Friday, January 27, 2006

Cybercrime more likely than physical crime

A survey of U.S. adults revealed that three times the number of respondents said they were more likely to be victimized in an online attack such as phishing or virus outbreaks than a physical crime.

Twenty six percent of respondents said they think they will be a victim of a virtual crime in the next 12 months, compared with just 8 percent who think that a physical crime is more likely, according to the survey of almost 700 people, which was sponsored by IBM.

The fear of online crime may already be affecting the behavior of adults. Thirty seven percent of those responding to the survey said they don't provide credit card information in online transactions. A similar number said they don't bank online and half said they refuse to use shared wireless networks, such as those in coffee shops and airports.

CATEGORIES : 1cybercrime, 1trends, 1user
Rate this post: (Provided by NewsGator)

Most businesses don't enforce Mobile Security

Enterprises are doing a poor job of securing workers’ handheld devices, according to a report released Thursday by Orange PLC and Quocirca Ltd. The survey of 2,035 IT professionals in the U.K. found that one in five companies that already have wide deployments of mobile devices have no policies in place for mobile security.

Of the surveyed companies that do have mobile security policies, more than 60% say their policy is not enforced. The survey mainly looked at security from the point of view of ensuring that unauthorized people can’t use employees’ devices to access corporate information, rather than examining protection against viruses or other malware. The study found that 80% of businesses surveyed said that their employees are the main threat to mobile security. But the report’s author says that IT departments have tools that they can use to help secure the devices.

One policy that IT departments should be implementing is remote management capabilities that can help in case a device is lost or stolen, said Rob Bamforth, an analyst at Quocirca and the report’s author. For example, synchronizing the device with back-end servers can ensure that data stored on the device isn’t lost. Enterprises can also implement remote wipe or kill features that delete data or make devices unusable if they are lost or stolen. Mobile device management should also include a legal aspect if case sensitive data is stolen, as well as insurance for any financial implications of lost data, Bamforth noted. IT departments should also be responsible for deploying products for securing devices such as firewalls and VPN (virtual private network) protection, said Shaun Orpen, vice president of marketing for Orange UK.

CATEGORIES : 1mobility, 1best practices, 1advice, 1policy, 1survey, 1trends, 1user
Rate this post: (Provided by NewsGator)

Stolen Ameriprise laptop compromises 230,000

Ameriprise Financial, an investment advisor firm, said that a company laptop stolen from an employee's parked car in December contained the personal information of some 230,000 customers and company advisors, The New York Times reports.

Within the stolen laptop was a list of customer accounts that had been reassigned, all stored unencrypted, a violation of Ameriprise's privacy policies. The sensitive information contained in the laptop included the names and Social Security numbers of roughly 70,000 current and former financial advisors, as well as the names and internal account numbers of about 158,000 customers.

CATEGORIES: 1laptop, 1idtheft, 1theft
Rate this post: (Provided by NewsGator)

EU Data Security Failings

Businesses across Europe are failing to secure their critical business data, despite its importance to the business, a survey of 150 IT directors has revealed. The research, covering organisations in the UK, France and Germany, suggests that companies regard data security as a lower priority than the security of the rest of their IT systems.

Across the three countries surveyed only 25% of companies listed corporate data as an asset on their balance sheets, the survey by Embacadero and Vanson Bourne found. Some 66% of organisations listed their networks, servers and applications as a security priority, but only 15% listed corporate data, and just 6% said the security of their databases was a priority. Roughly 50% said they would have difficulty making data available if they kept it secure.

More than 25% of firms felt their organisations did not have a thorough understanding of their legal obligations for corporate data. Less than 50% were able to grade their corporate data in order of importance, and 25% treated all data as of equal value, the research revealed.
Data management was a higher priority in the UK - where it was rated as an issue by 67% of IT directors- than in France (51%), or Germany (40%), the survey found.

CATEGORIES : 1data security, 1survey, 1trends
Rate this post: (Provided by NewsGator)

"Robin Hood" hacker convicted

Stealing from the rich and giving to the poor might have worked for Robin Hood, but it landed hacker Thomas Gawith in court on six charges of computer crime. Gawith pleaded guilty before Judge Gregory Ross in Palmerston North District Court yesterday and was convicted and remanded on bail until March 2 for sentencing.

