A Good Year for Security Collaboration

By George Stathakopoulos

It seems like just yesterday when I was at Black Hat. Now as I get ready to fly to Las Vegas again, I look forward to seeing a lot of security researchers, hearing their latest exploits and how they fared over the last 352 days. At the same time, it is a great opportunity to look back at the past year in security and ask myself, “was it a good year or a bad year?”

What comes immediately to mind when I think of the past year? The rise of rogue security software, Conficker, two out-of-band security updates (thanks to the MSRC for the great work!) and of course the fact that cyber security has garnered national attention fueling the search for a cyber czar. Security researchers and analysts have said that security investments like the security development lifecycle (SDL) are making products harder to crack. More people are interested in secure development, as seen by the uptick in downloads of Microsoft !exploitable and Threat Modeling tools. More companies – Adobe comes to mind – are clearly demonstrating their commitment to protecting customers through security fundamentals. And really, the collaborative spirit was obvious across the industry over the past year.

iPhone 3GS Offers Enterprise-Class Security for Everyone

From TidBITS (Rich Mogull)

The original iPhone was widely criticized by security professionals for lacking essential security features for the enterprise, the large corporate networks that have special needs because of huge numbers of users and the massive back-end operations to support those users.
The original iPhone was hard to lock down, had only limited secure connectivity options, and lacked both data protection and some way to destroy data remotely if you lost the phone. Those capabilities have continued to improve with every iPhone software release and, combined with the hardware improvements in the iPhone 3GS, even regular users can now enjoy security equivalent to that provided by most corporate environments. Read the full story [tidbits.com]


From Computerworld (Jaikumar Vijayan)

Computerworld – Compared to other key corporate executives, CEOs appear to underestimate the IT security risks faced by their own organizations, according to a survey of C-level executives released today by the Ponemon Institute.

The Ponemon survey of 213 CEOs, CIOs, COOs and other senior executives reveals what appears to be a perception gap concerning information security issues between CEOs and other senior managers. For instance, 48% of CEOs surveyed said they believe hackers rarely try to access corporate data. On the other hand, some 53% of other C-level executives believe that their company’s data is under attack on a daily or even hourly basis. Download the survey (PDF). Read the full story [computerworld.com]

From DarkReading (Kelly Jackson Higgins)
A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility’s HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 — one day after his planned last day on the job. Read the full story [DarkReading].

From Wired (David Kravets)
A federal appeals court, in the first decision of its kind, said Thursday that companies providing malware, spyware and adware blocking services are immunized by the Communications Decency Act of 1996 from lawsuits claiming unfair business practices.
A three-judge panel of the 9th U.S. Circuit Court of Appeals found that the CDA treats security software makers the same as internet service providers when they block material they find objectionable, granting them so-called “good Samaritan” immunity from civil lawsuits. Like an ISP, such companies provide an “interactive computer service” because they pull updates from a central server, the San Francisco-based appeals court said. Read the full story [Wired.com].

From SearchSecurity.com (Robert Westervelt)
The dismal economy has put the brakes on a lot of security projects, but the need to maintain the basics and automate some security functions has fueled interest in managed security services and some specific security areas, according to analysts at Gartner Inc.
Despite the dour economy, core security software functions are on pace to continue to grow, said Adam Hils, a principal research analyst with Gartner Research. Antivirus, antimalware and email security will continue to gain interest. New projects will be driven by regulatory compliance initiatives and areas affected by cost cutting measures. Read the full story [techtarget.com]

From Computerworld (Jaikumar Vijayan)
In a move that is unlikely to sit well with many merchants, MasterCard has quietly changed a key security requirement for all businesses handling between 1 million and 6 million card transactions annually.
Starting Dec. 31, 2010, companies that fall into this category, called Level 2, will be required to undergo an onsite review of their security controls by a MasterCard-approved third-party assessor. Read the full story [Computerworld].

From SC Magazine (Angela Moscaritolo)
A financial services technology group is developing standards for making secure mobile payment transactions. The goal of the project, an effort of the Financial Services Technology Consortium (FSTC), is to develop standards and processes so that banking customers are able to securely pay a merchant or another bank customer using their phone, no matter what mobile device or carrier they use. Read the full story [scmagazine.com]

From Wired.com (Kim Zetter)
Accused TJX hacker kingpin Albert Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.”
He spent $75,000 on a birthday party for himself and once complained that he had to manually count $340,000 in pilfered $20 bills because his counting machine broke. But while Gonzalez apparently lived high off ill-gotten gains, a programmer who claims he earned nothing from the scheme sits broke and unemployed, his career in shambles, while awaiting sentencing for a piece of software he crafted for his friend. Read the full story [Wired.com].