Security & Privacy

Crypto pioneers differ on cloud-computing risks

SAN FRANCISCO--A group of pioneers in the security field, whose work in encryption is used to protect Internet data and communications every day, spoke about the state of security at a cryptographer's panel at the RSA security conference on Tuesday.

They tackled various questions about cyber security in general, but the topic that dominated was cloud computing.

"Cloud computing is a challenge to security, but one that can be overcome," said Whitfield Diffie, chief security officer at Sun Microsystems. "I believe cloud computing will get to (the point) where no real program...will be done anymore … Read more

Microsoft tests identity technology in schools

SAN FRANCISCO--Microsoft is testing some of its new identity-based security technology in Washington state schools, where students and teachers will be able to securely access grades and class schedules, a Microsoft executive said in a keynote address Tuesday at the RSA 2009 security conference here.

The software company is working with the Lake Washington School District--comprising 50 schools and nearly 24,000 students in and around Microsoft's hometown of Redmond--to deploy its Geneva claims-based identity platform, said Scott Charney, corporate vice president of Microsoft's Trustworthy Computing Group.

Students and parents will bring identification information into … Read more

IBM aims to secure clouds and virtual networks

SAN FRANCISCO--IBM on Tuesday introduced cloud security services and said it is initiating a company-wide project to develop a security architecture for hosted computing.

The company, which made the announcements at the RSA security conference, also unveiled an appliance designed to protect virtual network segments: the Proventia Virtualized Network Security Platform, which includes intrusion prevention, Web application protection, and network policy enforcement.

IBM also announced:

Proventia Web application firewall, which is embedded into the IBM ISS Proventia portfolio of products and which acts as a virtual application patching mechanism.

Malware scanning for IBM Rational AppScan, which allows users to … Read more

Cisco puts more security in the cloud

SAN FRANCISCO--Cisco is set to make several cloud-related security announcements at the RSA conference on Tuesday, including the expansion of its hosted security services and the integration of security-as-a-service applications with corporate network infrastructures.

The new products include Cisco Security Cloud Services, Cisco IPS Sensor Software 7.0 for intrusion prevention, and Cisco Adaptive Security Appliance 5500 Series 8.2 software with a botnet traffic filter for identifying infected clients and remote access capabilities.

The company uses what it calls "SensorBase," a massive threat-monitoring network overseen by 500 workers in its Cisco Security Intelligence Operations center. The center … Read more

Symantec acquires Mi5, expands security offerings

Updated 9:40 a.m. PDT April 21 with Symantec CEO comment from keynote.

SAN FRANCISCO--Symantec has acquired Web security firm Mi5 Networks and announced two new security suites at the RSA security conference on Tuesday.

Mi5 sells a Web security appliance that protects corporations against Web-based threats. Symantec will integrate the technology into its offerings later in 2009 and offer it as a stand-alone product, Joan Fazio, director of product marketing for Symantec Endpoint Security, said in an interview.

The all-cash transaction was completed in March, she said, declining to disclose the terms.

The company also is announcing Symantec … Read more

LinkScanner stands alone once more

LinkScanner is once again available as an independent plug-in for Windows-based Firefox and Internet Explorer, following more than a year spent as a feature of AVG Technologies' AVG security suite. LinkScanner remains part of AVG, but users can now once again download it independently of AVG's antivirus software, and for free.

The new LinkScanner works much the same as the original one did. Once you've installed the EXE, AVG's "Search Shield" returns search results from both Google and Yahoo with flags next to them. Green flags on Google indicate a result is safe to click … Read more

Windows 7 security enhancements

Windows 7 makes remote connectivity to corporate networks seamless, protects data on thumb drives, and presents users with fewer User Account Control prompts than Vista does, Microsoft said on Monday.

The software giant began an education blitz about the security features of the newest version of its operating system at the start of the RSA 2009 security conference.

Windows 7, which was released in public beta in January, will have 29 percent fewer user account control (UAC) prompts than Windows Vista has, and fewer prompts in general, according to Paul Cooke, director of Windows Client Enterprise Security.

"We'… Read more

AVG offers free LinkScanner for real-time Web page scanning

AVG on Monday will begin offering a free version of its LinkScanner software, which offers real-time scanning of Web pages while surfing or doing Web searches.

LinkScanner, which is currently part of the AVG Free Edition suite, scans a Web page before a surfer visits the page and warns if the page appears to be unsafe.

