Brockmann and Company researches the business user experience. We write about what IT decision makers are planning and doing. We write about the business impact of communications technologies.
Security
Communications services were uniformly designed assuming positive human-to-human interactions. No inventor anticipated the nefarious activities that have evolved as threats to order and civilization as we know it. Here are security stories and experiences.

13 Jul 2009
Identity Thieves Masquerade as Job Sites
Written by Peter Brockmann   

The creation of job posting websites like monster.com, hotjobs.com, careerbuilder.com or even dice.com has really made the marketplace of employers finding employees and employees finding employers an automated, fast and high quality process. Of course, finding 300 resumes in a week is easy. Finding the 5 resumes of the people that you really intend to interview is another story.

The visitor's familiarity with job sites and knowing that they can lead to interviews and hopefully a job or a better job makes them vulnerable, and makes the thief's job easier.

A story in BusinessWeek highlights the risk of 'how much information' you should give to a jobs website. In the story, identity thieves are asking for your social security number, driver's license number, mailing address and birthdate details - even before you start the search, let alone start the job.

My recommendation? Never divulge birthdate information except to family, and never, ever, ever give your SSN to a website.
 
11 Jul 2009
Identity Theft Getting Easier
Written by Peter Brockmann   

Identity theft is a $50 billion problem, and the habits of citizens can sometimes make them targets for identity theft. A recent article highlighting that the very sensitive Social Security Number is crackable, that is, predictable at an increasing rate, made me reflect on my own habits and practices and put me in a sharing mood.

The algorithm developed by computer scientists at Carnegie Mellon University was able to correctly predict the SSN for Americans born after 1988 for 8.5% of targets in less than 1,000 attempts. That's an alarming prospect involving trivial computational resources.

Of course victims don't deserve to have their identities stolen. But their online activities do impact their ability to be safe.

For example, the other day a social networking site that I was contemplating joining asked me to provide my birthdate information. I ignored the request and was told it was mandatory. Too bad and I left.

Facebook allows users to post their birthdates for friends to see. Of course, we all love getting attention on our birthdays, but since it is a big site and acts as a big target for hackers, getting that database of birthday information is worth a great deal of effort.

A friend in New Jersey signed up to a birthday registration site and asked me to do the same so both he and I could exchange automated email birthday wishes in some kind of grand calendar. I refused. Even though I like to get birthday greetings (my half-life is coming due soon) like anybody else, I don't like to share it online because I am concerned about the risk of theft and abuse. Surely if the nation's largest retailers are routinely hacked for credit card information, a crummy birthdate calendaring site is not only a softer target but they're not likely to do anything about it when they discover the hack... and neither are the victims.

So what can you do if you know where someone lives and their birthdate?

With the rise in phishing attacks masquerading as banking sites, eBay or PayPal sites, users can be duped into providing other sensitive personal information like mother's maiden names. Each disclosure takes down one more layer in the wall of security around any one person, like the brick game, shown here for Pocket PC.

So, if someone can predict your SSN, and someone else can find your birthday, and someone else can find out your address.... Isn't that a recipe for disaster?

Solution:

Stop the gathering, publishing and promoting of birthdates online. Keep this a personal, human-to-human thing.

Create a service that discovers and reports what the web knows about you. I like the idea of reports that are more personal than the web reputation services I've seen for brand reputation management services. The downside, of course, is that you can find out information about people who aren't you. Could be useful in tracking down deadbeat dads that owe child support payments.

 
30 Jun 2009
NCP Introduces Server to USA
Written by Peter Brockmann   

Some folks think that recessions are exactly the wrong time to introduce new products. Sadly, these industry laggards miss out on the great advantage that recessionary times bring to vendors. Fortunately, NCP and Brockmann & Company (and many others I'm sure) believe that recessionary times are EXACTLY the right time to introduce new products.

That's because:

  • Prices for marketing services such as advertising, PR agency fees, consulting and contracting are lower. These service providers' sales teams are working to keep production to capacity and will do deals to at least cover costs, if that means a new client or saved client.
  • Editors of websites and trade magazines are tired of the bad news because the readers are tired of bad news. They are looking to write/talk about people and organizations that are in it for the long haul and have something positive to say.
  • Analysts and opinion leaders are keen to explore potentially hot new areas, and so have the time open on their calendars to listen and write about new product introductions.
  • Customers have time to discover and learn about new and interesting products and services that solve real business problems.