Prosecutor Sergeant Johnny Ireland claimed the defendant had purchased access codes for Kiwibank accounts and using a computer at a house where he was staying in Tauranga had taken money from those who had it and given it to those who didn't. On June 7 last year he had taken a total of about $7700 from three accounts. The next day he broke into three more, taking $6050.

Gawith told police he thought he had not done anything wrong because he hadn't kept any of the money for himself, Sgt Ireland said. Kiwibank restored the money to the correct accounts as soon as the Gawith's transactions were discovered.

CATEGORIES : 1hack, 1convictions
Rate this post: (Provided by NewsGator)

Top Spam countries : USA first

Almost a quarter of the world's spam in the last three months of 2005 was sent from computers in the United States, according to U.K. antivirus company Sophos.

While the U.S. still tops the chart, the latest figures mark the first time the country accounts for less than one quarter of all spam relayed. The decline in U.S.-sourced spam is thanks in part to the crackdown against fraudulent e-mail, Sophos said. In particular, the company pointed to monetary damages that spammers have been ordered to pay as well as jail sentences, tighter legislation and improved coordination among Internet service providers.

The numbers do suggest, however, that Microsoft Chairman Bill Gates' prediction two years ago that the spam problem would be solved by now has not come true. The majority of the junk mail, 60 percent, is now being relayed by compromised PCs, called zombies, that are at the beck and call of cybercriminals, Sophos said.

The top 12 spam relaying countries, according to Sophos, are as follows:
1. United States, 24.5 percent
2. China, 22.3 percent
3. South Korea, 9.7 percent
4. France, 5 percent
5. Canada, 3 percent
6. Brazil, 2.6 percent
7. Spain, 2.5 percent
8. Austria, 2.4 percent
9. Taiwan, 2.1 percent
10. Poland, 2 percent
10. Japan, 2 percent
12. Germany, 1.8 percent

CATEGORIES : 1spam, 1zombies, 1stats, 1report, 1trends
Rate this post: (Provided by NewsGator)

Gartner warns on Oracle security

Analyst group Gartner has warned administrators to be "more aggressive" when protecting their Oracle applications because they are not getting enough help from the database giant.

Gartner published an advisory on its Web site just days after Oracle's latest quarterly patch cycle, which included a total of 103 fixes with 37 related to flaws in the company's database products. Some of the flaws carry Oracle's most serious rating, which means they're easy to exploit and an attack can have a wide impact.

According to the advisory, which was posted by Gartner analyst Rich Mogull on Monday, "the range and seriousness of the vulnerabilities patched in this update cause us great concern. Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur."

CATEGORIES: 1database, 1vulnerabilities, 1patching, 1trends, 1analyst, 1gartner
Rate this post: (Provided by NewsGator)

Hacker pleads guilty to building, renting attack

A 20-year-old hacker admitted Monday to surreptitiously seizing control of hundreds of thousands of Internet-connected computers, using the zombie network to serve pop-up ads and renting it to people who mounted attacks on Web sites and sent out spam.

Jeanson James Ancheta, of Downey, Calif., pleaded guilty in Los Angeles federal court to four felony charges for crimes, including infecting machines at two U.S. military sites, that earned him more than $61,000, said federal prosecutor James Aquilina.

Under a plea agreement, which still must be approved by a judge, Ancheta faces up to 6 years in prison and must pay the federal government restitution. He also will forfeit his profits and a 1993 BMW. Sentencing is schedule for May 1.

Prosecutors called the case the first to target profits derived from use of "botnets",' large numbers of computers that hackers commandeer and marshal for various nefarious deeds. The "zombie'' machines' owners are unaware that parasitic programs have been installed on them and are being controlled remotely. Botnets are being used increasingly to overwhelm Web sites with streams of data, often by extortionists. They feed off of vulnerabilities in computers that run Microsoft Corp.'s Windows operating system, typically machines whose owners haven't bothered to install security patches.

CATEGORIES : 1zombies, 1botnets, 1spyware, 1patching, 1convictions
Rate this post: (Provided by NewsGator)

Notre Dame University Hacked

Hacker causes Notre Dame's first significant computer security intrusion.

The personal and financial information of some University donors may be at risk after an unknown intruder hacked into a Development Office server Jan. 13 - the first computer security breach of its magnitude at Notre Dame, University officials said Sunday.

