EYE ON SECURITY

The World of Secure Development.

by Kevin Carlson

January 2007


January 31, 2007

Symantec Unveils Identity Initiative


A new Identity Initiative has been unveiled by Symantec. The Initiative is a combination of services and software that addresses how consumers manage their online identities and ensure the security of online transactions.

A key element of the service is one-time use credentials, such as credit cards, postal addresses, and email addresses. For example, if customers are not familiar with a particular e-commerce site, they can elect for Symantec to generate a one-time use credit card, limiting their financial risk. In addition, the identity service also has the potential to support parental controls and the authentication of other personal information such as age and memberships.

Symantec is taking a user-centric approach, making the identity service protocol-independent. The service will interact with websites supported by different identity exchange protocols, such as CardSpace and OpenID. Symantec expects to roll out its Identity Initiative worldwide over the next 12-24 months. Even without formal partnerships, the Norton Identity Client will be compatible and functional with the majority of websites.

The Norton Identity Client, a single interface for consumers, supplies online credentials and gives protected access anywhere they transact on the Internet. This online identity credential will be similar to how a passport or driver’s license functions in the physical world; however, it could be modified as needed and accepted virtually everywhere.

In addition to solving a key need for consumers, the Symantec Identity Initiative addresses significant business concerns. In fact, 53 percent of Internet users have stopped giving personal information to websites in fear of identity theft and 14 percent have stopped paying bills online, according to market-research firm Gartner. With more secure identities and transactions, businesses will be better able to retain customers and reduce their own risk of fraud.

According to a study conducted by First Analysis Securities Corp, the cumulative market opportunity for online consumer authentication for banks, brokerages and e-commerce is estimated at $1.1B from 2006 through 2010.

Posted by Jon Erickson at 01:38 PM


January 27, 2007

RSA Releases Banking Survey Results


RSA has released the results of its fourth annual Financial Institution Consumer Online Fraud Survey.

Conducted in December 2006, the survey asked 1678 adults from around the world their opinions on evolving fraud threats -- such as phishing, vishing, and keylogging -- and on the efforts of financial institutions to strengthen remote channel banking authentication.

Among other results, the survey found that:

  • 91 percent of account-holders said they are willing to start using a new authentication method, beyond the standard "username-and-password", if their banks decided to offer stronger security. Of that number, 73 percent said they would like their financial institution to use risk-based authentication.
  • 69 percent of account-holders believe that financial institutions should replace username/password log-in with stronger authentication for online banking.
  • 58 percent believe that financial institutions should deploy stronger authentication for telephone banking.
  • 82 percent would like their banks to monitor online banking sessions and telephone banking sessions for signs of irregular activity or behavior -- similar to how credit-card transactions are monitored.

For a copy of the survey, email rsaconsumer@outcastpr.com.

Posted by Jon Erickson at 12:21 PM


January 18, 2007

Vulnerabilities: What's Wrong With This Picture?


So are we starting to figure out how this security stuff works? Well, not so you'd notice, at least according to a recent report by the Computer Emergency Response Team (CERT). In fact, says CERT, the number of vulnerabilities reported in 2006 is up 35 percent over 2005.

According to CERT, the total number of vulnerabilities logged by the organization last year was 8064, an increase of 35 percent. These numbers were in line with other major flaw databases -- the National Vulnerability Database, the Open Source Vulnerability Database, and the Symantec Vulnerability Database -- all of which recorded increases ranging from 20 to 35 percent in 2006 over 2005.

So where are all these vulnerabilities coming from? Applications written in languages such as PHP accounted for 43 percent of the total vulnerabilities. And according to Art Manion, CERT vulnerability team lead, the biggest issue is the number of vulnerabilities in Web applications. "The best we can figure, most of the growth is due to fairly easy-to-discover vulnerabilities in Web applications," Manion said. "They are easy to find, easy to create, and easy to deploy."

