
NEWS - April 29, 2010

Federal Agencies Wrestle With Cybersecurity's Harsh Realities

"Sophistication of attacks, shortage of resources leads agency IT chiefs to focus less on perfect security and more on risk management"

FedScoop Cybersecurity Leadership Summit -- In a perfect world, U.S. federal agencies would be able to prevent all attacks -- and identify those who launch them. In a perfect world, agencies would comply with all security regulations and provide open access to public information while tightly securing all data that might be important to national security.

There's just one problem: the world isn't perfect.

That was the message here today as top IT executives of several federal agencies -- as well as federal business unit executives of some of the industry's largest vendors -- met in a panel discussion on government cybersecurity programs and the challenges they face. In essence, all of the executives described their efforts to deal with security's realities in a practical fashion, rather than attempting to build impenetrable perimeters.

"The fact is that there is no point of attack that is too obscure to be found, and there is no security perimeter that can't be breached," said Tom Quillin, director of security alliances at Intel Corp. "We need tools and strategies to protect [system] from attack -- but we also need ways to detect attacks and recover from those attacks when they penetrate those defenses."

Continued here:
Russia dominating automated malware kit market

"Kits increasing in size and complexity, says M86 Security"

Russia is dominating the market for automated malware creation kits that are sold online to phishers and data thieves.

A new report from M86 Security, entitled Web Exploits: There's an App for That (PDF), found that the majority of new malware creation kits, such as Adpack and Fragus, are being sold in Russia.

The company had seen a big increase in the size and complexity of such kits, and said that more than a dozen had launched in the past six months.

"People can launch attacks without even knowing a line of code, and the infrastructure now exists to pay the attacker per exploit achieved," said Bradley Anstis, vice president of technology strategy at M86 Security.

"With an attack kit there is literally 'an app for that' and it is driving the explosive growth in internet-borne threats such as spam and zero-day attacks with new kits popping up every day."

Continued here:

Costs Of Data Breaches Much Higher In U.S. Than In Other Countries, Study Says

"Legal requirements for disclosure, notification add high expense to data compromise, Ponemon research says"

A data breach in the United States could cost enterprises twice as much as the same breach costs companies in other countries with less stringent disclosure and notification laws, according to a study published today.

The study, conducted by the Ponemon Institute and sponsored by security vendor PGP, is an extension of the companies' previous cost-of-breach research that examined regional differences in the costs inflicted by compromises of enterprise data. In a nutshell, the study finds breaches are much more expensive in countries that have stringent regulations than in countries that don't.

"The overarching conclusion from this study is the staggering impact that regulation has on escalating the cost of a data breach," says Larry Ponemon, chairman and founder of The Ponemon Institute. "The U.S. figures are testament to this, and it's clear that as breach notification laws are introduced across the rest of the world, other countries will follow the same pattern, and costs will rise."

Continued here:
Spam Poses as a Twitter Email Notification

From TrendLabs Malware Blog:

Beware, Twitter enthusiasts! Spam posing as Twitter email notifications is currently proliferating in the wild. The spam is of two types: the first type attempts to steal personal information or login credentials while the second attempts to infect systems with malware.

A legitimate Twitter notification email looks like this: [...]

It usually begins with "Hi, *name of user*" and contains the words "You have a direct message:", followed by the message itself.

The two Twitter spam samples, on the other hand, look like these: [...][...]

The sample on the left uses a generic greeting while the email body only says, "You have 1 unreaded message from Twitter," followed by a URL. This directs recipients to a site where they are asked to give out personal information. The sample on the right also uses a generic greeting along with the message, "You have 3 information message(s)," followed by a URL. Instead of asking the recipients for personal information when they click the link, malware is instead downloaded onto their systems. However, the malicious URLs are already inaccessible as of this writing.

Spammers and cybercriminals have had a long history with Twitter and its users, as featured in these previous entries:

Diet Twitter Spam (on the) Run
A New Twitter Worm Is Making the Rounds Your Passwords One Tweet at a Time

To protect yourself against similar attacks, always pay attention to every detail in emails you receive. It is, after all, easy to distinguish what is real from what is not. All you need to do is carefully observe.

Continued here:
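The indicators the post lists (personalised greeting versus a generic one, the "unreaded message" lure wording, a bare URL where a real notification carries the message text) can be turned into a simple triage check. This is an added example, not TrendLabs' code; the two messages and the `twitter.example` sender domain are constructed for illustration.

```python
import re

# Constructed samples modelled on the post's description (not real captures).
LEGIT = """From: Twitter <notify@twitter.example>
Subject: Direct message from alice

Hi, Bob Example.
You have a direct message:
alice: see you at the meetup tomorrow
"""
PHISH = """From: Twitter <twitter@mailer.example>
Subject: Unread message

Hi, Twitter user!
You have 1 unreaded message from Twitter
http://twitter-notify.example/login?x=1
"""

GENERIC_GREETINGS = ("twitter user", "user", "customer", "member", "friend")
LURE_PHRASES = ("unreaded message", "information message(s)")
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.I)
EXPECTED_SENDER_DOMAIN = "twitter.example"  # assumed for this example


def score_notification(raw, account_name):
    """Return (score, reasons); a higher score means more spam indicators."""
    headers, _, body = raw.partition("\n\n")
    low = body.lower()
    score, reasons = 0, []
    # 1. A legitimate notification opens with "Hi, <the recipient's account name>".
    m = re.search(r"^\s*Hi,\s*([^\n!.]+)", body, re.I | re.M)
    greeting = m.group(1).strip() if m else ""
    if not m:
        score += 1; reasons.append("no greeting line")
    elif greeting.lower() in GENERIC_GREETINGS:
        score += 2; reasons.append(f"generic greeting '{greeting}'")
    elif account_name.lower() not in greeting.lower():
        score += 2; reasons.append(f"greeting '{greeting}' is not the account name")
    # 2. Lure wording quoted from the spam samples.
    for phrase in LURE_PHRASES:
        if phrase in low:
            score += 3; reasons.append(f"lure phrase '{phrase}'")
    # 3. A URL offered instead of the direct message itself.
    urls = URL_RE.findall(body)
    if urls and "you have a direct message:" not in low:
        score += 2; reasons.append(f"bare URL without message text: {urls[0]}")
    # 4. Sender domain differs from the one notifications should come from.
    sender = re.search(r"^From:.*<[^@>]+@([^>]+)>", headers, re.M)
    if sender and not sender.group(1).lower().endswith(EXPECTED_SENDER_DOMAIN):
        score += 2; reasons.append(f"unexpected sender domain {sender.group(1)}")
    return score, reasons


def is_suspicious(raw, account_name, threshold=3):
    return score_notification(raw, account_name)[0] >= threshold
```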

Symantec buys PGP and GuardianEdge too

"Crypto shopping spree"

Symantec has announced a surprise deal to buy both email and data encryption firms PGP Corporation and GuardianEdge Technologies for a combined total of $370m in cash.

The security giant is paying $300m for PGP and $70m for GuardianEdge as part of deals announced on Thursday and expected to close in June. Both agreements are subject to regulatory approval. Each of the acquisition targets is privately held.

In a statement, Symantec said that encryption technology was key to preventing increasingly frequent and costly data breaches as well as complying with regulatory controls, such as the UK's data protection laws. The proposed deals allow Symantec to offer full-disk, email and mobile encryption products alongside its traditional line of security suites.

Post acquisition, Symantec plans to standardise on the PGP key management platform in order to deliver centralised policy and key management across a suite of encryption products and services. Symantec also intends to integrate the PGP key management platform into the Symantec Protection Center, providing a common dashboard for encryption, endpoint security, data loss prevention and gateway security products.

Continued here:

HP To Buy Palm For $1.2 Billion

"The deal shakes up the smartphone market and gives HP its very own mobile platform: webOS. "

Throwing a lifeline to beleaguered smartphone maker Palm, HP on Wednesday said that it has signed an agreement to acquire the company for $1.2 billion in cash.

HP is characterizing the deal as an opportunity to participate more aggressively in the lucrative smartphone market by combining its scale and financial strength with Palm's innovative webOS. "Palm's innovative operating system provides an ideal platform to expand HP's mobility strategy and create a unique HP experience spanning multiple mobile connected devices," said Todd Bradley, EVP of HP's Personal Systems Group, in a statement. "And, Palm possesses significant IP assets and has a highly skilled team."

In a conference call on Wednesday afternoon, Bradley described the deal as transformational. "Together, HP and Palm will make a powerful combination," he said.

Continued here:

Beijing security know-how rules irk suppliers

"Secret sauce"

Chinese government rules due to come into force on Saturday would oblige security vendors to disclose encryption information.

The regulations mean that suppliers of six categories of products - including smart cards, firewalls and routers - will need to submit trade secrets to a government panel in order to receive a license to sell to government departments.

EU officials have described the move as both protectionist and commercially risky. One concern is that security know-how supplied to the government panel might be disclosed to local firms.

Handing over encryption information is "something companies cannot and will not do," said president of the European Union Chamber of Commerce Jorg Wuttke, The Wall Street Journal reports. US authorities are also opposed to Chinese demands, AP adds.

Continued here:

Why doesn't Windows include native PDF reader support?

On a (much) lighter "PDF note" from the F-Secure Weblog:

Dear Microsoft,

We'd like you to consider developing a PDF reader for your Windows OS.

Something such as Apple's Preview would be great:

PDF Preview
"To view a PDF file, just double-click it to open it in Preview."

Mac doesn't require a third-party app to view PDFs, so why does Windows?

Heck, you don't even need to build it into the OS. Just make it an optional download such as your Save As PDF add-in for Office. [...]

We know, we know... even though anyone is allowed to create applications that can read and write PDF files without having to pay royalties to Adobe Systems, you guys can't. You're just too big and can't ship add-on PDF functionality without freaking out Adobe.

But you know what?

You really shouldn't care anymore. Freak them out.

Your customers are tired of the exploits and the complications that so many of today's PDF readers include.

We just want to read PDFs. We don't want to /launch executables, to play video & audio, or to run JavaScript. A viewer that provides the basic functionality of the PDF/A standard is all we want. Is that so much to ask?

Please give it some thought, thanks.

Sincerely yours,
F-Secure Labs

Posted Here:
