt;br clear="all" /&gt;
&lt;b style="margin: 10px 0px; display: inline; float: left;"&gt;Listen now: &lt;/b&gt;&lt;object style="margin: 0px 10px; display: inline; float: left;" type="application/x-shockwave-flash"
data="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_103108.mp3"
width="150" height="40"&gt;
&lt;param name="movie"
value="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_103108.mp3"
/&gt;
&lt;param name="quality" value="high" /&gt;
&lt;/object&gt;
&lt;a style="position: relative; top: 10px; width: 200px; height: 200px" href="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_103108.mp3"&gt;Download today's podcast&lt;/a&gt;
&lt;br clear="all"&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/cnet/securitybites/~4/49UJhS-mcyM" height="1" width="1"/&gt;</description>
                <guid isPermaLink="false">http://news.cnet.com/8301-12640_3-10080089-91.html</guid>
                <pubDate>Fri, 31 Oct 2008 14:02:00 PDT</pubDate>
                <dc:creator>securitybites@cnet.com (CNET.com)</dc:creator>
            <enclosure url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_103108.mp3" length="0" type="audio/mpeg" /><media:content url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_103108.mp3" type="audio/mpeg" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> In this week's Security Bites podcast, Robert Vamosi speaks with Ryan Naraine, security evangelist for Kaspersky and Zero Day blogger for ZDNet, about malicious software. Naraine recently spoke at a conference on emerging security threats sponsored by th</itunes:subtitle><itunes:author>CNET.com</itunes:author><itunes:summary> In this week's Security Bites podcast, Robert Vamosi speaks with Ryan Naraine, security evangelist for Kaspersky and Zero Day blogger for ZDNet, about malicious software. Naraine recently spoke at a conference on emerging security threats sponsored by the Georgia Tech Information Security Center about the increasing risks of malware on social networks, such as Facebook pages that lead people to Google pages with additional links to malware sites (a two-step infection process), and the more straightforward approach of Facebook being used for botnets. In this podcast, Naraine and Vamosi talk about the changing nature of threats today and what we might see in the future. Listen now: Download today's podcast </itunes:summary><itunes:keywords>IBM,Microsoft,Apple,Google,policy,Internet,computers,technology,chips,microprocessors</itunes:keywords><feedburner:origLink>http://news.cnet.com/8301-12640_3-10080089-91.html?part=rss&amp;tag=feed&amp;subj=SecurityBitespodcast</feedburner:origLink></item>
            <item>
                <title>Security Bites 119: Does the Internet need its own Interpol?</title>
                <link>http://feedproxy.google.com/~r/cnet/securitybites/~3/Ei4SvVArVUo/8301-12640_3-10074525-91.html</link>
                <description>&lt;div class="cnet-image-div image-medium float-left" style="width: 270px"&gt;
&lt;img class="cnet-image" src="/i/bto/20080926/NEWsecuritybites_300x300_270x269.jpg" alt=""
width="270" height="269" /&gt;
&lt;/div&gt;
In this week's Security Bites podcast, Robert Vamosi spoke with Patrik Runald, chief security adviser at F-Secure, about the need for a new international agency to handle cybercrime. Although there have been several high-profile arrests--such as that of "Chao,"  an &lt;a href="http://news.cnet.com/8301-10789_3-10062529-57.html"&gt;alleged Turkish ATM skimmer&lt;/a&gt;-- Runald said,  "the message we're sending today is not enough."
&lt;/p&gt;&lt;p&gt;
With a budget of only about $90 million (U.S.), Interpol was created, in part, to fight drug trafficking and human trafficking worldwide, and now it has taken on  Internet crimes without any direct increase in funding.  Runald concludes, "there's not enough resources to do this, and not enough coordination to do this."
&lt;/p&gt;&lt;p&gt;
He suggests that the European Union, the U.S., and maybe the G8 could fund such an organization. Even the United Nations might get involved. "Whether it's Interpol getting more funding or the U.N. spear-heading, it doesn't matter. The whole point was to raise the topic for discussion."
&lt;/p&gt;&lt;p&gt;
Runald also said some industries are reluctant to disclose how much is lost to cybercrime. Certainly banks don't disclose how much is lost due to phishing attacks. "If that was well known that might convince governments to help fund this type of organization."
