Network Computing
Security Blog
February 06, 2008
Europe: For All Your Spam Needs
Posted By Tom LaSusa at 08:04 PM

Europe has been taking the lead in several areas of technology lately. The European Space Agency (ESA) will be the first to send an unmanned cargo ship to the international space station. London will be Europe's first city to get A380 Airbus service. Now Europe claims another "accolade" -- Symantec says it's responsible for most of the spam sent worldwide. I guess two outta three ain't bad.

Continue reading "Europe: For All Your Spam Needs"



January 23, 2008
Leaky Nuke Lab Is Poor Endorsement For A Security Product
Posted By Andrew Conry-Murray at 12:45 PM

A new startup has licensed technology from Los Alamos National Laboratory to help enterprises respond to security incidents. But does the company really want to be associated with a lab that routinely mishandles nuclear weapons secrets?

Continue reading "Leaky Nuke Lab Is Poor Endorsement For A Security Product"



January 14, 2008
Keeping IT Awake All Night
Posted By Mike Fratto at 03:51 PM

The SANS Institute’s Top 10 Menaces of 2008, developed by a panel of security experts, predicts key threats in 2008. While some threats have been with us for some time, like Web-based attacks, spyware, and bot nets, and insider problems, the difference is in the sophistication of the attacks.

Continue reading "Keeping IT Awake All Night"



November 20, 2007
CA Gets A Gateway To SOA
Posted By Andy Dornan at 05:32 AM

CA has launched a SOA Security Gateway, part of its IAM (Identity and Access Management) r12. The announcement brings CA into head-on competition with vendors including IBM and Cisco, though it doesn't really represent another player in the market, as much of the technology comes from an OEM deal with Web services security vendor Vordel.

Continue reading "CA Gets A Gateway To SOA"



October 19, 2007
Leveraging Your Infrastructure
Posted By Mike Fratto at 05:28 PM

NAC deployments often require more integration than seen at first blush. Especially when the NAC products don't meet with expectations. Take user login/log-offs that were a problem I mentioned in my review of ConSentry's product. There are ways to mitigate problems or bolster your NAC deployments using features you already have.

Continue reading "Leveraging Your Infrastructure"



September 19, 2007
The Insider Threat Is Greater Than You Might Think
Posted By Mike Fratto at 01:47 PM

Dr. Eric Shaw’s Tuesday keynote at the MIS Training Institute's IT Security World Conference 2007 is a sobering presentation about the underlying causes of and dangers in mishandling the rogue or disgruntled employee.

Continue reading "The Insider Threat Is Greater Than You Might Think"



August 16, 2007
Breach Notification Service is a Bad Sign
Posted By Andrew Conry-Murray at 04:26 PM

You know data security breaches are way too common when a company builds a business around customer notification of stolen information.

Continue reading "Breach Notification Service is a Bad Sign"



July 25, 2007
Pointing fingers
Posted By Jordan Wiens at 10:01 PM

Momma always said every time you point a finger, three more are pointing back at you. Well, there was a lot of finger pointing going on the last few weeks between IE and Firefox over a vulnerability in URL handlers, and a recent twist continues to stir things up.

Continue reading "Pointing fingers"



July 20, 2007
$28 Million for an Old Idea—Part 1
Posted By Andrew Conry-Murray at 01:04 PM

You have to admire the chutzpah of startup Palo Alto Networks. The company has raised $28 million to sell a "next-generation" firewall based on ideas that are 20 years old.

Continue reading "$28 Million for an Old Idea—Part 1"



July 19, 2007
Would You Get Hooked By A Phisher? Test Your Smarts
Posted By Tom LaSusa at 04:47 PM

Think you're too smart to get duped by a phishing scam? Are you absolutely certain you'd be able to recognize an authentic site from a scam? The Anti-virus experts at McAfee aren't as convinced and so they've set up an extremely interesting interactive quiz. The test consists of ten questions, eight of which include screenshots of both a real version of a website and a phisher's dupe. All you have to do is click on which one you believe is the valid site. At the end of the test you'll get your score.

Continue reading "Would You Get Hooked By A Phisher? Test Your Smarts"



June 05, 2007
Podcast: IronPort's Scott Weiss
Posted By Tom LaSusa at 01:30 PM

The CEO of IronPort systems talks about his company's acquisition by Cisco and why he sees no end in sight to the problem of spam.


