Posts tagged Security

Security Leaders: How Can Something This Dumb Be Called a “Smart Grid?”

“I don’t know how you can call something this dumb a ‘smart grid.’” This from the former Assistant Secretary for Policy at the Department of Homeland Security – the man who created the job. Serving nearly three-and-one-half years at DHS, and earlier as general counsel of the NSA, Stewart A. Baker got a first-hand look at the present and future battlefronts of electronic terrorism. You could read his book, or you could get the gist of his impressions from its title: Skating on Stilts.

Baker was referring to the relative state of readiness and resilience of the computer equipment protecting America’s energy distribution networks and industrial control systems. Presently with the Washington, D.C. law firm of Steptoe & Johnson, LLP, he introduced his firm’s report on our present status. “I thought I would start with some obvious things,” he began. “Security sucks.”


The Stuxnet worm, discovered in 2010, demonstrated that it is possible to break industrial control systems after penetrating the Windows networks that connect to them, Baker said. “Not only can you, it’s a great idea if you’re thinking about attacking another country,” he told the RSA Conference in San Francisco last week, with only a hint of sarcasm. “It’s a wonderful weapon, if you’re into weapons. It’s very effective at bringing down industrial control systems, upon which civilian life depends. There’s none of the taboos around this weapon that you have around nuclear weapons. And it’s easy to develop if you’ve got the makings of a cyber-weapons industry. It’s asymmetric – you can go up against the toughest guys in the world and cause some real pain in ways that they may not be able to cause you.”

A Fence Around a Hole

Baker notes that the authority of government agencies such as the Commerce Dept.’s NIST to contribute to the management of Internet security is somewhat repurposed from their original mandate. But partly because these agencies are now perceived as protectors of all things digital, he said, those responsible for the direct management and operation of industrial control systems are not focused on digital network security. Remarked Baker during an RSA panel on smart grid protection, “They’ve got an equally important nightmare that they have to live with every day, which is that the power will go out and they won’t be able to deliver it. All of their security features are designed around that.”

While these operators are focused on keeping the power infrastructure in its nominal state, they tend to trust one another, like soldiers locked in combat against the common enemy of rust and corrosion. And as trusted co-combatants, they share everything with one another – including passwords. So when a power system does fail, and experts are sent down from Canada to manage the issue (gee, I wonder whom Baker was referring to), someone leaves them a note with the passwords so they can get into the system.

Because of incidents like this, Baker says, the security of power systems today is actually worse now than in the past several decades. “This is not exactly the security that you and I grew up with.”

Defending her agency’s role in protecting the grid, however smart or dumb it may be, was Donna Dodson, NIST’s Deputy Chief Cybersecurity Advisor. “The goal of standards is to provide the fundamental tools and technologies that you can use in support of information assurance, to really help protect the smart grid,” she told the panel. “We’ve been working very closely with DHS, the Dept. of Energy, with the entire smart grid community, so that public/private partnership has come together with our smart grid efforts… to begin to understand, from the very top level of understanding risk and risk management, down to the technical details of what standards are available. NIST has pulled that community together.”

Dodson said this community is comprised of standards development organizations and academic leaders, brought together by agencies with the goal of identifying gaps and deficiencies in current standards. As part of a partnership with DHS and private organizations, NIST is supporting the National Initiative for Cybersecurity Education (NICE). Later this spring, it will host a workshop on smart grid security, followed by another on cyber-physical systems.

The Legislative Foundation

But the authority for these agencies to take decisive action, even after these more concrete standards have been ironed out, may only be established through new legislation. That process has made molasses seem slippery. As House Homeland Security Committee general counsel Kevin Gronberg described it, “The activity on the Hill, depending on whom you ask, is fast and furious or slow and monotonous.

“Cyber security – and especially securing the smart grid – has been recognized as an increasing need for legislation in Washington… Because there have been previous attempts at passing cybersecurity legislation, they have been thwarted, so to speak, by multiple jurisdictions.” Gronberg then reminded attendees of the simplified version of how a bill is passed, as presented by the old Saturday morning kids’ show from the 1970s, “Schoolhouse Rock.”

“With the underlying nature of cybersecurity being what it is, as everyone knows, it permeates almost every element of our economy. And as such, there are so many different committees on Capitol Hill that feel they have jurisdiction over the issue – whether it’s Financial Services or National Defense or Homeland Security,” he explained. “With the Republicans regaining the majority in the House in 2010, Speaker of the House [John] Boehner commissioned a task force report on what should be included in the cybersecurity bill.”

That report was released last October, with the hope that each committee would be able to create a bill addressing its respective jurisdiction. Those bills would then be combined into a version that could be reconciled with a Senate counterpart bill. The resulting bill, the PRECISE Act (Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act), which passed Gronberg’s committee on February 1, would enable interagency sharing of standards and information in the event of a national cybersecurity event, as NIST’s Dodson has called for.

The bill also includes measures enabling agencies, under DHS supervision, to acquire databases that happen to include personally identifiable information from services that host critical government infrastructure, so long as that data remains protected. So far, the ACLU has responded with guarded skepticism, but has not raised any alarms. The Union has stated its tentative approval of cybersecurity measures being managed by DHS, a civilian agency, rather than by the NSA, an intelligence agency.

“As of now, the cybersecurity mission is poorly defined in legislation,” said Gronberg. “It has been more of a function of executive order and public expectation. I think the Department [of Homeland Security] has filled that role admirably, but we’d like to clarify those roles, especially the cross-jurisdictional aspect of the team sport that is cybersecurity.”



Stock image by Shutterstock.

Verizon: External Security Threats Skyrocketed in 2011


The conventional wisdom has been that industrialized hacking organizations have become particularly successful with social engineering – coaxing employees into doing something stupid that unlocks their networks’ security. Analysts at the RSA Conference in San Francisco last week spoke of increasing incidents of telephone calls – actual human beings from call centers, pretending to be “Windows Security” or some other service, offering to help employees eradicate a non-existent virus from their systems and asking for their passwords outright.

If such incidents are indeed increasing, they were no match last year for a staggering rise in external threats directed against data center servers. This according to data Verizon pre-released to select reporters last week, in advance of the carrier’s annual Data Breach Investigations Report. As the report’s director of research and intelligence, Wade Baker, told ReadWriteWeb, data collected from Verizon’s own investigative caseload, together with cases contributed by partners such as the U.S. Secret Service, shows that some 92% of the threat agents contributing to security events were discovered outside the firewall.



“Since 2005, it’s pretty obvious that attacks are becoming external in nature,” stated Baker in a news conference. “By external, I mean the threat originates from outside your environment. It is not an employee of your organization. Yes, they commit crimes too, but by and large, we see these increasing attacks stemming from the outside.”

The Verizon team’s investigation revealed that servers were targeted by 90% of the threat agents identified in some 90 breach events throughout last year. Baker said it’s obvious that the objective of attacks now is more often to acquire data than to disrupt systems and services. While about 49% of threat agents also targeted “user devices” – which in Verizon’s classification includes PCs, tablets, and smartphones – the vast majority of that targeting was an intermediate step, a way to eventually get at the server.

Are the user devices in this class comprised of “BYOD” devices, which were the subject of many separate sessions at RSA 2012 – devices that companies allow their employees to bring inside and connect to the network? And if so, are those considered external or internal agents? I asked the report’s contributing risk analyst, Marc Spitler, who told me that if an employee device were connected to the network contrary to policy, then it would be classified as an internal agent – the class which Verizon perceives as a less significant threat component. “I don’t know if we actually did see bring-your-own-devices as the ‘Patient Zero,’ if you will, of a malware outbreak,” said Spitler.


A potentially more disturbing statistic from the report, which Verizon shared with reporters in advance, concerned the elapsed time between the actual attack incident and the discovery of its having taken place. “Most of the time, it takes months,” Baker told reporters. Backdoor tactics have regained favor for evading discovery, he said, having been utilized in 26% of investigated incidents. “And to be honest, the capabilities of the victim are pretty terrible sometimes. We’re not seeing a lot of maturity in this space.”

Verizon also previewed this bit of data: Some 29% of threat incidents involved the ability to guess a user’s password correctly. In the wake of Windows 8 tying together a variety of cloud services under an arguably guessable, single Microsoft Account password, I asked Baker whether this percentage was likely to go up in 2012.

“There’s a balance to be struck between usability and security,” Baker responded. “The reason we do single sign-on is because it’s highly usable. I don’t want to sign into 15 different accounts on my computer; I want one password that lets me not remember all these different things. Of course, there is increased risk, and there’s a security trade-off in doing that. It would be best to do something different with every single place that you sign in. So yes, it’s going to get [to be] more and more of a problem, because we’re integrating more things. And it’s also more of a problem because the attackers seem to have picked up on this.”

Baker noted that Verizon’s Top 10 list of threat actions has, over the last five years, shifted towards authentication and authorization. I asked him what organizations he’s seen that use three-factor authentication to address this issue. He answered perhaps none, but added that the reason for this could very well be that Verizon deals with companies whose systems have already been breached – and maybe three-factor systems aren’t among them. “It seems like there’s been such a big push to get a good two-factor system set up, in many cases, that three and more is pretty rare.”


RSA Security Giants on the State of Crypto: Can Whit Be Right and Ron Be Right?


Two weeks ago, a group of security researchers set off an intentional firestorm over data that seemed to indicate a flaw in the way RSA keys – a system relying on “multiple secrets,” the two secret primes behind each key, as opposed to the single secret of a Diffie-Hellman exchange – are being generated in practice: a small fraction of RSA public keys collected from the Internet turned out to share a prime factor with some other key. Since the report of that discovery was published, experts have argued that its authors may have drawn an unsubstantiated conclusion from it.

In any event, yesterday at the RSA Conference in San Francisco, the man the report’s very title praised for being “right” all along – cryptographic pioneer Whitfield “Whit” Diffie – told attendees that if a problem actually does exist, its solution may be deceptively simple.


The problem, as the report “Ron was wrong, Whit was right” indicated, was that a small but non-negligible fraction (about two in every thousand) of the RSA moduli collected from the public Internet shared a prime factor with another modulus. Two keys that share a prime can both be factored with a simple GCD computation, so neither can be trusted. “That seemed very serious to me, and sort of a phenomenon unique to RSA,” Diffie told a packed keynote session. “And eventually I realized – and as I thought about it for a week, it’s come to seem just as charming, but as a practical matter, much less serious than it did to start with, but something that probably does need a bit of addressing.”

Diffie noted, with perhaps a hint of sarcasm, that the report’s authors – who included Swiss professor Arjen K. Lenstra – avoided sensationalism by refraining from alleging that RSA keys had been “cracked.” But he posited that what Lenstra’s data could actually be indicating is a flaw in as few as one bad random number generator. “It seems unlikely that two independent prime random number generators are going to be producing the same 500-bit primes.” He then expressed skepticism at the idea that one person’s key could be compromised by someone else, simply by virtue of that person holding a key generated with a common factor – when that fact is not automatically made evident to either party.

“But the fact is, if you manufacture your key material correctly – that is to say, you’re very careful about production testing of your own random numbers – this is simply not going to happen to you,” he said. “If you adopt a random number generator that has whatever this fault is, you might get this effect.”

To help improve the system, Diffie suggested it might be necessary to “out” the bad random number generators. “So my notion is, why don’t we just publish hash codes for all of the primes selected to go into keys? As a matter of fact, you might publish hash codes for all of the keys that you’ve selected for any purpose… and then anytime you generate one, if you see that it’s already in the database, you know two things immediately: One, you probably have the same random number generator they did. Two, it’s no good.”
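What the shared-prime failure looks like in code, and how Diffie’s registry idea would catch it, as an added example that is not part of the article, the Lenstra et al. paper, or any vendor’s key-generation code. The primes and keys are constructed toy values (real primes are roughly 512 bits; every step is identical in principle), the pairwise GCD stands in for the product-tree batch GCD used at Internet scale, and the `PrimeRegistry` class is a hypothetical sketch of Diffie’s proposal, not anything that exists.

```python
"""Shared-prime RSA failure and two responses to it.

Added example: not from the article, the Lenstra et al. paper or any
vendor's code. Primes are tiny constructed values so this runs instantly;
real primes are ~512 bits and every step below is identical in principle.
"""
import hashlib
from math import gcd

E = 65537  # standard public exponent


def make_key(p, q):
    """Return (n, d) for primes p, q. A faulty RNG that hands the same p
    to two different keys is all it takes for the attack below to work."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return n, d


def shared_factors(moduli):
    """Pairwise GCD across public moduli. Returns {n: shared_prime} for every
    modulus that shares a prime with some other modulus. At Internet scale
    (millions of keys) a product-tree batch GCD does this in quasi-linear
    time; the arithmetic is the same."""
    found = {}
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            g = gcd(a, b)
            if 1 < g < a:  # g == a would be an identical key, not a shared prime
                found[a] = g
                found[b] = g
    return found


def recover_private_exponent(n, p):
    """Anyone who knows one prime of n can factor it and rebuild d."""
    q = n // p
    return pow(E, -1, (p - 1) * (q - 1))


class PrimeRegistry:
    """Hypothetical sketch of Diffie's proposal: publish a hash of every prime
    (or key) you generate, and refuse any prime whose hash is already listed.
    A SHA-256 of a real 512-bit prime reveals nothing useful about the prime."""

    def __init__(self):
        self.seen = set()

    def already_used(self, prime):
        h = hashlib.sha256(str(prime).encode()).hexdigest()
        dup = h in self.seen
        self.seen.add(h)
        return dup


# Constructed keys. Key C reuses the prime 10009 from key A, which is exactly
# what a stuck or low-entropy generator produces in the field.
KEY_A = make_key(10007, 10009)
KEY_B = make_key(10037, 10039)
KEY_C = make_key(10009, 10061)
KEY_D = make_key(10067, 10069)


def attack(keys):
    """Run the GCD scan over the public moduli and decrypt a message under
    every key the scan broke. Returns {n: recovered_plaintext}."""
    moduli = [n for n, _ in keys]
    broken = shared_factors(moduli)
    out = {}
    for n, p in broken.items():
        d = recover_private_exponent(n, p)
        c = pow(123456, E, n)   # ciphertext made with the public key only
        out[n] = pow(c, d, n)   # decrypted with the recovered private exponent
    return out


if __name__ == "__main__":
    print("broken moduli:", sorted(attack([KEY_A, KEY_B, KEY_C, KEY_D])))
    reg = PrimeRegistry()
    print("registry flags reuse of 10009:",
          [reg.already_used(p) for p in (10007, 10009, 10037, 10039, 10009)])
```

Keys A and C fall to the scan and their private exponents are rebuilt from public data alone; keys B and D, whose primes are unique, are untouched, which is Diffie’s point that a correctly generated key is not at risk from someone else’s bad generator. The registry catches the reuse at generation time, before the key is ever published.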

At that point, Diffie turned to the fellow that Prof. Lenstra called “wrong,” who was seated to his immediate left: Ron Rivest, the “R” in “RSA.” “I think if I get a chance to referee the paper, I’ll suggest a change of title,” Rivest said. “You are often right, and I am sometimes wrong.”

Switching back to serious mode, Rivest suggested that behind the firestorm in the report, there really wasn’t much substance. He noted a much earlier work in 1996 by Adam Young and Moti Yung on cryptovirology – the intentional creation of malicious software that turns cryptography against its victims, often for extortion. A maliciously bad random prime number generator could theoretically be written, Rivest said, so that the public key is computed in a way that reveals the corresponding secret key to an adversary. “I don’t think we’ve paid enough attention to that possibility,” he remarked, noting the much more serious prospect for damage.


What Words Are Homeland Security Looking for When It Cyberstalks You?

What do the terms “dirty bomb” and “pork” and “gas” have in common?

They’re all on a list of words that raise red flags with the government when you use them in a tweet or a Facebook status update. Hubze has released the complete list of terms the Department of Homeland Security is looking for when it monitors your social media activity.

So if you tweet that you’re “brute forcing my way onto a crowded Metro subway because the last train got canceled” (words in italics are on the list), you may find yourself on a list of people who used words that Homeland Security calls “Items of Interest,” or IOIs.


The list was only released after a long round of legislative posturing. And, for the record, the Department of Homeland Security has told the House Homeland Security Subcommittee on Counter-terrorism and Intelligence it is more interested in tracking what people are saying and not necessarily who is saying it.

The monitoring is being done at an expense to taxpayers of about $11 million and extends beyond social networks to comments left on articles and Websites, including Huffington Post and the New York Times, according to Hubze.

We’ve asked Homeland Security whether ReadWriteWeb is on the list; we’ll update as soon as we hear back from them.


Expert Panel at RSA 2012: Who’s Responsible for Cloud Security?

“Whose problem is this? Whose problem is a vulnerability in an app? Is it the app developers? Is it the service provider of the operating system? Or is it the distribution center of the application?”

These aren’t questions presented to an expert panel by attendees at the Cloud Security Alliance Summit at RSA in San Francisco this morning. These are questions coming from that panel – specifically, from a professional security analyst whose firm openly experiments with app store security, including from Google’s app stores for Android and Chrome OS.

Panelists, from left to right: Philippe Courtot, CEO, Qualys; Don Godfrey, security consultant, Humana; Matt Johansen, Threat Research Center manager, WhiteHat Security; Patrick Harding, CTO, Ping Identity.

Matt Johansen runs the Threat Research Center for WhiteHat Security, a private analysis firm that specializes in determining the relative security characteristics of Web sites and Web apps on behalf of their proprietors. Sometimes their research extends outside the security of the app itself, and into the environment in which it’s distributed and propagated.

Speaking as one member of a powerhouse panel assembled by Qualys CEO Philippe Courtot, Johansen related some of WhiteHat’s experiences with testing the fringes of Google security. He noted that consumers’ expectations of responsibility are based on consumers’ history – when someone buys tainted food, they blame the supermarket, even though legally the farmer may be at fault. Maybe there should be some sort of code review process at Google, he suggested.

Maybe. “When I was doing some research on the Chrome OS, we uploaded an extension to the Chrome Web store called, ‘Malicious Extension,’” admitted Johansen. “There was absolutely no code review process there at all.” The app contained fake buttons which read, “Steal cookie,” and the like. For a while, it stayed available for download, until WhiteHat took it down. But before that, he approached Google to demonstrate the problem and to ask them the string of questions that opens this article.

“I’ve never gotten the same answer twice from anyone that I’ve asked,” he remarked. “It’s an interesting problem, and I think we’re going to see it more and more. One of the scariest facts about it is, the iPad didn’t exist more than two years ago… [So] we don’t really know the answer to these problems. Whose problem is it to fix this vulnerability in an app that you’re installing on your operating system, and that has permissions that it maybe shouldn’t.”

Everyone who’s installed an app on a smartphone has seen the permissions screen which informs the user what kinds of information may be shared. A banking app should be expected to communicate a certain quantum of personal data, specifically with the bank. That’s if the app works properly. If it doesn’t, it may share something else instead. Or it may share the right data with the wrong source. If that ends up compromising the integrity of someone’s bank accounts, who’s responsible? It’s such a new industry, Johansen pointed out, that the question really hasn’t had time to be answered before the technology behind it became suddenly ubiquitous.

The Cloud as Agitator

To an ever-greater extent, the mobile app serves as a facilitator between a device and a cloud-based service. It’s a “cloud” service, as opposed to a conventional Web server, because its structure is virtual, its location is variable, and the resources it provides are made to appear local – as though the user installed them on his phone.

That doesn’t change everything, though, argued panelist and Ping Identity CTO Patrick Harding. “The cloud doesn’t solve developers building insecure applications,” Harding told the RSA audience Monday morning. “They’re going to do that no matter what. What people are finding, though, is that SaaS applications [developers] specifically have a business incentive to seriously write secure applications. But as you drift down the stack, so to speak, the risk goes up. If you talk about IaaS and people deploying to the cloud there, you’re not getting the same level of analysis and control as somebody like a Salesforce or a Google, or someone like that, might have.”

Matt Johansen may have a different perspective. One service WhiteHat provides, for example, is asset discovery – taking inventory of a customer’s digital resources. A Web app serves as the public doorway for data stored elsewhere, he explained. With respect to a vulnerability management job, WhiteHat often finds that its clients have no clue how many Web apps they have, nor how many Web sites they need the firm to analyze. “That seems to be one of the harder questions to answer for a lot of people,” said Johansen, “and I think that’s very telling. I think that’s kinda scary. If you have a footprint on the Internet with your applications, and you don’t even know the size of them, how are you going to manage every entry point into your data when you don’t even know where the doors are?”

Ping’s Patrick Harding took the opportunity of speaking before the CSA Summit to stomp just a bit further on one of his pet peeves: the growing uselessness of passwords as linchpins of authenticity. Cloud computing only exacerbates this problem, Harding believes, because cloud-based resources typically require authentication.

“I actually think that passwords are the Achilles’ heel of cloud security,” Harding said, striking a familiar theme. “For all the money that people are going to spend on encrypting their data and putting Web app firewalls in front of them… if I can get your password from any one of the applications that you use, I’ve got instant access to all that data, essentially.”

Harding noted that in his research, Web apps that use a person’s e-mail address as her identifier (Google Apps being the most prominent of these) tend to provoke that person to use the same password for each app. One very dangerous discovery that Ping made, in conjunction with Google, is that when corporate e-mail addresses are used to identify app users, the app password ends up being the e-mail password.

“With the cloud, what you start to see is a lot more applications available for users. It’s that much cheaper, it’s that much quicker to deploy applications out in the cloud,” stated Harding. “So there’s just going to be more of them. Every one of those applications is going to end up being accessible from my laptop, from my mobile phone, from my iPad… it could be any point at any time. That whole anywhere, anytime access is just ending up forcing the exposure of login forms to the outside world.”

Grafting Identity Back Onto APIs

One class of resource whose architects often eschew the need for identity and authentication is the API. A growing number of Web apps are actually remote clients for open APIs, as the panel acknowledged. Many architects believe anonymous access is a necessary factor for open APIs, and that security is a matter best addressed by security architects – API architects need to focus on providing the answer, not questioning the questioner.

I asked the CSA panelists, if they were indeed the ones tasked with securing open APIs, how do they approach this task without introducing identity back into the picture, and wrecking the developers’ vision of beauty through anonymity. Ping Identity’s Patrick Harding commended me for asking a question that answered itself.

“API architects are in the wild, wild west,” Harding responded. “They love it because it’s simple and easy, and completely forget about securing them in any way at all. The only standards that exist in the REST world for security, up until the last two years, was HTTP basic, and SSL. The same stuff we’ve had for, I don’t know, 20 years. It’s crazy.”

OAuth, which we’ve talked about here in RWW, lets an API delegate the question of who the user is and what she has authorized to a separate token issuer: the client presents a token to the API instead of the user’s password, giving API developers one way to take the subject off their hands without ignoring security altogether. Harding suggests more API architects look into OAuth. But a token only answers who is calling, not whether the call itself is safe. “It doesn’t speak to, ‘Is my API secure, per se?’” he noted. “How do I know that SQL injections aren’t being slapped through that API effectively, via JSON messages?”

WhiteHat’s Matt Johansen acknowledges OAuth adds identity to the mix, but endorses it as what needs to be done. “Tokenization and checking the source and destination… is adding identity to the problem,” he said, “but it is helping solve it.”
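Harding’s point in concrete form, as an added example that is not code from the panel or from Qualys, WhiteHat or Ping Identity: a minimal JSON API handler over an in-memory SQLite table, first with string-built SQL and then with a bound parameter. The bearer-token check is a hypothetical stand-in for an OAuth-protected API, included to show that a perfectly valid token does nothing to stop an injection carried inside the JSON body; the table contents, the token and the attack payload are all constructed.

```python
"""JSON API: the same query with string-built SQL and with a bound parameter.

Added example, not code from the panel, Qualys, WhiteHat or Ping Identity.
The bearer-token check is a hypothetical stand-in for an OAuth-protected API:
a valid token does nothing to stop an injection carried in the JSON body.
Table contents, tokens and the attack payload are constructed.
"""
import json
import sqlite3

VALID_TOKENS = {"tok-123"}  # constructed stand-in for the token issuer's store


def setup_db():
    """In-memory table with a column the caller must never be able to read."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts(owner TEXT, balance INTEGER, secret TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [("alice", 100, "alice-secret"), ("bob", 250, "bob-secret")])
    return db


def authorized(headers):
    """Accept the request only if it carries a known bearer token."""
    auth = headers.get("Authorization", "")
    return auth.startswith("Bearer ") and auth[len("Bearer "):] in VALID_TOKENS


def lookup_vulnerable(db, headers, body):
    """Deliberately injectable: the JSON field is spliced into the SQL text."""
    if not authorized(headers):
        return {"error": "unauthorized"}
    req = json.loads(body)
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{req['owner']}'"
    return {"rows": db.execute(sql).fetchall()}


def lookup_hardened(db, headers, body):
    """Same endpoint: type-check the field and bind it as a parameter, so the
    value can only ever be compared against owner, never parsed as SQL."""
    if not authorized(headers):
        return {"error": "unauthorized"}
    req = json.loads(body)
    owner = req.get("owner")
    if not isinstance(owner, str):
        return {"error": "bad request"}
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return {"rows": db.execute(sql, (owner,)).fetchall()}


# Constructed attacker request: a valid token plus a UNION in the JSON body
# that swaps the balance column for the secret column.
GOOD_HEADERS = {"Authorization": "Bearer tok-123"}
HONEST_BODY = json.dumps({"owner": "alice"})
ATTACK_BODY = json.dumps({"owner": "x' UNION SELECT owner, secret FROM accounts --"})


def run(handler, headers=GOOD_HEADERS, body=HONEST_BODY):
    """Execute one handler against a fresh database; rows come back sorted
    so the result does not depend on SQLite's output order."""
    res = handler(setup_db(), headers, body)
    return sorted(res["rows"]) if "rows" in res else res


if __name__ == "__main__":
    print("vulnerable, honest :", run(lookup_vulnerable))
    print("vulnerable, attack :", run(lookup_vulnerable, body=ATTACK_BODY))
    print("hardened,   attack :", run(lookup_hardened, body=ATTACK_BODY))
    print("no token           :", run(lookup_hardened, headers={}))
```

With the valid token, the vulnerable handler hands back every account’s secret; the hardened handler treats the same payload as a literal owner name and returns nothing. The token check is the identity layer OAuth supplies; the parameter binding is the part OAuth cannot supply for you.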

The Cloud Security Alliance holds its annual Summit event as part of the RSA Conference, complete with its own panel session, keynote speaker, and innovator awards.


What Security, Where? Keys to the RSA Conference

The cloud is huge. Client access devices are small, and they’re everywhere. Personal computers are virtual. Access to all of these resources is continual. Control over the world’s single most precious information resource – identity – has become a jump ball.

Next week, ReadWriteWeb will be covering the annual RSA security conference in San Francisco. I never attend a conference without an agenda, and no, I’m not talking about the pamphlet and the floor plan. There’s an agenda all my own, and it’s based on the subject matter that I’ve discovered you want to know more about.


There are six flashpoint topics that are relevant to this year more than any other. We’ll be touching on each of these flashpoints throughout the week on RWW, and at the end, we’ll revisit each one and review what we’ve learned… or whether we ended up with more questions than we started out with.

1. Who or what defines identity for cloud access? With Windows 8 – which may come sooner than you might think – you’ll be logging on using something called a Microsoft Account. Apple iPad and iPhone users are already becoming accustomed to the iCloud account, which we can expect will be integrated into the iTunes account scheme. Before long, for you to use any functionality from any device, you will need access, and the thing that you access must either have or discover some way of recognizing you.

Are you prepared for that something to discover you through Facebook? Is that level of trust something you can accept? This will likely be a huge topic of discussion during the colossal four-hour Cloud Security Alliance Summit session on Monday. Business users expect single sign-on. That means, the credentials they use to log onto their computers or portable devices, must be translatable into credentials recognized by the services they use once they’re logged on. Imagine trusting the credential level you use today to log onto your Desktop, applied to your bank account or your company’s private network. (And you thought Facebook was dangerous?)

2. The rise of risk management. Because both cloud service providers and their customers have more specific expectations for their service level requirements than ever before, they’ve been able to state those expectations in service contracts with greater ease. And because businesspeople protect their interests when they’re specified in contracts, the insurance industry plays a greater role now.

It is insurance that is compelling enterprises everywhere (including insurance itself) to institute risk management procedures. Every year when you see the ads for a security conference, you expect to see blurbs about the latest vendors for remedial technologies like backup and recovery, disaster management, loss mitigation. Now you’re seeing the antithesis: Risk management, when done right, minimizes the need for loss mitigation, and replaces disaster management with disaster avoidance.

3. The decline of endpoint security? “Hardening the endpoints” was a metaphor intended to convey a picture of an armored fortress, a “Helm’s Deep,” impenetrable from the outside. With transaction models now incorporating cloud services at a rapid rate, suddenly the imperfections in modern endpoint security become clearer. New and more clever security services are demonstrating that it’s not only feasible, but preferable, to secure the fortress by stopping malicious activity from ever reaching the endpoint in the first place. And it may be more practical to achieve this through the cloud than anywhere else.

At RSA next week, we expect to see some live demonstrations of cloud-based security in action; though we’ll also certainly hear from the endpoint security pioneers, with the latest antivirus, firewalls, and spam blockers, defending the fortress the only way they know how.


4. Can privacy be delivered by technology? It’s a question our Joe Brockmeier explored on Thursday, casting a ray of hope for technological methods – especially when compared to the legislative alternative. On the other hand, my interview with the co-creator of P3P revealed that privacy could be more of a psychological concept that technology may only serve to exacerbate – the way the presence of armed guards at an airport makes people feel less secure.

Some still debate whether privacy actually belongs as a subtopic of security in the first place. From the end user’s perspective, no one feels truly secure unless she’s certain she’s not being spied on. The sad fact is that, while technology may have a better chance at delivering privacy than any laws passed by Congress, it has not done so yet, and it’s had plenty of chances.

5. Is infrastructure security a joke? With nearly all of computing moving to a service model, and with centralized and virtualized data center resources relying more upon the security of power centers and the integrity of energy infrastructure, is the notion of a “smart grid” really an illusion? As easy as it appeared for someone to don the name of “Anonymous” and shut down the Justice Dept. Web site, could it be just as easy to shut down electric power to the Great Plains?

We don’t talk a lot about the macrocosmic elements of technology around here, usually because we’re playing with our smartphones. It’s the little things that hold our attention, like cute kittens. The nation’s energy infrastructure, by comparison, is an unexplored wilderness. We hope to change that fact a bit next week.

6. Could government really lead the way in security architecture? No, seriously? Government?

I’m not talking about Congress, though. The Dept. of Homeland Security is implementing some very clever new policies for rethinking government resources’ approach to managing security. Risk management plays a role here as well, but also resilience – employing NASA-like procedures to keep the mission running smoothly even when failures do happen. And the National Security Agency is also implementing some bold initiatives in the field of mobile device security, that pick up at the point Research In Motion stopped moving.

Stay tuned to ReadWriteWeb all next week as we put on our thinking caps, our tinfoil helmets, and our stovepipe hats (hopefully not all at once) and talk to all the world’s leading security authorities in the public and private sectors, in the enterprise and in academia.


Stock photos by Shutterstock.com




View full post on ReadWriteWeb

New Endpoint Security Tools From Webroot, Bitdefender, Norton

This week several security vendors announced new and improved versions of their endpoint security products that involve a new level of sophistication and protection. The tools include the launch of SecureAnywhere from Webroot and new products from Symantec’s Norton division. Finally, Bitdefender has a new version of its free QuickScan online malware scanner here just for Windows PCs. The scan initiates right from your browser window.


Let’s start with SecureAnywhere, which is a new product line from Webroot and puts a small agent on any Windows desktop or server OS since XP, including both 32 and 64-bit and Windows running in VMs too. It provides cloud-based endpoint protection that doesn’t rely on signature updates, unlike earlier products from Webroot. It includes anti-malware scanning, a host-based firewall, cleanup of various system and registry files and the ability to quickly scan your desktop.

It is priced at between $16 and $35 per user per year, depending on volume licensing. While the first version is just for Windows, Webroot is working on Mac versions for later in the year. You can get more information on SecureAnywhere here and see a typical screenshot below.


Norton is also moving in a similar direction with its cloud-based integrated endpoint security tool called Norton One. It offers protection across a broad spectrum of endpoints, including Windows, Macs and Android devices. A single subscription covers a wide range of Norton products, including both security and online backup. New to this family is an integrated service called Norton 360 to help you manage downloads, online backup and saved online passwords. You can see a sample screenshot below, and the 360 service will be available later this spring.


You can get more information on Norton One here. Pricing starts at $150 to cover up to five devices.

One trend that is clear from these announcements is that the main-line security vendors have to broaden their offerings to handle blended threats and more sophisticated attacks. They have begun to move away from pure signature-recognition scanning tools and towards more integrated protection methods.




View full post on ReadWriteWeb

Microsoft Security Patch Marked Google.com As Malware

Some of those who use Microsoft security software received a security patch a couple of days ago that led to malware warnings for users trying to visit Google.com. Softpedia posted a picture of the warning. Microsoft quickly learned about the issue on its support forums and issued a patch yesterday…



Please visit Search Engine Land for the full article.



View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

Google Wallet Disables Prepaid Cards Until Security Flaw Fixed

The company said it has temporarily disabled the use of prepaid cards on its retail platform as it looks to remedy a security flaw which could allow an attacker to steal the PIN on Google Wallet systems. Google says a fix is coming soon.

View full post on Search Engine Watch – Latest