&lt;/p&gt;&lt;p&gt;

&lt;br clear="all" /&gt;
&lt;b style="margin: 10px 0px; display: inline; float: left;"&gt;Listen now: &lt;/b&gt;&lt;object style="margin: 0px 10px; display: inline; float: left;" type="application/x-shockwave-flash"
data="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_102308.mp3"
width="150" height="40"&gt;
&lt;param name="movie"
value="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_102308.mp3"
/&gt;
&lt;param name="quality" value="high" /&gt;
&lt;/object&gt;
&lt;a style="position: relative; top: 10px; width: 200px; height: 200px" href="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_102308.mp3"&gt;Download today's podcast&lt;/a&gt;
&lt;br clear="all"&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/cnet/securitybites/~4/Ei4SvVArVUo" height="1" width="1"/&gt;</description>
                <guid isPermaLink="false">http://news.cnet.com/8301-12640_3-10074525-91.html</guid>
                <pubDate>Fri, 24 Oct 2008 12:22:00 PDT</pubDate>
                <dc:creator>securitybites@cnet.com (CNET.com)</dc:creator>
            <enclosure url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_102308.mp3" length="-1" type="audio/mpeg" /><media:content url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_102308.mp3" type="audio/mpeg" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> In this week's Security Bites podcast, Robert Vamosi spoke with Patrik Runald, chief security adviser at F-Secure, about the need for a new international agency to handle cybercrime. Although there have been several high-profile arrests--such as that of </itunes:subtitle><itunes:author>CNET.com</itunes:author><itunes:summary> In this week's Security Bites podcast, Robert Vamosi spoke with Patrik Runald, chief security adviser at F-Secure, about the need for a new international agency to handle cybercrime. Although there have been several high-profile arrests--such as that of "Chao," an alleged Turkish ATM skimmer-- Runald said, "the message we're sending today is not enough." With a budget of only about $90 million (U.S.), Interpol was created, in part, to fight drug trafficking and human trafficking worldwide, and now it has taken on Internet crimes without any direct increase in funding. Runald concludes, "there's not enough resources to do this, and not enough coordination to do this." He suggests that the European Union, the U.S., and maybe the G8 could fund such an organization. Even the United Nations might get involved. "Whether it's Interpol getting more funding or the U.N. spear-heading, it doesn't matter. The whole point was to raise the topic for discussion." Runald also said some industries are reluctant to disclose how much is lost to cybercrime. Certainly banks don't disclose how much is lost due to phishing attacks. "If that was well known that might convince governments to help fund this type of organization." 
Listen now: Download today's podcast </itunes:summary><itunes:keywords>IBM,Microsoft,Apple,Google,policy,Internet,computers,technology,chips,microprocessors</itunes:keywords><feedburner:origLink>http://news.cnet.com/8301-12640_3-10074525-91.html?part=rss&amp;tag=feed&amp;subj=SecurityBitespodcast</feedburner:origLink></item>
            <item>
                <title>Security Bites 118: Voting in America</title>
                <link>http://feedproxy.google.com/~r/cnet/securitybites/~3/2-0o7knbEPc/8301-12640_3-10069082-91.html</link>
                <description>&lt;div class="cnet-image-div image-medium float-left" style="width: 270px"&gt;
&lt;img class="cnet-image" src="/i/bto/20080926/NEWsecuritybites_300x300_270x269.jpg" alt=""
width="270" height="269" /&gt;
&lt;/div&gt;
&lt;p&gt;
Voting--it's the cornerstone of our democracy. But in recent years, both the systems we use and the trust we have in the accuracy of our votes have been challenged.
&lt;/p&gt;&lt;p&gt;
A new report &lt;a href="http://www.fortify.com/landing/assetsreg/evotingstudy.jsp"&gt;(PDF)&lt;/a&gt; looks at all the systems currently in use--from paper ballots to Direct-Recording Electronic machines--and the issues that surround them. Researchers at Fortify analyzed threats against three phases of an election (voter registration, casting votes, and tabulating votes), highlighting specific ways voting systems have been compromised, summarizing the strengths and weaknesses of current voting techniques, and then providing guidance for voters to ensure their votes are handled properly in upcoming elections.
&lt;/p&gt;&lt;p&gt;
This week, Robert Vamosi spoke with co-authors Brian Chess and Jacob West of Fortify about their report.
&lt;/p&gt;&lt;p&gt;
Not surprisingly, Chess and West draw parallels between the electronic systems handling our votes and those that handle our financial transactions. They conclude with several ways the federal and state governments can work with voting machine vendors to adopt business software assurance techniques into the systems they create.