May 29, 2007
Google Hacked... by Google?
Posted By Jordan Wiens at 02:17 PM

Google Hacking is the popular sport of using Google's giant cache and index to discover files or applications that the administrators might not have realized were public. There are whole databases (Johnny Long maintains the most well known) that track fun search phrases to use, but it looks like Google themselves may have been bitten.

Continue reading "Google Hacked... by Google?"



May 23, 2007
Microsoft TCG/TNC Announcement
Posted By Mike Fratto at 09:02 PM

While at Interop, I had the chance to talk to Stephen Hanna, Distinguished Engineer at Juniper and Co-chair of the Trusted Computing Group Trusted Network Connect working group and Paul Mayfield, Group Product Manager for Enterprise Networking.

(now you see why I do print)




May 22, 2007
It's all about the policy
Posted By Mike Fratto at 05:28 PM

The Trusted Computing Group Trusted Network Connect published Microsoft’s Statement of Health protocol (SoH) which lets NAP clients send health information to a Policy Decision Point (PDP)—the server that makes a decision based in whole or in part on the host health.

Continue reading "It's all about the policy"



May 15, 2007
He-Said/He-Said: Open Source 802.1X
Posted By Rich Karpinski at 12:34 PM

Over in NWC News Analysis, we covered the formation of a new group to build an open source 802.1X supplicant. The group, called the OpenSEA Alliance, is working to develop an open-source 802.1X supplicant (a client implementation) to ensure a standards-based implementation and speed industry adoption, they said.

Our editors have varying opinions on the move:

Continue reading "He-Said/He-Said: Open Source 802.1X"



May 02, 2007
See no vulnerabilities, hear no vulnerabilities
Posted By Jordan Wiens at 09:34 PM

Yesterday, Computerworld reported on a Gartner tidbit that "QuickTime Vulnerability Exposed by Contest Poses Wide Risk". I'm in complete agreement with the title. The QuickTime vulnerability is indeed a pretty nasty one. It impacts both Mac and Windows (including Vista!) machines with any web browser as long as Java and QuickTime are enabled and installed. Pretty bad combination.

Continue reading "See no vulnerabilities, hear no vulnerabilities"



April 27, 2007
Skip a security check, do not pass go, go directly to suspension
Posted By Jordan Wiens at 01:44 PM

A University of Portland student was suspended for writing a program to bypass the Cisco Clean Access NAC system on campus. Apparently this incredibly dangerous activity is a Patriot Act violation. Or, at least, it is if you believe the letters being sent out by the administration at UP who seem to be confusing "skipping security checks" and "hack into a licensed product".

Continue reading "Skip a security check, do not pass go, go directly to suspension"



April 21, 2007
Mac Attack
Posted By Jordan Wiens at 02:27 AM

Security in OS X is a pretty interesting topic to watch on the web. For every stereotypical Mac user, perfectly smug in the invulnerability of their operating system of choice, there is a detractor who claims Macs only seem secure because nobody uses them and thus nobody tries to break their security. The truth, as is usually the case in such things, surely lies somewhere in between.

Continue reading "Mac Attack"



April 03, 2007
Is Cobia Open Source?
Posted By Jordan Wiens at 11:57 AM

Thomas Ptacek challenged Alan Shimel recently on whether StillSecure's Cobia™ Unified Network Platform™ is really Open Source. Alan's response is that essentially most folks only care that open source means free, and the source code comes with it. After all, that is the obvious definition of the term without knowing the back history. It's not, however, the actual, accepted definition of the term. See the FSF's discussion of the two terms for a bit more background on "Free Software" and "Open Source".

Continue reading "Is Cobia Open Source?"



April 02, 2007
Web 2.0 Inherently Insecure?
Posted By Jordan Wiens at 12:57 AM

When I first heard a number of claims that AJAX applications were inherently more insecure than standard web applications, I thought that was ridiculous. After all, as long as you don't do anything stupid like do validation of user input only on the client, what would you have to worry about?

While on one level that may be true, it looks like in the general case I was wrong. Splitting web applications into two distinct programmatic components, one that runs in the browser, and one that runs in the server is more complicated (at the very least you've got to be proficient now in two different languages), and there are definitely new types of vulnerabilities that are specific just to AJAX applications.

Continue reading "Web 2.0 Inherently Insecure?"



