The most recent articles from IT Week

Government sows seeds for new ID systems

Dave Bailey — 2008-08-07T17:49:00.000Z

Dave Bailey, IT Week, Thursday 7 August 2008 at 17:49:00

Government to invest £5m into identity systems research

The UK government is to invest £5.5 million in developing the next generation of secure identity management systems.

The investment, led by the Technology Strategy Board, Engineering and Physical Sciences Research Council (EPSRC) and Economic and Social Research Council (ESRC), will create three new research projects, called EnCoRe, VOME and Privacy Value Networks.

The projects will be collaborations between business, academia and the public sector and will aim to ensure that the next generation of identity management systems strike appropriate balances with privacy concerns, the Technology Strategy Board said.

“In order to prepare UK businesses for competition in this global market, practical and cost effective solutions need to be developed which inspire public confidence by improving privacy and enabling consent as an integral part of future procurements," said Iain Gray, chief executive of the Technology Strategy Board.

Project EnCoRe will focus on providing more rigorous means for individuals to grant and revoke consent for the use, storage and sharing of personal data.

VOME will give a clearer hardware and software requirement for end users’ ideas and concepts regarding privacy and consent.

The final project, Privacy Value Networks (pvnets), aims to generate, a detailed understanding of individuals’ and organisations’ conceptions of privacy and identity.

EPSRC chief executive Professor David Delpy said that the new research had a unique approach, "looking at both the technological advances that need to be made alongside the social considerations and implications. The long term aim is to ensure a good balance between freedom and security for everyone.”

Microsoft opens up to security vendors

Rosalie Marshall — 2008-08-06T10:46:00.000Z

Rosalie Marshall, IT Week, Wednesday 6 August 2008 at 10:46:00

Microsoft launches Active Protection Programme and an Explotability Index

Microsoft has confirmed it will give security vendors advance notice of vulnerabilities that it intends to address in its monthly patches, in order to provide users with better safeguards.

Microsoft's Active Protection programme will reduce the chances of cyber criminals outpacing the security professionals, said George Stathakopoulos, Microsoft general manager of security engineering and communications,

It will also issue a new Exploitability Index, which will provide customers with early information on the likelihood of exploit code being developed.

Previously security professionals had to wait for Microsoft’s monthly security update process to address vulnerabilities.

“As security threats become more sophisticated, the global security community must combine its resources and work together to provide maximum security protections to worldwide internet users,” said Stathakopoulos in a statement.

Secure Computing launches new reporting tool

Phil Muncaster — 2008-08-05T00:15:00.000Z

Phil Muncaster, IT Week, Tuesday 5 August 2008 at 00:15:00

SC releases new product to help firms improve their security and compliance efforts

Enterprise gateway security firm Secure Computing boosted its reporting capabilities today with the launch of a new tool to help firms gain greater insight into their web traffic and improve security, compliance and performance.

Secure Web Reporter is comprised of the firm's SmartReporter and Content Reporter tools and enables administrators to view enterprise data, such as web surfing and downloading activity and amount of malware blocked, in real-time.

With this information, firms can then change security policies and investigate potential problems, according to Secure's Mike Smart.

"There's been a massive surge in threats targeted at the web," he said. "A lot of people are struggling to make sense of it – but this tool helps you to do this."

The Premium version of the product also features distributed reporting functionality to help spread the reporting burden throughout an organisation, and the ability to produce highly configured reports, said Smart.

In related news security vendor Kaspersky Lab has expanded its hosted offering to include web and instant messaging security.

Kaspersky Hosted Security Services previously contained just anti-spam and anti-virus capabilities.

McAfee boosts data loss toolkit

Phil Muncaster — 2008-08-01T15:04:00.000Z

Phil Muncaster, IT Week, Friday 1 August 2008 at 15:04:00

McAfee prepares £23 million deal for DLP vendor Reconnex

Web security firm McAfee has sought to expand its outbound security capabilities with the acquisition of data loss prevention (DLP) vendor Reconnex.

The proposed £23 million cash deal will give McAfee technology which can proactively identify which information in an organisation should be kept confidential and who should have access to it.

The deal follows the purchase of DLP firm Onigma by McAfee last year, and comes after a flurry of recent acquisitions in the space by rivals Symantec and Trend Micro.

