Security Bytes - A SearchSecurity.com blog


The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Security industry consolidation - be prepared

The security industry is in a state of consolidation. Some experts point out that it’s normal for larger vendors to fill in feature gaps with smaller niche players, but what happens when one of your products gets gobbled up by a larger vendor? For this podcast, I spoke with Andy Jones, a researcher with the UK-based Information Security Forum, and he explained to me how to develop an effective security strategy to deal with large projects and defend the budget to upper management. Paul Adamonis, director of security solutions at Forsythe Security, talked to me about navigating industry consolidation by developing a unique buying strategy based on topics, not vendor relationships; and finally, freelance journalist Sandra Kay Miller gave me her observations of the industry and explained why she thinks some companies aren’t prepared to deal with this era of consolidation.


What does Google want in the security industry?

As you most likely know by this point, Google has recently built an in-house anti-malware team and brought the team out into the light of day via a new blog. When I read Ryan Naraine’s post about the Google security team, my first reaction was, What does Google know from security? A lot, as it turns out. The company has taken a similar approach to the one Microsoft employed in building its antivirus response team: identify the best people in the field and go hire them. In Microsoft’s case, they lured Vinny Gullotto away from Symantec and Jimmy Kuo away from McAfee, among others. Google is not so much worried about viruses as it is about things such as malicious code hosted on legitimate Web sites, spyware, botnets and other Web-based threats. So the company has brought in Niels Provos, an expert on DoS attacks and worm defense;

So it seems like Google is on the right track, but it’s still unclear to me exactly what the company’s intentions are in regards to security. Will they be releasing Web security tools for users and webmasters to implement? Or will the security folks just be working behind the scenes on in-house projects? It’s probably too early to tell, but if the recent past has taught us anything about Google, it’s that the company doesn’t do anything halfway or without a lot of forethought. That might portend more sleepless nights for security vendors who already have to worry about Microsoft encroaching on their turf and now have the considerable shadow of the Googleplex hanging over them.


Mobility forces Sun to open Windows

Had an interesting conversation with new Sun Microsystems CISO Leslie Lambert this week. Lambert is a Sun veteran, having held a litany of IT roles, including several line-of-business CIO titles. Lambert shared a little about her short- and long-term goals; they include different aspects of identity management, such as role-based access controls, and change management. The most interesting, however, reflects concerns any enterprise with intellectual property would have: data protection and mobility.

Sun is a global enterprise and its development and sales forces operate on campuses around the world. Sun Ray virtual desktop Java thin clients will remain standard issue, she says, but the need for mobility means a prevalence of Macintosh and Windows-based notebooks and devices. This is unavoidable and necessitates some flexibility and admittedly some security tradeoffs, says Lambert, who carries a Sony P910 mobile phone.

“Sun is an environment where we have not permitted a lot of Windows desktops. We’re shifting there,” Lambert says. “With our [employees] working from home or various campuses, the need to put more mobile devices for productivity is a reality. We’ll have to now focus on higher levels of data protection.”

Lambert says Sun employees can expect a ramp-up of awareness programs and security tools on those devices including antivirus, firewall and network access control that authenticates and audits mobile devices before they connect to the Sun network. In addition, depending on the categorization of data on the device and job responsibilities, hardware encryption may soon be part and parcel of laptops; all will have encryption software installed.

“Sun has been in a position to be able to create so much unique intellectual property to offer to the industry,” Lambert says. “Our collection of IP is who we are; protecting that is important.”


Mozilla to issue its final Firefox 1.5 fix

Wednesday is the day Mozilla will release the final security update for Firefox 1.5. After that, it will nudge users to make the switch to version 2.0.

The Mozilla Developer Center blog outlined the plan:

“On Wednesday, May 30, we expect to begin distributing Firefox 1.5.0.12 and Firefox 2.0.0.4 via automatic updates. These are standard stability and security updates for the browser to ensure a fast and secure online experience for our users. We expect this is the final stability and security release for the version 1.5 product series. Firefox 1.5.0.12 includes an auto-update mechanism that offers users the ability to migrate to Firefox 2. The upgrade offer will be enabled within a few weeks. We strongly encourage everyone to download Firefox 2 now at www.getfirefox.com to benefit from features that make search, communication and online security more effective.”


Phishing attack targets top execs

The Better Business Bureau has posted a warning about phishing attacks that target top executives in different business sectors.

“The BBB name continues to be used in phishing scams,” the organization said. “Fraudulent emails containing malicious links and viruses have been sent to businesses and consumers around the country claiming to contain information on a complaint filed with the Better Business Bureau. None of the BBB’s computer and email systems are involved in this hoax. The BBB and authorities are working together to stop these continued attacks.”

Here’s some more from the Web site posting:

THE EMAIL YOU RECEIVED MAY BE FRAUDULENT IF:

  • The email reply address is fake, like those listed below. (Please note: the phishers are constantly changing their tactics but so far they have been using addresses similar to these.)
    • complaints@bbb.org
    • operations@bbb.org
    • consumer-complaints@bbb.org
    • complains-serv@bbb.org
    • compl-srv@bbb.org
    • complntscentercase@bbb.org
  • The body of the email begins with text similar to the below:
    You have received a complaint in regards to your business services .The complaint was filled By [Complainant’s Name] on 24/05/2007/Complaint Case Number: 363619942
    Complaint made By Consumer - [Complainant’s Name]
    Complaint registered against : - [Company Name]
    Date: 25/05/2007/

Targeted execs are advised to steer clear of such links and attachments, and to aid the investigation by forwarding the email and its headers to phishing@cbbb.bbb.org.
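As an added example (not part of the BBB posting), here is a small triage check a mail administrator could run over a suspicious message: it parses the e-mail, compares the reply address against the addresses the BBB listed above, and looks for the complaint-notice boilerplate quoted in the warning. The sample message is constructed for this example.

```python
import email
import re
from email import policy

# Reply addresses the BBB reported seeing in the scam (taken from the posting above).
KNOWN_FRAUD_ADDRESSES = {
    "complaints@bbb.org",
    "operations@bbb.org",
    "consumer-complaints@bbb.org",
    "complains-serv@bbb.org",
    "compl-srv@bbb.org",
    "complntscentercase@bbb.org",
}

# Body boilerplate quoted in the warning, matched case-insensitively.
BODY_PATTERNS = [
    re.compile(r"you have received a complaint in regards to your business", re.I),
    re.compile(r"complaint case number\s*:\s*\d+", re.I),
]

def reply_address(msg):
    """Return the lower-cased address a reply would go to (Reply-To, else From)."""
    header = str(msg.get("Reply-To") or msg.get("From") or "")
    match = re.search(r"[\w.+-]+@[\w.-]+", header)
    return match.group(0).lower() if match else ""

def triage(raw):
    """Return the list of indicators found in a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if reply_address(msg) in KNOWN_FRAUD_ADDRESSES:
        findings.append("reply address matches a reported scam address")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for pat in BODY_PATTERNS:
        if pat.search(text):
            findings.append("body matches complaint-notice boilerplate: " + pat.pattern)
    return findings

# Constructed sample resembling the e-mail quoted in the BBB warning.
SAMPLE = """From: BBB <compl-srv@bbb.org>
To: ceo@example.com
Subject: Complaint Case Number: 363619942
Content-Type: text/plain

You have received a complaint in regards to your business services .The complaint was filled By [Complainant's Name] on 24/05/2007/Complaint Case Number: 363619942
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message that trips any of these checks should be forwarded with full headers to the address the BBB gives above rather than acted on.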


Report: China preparing for cyberwar

If the Defense Department’s recent report to Congress on China’s military might is to be believed, the communist nation is going all-out to prepare for future warfare in cyberspace.

According to the report, China’s military has amassed first-strike capabilities that include units tasked with writing malware that can be hurled at enemy computer networks.

“The PLA (People’s Liberation Army) has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks,” the report says. “In 2005, the PLA began to incorporate offensive CNO (computer network operations) into its exercises, primarily in first strikes against enemy networks.”

Fears over state-sponsored cyberattacks grew recently when the Baltic country of Estonia suffered a series of blistering distributed denial-of-service attacks. Experts initially feared the attack was sponsored by Russia, but researchers ultimately determined the onslaught was the handiwork of ragtag groups in command of botnets.


Leadership shake-up at VeriSign

VeriSign — parent company of iDefense Labs — has a new chief executive, following the abrupt resignation of Chief Executive and Director Stratton D. Sclavos.

The new president and chief executive is William A. Roper Jr., who has been a director of VeriSign since November 2003. He was most recently executive VP of Science Applications International Corporation.

The company isn’t offering a specific reason for Sclavos’ exit, though the Dow Jones Market Watch site says the board of directors determined it had “reached a point in its evolution where it can benefit from new leadership.” However, the board did say in a statement that a “review of the company’s historical stock option grant practices by an ad hoc group of independent members of VeriSign’s board of directors … did not find intentional wrongdoing by any current member of senior management, including Sclavos.”

Sclavos said in the statement: “I want to thank the people of VeriSign for their support and contributions over the past 12 years. I am proud of my role in building VeriSign into the great company it has become, and wish all of my associates the very best in the coming years.”

The company has postponed its June 6 analyst meeting until a later date.


Security researcher shocked at CIO, CISO grasp of security concepts

How knowledgeable is your CIO or CISO about the latest security technologies or even the most basic security concepts?

Writing about her recent experiences speaking at several security conferences, security researcher Joanna Rutkowska, said in her Invisible Things blog recently that she was shocked at the level of understanding many CIOs and CISOs had about basic security concepts.

Rutkowska keynoted at the InfoSecurity conference in Hong Kong. Her central message was that “technology is just as flawed as the so called ‘human factor,’ understood here as a user’s unawareness and administrator’s incompetence.” Rutkowska said that although it was the least technical presentation she’s ever given in her life, it was still perceived as too technical by the audience.

“And I didn’t even mention any specific research I’ve done – just some standard stuff about exploits etc…,” Rutkowska wrote.

In a discussion panel after the keynote, Rutkowska observed that some CIOs and CISOs were naïve to many basic security concepts.

I’m sure some upper level IT pros go to security conferences to gain a higher level of understanding of security technologies. But if you’re going to be a presenter or taking part in a panel discussion, you should probably have a basic level of IT security knowledge. Do CIOs and CISOs have an agenda when they take part in a security conference or are they really there to give attendees insight on ongoing IT projects?


Google launches its own security blog

For the last year and a half, I’ve been writing a weekly column called Security Blog Log, about what IT security pros are discussing in the blogosphere. Starting this week, the column will be posted in this blog. Since this is a column about blogs and we now have our own, we thought the move would make sense. Let us know what you think. Meantime, here’s a look at what security bloggers are focusing on this week:

Google launches its own security blog

We’ve written plenty about Google-based threats of late, but the search giant has just made a big gesture to show it takes security seriously — it has launched a blog all about Google security.

say in the blog’s inaugural posting that online security is an important issue for Google, its users and anyone who uses the Internet.

“Thus, we’ve started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security,” they wrote. “Among the issues we’ll tackle is malware.”

They note that Google started an anti-malware effort about a year ago. “As a result, we can warn you in our search results if we know of a site to be harmful and even prevent exploits from loading with Google Desktop Search,” they said.

Still shopping after the data breach

In the Emergent Chaos blog, Adam Shostack asks why customers don’t take their business elsewhere after a company acknowledges a data breach. He offers two theories: people may simply not know about the breaches, or they are so overwhelmed with notices that they can fail to grasp the significance of a data breach notification letter.

“The trouble is, I haven’t met anyone who says that they’ve gotten so many notices they just ignore them now,” he wrote. “Absent data, I’m leaning toward the first explanation.”

One of his readers responded that his or her parents continued shopping at TJ Maxx even after TJX disclosed the breach that exposed at least 45.7 million credit and debit card holders to identity fraud. This, the respondent said, is because they didn’t understand what it means to have that information stolen, and that’s probably what has happened in many instances.

Shostack is looking for more feedback, so here’s my two cents: People have a tendency to ignore a problem until they personally suffer some consequences. I doubt identity theft victims who have traced their woes back to the TJX breach are still shopping there.

From phishing to vishing

Gunter Ollmann over at IBM ISS has an entry in the Frequency X blog this week about the increasing threat to VoIP users. He points to a white paper on what has become known as “vishing” — phishing attacks directed at VoIP users. Given the explosion of VoIP usage in the last couple years, it makes sense that attackers would use the technology to dupe users with the same social engineering tricks that seem to work so well for them everywhere else. Here’s a bit from Ollmann’s posting:

“Phishing has increasingly developed into a broader category of threats that rely on social engineering to cause a message recipient to perform auxiliary activities that enable the phisher to conduct the second phase of the attack. Phishers rely on numerous Internet messaging systems to propagate their attacks. As such, many similar-sounding threats have been named based on the messaging system being used—each with its own nuances and target audiences.”

Hence the term “vishing,” for phishing attacks aimed at VoIP users.

Update on Mary Ann Davidson blog

I recently took Oracle CSO Mary Ann Davidson to task for not updating her blog more often. Out of fairness, I’m back to report that after a gap of nearly four months, the Mary Ann Davidson blog has a fresh entry connecting her travels in the Holy Land with some lessons about security in the age of Web 2.0.

I’ll leave it to readers to visit her blog for the full details. My purpose here is to restate my opinion that blogs should be updated regularly, especially when the blogger is focusing on current events.

My gripe with Mary Ann’s blog was that she hadn’t updated a Jan. 29 posting in which she touted what was at the time an upcoming keynote address at the RSA security conference from Oracle CEO Larry Ellison. As RSA attendees know, it’s a keynote Ellison canceled at the 11th hour.

It’s understandable when a blogger is kept from filing regular updates due to business travel and other reasons. But when facts that were true at the time of posting change, the blogger has a responsibility to correct the record, at least out of respect to customers who are visiting the blog for guidance on what the company is up to.

As I said in that previous column, Oracle has caught plenty of flak for not being on top of its security game. To be fair, the company has taken some encouraging steps in recent months to improve the patching process for DBAs, including its decision to streamline the quarterly patch bulletin, offer more details about its security holes and even offer advance notice on upcoming fixes.

But when the database giant’s main security voice stays silent for long periods of time and leaves her blog out of date, it doesn’t help to bolster the company’s image.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.


Symantec flaw blamed for university hack

The University of Colorado at Boulder has acknowledged that 44,998 student names and Social Security numbers were exposed to potential identity fraud when a worm attacked a computer server in the College of Arts and Sciences’ Academic Advising Center. The students, enrolled at CU-Boulder from 2002 to the present, are being notified by the University of Colorado at Boulder’s College of Arts and Sciences, the university said in a Web site statement.

The IT department discovered May 12 that the worm entered the server through a flaw in its Symantec antivirus software. That flaw had not been properly patched by Arts and Sciences Advising Center IT staff, the university admitted. Investigators don’t believe the hacker sought personal data, but was instead attempting to take control of the machine to allow it to infiltrate other computers both on and off the Boulder campus.

“The server’s security settings were not properly configured and its sensitive data had not been fully protected,” Bobby Schnabel, CU-Boulder vice provost for technology, said in the statement. “Through a combination of human and technical errors, these personal data were exposed, although we have no evidence that they were extracted.”

Todd Gleeson, dean of CU-Boulder’s College of Arts and Sciences, said he would request that all Arts and Sciences Advising Center IT operations be placed under the direct central control of CU’s Information Technology Services department.