March 23, 2007
Hacking Intranets
Posted By Jordan Wiens at 05:45 PM

If anyone is interested in the Hacking Intranets presentation I gave this week, video (with very poor audio quality, unfortunately), slides, and the demo code are available online. I'm not super-pleased with the results as I think I tried to cram too much information into too short of a time-frame (especially when 15 minutes were subtracted from the length I had to present in!), but the takeaway of how easy it is to use web browsers to hack intranets is worth reiterating.

Continue reading "Hacking Intranets"



March 18, 2007
No cookie for you!
Posted By Jordan Wiens at 08:13 PM

In preparation for my upcoming presentation on web security and abusing browsers, I was going over the long list of protection measures that either aren't in place, or don't work against the potential threats, when I stumbled across one bright spot in an otherwise bleak landscape.

Continue reading "No cookie for you!"



March 15, 2007
Infosec World 2007
Posted By Jordan Wiens at 04:21 PM

I'll be making a very brief appearance at Infosec World next week. If anyone's planning on being there and would like to stop by and say "hello", I'm unfortunately presenting at 8:30 on Tuesday, and leaving just after my talk. Still, if for some odd reason you've got a burning desire to see how young I really look in person (Answer: I'm 27 and walking around campus where I work, I'm regularly mistaken for a freshman), here's your chance to find out.

I realize that might be an early talk for those west-coasters still not used to our EST sunrise, but I can promise you the demo for the talk will be entertaining. I won't be presenting any earth-shattering attacks, mostly things that those on the cutting edge of web security are familiar with, but the hands-on examples should be a lot of fun.




March 14, 2007
OpenBSD Remote Exploit
Posted By Jordan Wiens at 02:40 PM

OpenBSD is usually touted as one of the most secure networked operating systems. Of course, part of that reputation was gained because for years it's disabled unnecessary services (or even sometimes mostly necessary ones -- like SSH) by default. Still, defaults aside, OpenBSD.org has for many years now had the tag-line, "Only one remote hole in the default install, in more than 10 years!" Just in the last few days, however, that tag-line has changed. The count's now jumped to two remote holes in the default install.

Continue reading "OpenBSD Remote Exploit"



March 08, 2007
Spam/Not Spam
Posted By Sean Ginevan at 10:32 AM

Verizon recently won a lawsuit against SMS spammers.

As e-mail providers, ISPs and enterprises have cracked down on e-mail spam, spammers have looked toward other mediums including instant messaging (discussed in Mike DeMaria's article this month on IM security appliances) and SMS.

Carriers have been cracking down on SMS SPAM as of late with some unintended consequences.

In our preliminary testing of Mobile Device Management software for the April 30th issue of Network Computing, two vendors found that SMS messages, sent via e-mail and used to reach mobile endpoints, were being rejected by some carriers (presumably as spam). The same messages sent to other carriers, however, worked fine.

Organizations that use SMS, especially via e-mail gateways, for enterprise applications may look to conduct monthly tests with all possible messages to ensure that messages aren't rejected in the fight to prevent SMS SPAM.




February 22, 2007
Default passwords and how not to do it
Posted By Jordan Wiens at 02:18 PM

A recent discussion about a Cisco speakerphone vulnerability reminded me this is far from the first time Cisco's had password problems. You'd think a company that has spent so much on security branding and indeed is recognized as the first company that "comes to mind as a Networking Security leader" in six of their eight target locales (7th in Japan, 5th in China, first in US/CAN, UK, Germany, France, Italy and India -- data courtesy Cisco Systems), they'd be a bit more careful about getting the basics right.

Continue reading "Default passwords and how not to do it"



February 13, 2007
For Hackers, By a Hacker
Posted By Jordan Wiens at 10:32 AM

It can sometimes be challenging to convince folks that Network Computing is serious about the motto, "For IT, By IT" (see banner, two inches to the right). It's not just a nice sounding phrase, but a major cornerstone of the philosophy of the magazine.

When I started covering the security beat, the most important challenge was learning the ins and outs of the magazine, working on my writing and other skills, not so much learning the technology. Security isn't just something I write about, it's what I do on a day-to-day basis.

Continue reading "For Hackers, By a Hacker"



February 12, 2007
Extrusion Protection Heads for the Desktop
Posted By Andrew Conry-Murray at 01:24 PM

Extrusion protection is heading for the desktop. Once defined by gateway appliances that monitored Web, e-mail and IM traffic for sensitive information that might be slipping out of the enterprise, a new crop of products puts an agent directly on the desktop to plug potential leaks.