The bottom line is that it seems we're making it easier -- not harder -- for the bad guys to go about their nefarious business.

Posted by Jon Erickson at 06:11 AM


January 12, 2007

Security Utility Free -- For the Time Being Anyway


While there's no such thing as a free lunch, security vendor MicroWorld Technologies is offering a free security check-up and repair for viruses and other malware, at least for the next couple of weeks.

The offer is a promotion associated with the 8.x release of MicroWorld's MWAV toolkit/utility. Among other features, MWAV:

  • Scans your computer completely and provides reports of any viruses that it finds.
  • Checks for all illegal dialers that are present on your computer and informs you of the same.
  • Informs you of any background illegal sniffers or tools like spyware, adware, keyloggers etc. running in the memory of your computer.

According to MicroWorld, there’s no need to install the software -- you just download and run the toolkit and scan the computer right away. MWAV gives you the option to add it to the startup list of programs on your computer so that the toolkit scans your computer every time you start using it. This version will scan and clean your computer of any threats with the latest updates up to February 15, 2007.

Posted by Jon Erickson at 09:37 AM


January 06, 2007

Fingerprints: The Difference Being...


There's something about fingerprints that brings out the Junior G-Men in all of us. Maybe it's the intellectual challenge of unraveling a mystery, the sense of justice in putting a bad guy behind bars, or knowing that there is something different and special about each and every one of us. Whatever.

Every once in a while, I pick up my copy of Davide Maltoni et al.'s Handbook of Fingerprint Recognition and skim through it, wondering if I could have made it in the FBI, or at least landed a bit role in CSI: Crime Scene Investigation. Maltoni's book is interesting because it covers fingerprint-based recognition algorithms and techniques, and includes a DVD of both the FVC2002 fingerprint database and a demo version of the SFinGe software for synthetic fingerprint image generation.

What brought all this to mind was an announcement from IDSoftware, a biometric identification management company, that it has released PrintSearch for positive identification on inmate release. The PrintSearch program scans and matches up to 10 prints of an inmate pending release to ensure the correct inmate is identified and released. Believe it or not, the release of the wrong inmate occurs more frequently than you'd expect.

IDSoftware is what you'd call a vertical ISV, since it targets its software at professional law-enforcement and criminal justice agencies. Along with fingerprint identification, it produces software for mobile wireless quick-ID, video imaging and mug shot systems, express booking and release systems, GPS monitoring, crime scene image management, video inmate property management, and investigative case management systems.

Posted by Jon Erickson at 02:10 PM


January 02, 2007

NIST Releases Security Whitepaper: For Managers


A whitepaper entitled Managing Enterprise Risk in Today’s World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost-Effective Information Security Programs has been released by the National Institute of Standards and Technology (NIST).

As its title suggests, this paper targets managers, which means it isn't overly technical. Still, it does provide an overview of the NIST Risk Management Framework and the associated standards and guidelines that support an enterprise information security program.

Don't miss "The Golden Rules for Effective Information Security" in Appendix B. Sarcasm aside, they are good common-sense points, no matter how silly the title:

  • Develop an enterprise-wide information security strategy and game plan;
  • Get corporate “buy in” for the enterprise information security program -- effective programs start at the top;
  • Build information security into the infrastructure of the enterprise;
  • Establish level of “due diligence” for information security;
  • Focus initially on mission/business case impacts -- bring in threat information only when specific and credible;
  • Create a balanced information security program with management, operational, and technical security controls;
  • Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk;
  • Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data;
  • Harden the target; place multiple barriers between the adversary and enterprise information systems;
  • Be a good consumer -- beware of vendors trying to sell “single point solutions” for enterprise security problems;
  • Don’t be overwhelmed with the enormity or complexity of the information security problem -- take one step at a time and build on small successes;
  • Don’t tolerate indifference to enterprise information security problems; and
  • Manage enterprise risk; don’t try to avoid it -- use your information systems wisely.

Posted by Jon Erickson at 11:20 AM
