Thursday, January 26, 2012

Symantec Urges Customers to Disable pcAnywhere

The breach of Symantec source code by an Indian hacking group a few weeks ago was all but brushed off by the security giant. Symantec went on the record saying that the leaked code is, "so old that current out-of-the-box security settings will suffice against any possible threats that might materialise as a result of this incident." 

However, in a posting on their website yesterday and an accompanying technical white paper, Symantec suggests that pcAnywhere customers are at a heightened risk and advises users to "disable the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks." Customers could be at risk for "man in the middle" attacks where an unauthorized person accesses pcAnywhere transactions and intercepts data as it travels from its source to its destination. These attacks are more likely because the blueprints for Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack) and pcAnywhere were accessed in the breach. The information contained in these blueprints makes it easier to identify and exploit software vulnerabilities. 

Symantec reps say that there are 50,000 people using the standalone version of pcAnywhere along with an unknown number of users who received the product bundled within other security packages.

Wednesday, January 25, 2012

Almost 1/3 of Americans Own an E-Reader or a Tablet

According to new research released by the good people at The Pew Internet Project,  "the share of adults in the United States who own tablet computers nearly doubled from 10% to 19% between mid-December and early January and the same surge in growth also applied to e-book readers, which also jumped from 10% to 19% over the same time period." This brings the total number of Americans who own at least one tablet or e-reader to 29%.




This study puts solid numbers on the tablet and e-reader market growth speculations. It is becoming more and more important for organizations to look into how they are going to integrate tablet and, more broadly,  mobile security into their enterprise DLP strategy. 

Two of the largest enterprise DLP vendors, Symantec and Websense, are introducing a DLP plug-in for tablets this year. The concept for tablets is pretty basic and shared for the most part across vendors. It works like an endpoint monitor that views and classifies information as it flows from a tablet to a web or cloud application. If the content is deemed appropriate, it is allowed to reach its destination; if the content is sensitive, the plug-in notifies DLP administrators, blocks the content, or does both.

Tuesday, January 24, 2012

Unsecured Video Conferencing Systems May be Exposing Your Meetings





"SAN FRANCISCO — One afternoon this month, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms; videoconferencing equipment.

With the move of a mouse, he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.

In this case, the hacker was HD Moore, a chief security officer at Rapid7, a Boston based company that looks for security holes in computer systems that are used in devices like toaster ovens and Mars landing equipment. His latest find: videoconferencing equipment is often left vulnerable to hackers."
Read the rest of this article here: Flaws in videoconferencing systems put boardrooms at risk

Friday, January 6, 2012

Symantec confirms source code leak in two enterprise security products


Computerworld has a great article on Symantec's recent source code leak in India. It was supposedly taken from a government database in India where it is not uncommon for tech companies to have to submit their source code to prove they are not using their software to spy on the government. I think many organizations will take notice of this breach and begin to push back more on the requirements to submit source code.

Computerworld - Symantec late Thursday confirmed that source code used in two of its older enterprise security products was publicly exposed by hackers this week.

In a statement, the company said that the compromised code is between four and five years old and does not affect Symantec's consumer-oriented Norton products as had been previously speculated.

"Our own network was not breached, but rather that of a third party entity," the company said in the statement. "We are still gathering information on the details and are not in a position to provide specifics on the third party involved. Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions," the statement said.

Symantec spokesman Cris Paden identified the two affected products as Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2. Both products are targeted at enterprise customers and are more than five years old, Paden said.

"We're taking this extremely seriously, but in terms of a threat, a lot has changed since these codes were developed," Paden said. "We distributed 10 million new signatures in 2010 alone. That gives you an idea of how much these products have morphed since then, when you're talking four and five years."

Symantec is developing a remediation process for enterprise customers who are still using the affected products, Paden noted. Details of the remediation process will be made available in due course, he added.

Compliance and Protection are NOT Synonymous

Much of the focus in the Data Loss Prevention market is on questions such as "How do I pass a PCI audit?", or any kind of data security/privacy audit for that matter. While failing an audit can be costly in the form of penalties and upgrades, this focus can also lead to a myopic view of data security.


Beyond compliance lies much more. Passing an audit with flying colors can still mean an organization's data is vulnerable to a variety of evolving attack vectors such as the much publicized "zero-day attack." In a zero-day attack a hacker exploits computer application vulnerabilities that are unknown to others or the software developer. These vulnerabilities are shared with other hackers and used as a way to gain entry to an organization's network.


How should an organization protect themselves from zero-day attacks and other attack vectors? One way to do this is by taking a data-centric approach to protecting corporate information assets. Voltage Security President and CEO Sathvik Krishnamurthy recently discussed his idea of what a data-centric approach entails:
"From the very first point of entry, the data, structured or unstructured, is encrypted. As it is used across data centers, public and private clouds and mobile devices—in use, in transit, or at rest—it remains encrypted. That’s important because in the event of a breach, the theft of data is minimized."
The idea of encrypting all data across an organization gives many IT managers a headache. Managing encryption keys with a key database that stores a copy of every key ever issued, and changing existing structures to fit how that database behaves, can be costly, put undue pressure on IT management and create oppressive overhead. These operational barriers have made encryption an impractical and expensive option for large-scale deployments.


Fortunately, there is a solution that makes key management less cumbersome and more practical. Voltage Security has released a Stateless Key Management system that securely and mathematically derives any key, as required by an application, once that application and its users have been properly authenticated and authorized against a centrally managed policy. Voltage Stateless Key Management reduces IT costs and eases the IT administrative burden by:

  • Eliminating the need for a key database, as well as the corresponding hardware, software and IT processes required to protect the database continuously or the need to replicate or back-up keys from site to site.
  • Easily recovering archived data because keys can always be recovered.
  • Automating supervisory or legal e-discovery requirements through simple application APIs, both native and via web services.
  • Maximizing the re-use of access policy infrastructure by integrating easily with identity and access management frameworks and dynamically enforcing data-level access to data fields or partial fields, by policy, as roles change.
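
To make the "derive instead of store" idea concrete, here is an added sketch (not Voltage's algorithm or code) that re-derives a per-field key on demand with HKDF-SHA256 after an authorization check against a central policy. The master secret, policy table, field names and the `derive_field_key` helper are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo values (assumptions, not from the page).
MASTER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
POLICY = {  # role -> data fields that role may derive keys for
    "billing": {"card_number"},
    "support": {"email"},
}


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    if length > 255 * 32:
        raise ValueError("requested key too long for HKDF-SHA256")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_field_key(role: str, field: str, key_epoch: int) -> bytes:
    """Re-derive the key for (field, epoch) on demand; nothing is stored.

    The caller is assumed to be authenticated already; only the
    authorization step against the central policy is modelled here.
    """
    if field not in POLICY.get(role, set()):
        raise PermissionError(f"role {role!r} may not access field {field!r}")
    # Length-prefix the field name so distinct (field, epoch) pairs can
    # never encode to the same info string.
    name = field.encode()
    info = len(name).to_bytes(2, "big") + name + key_epoch.to_bytes(4, "big")
    return hkdf_sha256(MASTER_SECRET, b"stateless-demo-v1", info)


if __name__ == "__main__":
    k1 = derive_field_key("billing", "card_number", 2012)
    k2 = derive_field_key("billing", "card_number", 2012)  # e.g. years later
    print("re-derived key matches:", hmac.compare_digest(k1, k2))
    print("new epoch, new key:", k1 != derive_field_key("billing", "card_number", 2013))
```

The trade-off of any scheme like this is that the master secret becomes the single asset to protect: whoever holds it can derive every key, which is also why archived data stays recoverable.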


Wednesday, January 4, 2012

Stratfor Breach

New year, new breach investigation. This time hackers claiming to be a part of the "hacktivist" group Anonymous have breached Austin-based research company Strategic Forensics. A spokesperson from Anonymous denies this claim and lays blame on a hacker known as “Sabu,” who is closely associated with the LulzSec group.


Strategic Forensics, commonly known as "Stratfor", lost data for about 4,000 clients including passwords, credit card details, and home addresses. 


The hacker or hackers claim they will use the credit card information to make fraudulent donations to charities. Many experts speculate that they will also make efforts to decrypt the passwords and then use them to try and gain access to other accounts held by Stratfor's considerably high-end clientele. Their clients span many big name organizations including U.S. Military, U.S. State Department, Bank of America, JP Morgan Chase, IBM, and Microsoft employees.


This initial dump of client information is apparently not the final blow for Stratfor from Anonymous. The group is planning to release millions of private company emails as well.


For a great article on this breach: Digital Trends -- Stratfor Breach