Continue reading "Extrusion Protection Heads for the Desktop"



February 09, 2007
Cisco Trust Agent not going open source
Posted By Mike Fratto at 02:21 PM

According to Neil Wu Becker, PR Manager, Security, for Cisco, "Cisco is NOT open-sourcing CTA, nor do we have any plan to do so. We're not even considering it -- it's not something on our radar and it's not a pressing issue on our agenda."

Continue reading "Cisco Trust Agent not going open source"



February 05, 2007
"Real World" Security
Posted By Jordan Wiens at 10:35 PM

As I traveled out to San Francisco for RSA 2007 I was again struck by how, in many ways, the "real world" could use a security refresher. There are a number of examples where security researchers have exposed flaws in physical systems simply because they applied the same critical eye that they're used to using in their electronic analysis. Matt Blaze's research on master keyed locks is one example, along with the Princeton group who found both physical and software security flaws in Diebold voting machinery.

To that end, I'd like to propose my list of obvious real world security flaws:

Continue reading ""Real World" Security"



February 04, 2007
Fixing DHCP NAC Enforcement
Posted By Mike Fratto at 05:16 PM

Extreme's ExtremeXOS 11.6, available on the X450 and BlackDiamond switches, is getting an uplift that starts to make DHCP NAC enforcement comparable to 802.1X for enforcement. The feature enhancement tracks DHCP leases as they are handed out and applies ACLs on access ports. Extreme has a solid foundation that enhances NAC DHCP enforcement, but needs to work on a few niggling, but critical details with handling mobile computers, before it is truly enterprise ready. DHCP lease awareness is not new. Cisco has a feature in IOS 12 called DHCP Snooping and IP Source Guard that offers similar functionality. Switching software from other infrastructure vendors like Foundry Networks, and Nortel, also have DHCP snooping features.

Continue reading "Fixing DHCP NAC Enforcement"



January 27, 2007
Extended Validation Certs don't help
Posted By Mike Fratto at 01:20 PM

There has been a lot about the upcoming CA/Browser Forum’s Extended Validation Certificates. The certificates are supposed to increase users' confidence that a web site is legitimate and also supposed to stop phishing.

Continue reading "Extended Validation Certs don't help"



January 04, 2007
Cisco Gets 2 for 1 with IronPort Acquisition
Posted By Andrew Conry-Murray at 03:54 PM

Cisco Systems tapped into two robust markets—anti-spam and messaging compliance—with today's $830 million acquisition of IronPort.

Continue reading "Cisco Gets 2 for 1 with IronPort Acquisition"



December 12, 2006
Info Leak Prevention for the Mid Market
Posted By Andrew Conry-Murray at 09:07 AM

Code Green Networks is launching an information leak prevention appliance for the mid market. The appliance sits at the boundary of the internal network and monitors e-mail, Web mail, HTTP and FTP traffic for sensitive corporate information.

Continue reading "Info Leak Prevention for the Mid Market"



December 06, 2006
Security Podcast -- Week of 12/06/06
Posted By Tom LaSusa at 04:10 PM

Join Curt Franklin in this Radware sponsored Security Podcast. This week's podcast includes security news; The Worldwide growth of Spyware and Adware; Detecting and Defeating Rootkits.




November 20, 2006
Security Podcast -- Week of 11/09/06
Posted By Tom LaSusa at 05:14 PM

Join Curt Franklin in this Radware sponsored Security Podcast. This week's podcast includes security news, a security feature: CSI Trendspotting (part one of a two part series), and a security product review: Reflex Disknet Pro.




Interview With Blue Lane President & CEO Jeff Palmer
Posted By Tom LaSusa at 05:11 PM

Andrew Conry Murray interviews Blue Lane's President & CEO Jeff Palmer. Palmer explains the company's appliances, which sit inline on the network and emulate security patches on real-time traffic to protect servers until the patch is installed.




November 17, 2006
What NAC Doesn't Solve
Posted By Mike Fratto at 03:34 PM

Is it too early in the NAC space to start talking about revolution or evolution? Maybe. But there are some interesting changes going on. The whole of NAC has really been centered around assessing an endpoint's health and making an access decision like granting access or enforcing quarantine. That's all well and good, but really, you're protecting the network from an infected or malicious host. It's not really access control.

Continue reading "What NAC Doesn't Solve"



October 31, 2006
Security Podcast - October 31, 2006
Posted By Tom LaSusa at 02:35 PM

This Week's Network Computing Security Podcast is brought to you by Radware

Join Curt Franklin as he reviews the Kingston Data Traveler Secure and discusses Strategic E-Mail security.