“The growing number of high-profile incidents in which customer records, confidential information and intellectual property were leaked, lost or stolen has created an explosive demand for [DLP] solutions,” said IDC analyst Brian Burke, in a statement. “This acquisition creates a great opportunity for McAfee to fulfill a critical need in this space.

IDC predicts the market for these types of solutions, which it has termed information protection and control (IPC) to grow by 33 per cent a year to $1.6 billion in 2011.

Hackers continue to target "safe" sites

Phil Muncaster — 2008-07-30T12:15:00.000Z

Phil Muncaster, IT Week, Wednesday 30 July 2008 at 12:15:00

New research points to growth in web site hacks and browser plug-in exploits

Web threats continue to dominate the security landscape, according to two new studies released this week.

Web and messaging security provider Websense reported that in the first half of 2008, 60 of the 100 most popular web sites either hosted malicious content or redirected users to malicious sites.

Hackers are targeting these sites, many of which are social networking sites, because of their large user base, good reputation and use of user-generated content, which makes it easier to upload malicious code, said Websense.

"There is an element of trust in the Web 2.0 world that the web sites we frequent every day are safe, but attackers are taking advantage of the 'good reputations' of web sites to launch attacks," said Websense chief technology officer Dan Hubbard in a statement.

In related news, IBM's X-Force threat report has found that hackers are focusing their efforts on vulnerabilities in browser plug-ins. According to the new report, in the first half of this year, 78 per cent of web browser exploits were targeted at this area.

The research also argued that new automation techniques mean hackers can exploit vulnerabilities more quickly than ever before, often before an effective patch has been written.

"The two major themes in the first half of 2008 were acceleration and proliferation," said X-Force operations manager Kris Lamb. "Without a unified process for disclosing vulnerabilities, the research industry runs the risk of actually fueling online criminal activity."

Fortify warns open source is insecure

Dave Bailey — 2008-07-21T17:10:00.000Z

Dave Bailey, IT Week, Monday 21 July 2008 at 17:10:00

Business users warned to approach open source with "great caution"

Business leaders have been warned by security firm Fortify Software that increased use of open source software within the enterprise should be approached with "great caution".

In a new report, entitled "Open Source Security Study : How Are Open Source Development Communities Embracing Security Best Practices?" Fortify warned that IT chiefs should be extra vigilant when deploying open source software.

"Government and commercial organisations… should use open source applications with great caution," the report concluded.

All software development carries the risk of vulnerabilities in the code, the report noted, but the open source community trails in-house development and commercial rivals when it comes to developing enterprise-class security support, it suggested.

"Today’s enterprises are built and operated by software that comes from a variety of sources - but as we’re seeing more often, can be based on open source," said Roger Thornton, chief technology officer at Fortify.

Fortify based its analysis on a study carried out by application security consultant Larry Suto, in conjunction with Fortify's Security Research Group. Eleven open source Java applications were examined, using Source Code Analysis (the static analyser module in Fortify's recently released Fortify 360 package), including the Geronimo, JBoss and Tomcat application servers, the Struts web application framework and the OpenCMS content management solution.

These applications were then evaluated for the sophistication of their security support, including documentation and availability of support.

Fortifuy concluded that many open source applications provide inadequate access to security expertise, do not adopt a sufficiently rigorous approach to security in the development process, and do not use state-of-the-art tools to test application security.

A cloud of suspicion hangs over online security

Tim Anderson — 2008-07-18T15:17:00.000Z

Tim Anderson, IT Week, Friday 18 July 2008 at 15:17:00

Online services need stronger security if business users are to entrust their critical data to the cloud

There’s a lot of hype about IT services living “in the cloud” these days. But is this approach to computing safe? If the recent experience of one software developer is anything to go by, then potential customers ought to have second thoughts.

Marko Karppinen, who uses Apple’s .Mac online services, got a shock when he tried to log into his Apple Developer Connection account (see his blog here). He found that the password and the email address associated with his account had been changed. Apparently, someone other than himself contacted Apple’s Developer Relations unit claiming to have forgotten the password, and Apple responded by changing both the email and password without any further checks - effectively handing over the account to the hacker.

