Berners-Lee: Social networks are a ‘threat to the web’

Founder of the web, Sir Tim Berners-Lee, has slammed social networks, claiming they are “a threat to the web”.

Berners-Lee believes Facebook and other social networking sites encourage users to enter their information, which is captured and then reused, but not shared with other websites.

“Large social-networking sites are walling off information posted by their users from the rest of the web,” he said in the Scientific American journal.

Singling out Facebook, LinkedIn and Friendster, Berners-Lee added: “Your social-networking site becomes a central platform — a closed silo of content, and one that does not give you full control over your information in it.”

“The more this kind of architecture gains widespread use, the more the web becomes fragmented — and the less we enjoy a single, universal information space.”

He also slammed Apple and iTunes for being “centralised and walled off”.

“You can access an iTunes link only using Apple’s patented iTunes program,” he said.

“You are no longer on the web. You are trapped in a single store, rather than being on the open marketplace. For all the store’s wonderful features, its evolution is limited to what one company thinks up.”

On the subject of net neutrality, Berners-Lee said it should cover both fixed Internet lines and mobile broadband.

“It is … bizarre to imagine that my fundamental right to access the information source of my choice should apply when I am on my Wi-Fi-connected computer at home but not when I use my mobile phone,” he said.

His comments come just days after the culture minister, Ed Vaizey, suggested the UK should have a ‘fast-lane’ for internet access, with content providers and web users paying to ensure their traffic is prioritized over other traffic.

Vaizey has since backtracked and claimed his comments are in-line with the thoughts of Berners-Lee. However, Berners-Lee said: “There’s no passage in [Vaizey’s] speech where he says he’s against net neutrality. We have discussed it on the phone. But I can’t say yet that we’re entirely in line.”


Posted November 29, 2010 by axxerainc in Uncategorized

Corporate laptops unprotected against theft or data loss

Over half of UK public and private sector organizations are at risk of data breaches, losses and leaks from portable PCs and devices, according to Check Point. A total of 52% of respondents said they do not use data or device encryption to secure their business laptops, and a further 8% admitted they didn’t know if encryption was in use.

Despite the lack of data security on laptops, 68% of organizations reported they had a VPN client deployed on their corporate fleet of portable PCs. This leaves a majority of businesses potentially vulnerable to unauthorized network access from lost or stolen laptops: an unencrypted device that carries a VPN client hands whoever holds it a route into the corporate network.

In addition, the survey of 130 UK IT managers and senior IT staff revealed a growing preoccupation among organizations over consumerization of technology – employees using personal devices like laptops or smartphones for work purposes.

Employees use personal devices for work in 55% of the organizations surveyed; yet 39% of the respondents said they had no formal process for deploying security to these devices.

Only 37% of the organizations prohibit the usage of laptops or smartphones for professional purposes, and 61% restrict access to the organization’s network or data resources from personal devices.

The study also raised the issue of corporate laptop allowances. 10% of respondents said that their company already offers – or plans to offer – personal ‘laptop allowances’ to employees so they can purchase their own laptop for both personal and business use. While 48% agree this will cut down IT expenditure, a majority (68%) were concerned about the security risks involved, and 76% feel this will increase IT management overhead.

Consumerization of business IT is also a clear concern among IT administrators. Many organizations haven’t set up an appropriate plan to secure the use of personal laptops and smartphones in the workplace. These vulnerabilities need to be addressed by a combination of education and technology so that organizations can protect their data, their business and their employees against security risks.

Posted November 29, 2010 by axxerainc in Uncategorized

Malware-as-a-service and mobile security set to be the dominant themes of 2011

Smartphone application control will be the headache of 2011 for IT managers.

According to Ed Rowley, product manager of M86 Security, people have been thinking about smartphone security and threats to the mobile platform for a decade, yet 2011 will be the year when managing applications will cause headaches for the IT department.

Talking to SC Magazine about its M86 Security Labs Predictions 2011 Report, Rowley said: “Managing applications is difficult enough in its own right; from a security perspective, bringing applications on to the network means there is more data to control, and that is not easy to control and manage. It is not going through an HTTP mainframe, and each application is a microcosm in its own right and self-sufficient in accessing data.”

The report claimed that while the RIM operating system continues to dominate, use of Google’s Android operating system and phones running the Google OS have seen tremendous growth over the last year, while the introduction of tablet devices such as the Apple iPad, HP Slate and Android-based tablets signals a potential shift in which cyber criminals target end users via mobile platforms. The report said that as with other platforms, the attackers will go where the most users are and where these users are the least protected.

Elsewhere the report focuses on the evolution of advanced malware, with the likes of the Zeus Trojan an example of how data-stealing Trojans are becoming more sophisticated, while data-stealers such as SpyEye, Carberp and Bugat have also emerged.

Rowley said: “It is getting better, and equipment has to be better and more developed to where it is driven by the needs of security. It is good to see the likes of Microsoft making its operating system more secure and also with web-based email becoming more secure it is very good.”

He also commented that Trojans have gone from just data stealing to man-in-the-browser attacks, actively participating in cyber crime attacks through internet banking. Using this method, they do not need to worry about collecting the information required to impersonate the user; instead they wait for the user to log on and then take over their browsing session.

Finally, M86 Security also said that more ‘attack toolkit’ services are being offered, as a new ecosystem has emerged with different players in the cyber crime ecosystem now offering their products as services, teaming up with other players to offer complete, one-stop-shop cyber-crime-as-a-service capabilities.

According to the report, while a decline in the usage of exploit kits is not anticipated, M86 predicts there will be more consolidated service offerings for cyber criminals. Bradley Anstis, vice president of technical strategy, M86 Security, said: “In 2010, we have seen dramatic increases in issues regarding mobile malware, as well as growing complexity of Trojan horse attacks in the banking industry. Although malware-as-a-service is not new, we are seeing it take hold.

“To outsmart the bad guys, organisations need to first understand where the threats are likely to come from and then second define exactly what needs to be protected, and how critical it is. But just as important, they must lay out their best practice strategies and policies for proactively combating and staying ahead of the emerging security threats.”

Posted November 23, 2010 by axxerainc in Uncategorized

Survey finds that more than half of IT departments do not protect laptops or use data or device encryption

More than half of UK corporate laptops are not protected against theft or data loss.

A survey of 130 UK public and private organisations by Check Point found that 52 per cent of respondents do not use data or device encryption to secure their business laptops, while a further eight per cent admitted they did not know if encryption was in use.

The survey of UK IT managers and senior IT staff revealed a growing preoccupation among organisations over consumerisation of technology, with employees using personal devices like laptops or smartphones for work purposes. It found that employees use personal devices for work in 55 per cent of the organisations surveyed; yet 39 per cent of the respondents said they had no formal process for deploying security to these devices.

Only 37 per cent of the organisations prohibited the usage of laptops or smartphones for professional purposes and 61 per cent restricted access to the organisation’s network or data resources from personal devices.

Nick Lowe, Check Point’s head of sales for Western Europe, said: “All the data security surveys conducted by Check Point in the UK in the last three years have consistently revealed similar results. The use of encryption on corporate laptops has not grown, with less than 50 per cent having data encryption deployed.

“The HMRC data breach of three years ago stressed the need for data encryption, but a majority of businesses have not yet learnt the lesson. Data loss and breaches can strike anytime and affect any organisation, whether private or public.

“Consumerisation of business IT is also a clear concern among IT administrators. Many organisations have not set up an appropriate plan to secure the use of personal laptops and smartphones in the workplace. These vulnerabilities need to be addressed by a combination of education and technology so that organisations can protect their data, their business and their employees against security risks.”

Posted November 23, 2010 by axxerainc in Uncategorized

China did not hijack 15% of the Net, counters researcher

Talk that China hijacked 15% of the Internet earlier this year is overblown, a researcher said today.

“There’s been some confusion over routing versus traffic,” Craig Labovitz, chief scientist at Arbor Networks, said in an interview today. “While maybe 10% to 15% of the routes to other peers may have been diverted, a lot of those routes didn’t propagate.”

Instead of the widely-reported 15%, Labovitz estimated that the actual amount of Internet traffic affected by the April 2010 incident was much lower, on the order of just 0.015%.

Labovitz was reacting to media reports, many of which he said got it wrong, on the disclosure this week by the U.S.-China Economic and Security Review Commission that for 18 minutes on April 8, a significant portion of the Internet’s destinations were routed through servers belonging to China Telecom.

The Commission’s report to Congress noted that the route redirection had affected U.S. government and military networks, as well as major U.S. commercial sites such as Microsoft’s and Dell’s.

“China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers,” the report stated. “Other servers around the world quickly adopted these paths, routing all traffic to about 15% of the Internet’s destinations through servers located in China.”

But routes do not equal traffic, argued Labovitz.

“Think of it like a telephone book,” said Labovitz. “A telephone book could have millions of phone numbers. Say 15% of those numbers are corrupted. But you have to ask how widely were those [corrupted] telephone books distributed.”

Based on data from Arbor Networks’ ATLAS (Active Threat Level Analysis System), Labovitz said that the amount of traffic through the hijacked routes was much, much smaller than 15%.

“There was no statistically significant increase in traffic [through China Telecom] due to the hijack,” said Labovitz. “Most of the re-routing [propagation] didn’t make it very far.”

The Internet relies on a routing system in which numerous routers exchange reachability information with each other to determine the best path for traffic to take to a given destination network. The protocol that decides such routing is called Border Gateway Protocol, or BGP.

Last April, China Telecom’s servers started advertising themselves as the best routes for approximately 15% of the Internet’s total routes. China Telecom has denied hijacking the routes, and experts today said that the incident was probably an accident, not a deliberate attack.
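The routes-versus-traffic distinction Labovitz draws above, as an added example that is not part of the original article and not Arbor's ATLAS code: a route-origin check over constructed BGP announcements, followed by a traffic-weighted impact calculation showing why a large share of diverted routes can correspond to a tiny share of traffic. Every prefix, ASN, byte count and propagation fraction below is made up for illustration.

```python
from ipaddress import ip_network

# Constructed registry of the expected origin ASN for each prefix; stands in
# for a ROA database or an internal allowlist. All values are made up.
EXPECTED_ORIGIN = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
}

# Constructed announcements as (prefix, origin ASN). Two are bogus: a
# more-specific of a registered prefix from an unregistered origin, and a
# registered prefix re-announced from the wrong origin.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500), ("198.51.100.0/24", 64501),
    ("203.0.113.0/24", 64502), ("203.0.113.0/25", 64666),
    ("198.51.100.0/24", 64666), ("10.99.0.0/16", 64777),
    ("2001:db8::/32", 64503), ("192.0.2.128/25", 64500),
]

# Constructed traffic toward each announced prefix (bytes) and the fraction
# of monitored networks that actually accepted each bogus route.
TRAFFIC_BYTES = {
    "192.0.2.0/24": 5_000_000, "198.51.100.0/24": 3_000_000,
    "203.0.113.0/24": 1_000_000, "203.0.113.0/25": 500_000,
    "10.99.0.0/16": 400_000, "192.0.2.128/25": 100_000,
}
PROPAGATION = {"203.0.113.0/25": 0.02, "198.51.100.0/24": 0.01}


def origin_verdict(prefix, origin_asn, expected=EXPECTED_ORIGIN):
    """Route-origin validation in the style of RPKI-ROV: 'valid' when the
    origin matches the registry entry for the longest covering prefix,
    'invalid' when a covering entry exists but the origin differs, and
    'unknown' when nothing in the registry covers the prefix."""
    net = ip_network(prefix)
    covering = [ip_network(p) for p in expected
                if ip_network(p).version == net.version
                and net.subnet_of(ip_network(p))]
    if not covering:
        return "unknown"
    best = max(covering, key=lambda n: n.prefixlen)
    return "valid" if expected[str(best)] == origin_asn else "invalid"


def routes_vs_traffic(announcements, traffic_bytes, propagation):
    """Return (verdicts, share of routes flagged invalid, share of total
    traffic actually diverted). Traffic behind a bogus route only counts
    to the extent that route propagated, which is the point of the
    telephone-book analogy: corrupted entries matter only where the
    corrupted book was distributed."""
    verdicts = [(p, asn, origin_verdict(p, asn)) for p, asn in announcements]
    bad = [p for p, _, v in verdicts if v == "invalid"]
    route_share = len(bad) / len(announcements)
    total = sum(traffic_bytes.values())
    diverted = sum(traffic_bytes.get(p, 0) * propagation.get(p, 0.0)
                   for p in bad)
    return verdicts, route_share, diverted / total
```

With the constructed data, 25% of the announcements are flagged invalid but only 0.4% of the traffic is diverted, the same order-of-magnitude gap the article describes.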

ATLAS provides carriers, providers and others with what Labovitz called “a 20,000-foot view” of how much of the Internet’s traffic goes through any of the 110 to 120 carriers that the system monitors.

“[ATLAS] is the largest data set in the world of traffic impact,” claimed Labovitz. “It gives a really good coarse-grained picture of the Internet.”

While the confusion over routes versus traffic created what Labovitz dubbed “hyperbole” in the media, he refused to downplay the significance of the incident.

“Any corruption of the Internet’s infrastructure is significant,” he said. “What this shows is that routing has a number of critical security problems, and that the industry is on borrowed time.”

In a blog post earlier Friday, Labovitz called BGP “incredibly insecure,” and bemoaned the lack of progress in the last 15 years, even in the face of numerous demonstrations of the routing system’s fragility.

“The Internet routing system still relies primarily on trust, or ‘routing by rumor’ if you are more cynical,” he wrote.

But he was still optimistic that change might come.

“We talked DNS security even longer than BGP, [and although] it took something that was so scary, we’re now seeing a community will to make the changes in DNS happen,” Labovitz said.

The “scary” DNS event Labovitz referred to occurred in 2008, when researcher Dan Kaminsky uncovered a critical design flaw in the DNS (domain name system) protocol and then led a months-long, coordinated, large-scale, multivendor patching effort in July 2008.

Posted November 23, 2010 by axxerainc in Uncategorized

Most common malware detected on Macs

Sophos recently launched its free Mac anti-virus for home users, which now has 150,000 active users, and has analyzed the malware that Mac users most commonly encounter.

The top 20 most commonly detected malware from just under 50,000 malware reports between November 2nd and November 16th 2010 are listed below:

Mal/ASFDldr-A – 4.62%
Troj/Javadl-V – 3.67%
Mal/JavaKC-G – 2.96%
Mal/JavaKC-E – 2.36%
Troj/KeygenD-P – 1.59%
Mal/JavaHU-A – 1.36%
Mal/JavaK-CI – 1.35%
Troj/JavaDL-X – 1.21%
Troj/Bytever-G – 1.11%
Mal/JavaHibis-A – 1.06%
Mal/JavaK-CK – 1.03%
OSX/Jahlav-C – 0.98%
Troj/JavaDL-J – 0.96%
OSX/DNSCha-E – 0.95%
Mal/Javasnd-C – 0.91%
Macl/Conficker-A – 0.80%
Troj/JavaDL-W – 0.76%

Many of the threats detected are Windows-specific threats that do not attack Mac OS X directly, but can be transferred by Mac machines to other platforms.

However, this list also shows some Mac OS X-specific Trojans, which are typically disguised by hackers on BitTorrent sites or planted on websites as alluring downloads or plugins to view videos, as well as platform-independent Java attacks.

“Mac users can no longer afford to keep their heads in the sand when it comes to protecting their machines,” said Graham Cluley, senior technology consultant at Sophos.

“So long as Mac users don’t properly defend themselves, they will increasingly be perceived as a soft target by cybercriminals and we will therefore see the volume of Mac-specific malware continue to rise. It’s reassuring that we’ve been receiving feedback from users who were surprised to find malware on their beloved Macs. Hopefully, more and more Mac users will start to realise that security isn’t just an issue for PC users and they will start to take more measures to protect their computers.”

Posted November 23, 2010 by axxerainc in Uncategorized

You can do everything right and still be a security attack victim

More organizations now rate information security an upper level priority compared to two years ago, according to a study by CompTIA.

But that good news is offset by bad news. Many companies continue to play catch-up, struggling to keep pace with new threats and vulnerabilities. Additionally, more organizations believe the severity level of security attacks is on the rise. For most organizations, it’s not a matter of “if” but “when” the next security breach will occur. Furthermore, organizations can do everything right and still succumb to a sophisticated, targeted security attack.

Across all countries included in the study, information security trends upwards as an organizational priority: 35 percent in 2008, 49 percent in 2010 and an expected 62 percent in 2012. Firms in South Africa, India, Brazil and the United Kingdom place the most emphasis on information security as an organizational priority, although other countries are not far behind.

The data suggest organizations continue to face traditional IT security threats – viruses, email and browser-based attacks and user abuse – as well as emerging challenges, including social media-based attacks, phishing, cloud computing security and security in a mobile environment.

“Information security affects more organizations on more levels as technology permeates every functional area of a business and more staff members assume the role of knowledge worker,” said Tim Herbert, vice president, research, CompTIA. “As organizations invest in new solutions to enable employees anytime, anywhere access to information, tools and collaboration, they must contend with the possibility of introducing new vulnerabilities into the security equation.”

From the perspective of IT and business executives, factors that make the security landscape riskier today include the rapid rise of social networking, cited by 52 percent of respondents; more reliance on Internet-based applications (50 percent); and the growing sophistication, criminalization and organization of hackers motivated by financial gain (48 percent).

Another new security challenge for organizations is the impact of the recession and economic distress. Thirty-four percent of respondents believe their internal security threat level has increased as a result of the recession, with their greatest concerns coming from departing employees having knowledge of logins, access points and other potential vulnerabilities.

Organizations employ a number of steps to respond to security breaches, including updating security policies, investing in better technology and expanding training. All these steps are having a positive impact. Respondents in the CompTIA study say the security landscape is improving due to better technology (55 percent), improving IT staff expertise (41 percent), improving security policies and procedures (36 percent) and better end user training (33 percent).

“While much attention is given to what’s wrong with information security, it’s sometimes easy to overlook what’s going right,” Herbert said.

IT security spending priorities are fairly consistent across the geographies included in the study. Topping the list of priorities are firewall or other security infrastructure hardware, software for malware protection, other monitoring software and protection against spam email.

Posted November 23, 2010 by axxerainc in Uncategorized