The data in question - possibly including Social Security numbers, credit card information and check images from donations made between Nov. 22, 2005 and Jan. 12 - pertains to a "minority" of alumni donors and friends of the University, said Hilary Crnkovich, vice president
of Public Affairs and Communication. She declined to provide a specific estimate of the number of donors affected.

The intrusion was not initiated from an on-campus location, Crnkovich said, but its source is still a mystery.
CATEGORIES : 1hack, 1id theft
Rate this post: (Provided by NewsGator)

Thursday, January 19, 2006

Cartoon : Hacking the Feds

Based on some recent complaints it would seem I have been lax with keeping the cartoons going. Enjoy!

CATEGORIES : 1cartoon
Rate this post: (Provided by NewsGator)

NAC sales soar 1,100%

We have been on the Network Access Control bandwaggon for some time now on this site. Now some heavyweight analysts are "weighing in". Infonetics published some sobering forecasts today. It looks like 2006 is the year that NAC "comes of age", growing from $323M in 2005 to $1.3Bn in 2006.

Worldwide manufacturer revenue for NAC enforcement will grow 1,101%, from $323 million to $3.9 billion between 2005 and 2008, according to Infonetics Research’s latest report "Enforcing Network Access Control". Network access control, or NAC, is considered the holy grail of network security, as it is an intelligent network infrastructure that can identify users, identify and do integrity checks on the computers they are using, and then grant them access to specific locations and/or resources and set policies based on user and machine identity.

There are three main components in most NAC solutions: clients, enforcement, and backend. Infonetics’ report focuses on the enforcement market, including network integrated NAC enforcement devices, NAC enforcement appliances, and SSL VPNs for NAC enforcement. “By far the largest portion of NAC enforcement revenue between now and 2008 comes from network-integrated enforcement devices, but the biggest change is in NAC enforcement appliances, whose share of the market nearly triples between 2005 and 2008,” said Jeff Wilson, principal analyst at Infonetics Research and author of the report.

Three big guns loom large in the burgeoning NAC market: Cisco, Microsoft, and the Trusted Computing Group. The first two are developing their own NAC-like solutions and the third is an independent consortium working on standard implementations for NAC. In addition, there are many companies focused on building NAC solutions, with the NAC enforcement appliance market being a hot area of startup activity.

Report Highlights

  1. Cisco’s NAC solution is the most recognized brand of the three main NAC solutions, followed by Microsoft’s NAP, and then the Trusted Computing Group’s Trusted Network Connect solution in distant third
  2. The NAC enforcement appliances segment will grow dramatically starting in 2006, growing 3,062% between 2005 and 2008, and will be a volatile space over the next three years, with significant consolidation in the market
  3. Network integrated NAC enforcement devices will grow almost a thousand percent between 2005 and 2008, and SSL VPNs for NAC enforcement will grow 798%
  4. The most common type of network integrated NAC enforcement device will be an Ethernet switch that supports 802.1x, and is able to talk to NAC clients and policy servers

RELATED TOPICS : Endpoint integrity architectures start to hot up, Cisco 1st out blocks with integrity architecture, Do you know about the Jericho forum?, First TNC products released, More NAC announcements

CATEGORIES : 1nac, 1endpoint security, 1enforcement, 1trends, 1marketstats, 1report, 1analyst

Rate this post: (Provided by NewsGator)

More Cisco vulnerabilities

In a continuation of last years' trend, and predictions by SANS and the community in general that IOS flaws will become more of a target over time, Cisco warned that new flaws in its Systems software (IOS) for routers and IP telephony could be a conduit for attacks on enterprise networks.

On Wednesday, it released two security alerts along with fixes for Cisco CallManager, which runs internet based phone calling. Two flaws exist in the software: One could allow an attacker to paralyze a Cisco IP telephony installation, the other could allow someone with read-only access to the system to gain full privileges, according to the alerts. The denial-of-service problem in CallManager exists because the software does not manage certain network connections well, leaving it vulnerable to attacks. "This may then lead to phones not responding, phones unregistering from the Cisco CallManager, or Cisco CallManager restarting," according to the company's advisory.

Cisco also patched a vulnerability in its Internetwork Operating System (IOS), which runs the routers and switches that make up much of the plumbing of corporate networks and the Internet. A feature called the Stack Group Bidding Protocol in certain versions of IOS is vulnerable to a remotely-exploitable denial of service condition, according to a company advisory.