&lt;/p&gt;&lt;p&gt;

&lt;br clear="all" /&gt;
&lt;b style="margin: 10px 0px; display: inline; float: left;"&gt;Listen now: &lt;/b&gt;&lt;object style="margin: 0px 10px; display: inline; float: left;" type="application/x-shockwave-flash"
data="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_101708.mp3"
width="150" height="40"&gt;
&lt;param name="movie"
value="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_101708.mp3"
/&gt;
&lt;param name="quality" value="high" /&gt;
&lt;/object&gt;
&lt;a style="position: relative; top: 10px; width: 200px; height: 200px" href="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_101708.mp3"&gt;Download today's podcast&lt;/a&gt;
&lt;br clear="all"&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/cnet/securitybites/~4/2-0o7knbEPc" height="1" width="1"/&gt;</description>
                <guid isPermaLink="false">http://news.cnet.com/8301-12640_3-10069082-91.html</guid>
                <pubDate>Fri, 17 Oct 2008 15:17:28 PDT</pubDate>
                <dc:creator>securitybites@cnet.com (CNET.com)</dc:creator>
            <enclosure url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_101708.mp3" length="0" type="audio/mpeg" /><media:content url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_101708.mp3" type="audio/mpeg" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> Voting--it's the cornerstone of our democracy. But in recent years, both the systems we use and the trust we have in the accuracy of our votes have been challenged. A new report (PDF) looks at all the systems currently in use--from paper ballots to Direc</itunes:subtitle><itunes:author>CNET.com</itunes:author><itunes:summary> Voting--it's the cornerstone of our democracy. But in recent years, both the systems we use and the trust we have in the accuracy of our votes have been challenged. A new report (PDF) looks at all the systems currently in use--from paper ballots to Direct-Recording Electronic machines--and the issues that surround them. Researchers at Fortify analyzed threats against three phases of an election (voter registration, casting votes, and tabulating votes), highlighting specific ways voting systems have been compromised, summarizing the strengths and weaknesses of current voting techniques, and then providing guidance for voters to ensure their votes are handled properly in upcoming elections. This week, Robert Vamosi spoke with co-authors Brian Chess and Jacob West of Fortify about their report. Not surprisingly, Chess and West draw parallels between the electronic systems handling our votes and those that handle our financial transactions. They conclude with several ways the federal and state governments can work with voting machine vendors to adopt business software assurance techniques into the systems they create. 
Listen now: Download today's podcast </itunes:summary><itunes:keywords>IBM,Microsoft,Apple,Google,policy,Internet,computers,technology,chips,microprocessors</itunes:keywords><feedburner:origLink>http://news.cnet.com/8301-12640_3-10069082-91.html?part=rss&amp;tag=feed&amp;subj=SecurityBitespodcast</feedburner:origLink></item>
            <item>
                <title>Security Bites 117: How 'Clickjacking' attacks hide behind the mouse</title>
                <link>http://feedproxy.google.com/~r/cnet/securitybites/~3/nwuwaO-gc3M/8301-12640_3-10063542-91.html</link>
                <description>&lt;div class="cnet-image-div image-medium float-left" style="width: 270px"&gt;
&lt;img class="cnet-image" src="/i/bto/20080926/NEWsecuritybites_300x300_270x269.jpg" alt=""
width="270" height="269" /&gt;
&lt;/div&gt;
&lt;/p&gt;&lt;p&gt;
Criminals may have found a way to get you to click on malware without you even knowing. Worse, they might also be able to open the microphone or Webcam on your PC to eavesdrop.
&lt;/p&gt;&lt;p&gt;
Called &lt;a href="http://news.cnet.com/8301-1009_3-10061358-83.html"&gt;Clickjacking&lt;/a&gt;, the process allows the attacker to trick you, the user, into clicking on something only briefly visible on the screen. While it's mostly a problem for the browser makers, it also affects Adobe Flash, Microsoft Silverlight, and Sun's Java.
&lt;/p&gt;&lt;p&gt;
Although clickjacking, which may contain up to a half dozen specific vulnerabilities, has been around for years, it has recently come to the attention of online criminals and security researchers alike.
&lt;/p&gt;&lt;p&gt;
One of those researchers is Jeremiah Grossman, CTO of WhiteHat Security. Robert Vamosi of CNET News spoke with him by phone. 
