InformationWeek Stories by Larry Greenemeier
http://www.informationweek.com
Copyright 2012, UBM LLC.

2007-09-18T00:01:00Z
InformationWeek 500: How MassMutual Got Its Security Data Under Control
Application framework automatically pulls risk and security-related information from various security systems, letting insurer quickly respond to threats while also cutting costs.
http://www.informationweek.com/news/201806190?cid=RSSfeed_IWK_Authors

With threats proliferating and a steady stream of software vulnerabilities to track, it's only natural that companies want as much information about the security of their IT environments as possible. That's no small task, though, when the information is spread across a dozen applications scattered throughout a company that handles sensitive personal information, and lots of it.

With this in mind, MassMutual, known officially as Massachusetts Mutual Life Insurance, spent the past year and a half making use of an application framework that automates its ability to pull risk and security-related information from a number of different security systems. Automation has let the company more quickly respond to threats while cutting costs associated with finding, assessing, and responding to these dangers. And it helps prioritize, so the company is spending time on the greatest risks.

MassMutual's approach to security is "now based on a more current, holistic picture of the enterprise," CIO Mike Foley says.

With so many risks to evaluate, MassMutual needs to be able to move back and forth from the big picture to specific areas of concern. "We need to be able to drill down on specifics, but there are so many things to track that we also need to look at them collectively," says Bruce Bonsall, VP of information security at the financial services company, which had $456 billion in assets under management at the end of last year, and U.S.
insurance policy sales of $1.6 billion.

[Illustration by Curtis Parker]

Bonsall and his team are charged with protecting MassMutual's main offices in Springfield, Mass., and Enfield, Conn., against intrusions and cyberthreats. With 6,000 employees across those two locations, an equivalent number of PCs, thousands of servers and networking devices, and about 700 applications, that's no small order.

Just as important is the need to protect MassMutual's Web site, which is composed of 7,000 pages and dozens of applications, much of which is available to its more than 12 million individual and business clients looking for information about the dozens of services the company provides. In addition to life, disability, and long-term care insurance, MassMutual offers mutual funds, college savings plans, and other investments. From the Web, investors can track the performance of their investments, transfer funds, and set alerts that inform them of changes. Business owners and benefits administrators rely on the site to manage insurance, retirement, and other benefits they offer employees. Brokers and financial services providers that resell MassMutual's services look to the site for information about marketing and maintaining those services.

SPOTLIGHT ON SECURITY
As it interacts with all clients and partners, MassMutual collects and retains a lot of sensitive company and personal information. The risks involved with handling that data are something CIO Foley is hyperaware of. "Customer confidence and our reputation in the industry are critical to the continuing success of our business," he says.

As a result, security has garnered more attention within MassMutual, among its clients, and from regulators. "A lot more people care about security than did in the past," Bonsall says. "And a lot of this comes from what customers read about data breaches elsewhere." Potential customers are asking a lot more questions about security, and they can be very specific when submitting requests for proposals, right down to asking MassMutual what kinds of firewalls it uses, he says.

Answers to security questions come from MassMutual's 50-person security group that includes an internal consulting team, which assigns members to projects based on security subject matter experts; a security infrastructure engineering team that supports firewalls, intrusion prevention devices, and other security tools; a security assurance team that analyzes security monitoring data; and a team responsible for identity management.

RISK TOURING
Early last year, MassMutual deployed security management software--Archer Technologies SmartSuite Framework--to help its security staff quickly assess and prioritize risks. "We needed something to aggregate information, to bring data into one source," says Mandy Andress, the company's assistant VP of information security. The information being aggregated ranged from data related to security and compliance requirements to vulnerability assessments provided by Qualys' managed security services and data on server configuration settings from NetIQ's Security Management software.

SmartSuite lets companies create applications and databases that automate the storage and management of security-related information.
Companies such as MassMutual use this information to assess compliance with government regulations, like the 1999 Gramm-Leach-Bliley Financial Modernization Act, which lays out rules for protecting consumers' personal financial information. SmartSuite also can be used to classify data according to its sensitivity and track change requests to firewall policies.

With the SmartSuite Framework, MassMutual has built what Andress describes as a "risk-touring engine" that assesses applications and systems, taking into consideration factors such as operating systems, programming languages, Internet exposure, and known vulnerabilities. It creates an aggregate risk score for each app and system that the company uses to determine which risks need to be addressed first. The system assigns security problems, such as a virus outbreak or an unauthorized user attempting to access a database, a weighted value that's also calculated into the risk score. It produces bar graphs, pie charts, and other visual displays from these scores to help managers make sense of the data and formulate a security strategy. When Bonsall or his team wants more detail, they click on the charts to see what factors went into assigning a particular score.

PATCH ALERT
MassMutual has configured the framework to identify high-level risks and issue alerts to its security assurance team, which has three workers assigned to evaluate risks to determine actions needed to address them. One such alert recently was triggered by an unpatched server. Further investigation revealed that although it was running one of the company's management programs, it was an older system that MassMutual wouldn't be using for much longer, so it didn't need to be patched.
LESSONS LEARNED
Look At Big Picture: MassMutual integrated multiple-risk data sources to get a more holistic view of threats.
Offload: By automating risk assessment, it could respond faster to critical threats.
Make Use Of Existing Resources: Insurer leveraged internal systems of record for key items such as application and server asset listings.
Be Prepared: MassMutual found it needed to provide detailed remediation options with the initial communication of an identified risk.

After its first year in operation, the risk assessment framework's ability to aggregate information about vulnerabilities and threats has led to configuration changes that improved efficiency, Andress says. Analysis that previously required months of research can be done in minutes and in much greater detail, leading to a 97.5% cost reduction in the risk analysis process, she says. But the cost savings were ancillary, she adds. "We didn't implement the Archer system specifically to save money."

The system does provide as much as 75% cost savings when MassMutual adds new sources of risk data because the process of adapting to them takes weeks rather than months. "We made sure we would be able to easily adapt to changing threats," Andress says. She sees security problems in the future mostly coming from existing threats that find new channels--such as the Web or wireless networks--into IT environments.

One of the most recent threats: toolkits that help criminals create multivector threats, Bonsall says. "The pace of this is quickening," he notes, "and the threats are more lethal than they were before." This means MassMutual, like most companies, has less time to fix an increasing number of software vulnerabilities. In such a situation, knowledge truly is power.

2007-08-13T00:00:00Z
The Face Of Identity Theft
Stolen TJX data has surfaced in two cases in Florida.
http://www.informationweek.com/news/201400172?cid=RSSfeed_IWK_Authors

While the culprit (or culprits) who stole 45.7 million customer records from TJX remains at large and unknown, law enforcement officials have arrested at least 10 people since the beginning of the year for their roles in using that stolen information to commit fraud.

In July, the U.S. Secret Service announced the arrest of four Floridians: Miguel Alegria, 46, of Hialeah; Raynier Pupo, 22, of Miami; Ariel Montero, 32, of Aventura; and Javier Padron-Bravo, 35, also from Aventura. They're charged with aggravated identity theft, counterfeit credit card trafficking, and conspiracy. The Secret Service was able to trace the origin of the data used by these alleged fraudsters back to the TJX theft, as well as to a separate data breach at Polo Ralph Lauren.

The south Florida arrests resulted in the recovery of about 200,000 stolen credit card account numbers responsible for fraud losses roughly calculated to be more than $75 million.
Agents also seized two pickup trucks, $10,000 cash, and a handgun in connection with the case.

[Photo: Six people arrested in Florida allegedly had bought $8 million worth of Wal-Mart gift cards using stolen TJX data]

This was the second high-profile bust related to the TJX breach. In March, the Gainesville Police Department and Florida Department of Law Enforcement caught six people with fake credit cards, created using stolen TJX data, who had bought $8 million worth of gift cards at Wal-Mart and Sam's Club stores in 50 of Florida's 67 counties. Police charged Irving Escobar, 18; Reinier Camaraza Alvarez, 27; Julio Oscar Alberti, 33; Dianelly Hernandez, 19; Nair Zuleima Alvarez, 40; and Zenia Mercedes Llorente, 23, with an organized scheme to defraud, a first-degree felony. Police issued additional warrants at the time, hoping to catch others involved in the fraud ring.

The alleged fraudsters were exposed when Wal-Mart employees became suspicious of certain shoppers who were using multiple gift cards--many of them worth $400--to pay for their purchases.
The $400 denomination was significant because gift cards valued at $500 or more require the customer to provide some form of identification.

The arrests were made after police analyzed transaction records and video footage of the alleged perpetrators, who were buying large quantities of computers, gaming devices, and big-screen televisions.

Additional evidence suggests that TJX's exposure to fraud is likely worse than these two high-profile cases indicate. In January, Visa's director of fraud control e-mailed financial institutions that the data theft involved millions of card accounts across all major payment brands accepted by TJX. The e-mail also stated that 77% of the fraudulent transactions using stolen TJX customer information took place in the United States, particularly in California, Florida, Illinois, New York, and Texas.

Photo by Sacha Lecca

Return to the story: The TJX Effect (http://www.informationweek.com/story/showArticle.jhtml?articleID=201400171)

2007-08-11T00:02:00Z
The TJX Effect
Details of the largest breach of customer data are starting to come to light.
http://www.informationweek.com/news/201400171?cid=RSSfeed_IWK_Authors

TJX will be glad when this year is over. The $17 billion-a-year parent company of T.J. Maxx, Marshall's, and several other discount retail chains has spent the past eight months dealing with the largest breach of customer data in U.S. history, the details of which are starting to come to light.

Last December, TJX says it alerted law enforcement that data thieves had made off with more than 45 million customer records. Since that time, at least one business, Wal-Mart, has lost millions of dollars as a result of the theft, while TJX has spent more than $20 million investigating the breach, notifying customers, and hiring lawyers to handle dozens of lawsuits from customers and financial institutions.
Should TJX lose in the courts, it could be on the hook for millions more in damages.

But there's an even broader TJX Effect: The data breach, which actually took place over a period of years, has put the entire retail industry on the defensive and stirred up demands for all businesses that handle payment card information to do a better job of protecting it. Legislators are invoking TJX's name to fast-track data-security bills.

Few details of the TJX debacle have been made public by the company or investigators. As recently as June, TJX said in a regulatory filing that it didn't know "who took this action, whether there were one or more intruders involved, or whether there was one continuing intrusion or multiple, separate intrusions." Still, important details can be gleaned from internal and external sources.

Poorly secured in-store computer kiosks are at least partly to blame for acting as gateways to the company's IT systems, InformationWeek has learned. According to a source familiar with the investigation who requested anonymity, the kiosks, located in many of TJX's retail stores, let people apply for jobs electronically but also allowed direct access to the company's network, as they weren't protected by firewalls. "The people who started the breach opened up the back of those terminals and used USB drives to load software onto those terminals," says the source. In a March filing with the Securities and Exchange Commission, TJX acknowledged finding "suspicious software" on its computer systems.

The USB drives contained a utility program that let the intruder or intruders take control of these computer kiosks and turn them into remote terminals that connected into TJX's networks, according to the source. The firewalls on TJX's main network weren't set to defend against malicious traffic coming from the kiosks, the source says. Typically, the USB drives in the computer kiosks are used to plug in mice or printers.
The kiosks "shouldn't have been on the corporate LAN, and the USB ports should have been disabled," the source says.

In May, The Wall Street Journal cited a separate entry point, reporting that data thieves had accessed an improperly secured Wi-Fi network from the parking lot of a Marshall's store in St. Paul, Minn. The thieves reportedly used a wireless data poaching tactic called "wardriving" and exploited the deficiencies of the aging Wired Equivalent Privacy wireless security protocol.

The Wall Street Journal cited sources close to the investigation, and TJX wouldn't comment. Mark Loveless, senior security researcher for network-access control vendor Vernier, who goes by the online handle of "Simple Nomad," says it's possible the cyberattackers stumbled across a vulnerable store location while patrolling a strip mall or shopping center in their car using a laptop, a telescope antenna, and an 802.11 wireless LAN adapter. While the TJX store wasn't likely at the top of their list, they found that it was accessible and yielded information they could use to further penetrate TJX's IT systems. "The allure was too good to pass up," he posits.

TJX admits that some of the data was stolen during the payment card approval process, in which data is transmitted to payment card issuers without encryption. That might refer to a hacking technique called "skimming," a variation of which was used to steal 238 payment card account numbers earlier this year from four 24-hour Stop & Shop stores in Rhode Island and one in Massachusetts.

That scam worked like this: When the data thieves entered a store, one of them distracted a clerk while another swapped the store's PIN-pad terminal with a nearly identical device that had been electronically altered to capture customers' account numbers and PINs. The switch took as little as 12 seconds, according to the U.S. Attorney's Office for the District of Rhode Island.
Several days later, the thieves returned to the store, replaced the original terminal, and made off with the altered one containing customers' account information.

TJX says it was first tipped to a security problem on Dec. 18, 2006. Incident response experts from General Dynamics and IBM confirmed within a few days that there had in fact been an intrusion.

However, some financial institutions say they noticed an increase in fraudulent activity on cards in their networks in November, which would put the break-in, or break-ins, earlier--probably much earlier. "We were notified of the TJX compromise by Visa--as well as in the news--in January," says the CFO of one credit union, which then reissued payment cards to the customers whose data might have been stolen.

TJX says that "due to the type of technology used in the intrusion as well as deletions of transaction data in the ordinary course of business," it may never be able to identify "much of the information believed stolen." The company says the stolen data includes account information for about 45.7 million separate payment cards, though TJX claims that 75% of those cards were either expired at the time of the theft or the stolen information didn't include the security code data from the magnetic stripe on the cards. The company thinks that driver's license numbers, military IDs, and state IDs for 455,000 customers, together with their names and addresses, also were stolen.

STANDARDS WORK -- IF THEY'RE FOLLOWED
To adequately protect cardholder data, companies that handle this information need a secure network, some way of securing cardholder data during storage and transmission (such as encryption), a process for identifying and patching software vulnerabilities, and well-enforced access control measures.
So says the Payment Card Industry data security standard introduced by American Express, MasterCard Worldwide, Visa International, and other credit card providers two years before TJX announced its data breach.

Of course, PCI improves security only if retailers follow the standard closely. TJX said in its 2006 annual report that it "generally" had stopped storing magnetic-stripe data after Sept. 2, 2003; "generally" encrypted all payment card, check transaction, and personal information after April 7, 2004; and "generally" had masked payment card PINs as well as portions of payment card transaction and check transaction information after April 3, 2006.

[Photo: credit card keypad]

TJX Hack: Possible Entry Points
IN-STORE KIOSKS: Data thieves attached a USB device to an in-store online employment terminal that bypassed the company's network firewall and planted software in TJX's computer system.
WARDRIVING: Data thieves used mobile access technology to enter a poorly secured wireless network from outside the store, and from there got into TJX's computer system.
PIN TERMINALS: Data thieves accessed card-payment data flowing through point-of-sale PIN-pad devices, perhaps by substituting look-alike doctored devices surreptitiously and then retrieving them later.

However, Visa indicated in February,
through a number of documents sent to financial institutions that issue cards and manage Visa transactions, that TJX was storing card number, expiration date, and card verification value codes, all of which are prohibited by PCI. As for its efforts at encryption, "We believe the intruder had access to the decryption algorithm for the encryption software we utilize," TJX said in its annual report.

PCI also covers wireless network security, stating that wireless networks transmitting cardholder data must encrypt transmissions by using Wi-Fi-protected access (WPA or WPA2) technology, IPsec VPN, or SSL/TLS. "Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN," the standard states.

SUNSHINE STATE
Other retailers are starting to feel the TJX Effect. In March, some of the stolen data surfaced in Florida, where thieves used it to make phony credit cards to steal about $8 million in merchandise from Wal-Mart stores in 50 Florida counties. In July, the U.S. Secret Service tied stolen TJX customer data to another south Florida fraud ring (see story, "The Face Of Identity Theft," http://www.informationweek.com/story/showArticle.jhtml?articleID=201400172).

Banks and transaction processors are pushing back against having to cover fraud losses when the poor security practices of others are to blame. Several financial institutions have taken the unusual step of filing lawsuits against TJX, claiming that the retailer acted negligently by storing unprotected credit card holders' information and failing to install firewalls to protect sensitive financial databases. The Massachusetts Bankers Association filed a class-action suit against TJX that will seek to recover damages in the "tens of millions of dollars." The Connecticut Bankers Association and the Maine Association of Community Banks joined the Massachusetts association's suit as co-plaintiffs.
TJX is based in Framingham, Mass.

Although aimed at TJX, these lawsuits aren't good news for retailers in general. "You don't usually sue merchants," says Mark Macheska, a VP of card risk prevention at Citizens Bank, but "the banks are taking all of the losses." Payment card information for hundreds of thousands of Citizens Bank customers may have been compromised as part of the TJX breach.

Lawmakers have used the TJX debacle to push data security legislation. On Aug. 1, the Plastic Card Security Act of Minnesota took effect, making the state the first to shift the costs associated with data breaches from financial institutions to the retailers that mishandle consumers' financial data. The law makes it illegal for Minnesota businesses to store a customer's PIN, security code, or magnetic-stripe information for more than 48 hours after a transaction is authorized. Next year, penalties are set to kick in that would give Minnesota financial institutions, such as banks and credit unions, the ability to sue merchants caught keeping private financial data if there's a security breach.

Massachusetts passed a data breach notification law this month, partly in reaction to TJX, joining some 30 states that require organizations to notify those affected when their personal data has been compromised. But not every state is rushing in. In May, Texas shot down a bill that would have compelled businesses to better protect and safeguard sensitive personal information contained in their customer records.

Still, the passage of the Minnesota law indicates that the TJX data breach is "the straw that broke the camel's back" in terms of the public's patience with lax data security, says PayPal chief information security officer Michael Barrett. "If more states don't pass laws like Minnesota did," Barrett says, "we'll just be waiting for the next incident before we act."

A PARADOX
There's an interesting paradox in the TJX Effect, and it has to do with the company's financial performance. While at least a dozen customers have sued the company for not properly protecting their payment information--the cases are being consolidated into class-action suits and venues are still being chosen--many more are still shopping at its stores.

Financial analysts continue to raise their expectations for the company's stock price, as first-quarter 2008 sales were up about 6% compared with the year-earlier quarter, to $4.1 billion. Net income was down less than 2% from a year ago, to $162.1 million--not bad considering the $20 million charge TJX had to take.

In a February survey of 1,200 debit card holders by Javelin Strategy & Research, three out of four said they wouldn't continue shopping at a merchant where a data breach had occurred, says Mary Monahan, a Javelin analyst, and 84% said they would shop at merchants that said they were security leaders. But the reality seems quite different. "As Americans, we're a very convenience-oriented society," says James Lee, public and consumer affairs officer for ChoicePoint, a provider of identification and credential verification services. In 2005, ChoicePoint reported that identity thieves had stolen about 163,000 customer records.

TJX also may be benefiting from reports that identity fraud isn't as rampant as many think. Of the 24 data breaches analyzed by the U.S. Government Accountability Office in a report issued last month, only three included evidence of resulting fraud on existing accounts and only one included evidence of an unauthorized creation of a new account.
The GAO report states that for the 18, "no clear evidence had been uncovered linking them to identity theft; and for the remaining two, there was not sufficient information to make a determination."

WATERSHED CASE
However, the magnitude of the TJX data breach, and the fact that stolen data is starting to surface, may change that perception. "TJX is a watershed case in this regard," PayPal's Barrett says. When customer data is stolen, as opposed to lost, you can be sure that someone's looking to use that information for financial gain. "Having an information breach is now an extremely significant operational risk," Barrett says. "There are very few risks that are worse than that."

[Photo: Retain info about the transaction, not the customer's personal data, says Retail Federation CIO Hogan]

Are executives nationwide worried about the TJX Effect? "Absolutely," says Andre Gold, head of technology risk management at ING U.S. Financial Services and former director of information security for Continental Airlines. "That's the kind of info that my executives are in tune to, because they want to make sure we're aware of this so that the same thing doesn't happen to us."
The main takeaway: Look for weak links within your organization, because if you don't find them, someone else will.

ChoicePoint's Lee says the TJX data breach will force companies to be more transparent about the customer data they keep and how they protect it. ChoicePoint has accelerated a project to automate the way it discloses personal information to consumers who request it. Right now, if consumers want to know what information ChoicePoint has on them, the company puts together a report manually and mails it to them. To keep up with TJX-inspired demand, Lee's working to automate the system, a project that could take up to 26 weeks to complete, he says.

The National Retail Federation, whose eight-member executive committee includes CEOs from Ethan Allen Interiors, J.C. Penney, and Liz Claiborne, advocates several measures to prevent another data breach on the scale of TJX's. Rather than retain credit card information after a transaction is completed in order to settle disputes and handle chargebacks for returned merchandise, federation CIO Dave Hogan recommends retaining only information about the transaction itself--store number, time and date stamp, register number, and authorization number. "That would minimize, if not stop, payment card fraud," he says.

At the very least, retailers should require customers to enter a PIN for debit and credit purchases to be processed. This doesn't solve the data theft problem, but it does reduce risk, Hogan says. Even better, credit card companies will eventually replace magnetic-stripe cards in favor of those with embedded chips that require PINs whenever they're used.

For others, the lesson is simple. "Get serious about getting PCI certified," says PayPal's Barrett.
To get that seal, you must have your IT systems inspected by a Qualified Security Assessor or an Approved Scanning Vendor that's been blessed by American Express, Discover, JCB, MasterCard Worldwide, and Visa International--all founding members of the PCI Security Standards Council. The inspector checks an organization's IT systems against the criteria published in the PCI data security standard. There are dozens of QSAs and ASVs, including Deloitte & Touche and Dimension Data.</P> <P> With any luck, the TJX Effect will teach retailers this basic lesson: Thieves can't steal sensitive customer data if retailers aren't storing it.</P> <P> <font size="1">Photo by Sacha Lecca</font></p> <P> <CENTER>Continue to the sidebar:<BR> <B><A HREF="http://www.informationweek.com/story/showArticle.jhtml?articleID=201400172">The Face Of Identity Theft</A></B></CENTER></p>
2007-08-11T00:00:00Z
High Five: Meet Seth Ravin, CEO Of Rimini Street
Rimini Street CEO Seth Ravin has survived forming an IT consulting startup as a teen and receiving death threats while brokering trade agreements in Russia.
http://www.informationweek.com/news/201311327?cid=RSSfeed_IWK_Authors
<CENTER><B><FONT SIZE="+2">Seth Ravin</FONT><BR> <FONT SIZE="+1">CEO Of Rimini Street</FONT></B><BR> Interview by Larry Greenemeier</CENTER></P> <P> <FONT SIZE="1">Photograph by Bryan Haraway/Getty Images</FONT></P> <P> <B>1. CUP HOLDERS</B><BR> PeopleSoft, where Ravin was VP of customer sales, created and soon killed off its extended software support program in the late 1990s, fearing that it would keep customers from buying the latest apps. "When software was less mature, you needed to upgrade frequently. That's not the case today, when a lot of new features are just nice to have, like heated cup holders in a car."</P> <P> <B>2. HIGH MARGINS</B><BR> Ravin left PeopleSoft in 2001 to co-found TomorrowNow, a provider of third-party PeopleSoft app support. "Software maintenance has a 90% profit margin," he notes. In 2005, SAP bought TomorrowNow, and Ravin went off on his own to form Rimini.</P> <P> <B>3. SUIT'S UPSIDE</B><BR> Ravin isn't surprised that Oracle has sued SAP and TomorrowNow--it claims they downloaded Oracle documents they had no rights to--but he's disappointed his former company's management team "failed to properly execute its responsibilities." The suit, however, doesn't challenge the usefulness of third-party support. "If anything, the lawsuit validates just how big the independent support market truly is."</P> <P> <B>4. KEEP IT REAL</B><BR> Ravin co-founded Real Computing at the age of 13 and acted as a computer consultant to his own school district. "We told the district that someday everyone would have a word processor on their desk, and they didn't believe us."</P> <P> <B>5. DANGEROUS DEALS</B><BR> Before becoming a software entrepreneur, Ravin, who has always been passionate about politics, worked to connect the post-Cold War Russian government with U.S. defense contractors. It was a dangerous job, and Ravin received death threats. "There's nothing like a death threat to hone your negotiation skills."</P>
2007-08-09T16:30:08Z
Business Continuity: To Err Is Human, To Plan Is Divine
Although disasters make headlines, 80% of all IT outages are caused by human error. To defend against downtime or service interruptions, organizations need to maintain strong business continuity plans.
http://www.informationweek.com/news/201311255?cid=RSSfeed_IWK_Authors
The term "business continuity" today conjures images as varied as flooded data centers, <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201201136">cascading power outages</a>, and <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201311245">waves of cyber attacks</a>. But the real reason to plan ahead for a business disruption is likely to be much more mundane: Some well-intentioned system administrator makes an ill-advised change to a server in your data center, causing all hell to break loose. <P> Up to 80% of all IT outages are caused by improper changes to the IT environment, Bob Vieraitis, VP of marketing for change control software vendor Solidcore Systems, told <i>InformationWeek</i>.
And this is only going to get worse in increasingly complex IT environments where databases, servers, desktops, and other systems are managed by different groups within a given company. <P> "People who own the OS and servers are trying to keep them up and running," Vieraitis said. "The businesses on the other hand, if they own the application, they have new features that they have to get out there to be competitive in the marketplace, and that obviously involves change." <P> The emergence of virtual servers running on physical servers further adds to this complexity. "In a virtual environment, you no longer can tell where the OS is running," which makes it more difficult to determine where a change should be made and the potential impact of that change on the rest of the system, said Bill Lapcevic, Solidcore's VP of alliances. He added, "You become one step further away from understanding how change will affect your apps and environment." <P> Of course, given the nature of their business, Vieraitis and Lapcevic have every reason to want to believe that growing complexity will lead to greater difficulty managing change and avoiding downtime. Nonetheless, Solidcore is also in a position to see the impact that ill-advised changes have on their customers' IT environments. <P> Such as when a system administrator at <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=198001648">WebEx Communications</a> tweaked a server and took down service to the company's customers. This was a few years ago, prior to Cisco's plans to buy the provider of on-demand Web collaboration apps. The system administrator identified the need to make a change to a file running on one of the company's servers. As soon as the change was made, however, the server went offline, interrupting service to some of WebEx's customers.
"Customers were dropped and reconnected, so that impacted our availability numbers," said Randy Barr, chief information security officer for WebEx, which operates about 2,000 servers across seven data centers. <P> WebEx's data center operations center was the first to see the alert. "As soon as something turns red, they set up a conference line," Barr says. The first rule of troubleshooting is to look at any changes made in the IT environment. It didn't take long to find the problem, since the system administrator who made the change saw the alert and admitted the problem to operations center staff, which re-routed traffic on that server to another server in the cluster. <P> At the time, system administrators had to inform WebEx's security team as well as the company's change-control committee whenever they wanted to make a change to the company's systems, but there was no fail-safe way to block ad hoc changes that ultimately would prove detrimental to the IT environment. <P> Today, Solidcore's S3 Control software allows changes to be made to WebEx's systems only when such changes have an approved change ticket issued by the company's BMC Remedy Change Management application. If there's no ticket, then changes cannot be made to the system. This is an important function because the leading cause of WebEx's systems being unavailable is changes applied to the company's production environment. <P> To defend against downtime or service interruptions caused by changes to applications or IT systems, organizations need to set policies that dictate what changes are permitted, who's allowed to make these changes, and when these changes can be made. Further, these changes must be tested and approved before the changed systems are put back online. <P> But not all companies see business continuity planning as a top priority. In fact, about 30% of the 1,000 U.S.
IT executives surveyed by AT&T for the company's annual business continuity and disaster recovery preparedness survey released in May stated that it was "not a priority." A quarter of the executives surveyed said they don't even have a business continuity plan in place. Among the reasons for viewing business continuity as a low priority are that other issues take higher priority, belief that the probability of a disaster causing business disruption is small, and business continuity planning is too expensive. <P> The AT&T survey also indicated that, while 57% of companies have had their business continuity plans updated in the past 12 months, only 41% have had the plans tested during the same time period. <P> Testing is critical to ensuring smooth failover during an emergency, particularly for companies that deliver software as a service. "The one thing that everyone should think through: you have to test your continuity plan and update it," Barr said. He also offered this advice: "Some folks don't realize that if you work in a building, you can contact building management to help with planning for an incident." Nothing compares to actually putting a business continuity plan through its paces.
2007-08-07T13:00:00Z
Black Hat: JavaScript Flaws Ease Intranet Attacks
Security researchers at the Black Hat conference discussed the weaknesses in JavaScript that let an attacker take control of a user's browser.
http://www.informationweek.com/news/201300295?cid=RSSfeed_IWK_Authors
Which of the following will protect your Web site from attack: network perimeter firewalls, encryption, antivirus, or multi-factor authentication? <P> None of the above, says one Web security researcher.
<P> That leaves it up to Microsoft, Mozilla, and all of the foremost makers of Web browsers to protect cyber space from a litany of emerging Web-based attacks including <a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=XSS">cross-site scripting</a>, <a href="http://www.owasp.org/index.php/Cross-Site_Request_Forgery">cross-site request forgeries</a>, and browser port scanning. <P> What's worse, poor Web site security can lead to browser infections, which can lead to malicious software installing itself on a user's computer and attacking corporate systems from the inside. "Intranet hacks are happening already," <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=197008354">Jeremiah Grossman</a>, founder and chief technology officer of Web application security firm WhiteHat Security, told <i>InformationWeek</i>. <P> Grossman and Robert Hansen, CEO of security consulting firm SecTheory, described how it works during a presentation at last week's <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201202380">Black Hat USA 2007 conference</a> in Las Vegas. It starts when a user visits any Web page -- a blog, social networking site, etc. -- that either has been designed to distribute malware or is a legitimate site infected with malware. Once that malware infects and takes control of the browser running on the user's PC, the browser can be instructed to hand over its <a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=NAT">network address translation</a> ID, which is designed to keep internal network addresses hidden from the outside world. Once this is done, the attacker has been handed the information needed to peruse network addresses located inside the local network. <P> The problem isn't the result of security bugs or vulnerabilities. "You can patch all you want," Grossman said. 
"It's a design flaw in <a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=javascript&x=7&y=6">JavaScript</a>. Browser security is flawed in general." <P> At the 2006 Black Hat USA conference, <a href="http://www.informationweek.com/blog/main/archives/2006/08/black_hat_hows.html">Grossman discussed the weaknesses in JavaScript</a> that let an attacker take control of a user's browser. Simply turning off JavaScript is not a great option, given that there's no Ajax -- and, consequently, no Web 2.0 -- without JavaScript. <P> New methods of attack have emerged in the year since Grossman first laid out the dangers of cross-site scripting, cross-site request forgeries, and JavaScript malware. One such attack is history stealing, whereby an attacker uses JavaScript running in a user's browser to reveal the sites the user has visited most frequently. Once the attacker knows the user's Web-surfing history, the attacker can create look-alike spoofed sites containing malware or infect the sites that the user visits. <P> In another type of attack, JavaScript can be used to do intranet port scans by forcing the browser to make certain types of requests to internal IP addresses. Even if a browser's JavaScript has been disabled for security purposes, Grossman said port scanning can be done <a href="http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html">using HTML</a> as well. <P> One of the problems with securing Web sites is that the building and securing of Web sites is treated as two separate processes. "The security guys have no control over the Web site," Grossman said. "The developers do, and they don't work for security." 
<P> While Microsoft and <a href="http://www.informationweek.com/showArticle.jhtml?articleID=201202771">Mozilla</a> have made strides in improving the security of Internet Explorer and Firefox, respectively, it's incumbent upon them to ensure that their browsers can fight off new threats.
2007-08-03T09:10:00Z
Estonian 'Cyber Riot' Was Planned, But Mastermind Still A Mystery
Because so much of Estonia's economy relies on the Internet, when the Internet was down, citizens couldn't perform the most basic functions, such as buying milk, bread, or gas.
http://www.informationweek.com/news/201202784?cid=RSSfeed_IWK_Authors
Months after the <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=199602023">cyberattacks launched against the Baltic nation of Estonia</a> brought the country to its knees, the dangers of targeted cyberattacks and the consequences of heavy economic reliance on the Web have become clear -- even if the identity of the mastermind behind the attacks remains a mystery. <P> <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=199701774">Estonia's emergency</a> was a unique situation, since Internet connections can be blocked into the entire country, given how small it is -- about 45,000 square kilometers -- and how concentrated its Web users are. It was a "predicament of success," Gadi Evron, security evangelist for network security vendor Beyond Security, said Thursday during the <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201202380">Black Hat USA 2007 conference</a> in Las Vegas. <P> Because so much of Estonia's economy relies on the Internet, when the Internet was down, citizens couldn't perform the most basic functions, such as buying milk, bread, or gas. In this regard, Estonia likewise redefined the national infrastructure to include Internet service providers, media Web sites, and home computers, since the loss of these deeply affected the country.
<P> After the Soviet Union broke apart in 1991, Estonia built its infrastructure from scratch. A lot of it was dependent upon the Web, even the country's parliamentary election system. In fact, about 99% of Estonians bank online, said Evron, a former Israeli government Internet security operations manager and founder of Israel's computer emergency response, or CERT, program. <P> The <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=200900283">attacks started on April 27</a>, although the servers hosting most of the target government Web sites held up well. The attacks escalated as the day wore on, so the government moved the sites to new servers that could more easily be defended. Estonians were seeing up to 1,000 times the normal traffic to certain sites by that time. <P> The following day, the Estonians began to realize that these attacks were amounting to a "cyberriot" rather than simply being a spike in activity, Evron said. Indeed, the original attackers had begun to use Russian blogs to successfully enlist Russians in the assault, even instructing average computer users on how to attack Estonian Web sites. One blog comment solicited donations to a PayPal account to raise money for hiring botnets to use against Estonia. "The blogosphere was responding to what was happening in Estonia and how it was defending itself," he added. In this regard, the cyberattacks against Estonia resembled mob control or mass psychology with the Internet as the means of instigation. <P> Another element of the attack was botnets, all of which originated from outside Estonia. One attack in particular came from specially crafted bots planted in a number of computers, with the attack target hard coded into their source, Evron said. "They did not propagate and were not controlled centrally from a command and control center," he added. "This has been seen before, but is not very common. This shows there was some planning" performed in advance of the attack.
<P> One security researcher, Postini senior manager Adam Swidler, believes there's a good chance that authors behind the <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201202711">Storm worm terrorizing the Web today</a> were behind the Estonia attacks. <P> Estonia's CERT worked throughout the attack to get the country's systems back online. The incident response proved useful, Evron said. And when its resources were exceeded, Estonia CERT sought help from CERT-Bund in Germany, CERT-FI in Finland, and SI-CERT in Slovenia. <P> One of Estonia's defenses was to add Cisco Guard distributed denial-of-service mitigation appliances, which gradually slowed the pace of the attacks from 4 Mbps to 1.2 Mbps to 150 Kbps. Four megabits-per-second isn't necessarily a large attack, but "it was the right size for Estonia," Evron said. "More important was the impact. The spam attack against the Estonian parliament resulted in two days of downtime." Two network routers also crashed. <P> While Russians were involved in the cyberattacks, the attacks were not launched by Russia itself. Evron was very clear that there are no answers regarding exactly who initiated the attack and how much of it was pre-planned. "No one can tell," he added. "The Internet is perfect for plausible deniability. In information warfare, you may know your opponents, rivals, and enemies, but you do not know who is actually attacking."
2007-08-03T06:00:00Z
Mozilla Delivers Security Tools, Previews Firefox 3 At Black Hat
Now Mozilla is making its JavaScript fuzzer available to anyone who wants to use it, and it'll be followed later this year by fuzzers for the HTTP and FTP protocols.
http://www.informationweek.com/news/201202771?cid=RSSfeed_IWK_Authors
Browser security has long been criticized as a flawed construct, but that hasn't stopped browsers from being the default interface for most of the Web's users.
<P> In a bid to improve browser security, both within Firefox and among competing browsers, the Mozilla Foundation Thursday announced several open-source security testing tools, in addition to several security enhancements coming with Firefox 3, scheduled for availability by the end of the year. <P> Mozilla has been using an open-source application security testing tool, known as a fuzzer, for JavaScript to detect and fix dozens of security bugs in Firefox, Mozilla director of ecosystem development Window Snyder said Thursday at the <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201202380">Black Hat USA 2007 conference</a> in Las Vegas. The JavaScript fuzzer found 280 bugs in Firefox, 27 of which were exploitable. <P> Now Mozilla is making that JavaScript fuzzer available to anyone who wants to use it, and it'll be followed later this year by fuzzers for the HTTP and FTP protocols. <P> "The FTP and HTTP protocol fuzzers act like fake servers that send bad data to sites," Snyder told <i>InformationWeek</i>. The HTTP fuzzer emulates an HTTP server to test how an HTTP client handles unexpected input. The FTP fuzzer likewise tests how an FTP client handles unexpected data. <P> Mozilla worked with <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201000765">Microsoft</a>, <a href="http://www.informationweek.com/showArticle.jhtml?articleID=19990354">Apple</a>, and <a href="http://www.informationweek.com/blog/main/archives/2007/06/mobile_web_brow.html">Opera</a> before making the JavaScript fuzzer widely available in order to reduce the possibility that the tool might be used to expose vulnerabilities in those browsers. All of these browser vendors reviewed the tool and told Mozilla that they were okay with the release, Snyder said. <P> Mozilla's presentation also included a look at some of the new security features for Firefox 3.
Expect Firefox 3 to include new phishing and malware protection, extended validation certificates, improved password management, and a security user interface. Knowing that Web users rarely look at the symbols and other information located around the perimeter of the browser page, also known as the chrome, Firefox 3 is designed to make sure that suspected Web forgeries aren't missed, "even though users don't look for them," Mozilla Project co-founder Mike Shaver said Thursday at Black Hat. <P> In some cases Firefox 3 will not only issue a warning that a site is unsafe, it will prevent the user from accessing that site, "so the users can't just ignore the warnings," Shaver said. "This feature is not without controversy of course." <P> Mozilla's Black Hat announcements follow the release earlier this week of <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201202097">Firefox 2.0.0.6</a>, designed to fix vulnerabilities that could allow the Firefox browser to pass dangerous data to third-party applications like Microsoft's Internet Explorer. Mozilla's new workarounds and patches come just a few weeks after the organization delivered Firefox 2.0.0.5, which included patches for several other vulnerabilities. <P> The company is hoping this proactive approach to security will alleviate the need for such incremental browser updates. <P>
2007-08-02T06:01:00Z
Ajax's Success Could Weaken Web 2.0
Despite the several ways to break down a Web site built using Ajax, all is not lost, according to SPI Dynamics.
http://www.informationweek.com/news/201202520?cid=RSSfeed_IWK_Authors
Bandwagoning is inevitable whenever a new technology or technique demonstrates success, and Ajax, or <a href="http://www.informationweek.com/showArticle.jhtml?articleID=200001584">Asynchronous JavaScript and XML</a>, has definitely been successful in the Web 2.0 world. Maybe too successful, from a security standpoint.
<P> To prove this theory, SPI Dynamics Wednesday at the <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201202380">Black Hat USA 2007 conference</a> in Las Vegas demonstrated several ways to break down a Web site they built using Ajax. The company dubbed the rush to erect Ajax-based Web sites "Premature Ajax-ulation," and proceeded to describe how it can be diagnosed, treated, and even avoided. <P> To demonstrate the lack of attention paid to securing Ajax, all of the techniques and approaches SPI researchers used to construct their fictitious site, called HackerVacations.com, came from books and other readily available resources about Ajax. The result was a site where flight pricing, seat selection, and other features were easily manipulated. <P> "Developers write these applications the way they're supposed to be used," Bryan Sullivan, SPI's development manager, told <i>InformationWeek</i>. "That's great, except that you've only ever tried to exercise the application the way it's intended to be used." Those attacking the application have no such inhibitions. <P> "Bryan and I were shocked at the bad advice published in Ajax security books," Billy Hoffman, lead security researcher for SPI, which is <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=199905338">set to be bought by HP</a>, told <i>InformationWeek</i>. <P> Ajax is seductive because it lets developers build applications that are as responsive as a desktop app but available over the Web. Ajax has risen to prominence on the back of applications such as <a href="http://www.informationweek.com/showArticle.jhtml?articleID=201002354">Google Maps</a>, which breaks up complex functions so that the users get more immediate gratification from their requests for information. <P> "With traditional Web applications, you broke in by feeding malicious code into the server to help make the server fail," Hoffman said. 
JavaScript, however, makes greater use of the client, thus giving anyone attacking an Ajax-based application access to a greater amount of the application's code. <P> The news wasn't all bad, however. It is possible to write secure Ajax applications if programmers carefully define and validate the data parameters their applications accept as well as the output the applications deliver. Barring that, abstinence, or at least using Ajax sparingly, may be the best solution.
2007-08-01T16:58:41Z
What Richard Clarke Was Really Saying At Black Hat
Don't let politics get in the way of progress. That was one of the key messages former U.S. counterterrorism advisor <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201202380&cid=RSSfeed_IWK_News">Richard Clarke delivered during his Black Hat keynote</a>. Of course, Clarke has a colorful way of putting things.
http://www.iweek-interim.com/news/229215391?cid=RSSfeed_IWK_Authors
Clarke, chief counterterrorism adviser on the U.S. National Security Council during portions of the Bill Clinton and George W. Bush administrations and currently chairman of Good Harbor Consulting, has been known to wear his politics on his sleeve. Although he served during both the Clinton and Bush administrations, let's just say he's not been impressed with the latter. He even suggested that the Bush Administration's lack of funding for important technology developments will create serious impediments for the U.S.
<P> Clarke criticized the current Bush Administration's policies against stem-cell research and its opposition to the development of <a href="http://www.iec.org/online/tutorials/hmi/">human-machine interface</a> technologies. The question is, "are humans beginning to take control of their own evolution and is that a good thing or a bad thing?" he asked the crowd Wednesday at the Black Hat USA 2007 conference in Las Vegas. "We need to start thinking about it now." <P> Clarke operated at the highest level of the federal government, and he's no novice when it comes to IT security or to <a href="http://www.darkreading.com/document.asp?doc_id=130232">Black Hat</a>. Clarke keynoted Black Hat during President Bush's first term. "When I got back to the White House, I got a lot of" <i>insert expletive</i> "for it," he said. "They didn't get it. The real reason I took" <i>insert same expletive</i> "is because I encourage you all to continue to hack … Apparently, someone from Redmond called the White House," and complained. <P> The key to progress is avoiding politics when it comes to technological advancements. "At the center of all these advances is computing," he said. The human genome couldn't have been decoded without superior computer processing power. Yet, there are still enormous security problems that plague computer software and systems. <P> Of course, Clarke is also hawking his new book, <i>Breakpoint</i>, which, as I understand it, addresses the impact of technology on humanity, with IT security playing a crucial role. Clarke said that his new book paints a scenario in the future where soldiers wear intelligent exoskeletons to protect them in combat, an advance that reminded me of a similar technology portrayed in <a href="http://www.alandeanfoster.com/version2.0/frameset.htm">Alan Dean Foster's</a> <a href="http://www.allreaders.com/topics/Info_9780.asp"><i>Sentenced To Prism</i></a>, which I read as a teenager.
Foster's book is a few decades old, however, and didn't address what Clarke views as the biggest threat to such battlefield armor: a computer virus that freezes up the systems that allow the soldier to control the exoskeleton. <P> Near-term science-fiction aside, Clarke is a big believer that net-centric warfare is on the way. Its combatants will be on the battlefield and in front of the computer, as each soldier will have multiple IP addresses that tie his equipment to a larger network. <a href="http://www.ipv6tf.org/index.php?page=news/newsroom&id=3058&lan=en">IPv6's</a> ability to accommodate this is one of the reasons the Pentagon is pushing the adoption of this protocol. <P> Today's networks can't differentiate Web traffic, can't tell the difference between downloading a relative's vacation photos and an emergency responder using the network to get through in an emergency. "IPv6 would let you do that," which is why it needs to be adopted more rapidly, Clarke said. One of the problems, he noted, is that insufficient funding is being provided to secure cyberspace. <P> So it comes down to politics again. Regardless of whether you agree with his political slant, it's hard to argue against Clarke when he's talking about IT security. He knows his <i>insert expletive</i>.
2007-08-01T14:00:00Z
Richard Clarke: Computers Are Best Friend Of Progress, And Security Its Worst Enemy
The former federal counterterrorism adviser tells security pros at the Black Hat USA conference that continuing to build more of the global economy on cyberspace as it exists today is dangerous business.
http://www.informationweek.com/news/201202380?cid=RSSfeed_IWK_Authors
The convergence of all forms of technology is happening, allowing paralyzed hospital patients to move computer mice via brain waves and treating certain cases of epilepsy and depression through brain stimulation. It won't be long before human-machine interactions that tie the human brain directly into the Internet are possible.
That is, if we can make cyberspace secure, former U.S. government counterterrorism adviser Richard Clarke told attendees Wednesday at the Black Hat USA 2007 conference in Las Vegas.

The convergence of different technology disciplines -- IT, <a href="http://www.informationweek.com/showArticle.jhtml?articleID=200900618">robotics</a>, <a href="http://www.informationweek.com/showArticle.jhtml?articleID=197801614">nanotech</a>, and so forth -- has already begun, and "that's going to change the nature of the society we're in -- in your lifetime," added Clarke, chief counterterrorism adviser on the U.S. National Security Council during portions of the Bill Clinton and George W. Bush administrations and currently chairman of Good Harbor Consulting.

Nanotechnology is "the ultimate machine-human interface," Clarke said, referring to tiny machines that have the potential to clean out veins and detect diseases.

Indeed, the human genome couldn't have been decoded without superior computer processing power. Yet there are still enormous security problems that plague computer software and systems.

Clarke warned that continuing to build more of the global economy on cyberspace as it exists today is dangerous business because "we've still secured very little of cyberspace." Many of the transactions that users engage in are not authenticated, and encryption is underutilized.

That's where the Black Hat audience comes in. Clarke encouraged the security researchers in attendance not only to continue their work finding software vulnerabilities and reporting them to the vendors -- "because I know a lot of other people out there are going to find them and exploit them," he said -- but also to push for changes in government and industry policy and practices that inhibit security advances.

Clarke appealed to the security pros in attendance to push for advances in IT security because they understand not only the technology, but what's at stake if cyberspace continues on its current insecure path. Added Clarke, "Sure, it's a really hard problem, but a lot could get done that's relatively easy."

Universal standards for writing more secure software, adoption of encryption, and better protection of the Domain Name Servers that underpin the Internet are all measures within the grasp of industry and government today. They would do well to heed Clarke's warnings.

2007-07-30T10:00:00Z
Risk Management System Busts Data Skimming Ring
Four men have pleaded guilty to using phony point-of-sale PIN-pad terminals to steal customers' data and passwords and then defraud stores.
http://www.informationweek.com/news/201201747?cid=RSSfeed_IWK_Authors

A finely tuned fraud-detection system earlier this year helped put the kibosh on a cross-country ring of payment-card thieves hitting up grocery stores in New England and stealing from ATMs in California. Now, four California men are facing several years in prison and fines of up to $250,000 for the roles they played in a <a href="http://www.informationweek.com/showArticle.jhtml?articleID=197007473">skimming operation at Stop & Shop supermarkets</a> that compromised more than 238 payment card account numbers and netted them more than $130,000. It could easily have been much worse.

Mikael Stepanian, Arutyun Shatarevyan, Gevork Baltadjian, and Arman Ter-Esayan have all pleaded guilty to conspiracy to traffic in unauthorized access devices and aggravated <a href="http://www.informationweek.com/blog/main/archives/2007/07/10_rules_for_av.html">identity theft</a> for stealing credit and debit card account information in February through altered supermarket point-of-sale PIN-pad terminals they planted during overnight hours at four 24-hour Stop & Shop stores in Rhode Island and one in Massachusetts.
The scam worked like this: As they entered a store, one of the men distracted a clerk while the others swapped the store's PIN-pad terminals with nearly identical devices that had been electronically altered to capture customers' account numbers and PINs, a process that took as little as 12 seconds, according to a <a href="http://www.usdoj.gov/usao/ri/press_release/july2007/stepanian_plea.html">statement released July 13 by the U.S. Attorney's Office for the District of Rhode Island</a>. Several days later, the men returned to the store, replaced the original terminal, and made off with the altered one containing customers' account information.

As a result of this conspiracy, $132,018 in fraudulent charges were made against the compromised accounts at several financial institutions, including Citizens Bank.

But investigators at Citizens Bank noticed something fishy when they saw transactions taking place on both the West and East coasts for certain customers. Citizens soon found a common point in a series of unauthorized ATM withdrawals in their network: all of the compromised accounts had previously been used at Stop & Shop stores in Rhode Island. Alerted that their stores were being targeted by the thieves, Stop & Shop security personnel later reviewed store surveillance tapes and saw the fraudsters switching PIN-pad terminals. This led to the arrest of three of the men inside a Stop & Shop in Coventry, R.I., on Feb. 26. The fourth man was arrested in a parked car outside the store.

A search of the men's hotel rooms in Connecticut turned up devices for skimming credit and debit card information and a laptop computer with thousands of credit and debit card account numbers and PINs, stored in folders cleverly labeled "Stop & Shop." Citizens Bank relied, in part, on Proactive Risk Manager software from ACI Worldwide to detect the fraud being committed on its debit network as a result of the stolen Stop & Shop customer information. The Proactive Risk Manager system first alerted Citizens to the fraudulent activity on Feb. 10. "Our ATM velocity rule was triggered," Mark Macheska, a VP of card risk prevention at Citizens Bank, told <i>InformationWeek</i>, referring to how the bank monitors activity on its network.

The bank uses Proactive Risk Manager to establish a threshold for the number of transactions of a specified dollar amount performed on its networks over a specified period of time. If it sees too many big transactions in a short amount of time, red flags are raised.

The fraudulent activity observed on Feb. 10 kept up through the next day, when Citizens identified the Stop & Shop store in Cranston, R.I., as a common point of compromise. Another common point of compromise was the Stop & Shop in Coventry, R.I. In other words, all of the account numbers being used to commit fraud on Citizens' network in California had recently been used to make purchases at those Stop & Shop stores thousands of miles away. "We alerted our corporate security folks that there might be skimmers at those locations," Macheska said. As it turns out, the guilty parties were traveling from California to New England every week to plant and swap out skimmer devices and collect customer data.

Once Macheska and his team were able to determine the point of compromise, they were able to query Citizens' database for all of the cards the bank had issued that had been used at those Stop & Shop locations. "We can then monitor those cards or reissue them," he said. Citizens reissued thousands of cards as a result of the skimming operation.

Detecting payment card fraud is neither foolproof nor instantaneous, but ACI Worldwide, a software maker that had until recently been known as Transaction Systems Architects, is moving in the direction of both improved accuracy and performance.
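The two detection steps Macheska describes, a velocity threshold on ATM withdrawals followed by a common-point-of-compromise query over the flagged cards' purchase history, as an added Python example; this is not ACI's Proactive Risk Manager or Citizens Bank's rules, and the transaction log, thresholds, store names and card numbers are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def t(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample log (not real bank data). Each record is
# (time, card, kind, location, region, amount). Cards 1111 and 2222 both
# shopped at the same Rhode Island store, then show rapid large ATM
# withdrawals in California; 3333 is an ordinary customer elsewhere;
# 4444 shopped at the same store but has not (yet) been defrauded.
SAMPLE_LOG = [
    (t("2007-02-03 18:05"), "1111", "purchase", "Stop & Shop Cranston", "RI", 84.20),
    (t("2007-02-04 12:40"), "2222", "purchase", "Stop & Shop Cranston", "RI", 41.75),
    (t("2007-02-04 13:10"), "3333", "purchase", "Grocer Providence", "RI", 23.10),
    (t("2007-02-05 09:00"), "1111", "purchase", "Gas Warwick", "RI", 30.00),
    (t("2007-02-06 17:20"), "4444", "purchase", "Stop & Shop Cranston", "RI", 65.30),
    (t("2007-02-10 02:00"), "1111", "atm", "ATM LA-1", "CA", 500.00),
    (t("2007-02-10 02:04"), "1111", "atm", "ATM LA-2", "CA", 500.00),
    (t("2007-02-10 02:09"), "1111", "atm", "ATM LA-3", "CA", 400.00),
    (t("2007-02-10 02:30"), "2222", "atm", "ATM LA-1", "CA", 500.00),
    (t("2007-02-10 02:33"), "2222", "atm", "ATM LA-2", "CA", 500.00),
    (t("2007-02-10 02:41"), "2222", "atm", "ATM LA-4", "CA", 300.00),
    (t("2007-02-10 10:00"), "3333", "atm", "ATM Providence", "RI", 100.00),
    (t("2007-02-11 10:00"), "3333", "atm", "ATM Providence", "RI", 60.00),
]


def velocity_alerts(log, window=timedelta(minutes=15), max_count=2, min_amount=300.0):
    """Cards with more than max_count ATM withdrawals of at least min_amount
    inside any window-long span: a constructed analogue of the article's
    'ATM velocity rule' (count threshold over a time period for a dollar amount).
    """
    times_by_card = defaultdict(list)
    for ts, card, kind, _loc, _region, amount in log:
        if kind == "atm" and amount >= min_amount:
            times_by_card[card].append(ts)
    flagged = set()
    for card, times in times_by_card.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > max_count:
                flagged.add(card)
                break
    return flagged


def common_points(log, flagged, lookback=timedelta(days=30), min_share=1.0):
    """Rank purchase locations by the share of flagged cards that used them in
    the lookback period before each card's first ATM withdrawal. A location
    shared by (nearly) every flagged card is the candidate point of compromise.
    """
    if not flagged:
        return []
    first_atm = {}
    for ts, card, kind, *_ in log:
        if kind == "atm" and card in flagged:
            first_atm[card] = min(ts, first_atm.get(card, ts))
    visits = defaultdict(set)
    for ts, card, kind, loc, *_ in log:
        if kind == "purchase" and card in flagged:
            ref = first_atm.get(card)
            if ref is None or ref - lookback <= ts < ref:
                visits[loc].add(card)
    ranked = sorted(((loc, len(cards) / len(flagged)) for loc, cards in visits.items()),
                    key=lambda item: (-item[1], item[0]))
    return [(loc, share) for loc, share in ranked if share >= min_share]


def cards_exposed(log, location, since):
    """Every card used for a purchase at location since the given time: the
    population to monitor or reissue once a point of compromise is known."""
    return {card for ts, card, kind, loc, *_ in log
            if kind == "purchase" and loc == location and ts >= since}


if __name__ == "__main__":
    flagged = velocity_alerts(SAMPLE_LOG)
    print("velocity alerts:", sorted(flagged))
    for loc, share in common_points(SAMPLE_LOG, flagged):
        exposed = cards_exposed(SAMPLE_LOG, loc, t("2007-02-01 00:00"))
        print(f"common point {loc!r} (share {share:.0%}); cards to reissue: {sorted(exposed)}")
```

Lowering min_share (for example to 0.5) also surfaces locations used by only some of the flagged cards, which is how a second store such as the Coventry one would appear when only part of the flagged population shopped there.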
"You're generally looking for a needle in a haystack when you're trying to find fraudulent transactions," Derren Jones, ACI Worldwide's director of product management for fraud and risk management, told <i>InformationWeek</i>. "You could be getting 100 or 1,000 transactions per second, depending up on how large you are." The company Monday introduced an online fraud-reduction calculator to help companies determine the effectiveness of their current fraud-prevention systems. <P> The key to keeping a lid on the Stop & Shop scam was early detection. "Stop & Shop's losses were not as bad as they could have been," Macheska said. "If we didn't have some sort of detection system in place, we would have been buried as a result of &#91;the&#93; Stop & Shop" data theft. <P> Stop & Shop's security response was low-tech but effective nonetheless. The company's stores began bolting down their point-of-sale terminals so that they couldn't be removed by customers. <P> Citizens is now looking to implement real-time fraud notification through ACI's Proactive Risk Manager system. "With a real-time rule, we can deny a transaction before fraud occurs," Macheska said. "You're now dealing with the authentication process. That can cut down the amount of money that's taken to begin with."2007-07-28T00:00:00ZHigh Five: Meet Andre Gold, Head Of Technology Risk Management At INGIn May, Andre Gold departed as Continental Airlines' director of information security and landed at ING, becoming that financial service provider's head of technology risk management. 
Now he's spreading his wings with a larger staff and more responsibilities.
http://www.informationweek.com/news/201201357?cid=RSSfeed_IWK_Authors

Andre Gold
Head Of Technology Risk Management At ING
Interview by Larry Greenemeier
Photograph by James Leynse

1. TRAILBLAZER
In 2002, Gold was tapped to be Continental's first executive-level security manager. The airline's former CIO, Janet Wejman, told him, "I want you to run security, but I'm not giving you a budget, and you can only take one person" from the e-commerce team he'd been on.

2. COMPETITION TAKES WING
Setting security priorities depends on the type of business you're defending. At Continental, logons and passwords became cumbersome when gate and ticketing agents had to share the same computer in a terminal so planes could be loaded promptly and customers kept happy. If they're not happy, "they don't even have to walk across the street to do business with a competitor." His job at ING is to deal with risk at a higher level: "Are we ready in the event of an unplanned outage?"

3. FLYING HIGH
Between 2005 and May of this year, Gold served on the Data Link Security Subcommittee, an aviation industry board that's "drafting security protocols that will enable not only Wi-Fi connectivity, but also determine the way future aircraft connect to respective carrier networks, offload messages, and upload data like gate information."

4. MAN ON THE RUN
Gold likens his day-to-day responsibilities at ING to a sprint, whereas the pace at Continental was more of a marathon. At ING, "we run harder and faster while we're at the office," but the work/life balance is more distinct.

5. GET A BACKBONE
There are many traits needed to do security well, not the least of which is "having a backbone. Your vision will be challenged all the time. And a lot of time, business units won't be able to deliver on projects once you work in the security considerations."

2007-07-27T13:00:00Z
New Attack Uses Bogus Web Sites To Deliver Malware
The new threat comes from a number of newly registered Web sites that pretend to represent Italian organizations, but are really just vehicles for using malicious IFrames to spread malware.
http://www.informationweek.com/news/201201582?cid=RSSfeed_IWK_Authors

The <a href="http://www.informationweek.com/showArticle.jhtml?articleID=200001941">Italian job</a> that last month saw more than 10,000 legitimate Web pages embedded with malicious IFrames has resurfaced, this time with even more international intrigue. Last month's threat pushed malicious HTML files onto Web pages of several Italian Web sites and infected Web surfers visiting those sites. The new threat comes from a number of newly registered Web sites that pretend to represent Italian organizations, but are really just vehicles for using malicious IFrames to spread malware.
Indeed, these new sites aren't even being hosted in Italy; they're being hosted out of Germany and may be tied to Russian malware writers, Trend Micro network architect Paul Ferguson told <i>InformationWeek</i>. "One of our researchers found an IP address that included 400 pieces of malware on different URLs," he said.

As of Friday morning, about 2,500 systems may have been infected by these malicious IFrames. "Not an astounding number," Ferguson acknowledged, "but the number is apparently growing." Trend Micro's investigation is ongoing.

An IFrame, or inline frame, makes it possible to embed one HTML document inside another. Victims of the first attack in June were people visiting Web sites hosted in Italy for Italian city councils, employment services, and tourism. Attackers embedded IFrames into these sites, and when site visitors clicked on the malicious IFrames, their computers were infected.

Trend Micro came across the new Web sites while the company's researchers were doing their daily analysis of logs from their <a href="http://www.informationweek.com/showArticle.jhtml?articleID=188702961">honeypot</a> and proxy systems, which are placed out on the Internet and made to look like open proxies or unpatched systems ripe for attack. "We saw certain IP addresses and domain names that raised a red flag," Ferguson said. This included the movement of domains from one domain name server to another, a move that's typically associated with an attempt to avoid detection. These new sites containing malicious IFrames create layers of obfuscation that make it difficult to determine who's behind the sites.

While Trend Micro's research isn't comprehensive enough at this time to send law enforcement busting through anyone's door, its detection of these new sites laden with malicious IFrames comes before the problem "managed to fully blossom," Ferguson said. "We're making these guys go through a lot of trouble for nothing."
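A site owner's check for the injection technique described above, added here as an example and not Trend Micro's code: parse a page's HTML, collect every iframe, and report those whose source loads from a host other than the page's own. The sample markup and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def foreign_iframes(html, page_url):
    """Return the sources of iframes that load content from a host other
    than the page's own. Relative and same-host frames are treated as part
    of the site; anything pointing elsewhere is reported for review, which
    is how a frame injected to pull in a third-party page would surface.
    """
    own_host = (urlparse(page_url).hostname or "").lower()
    collector = IframeCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        host = urlparse(src).hostname  # None for relative URLs
        if host is not None and host.lower() != own_host:
            flagged.append(src)
    return flagged


# Constructed sample (not a real site): a fictitious city council page with
# one legitimate same-site frame and one injected frame pointing elsewhere.
SAMPLE_PAGE = """<html><body>
<h1>Comune di Esempio</h1>
<iframe src="/calendario/eventi.html" width="400" height="300"></iframe>
<p>Orari degli uffici</p>
<IFRAME src="http://frames.example.invalid/in.php"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for src in foreign_iframes(SAMPLE_PAGE, "http://www.comune-esempio.example/index.html"):
        print("off-site iframe:", src)
```

Run against a crawl of your own pages, a sudden appearance of off-site frames that nobody deployed is the signal to investigate; the check is deliberately blind to frame size or visibility so it does not depend on how the injected markup is styled.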
It's not so much that the malware threat is different; it's similar to the one that surfaced last month in that it looks to exploit unpatched PCs. Instead, this new scheme represents an evolution of the delivery mechanism for malware. To counter these emerging methods, security vendors need to rely less on building up already bulky blacklists or adding signatures to malware filters. As cybercriminals become more experimental, it's the ability to trace these malicious sites back to their source that's going to make the difference in fighting cyber attacks, Ferguson said.

2007-07-26T09:31:30Z
Cybercriminal Innovation Will Continue To Drive The IT Security Market
The creativity and ambition of cybercriminals all but ensure for years to come there will be a market not only for security technology but for individual security components provided by a multiplicity of vendors.
http://www.iweek-interim.com/news/229215513?cid=RSSfeed_IWK_Authors

The creativity and ambition of cybercriminals all but ensure that for years to come there will be a market not only for security technology but for individual security components provided by a multiplicity of vendors. That's the message of a recent Burton Group research paper entitled "The Long Tail of Risk and the Dynamics of the Security Market," a sentiment that runs contrary to market trends, where you know a vendor or technology has arrived because it's being snatched up by a larger vendor for hundreds of millions of dollars.

Earlier this week, <a href="http://www.informationweek.com/showArticle.jhtml?articleID=199901797">IBM sealed a deal to integrate Watchfire's Web application vulnerability assessment and compliance technology</a> with IBM Rational software quality management products. This was just the latest in a long string of major deals, which over the past few months have included <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=200000461">Cisco's $830 million deal for e-mail security provider IronPort</a>, <a href="http://www.informationweek.com/showArticle.jhtml?articleID=199905338">HP's bid for application security provider SPI Dynamics</a>, and <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201000248&cid=RSSfeed_IWK_News">Google's planned $625 million acquisition of Postini</a>, a provider of managed security services.

Still, it's not the fate of every startup security product vendor or service provider to become part of the larger security machine, according to Burton Group analyst <a href="http://www.informationweek.com/showArticle.jhtml?articleID=184417621">Bob Blakley</a>, who wrote, "Unlike most markets, the security market is not driven solely by customer demand and vendor profit. It's also driven by innovation -- the innovation of the bad guys."

As a result, "the security market will therefore remain for the foreseeable future in a steady state which is 'always consolidating but never consolidated,'" Blakley wrote. There's certainly plenty of money being spent on security's moving target, a fact that guarantees to attract new waves of security entrepreneurs for years to come. IDC predicts the market for security products and services will reach $66.6 billion by 2010.

Others aren't so sure. Addressing this year's RSA conference in San Francisco in February, <a href="http://www.informationweek.com/showArticle.jhtml?articleID=197003917">EMC's RSA division president Art Coviello made headlines</a> with the claim, "With the exception of a few innovative startups, the standalone security industry will end within three years." Of course, Coviello already had cashed in, so it wasn't a stretch for him to make this prediction. Still, as I noted before, RSA isn't the only company to have welcomed the warm embrace and deep pockets of a tech heavyweight looking to sink its hooks into the security market.

But Blakley concludes that entrepreneurial nimbleness is a necessary part of ensuring that security technology keeps pace with the evolving threat environment. "An organization's platform and its risks are never in equilibrium for long; as long as equilibrium exists, risks are under control and the bad guys are denied their payday," he wrote. "But bad guys need to feed their families, so they're constantly developing innovative ways to disrupt the risk equilibrium."

This constant cycle of attack and defend ensures that spending on IT security won't decrease anytime soon, if ever. Look on the bright side -- job security abounds: for IT security pros, security vendors, and, of course, the malicious malcontents who keep them on their toes.

2007-07-25T09:20:00Z
P2P Networks Turn Up Sensitive Corporate, Government Documents
A House committee hearing shows that the security dangers of file sharing over peer-to-peer networks are still a major problem.
http://www.informationweek.com/news/201200981?cid=RSSfeed_IWK_Authors

The <a href="http://oversight.house.gov/story.asp?ID=1427">House Oversight and Government Reform committee</a> thought a hearing it held four years ago about the security dangers of file sharing over peer-to-peer networks had sufficiently addressed the problem. Clearly it hadn't. The committee convened a follow-up hearing Tuesday after an informal investigation into <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=199600527">P2P security</a> recently turned up files containing the corporate strategies of Fortune 500 companies, military operation orders, and other sensitive information.
The committee had a strong interest in "national security and leaks bubbling out of the government," Eric Johnson, director of Dartmouth's Glassmeyer/McNamee Center for Digital Strategies and a professor of operations management at Dartmouth's Tuck School of Business, told <i>InformationWeek</i> after testifying before the committee Tuesday.

Some members of the committee want to crush P2P file sharing out of existence, "but that game has been played and there are only two large players left in North America," Johnson said, referring to <a href="http://www.limewire.com/">LimeWire</a> and <a href="http://www.morpheus.com/">Morpheus</a>. "Most of the others come from outside the U.S., so shutting them down is not a really viable approach."

The primary outcome of the hearing is that committee members are starting to better understand the security risks that arise when government and business workers engage in file sharing from computers that contain sensitive information. "Today's hearing was one of saying, look, this <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=199100239">problem has been around for a few years</a> and it's getting worse," Johnson said. "There are a lot of government and corporate documents leaking out, and we need to do something."

Committee members know this firsthand. Using the LimeWire P2P program, committee staffers ran a series of basic searches prior to Tuesday's hearing. "What we found was astonishing: personal bank records and tax forms, attorney-client communications, the corporate strategies of Fortune 500 companies, confidential corporate accounting documents, internal documents from political campaigns, government emergency response plans, and even military operation orders," committee chairman Rep. Henry Waxman, D-Ca., said to open the hearing. "All these files were found in unpublished, Microsoft Word document format. All were found in limited searches over the past month. It is truly chilling to think of what private information an organized operation or a foreign government could acquire with additional resources."

Robert Boback, CEO of Tiversa Inc., which provides technology for monitoring P2P networks, testified Tuesday that his company has come across numerous sensitive documents freely available through P2P networks. This includes a corporate disclosure by an attorney whose clients are the world's largest pharmaceuticals manufacturers. The document "disclosed 436 sensitive and confidential files related to those clients," Boback said. This information included pending litigation.

One of the documents Tiversa found, dated April 2007, labeled "confidential," and addressed to Waxman and the committee's ranking member Rep. Tom Davis, R-Va., "appears to address questions regarding drug trials" of a particular pharmaceutical company, Boback said, adding that this is a "clear example of extended enterprise risk."

One of the problems with controlling P2P networks is that it's hard for many people to understand how they work, Johnson said. "So getting clear in their minds what it is and why it's a threat was one of the more successful outcomes of today." Johnson speculates that, as the government comes to better understand this issue, it will enforce existing restrictions against putting government data on personal computers, particularly those accessible via P2P networks.

2007-07-23T15:00:00Z
Yahoo Joins Industry In Defining How Long It Will Hold Onto Search Data
The 13 months Yahoo will keep search data is shorter than the 18 months announced by Microsoft and Google.
http://www.informationweek.com/news/201200556?cid=RSSfeed_IWK_Authors

Feeling pressure from U.S. and European Union legislators, the <a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=201200289">major search engine providers have now all fallen into step</a> by providing greater visibility into the types of data they collect from Web users and promising to make that data anonymous after a certain period of time. Yahoo on Monday became the latest, stating that the company would "anonymize" data about searches and searchers within 13 months after each search is performed.

Yahoo, which offers the second-most popular Web search engine, will hold onto this information for a shorter period of time than competitors Google or Microsoft, both of which have stated that after 18 months they'll delete IP address and cookie ID information linking searches to the computers requesting the search.

Based on legal and regulatory feedback that Yahoo's peers have received regarding their own search data retention policies, Yahoo decided it was time to make its own move, Yahoo spokesman Jim Cullinan told <i>InformationWeek</i>. "Thirteen months incorporates the seasonality aspect of this, such as Christmas to Christmas," he added.

Yahoo's change in search data retention policy isn't something the company sought to announce, but it felt the need to say something or risk appearing to care less about privacy than its rivals. "If users don't trust you, they're not going to use your services," Cullinan added.

Although Yahoo doesn't sell information about its users' searches, it does use this information to personalize banner ads for those who use Yahoo's free services, including Instant Messenger and e-mail. As with search leader Google and with Microsoft, Yahoo also claims the need to hold onto search data to help protect its advertisers from click fraud, which can be committed by those who manipulate a search engine's results to improve their standing in Web search results.

The search engine one-upmanship has been on display since Google in March <a href="http://googleblog.blogspot.com/2007/03/taking-steps-to-further-improve-our.html">reported a change in its privacy policy</a> under which the company would make anonymous the information stored in its server logs after 18 to 24 months unless legally required to retain log data for longer. Microsoft, which runs the <a href="http://www.nielsen-netratings.com/pr/pr_070620.pdf">third most popular search engine</a>, made a <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201200289">similar announcement on Monday</a>.

Search engine companies are now using privacy as a marketing tool, which is good because their concern for user privacy has in the past been perceived negatively, Forrester Research analyst Jennifer Albornoz Mulligan told <i>InformationWeek</i>. "If the search companies have the data, you never know what they might do with it, and it's something that can be stolen," she added. "The general concern -- especially in the European Union -- is that the government will track where you go (on the Web) and what you do there."

Although search data isn't as widely sought after by cybercriminals as financial information, the search engine providers are setting a good example that the financial services and retail markets might want to emulate. "People are searching for all sorts of stuff that they effectively confess to search engines; we are very revealing to our search engines," Danny Sullivan, editor-in-chief of the <a href="http://searchengineland.com/">Search Engine Land</a> Web site, published by <a href="http://thirddoormedia.com/">Third Door Media</a>, told <i>InformationWeek</i>. "The attention paid to search isn't as important as that directed at credit card companies and retailers, but it's a start."

However, it's been proven that enterprising Web users can <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=191901983">connect search data with personal information</a>, as <i>The New York Times</i> did a year ago, after AOL shared about 20 million search words and phrases used by 658,000 of its subscribers. The AOL cache, supposedly stripped of personally identifiable information and posted online, revealed its subscribers' Social Security numbers, names, dates of birth, and cell phone numbers. The <i>Times</i> tracked down 62-year-old Thelma Arnold, a resident of Lilburn, Ga., based on her AOL searches.

"Whether what Yahoo and the other search engines are doing is significant is much less important than the message around it," Burton Group analyst Pete Lindstrom told <i>InformationWeek</i>. "If it makes people more comfortable about using the Web, more power to them."

2007-07-23T06:00:00Z
Microsoft and Ask.com Join Google In Shedding Light On Search Data Retention
Microsoft outlines incremental improvements to its privacy principles for its Live Search and online advertising services.
http://www.informationweek.com/news/201200289?cid=RSSfeed_IWK_Authors

Feeling the pressure of growing concerns over data privacy, most of the major Web search engine providers are stepping forward to better articulate how they handle the information they collect from their users. The latest to do this is Microsoft, which Monday outlined incremental improvements to its privacy principles for its Live Search and online advertising services.

Microsoft, which operates the number three search engine, joins <a href="http://www.nielsen-netratings.com/pr/pr_070620.pdf">search-engine leader Google</a>, which made a similar policy-clarifying move earlier this year.
Meanwhile, Yahoo, which operates the second-most popular search engine, has remained silent on the subject, seeing fit to stick with its <a href="http://info.yahoo.com/privacy/us/yahoo/details.html">current privacy policy</a>. <P> Ask.com, a wholly-owned business of IAC that ranks fifth behind AOL Search, is the only search engine to address the privacy issue on multiple fronts. In addition to joining Microsoft on Monday in calling for the search industry to develop a common set of global privacy practices for data collection, use, and protection, Ask.com last week introduced its <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201200282">AskEraser tool</a> that keeps Ask from storing information about its users' searches. Ask.com, wholly-owned business of IAC, plans to make AskEraser available on Ask.com in the U.S. and U.K. by the end of the year, and globally early next year. <P> Microsoft on Monday articulated in greater detail its privacy principles for Live Search as well as its online advertising services. The principles break down into five areas, the first of which promises Web users that Microsoft will continuously inform them of how the company gathers, secures, and shares search information. "We're not sharing anything that can be tied back to an individual," Brendon Lynch, Microsoft director of privacy strategy, told <i>InformationWeek</i>. <P> Microsoft, which later this year will begin offering advertising services to third-party Web sites that want to market to Microsoft search users, also will give those users the ability to opt-out of receiving these targeted ads. In addition, Microsoft will also make all Live Search query data -- including the IP address and cookie IDs -- anonymous after 18 months, unless the company receives user consent for a longer time period. 
The company also will store Live Search service search terms separate from any personal information that could identify a Web surfer, such as name, e-mail address, or phone number data provided when a user signs up for a Hotmail account or some other service. Finally, Microsoft noted that when it begins offering advertising services on third-party Web sites, the company will join the Network Advertising Initiative (http://www.networkadvertising.org/managing/principles.asp) and follow the principles established by this cooperative group of Internet advertisers.

Microsoft is promoting information about its search data privacy policy as questions arise regarding how much personal information search engines and Web sites should collect, and how that data is protected. The European Union has also pressured search companies (http://www.informationweek.com/story/showArticle.jhtml?articleID=201000262) to articulate in more detail how data gleaned from the Web is used and secured, although Lynch added that Microsoft has not yet been contacted by the European Union's Article 29 Working Group (http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/members_en.htm), a collection of national officials from European countries that advises the European Union on privacy policy.

Google, which collects information about users' searches including the query text itself, IP addresses, and cookie ID numbers, in March reported a change in its privacy policy (http://googleblog.blogspot.com/2007/03/taking-steps-to-further-improve-our.html) under which the company would make anonymous the information stored in its server logs after 18 to 24 months unless legally required to retain log data for longer. The company continues to keep server log data, it says, so that it can improve Google's services and protect them from security and other abuses.

The retention of search log data is essential to protecting advertisers from click fraud and ensuring that Google can investigate security attacks against its systems. In the case of Web spam, if someone tries to manipulate the Google search engine's results to improve the ranking of their Web site, having a historical log helps identify this trick. "The problem is that you don't always know about it on the day it's happening to you," Peter Fleischer, Google's global privacy counsel, told InformationWeek. "Often it's long-term patterns that happen over many, many months. If you are fighting fraud, what is the time frame? It's not forever. Eighteen months would work for the vast majority of cases."

Google retains in its search server logs the IP address of the computer that connects to Google's search Web site, the time/date stamp when the computer connects, operating system and browser type, the text of the query, and, if the person is a repeat user and hasn't set up their browser to reject cookies, the cookie ID number. It's the IP address and the cookie ID numbers that are made anonymous under the new policy, because they are the pieces of information that could most likely be used to track a visitor. Fleischer says Google does not sell any of this information to third parties.

"When you're the first company to do this, you become the subject of the global debate on the topic," Fleischer said. "Some people said fabulous while others said the policy was too long."
More than half of all searches are conducted using the Google search engine, while Yahoo is used about 21% of the time, and Microsoft MSN/Windows Live Search is tapped about 8%, according to the Nielsen//NetRatings MegaView Search report (http://www.nielsen-netratings.com/pr/pr_070620.pdf) for June 2007.

2007-07-20T17:26:14Z
China Weighs In On Its IT Security Challenges
http://www.iweek-interim.com/news/229215585?cid=RSSfeed_IWK_Authors

A blog by my InformationWeek China colleague Jon Tian entitled "Borders of Information Security" provides some cultural perspective for several key findings in InformationWeek Research's 10th annual Global Information Security Survey (http://www.informationweek.com/story/showArticle.jhtml?articleID=201001203).

"The Internet is borderless, accordingly, security threats are borderless, too … Certainly, Chinese companies follow their U.S. counterparts in many IT application areas, including the field of information security. But I recalled the words of John W. Thompson, CEO of Symantec, during an interview this March in Beijing: 'Our life has changed from the real world to the digital world. Now we've learned how to protect ourselves in the real world, but we have not learned the skills and experiences to protect ourselves in the digital world.'"

Tian goes on to note that China is "hanging behind" in some IT areas, but not in others:

"This kind of 'following up' happens in many, but not all, of the IT application areas. For example, survey results indicate that phishing threats faced by Chinese companies are much less than U.S. companies. Some may argue that it is because online banking and electronic payment are not as popular in China as in North America. However, rapid development of China's online financial services in recent years is obvious to all, yet only 16% and 17% of Chinese companies in the most recent surveys [indicate] they were attacked by phishing, and the percentages of U.S. companies almost doubled."

In fact, Tian argues, technology development in China in some areas has even leap-frogged the West:

"One of the facts that is most frequently mentioned by Americans is telecommunication development in China, directly leaping from fixed phone communication to mobile communication. In fact, China has become the lab of many different cutting-edge technologies. This kind of leap happens in information security as well. For instance, Chinese banks started their online banking systems much later than U.S. banks, and learning from their U.S. counterparts, Chinese banks pay much attention to security from the very beginning. Take ICBC (Industrial and Commercial Bank of China), for example: its online banking system requires users to use U-dun (a kind of USB security device) to access their online accounts in order to ensure transaction security."

As a result, Tian believes Accenture's observations that Chinese businesses are several years behind (http://www.informationweek.com/blog/main/archives/2007/07/chinas_security.html) Western businesses in their security deployments should be put in perspective:

"Considering the leap during application transformation, the three to four years gap between Chinese companies and American companies in information security may not be that bad. And as more Chinese companies are going abroad, borders in information security will gradually disappear. Globalization forces Chinese companies to adopt more international standards to improve their IT governance. Take a joint funding company, for instance: its IT department has to be well-prepared for internal auditing by their foreign investor at least twice a year. Last year, many Chinese companies listed overseas made a lot of effort to measure up to the Sarbanes-Oxley Act. Though requirements of the Act are somewhat difficult for the companies, most of them have accomplished this task."

He concludes:

"Threats of information security are borderless, so effective measures for dealing with security threats should be borderless as well."

2007-07-19T13:30:00Z
IT Careers: New Master's Degree Emphasizes Ethical Hacking
Don't expect to see a big crowd for EC-Council University home football games: The program's inaugural Master of Security Science class consists of only six students and all are taking their courses online.
http://www.informationweek.com/news/201002295?cid=RSSfeed_IWK_Authors

It may only be July, but school's in session for IT security pros looking to develop the white-hat hacking, computer forensics, and other skills needed to help businesses turn the tide of today's security woes (http://www.informationweek.com/story/showArticle.jhtml?articleID=201001203) in their favor.

These abilities are essential to ensuring the next generation of chief security officers (http://www.informationweek.com/story/showArticle.jhtml?articleID=199500745) have what it takes to defend their organizations against increasingly organized cyberattacks, and they form the foundation of the new Master of Security Science (http://www.eccuni.us/mss.htm) program launched this week by EC-Council, an industry group that offers training and certification to e-commerce and security pros.
While several universities offer master's programs that address information security, they generally follow curricula that are broader and more theory-based than the one created by EC-Council University, which takes its candidates through cyberlaw, disaster recovery, e-business security, IT security project management, Linux security, network security, secure programming, and securing wireless networks. The four core classes that must be completed for graduation address ethical hacking and countermeasures, investigating network intrusions and computer forensics, managing secure networking systems, and security analysis and vulnerability assessment. Students also must develop and present a research project.

EC-Council has been working since last August to form its own university based in Albuquerque, N.M., and license the university under that state's Higher Education Department. Don't expect to see a big crowd on campus for EC-Council University home football games: The program's inaugural Master of Security Science class consists of only six students, and all of them are taking their courses via an online portal. Four of the students are from the U.S., one is from Latin America, and one is from India. All of them have an undergraduate degree in computer science or IT security. Some of them have master's degrees, but not in information security.

The total cost to complete the master's program is projected to be $21,400, which includes a $2,000 enrollment fee and a $2,300 graduation fee. The program is expected to take between one and two years to complete, depending upon the pace that each student can sustain.

The goal of the program, which is taught by a faculty consisting of nine professors, is to transform today's security pros into tomorrow's chief security officers and high-level security executives, although the school can't promise any particular job placement. Students are expected to study at the university half time, while working in the security field in some capacity. Attending school full time is counter to the spirit of the program. "It would make no sense if you didn't have any practical experience when you graduated," EC-Council president Jay Bavisi told InformationWeek. "A CSO position can't be attained only through academic studies."

There's plenty of room for more educational programs that properly prepare security pros for the challenges they'll face from day one in IT security environments, Stephen Northcutt, president of SANS Technology Institute (http://www.sans.org/), an educational organization licensed by the Maryland Higher Education Commission to grant graduate degrees in information security, told InformationWeek. Between SANS and EC-Council, "if we are both wildly successful, we will fulfill perhaps 1% of the market's true need," he added.

For that reason, SANS doesn't see EC-Council University as competition. Northcutt is, however, skeptical of college and university programs that offer only a concentration in security as part of their master's degrees in MIS or computer science. Such programs "are not qualified or equipped to properly prepare the students and end up wasting the student's time and financial resources and do not impart the technical and leadership skills needed to be effective in an era when the threat is at an all-time high," he said.

There are many academic programs that offer advanced IT degrees that treat security as a secondary component. Boston University, for example, offers an Online Master of Science in Computer Information Systems with a concentration in information security (http://www.bu.edu/online/online_programs/graduate_degree/computer_information_systems/index.html). Required courses for this program include network and software security, network management and computer security, and cryptography. Another school, Lawrence Technological University (http://www.ltu.edu/arts_sciences/computer_science/masters_cs_computer_security.index.asp), offers a Master of Science in Computer Science with a concentration in computer security. Required classes at Lawrence include cryptography, distributed database systems and security, and security audit. Neither program's curricula mention white-hat (or "ethical") hacking, vulnerability assessment, or computer forensics.

The EC-Council in 2003 began offering certification for ethical hackers as a means of exposing defense-minded IT security pros to the ways in which malicious hackers operate. The next logical step for this form of security training was to introduce it as a formal academic program, Bavisi said. One of Bavisi's goals is to see more companies create CSO positions, even though he acknowledges that it's a fairly new title at most companies. "Over the past 15 years, CSO hasn't been a common title," he said. "You don't find that title at smaller companies."

Today's CSOs are in general well-educated in business, security, or compliance and auditing, and they play a high-level, strategic role within their organizations, Bavisi said. "But information security is a rapidly changing field, and the benefit of having a CSO with a Master of Security Science degree is that you will bridge the digital divide between security executives and their technical teams," he added.

Some companies may be concerned about investing in a CSO, adding an expensive employee to an area of the business, security, that's more of a cost center than a revenue generator. Others may be concerned that their employees will go through the EC-Council master's program only to leave for greener pastures when they've completed their degree. "People ask, 'What if I train my people and they leave?'" Bavisi said. "But what if you don't train your people and they stay? Is paying for talent going to cost more than succumbing to a cyberattack?"

Whether a company should have a CSO depends on its level of risk and its organizational structure. Bavisi pointed out that he's not suggesting that every company should have a CSO or that every security pro should have a master's degree. But with the state of computer security these days, it's clear that an influx of leadership in the security space could only help.

2007-07-19T13:27:04Z
China's Security Syndrome
http://www.iweek-interim.com/news/229215508?cid=RSSfeed_IWK_Authors

InformationWeek Research's 10th annual Global Information Security Survey (http://www.informationweek.com/story/showArticle.jhtml?articleID=201001203) highlights some very different security concerns facing Chinese businesses as compared with their U.S. counterparts. While U.S. businesses are generally considered to have a mature and stable corporate environment that's been grappling with IT security issues for years, China's more recent entry into the global business arena means the country is just beginning to pay attention to a lot of IT security concerns.

Chinese companies are generally three to five years behind North American and U.K. companies in terms of IT security, Alastair MacWillson, global managing director of Accenture's security practice, told me. Accenture helped InformationWeek Research put together the survey, and MacWillson shares his expertise in a story entitled "China's Evolutionary Leap" (http://www.informationweek.com/story/showArticle.jhtml?articleID=201001207). "Security hasn't typically been fantastically high on their priority list."
Chinese businesses have a lot of catching up to do (http://www.informationweek.com/galleries/showGallery.jhtml?galleryID=52&articleID=201001203), which might explain why the average percentage of IT budget spent on information security is a whopping 19% in China, as compared with 12% in the United States. "That's quite an astonishing figure," MacWillson says, adding that the Chinese companies who responded to the survey clearly understand that China is far behind in terms of IT security and are spending to catch up to where they need to be.

This is likely to continue to change as the country's companies seek to do more business internationally. Bank of China, for example, "wants to adopt international standards across everything they do, so they need to adopt the control features of a Western bank," MacWillson says. Chinese businesses already are seeing the effects of this move into mainstream global markets, as 32% of Chinese respondents report having been the victim of a publicized data breach or data loss within the past 12 months, as compared with 6% of U.S. respondents.

Chinese respondents have been struck by fewer phishing attacks than U.S. respondents, 17% as compared with 31%, and this speaks to the smaller number of people in China who have access to online bank accounts, as compared to bankers in the United States, MacWillson says. If phishing attacks continue at the current pace, they're likely to become more of a problem for the country as more and more Chinese bank online.

China also has a notorious reputation (http://kdpaine.blogs.com/themeasurementstandard/2007/07/can-chinas-repu.html) for using counterfeit software (http://www.chinalawblog.com/2007/07/chinese_companies_can_say_so_s.html), which can't easily be patched. While a sizable percentage of both U.S. and Chinese survey respondents were compromised as the result of a known operating-system vulnerability being exploited, this attack method was used against nearly two-thirds of all Chinese respondents, compared with 43% of U.S. respondents. Likewise, 41% of Chinese respondents were compromised through an exploit that took advantage of a known application vulnerability, as compared with less than a quarter of U.S. respondents. MacWillson notes that this could be the result of the large amount of pirated software being used in China. "They don't have access to the patches, so that may be why they're concerned about known exploits to operating systems," he says.

China recognizes that it has problems in these areas of security, and its companies are being challenged to address them. "Multinationals are nervous about doing business in China because of the country's reputation for security," MacWillson says, adding that perhaps the high level of IT security spending indicated in the survey could be an attempt by Chinese companies to address these concerns.

2007-07-18T11:00:00Z
Broadband Improves Performance Of Both Apps And Malware
Allied Cash's database administrator Christian Alvarez has been working to secure the company's new Web-based user interface in recent months.
http://www.informationweek.com/news/201002023?cid=RSSfeed_IWK_Authors

Securing the data that can be accessed via Allied Cash's (http://alliedcash.com/) new Web-based user interface has been the most pressing security concern for company database administrator Christian Alvarez during the past several months.

"We've gone from dial-up connections to a broadband solution for employees accessing Allied Cash applications," Alvarez told InformationWeek. Now the company's nearly 500 employees in about 250 locations across the country have speedy access to the hosted applications that let the company offer customers cash advances against their paychecks.
"This gives employees more ability to roam on the Internet," he said. And of course, more roaming means a greater exposure of Allied Cash's IT systems to the Web's more malicious elements.

These sorts of concerns are consistent with those expressed in InformationWeek Research's latest annual Global Information Security survey (http://www.informationweek.com/story/showArticle.jhtml?articleID=201001203), conducted with consulting firm Accenture. Of the companies feeling more vulnerable to attack today, 70% cite the increased sophistication of threats, including SQL injections, while 58% worry about the growth in the number of ways to attack corporate networks, including wireless networks. About half of the U.S. respondents are concerned with the increased volume of attacks, while a little more than one-third worry about the malicious intent of their peers using the Web.

To counteract these threats, Allied Cash uses SurfControl's WebDefense Web-filtering application (http://www.darkreading.com/document.asp?doc_id=129292), "which has different sites broken down by categories, like gaming sites or dating sites, that we have locked down," Alvarez said. "These are sites that could have malicious software on them and that employees shouldn't be using from work. We found that our users were going to non-work-related sites, and we were getting a lot of requests because their PCs were going down," Alvarez said. That's when the company decided to implement WebDefense (http://paologorgo.multiply.com/journal/item/15).

With broadband access to the Internet, employees are more exposed to malicious Web content while they're using the Web to access software used to record customer transactions, including payment, marketing materials, and collection calls. "We deal with financial information about our customers, so you have to go beyond simple antivirus software for security," Alvarez said. "If employees are doing anything not work-related, they run the risk of downloading malware such as a keylogger that can be used to steal login information."

To control this, Allied Cash's point-of-sale system is IP-address-controlled at the network firewall, Alvarez said. Allied Cash only allows users to access its applications if they're coming from an approved IP address. "If someone tries to log into our site from an unauthorized IP address, they wouldn't be able to get in, even if they have a valid user name and password," he said.

Alvarez acknowledged that securing a business has gotten more complex as new offerings have hit the market. "People say security is complicated because of the different avenues they can take to protect themselves," he said. "But the best way for people to protect themselves is to start by limiting everything: what you're going to allow out, and what you're going to allow in."

2007-07-17T17:30:00Z
Data-Stealing Trojan Disclosure Frustrates Researchers, Vendors, and Law Enforcement
Can cybercrooks successfully attack at will, and are those who report the details of these attacks causing more harm than good?
http://www.informationweek.com/news/201001860?cid=RSSfeed_IWK_Authors

There are two questions in the realm of IT security that simply won't go away: Can cybercrooks successfully attack at will, and are those who report the details of these attacks causing more harm than good? The revelation earlier this week by a security vendor and research firm that a Trojan horse may have stolen sensitive information from hundreds of businesses and government entities has revived this heated debate.

U.K.-based security vendor Prevx says its software last week detected a program running on customers' computers that behaved suspiciously, creating an outbound HTTP connection to a Web site and sending information out of customers' IT environments.
"These were classic behaviors of an information-stealing Trojan," Prevx CEO Mel Morris told InformationWeek.

Further study led Prevx researchers to a directory on a Web site identified as www.martin-golf.net/pajero, which was live up until Tuesday afternoon Eastern Time but has since been taken down. The directory offered a list of 494 different computers (identified by their IP addresses) that were running the mysterious program Prevx had found. The program encrypted sensitive information such as logins and passwords while leaving an online ransom note informing the victim that all of their private information for the last three months had been taken and that they needed to pay $300 to buy software from the cybercrook that could decrypt the info.

Morris noted that the martin-golf.net directory was just a front for the cyberscam and that the site's owner likely had no knowledge their site was being misused in this way.

Prevx, having determined that this was the work of a Trojan that had infected computers at hundreds of businesses and government agencies, notified U.K. law enforcement as well as the FBI in the U.S., Morris said. The next step was to send copies of the malware to a number of other security vendors, whose products Morris claimed had failed to detect the Trojan, which was relatively unsophisticated in that it didn't use a rootkit or techniques for hiding itself.

Here's where the story gets a bit contentious and exemplifies the competitiveness in the security vendor market as well as the fine line that security researchers walk (http://www.informationweek.com/showArticle.jhtml?articleID=197700811) when they want to disclose their findings.

Morris said that he and his team on July 14 alerted the FBI to the presence of this Trojan and had a conference call with the agency the following day. Prevx told the agency that it had identified 494 computer systems that had encrypted and transmitted about 200 Mbytes worth of data, which Prevx had decrypted only to find logins, passwords, and other sensitive data. "The FBI said they would be moving forward with their investigation," he said. The FBI confirmed that it had been contacted by Prevx, but would provide no further details nor confirm whether the July 15 discussion took place.

Prevx has spoken freely about which companies it contacted to inform them that they'd been hit by the Trojan. Morris claimed that the Trojan was found inside IT systems belonging to American Airlines, Booz Allen Hamilton, and the State Department, although none of them would comment on Prevx's story. Morris characterized their reaction to Prevx as ranging from apathetic responses ("they're too busy") to indignant responses that questioned Prevx's credentials.

Likewise, Prevx claimed to have contacted several security vendors to alert them that their products had not caught the Trojan. One of the security vendors, Trend Micro, acknowledged that it was aware of the Trojan and that its products can now detect and protect customers against this Trojan.

Yet Trend Micro was "ethically taken aback" by what it sees as Prevx's cavalier attitude in going public so quickly with its research, David Perry, global director of education, told InformationWeek.

Trend Micro, however, is no stranger to controversy over security disclosure. In late September 2006, the company, which had been studying software bots and promoting a service to detect such bots, reported finding bot infestations in numerous government agencies (http://www.informationweek.com/news/showArticle.jhtml?articleID=193104896). Trend Micro's list included the Defense Department, the Navy Network Information Center, and the Pittsburgh Supercomputing Center. Several organizations on the list challenged Trend Micro's research.

While it's not clear how much damage the Trojan in question has caused or why its creators were asking for only $300 in ransom, it is obvious that the IT industry, its customers, and law enforcement still aren't on the same page when it comes to finding, reporting, and fixing security threats.

2007-07-17T11:00:00Z
GE Healthcare Tackles Data Security
GE Healthcare already has rolled out encryption capabilities on 120,000 laptops as part of a five-pronged encryption strategy initiated in mid-2005.
http://www.informationweek.com/news/201001790?cid=RSSfeed_IWK_Authors

Data security has been the top IT security priority at GE Healthcare over the past 12 months, and it isn't alone. "It's the biggest security concern both for myself and my company," said company chief information security officer Scott Hamrick in an interview.

By the end of last year, GE Healthcare had rolled out encryption capabilities on 120,000 laptops as part of a five-pronged encryption strategy initiated in mid-2005. Now Hamrick's investigating phase two, which will focus on encryption of both structured and unstructured data stored in applications as well as on file and database servers. This encryption project will be followed by the encryption of backup tapes, storage devices, and removable USB thumb drives. All five phases are scheduled to be completed by early 2008.

"So far, the removable media encryption part of the project looks to be the most challenging," Hamrick said. "We want to control it to the point that no matter what USB thumb drive you plug into your computer, the data stored on that drive would be encrypted. That way, if you lose that drive, it wouldn't pose a danger to the company."

GE Healthcare is tackling one of the biggest problems in security today: how to protect company and customer data from thieves increasingly focused on stealing such information. Still, a lot of companies have the ostrich syndrome when it comes to data security.
If it hasn't yet affected their company, they'd rather not deal with it. InformationWeek Research's <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201001203">10th annual Global Information Security survey</a>released this week, conducted with consulting firm Accenture, indicates that only one-third of U.S. survey respondents and less than half of <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=201001207">those in China</a> cite "preventing breaches" as their biggest security challenge. Only one-quarter of U.S. respondents rank either unauthorized employee access to files and data or theft of customer data by outsiders in their top three security priorities, and even fewer put the loss or theft of mobile devices containing corporate data or the theft of intellectual property in that category. <P> This lack of urgency persists despite highly publicized -- and highly embarrassing -- data-loss incidents in the last year and a half involving retailer TJX, the Department of Veterans Affairs, and the Georgia Community Health Department, among many others. <P> GE Healthcare's been able to focus on data security the past 12 months because Hamrick's already gotten the company up to speed on the <a href="http://www.informationweek.com/showArticle.jhtml?articleID=201001213 ">network-access control</a>, anti-virus, patching, and security policy control projects that needed to be done to address more conventional threats. "We've had to focus less on the firefighting recently, so we've been able to focus more on strategic issues like data security," he said. <P> Still, Hamrick remains undeterred by the increasing complexity of IT security. "It definitely reaches a point where it's too complex," he said. But this is being alleviated by the consolidation of security vendors into larger IT vendors such as Cisco, IBM, and Microsoft. 
What has made IT security more complex is the introduction of new, consumer-driven technology in the workplace. "Our users go home and use Yahoo or AOL IM," Hamrick said. "You could argue that phone and e-mail isn't enough, as technologies like IM become more mainstream. It's classic risk management 101. You look at the benefits of the technology, the cost, and the risk, and then you implement the technologies that most benefit your business."

Despite the security risks, Hamrick realizes that his company could miss out on some really useful innovation if they don't keep an open mind. "We have to have the policy of not saying 'no' all the time," he said.

2007-07-16T16:49:00Z
Virtual Worlds, Real Cheaters
The author of a new book, "Exploiting Online Games," says that cheaters are infesting online worlds like World of Warcraft and Second Life, and they could become a threat to mainstream business systems.
http://www.informationweek.com/news/201001670?cid=RSSfeed_IWK_Authors

Cheaters are following legitimate users into virtual worlds such as World of Warcraft (http://www.informationweek.com/story/showArticle.jhtml?articleID=200001578) and Second Life (http://www.informationweek.com/blog/main/archives/2007/07/second_life_usa.html). And the techniques those cheaters learn can become a threat to service-oriented architectures used for business.

Cheating in online games has led to lawsuits and efforts from game makers to spy on their players.

Such cheating also could become a security problem within the massively distributed systems that many companies have deployed or are renting from service providers to act as the foundation for their service-oriented architectures, Gary McGraw, a security researcher and CTO for security services provider Cigital, told InformationWeek. "If you think about the kinds of security issues tied in with MMORPGs, they're an indicator of things to come as we adopt SOA," he said.
Online games follow the client/server model: millions of people play while connected to a server, which has to keep track of all the information about the virtual world in which the gamers operate. This information includes, for example, the X, Y, and Z coordinates for a gamer's avatar. If the server can be attacked and these coordinates changed, the gamer is able to essentially "teleport" his character throughout this virtual world regardless of the movement rules established by the game, said McGraw, whose new book "Exploiting Online Games," written with fellow security researcher Greg Hoglund (http://www.informationweek.com/showArticle.jhtml?articleID=188703271), debuts this week. What's to stop business users from doing the same to business applications?

With the gaming market expected to reach $12 billion in annual revenue by 2009, game developers have a strong incentive to keep their players honest. This has led to an arms race of sorts between less honest gamers and the software companies that produce the games. "These software companies are installing spyware to make sure gamers aren't cheating," McGraw said, adding that World of Warcraft does this through a piece of software it calls The Warden. In response, McGraw and his colleagues wrote a piece of software they call The Governor, which tracks The Warden. "The Warden reports on non-World of Warcraft items that reside on gamers' computers," he said, adding that it can track the version of Windows that the gamer is using and even what they're writing in their IMs.

Games and virtual worlds also have online economies that map back to the real economy.
Internet Gaming Entertainment, which McGraw estimates saw about $400 million in revenue last year, has been in business since 2001 selling virtual gold or other items that can be used to improve one's standing in online games, including Final Fantasy VI, Lord of the Rings Online, and World of Warcraft. One player in October 2005 even paid MindArk (http://www.mindark.com/), makers of the Project Entropia game (http://www.project-entropia.com/index.var), $100,000 for the rights to a virtual asteroid space resort, McGraw said (http://www.cigital.com/justiceleague/2007/07/12/preface-from-exploiting-online-games/). In Second Life, the gamer has some property rights to land and artifacts within the virtual world, which is interesting in a legal sense, McGraw said, adding that one player managed to find a bug in the Second Life program where he could bid on virtual real estate that wasn't yet open for auction. "He became a real estate baron by exploiting a bug in their system, using URL manipulation," he added.

Marc Bragg, a lawyer in West Chester, Pa., approached the virtual world as a money-making opportunity, something Second Life maker Linden Lab didn't appreciate. In May 2006, he filed suit against Second Life maker Linden Lab (http://www.informationweek.com/showArticle.jhtml?articleID=196604327), alleging that the company unfairly confiscated thousands of dollars worth of his virtual land holdings by shutting down his account with them. Linden Lab and some Second Life members have accused Bragg of breaking into HTML code on a virtual real estate auction list and buying virtual land for much less money than he would have paid in a public online auction. Bragg, who made money on the virtual land by renting it out to other Second Life users, claims that Linden Lab froze about $8,000 worth of virtual assets and refused to reimburse him.
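The two manipulations McGraw describes, rewriting an avatar's coordinates and bidding on a lot that isn't open yet, both come down to a server accepting client-supplied state without checking it against its own rules. The following is an added example, not code from the article or from the book it describes, of the server-side checks that close both gaps; the speed limit, tick length, auction window and sample data are all assumed for illustration.

```python
"""Server-side validation of client-supplied game state (constructed
example; all limits, names and sample values are assumptions)."""
from dataclasses import dataclass
import math

MAX_SPEED = 7.0       # world units per second (assumed game rule)
TICK_SECONDS = 0.1    # length of one server tick (assumed)


@dataclass
class Avatar:
    """Authoritative position held by the server, not by the client."""
    x: float
    y: float
    z: float


def validate_move(avatar: Avatar, new_pos: tuple, dt: float = TICK_SECONDS) -> bool:
    """Apply a client position update only if the avatar could have
    reached it at MAX_SPEED within dt seconds. Anything farther is
    treated as a teleport attempt and rejected without changing state."""
    if dt <= 0:
        return False
    nx, ny, nz = new_pos
    dist = math.dist((avatar.x, avatar.y, avatar.z), (nx, ny, nz))
    if dist > MAX_SPEED * dt + 1e-9:
        return False
    avatar.x, avatar.y, avatar.z = nx, ny, nz
    return True


@dataclass
class Lot:
    """A virtual real-estate lot with its auction window (epoch seconds)."""
    lot_id: str
    opens_at: float
    closes_at: float


def validate_bid(lot: Lot, now: float, amount: float, min_bid: float) -> bool:
    """Accept a bid only while the auction is open and the amount meets
    the minimum. The check is made server-side on the lot's own state,
    so it holds no matter how the request was constructed."""
    if not (lot.opens_at <= now < lot.closes_at):
        return False
    return amount >= min_bid
```

The same pattern, server-held state plus a rule check on every request, is what McGraw's SOA warning asks of business applications.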
Linden Lab, which develops and operates Second Life, used to say that users owned property in the virtual world. Now it uses more general language: users own licenses to the property, legally similar to software licenses in the real world.

The list of infractions continues, including money laundering through online games and other virtual investments. But McGraw's main contention is that these security issues may have broader implications for how business will use distributed software and defend against similar tactics in the future.