October 26, 2006
Bye-Bye Independent Managed Security Providers
Posted By Andrew Conry-Murray at 09:03 PM

BT bought Managed Security Services Provider (MSSP) Counterpane this week for "tens of millions of dollars," according to Chuck Pol, president of BT Americas.

Continue reading "Bye-Bye Independent Managed Security Providers"



October 18, 2006
Teaming up for Leak Prevention
Posted By Andrew Conry-Murray at 02:30 PM

Major vendors are partnering with start-ups in the emerging Information Leak Prevention (ILP) market to spice up their products and tap into compliance dollars.

Continue reading "Teaming up for Leak Prevention"



October 03, 2006
Barracuda Networks Responds
Posted By Andrew Conry-Murray at 11:22 AM

The following post contains the correspondence between Barracuda Networks and Frank Bulk in response to Frank’s blog on Barracuda’s representation of its Spam Firewall e-mail capacity.

Continue reading "Barracuda Networks Responds"



October 02, 2006
Truth vs. 'Truthiness' in Vendor Claims
Posted By Andrew Conry-Murray at 04:33 PM

Veteran IT buyers know that vendor promises about performance or capacity tend to be aspirational rather than factual. But Barracuda, maker of the Network Spam Firewall, has stooped to a new low: eight times lower, that is.

Continue reading "Truth vs. 'Truthiness' in Vendor Claims"



September 06, 2006
NAC/NAP: A House of Cards?
Posted By Mike Fratto at 10:38 AM

Is the new Cisco NAC/Microsoft NAP Interoperability Architecture partnership a harbinger of things to come? Is this the situation that NAC vendors have feared (or welcomed, depending on your point of view)? It certainly is an ambitious partnership and if successful, will change the shape of the NAC market and, more importantly, your deployment options.


Continue reading "NAC/NAP: A House of Cards?"



August 23, 2006
IBM Acquires ISS for MSSP Biz
Posted By Andrew Conry-Murray at 02:07 PM

IBM today announced it will acquire security vendor ISS for approximately $1.3 billion. ISS made its name selling intrusion detection and prevention products, but Big Blue snapped up the company for its managed security services portfolio.

Continue reading "IBM Acquires ISS for MSSP Biz"



August 17, 2006
But Will It Match My Tinfoil Hat?
Posted By Andrew Conry-Murray at 11:44 AM

A new line of wallets has metal-infused RF shielding built in to prevent thieves from remotely scanning RFID-embedded credit cards. This is just silly.

Continue reading "But Will It Match My Tinfoil Hat?"



August 03, 2006
Wireless Device Driver Flaws Allow Takeover of PCs, Macs
Posted By Andrew Conry-Murray at 12:14 PM

This week Intel and SANS announced three vulnerabilities for Centrino device drivers on Windows, the worst of which could let the attacker execute code with kernel-level privileges.

Continue reading "Wireless Device Driver Flaws Allow Takeover of PCs, Macs"



July 28, 2006
NWC Interview: Arthur W. Coviello, Jr., CEO, RSA Security Inc.
Posted By Tom LaSusa at 03:16 PM

Listen as RSA Security's Chief Executive Officer Art Coviello talks with NWC contributor Robert Hertzberg about Internet crime, privacy protection, terrorism—and storage behemoth EMC's impending $2.1 billion acquisition of RSA.




July 20, 2006
Here's to the IETF
Posted By Mike Fratto at 10:51 AM

I always find it interesting to see how standards bodies work. A group is attempting to form within the IETF, though it’s probably more accurate to say the people are talking about forming a working group, called Network Endpoint Assessment (NEA), which from its proposed charter aims to standardize protocols, either existing elsewhere or developing new ones, for exchanging posture information between a client, a broker, and a server.

The problems this group is addressing are fundamental and while it seems from the meeting notes at a recent Birds of a Feather meeting that a large number of participants are vendors, a few participants were from companies that will ultimately consume the products the vendors will put forth. That’s a huge advantage of a truly open standards process. This group, if it gets started, may have a significant impact on core network access control interoperability and tangentially the feature sets. Without input from stakeholders, critical features may be left out, weakening the usefulness of the resulting work. I remember watching the activity in the IPSec working group and the decision to not work on NAPT and user authentication resulted in years of non-standardized solutions to remote access VPN which, let’s face it, was the driver in that market.