&lt;/p&gt;&lt;p&gt;
Grossman recommends users of Firefox consider using the &lt;a href="http://blogs.zdnet.com/security/?p=1973"&gt;NoScript&lt;/a&gt; plug-in and set it to &lt;a href="http://www.us-cert.gov/reading_room/securing_browser/#Mozilla_Firefox"&gt;forbid IFrame content&lt;/a&gt;. More details on configuring NoScript to block this attack can be found &lt;a href="http://hackademix.net/2008/09/27/clickjacking-and-noscript/"&gt;here&lt;/a&gt;. Additional &lt;a href="http://www.us-cert.gov/current/#multiple_web_browsers_affected_by"&gt;US-CERT tips&lt;/a&gt; for securing other browsers can be found &lt;a href="http://www.us-cert.gov/reading_room/securing_browser/"&gt;here&lt;/a&gt;.
&lt;/p&gt;&lt;p&gt;
&lt;/p&gt;

&lt;br clear="all" /&gt;
&lt;b style="margin: 10px 0px; display: inline; float: left;"&gt;Listen now: &lt;/b&gt;&lt;object style="margin: 0px 10px; display: inline; float: left;" type="application/x-shockwave-flash"
data="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_101008.mp3"
width="150" height="40"&gt;
&lt;param name="movie"
value="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_101008.mp3"
/&gt;
&lt;param name="quality" value="high" /&gt;
&lt;/object&gt;
&lt;a style="position: relative; top: 10px; width: 200px; height: 200px" href="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_101008.mp3"&gt;Download today's podcast&lt;/a&gt;
&lt;br clear="all"&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/cnet/securitybites/~4/nwuwaO-gc3M" height="1" width="1"/&gt;</description>
                <guid isPermaLink="false">http://news.cnet.com/8301-12640_3-10063542-91.html</guid>
                <pubDate>Fri, 10 Oct 2008 13:45:00 PDT</pubDate>
                <dc:creator>securitybites@cnet.com (CNET.com)</dc:creator>
            <enclosure url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_101008.mp3" length="0" type="audio/mpeg" /><media:content url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_101008.mp3" type="audio/mpeg" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> Criminals may have found a way to get you to click on malware without you even knowing. Worse, they might also be able to open the microphone or Webcam on your PC to eavesdrop. Called Clickjacking, the process allows the attacker to trick you, the user, in</itunes:subtitle><itunes:author>CNET.com</itunes:author><itunes:summary> Criminals may have found a way to get you to click on malware without you even knowing. Worse, they might also be able to open the microphone or Webcam on your PC to eavesdrop. Called Clickjacking, the process allows the attacker to trick you, the user, into clicking on something only briefly visible on the screen. While it's mostly a problem for the browser makers, it also affects Adobe Flash, Microsoft Silverlight, and Sun's Java. Although clickjacking, which may contain up to a half dozen specific vulnerabilities, has been around for years, it has recently come to the attention of online criminals and security researchers alike. One of those researchers is Jeremiah Grossman, CTO of WhiteHat Security. Robert Vamosi of CNET News spoke with him by phone. Grossman recommends users of Firefox consider using the NoScript plug-in and set it to forbid IFrame content. More details on configuring NoScript to block this attack can be found here. Additional US-CERT tips for securing other browsers can be found here. 
Listen now: Download today's podcast </itunes:summary><itunes:keywords>IBM,Microsoft,Apple,Google,policy,Internet,computers,technology,chips,microprocessors</itunes:keywords><feedburner:origLink>http://news.cnet.com/8301-12640_3-10063542-91.html?part=rss&amp;tag=feed&amp;subj=SecurityBitespodcast</feedburner:origLink></item>
            <item>
                <title>Security Bites 116: Investigating data breaches</title>
                <link>http://feedproxy.google.com/~r/cnet/securitybites/~3/p01qYSDR5yc/8301-12640_3-10057811-91.html</link>
                <description>&lt;/p&gt;&lt;p&gt;&lt;div class="cnet-image-div image-medium float-left" style="width: 270px"&gt;
&lt;img class="cnet-image" src="/i/bto/20080926/NEWsecuritybites_300x300_270x269.jpg" alt=""
width="270" height="269" /&gt;
&lt;/div&gt;
&lt;/p&gt;&lt;p&gt;
According to a &lt;a href="http://news.cnet.com/8301-1009_3-10056490-83.html"&gt;report this week from Verizon Business,&lt;/a&gt; risk factors for data breaches vary industry to industry and defy a "cookie cutter" approach to security, which is why Verizon has revisited an earlier report. The goal of both the new and the prior report is to offer detailed insight into how data breaches occur, so that companies can address the problems within their specific industry. 
