Security Bytes - A SearchSecurity.com blog



The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

McAfee buys DLP vendor Reconnex

The data loss prevention (DLP) market continues to consolidate. McAfee on Thursday said it agreed to acquire privately owned DLP company Reconnex for $46 million in cash. Last year, EMC/RSA Corp. acquired Tablus Inc. and Symantec Corp. acquired Vontu Inc.

Data protection is the top concern for CISOs, “but today’s DLP solutions take too long to deploy and obtain results,” McAfee Inc. CEO Dave DeWalt said in a prepared statement. “With the pending acquisition of Reconnex, McAfee expects to redefine the entire data protection market by bringing together a leader in the hottest segment with our comprehensive portfolio of data protection technologies.”

McAfee’s announcement included a statement from Brian Burke, program director of security products and services at IDC, describing Reconnex Corp.’s gateway-based technology as complementing McAfee’s host-based data protection technology.

McAfee previously acquired Onigma and SafeBoot Corp. and in January repackaged SafeBoot’s endpoint encryption with its DLP products. The Reconnex deal is expected to close in the third quarter.

A recent Forrester Research Inc. report on the DLP market gave high marks to Reconnex for its automated data classification and analysis engine.

California elections official wins over techies

California Secretary of State Debra Bowen spoke to an appreciative crowd at the USENIX Security Symposium this week in San Jose. The state’s top elections official earned a long round of applause from the techie crowd after her opening keynote, “Dr. Strangelove or: How I Learned to Stop Worrying and Love the Paper Ballot.” A couple of attendees praised Bowen for ordering a top-to-bottom review of electronic voting systems used in California. The review, conducted last year by a team of computer security experts, uncovered a number of flaws in systems from Hart InterCivic Inc., Sequoia Voting Systems Inc. and Diebold Elections Systems ULC (now Premier Election Solutions Inc.).

In her keynote, Bowen compared those who “continue to deny the insecurities with electronic voting machines” to those who deny the evidence about global warming. “We’re always going to be chasing the latest exploits,” she said. “That’s why we’re looking at layered security.” While she doesn’t think a perfect voting system exists or could be created, Bowen promoted a system using paper ballots backed up with optical scanning to record the votes. The state can verify vote counts through random sample hand tallies. “Hand tallies mean never having to say ‘I trust you’ to thousands of lines of code,” Bowen said.

Study highlights Web threats

At the USENIX Security Symposium in San Jose on Wednesday, a Google researcher presented a study on the pervasiveness of drive-by-downloads on the Internet, and the findings were unsettling, to say the least. Over a 10-month period last year, researchers analyzed 66 million URLs and detected more than 3 million that tried to automatically install malware on a visitor’s computer. They also found that about 1.3% of Google search queries returned at least one malicious URL.

“Our research has shown Web-based malware is a significant problem … and there are no good proactive defenses against it,” said Niels Provos, senior staff software engineer in Google’s infrastructure group. The problem is so widespread that even cautious Web surfers can run into malware. While adult websites had twice as many drive-by-downloads, “regular Web users, even if they stay away from the dirty parts of the Internet, have a good chance of running into malicious sites,” he said.

The fundamental problem is insecure Web servers, Provos said. Attackers often inject new content into a compromised website and use invisible HTML components such as zero pixel IFrames to hide the content, according to the study. In most cases, the injected content redirects a website visitor to a remote site that hosts a script designed to exploit the browser. The researchers counted more than 9,000 malware distribution sites.
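The invisible-IFrame injection the study describes is something a site owner can check for on their own pages. The scanner below is an added example, not code from the original post or from Google’s study: it parses HTML and flags any iframe that is both hidden (zero or near-zero dimensions, or hidden by CSS) and points at a host other than the page’s own. The sample page and every hostname in it are constructed placeholders.

```python
# Added example (not from the original post): flag the "invisible IFrame"
# pattern from the Google study: an <iframe> with zero/near-zero dimensions
# or hidden styling whose src points off-site. Sample HTML is constructed and
# its hostnames are placeholders, not real malware sites.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

MAX_HIDDEN_PX = 1  # width/height at or below this counts as "zero pixel"


class HiddenIframeScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").lower().replace(" ", "")
        reasons = []
        for dim in ("width", "height"):
            # Dimension may come from the attribute ("0", "0px") or from CSS.
            m = re.match(r"\s*(\d+)", a.get(dim) or "") or re.search(dim + r":(\d+)px", style)
            if m and int(m.group(1)) <= MAX_HIDDEN_PX:
                reasons.append(f"{dim}<={MAX_HIDDEN_PX}px")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        # The pattern of interest is an iframe that is both hidden AND off-site.
        if reasons and host and host != self.page_host:
            self.findings.append((src, reasons))


def find_hidden_iframes(html, page_host):
    """Return [(src, reasons), ...] for hidden, off-site iframes in `html`."""
    scanner = HiddenIframeScanner(page_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a same-site iframe, a visible third-party widget, and
# one injected zero-pixel iframe (placeholder host).
SAMPLE_HTML = """<html><body>
<iframe src="https://www.example-bank.test/help" width="600" height="400"></iframe>
<iframe src="https://widgets.partner.test/chat" width="300" height="200"></iframe>
<iframe src="http://injected.placeholder.invalid/x.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML, "www.example-bank.test"):
        print(src, ", ".join(reasons))
```

Run over a site’s own templates or a crawl of its rendered pages, a hit on a host the site does not intentionally embed is a strong sign of injected content and a reason to look at how the server was modified.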

China is a big contributor to the problem, the study showed. Sixty-seven percent of all malware distribution sites were hosted in China; 64% of sites that trigger drive-by-downloads were hosted in China.


Aladdin buys Secure Computing’s SafeWord

Aladdin Knowledge Systems Inc. agreed to acquire Secure Computing Corp.’s Secure SafeWord two-factor authentication business Wednesday for $65 million.

The deal adds to Aladdin’s strong authentication eToken product line and gives it a network of channel partners. Secure Computing’s president and CEO Daniel Ryan said the sale of SafeWord allows the company to focus on its security gateway appliance business. Secure Computing’s SafeWord business unit and all its employees are expected to be incorporated into Aladdin.

Symantec upgrades NAC with better guest user integration

The latest upgrade to Symantec Network Access Control (SNAC) significantly improves management of guest users, a prime driver in the NAC market and not a strong suit for Symantec Corp. until now.

“Network-based vendors tend to focus on guest users and unmanaged devices, because that’s where their strength is on the network,” said Patrick Wheeler, Symantec’s senior product manager for endpoint security.

Wheeler said Symantec has always been strong in the managed user area. He said the upgrade gives managed and unmanaged users a single product.

The upgrade allows Symantec NAC customers to centralize policy for both managed and unmanaged users and devices in one place, through Symantec Endpoint Protection Manager. Further, temporary guest client software — dissolvable Java agents — can be issued directly by the Network Access Control Enforcer appliance in gateway or DHCP mode.

Up until now, these guest features were only available in a separate product, Symantec On-Demand Protection for Web Applications. Wheeler said this is serviceable, but requires some integration and two management points.

Symantec customers can have a Web login and RADIUS or Active Directory authentication for guests, as well as a single point of policy control for both managed and unmanaged users.

In addition to guest users, Symantec NAC now supports MAC-based 802.1X authentication for unmanaged devices, such as printers and UPS devices.

Emergency fix in the works for critical Oracle flaw

A dangerous new remotely exploitable vulnerability in one of Oracle Corp.’s key products has prompted the database giant to step outside its normal quarterly patch cycle and publish a workaround to help customers protect their networks.

The flaw in WebLogic Server and WebLogic Express enables an attacker to compromise a vulnerable machine without having to go through any authentication phase. There is exploit code available for the vulnerability and Oracle said in its advisory that the issue is as serious as they come. The company is working on an emergency patch for the problem, which it plans to publish soon. The vulnerability lies in the Apache plug-in for Oracle’s WebLogic server and is a buffer overflow, which could allow a remote attacker to use a special HTTP request to compromise the server. The attack could either crash the server or give the attacker the ability to run code. Oracle officials said the emergency patch response was the result of the vulnerability becoming public shortly after the company’s July 15 patch release.

“Unfortunately, the person(s) who published this vulnerability and associated exploit codes did not contact Oracle before publicly disclosing this issue. This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers. In addition, the vulnerability was made public shortly after the publication of the July 15th Critical Patch Update, therefore prompting Oracle to issue an out of cycle security update,” Eric Maurice, marketing director at Oracle, said in a blog post on the issue.

HIPAA violations cost Seattle health care provider

Interesting news on the HIPAA front. Seattle-based Providence Health & Services has agreed to a settlement over HIPAA security and privacy violations, the U.S. Department of Health and Human Services (HHS) announced last week. In what HHS called the first of its kind “resolution agreement,” Providence will pay $100,000 and implement a corrective plan after losing backup media and laptops containing personal health information in 2005 and 2006.

Previously, HHS’ Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS), which enforce HIPAA’s privacy and security rules, settled complaints by requiring organizations to make changes to their security and privacy practices. A CMS spokesman said last fall that the agency preferred resolving problems rather than punishing mistakes, but this agreement with Providence may indicate that the government is stepping up HIPAA enforcement. A statement by Winston Wilkinson, OCR director, certainly seems to signal a change: “We are committed to effective enforcement of health information privacy and security protections for consumers. Other covered entities that are not in compliance with the privacy and security rules may face similar action.”

In the Providence case, backup tapes, optical disks and laptops containing unencrypted personally identifiable health information were taken out of two Providence home health care operations and later lost or stolen. More than 360,000 patients were affected. In addition to the fine, Providence agreed to revise its policies and procedures regarding safeguards for off-site transport and storage of electronic media containing patient information. It also must train employees on the safeguards, conduct audits and site visits of facilities, and submit compliance reports to HHS for three years.

Study shows most bank Web sites have serious security design flaws

A new study from researchers at the University of Michigan reveals that 76% of more than 200 bank websites had at least one security design flaw. This is truly shocking news. I had to go back and read the results a couple of times just to make sure I had it right. I could not believe that 24% of the tested sites didn’t have a flaw. How is this possible? Have that many companies really gotten their acts together on software security?

Well, it turns out that the kind of flaws that the Michigan researchers were looking for aren’t the kind that can be identified by a scanner or automated code test. Instead, they were looking for the kind of problems that cause customers to make bad decisions about security when they’re using a particular bank’s site, including:

  • a break in the chain of trust
  • presenting secure login options on insecure pages
  • contact information/security advice on insecure pages
  • inadequate policies for user IDs and passwords
  • emailing security-sensitive information insecurely

If you think about the ways that most users interact with their bank’s website, you could argue that these problems are just as worrisome, if not more so, than the software bugs that lurk in every Web application. One would assume that the vast majority of banks do some sort of code review of their Web applications before deploying them. Those reviews are vital and can catch a lot of serious issues. But it seems clear from the Michigan team’s work that not many banks are doing any kind of usability/design review to see how users interact with their applications and where they might trip up.

“However, our work shows that most financial websites are not adequately protected against secure usability design flaws. These flaws can prevent even the most knowledgeable user from making proper security decisions. We found that 76% of sites have at least one design flaw. The pervasiveness of these flaws indicates that they are not well-understood by Web security experts,” the researchers wrote in their conclusion. “Our work also shows that the current set of Web security analysis and design techniques still leave significant security gaps.”

Noted reverse engineer outs DNS flaw details

Halvar Flake, CEO of SABRE Security GmbH, who criticized Dan Kaminsky’s DNS server flaw as overblown, has caused a stir among security researchers for possibly exposing the details in a blog post.

Flake hypothesized on his blog about how an attacker could conduct DNS cache poisoning by flooding the server with requests until a legitimate answer is received. The goal is to get a DNS cache poisoning packet to match the transaction ID, according to Flake’s post. The technique also involves redirecting the name server to an IP address set up by the attacker, and the use of bailiwick checking to dupe the server into believing the queried domain is legitimate.

Security researcher Thomas Ptacek and the team at Matasano Security, LLC responded quickly to the post with a post of their own, but quickly pulled it down, calling the post an error in judgment. Ptacek was one of two researchers briefed by Kaminsky on the details of the flaw. In the original post, Matasano said the attack could occur in less than 10 seconds, according to a researcher who had the post cached in his RSS feed reader.

“We confirmed the severity of the problem then and, by inadvertently verifying another researcher’s results today, reconfirm it today,” Ptacek said. “This is a serious problem, it merits immediate attention, and the extra attention it’s receiving today may increase the threat. The Internet needs to patch this problem ASAP.”

Kaminsky said he was trying to keep details of the flaw private to give companies and the government time to patch their Domain Name System (DNS) servers. In a Twitter post late Monday night, Kaminsky confirmed that the researchers had figured out the details.

“DNS bug is public. You need to patch, or switch to opendns, RIGHT NOW,” Kaminsky said.

In a similar message on his DoxPara Research blog, Kaminsky warned IT pros to deploy the patches immediately.

“Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have.”

Intel & Symantec tout app virtualization

Intel Corp. and Symantec Corp. executives touted the benefits of application virtualization in a roundtable discussion with reporters Thursday in San Francisco.

Virtualization at the application level separates the application from the operating system, preventing applications from modifying system files and avoiding DLL conflicts, said Mike Ferron-Jones, marketing manager at Intel. The technology allows applications to run on clients and be administered from a central location.

“It’s a great way to deploy applications in a way that eliminates the root cause of many helpdesk calls,” he said.

Application virtualization offers IT organizations the ability to save money and maintain control over licensing and patching while giving end users the mobility and performance they need, Ferron-Jones and Brian Duckering, senior product marketing manager in the Endpoint Virtualization Group at Symantec said.

“You can strike a balance between the user and IT needs,” Duckering said.

Virtualization, however, doesn’t eliminate security problems, the executives said.

“An unpatched virtual application is just as vulnerable as an unpatched local application,” Ferron-Jones said.

Duckering cautioned that companies shouldn’t deploy virtualization just for the sake of it. “Understand why you’re doing it and what you’re trying to accomplish.”

Symantec is working on a virtualized security system for Intel’s vPro platform, but a published report last summer said licensing issues were delaying its release. The system will be isolated from the primary OS with the goal of making it tamper resistant.

In a statement Friday, Symantec said customers have been beta testing the first version of the virtual security system and “that customer input will be used for virtual security solutions going forward, but we do not have any dates set for a product release yet.” The company said it’s continuing to work with Intel and its vPro platform from an endpoint management standpoint.