I would like to see this group form and bring some sanity to the network access control space. I think it would benefit everyone involved.




July 13, 2006
Can the IETF sort out the NAC standardization process?
Posted By Mike Fratto at 01:39 PM

With competing network access control (NAC) initiatives like the Trusted Computing Group's Trusted Network Connect (TCG TNC), Microsoft's Network Access Protection (NAP), and Cisco's Network Admission Control (CNAC), as well as all the vendor specific NAC products and solutions, one thing is painfully clear. Standardization and conformance are critical. The matrix of security and network infrastructure products that should be included in a NAC solution for either end-point validation, profile authorization, or enforcement is mind boggling.

Continue reading "Can the IETF sort out the NAC standardization process?"



June 09, 2006
Friday Freebie
Posted By Lori MacVittie at 09:49 AM

Happy Friday!

Today's almost-freebie combines security and FTP servers. It's only free for 30 days, but the company suggests that the initial license should give you ample time to analyze network traffic and determine how secure (or insecure) your FTP servers might be.

And today's real freebie is MonoStack from BitRock.

Continue reading "Friday Freebie"



June 06, 2006
UTM - Universal Transverse Mercator? Or Unified Threat Management?
Posted By Don MacVittie at 01:11 PM

I was reading Christopher Hoff's blog yesterday and got to pondering the use and usefulness of UTM and UTM architectures to the mid-to-large enterprise.

There's a lot to say on this topic, so I will confine myself to a couple of points. First, why would you even consider a UTM solution; second, who would own a UTM solution; and third, what is with the different architectures.

Continue reading "UTM - Universal Transverse Mercator? Or Unified Threat Management?"



June 02, 2006
Windows Live OneCare - Caring or Careless?
Posted By Don MacVittie at 11:56 AM

This week, Microsoft began offering Windows Live OneCare. For $49.95 per year, you can get your PC (up to three of them) protected, maintained, and backed up.

I can see how this plan came about...

Continue reading "Windows Live OneCare - Caring or Careless?"



May 26, 2006
Is it Safe in the Clear?
Posted By at 03:51 PM

Ahh, encryption. There are few security-related topics that manage to combine complexity, minutiae, and critical needs quite as thoroughly as does encryption. Government agencies simultaneously require and fear encryption, an attitude that is also common among business leaders. Ultimately, there are plenty of reasons to encrypt data (does stolen personal data ring a bell?) and very few reasons to fear it. While relatively few of us might ultimately be the ones implementing encryption, it's important to understand the major issues so we can discuss its implementation and the policies governing its use intelligently. I recently had a phone call with a team of folks from WinMagic, and we discussed encryption as part of a full security program. You can listen to the podcast here.

Continue reading "Is it Safe in the Clear?"



Newbury Responds
Posted By Tom LaSusa at 01:28 PM

(Originally posted by Mike Fratto on SecureEnterprise Magazine's Website on 02/06/06)

Newbury Networks wants a chance to respond to a blog entry where I opined about their over the top marketing and fear mongering in a white paper they published. I also pointed out what I thought, and still think, are technical inaccuracies. Their unedited response is below.

Continue reading "Newbury Responds"



Newbury is spreading FUD. Here's the Deal.
Posted By Tom LaSusa at 01:25 PM

(Originally posted by Mike Fratto on SecureEnterprise Magazine's Website on 02/01/06)

Newbury Networks has been pushing extremely hard the idea that Wi-Fi is broken and can't be trusted unless you deploy their products. They are pushing over the top marketing in webinars and white papers. This white paper is one of the most blatant cases of fear mongering I have seen in a long time. Let's take this apart point by point.

Continue reading "Newbury is spreading FUD. Here's the Deal."



May 23, 2006
VA Problems Might Be Yours Too.
Posted By Don MacVittie at 03:11 PM

The recent loss of data from the Veterans Administration highlights the need to know who has what data, and what they're doing with it. The VA has thus far handled this event wonderfully, and as a Veteran from a family of Veterans, I am pleased that they're doing what they have to in regards to the lost data.

But there is one thing that worries me, and I think now is as good a time as any to address it. Public outcry and the media frenzy created by sensationalism is going to cost this employee their job. I am pretty positive that the VA will look at the circumstances, correlate facts, and then fire the employee.

Continue reading "VA Problems Might Be Yours Too."