&lt;/p&gt;&lt;p&gt;
The June 2008 report spanned four years and included more than 500 forensic investigations involving 230 million compromised records. The new report uses that same data but drills down within four key industries: financial services, tech, retail, and food and beverage. The four constitute 82 percent of all the attacks in the original Verizon report.
&lt;/p&gt;&lt;p&gt;
Verizon found the attacks on the financial industry tend to be sophisticated. A majority come from outside hackers, although a healthy amount could also be attributed to insiders who have been granted access to the data. Retail and food and beverage, which includes restaurants and grocery stores, are the polar opposite. In both retail and food, less sophisticated attacks are used and are often the result of a compromised third-party vendor.
&lt;/p&gt;&lt;p&gt;
Bryan Sartin, co-author of the report and director of investigative response for Verizon Business security solutions, talks with CNET News' Robert Vamosi about some of the investigations Verizon has done into thefts by third parties, and the possible ties to organized crime and terrorism.
&lt;/p&gt;&lt;p&gt;
&lt;br clear="all" /&gt;
&lt;b style="margin: 10px 0px; display: inline; float: left;"&gt;Listen now: &lt;/b&gt;&lt;object style="margin: 0px 10px; display: inline; float: left;" type="application/x-shockwave-flash"
data="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_100308.mp3"
width="150" height="40"&gt;
&lt;param name="movie"
value="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_100308.mp3"
/&gt;
&lt;param name="quality" value="high" /&gt;
&lt;/object&gt;
&lt;a style="position: relative; top: 10px; width: 200px; height: 200px" href="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_100308.mp3"&gt;Download today's podcast&lt;/a&gt;
&lt;br clear="all"&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/cnet/securitybites/~4/p01qYSDR5yc" height="1" width="1"/&gt;</description>
                <guid isPermaLink="false">http://news.cnet.com/8301-12640_3-10057811-91.html</guid>
                <pubDate>Fri, 03 Oct 2008 12:30:03 PDT</pubDate>
                <dc:creator>securitybites@cnet.com (CNET.com)</dc:creator>
            <enclosure url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_100308.mp3" length="0" type="audio/mpeg" /><media:content url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_100308.mp3" type="audio/mpeg" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> According to a report this week from Verizon Business, risk factors for data breaches vary industry to industry and defy a "cookie cutter" approach to security, which is why Verizon has revisited an earlier report. The goal of both the new and the prior </itunes:subtitle><itunes:author>CNET.com</itunes:author><itunes:summary> According to a report this week from Verizon Business, risk factors for data breaches vary industry to industry and defy a "cookie cutter" approach to security, which is why Verizon has revisited an earlier report. The goal of both the new and the prior report is to offer detailed insight into how data breaches occur, so that companies can address the problems within their specific industry. The June 2008 report spanned four years and included more than 500 forensic investigations involving 230 million compromised records. The new report uses that same data but drills down within four key industries: financial services, tech, retail, and food and beverage. The four constitute 82 percent of all the attacks in the original Verizon report. Verizon found the attacks on the financial industry tend to be sophisticated. A majority come from outside hackers, although a healthy amount could also be attributed to insiders who have been granted access to the data. Retail and food and beverage, which includes restaurants and grocery stores, are the polar opposite. In both retail and food, less sophisticated attacks are used and are often the result of a compromised third-party vendor. 
Bryan Sartin, co-author of the report and director of investigative response for Verizon Business security solutions, talks with CNET News' Robert Vamosi about some of the investigations Verizon has done into thefts by third parties, and the possible ties to organized crime and terrorism. Listen now: Download today's podcast </itunes:summary><itunes:keywords>IBM,Microsoft,Apple,Google,policy,Internet,computers,technology,chips,microprocessors</itunes:keywords><feedburner:origLink>http://news.cnet.com/8301-12640_3-10057811-91.html?part=rss&amp;tag=feed&amp;subj=SecurityBitespodcast</feedburner:origLink></item>
            <item>
                <title>Security Bites 115: Inside ID fraud's underground forums</title>
                <link>http://feedproxy.google.com/~r/cnet/securitybites/~3/1LxImD8KtZA/8301-12640_3-10052441-91.html</link>
                <description>&lt;div class="cnet-image-div image-medium float-left" style="width: 270px"&gt;
&lt;img class="cnet-image" src="/i/bto/20080926/NEWsecuritybites_300x300_270x269.jpg" alt=""
width="270" height="269" /&gt;
&lt;/div&gt;

&lt;p&gt;This week Tom Rusin, president and chief executive officer of Affinion's North America operation, is Robert Vamosi's guest. His company monitors the criminal underground for several thousand banking institutions by lurking in carder chat rooms.