CATEGORIES : 1ciscogate, 1ios, 1advisory, 1vulnerabilities
Rate this post: (Provided by NewsGator)

Antiphishing working group report

Phishing attacks reached a new high at the end of 2005 after growing steadily all year, according to a study published Wednesday. The number of unique e-mail-based fraud attacks detected in November 2005 was 16,882, almost double the 8,975 attacks launched in November 2004, said the report, published by the Anti-Phishing Working Group, an industry consortium that provides information on phishing trends.

Phishing e-mails pretend to come from legitimate companies, such as banks and e-commerce sites, and are used by criminals to try and trick Web users into revealing personal information and account details. The number of brands targeted increased by nearly 50 percent over the course of 2005, from 64 to 93 percent in November.

Top brands continue to be hijacked, with phishers using established names to try and lure people to their sites, Websense said. Most phishing sites spoof global e-commerce and banking institutions.

CATEGORIES : 1phishing, 1report
Rate this post: (Provided by NewsGator)

Royal London snoops on staff PC's

Royal London, the mutual life and pension company, has installed new security software to snoop on the computer activity of its 2,900 staff across the UK. Designed by 3ami, the software is being used to enforce “sensible rules relating to the personal use of e-mail and the internet”. Royal London group IT security manager Nick Harwood said, “Although the system will let us, we do not sit and secretly watch what people are doing day-to-day, but we do consider it our responsibility to be able to check, if we need to, how our IT is being used.”

It is also being used as a deterrent against the theft of data files – including their e-mailing to a third party, by copying or printing them or putting them on a CD, floppy or memory stick.
The system is also used to deter staff from sending or handling pornography, illegal images and racist and sexist material.

CATEGORIES : 1policy, 1trends, 1case study, 1user monitoring, 1data theft
Rate this post: (Provided by NewsGator)

Tuesday, January 17, 2006

Sony BMG "rootkit" still widespread

Hundreds of thousands of networks across the globe, including many military and government networks, appear to still contain PCs with the controversial copy-protection software installed by music discs sold by media giant Sony BMG, a security researcher told attendees at the ShmooCon hacking conference this weekend.

Building on previous research that suggested some 570,000 networks had computers affected by the software, infrastructure security expert Dan Kaminsky used a different address used by the copy protection software to estimate that, a month later, 350,000 networks--many belonging to the military and government--contain computers affected by the software.

"It is unquestionable that Sony's code has gotten into military and government networks, and not necessarily just U.S. military and government networks," Kaminsky said in an interview after his presentation at ShmooCon. The researcher would not say how many networks belonged to government or military top-level domains.

RELATED LINKS : SonyGate Landing Page

CATEGORIES : 1sonygate, 1rootkits, 1threats, 1infection
Rate this post: (Provided by NewsGator)

Nuclear Sub hacker arrested

Here's one for the good guys - but I dont know whether to be scared or happy...

MADRID, Spain (CNN) -- An 18-year-old suspected Spanish hacker who allegedly breached the top-secret computer security of a U.S. Navy base in San Diego has been arrested, according to the Spanish Civil Guard.

The alleged hacker "seriously compromised the correct operations and security of a maintenance dry dock for nuclear submarines" a statement said on Monday. The alleged hacker was part of a group that aimed to breach computer security systems connected to the Internet for illegal means, the Civil Guard's statement said, adding that the group allegedly had breached more than a hundred computer systems, causing damages of more than $500,000.

CATEGORIES: 1hack, 1arrest, 1threats
Rate this post: (Provided by NewsGator)

Three more states add laws on data breaches

Companies struggling to keep up with a patchwork of state laws related to data privacy and information security have three more to contend with, as new security-breach notification laws went into effect in Illinois, Louisiana and New Jersey on Jan. 1.

Like existing statutes in more than 20 other states, the new laws prescribe various actions that companies are required to take in the event of a security breach involving the compromise of personal data about their customers.

CATEGORIES: 1law, 1privacy, 1notification
Rate this post: (Provided by NewsGator)

Feds to banks: Put security policies in writing

Even if US federal law doesn't explicitly say so, all companies that handle personal information for their customers should have written security policies, a computer security attorney said.

Last month, the Federal Reserve Board, which governs the U.S. banking industry, issued a new guide stating that all banks and other financial institutions must take certain steps to safeguard the personal data they handle.