May 22, 2006
Open Source Security
Posted By at 05:20 PM

Open Source software tends to be one of those religious topics, where people have strong opinions and feelings that are informed by more than simple facts. It's the kind of topic that is fun to cover because it often brings far more reader and listener response than other, less emotionally-charged areas. In this podcast we wade in with both feet, talking with Mike Ferris, Redhat's Director of Solutions Strategy. He had some interesting things to say, and you can hear them here.


May 05, 2006
Things I learned at Interop 2006...
Posted By Don MacVittie at 06:23 PM

In keeping with my habit, here is my usual post-show post about Interop.

This time though, there will be less about vendors and more about press and analysts, because I've picked on vendors enough through the years. Though one or two did make my list for this show. As usual, most specific names have been filtered out to protect the guilty.


May 04, 2006
NAC Ideas Worth Hearing
Posted By Andrew Conry-Murray at 06:09 PM

So many vendors were shouting about Network Admission Control (NAC) at this year’s Interop that they nearly drowned out the ‘ding-ding’ of the slot machines. That means enterprises investigating NAC first have to tune out high levels of marketing B.S., vendor obfuscation and bandwagon-jumping before they hear of anything with actual business value.

To help save your eardrums, I’ll point you toward two interesting NAC architectures that emerged from the noise at Interop: peer-based enforcement and SSL VPNs on the LAN.


May 01, 2006
Cell Phone Malware Growing Fast
Posted By Andrew Conry-Murray at 08:29 PM

The number of cell phone viruses and Trojans has doubled in the past seven months, leaping from 100 to 200 since October of 2005, according to researchers at F-Secure.


April 20, 2006
Hyper-Critical?
Posted By Don MacVittie at 03:53 PM

I am pondering the Risk-Cost security equation a lot these days, as I'm certain you all are.

Some things just absolutely must be protected, others just aren't that important. Some days, I think we as an industry forget that little fact.

And legislation/compliance aren't helping any.


April 14, 2006
Pen Fights ID Theft?
Posted By Andrew Conry-Murray at 05:15 PM

You know identity theft has gone mainstream when pen manufacturer Uni-ball launches an ad campaign touting a high-security ink designed to fight ID fraud.


Click A Kitty
Posted By Tom LaSusa at 02:16 PM

Do your eyes go all kaflooky when the site you're on pops up with one of those scrambled text signups? You know -- the ones where a string of letters or numbers appears up against a weird background that makes it hard to read? The problem with these security measures is that some vision-impaired users cannot always make out the characters. Plus, they're not as secure as some people think -- the right batch of malicious code can slip right past them.


March 24, 2006
Sourcefire Acquisition Squelched by Politics, Ignorance
Posted By Andrew Conry-Murray at 02:17 AM

Check Point Software put its proposed $225 million acquisition of IDS/IPS vendor Sourcefire on indefinite hold this Thursday due to political concerns.

The acquisition, announced in October 2005, came under the scrutiny of the Committee on Foreign Investment in the United States (CFIUS) in February 2006. CFIUS, headed by the Treasury Department, investigates the acquisition of U.S. companies and assets by foreign governments. Check Point, which is headquartered in Israel, needed a green light from CFIUS before the acquisition could proceed.

THE POLITICS
Michele Perry, a Sourcefire spokesperson, cited “the current climate for international acquisition” as a key reason for the withdrawal. That’s a reference to CFIUS’s controversial approval of the transfer of operations at several U.S. ports to a company based in the United Arab Emirates. Republicans and Democrats in Congress joined together to kill the deal.

According to an Associated Press story, the Sourcefire deal may have been discouraged in part to pre-empt charges of bias. Such charges would likely arise if the Bush administration approved an Israeli takeover of a U.S. company soon after bowing to Congressional pressure to freeze out the Arabs.

THE IGNORANCE
The FBI and Defense Department also disapproved of the acquisition. These agencies were spooked because they use Snort, an open source IDS created by Sourcefire founder Marty Roesch, to protect classified computers. They were concerned that a foreign government would acquire sensitive technology.

Apparently they don’t understand that ‘open source’ means anyone with an Internet connection can acquire this sensitive technology.




March 20, 2006
The best laid plans...
Posted By Don MacVittie at 06:31 PM

Fall apart when implemented.

Whenever you're in a lab environment there are challenges. It takes a certain mentality to say "Let us gather a bunch of products together, try to make them all work correctly in our environment, then run them through some tests, that sounds like fun, doesn't it?"