&lt;/p&gt;&lt;p&gt;
"Carders" are the people who buy, sell, and trade online the credit card data stolen from phishing sites or from large data breaches at retail stores. Affinion is global, with offices in more than a dozen countries. And over the years they have provided a wealth of information to the U.S. Secret Service and the FBI. A few weeks ago, Affinion identified .Mac users who found themselves &lt;a href="http://news.cnet.com/8301-1009_3-10017374-83.html"&gt;victims of a phishing scam&lt;/a&gt;.
&lt;/p&gt;&lt;p&gt;
"Any piece of info is priceless to these people," says Rusin. 
&lt;/p&gt;&lt;p&gt;
&lt;br clear="all" /&gt;
&lt;b style="margin: 10px 0px; display: inline; float: left;"&gt;Listen now: &lt;/b&gt;&lt;object style="margin: 0px 10px; display: inline; float: left;" type="application/x-shockwave-flash"
data="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_092608.mp3"
width="150" height="40"&gt;
&lt;param name="movie"
value="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_092608.mp3"
/&gt;
&lt;param name="quality" value="high" /&gt;
&lt;/object&gt;
&lt;a style="position: relative; top: 10px; width: 200px; height: 200px" href="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_092608.mp3"&gt;Download today's podcast&lt;/a&gt;
&lt;br clear="all"&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/cnet/securitybites/~4/1LxImD8KtZA" height="1" width="1"/&gt;</description>
                <guid isPermaLink="false">http://news.cnet.com/8301-12640_3-10052441-91.html</guid>
                <pubDate>Fri, 26 Sep 2008 16:00:51 PDT</pubDate>
                <dc:creator>securitybites@cnet.com (CNET.com)</dc:creator>
            <enclosure url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_092608.mp3" length="0" type="audio/mpeg" /><media:content url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_092608.mp3" type="audio/mpeg" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> This week Tom Rusin, president and chief executive officer of Affinion's North America operation, is Robert Vamosi's guest. His company monitors the criminal underground for several thousand banking institutions by lurking in carder chat rooms. "Carders"</itunes:subtitle><itunes:author>CNET.com</itunes:author><itunes:summary> This week Tom Rusin, president and chief executive officer of Affinion's North America operation, is Robert Vamosi's guest. His company monitors the criminal underground for several thousand banking institutions by lurking in carder chat rooms. "Carders" are the people who buy, sell, and trade online the credit card data stolen from phishing sites or from large data breaches at retail stores. Affinion is global, with offices in more than a dozen countries. And over the years they have provided a wealth of information to the U.S. Secret Service and the FBI. A few weeks ago, Affinion identified .Mac users who found themselves victims of a phishing scam. "Any piece of info is priceless to these people," says Rusin. Listen now: Download today's podcast </itunes:summary><itunes:keywords>IBM,Microsoft,Apple,Google,policy,Internet,computers,technology,chips,microprocessors</itunes:keywords><feedburner:origLink>http://news.cnet.com/8301-12640_3-10052441-91.html?part=rss&amp;tag=feed&amp;subj=SecurityBitespodcast</feedburner:origLink></item>
            <item>
                <title>Security Bites 114: Desktop application risk</title>
                <link>http://feedproxy.google.com/~r/cnet/securitybites/~3/L1b6pmpm2ck/8301-12640_3-10041648-91.html</link>
                <description>&lt;div class="cnet-image-div image-medium float-left" style="width: 270px"&gt;
&lt;img class="cnet-image" src="/i/bto/20080915/securitybites_podcast_300x_270x269.jpg" alt=""
width="270" height="269" /&gt;
&lt;/div&gt;&lt;/p&gt;&lt;p&gt;It may seem trivial to you what applications are on your desktop, but from a business or organization's perspective, it can be a serious matter. If an application provides unfiltered access to the outside world, this could create regulatory issues. Certain desktop applications can also indirectly or directly introduce malware inside the perimeter through file sharing. At the very least, some applications simply take away bandwidth (for example, streaming audio or video).
&lt;/p&gt;&lt;p&gt;
In its second report on &lt;a href="http://www.paloaltonetworks.com/AUR/"&gt; Application Usage and Risk&lt;/a&gt;, Palo Alto Networks finds that 56 percent of the desktop applications surveyed use HTTP. Use of port 80, which the server uses to listen to requests from a Web client, makes it hard for organizations to filter or firewall the content.