NCP, the German VPN security company, plans to introduce the NCP Secure Enterprise Server and the NCP Secure Enterprise Management System to the US market. Until now, only the client has been available for download, sale and support from NCP. For the first time, users can purchase licenses to the server that terminates the IPSec and SSL clients through a newly forming network of NCP authorized security resellers.

Secure Enterprise Server

The software is designed to terminate both IPSec and SSL sessions at large scale, providing a monitoring window and control point for any VPN connection to the enterprise network. This way, the same security policies can be applied regardless of access methodology. The recommended hardware and software configuration (NCP software is integrated onto a hardware platform by the reseller) can support a high availability load balancing service for SSL session integrity and quality. The architecture is scalable to as many as 10,000 concurrent SSL sessions.

The server supports termination of iPhone VPN clients including PPTP, L2TP and Cisco IPSec. And for Windows shops, the software can be loaded onto Windows Server 2008 (32 or 64-bit servers) or Linux. (The client already supports Symbian OS).

The server can also provide a VPN-oriented Network Access Control to confirm policy settings (presence of updates and patches) and initiate remediation services to 'clean up' poorly managed devices BEFORE they attach to the enterprise network.

Secure Enterprise Management System

Once an enterprise gets to about 100 or so clients, the time and cost of effective management of the VPN communications system overwhelms the general deployments. At that level, enterprises need professional tools to manage the automated deployment of software, the management of updates and surveillance of the sessions.

The management system acts as the central point of control for administration, configuration and operation and can be integrated with LDAP or Active Directory services for Identity and Access Management controls such as password authentication, or other methods or policy services. Activity logs record what VPN-attached users did while connected, providing an effective central audit trail in the event of suspicious activities, and software version control features assure that plugin updates and configuration settings can be delivered over the LAN without necessarily engaging in a VPN connection.

The SEMS can also pass information up into higher level enterprise management applications.

I'm confident that NCP will discover that a recession is precisely the right time to expand their footprint in the US and introduce the server and management software products. The power of their careful approach to the market - downloadable clients first and then servers with plenty of reseller value-add to be enabled - will certainly attract clever security resellers who appreciate quality product and focused market entry. Besides, NCP knows many client users that are looking for more sophisticated and complementary server solutions that can support their environments and security requirements for an array of remote and mobile device implementations.

 

 
23 Feb 2009
Lawful Intercept Focuses on Skype
Written by Peter Brockmann   

In a nod towards lawful EU intercept of Skype calls, Skype earns endorsement from an Italian drug dealer. The Luxembourg division of eBay has until now refused to unlock the encryption of Skype calls, prompting a more concentrated effort by EU law enforcement and regulatory bodies.

I tried to find out if Skype conforms to CALEA, the US requirements for lawful intercept, but good ol' Google let me down.

 
11 Feb 2009
NCP Does Windows 7 (beta)
Written by Peter Brockmann   

Windows 7 beta promises to deliver substantial user experience improvements over the global whipping boy of OS releases: Vista. According to Microsoft, the key improvements in Windows 7 include an improved task bar (at the bottom of the screen) that is easier to use, a jump list of the most recently and most frequently used documents, window-manipulation features to increase the scale of folder or application windows, IE 8, Windows Live Essentials which incorporates many Live services - messenger, photos, mail, word processing, movie making - support for touch screens and networking with other Windows 7 PCs in the home.

My impressions of the new OS are that Windows 7 will also improve the performance and responsiveness of the OS in everyday applications - shutdown, hibernate, power usage, reboot, open file for example, which were the big issues for many users.

NCP, the German VPN specialist, has been working with Windows 7 and introduced their own beta client in early January 2009. According to Simon Ford, Director of Sales, the software works and will be ready to go GA whenever Microsoft makes Windows 7 generally available. Of course, in security applications there really isn't a beta option, so this designation is purely to align with Microsoft release vectors, justify the free download option and to reserve the right to make last minute changes to the commercial release.