CATEGORIES: 1banking, 1legal, 1policies, 1best practices, 1trends
Rate this post: (Provided by NewsGator)

InfoSec Salaries spike

A new study released on the 10th January 2006 confirms that there is indeed a growing market for IS expertise. Alan Paller, director of research at The SANS Institute, a respected IT research and education organization, suggests that people "are waking up to the fact that there’s a shortage of security talent."

The SANS Institute’s 2005 Information Security Salary and Career Advancement study of over 4,250 IS pros finds that compensation for IS jobs is strong and growing. For U.S. IS professionals, the median income, including bonuses, is now $81,558. In Great Britain, it’s $76,389. In Canada, it’s $67,982. In the rest of the world, it’s $51,250.

Paller says his organization has not conducted a salary survey since 2002 because it didn’t want to “pile on” during a time when salaries were under pressure. But he contends salaries in 2005 were significantly higher than three years earlier.

CATEGORIES : 1salaries, 1trends, 1survey
Rate this post: (Provided by NewsGator)

iPod, PSP, Xbox & MacOS in spotlight

Further to various predictions for 2006 and SANS Top-20 reports that threats and attacks will move beyond Microsofts' ubiquitious Windows operating system, we have reports that Cyber-security and computer experts from the government and law enforcement are increasingly concerned with malicious code that runs on Linux and Apple Computer Inc.'s Mac OS X operating systems and threats posed by devices such as iPods, USB sticks, Playstation Portables (PSP's) and Xbox gaming consoles.

Intensive courses on the Mac OS X and Linux operating systems, as well as iPods, were just a few of the offerings at a recent cyber-security conference sponsored by the U.S. Department of Defense. Network administrators and cyber-investigators say they are increasingly being called on to investigate compromises of non-Windows operating systems and to analyze portable devices such as iPods, according to interviews with attendees by eWEEK. The annual Cyber Crime Conference draws top cyber-security talent from the U.S. military, federal agencies, and federal, state and local law enforcement to hone their skills and learn about emerging cyber-security threats.

Innocuous devices such as the iPod Shuffle, a small, portable version of the massively popular MP3 player from Apple, are also an underappreciated threat, as demonstrated at a session called "Hacking with iPods and Forensic Analysis" at the conference. Experts said that they believe alternative computing platforms will come to play a bigger role in cyber-crimes and criminal investigations in the years to come. Devices such as the PlayStation Portable, which has a large hard drive and wireless capability, will become more common and more capable of carrying out or being targeted in online attacks.

Governments, as well as enterprises, worried about losing sensitive data need to institute tough policies that bar devices such as iPods, PSP's and USB sticks from their networks. However, technology to enforce those policies, often referred to as endpoint security tools, is still not widely used, they acknowledged.

You know you're at an inflection point when IT Security interects with cultural phenomenons such as the iPod, PSP and Xbox. An wait...the Playstation 3 console will be no different...

CATEGORIES : 1trends, 1endpoint security, 1mobility, 1threats, 1conference
Rate this post: (Provided by NewsGator)

Monday, January 16, 2006

Top 5 vulnerability management mistakes

Excellent article on the top five vulnerability management mistakes. This article looks at common mistakes that organizations make on the path to achieving vulnerability management perfection, both in process and technology areas.

No. 1: Scanning but failing to act
No. 2. Thinking that patching is the same as vulnerability management
No. 3. Believing that vulnerability management is only a technical problem
No. 4. Assessing a vulnerability without looking at the whole picture
No. 5: Being unprepared for the unknown -- "zero-day exploits"

RELATED TOPICS : Top security mikstakes to avoid

CATEGORIES : 1vulnerability management, 1best practices, 1advice, 1mistakes
Rate this post: (Provided by NewsGator)

Bank tape lost with data on 90,000 customers

It would seem there is no end to these "Lost in transit tape" makes you wonder how much this was going on before the new disclosure laws came into effect.

A computer tape from a Connecticut bank containing personal data on 90,000 customers was lost in transit recently, the bank reported Wednesday. People's Bank, based in Bridgeport, Conn., is sending letters to the affected customers, it said in a press release. The tape contains information such as names, addresses, Social Security numbers and checking account numbers. It was bound for the TransUnion credit reporting bureau, based in Woodlyn, Pa., via UPS, the release said.