No doubt this was an isolated incident, but it is one that highlights several security issues. First, it underlines the drawbacks of single sign-on. Apple is one of several IT giants offering a suite of services linked to a single user account. What Karppinen lost, as he noted in an indignant email, was not just his developer account, but files stored in the iDisk remote storage services, an iTunes account, personal email, and more. Single sign-on is convenient, but increases the risk to you, and the value to criminals, if that flimsy username and password combination is discovered.

Apple has just launched its MobileMe service, a revamped version of .Mac that synchronises email, contacts, calendar and files to the web, and to all your devices. The service looks compelling, but the more usage grows, the more likely it is that stolen password incidents will come to rival stolen laptop incidents for putting confidential data at risk.

Second, Apple’s identity management is weak even disregarding Karppinen’s story. It has an automated forgotten password service that lets you reset your password either through an email sent to the registered email address, or by answering a secret question that you specified when signing up.

Password reset via email is common, but desperately vulnerable. Emails generally travel through the internet unencrypted, so there is risk of interception. Further, once it arrives at its destination server, its security is dependent on the ISP running that server. Finally, the user may read that email through unencrypted POP3 collection, or in plain text on a web email service. If you put this together with the popularity of public Wi-Fi services, it is clear that resetting or reminding users of passwords via email is no security at all.

The secret question idea is no better. Users are often encouraged to use semi-public information, such as their mother’s maiden name. Apple makes you state your date of birth as well, but that is no better.

The difficulty for businesses is that services like Apple’s MobileMe, Microsoft’s Live SkyDrive or Google Docs are effectively unmanageable. But at the same time they are so useful that they gradually cross over from personal to business use, while staff may not realise that data stored online is just as vulnerable as it is on laptops or USB storage devices.

Security practices in some parts of the industry are astonishingly immature. We are long past the time when no passwords should be sent in the clear, yet the FTP protocol, for example, still does exactly that. Data stored online can and should be more secure than it is when stored locally. The technology is there, but it is frustrating to see stronger authentication schemes like Microsoft’s CardSpace languishing with little use even by Microsoft itself.

In 2008 you would have thought it would be easy to send a sensitive email signed and encrypted, but it is not. Password reset can be done securely too, by doing what banks do and sending a real letter to a physical address. Apple, please take note.

Lords renew calls for security action

Phil Muncaster — 2008-07-18T12:20:00.000Z

Phil Muncaster, IT Week, Friday 18 July 2008 at 12:20:00

The Upper House is refusing to lie down in its fight to protect personal data

The House of Lords Science and Technology Committee released its long-awaited follow-up report to its 2007 document on personal internet security earlier this month. But although government attitudes to some of the issues have softened, there appears to still be a long way to go before any of the recommendations are acted on.

“We acknowledge that, following the government’s disappointing response to our report, they have reflected further and, with regard to some of the issues we raised, there has been some progress towards meeting our concerns,” the report concluded. “What progress there is, however, appears to be slow.”

The main recommendations in the follow-up report are:

The introduction of a data breach notification law.

A return to old fraud reporting laws whereby the first point of contact is the police, not the banks.

New laws to place liability for losses through online fraud on the banks.

The Lords maintained that current Banking Code rules are not sufficient as they allow the banks to claim that customers have been negligent in fraud cases.

“We have significant concerns about the way in which complaints of online banking fraud are currently handled and, in particular, the basis on which the banks determine that an alleged fraud is to be attributed to the customer, whether by fraudulent or negligent activity,” said the report.

The committee was given evidence suggesting between 1,000 and 10,000 individuals have been denied compensation.

On the issue of fraud reporting, the report is critical of the government for doing little to address concerns about the current system, whereby fraud victims must report to their banks in the first instance, rather than the police. “We were concerned about reporting fraud in this sequence on the grounds that the decision of the banks to pass a report to the police might be influenced by commercial factors,” said the report.

Committee member Lord Broers argued that it was “encouraging that the government has come round slightly in this issue” by saying it will look at the problem again.

But others argued that police are currently ill-equipped to deal with handling fraud cases. Simon Heron, managing director of network security vendor Network Box, said that law enforcement suffers from a lack of funding and is not interested in small incidents of online fraud.

“If they come across a multimillion pound internet fraud case then they can push it up to the Serious Organised Crime Agency, but my impression is that the small and damaging incidents are not under control,” he said. “Internet crime is just not taken seriously, the people making the decisions are not aware of the commercial ramifications a lack of confidence in the internet could cause.”