GA for Windows 7 is expected "forthcoming", according to Microsoft's Engineering Blog. The release is thought to be the anti-Vista storyline, with an uncharacteristic non-launch and therefore non-disappointment to paraphrase Alexander Wolfe of Information Week. It is entirely likely that this release will happen sooner than later to restart the revenue growth that Microsoft has been accustomed to over the past many years, and to restore the shine on the brand somewhat tarnished by the gap between expectations and delivery that was the disappointment caused by Vista. 

In our briefing, Simon mentioned that their 64-bit client for Notebooks has been well received since Cisco and other security vendors have not (yet) delivered product, which gave me pause to consider the natural trend to smaller and more mobile devices in the enterprise. Of course, NCP offers a unified VPN implementation including security management services where the Enterprise Secure Gateway supports:

  • NCP clients running on laptops of various Windows versions
  • clients from leading VPN vendors
  • unique NCP-developed clients for devices like 64-bit netbooks
  • unique NCP-developed clients for Symbian mobile devices
  • unique NCP-developed clients for Windows Mobile devices
  • support for Apple's iPhone VPN client

NCP does not support BlackBerry or Google Android. BlackBerry enables only Java applets, which sufficiently neuters the VPN client application to render it unsatisfactory. Customers would have to support their BlackBerry users with the BlackBerry Enterprise Server and its data application support features. For many users this model is unsatisfactory since all traffic, though encrypted, traverses one of the regional RIM data centers in Waterloo Canada, Plano Texas, London UK or Australia (I think), which may disqualify BlackBerry in many enterprises.

Android is not yet suited or marketed for business applications. As I understand it, there is no 'corporate email' client on T-Mobile's G1, yet. 

We also discussed the mobile phone clients and how mobile phones are taking on more and more of the functions previously reserved for laptops. The NCP solution set is particularly useful in a wide range of enterprise applications where security of communications must be device or brand independent. The new NCP client for Windows 7 promises to maintain and strengthen that powerful positioning.

On a related note, NCP also announced release 9.1 of the Secure Entry client which now offers support for Wireless Service Provider Roaming (WISPr). This feature supports auto-login by the client without engaging a browser. NCP users can establish a VPN connection at a WISPr-supported WiFi hotspot with only one click, improving productivity of busy mobile professionals.

 
18 Jun 2008
NCP Delivers Consistent Remote Access Client
Written by Peter Brockmann   

When I think of German software companies, I think of SAP, but not many more.

Well, last week, a second German software company gave me a solid reason to consider them in that same breath. It's not the size of the enterprise, but the dedication to excellence in one specialty domain that adds NCP to that short list of German software companies (that I know).

Founded in 1986 and today employing 44 engineers and sales professionals, the company offers remote access clients in support of IPSec and/or SSL VPN, and a centralized management system that adds tremendous scalability to the enforcement of corporate policies, assuring compliance, up-to-date software and appropriate audit trails that large enterprises require.

 
12 May 2008
Interop: Norman Sandbox Stops Young Malware
Written by Peter Brockmann   

For organizations that care to characterize and study the evolution of malware, Norman, the Norwegian anti-virus, anti-spyware and firewall company, offers the Norman Sandbox, a virtual environment that allows viruses and malware to reveal their actions without threat to live systems and data. Of course, the technology works for organizations that worry about catching viruses before they become widespread, when everybody has the cure figured out. That's the zero-hour requirement.

The core idea of the Sandbox is that the application studies and blocks nasty behaviors rather than matching the signature of files. It does this through an emulated or virtual replica of the host system. It fools the malware into recognizing the virtual environment as a real environment, which renders the threat harmless.

Arvid Gomez, the company's OEM and Technology sales VP based in San Ramon CA, said that the sandbox provides protection against the dynamic signature virus or the zero-hour type malware before AV publishers can model the signature. This zero-hour type characterization is a great complement to remediation or even signature-based solutions to cover users for the short, but highly vulnerable window between release of the malware and publishing of the signature.

A behavior model is a very powerful idea since most damage occurs as a result of unintended or unapproved system actions. It also depends less on global updates of PC clients to account for the latest malware signatures.

Norman trades publicly on the Oslo Stock Exchange, has 200 employees and $60 million in 2007 revenues. The role of Arvid from his office in San Ramon is to focus on OEMing this and other security capabilities into solutions by other vendors.

 