&lt;/p&gt;&lt;p&gt;
Chris King, who appeared on &lt;a href="http://news.cnet.com/Security-Bites-Podcast-Whats-on-your-network/2331-12640_3-6237792.html?tag=mncol%3btxt"&gt;Security Bites last April,&lt;/a&gt; talks this week with CNET News' Robert Vamosi about the report's findings, including the hidden risks in running Microsoft SharePoint or Lotus Notes. 
&lt;/p&gt;&lt;p&gt;
To see all the risks associated with several hundred common desktop applications, Palo Alto Networks provides an online &lt;a href="http://ww2.paloaltonetworks.com/applipedia/"&gt;Applipedia&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;
&lt;br clear="all" /&gt;
&lt;b style="margin: 10px 0px; display: inline; float: left;"&gt;Listen now: &lt;/b&gt;&lt;object style="margin: 0px 10px; display: inline; float: left;" type="application/x-shockwave-flash"
data="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_091508.mp3"
width="150" height="40"&gt;
&lt;param name="movie"
value="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_091508.mp3"
/&gt;
&lt;param name="quality" value="high" /&gt;
&lt;/object&gt;
&lt;a style="position: relative; top: 10px; width: 200px; height: 200px" href="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_091508.mp3"&gt;Download today's podcast&lt;/a&gt;
&lt;br clear="all"&gt;
&lt;br /&gt; 
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/cnet/securitybites/~4/L1b6pmpm2ck" height="1" width="1"/&gt;</description>
                <guid isPermaLink="false">http://news.cnet.com/8301-12640_3-10041648-91.html</guid>
                <pubDate>Mon, 15 Sep 2008 11:35:41 PDT</pubDate>
                <dc:creator>securitybites@cnet.com (CNET.com)</dc:creator>
            <enclosure url="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_091508.mp3" length="2584" type="application/x-shockwave-flash" /><media:content url="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_091508.mp3" fileSize="2584" type="application/x-shockwave-flash" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> It may seem trivial to you what applications are on your desktop, but from a business or organization's perspective, it can be a serious matter. If an application provides unfiltered access to the outside world, this could create regulatory issues. Certa</itunes:subtitle><itunes:author>CNET.com</itunes:author><itunes:summary> It may seem trivial to you what applications are on your desktop, but from a business or organization's perspective, it can be a serious matter. If an application provides unfiltered access to the outside world, this could create regulatory issues. Certain desktop applications can also indirectly or directly introduce malware inside the perimeter through file sharing. At the very least, some applications simply take away bandwidth (for example, streaming audio or video). In its second report on Application Usage and Risk, Palo Alto Networks finds that 56 percent of the desktop applications surveyed use HTTP. Use of port 80, which the server uses to listen to requests from a Web client, makes it hard for organizations to filter or firewall the content. Chris King, who appeared on Security Bites last April, talks this week with CNET News' Robert Vamosi about the report's findings, including the hidden risks in running Microsoft SharePoint or Lotus Notes. To see all the risks associated with several hundred common desktop applications, Palo Alto Networks provides an online Applipedia. 
Listen now: Download today's podcast </itunes:summary><itunes:keywords>IBM,Microsoft,Apple,Google,policy,Internet,computers,technology,chips,microprocessors</itunes:keywords><feedburner:origLink>http://news.cnet.com/8301-12640_3-10041648-91.html?part=rss&amp;tag=feed&amp;subj=SecurityBitespodcast</feedburner:origLink></item>
            <item>
                <title>Security Bites 113: The security of Chrome</title>
                <link>http://feedproxy.google.com/~r/cnet/securitybites/~3/9WmEt2rOoH0/8301-12640_3-10033884-91.html</link>
                <description>&lt;div class="cnet-image-div image-medium float-left" style="width: 270px"&gt;
&lt;img class="cnet-image" src="/i/bto/20080905/securitybites_podcast_300x_270x269.jpg" alt=""
width="270" height="269" /&gt;
&lt;/div&gt;

&lt;/p&gt;&lt;p&gt;Google has entered the browser space. &lt;a href="http://news.cnet.com/Meet-Chrome%2C-Googles-shiny-new-browser/2009-1032_3-6246210.html"&gt;Chrome&lt;/a&gt;, its browser still in beta, is based on the open source WebKit project. Some will recognize WebKit as the foundation for another browser, Apple Safari. But &lt;a href="http://reviews.cnet.com/browsers/chrome-beta/4505-3514_7-33238322.html?tag=mncol;lst"&gt;Chrome&lt;/a&gt; also borrows heavily from Mozilla Firefox and Microsoft Internet Explorer, giving this new browser an old and familiar feel.