The Lords also renewed calls for US-style data breach notification legislation to

be enacted in the UK.

Richard Turner, chief executive of content security vendor Clearswift, said that firms that clearly communicate to their customers what information they gather and store, and what will happen in the event of a breach, could use that as a competitive differentiator.

“Without this legislation there won’t be the constant driver for the responsible and safe management and collection of information,” he added. “As a custodian of someone’s information, you have an absolute obligation to tell that person as soon as you find out.”

Cloudmark warns on new spammer techniques

David Neal — 2008-07-16T12:52:00.000Z

David Neal, IT Week, Wednesday 16 July 2008 at 12:52:00

Spammers are more prolific, and more inventive than ever before, warns messaging firm

According to messaging and security firm Cloudmark spammers are using increasingly inventive ways to circumvent email systems and find their way into inboxes.

The firm said today that spam is now accounting for over 85 per cent of all email traffic in the UK, and that much of this is due to the inventiveness of the senders. The attacks, Cloudmark said, take a variety of forms, but most involve the manipulation of text, images, or URLs.

“As spam filters get smarter and more accurate, we are seeing spammers get craftier in their attacks. The over-the-top and in some cases, almost amusing, lengths spammers are taking in their attempts to bypass spam filters really showcase their desperation” said Neil Cook, vice president, technology services at Cloudmark.

Examples offered by the firm include spammers disguising their campaigns as images, or using repeated small text to spell out one larger word.

Gartner predicts great things for security-as-a-service

Phil Muncaster — 2008-07-16T08:30:00.000Z

Phil Muncaster, IT Week, Wednesday 16 July 2008 at 08:30:00

Analyst firm says cloud-based security services will rocket in popularity over next five years

Use of some cloud-based security services could more than triple in the next five years, as the delivery model edges towards widespread acceptance, according to analyst Gartner.

A new report released today by the firm, Cloud-Based Computing Will Enable New Security Services and Endanger Old Ones, predicted that while 20 per cent of the revenue of messaging security tools currently comes from the software-as-a-service model, this will grow to 60 per cent by 2013.

It also argued that the increasing popularity of on-demand enterprise applications such as those provided by Salesforce.com will force security teams to put controls between mobile workers and these cloud based services.

Firms should look at security as a service as a delivery option where it enables them to perform existing security processes more efficiently (less staffing, lower cost) or more effectively," argued Gartner analyst John Pescatore.

However he added that some security areas, "such as where very sensitive internal data and applications require security" will not fit this model

Tim Best, director of enterprise security solutions at consultancy Logica, argued that firms can make their money go further with "security-as-a-service".

"However before such a decision is made, a security risk assessment should always be conducted," he cautioned. "Always check the supplier's credentials and where the service is operated from, and check what external assessment the supplier has been subject to."

DPA hits 10-year milestone

Dave Bailey & Gareth Morgan — 2008-07-16T00:00:00.000Z

Dave Bailey & Gareth Morgan, IT Week, Wednesday 16 July 2008 at 00:00:00

Are the 10-year-old data protection laws still fit for purpose?

The Data Protection Act (DPA) 1998 today marks the ten-year anniversary, but increasingly data specialists are split on whether it still fit for purpose.

With the issue of data protection today receiving unparalleled attention, some commentators are suggesting that the rapid advances in technology have outpaced the legislation.

The amount of data being stored by enterprises today was inconceivable when the DPA received Royal assent on 16 june 1998, said Jamie Cowper, marketing director at security vendor, PGP Corporation. "I’d be surprised if nearly all companies aren’t in some way contravening the Act as it currently stands, whether they realise it or not."

Cowper called for a major overhaul of the legislation, arguing that it needed to be given "much sharper teeth", to persuade business leaders to abide by its principles.

But others believe that little change is needed, arguing that the broad principles of the Act provide a solid basis for navigating a complex issue in a fast-changing environment.

"[The DPA] doesn't need any major overhaul and can be seen as a good building block to move forward with," said Annabel Lyell, a solicitor with law firm Morgan Cole. "The fair and lawful processing of personal data is still a very useful concept."

Under the DPA's first principle, also known as the "fair and lawful processing" principle, individuals have the right to know who is collecting and storing information about them.