CATEGORIES : 1lost tapes, 1id theft, 1disclosure, 1encryption
Rate this post: (Provided by NewsGator)

IDs of 50,000 Bahamas resort guests stolen

The identities of more than 50,000 customers of major Bahamas resort Atlantis have been exposed to possible identity fraud following the theft of personal information from the hotel, the owners said. Kerzner International Ltd., owner of the luxury 2,300-room Atlantis resort on Paradise Island, revealed details of the data theft in a document filed with the Bahamas Securities and Exchange Commission .

Information stolen included names, addresses, credit card details, social security numbers, drivers license numbers and bank account data, the filing said. The information appears to have gone missing from the hotel‘s computer database and was the work of either an insider or outside hacker.

The Atlantis hotel management is notifying affected customers in writing so they can take steps to protect themselves from possible identify fraud. The hotel is also providing, at no cost to customers, a credit monitoring service for a year.

CATEGORIES : 1id theft, 1hack, 1disclosure
Rate this post: (Provided by NewsGator)

Security Predictions 2006 Landing Page

As we start the year, 2006 security predicitions start emerging and these stories are currently the most sought after on this blog. So we have created a landing page to all these 2006 predictions for ease of reference:

Dimension Data Predictions for 2006 from CSO Online
ComputerWorld security predictions 2006
Red Herring Top trends for 2006
Survivors guide to 2006

Categories : 1landing page, 1predictions
Rate this post: (Provided by NewsGator)

Predictions for 2006

Dimension Data North America have posted their security predictions for 2006 in the January issue of CSO Online. Click here for the full text.

1. More damages, fewer epidemics
2. Accelerated legislation, some litigation
3. Points of attack move beyond Microsoft
4. Mobile phone, PDA and smartphone concerns
5. Spyware becomes business issue
6. IM and P2P becomes a big headache
7. Data protection energized as publicized data breaches in the United States intensify
8. Messaging security gets serious
9. Security Convergence will accelerate

CATEGORIES : 1predictions, 1trends, 1futures,1threats
Rate this post: (Provided by NewsGator)

Wednesday, January 04, 2006

WMF Patch Fiasco

I have been observing the steady climb of the Windows Media File (WMF) vulnerability with some interest. Whilst the intention of this site is not to report on vulnerabilities, merely their effects, there is a lesson to be learnt in this episode.

The problem is in the way various versions of Windows handle graphics in the Windows Metafile format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code. The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability. Microsoft published its first security advisory on Dec. 28, saying it had received notification of the problem on Dec. 27 . Security researchers first spotted malicious Web sites using the exploit on Dec. 27, but those sites may have been doing so as early as Dec. 14, they said.

Infections started rising and the noise on this topic rapidly escalated and eventually reached fever pitch today with many security researchers urging Windows users to rush to install an unofficial patch. But today Microsoft announced that it wants customers to wait another week for its official security update on January 10th. This is bound to confuse customers.

Regardless of who is right, the important trends I wish to highlight is that :

1. Vulnerabilities will continue to surface,
2. Many times this will happen before Microsoft knows about them
2. Exploits will continue to circulate very shortly (days) thereafter,
3. Infections will rapidly rise and finally
4. The "window of vulnerability" as demonstrated by this case, is 7-10 days

The bottom line is that you can't singly rely on Microsoft or patching to protect you anymore as they are now 7-10 days behind the hackers. It will be interesting to see if "unofficial patching" emerges as a trend in 2006. It certainly is performed by virtual patching devices on the network already but it would seem the trend may move to the desktops as well.

CATEGORIES : 1patching, 1endpoint security
Rate this post: (Provided by NewsGator)

Symantec aquires IMLogic

Security company Symantec leaped into the nascent market for protecting instant messaging systems on Tuesday, announcing that it has agreed to acquire IMlogic, one of the sector's top players. Financial terms were not released. But Carlin Wiegner, a senior director of Web security at Symantec, said in an interview with CNET that the Cupertino, Calif.-based company has agreed to pay all cash for 100-employee IMlogic, and expects the deal to close later this quarter.

IMlogic, headquartered in Boston, sells the IM Manager software, which promises to safeguard public and corporate IM networks while providing companies with a means to monitor and archive IM traffic. Security companies have largely focused on protecting e-mail servers up to now, but they're starting to turn their attention to instant messaging as it grows in popularity.

