Security Bytes - A SearchSecurity.com blog



The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Security360 podcast: Endpoint encryption

SearchSecurity.com’s Security360 podcast offers fresh perspectives — from vendors, experts and infosec pros — on a variety of complex information security issues. In this episode, we look at endpoint security and how encryption fits into the puzzle. Burton Group senior analyst Trent Henry explains the most effective approach to endpoint security and the pros and cons of full disk encryption; Roger Herbst, a senior IT specialist with the Timken Company, talks about how he led his company’s deployment of full disk encryption on about 5,000 employee laptops; and Charles King, principal analyst of Pund-IT Research, discusses Seagate’s new encrypted hard drive. (Runtime: 20:43)

Download the podcast here.


Microsoft explains how it missed ANI

Here’s something you don’t see from Microsoft often — a detailed assessment of how it missed a big security hole. In this case the topic is the much-attacked ANI flaw and how it was allowed into Vista.

Michael Howard, Microsoft’s point man on the Security Development Lifecycle (SDL) — the software giant’s effort to get developers to be more security-minded when writing code — offers up a very detailed assessment of what went wrong in the company’s new Microsoft SDL blog.

Among the problems found:

– A Vista security feature called Address Space Layout Randomization (ASLR) is designed to place code and data at unpredictable memory addresses, to stymie attackers who are trying to find the location of critical Windows functions, but it didn’t seem to help in the case of ANI.

“If the vulnerable code is wrapped in an exception handler that catches many errors [as was the animated cursor code], a failed attempt will not crash the component and the attacker can try again with a different set of addresses,” Howard wrote.

– Microsoft testing tools failed to see the trouble with the code, which actually dates back to the aging Windows 2000 OS.

“Our static analysis tools do not flag this construct as a security bug because it’s a very low-priority warning,” Howard wrote. “Why? Code that uses calls such as ‘memcpy’ is hard to flag as vulnerable without generating a great many false positives. This is a research problem that no one has solved, here or elsewhere.”

As for lessons learned on ANI, he wrote, “SDL is not perfect, nor will it ever ever be perfect. We still have work to do, and this bug shows that. We have a new -GS pragma that adds more stack cookies; we’ve updated our fuzz tools; we will pay closer attention to exception handlers that could mask vulnerabilities, and we will investigate the impact of banning memcpy for new code. Finally, we will update our education as necessary with lessons learned from this bug.”
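The memcpy construct Howard describes, and the check that turns it into something a reviewer can reason about, as an added C example. This is not Microsoft’s code and not the real ANI/RIFF layout: the chunk format (a 4-byte tag, a 4-byte little-endian length, then a payload copied into a fixed 36-byte header struct), the tag `HDR0`, and the function names are all constructed for illustration. The unchecked version is kept only for contrast and is never fed oversized input here; the checked version rejects any chunk whose declared length does not match the destination or the bytes actually present.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed chunk format (not the real ANI layout): 4-byte tag,
 * 4-byte little-endian payload length, then the payload, which the
 * parser copies into this fixed-size struct. */
#define CHUNK_TAG    "HDR0"
#define CHUNK_PREFIX 8                    /* tag + length field */

struct anim_header {
    uint32_t field[9];                    /* 36 bytes; hypothetical layout */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* "Before": the pattern Howard describes. The length comes from the file
 * and goes straight into memcpy; nothing ties it to sizeof(*out). To a
 * static analyzer this is an ordinary memcpy call, hence only a
 * low-priority warning. Kept for contrast; never called with oversized
 * data in this file. */
int parse_header_unchecked(const uint8_t *buf, size_t buflen,
                           struct anim_header *out)
{
    if (buflen < CHUNK_PREFIX || memcmp(buf, CHUNK_TAG, 4) != 0)
        return -1;
    uint32_t len = rd_le32(buf + 4);
    memcpy(out, buf + CHUNK_PREFIX, len);   /* len is attacker-controlled */
    return 0;
}

/* "After": the declared length must equal the destination size and must
 * not exceed the bytes present. Malformed chunks are rejected, not copied. */
int parse_header_checked(const uint8_t *buf, size_t buflen,
                         struct anim_header *out)
{
    if (buflen < CHUNK_PREFIX || memcmp(buf, CHUNK_TAG, 4) != 0)
        return -1;
    uint32_t len = rd_le32(buf + 4);
    if (len != sizeof(*out))                /* wrong declared size */
        return -1;
    if (buflen - CHUNK_PREFIX < len)        /* truncated input */
        return -1;
    memcpy(out, buf + CHUNK_PREFIX, len);
    return 0;
}

/* Build a constructed chunk whose header claims `declared` payload bytes
 * while `actual` bytes actually follow. Returns total bytes written. */
size_t build_chunk(uint8_t *dst, size_t cap, uint32_t declared, size_t actual)
{
    if (cap < CHUNK_PREFIX + actual)
        return 0;
    memcpy(dst, CHUNK_TAG, 4);
    wr_le32(dst + 4, declared);
    memset(dst + CHUNK_PREFIX, 0xAB, actual);
    return CHUNK_PREFIX + actual;
}

/* Well-formed: declares and carries exactly 36 bytes. Returns 0. */
int check_well_formed(void)
{
    uint8_t buf[64]; struct anim_header h = {{0}};
    size_t n = build_chunk(buf, sizeof buf, 36, 36);
    return parse_header_checked(buf, n, &h);
}

/* Declares 1000 payload bytes: the unchecked parser would memcpy far past
 * the 36-byte struct; the checked parser refuses. Returns -1. */
int check_oversized(void)
{
    uint8_t buf[64]; struct anim_header h = {{0}};
    size_t n = build_chunk(buf, sizeof buf, 1000, 36);
    return parse_header_checked(buf, n, &h);
}

/* Declares 36 bytes but only 20 follow: an over-read. Returns -1. */
int check_truncated(void)
{
    uint8_t buf[64]; struct anim_header h = {{0}};
    size_t n = build_chunk(buf, sizeof buf, 36, 20);
    return parse_header_checked(buf, n, &h);
}

int main(void)
{
    printf("well-formed=%d oversized=%d truncated=%d\n",
           check_well_formed(), check_oversized(), check_truncated());
    return 0;
}
```

The point of the two rejections is that a fuzzer which only flips the length field would surface the first one immediately, which is the class of case Howard says the updated fuzz tools are meant to catch; the second is the over-read a reviewer checks for by hand whenever a length from the input drives a copy.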


WOOT, there it is

We all know the security conference schedule is already overcrowded, but there’s always room for another good one. The folks at USENIX this summer will be putting on a new workshop called WOOT–Workshop on Offensive Technologies–at their annual security conference here in Boston. According to the workshop’s site, it will be focused on understanding new attacks. It will be by invitation only, but if the makeup of the program committee is any indication of the level of content WOOT will have, I’d suggest calling in any favors you can to wangle an invitation to this one. Greg Hoglund, Nate Lawson, Halvar Flake, David Litchfield and Thomas Ptacek are all on the committee. Not too shabby.

The call for papers for the conference has just been posted, so if you want to guarantee yourself a spot, submit a cool paper. Maybe something on, oh, rootkits, or reverse engineering might grab the committee’s attention.


McAfee making financial strides

McAfee has had its share of setbacks in the last couple years. There was a stock options scandal that forced a major shake-up among the top brass, and a lawsuit in which rival vendor DeepNines accused it of patent infringement and false product marking.

But if the company’s latest profit report is any measure, things are looking up. Thursday the company beat Wall Street forecasts and boasted higher profits and revenue for the first quarter, thanks to rising worldwide demand for its products.

“We feel pretty good about the business,” McAfee CEO Dave DeWalt told reporters during a media conference call. “There is a lot of growth in the overall security market that gives us a bullish outlook.”

Some of this success may also be attributed to McAfee’s more recent offerings. When it unveiled Total Protection last year, the company said it was responding to IT professionals who want fewer security tools and a better way to manage what they have. Analysts have said that security vendors must move in this direction to effectively counter Microsoft’s thrust into the security market.


Get ready for a NanoScan

One of my favorite sayings is, “You can’t beat free!” It’s not always true of course, but as the industry has learned from the many useful open source tools available today, free is often good enough to avoid paying for a commercial product that does the same job.

So it was in the spirit of getting something for nothing that I tried Panda Software Canada’s new free NanoScan at its InfectedOrNot.com Web site.

The site offers two different scans: TotalScan, which looks for active and latent malware, and the NanoScan, an alleged one-minute scan that looks only for active infestations.

Seeing as I wanted to save some time in order to write this blog entry, I went with the NanoScan. But, does it really only take one minute? With my stopwatch in hand, I accepted the user agreement (and the ActiveX control, which I never feel good about) and I initiated the scan. Despite the disclaimer that it may take longer (…depending on the characteristics of your PC and the speed of your Internet connection…), the scan finished in exactly 60 seconds, and confirmed that my PC is malware-free and running up-to-date AV.

I also liked the site’s “Infex” statistics, which showed (at posting time) that more than 56% of scanned PCs were infected with malware, and 52% of those with malware had active, up-to-date antivirus software.

Ultimately the site didn’t tell me anything I didn’t already know, and while it’s hardly unique in offering a free PC scan, infectedornot.com’s effective branding and as-promised quick scan time could make it an effective marketing/awareness tool, especially for SMB users who are often hard-pressed to buy into the complexity of security.


Should PCI DSS rules be eased?

First Data CISO Phil Mellinger told a group attending a recent PCI DSS conference that the PCI DSS standards should be eased to allow more businesses to meet them. The rules would then rise gradually and reward compliant merchants.

Mellinger, who wrote the precursor to the current PCI DSS rules, also called for a PCI DSS status directory listing compliant merchants. We would like to hear what you think about PCI DSS. We’ve heard complaints from merchants who say the rules are too rigid, while others say different auditors give varying interpretations of the rules.

Will it take another massive data breach for lawmakers to act? Is the private sector doing enough to police itself? Let us know what you think.


DHS’ Garcia wants more cooperation on software security

I’m out in Las Vegas this week at CA World and on Tuesday I ran into Ron Moritz, CA’s chief security strategist and the former CTO at Symantec. Moritz is one of those people who is not often in the spotlight, but who works tirelessly behind the scenes on any number of industry-wide initiatives and public-private projects.

He’s served on a number of government advisory committees and on Tuesday he was showing Greg Garcia, the assistant secretary for cybersecurity and communications at the Department of Homeland Security, around the show.

Garcia gave a speech yesterday on the need for better cooperation among software vendors, customers and the government on software security. Garcia has been spending a lot of time on the road, taking the pulse of the industry and customers on this topic, and he made it clear that he believes the government has a role to play in improving software quality, but that in the end it is ultimately the responsibility of the vendors themselves. He urged customers to encourage their software suppliers to focus more on security, even if it means sacrificing some bells and whistles. This happens in some corners of the industry now, and the federal government does some of this as well, with its requirement that software work with its secure configurations.

“In my view it’s not yet enough on a national scale,” Garcia said. “I’m not sure we’re keeping up with our adversaries. They’re organized and they are committed.”


Lights out for Firefox 1.5

Firefox 2.0 has been out since last fall, but Mozilla has continued to support those still using version 1.5 with regular security updates.

That will stop next month, Mozilla announced Tuesday.

In a message on its Mozilla Developer Center blog, a developer named Basil wrote that Mozilla will only supply security and stability upgrades for Firefox 1.5 until mid-May, explaining, “We are focused on delivering a faster and more secure online experience. We want all of our users to benefit from the new features in Firefox 2.0.”

Mozilla security chief Window Snyder gave a pretty good overview of the organization’s patching process when I interviewed her in January. While Microsoft typically rolls out security fixes the second Tuesday of each month, Snyder said Mozilla aims for a security update every six to eight weeks.

Ending support for Firefox 1.5 should simplify that process.


Security configuration management vendors branch out

The security configuration management market appears to have been in flux over the last year or so. Vendors in this market provide tools that check security configurations and enforce compliance policies against them.

In a study conducted last year by Cambridge, Mass.-based Forrester Research, Altiris and BindView, security vendors that were both acquired by Symantec, were identified as the leaders in the market, followed by LANDesk Software.

But there are a few vendors that remain in the space and are trying to differentiate themselves from the big players. Configuresoft, which competed against Altiris and BindView, is making itself stand out by trying to capitalize on organizations upgrading systems to a service oriented architecture and those that are using server virtualization.

One of the gaps identified by Forrester was on reporting, risk and trend analysis. Configuresoft seems to have addressed that in its recent product.

The company just released its Configuration Intelligence platform, which integrates with BMC Remedy, Microsoft SMS provisioning software, and EMC VMware virtualization software. The software uses business intelligence to provide a level of analytics to give an indicator of system changes and security event issues.

In a briefing I had recently with George Gerchow, Configuresoft technology strategist, Gerchow said that Configuresoft is seeing an increase in businesses choosing security configuration management software as part of their compliance initiatives. Whether it’s PCI DSS or Sarbanes-Oxley, companies are finding that they may be in the dark when it comes to the number of configuration issues that exist in their environment, he said. Also, becoming compliant means having knowledge about how a configuration change affects the company’s entire IT environment.

Do you believe there is room in the security market for vendors in this niche or are larger vendors such as Symantec now providing security configuration management features that are needed?


Are more federal laws the answer to ID theft?

With a growing number of states enacting laws to deal with identity theft, a White House task force has come out with a plan to protect people at the federal level.

In a press release issued Monday on the Federal Trade Commission’s Web site, Attorney General Alberto Gonzales and FTC Chairman Deborah Platt Majoras announced the completion of the President’s Identity Theft Task Force strategic plan. The goal, according to the statement, is “to improve the effectiveness of criminal prosecutions of identity theft; enhance data protection for sensitive consumer information maintained by the public sector, private sector, and consumers; provide more comprehensive and effective guidance for consumers and the business community; and improve recovery and assistance for consumers.”

Majoras said, “Identity theft is a blight on America’s privacy and security landscape. Identity thieves steal consumers’ time, money, and security, just as sure as they steal their identifying information, and they cost businesses enormous sums.”

The task force recommends:

– Reducing the unnecessary use of Social Security numbers by federal agencies.

– Establishing national standards that require private organizations to safeguard the personal data they compile and provide notice to consumers when a breach occurs.

– Implementing a “broad, sustained awareness campaign” by federal agencies to educate consumers, the private sector and the public on methods to deter, detect and defend against identity theft.

– Creating a national identity theft law enforcement center that helps law enforcement agencies coordinate efforts to investigate and prosecute identity thieves more effectively.

The task force recommends several pieces of legislation to make these things happen. While there are already several laws at the state and federal levels to hunt down and prosecute identity thieves, the task force believes sharper teeth need to be added to what’s already on the books.

“Although much has been done to combat identity theft, the specific recommendations outlined in the strategic plan — from broad policy changes to small steps — are necessary to wage a more effective fight against identity theft and reduce its incidence and damage,” the task force said in its press release.

Do you think more federal legislation is the answer to the problem? Let us know what you think in our comments section.
