Panda Internet security software Software Next year Assessment
Article by sturat mike
Posted on 19 May 2012.
Posted on 15 May 2012.
This video by Tenable Security is pretty wild. It shows a visualization of an office network. Using different colors and lines users can pin-point problem areas based on traffic and data being sent and received to each machine.
The system lets you call out various aspects of the network using marker shape, color, and network lines. For example, you can change symbol colors depending on vulnerabilities and even change the shape and position of mobile devices. You can see a little more of the visualization over here.
Tenable released version 2.0 of the software this month; it sits on top of the company’s Nessus security scanner. Sadly, the visualizer doesn’t show the “polychrome shadow, countless translucent layers shifting and recombining” of the average computer virus. Maybe we need to wait for the Kuang Mark Eleven.
Posted on 08 May 2012.
Server Colocation – Safety And Security Of Your Enterprise Data
Article by Edison
Nearly every business depends on computer systems, and the data they store plays a vital role in the growth of the business. But how well is that data secured? You have to store the data and, at the same time, access it from different locations. Server colocation offers a solution to this. You may wonder why this should be a solution, but in practice it can be the only one. Have you ever thought about the data that gets stolen or destroyed in a disaster? A colocation service can help protect your data in that regard. It does so by keeping your data fully available on the site. It gives you access to the site’s monitoring tools, which leads to well-managed administration. Such providers use a disaster recovery method called bare-metal disaster recovery, which lets you restore the data on the server from a backup. Normally you must partition the drive in a regular backup service, whereas here it also offers other ways to recover a broken computer. Such a service adds to the continuous protection of your data by replacing disks well in advance, before the actual backup starts. During the backup you do not have to go document by document. The backup windows are also very small, so that the extra backup is over in a few minutes.
It uses a backup method called incremental sector backups. Such a backup does not touch the unused portion of the disk and copies only the part that has changed recently. Compared with the usual backup method, such backups reduce the required storage capacity by almost 90%. This also saves time. Here the data is strongly encrypted so that there is no chance of theft, even during restoration of the data. During transmission it uses a special key password. The administration side is well managed and easily handled from a remote location, and it uses an interface that is mostly web based. Such administration helps in providing the data in any form and bringing it back to the original location in the same form. Server colocation lets you run the business without any disruption. Data is stored very safely and is easily protected. So it is better to choose a server colocation service that has gained sufficient experience in such administration. Server colocation enhances the safety of business data, and it ensures enterprise security too.
Posted on 07 May 2012.

As you may have seen over the weekend, someone has discovered a security hole in FileVault, which arose with the OS X Lion security update, version 10.7.3, back in February: FileVault encryption passwords are now visible in plain text outside of a computer’s encrypted area.
The hole was apparently spotted by someone back in February, although it was most publicly first pointed out by security consultant David Emery on the Cryptome blog a few days ago and the rest of the blogosphere has run with it.
Now, it appears that the problem could be bigger than previously thought: it turns out that the developer who first noticed the hole back in February has discovered that it exists outside of FileVault, too, with at least one other company’s security encryption software, a Lion VM running in VMware Fusion, showing the same behavior.
From earlier this morning, he wrote, in answer to his own thread started in February:
I’m not sure if I can support the assumption that this is an error in filevault.
I’ve just tried logging in as a network user in a newly set up and updated Lion VM (VMware Fusion) and run into the same behavior. Filevault was never active on this system.
Can someone with the following environment please verify:
- OpenDirectory users with Network Home on AFP
- Lion (10.7.3) Clients
- Snow Leopard or Lion Server
Steps:
- Set up a new machine, or use one that never had filevault enabled
- Login as a (unprivileged!) network user with a Network Home on an AFP share
- Log out, log in as an admin user
- Check “Console” for log messages containing the string “_premountHomedir”
Please help to get to the bottom of this!
The security hole, as it exists in Apple’s own FileVault (and potentially other) encryption software, means that passwords for the encrypted part of a person’s computer are revealed in plain text to a user who knows where to look. As Sophos’ Naked Security blog notes:
Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.
That is yet another reminder of how, although we hear a lot about passwords needing to be cryptic enough, ultimately if the encryption falls down on implementation, those passwords will be useless anyway. “How products store, manage and secure keys and passwords is the most common failure point in assuring data protection,” Chester Wisniewski of Sophos points out.
The advice he gives is to upgrade to a full-disk solution, such as FileVault 2 or another, and also to change your passwords if you’re a FileVault user.
It’s not clear how many users have been affected by this security flaw, which follows on another security mishap for Apple last month, when 600,000 Macs were apparently recruited into a botnet after a security update for Java was delayed in its release.
Apple’s been working for some time on improving the security of its operating systems — partnering with the security community to advance that aim — but as the company’s ubiquity continues to grow this will become even more urgent an issue.
We have contacted Apple for a response to this story and will update as we learn more.
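The check the developer describes above (look through Console output for lines containing “_premountHomedir”) is easy to automate for a fleet, and an admin doing so should avoid copying the exposed credential into yet another file. The script below is an added example, not code from the article or from Apple: it scans an exported log, reports which lines and processes mention the marker, and masks everything after the marker so the report itself holds no secret. The log lines it runs on are constructed, and the exact wording of the real entry is not assumed.

```python
"""Scan a log export for _premountHomedir entries without echoing secrets."""
import re
from typing import List, Tuple

MARKER = "_premountHomedir"

# Constructed sample log excerpt (not a real capture). The prefix loosely
# follows syslog lines of the period; the credential shown is fake.
SAMPLE_LOG = """\
May  7 09:12:01 mac-01 authorizationhost[210]: DEBUGLOG | about to call _premountHomedir on afp://server.example/Homes/alice, password = 'hunter2'
May  7 09:12:02 mac-01 kernel[0]: AFP_VFS afpfs_mount: mounted server.example
May  7 09:15:44 mac-01 loginwindow[88]: Login Window Application Started
"""

# syslog-style prefix: "<Mon dd HH:MM:SS> <host> <process>[<pid>]: <message>"
_PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def redact(line: str) -> str:
    """Keep the line up to and including the marker; mask the remainder.

    Everything after the marker is where the sensitive detail lives, so it is
    replaced wholesale instead of trying to pick the secret out of it.
    """
    idx = line.find(MARKER)
    if idx < 0:
        return line
    return line[: idx + len(MARKER)] + " <redacted>"


def find_exposures(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, process, redacted_line) for every marker hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if MARKER not in line:
            continue
        m = _PREFIX.match(line)
        proc = m.group("proc") if m else "?"
        hits.append((n, proc, redact(line)))
    return hits


def report(log_text: str) -> str:
    """Human-readable summary: affected lines plus the remediation to apply."""
    hits = find_exposures(log_text)
    if not hits:
        return "no %s entries found" % MARKER
    out = ["%d line(s) mention %s; rotate the affected network-home "
           "passwords and purge these logs:" % (len(hits), MARKER)]
    for n, proc, red in hits:
        out.append("  line %d (%s): %s" % (n, proc, red))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved copy of the affected system log (or the Console export) rather than the live file, and treat any hit as a password already disclosed.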
Posted on 25 April 2012.

As Facebook pushes ever closer to one billion users, one of the biggest issues it has faced has been backlash from consumers around the areas of privacy and security. Today, the social network is taking two steps in an effort to improve its image around that area — and potentially positioning itself as a software reseller in the process.
It is partnering with Microsoft, McAfee, TrendMicro, Sophos, and Norton/Symantec to enhance its own URL blacklisting system; and it is launching a new service, the Antivirus Marketplace, with these five companies, to offer a selection of antivirus software to protect users even further. That software will be free of charge for the first six months of use.
“We believe that arming our users with anti-virus software will help empower them to stay safe no matter where they are on the web,” the company said in a blog post announcing the news. The AV Marketplace will also be available as a link within the Facebook Security section of the site.
From today, Facebook users will have the option of downloading full versions of antivirus software from these five companies, under free six month trials. After that, users will have to buy the software, an example of Facebook facilitating the sale of computer software to its users. When you explore individual products from the line-up, there is a button to download the software, and another, currently darkened out, for “other products,” so there may be plans to add more software to the line-up.
Meanwhile, Facebook says that its URL blacklist system — the one where a site may end up when a user reports it as “abusive or spammy” — already scans trillions of clicks per day. Now that system will be augmented by blacklist databases from these five companies.
Today’s news is another move in Facebook’s evolution to improve the experience that people have through the social network, and is part of a continuing trend for the company to turn to third parties to do this: that not only lets Facebook choose best-of-breed applications, but also allows Facebook to share in some of the other companies’ brand credibility in this area.
Among past deals, Facebook partnered with Websense in October 2011 to develop a system that checked a link when a user clicked on it to determine whether or not it’s safe. If it’s not, a message is displayed warning the user that the link is potentially harmful and suggests you return to the previous page.
Facebook also says that the five companies will now be contributing blog posts to its Security Blog in the form of information about keeping their data safe and other relevant news about the world of social media security.
I personally have been reading Sophos’ thoughts in that area for a while now on its Naked Security blog — and it has been pretty outspoken in highlighting some of the security issues that come up for Facebook users. It will be interesting to see whether any of that kind of content makes its way to Facebook itself.
Posted on 11 April 2012.

Fragmentation isn’t just a problem reserved for mobile operating systems; it’s inherent to our online identities as well. Our digital identities exist in a loose and fragmented consortium of usernames, email addresses, screen names, social media accounts, passwords, and sitekeys. Many have tried to capture the single sign-on holy grail, and most have failed, because as much as we are inconvenienced by fragmentation, no one wants to hand over their personal information to one entity.
Last month, we covered the beta launch of OneID, a San Jose-based startup founded by Steve Kirsch, a serial entrepreneur, Silicon Valley veteran, and one of the co-inventors of the optical mouse. With OneID, Kirsch is looking to topple the current username/password digital identity paradigm and replace it with a system that uses public key cryptography to assert users’ identities across PCs, smartphones, tablets, and more.
There are already a number of services which attempt to handle the single sign-on problem, and while OneID wants to eliminate passwords from memory, oftentimes these identity plays just end up in offering one more competing standard, rather than achieving the opposite. (See Randall Munroe’s humorous take.) If the service can offer real value to the end user, and reach the kind of scale required to make a difference, there’s hope — but that’s a tall order.
Kirsch says that OneID’s value prop is that it operates like a secure Facebook Connect, keeping payment and address info secure by encrypting it in its distributed architecture, which is only then readable by your particular mobile device. As with single sign-on plays, the goal is to reduce friction and fraud inherent to authentication (and security) that is part of every digital financial transaction. That, and on the consumer side, it comes with the benefit of speeding up the sign in and check out process by way of single-click purchases — like Amazon one-click without the login.
While it’s a big infrastructure play and a tall order, OneID has some help. Kirsch developed OneID’s technology with veteran engineers Jim Fenton, Adam Back, and Bobby Beckmann, and today the startup is bringing on veteran security executive Alex Doll as CEO. Before coming to OneID, Doll was most recently an executive-in-residence at Khosla Ventures, where he was working on new approaches to the digital identity problem. Before Khosla, Doll was a founding executive at PGP Corp, the makers of public-key cryptography tech, which he led from zero to its integration with Symantec’s anti-virus technology. As a result of Doll’s appointment, founder Steve Kirsch will become acting CTO.
On top of its new CEO, OneID is also announcing that it has raised $7 million in series A financing. The round was led by Khosla Ventures and North Bridge Venture Partners. As a result of its new funding, Khosla Ventures General Partner Shirish Sathaye and North Bridge Partner Jonathan Heiliger will be joining the startup’s board of directors.
OneID’s new leadership, coupled with this significant infusion of capital, should be a serious leg-up as the company expands. As mentioned, for OneID to work, it’s going to need a significant user base, because there isn’t a whole lot of value for other sites in adding this tech, even if it’s something consumers are dying for. According to Kirsch, OneID is currently live on over 1,000 sites (that reach over 100 million users), and we can expect the new leadership to focus on adding zeroes to that number.
Stay tuned. For more on OneID, check out the company at home here.
Posted on 22 March 2012.

Move over organized cybercriminals, the new gangs in town don’t want our money, but they want to make a point, and they’re going to do whatever it takes to make sure we listen. The annual Data Breach Investigations Report (embedded below this post) from Verizon and major security agencies has found that hacktivism from the likes of Anonymous accounted for 58 percent of all data stolen online in 2012 — a contrast with years past, when organized crime groups were the main culprits.
And, as is the way with hacktivists, they work on large volumes of records rather than multiple, targeted opportunities: “The megabreach is back,” said Chris Porter, principal on the Risk team at Verizon.
In an investigation that also involved the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service and the Police Central e-Crime Unit of the London Metropolitan Police, Verizon found that 2011 was the second-highest year for data loss that it has recorded since it started the annual investigation in 2004. In all, it analysed 855 data breaches covering 174 million stolen records and 100 million users.
One notable point is that while organized criminals will use the data for financial gain, hacktivists are wreaking havoc for political and social reasons.
Yet although organized crime may have been, in volume, less active than the hacktivists, they were no less lethal in terms of what kind of cost they represented.
Verizon, frustratingly, doesn’t include any figures on what kind of cost these data breaches represent, but Porter describes the impact of the organized criminals as “death by a thousand paper cuts”, where they go after “less risky, low-hanging fruit,” that in aggregate can represent a very valuable enterprise.
That can include tactics like skimming information from card machines at gas pumps, breaches of e-commerce sites, and big thefts of data records from cloud-based services, such as the situation that hit Sony PlayStation last year.
Another point is that hacktivists’ tactics are also being adopted by others: although hacktivists accounted for 58 percent of stolen data, hacking actually appeared in 81 percent of breaches (versus 50 percent in 2010). Malware also grew in usage: it appeared in 69 percent of breaches, compared with 49 percent in 2010.
Attacks go global: In all, Verizon found breaches originating from 36 countries last year — a rise from 22 in 2010. That, admits Porter, is partly down to the fact that there was a larger global team of investigators this time around able to gather that data more comprehensively, but also a reflection on how criminal networks have expanded in their activities in an effort to elude authorities.
But that global spread collectively accounts for a very small part of stolen data. The big concentration of criminal activity, in fact, continues to come from one area in particular: Eastern Europe, which this year was the origination point for 70 percent of attacks. Less than 25 percent originated in North America, Verizon said.
One ironic conclusion in the report is that if businesses and the general public were only a bit more vigilant, the story would be quite a different one: of all the attacks 96 percent were deemed to be “not highly difficult”, and that 97 percent “were avoidable without the need for organizations to resort to difficult or expensive countermeasures.” In other words, a little proactive knowledge could go a long way in turning things around.
What about the year ahead? Porter said that if he had to make a calculated guess, he thought that hacktivism would be reduced this year, in part because of the disruption caused by enforcement agencies’ arrests.
However, stealing records has always only been part of hacktivists’ tactics: some of their most high-profile activity, such as the series of moves that Anonymous made around their double campaign against SOPA and the closure of Megaupload, involved distributed denial of service attacks, which comprehensively shut down web sites and caused another kind of financial havoc for their targets.
Although there have been some significant efforts from authorities to track down and arrest the hacktivists, notably the arrests last month of several members after one became an informant, there is all reason to believe that those attacks could continue into next year, if the crowd that helps in their efforts continues to feel the flames of discontent.
Full document embedded below:
Posted on 02 March 2012.
Privacy and security issues have been at the forefront of tech news this week, with The New York Times reporting on loopholes in two major mobile operating systems — Apple’s iOS and Google’s Android — that allow apps to access much more personal smartphone content than most users realize.
Superstar security researcher Ashkan Soltani (his résumé includes work with the Federal Trade Commission and The Wall Street Journal and giving testimony in front of Congress about mobile privacy) was in San Francisco this week speaking at the RSA Conference, so yesterday afternoon he came by the TCTV studio to dig a bit deeper into how safe smartphones are today and whether things are getting better.
In short? It’s complicated. But Soltani has clever and compelling ways of describing what’s going on, which made for a pretty fascinating discussion. You can watch the whole interview above; here are just a couple of his points:
Smartphones aren’t as smart as you think
This part of our chat happened off-camera, but Soltani has come up with an interesting analogy: Smartphones today are like toddlers who don’t understand etiquette. Just like a four-year-old who overhears you saying that Aunt Helen is fat (and repeats your statement to Aunt Helen the next time he sees her), mobile operating system software is not yet mature enough to understand that you may want an app to access some of your photos, but not others. That in itself is not necessarily a bad thing, but the real problem is that most average users think their smartphones are a lot smarter than they really are — and are surprised to find out otherwise.
Context is key
But as toddlers grow up, they come to understand that certain information is meant to be shared only with certain people. According to Soltani, smartphone software should evolve in a similar way, learning to keep more data in context. Right now, the only data that smartphones understand to keep private is location data. Going forward, things like photos and texts could start to be treated with more consideration. Even as smartphone security gets more sophisticated, though, average users would do well to be more wary with what they share with their devices.
These are the early days
Even though it may be hard to remember life without your iPhone, Soltani said, it’s important to remember that they’ve only been around for four-and-a-half years (which ties in well with the toddler comparison). That means that we’re in the very early days of reaching a consensus on where the privacy and security boundaries should be. For comparison, Soltani brought up the car industry: The earliest versions of the Ford Model T were popular but also very dangerous, and it took decades for regulations such as drivers licenses, seat belts, and air bags to create some structure around the industry. It could take some time for the same thing to happen with mobile devices.
Posted on 21 February 2012.

If you run a big website, you have a range of good options for staying protected from malicious hacks: hardware from enterprise-oriented companies like Cisco or McAfee, your own in-house support, or hosted professional blog services like WordPress VIP (which is what TechCrunch uses). If you’re a smaller site out on the open web, you have weaker options — at least if you want to get auto-updated responses to a wide range of security problems.
Israeli startup 6Scan is out to change that, launching a WordPress plugin today that automatically scans and updates to protect against the latest issues coming up across the web. By “automatically,” I mean that the company’s security team monitors the web and does its own research to find problems, then pushes an update to all of its users. These go out about every hour, according to co-founder and chief executive Nitzan Miron, as they’re discovered and added to the company’s system.
Key problems it fixes include SQL injection, cross-site scripting, directory traversal, remote file inclusion and the other top security risks. The scanning software is offered for free, but fixing and removing the risks it finds, along with other features like zero-day research and additional email and SMS support, costs $10 a month. Although the Israeli company has only been around since April of last year, Miron and his co-founder Yaron Tal worked in web security in their country’s military over the previous years — they’re not new to the space.
Other website guards that serve small to medium-sized sites include Dasient (now part of Twitter), Armorize, StopTheHacker (also recently funded) and CodeGuard. They each provide a range of competing services for cheaply and quickly identifying threats, and they all offer various methods for containing or removing problems. Miron says that the ability to fix existing vulnerabilities instead of requiring users to take additional actions helps separate 6Scan’s offering from web-based competitors. (Note: I haven’t tested every web site security system around, but so far I haven’t seen others that do this, exactly. Tell me if otherwise in the comments).
More generally, another type of competitor here is companies that offer hosted, supported sites for smaller businesses, which accomplish the marketing goals of stand-alone websites. This can include anything from Facebook pages to Tumblr accounts to hosted site creators like Weebly or Webs.com. On that front, Miron says that they’re also talking to hosting companies to get their software auto-installed, and they’ve been getting some interest — so, they’re not only going straight for consumer-style smaller businesses running their own sites.
While WordPress is the first live version, Miron says support for other content management systems is coming soon, with Joomla and Drupal in the next few days. In its private beta, 6Scan has already added up a few thousand customers, he adds, many of whom are already paying.
The company has so far raised an undisclosed round from YL Ventures, following on seed funding from Israeli incubator Venturegeeks last year. Miron is coming through town now, and planning to present at the SF New Tech cloud meetup at Might tomorrow.
Posted on 21 February 2012.

Software and SaaS security company Cenzic is today launching a new security product for mobile application developers which will allow for the testing of mobile apps on any platform – iOS, Android, J2ME, and more. The product will be the first that can test products without requiring developers to submit the source code, as all the testing is done through the cloud, while the app is up-and-running.
The service will then be able to tell what sorts of security vulnerabilities an app has, what sensitive data it could leak, what other sorts of security threats it may be vulnerable to, and what to do about it.
The security risk inherent in using mobile applications was recently in the spotlight, when it was discovered that many of users’ favorite apps were uploading their address books to developers’ servers. But that kind of risk, while important, is not the sort of thing that Cenzic’s solution is interested in addressing.
Explains John Weinschenk, CEO of Cenzic, “there’s been a lot of hype and a lot of focus on the device itself, but the device itself is not the risk. If I hack into your mobile device, I get your information. That’s not that interesting. But as a hacker, if I hack into the server itself, I can get millions of accounts, and millions of pieces of information.”
The problem Cenzic wants to help fix has to do with the fact that many companies’ backend systems were designed to be accessed by web applications, but are now being accessed by mobile apps.
With the new solution, the company looks at a mobile app’s backend and use of web services, and analyzes those for vulnerabilities. This is especially important for enterprise app makers, who need to ensure that their apps are protected against all the latest threats in order to protect sensitive customer data.
But how prevalent are these sorts of vulnerabilities? Weinschenk says that prior to today’s launch, the company tested over 30 applications for four (unnamed) beta customers, which included companies that have over a billion dollars in sales operating in the financial services space, in e-commerce and in manufacturing. During the testing period, Cenzic found that 60% of the vulnerabilities were input validation issues, while 40% were authentication issues. “What this means,” explains Weinschenk, “is that programmers writing mobile applications don’t really understand how to manage the authentication of that device communicating up to the server.”
In Cenzic’s solution, the platform will provide info on how to fix the vulnerability and how to make code changes, but, as it doesn’t have access to the source code itself, will not make the changes, only point to the affected part of the code. In addition, the library of vulnerabilities is updated every week, similar to anti-virus systems, so developers can continually test for new threats to their mobile apps’ backends.
The new mobile solution will also be wrapped into Cenzic’s other products, in the form of software, managed services and cloud offerings. Pricing starts at $7,000 per app per year.
The company today secures more than 500,000 online applications for Fortune 1000 companies, government agencies, universities, security companies, SMBs and others. More information about the mobile product is now available on the Cenzic homepage here.