Data watchdog serves notice on government departments

Gareth Morgan — 2008-07-15T17:19:00.000Z

Gareth Morgan, IT Week, Tuesday 15 July 2008 at 17:19:00

HMRC & MoD slapped with enforcement notices

Data protection watchdog, the Information Commissioner's Office has confirmed that it has served enforcement notices on both HM Revenue and Customs and the Ministry of Defence, following high profile data breaches at the organisations.

Both departments will now be compelled to provide progress reports detailing how they are improving data governance practices.

The announcement was made as the Information Commissioner, Richard Thomas, released his annual report.

Thomas used the launch to criticise government proposals to store details of citizens' phone and internet communications.

"There needs to be the fullest public debate about the justification for, and implications of, a specifically created database … holding details of everyone's telephone and internet communications," he said.

"Such a scheme would require the fullest public debate to establish whether, whatever the benefits, it amounted to excessive surveillance as a step too far for the British way of life."

Microsoft points piracy finger at children

David Neal — 2008-07-15T11:18:00.000Z

David Neal, IT Week, Tuesday 15 July 2008 at 11:18:00

Microsoft piracy experts tell parents to tell their kids to behave themselves when they are online

New research released by Microsoft today suggests that the UK is a nation of unrepentant pirates, who know what they are doing is wrong but just do not care.

Microsoft warned that when downloading copy written material internet users run the risk of installing spyware, and explained that downloads from file-sharing sites are more than twice as likely to contain such malicious attachments. These in turn, it explained, pave the way for data loss, ID theft and viruses.

Much of the blame for piracy is placed at the feet of the young, who are accused of being street savvy, but not tech savvy. This disconnect is blamed for their tendency to download files that could be malicious, and for opening up home PCs, which could be used by flexible workers, to the risk of infection.

Michala Wardell, head of anti-piracy at Microsoft in the UK, said that parents should do more to protect both their home computers, and their children. "File sharing is a great technology, but parents should make sure that their children are doing it legally. We know that there are dangers associated with downloading illegal software; research has shown a computer running pirated software is more likely to catch viruses - leaving the back gate open to identity fraud or the loss of photos and other files saved on the computer."

Yoggie launches security ExpressCard

Rosalie Marshall — 2008-07-14T14:14:00.000Z

Rosalie Marshall, IT Week, Monday 14 July 2008 at 14:14:00

Gatekeeper Card aims to protects mobile workers

Israeli vendor Yoggie Security Systems has released its new Gatekeeper Card Pro which helps businesses secure laptops used outside the corporate firewall.

Gatekeeper, which can be slotted into a laptop's ExpressCard slot, acts as " a computer within a computer", Yoggie claimed, providing users with 13 different security applications to protect against threats, including spam, viruses and phishing.

The Gatekeeper Card Pro should significantly free up system resources, said the firm, with the plug-in device eliminating the need for users to install security applications on their laptops.

The cost of the Gatekeeper Card Pro is £99. A USB stick version - the Gatekeeper Pico – is also available at a cost of £75.

UK leads the way in fighting online crime

Phil Muncaster — 2008-07-14T13:31:00.000Z

Phil Muncaster, IT Week, Monday 14 July 2008 at 13:31:00

Internet stakeholders hail UK's "blended approach" to online crime reduction

The UK approach to tackling online crime has been held up by internet experts as an exemplar of best practice from which other nations could learn.

At the UK Internet Governance Forum meeting in London last week, internet stakeholders met to discuss themes including online crime reduction, personal internet security and diversity.

The UK’s blended approach to tackling internet crime was singled out for praise, allowing as it does industry groups to coordinate their own initiatives to fight crime in their specific sectors. The Apacs-backed Dedicated Cheque and Plastic Crime Unit is one such body.

“There are things the UK does very well and it’s a positive story for us to take to the [international] IGF meeting,” said Apacs’ Richard Martin, reporting back from the online crime reduction track. “It’s a very good model to be taken up elsewhere, especially our national culture towards a blended, bottom up approach.”

However, while businesses are in the best position to understand the nature of the threats they face, the UK is still lacking a joined-up business and law enforcement response to online crime, he said.

“It is important to have the routes to take the information [on internet crime collected by firms] to the next level – organised law enforcement,” he added. “It is a potential gap we have but we understand that and are trying to do something about it.”