This is a very logical buy and frankly I am surprised IMLogic and FaceTime have not been snapped up sooner. This will undoubtably put pressure on FaceTime now, IMLogics' biggest competitor. IM security will become as important as messaging security and we have been discussing the looming IM issues quite often on this site.

RELATED TOPICS : IM Security in a mess, IM marches on relentlessely, Worms take aim at IM and P2P

CATEGORIES : 1IM, 1aquisitions
Rate this post: (Provided by NewsGator)

Tuesday, January 03, 2006

Top stories for December 2005

Rate this post: (Provided by NewsGator)

Sony settles lawsuits

Embattled music label Sony BMG Music Entertainment has agreed to settle consumer complaints about its controversial attempt to copy-protect CDs.

Under terms of a settlement consolidating several lawsuits, Sony will give consumers who purchased an estimated 10 million CDs a combination of cash, replacement music and free downloads.

The settlement, which must be approved by a New York court, consolidates most of the lawsuits related to "SonyGate". A handful are still outstanding, including a lawsuit by Texas' attorney general.

CATEGORIES : 1spyware, 1sonygate, 1idtheft
Rate this post: (Provided by NewsGator)

Computerworld security predictions 2006

It's that time of the year...some more from the 2006 security predictions department from ComputerWorld:

1. Regulations: The Big Stick
Compliance will dominate the security agenda for 2006. The growing number of regulations -- and the consequences of not complying with them -- have elevated security into the boardroom. CIOs will use compliance to justify most of their information security spending this year -- even for technologies IT would have implemented anyway.

2. Goodbye Worms. Hello Trojans, Rootkits and Targeted Attacks.
Enterprises will keep getting better at dealing with e-mail-borne worms and viruses, and unless hackers come up with a fiendishly new way of delivering them, 2006 could well see the end of the mass-mailing worm phenomenon. But Trojan horses, rootkits, spyware programs, phishing and targeted attacks will continue to pose big challenges.

3. Patch and Pray No More
Hackers often take advantage of new software flaws faster than companies can apply patches. This year, the goal will be to prioritize patching based on asset value and specific threats rather than the more generalized patching processes currently in place. But the asset and data classification needed to enable such a patching process will be a major challenge.

4. Securing the Data
Most security efforts have traditionally focused on securing the perimeter and the network using tools such as firewalls, antivirus software and intrusion-detection systems. This year, expect to see more attention devoted to securing the data residing in storage networks, databases, servers and desktops. Why? Because hackers and insiders have started going after the data and because traditional network perimeters have begun fading away as companies tie their networks with those of partners, suppliers and customers.

5. Locking Down the Network Endpoints
One of the biggest threats to corporate security comes from insecure network endpoint devices such as desktops, notebooks and other client systems belonging to remote and mobile workers, contractors, partners and consultants. As a result, expect to see a lot -- and I really mean a lot -- of focus on tools that can permit, restrict or deny admission to corporate networks based on the security status of the end users' systems. The 800-pound gorillas move in Microsoft Corp. and Cisco Systems Inc. will expand their influence in the security market. But pure-play security vendors that offer more innovative, and enterprise-tested, products will continue to appeal to corporate customers.

6. CISOs get some R.E.S.P.E.C.T.
Information security may have become a boardroom issue, but most security executives remain anonymous Joe Somebodies when it comes to recognition at the C levels of their companies. I've lost count of the chief information security officers who have lamented their remarkable lack of visibility within their organizations -- including one CISO who was never consulted by his CIO or CEO even after his firm suffered massive negative publicity following a major data compromise. But growing awareness of the potential reputational damage, financial losses and legal problems that a data breach can cause could improve the CISO's status in 2006.

CATEGORIES : 1forecast, 1trends
Rate this post: (Provided by NewsGator)

Marriot loses customer data

The hotel chain Marriott admitted on Tuesday that backup computer tapes containing data on approximately 206,000 customers were missing from a company office in Florida. The data, which relates to customers of its timeshare division, Marriott Vacation Club International (MVCI), included personal information such as the credit card details, social security numbers and, in a few cases, the bank details of customers.

The company said it has contacted the affected customers and is offering to enroll them free-of-charge in a credit monitoring service, so that customers can discover if there is any irregular activity on their account.

CATEGORIES : 1breach, 1idtheft
Rate this post: (Provided by NewsGator)