&lt;/p&gt;&lt;p&gt;
There is, however, innovation. 
&lt;/p&gt;&lt;p&gt;
Tabs are arrayed &lt;a href="http://news.cnet.com/2300-1038_3-6246221-1.html?tag=txt"&gt;atop the browser&lt;/a&gt; instead of in the traditional toolbar. And users can drag and drop the tabs on the desktop outside the browser. There is also a way to make an icon for Gmail and Google Calendar on your desktop.
&lt;/p&gt;&lt;p&gt;
Deep down, Google has also upgraded how the browser handles JavaScript. Gone are the days when Java applets simply gave you dancing babies on a Web page. Today we're running robust applications.
&lt;/p&gt;&lt;p&gt;
Joining CNET News' Robert Vamosi this week is Billy Hoffman, manager of HP's Web security group. Hoffman, along with Bryan Sullivan, also co-authored &lt;i&gt;AJAX Security&lt;/i&gt;. 
&lt;/p&gt;&lt;p&gt;
In this podcast, Hoffman offers what he thinks Google did right with Chrome, and what could be trouble down the road.
&lt;/p&gt;&lt;p&gt;
&lt;br clear="all" /&gt;
&lt;b style="margin: 10px 0px; display: inline; float: left;"&gt;Listen now: &lt;/b&gt;&lt;object style="margin: 0px 10px; display: inline; float: left;" type="application/x-shockwave-flash"
data="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_0905.mp3"
width="150" height="40"&gt;
&lt;param name="movie"
value="http://i.i.com.com/cnwk.1d/av/n/emff.swf?src=http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_0905.mp3"
/&gt;
&lt;param name="quality" value="high" /&gt;
&lt;/object&gt;
&lt;a style="position: relative; top: 10px; width: 200px; height: 200px" href="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_0905.mp3"&gt;Download today's podcast&lt;/a&gt;
&lt;br clear="all"&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/cnet/securitybites/~4/9WmEt2rOoH0" height="1" width="1"/&gt;</description>
                <guid isPermaLink="false">http://news.cnet.com/8301-12640_3-10033884-91.html</guid>
                <pubDate>Fri, 05 Sep 2008 12:15:36 PDT</pubDate>
                <dc:creator>securitybites@cnet.com (CNET.com)</dc:creator>
            <enclosure url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_0905.mp3" length="0" type="audio/mpeg" /><media:content url="http://chkpt.zdnet.com/chkpt/news.pod.bites/http://podcast-files.cnet.com/podcast/cnet_securitybites_0905.mp3" type="audio/mpeg" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> Google has entered the browser space. Chrome, its browser still in beta, is based on the open source WebKit project. Some will recognize WebKit as the foundation for another browser, Apple Safari. But Chrome also borrows heavily from Mozilla Firefox and </itunes:subtitle><itunes:author>CNET.com</itunes:author><itunes:summary> Google has entered the browser space. Chrome, its browser still in beta, is based on the open source WebKit project. Some will recognize WebKit as the foundation for another browser, Apple Safari. But Chrome also borrows heavily from Mozilla Firefox and Microsoft Internet Explorer, giving this new browser an old and familiar feel. There is, however, innovation. Tabs are arrayed atop the browser instead of in the traditional toolbar. And users can drag and drop the tabs on the desktop outside the browser. There is also a way to make an icon for Gmail and Google Calendar on your desktop. Deep down, Google has also upgraded how the browser handles JavaScript. Gone are the days when Java applets simply gave you dancing babies on a Web page. Today we're running robust applications. Joining CNET News' Robert Vamosi this week is Billy Hoffman, manager of HP's Web security group. Hoffman, along with Bryan Sullivan, also co-authored AJAX Security. In this podcast, Hoffman offers what he thinks Google did right with Chrome, and what could be trouble down the road. 
Listen now: Download today's podcast </itunes:summary><itunes:keywords>IBM,Microsoft,Apple,Google,policy,Internet,computers,technology,chips,microprocessors</itunes:keywords><feedburner:origLink>http://news.cnet.com/8301-12640_3-10033884-91.html?part=rss&amp;tag=feed&amp;subj=SecurityBitespodcast</feedburner:origLink></item>
        
    <media:credit role="author">CNET.com</media:credit><media:rating>nonadult</media:rating><media:description type="plain">An impromptu commentary on the week's security news.</media:description></channel>
</rss>
