Security Bytes - A SearchSecurity.com blog

The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

3Com acquired by Bain Capital Partners for $2.2 billion

In late 2004, 3Com was in a buying mood when it acquired IPS vendor TippingPoint for $430 million in cash. This past June, 3Com announced it was planning an IPO for its TippingPoint security unit some time in the near (or not-so-near) future. Now there’s more uncertainty for TippingPoint users, with 3Com announcing it will be acquired by private-equity firm Bain Capital Partners for $2.2 billion in cash.

As part of the acquisition deal, Chinese networking vendor Huawei Technologies Co. is set to gain a minority stake in 3Com, according to published reports.

In a conference call, 3Com Chief Edgar Masri insisted customers won’t know the difference. “It’s business as usual at 3Com,” he declared. “We’ll continue to focus on their current and long-term needs.”

Whether it’ll still be business as usual when the new parent company decides how to assimilate the pieces is anyone’s guess.

IT professionals we’ve talked to in the past have always had mixed feelings about the management of their security tools after they pass from the hands of one vendor to another. Some saw improvement in their security tools and services after an acquisition, while others have reported the opposite.

A rough week for Google security

Google’s security reputation has been taking a beating in the blogosphere this week, with researchers spotlighting new flaws in the search giant’s popular tools.

Software developer Giorgio Maone offers a very good analysis in his Hackademics blog of which Google programs are flawed and who discovered them. He outlines four issues:

– A Google Search Appliance XSS flaw discovered by researcher MustLive, affecting almost 200,000 paying customers of the outsourced search engine and its users.

– A Picasa exploit discovered by researchers Billy Rios and Nate McFeters that leverages a combination of XSS, cross application request forgery, Flash same domain policy elusion and URI handler weaknesses to steal private pictures straight from the user’s local hard disk when he or she visits a malicious Web site.

– A simple but far-reaching flaw, given the huge number of users involved, is an XSS discovered by researcher beford in Google Polls, a feature that lets Google integrate the same functionality across multiple services. Apparently, it can be used to attack Search, Blogspot, Groups and Gmail. Two proof-of-concepts demonstrate how Google contacts and incoming Gmail messages can be stolen by those who exploit this one.

– An Urchin Login XSS disclosed by GNUCITIZEN’s Adrian Pastor, which could be exploited to compromise local Google Analytics installations.

“These vulnerabilities are surely being fixed at top speed, since Google is one of the most reactive organizations in this fight,” Maone writes. “But they’re nonetheless disturbing because they hit the very main player on the field, with the largest user base on the Web.”

Computer scientist Kurt Wismer writes in his Anti-Virus Rants blog that there are relatively simple ways for Google users to protect themselves against these types of flaws.

“What if you’re like me [and] you use more Google apps than just Gmail?” he asked in his blog entry. “What if you use Blogger for example, or Google Reader, or Google Notebook, or Google Groups, etc. If you’re like most people you use the same Google account for all of them — your gmail account. It’s convenient, you only need to remember one username and password, and when you visit an exploit page while still logged in to one of these other Google Web applications your Gmail account gets pwned because logging into one logs into all.

“Now, you could always hope Google fixes these problems before you get caught, or use tools like the noscript Firefox extension that should be able to help most of the time, but you might not realize that you can also use a non-Gmail Google account for those Web applications. Then, not only is it easier to stay logged out of Gmail while using the other Web applications, logging into the account used for those other applications will actually force you to log out of your Gmail account.”

He then outlines steps users can take in that direction.
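Wismer’s point is that one login shared across several Web applications is really one session cookie that every application host receives, so a script injected into any of them rides on the same session as Gmail. The following is an added example (not code from this blog, from Wismer, or from Google) that models that with the standard-library cookie jar: the hosts mail/groups/reader.example.com, the cookie names and the values are all constructed, and the layout is a simplified model rather than Google’s real cookie scheme. A cookie whose Domain is the parent domain is attached to every app host; a cookie scoped to a single host is attached only there, which is the narrowing effect of using a separate, non-Gmail account for the other applications.

```python
"""Model of how a session cookie's Domain scope decides which web apps share a
login.  Added example, not code from the blog or from Google; the hosts
(mail/groups/reader.example.com) and the cookie names are constructed."""
import http.cookiejar
import urllib.request


def make_session_cookie(name, value, domain):
    """Build a Netscape-style (version 0) session cookie for the cookie jar.

    A domain starting with "." is a domain cookie: browsers send it to every
    host under that domain.  A bare hostname scopes the cookie to that host only.
    """
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookies_sent_to(jar, url):
    """Return the names of the cookies the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


def build_demo_jar():
    """Constructed cookie jar: one domain-wide login plus one host-scoped login."""
    jar = http.cookiejar.CookieJar()
    # One login for the whole parent domain: every app host receives it,
    # so a script running on any of them is as good as being logged in to mail.
    jar.set_cookie(make_session_cookie("SHARED_SID", "mail-session", ".example.com"))
    # A second account whose session is scoped to a single app host only.
    jar.set_cookie(make_session_cookie("GROUPS_SID", "groups-session", "groups.example.com"))
    return jar


# Constructed application hosts standing in for separate Web apps on one domain.
APP_URLS = {
    "mail": "https://mail.example.com/inbox",
    "groups": "https://groups.example.com/forum",
    "reader": "https://reader.example.com/feeds",
}


def session_exposure(jar=None):
    """Map each app to the session cookies a script injected on that host can use."""
    jar = jar or build_demo_jar()
    return {app: cookies_sent_to(jar, url) for app, url in APP_URLS.items()}


if __name__ == "__main__":
    for app, names in session_exposure().items():
        print(f"{app:7s} -> {names}")
```

Running it shows SHARED_SID attached to all three hosts while GROUPS_SID reaches only groups.example.com; the cookies are marked Secure, so a plain http:// request to the same hosts gets nothing. The blast radius of an XSS on any one host is exactly the set of cookies that host receives, which is why keeping the mail session on its own account (or, on the server side, its own host-scoped cookie) limits what an exploit page elsewhere on the domain can reach.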

I checked the Google security blog to see if they had anything to say about all this, and they didn’t. But if our coverage of the search giant in recent months is any indication, there’s reason for optimism. Google has shown in a number of ways that it’s taking security seriously. One thing that impresses me is that they just come out with security initiatives, without months of hype leading up to it. Some examples:

– Last week, Google unveiled a new fuzzing tool called Flayer.

– In May Google acquired security firm GreenBorder Technologies Inc., which specializes in sandbox technology to defend email and Web users from malware.

– In July, Google acquired security and compliance vendor Postini Inc. for $625 million in cash, promising to use the company’s technology to harden defenses around its popular line of hosted applications.

I think it’s safe to say they understand how tempting a target their tools are to the bad guys.

But in the final analysis, it’s up to users to use all these nifty Google tools with care. A good example is the use of Gmail. We’ve written time and time again about the dangers of Web-based email offerings and about the need for IT shops to have sound policies to govern how they can be used in the work place.

Mike Chapple, an IT security professional with the University of Notre Dame, wrote a decent tips column outlining the risks of such Web-based programs a couple years ago, and his points are still relevant today.

As dangers he cited the following:

1. Failure to secure Web-based email sites.

2. Inadequate policies regarding employee access to external Web-based email.

3. Inadequate policies regarding Web-based access to corporate email.

4. Bypassing corporate content filters.

5. Use of third-party email services.

While his advice is specific to email, it still illustrates an important lesson for any IT shop that allows the use of Google programs:

There must be rules for when and how these programs can be used, and the IT environment must be equipped with layers of security technology that will blunt the impact of any Google-related exploits.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

The case for identity-enabled devices

I wanted to highlight an article that debuted on the site this week that was written by Joel Dubin, which makes the case for identity-enabled network devices. On one hand, as Joel writes, the technology is meant to add an extra layer of security to any kind of network device by requiring both the user and the device to authenticate, but at the same time, it’s worth asking whether the added complexity and hardware requirements (devices dating back before 2006 won’t cut it) make it more of a burden than it’s worth.

We’re always interested in what our readers think, so let us know if this is or isn’t a concept that makes sense (and one you’d like us to write more about in the future).

Hacking threat to power plant systems rises to alarming level

Remember that power outage in 2003 that left New York and other Northeastern cities in the dark? The situation was corrected in a few days and in that time business came to a complete standstill. Now imagine that on a greater scale and you could start to see the economic consequences.

CNN is reporting today about a secret experimental cyber attack which caused a generator to self-destruct. Officials at the Department of Energy’s Idaho lab conducted an experiment in which security researchers hacked into a replica of a power plant’s control system. The experiment, called “Aurora,” was conducted in March.

According to a video, obtained by CNN, the experiment caused a generator to self-destruct sending sparks and smoke shooting from it.

The threat to our electrical infrastructure is so alarming that Department of Homeland Security officials are making it a priority. Or is it a priority? The fact that the experiment made it out of the DHS and into the hands of CNN reporters raises a red flag. Someone may have thought that public pressure is needed to make it a priority.

Industry experts told CNN that the experiment shows large electric systems are vulnerable in ways not previously demonstrated. They point out that cybersecurity spending is projected to increase only slightly next year. In fact, spending in the Department of Homeland Security is projected to decrease to less than $100 million, with only $12 million spent to secure power control systems.

And right now Congress is debating spending more than $200 billion for the war in Iraq.

eBay hacked, user data compromised

eBay is getting a lot of unwanted attention today, after someone managed to post personal contact information and credit card numbers for about 1,200 eBay users on the eBay.com Trust & Safety forums.

eBay has yanked the Trust & Safety forums offline, but the trouble doesn’t end there. According to published reports, someone recorded a video of the hacked forums and put it on Youtube.com. (Update: The video was recently removed for a terms of use violation.)

eBay posted this message on the eBay Chatter blog in response:

“Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account take over.

“The posts ALSO appeared to contain credit card information — however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. We’re in the process of reaching out by phone to these members so that, if the information is valid somehow — regardless how this fraudster acquired the information — these members can take the steps they need to take to protect themselves.

“eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the Trust & Safety forum unavailable to our Community. It’s still temporarily inaccessible, as the teams work on this issue.”

Symantec sets its own Halo 3 launch

The marketing team at Symantec has dreamed up its own competition analogous to the Halo 3 launch set for this week.

Symantec wants to turn its customers into Master Chief to save their IT infrastructures – instead of alien hordes, it’s viruses and worms that you’ll have to gun down.

The marketers are trumpeting their new endpoint security software with its own 3D first-person-action video game, the Symantec Endpoint Protection Game Contest.

Players have a chance to win a 42” Panasonic HDTV Plasma Television and a Sling Media SlingBox Pro device.

Symantec explained in a press release, “Players must eliminate all viruses, worms, and other online threats to their IT infrastructure. Their only weapons are a cool pair of sunglasses and the integrated tools in Symantec Endpoint Protection 11.0.”

The contest starts Sept. 27 and ends Nov. 27. The marketing geniuses have produced a trailer and a Web site to register and learn more about the game.


Reports say hackers hit DHS computers

The agency tasked with protecting America from terrorist attacks is apparently having trouble keeping the bad guys out of its computer systems. What’s worse is that the company hired to secure those systems knew about hacking activity and tried to cover it up, according to investigators.

According to published reports, hackers were able to compromise dozens of machines at the Department of Homeland Security (DHS) and transfer sensitive data to Chinese-language Web sites. Investigators accuse Unisys Corp. of trying to hide the attacks from DHS. Unisys — which has a $1 billion contract to protect DHS computers — has denied doing so.

“Unisys vigorously disputes the allegations … ,” Unisys said in a statement Monday. “Facts and documentation contradict the claims described in the article, but federal security regulations preclude public comment on specific incidents. We can state generally that the allegation that Unisys did not properly install essential security systems is incorrect. In addition, we routinely follow prescribed security protocols and have properly reported incidents to the customer in accordance with those protocols.”

The news has some in Congress demanding a deeper investigation. “The results of our [committee] investigation suggest that the department is the victim not only of cyberattacks initiated by foreign entities, but of incompetent and possibly illegal activity by the contractor charged with maintaining security on its networks,” Democratic Reps. James Langevin of Rhode Island and Bennie Thompson of Mississippi said in a written statement.

Microsoft’s BlueHat conference returns this week

Microsoft is holding the latest edition of its twice-yearly BlueHat Security Briefings this week, and the speaker lineup is a who’s who of researchers and technologists. The topics of the scheduled talks run the gamut from security problems in virtualized platforms to mobile and embedded security to the current state of the Microsoft Security Response Center. Here’s a quick look at some of the talks:

  • Black Ops 2007: DNS Rebinding Attacks, Dan Kaminsky, IO Active
  • Subverting Windows CE Kernel for Fun and Profit, Petr Matousek, Coseinc
  • Mobile and Embedded Security-The Elephant Under the Carpet, Ollie Whitehouse, Symantec
  • WabiSabiLabi: The Exploit Marketplace Project, Roberto Preatoni, WabiSabiLabi
  • Malware, Isolation and Security Boundaries: It’s Harder Than it Looks, Mark Russinovich, Microsoft

Looks like a great conference. Too bad you can’t attend, and neither can I. BlueHat is strictly invitation-only and Microsoft mostly just invites internal folks and a couple of outsiders. We’ll be keeping an eye on it, though, and will let you know what comes out of it.

Storm worm is not so bad after all

For any of you who are nostalgic for the halcyon days of 2001 and 2002 when network-aware worms such as Code Red, Slammer and Nimda ruled the headlines, the success of the Storm worm in the last year must bring back some fond memories. Or not. But at the very least it has shown us that the malware writers have not completely abandoned their craft. The good folks at the Microsoft Anti-Malware Engineering Team have been on the ball as well, and the team has put together a fascinating analysis of the Storm worm, which they call Nuwar, and its prevalence and resilience.

After much work and testing, we made this month’s Malicious Software Removal Tool available for download September 11, and now after one week, we would like to share some of the statistics with you. But before I do, the researcher in me requires that I give you the caveats. First, MSRT is targeted against very specific known malware. It is well known that the “Storm” attacks are engineered by criminals who update their malware frequently. As a result, we are in an endless chase. But that doesn’t mean we shouldn’t try to make things better. Also, once we decide to take on a family in the MSRT, we continue the assault on that family moving forward, so we will keep at it. Because of all the testing that has to be done, we have to freeze our signature additions weeks in advance to make sure we have ample time to do the testing required to release a product as error free as possible (since even a small percentage of errors will impact thousands or millions of people).

Finally, to the numbers (numbers as of 2PM Tuesday, PDT).

The Renos family of malware has been removed from 668,362 distinct machines. The Zlob family has been removed from 664,258 machines. And the Nuwar family has been removed from 274,372 machines. In total, malware has been removed by this month’s MSRT from 2,574,586 machines.

So, despite some public concern in the press and among researchers about the “Storm” worm, it ranks third among the families of malware whose signatures have been added to the MSRT.

Jimmy Kuo, who wrote the Storm post, said that information from other AV researchers tells Microsoft that the MSRT took out about 20% of the worm’s DDoS capabilities in one day on Sept. 11. Not too bad. The only problem is that the worm’s authors know when Microsoft releases a new version of the tool and typically release a new version of Storm the next day. So the cat-and-mouse game continues.

Another day, another Windows zero-day

This hasn’t been the best of weeks for Windows administrators. First came news that Jonathan Sarba of the GoodFellas Security Research Team had discovered a flaw in the MFC42 and MFC71 libraries offered natively in Windows.

Now, researcher Petko D. Petkov — discoverer of the QuickTime attack vector Mozilla moved to block this week with a Firefox security update — is warning of a serious flaw in Adobe Acrobat/Reader in which .pdf files can be used to compromise a Windows machine. Petkov says in his blog that this can be done “Completely!!! Invisibly and unwillingly!!! All it takes is to open a .pdf document or stumble across a page which embeds one.”

He adds in the blog posting: “The issue is quite critical given the fact that .pdf documents are in the core of today’s modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs (proof-of-concept code). You have to take my word for it. The POCs will be released when an update is available.”

The SANS Internet Storm Center warned about the flaw on its Web site, but said it has no information about any exploits.