AVG LinkScanner also offers safety rankings for all organic search results on Google, Yahoo, and MSN. Safe pages in searches will have green check marks next to them, unsafe ones will have red "X"es, and pop-up windows offer more … Read more

Secure software? Experts say it's no longer a pipe dream

With the Conficker worm still hot and Microsoft patching multiple software vulnerabilities last week, it might be reasonable to assume the bad guys are winning the battle to get control over Internet-connected computers.

That's not necessarily the case. Developers are increasingly equipped with tools to shore up their products and vendors are collaborating in unprecedented ways to not only close holes in software, but also make sure they aren't in there in the first place, according to security experts.

"I think the industry as a whole is definitely getting better, but the spread between the best and the worst is widening," said Dan Geer, a risk management specialist and chief information security officer for In-Q-Tel, a nonprofit venture capital firm that invests in security technology.

"Conficker did far less damage in 2009 than it would have done in 2003," said Dan Kaminsky, director of penetration testing at IOActive. "Windows used to be a lot easier to blow up."

But on the eve of RSA, the world's largest security conference, which starts on Monday, experts say the hunt is on for the elusive Holy Grail of computer security--vulnerability-free software.

At RSA shows in years past, Microsoft was roundly criticized for releasing software full of security holes. In 2002, the company launched its Trustworthy Computing initiative, vowing to make security a top priority. Seven years later, the move is bearing fruit. The company reports that there are far fewer security holes in newer versions of its products and weaknesses in its operating system overall have dropped. Web applications have become the security bad boys of software.

In the second half of 2008, the proportion of Microsoft vulnerabilities on Vista-based machines accounted for just 5.5 percent of the total, Microsoft says. Machines running Vista were found to have 60 percent fewer infections than those running Windows XP, the company said in a recent report.

Microsoft went from being the vendor responsible for the greatest proportion of vulnerabilities to being third, with 2.5 percent share, according to research last year from IBM's X-Force. The lion's share of the vulnerabilities come from start-ups racing to be the next Facebook, and 70 percent of them are doing the security testing and review after they release the product, Microsoft says.

"Security is an inherently hard problem. It's difficult to get to perfection for any company," said Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group. "What we are seeing is the percentage of vulnerabilities coming out of major software organizations is dropping as a percentage of the total of vulnerabilities reported."

Better tools, fewer mistakes

The company has turned its Security Development Lifecycle (SDL) process into a pseudo-religion for other companies to follow. Last year, Microsoft began offering free SDL tools so outside developers can assess their practices and analyze their software designs to look for security weaknesses.

The tools for writing secure code are getting better, so developers are less likely to make mistakes, said Johannes Ullrich, chief security researcher at the SANS Institute security organization.

Microsoft isn't alone in providing help to the developer community. HP is offering a free tool that helps find holes in Flash applications, and last week announced tools that nonsecurity professionals can use to do security testing. IBM sells a tool for Flash and Ajax developers, and last week the CERT Coordination Center at Carnegie Mellon released an open-source tool for testing ActiveX code.

In particular, Microsoft's recent release of an open-source tool called "!exploitable Crash Analyzer," which simplifies the process of identifying exploitable vulnerabilities during application development, is a "game changer," said Kaminsky.

"I don't think it's ever been quite so easy for non-security developers to recognize when they have vulnerabilities, when they have a flaw that could be used by a bad guy," he said.

Despite the recession, the software security market is growing significantly, accounting for more than $450 million in revenue in the U.S., Gary McGraw, chief technology officer at software security consulting firm Cigital, wrote in an article last week.

The challenge for developers

McGraw recently got a peek at the secure development processes at Microsoft, Google, Adobe, Wells Fargo, The Depository Trust & Clearing Corp., and four other leading companies, and released a report card of sorts (although grades are confidential) that other companies can use to gauge their level of progress. The Building Security in Maturity Model is "an objective yardstick" for development of products that are secure, McGraw said.

"In my view, software security is getting more and more important every single day," he said. "The good news is we are actually making some progress." The tools are out there, but the problem is developers often aren't trained, experts said.

A Forrester survey commissioned by Veracode and released last week found that only 34 percent of companies have a comprehensive software development lifecycle process that integrates application security, and that 57 percent of organizations don't have systematic application security training programs for developers.

Ullrich advocates a concept he called "software security street fighting"--where developers avoid complex techniques in which holes are more easily created.

"Developers, to some extent, can't really win," Ullrich said. "They have to be right every single time, while an attacker only has to be right once."… Read more

Forget your password? Use your phone

FireID was set to announce on Monday at RSA 2009 a technology that lets people access multiple Web sites from their mobile phone without having to remember all the passwords.

The FireID universal personal authenticator app turns any phone that runs Java into a one-time password generator. Because the password is generated instantly on the phone itself, there is no risk of it being intercepted and no waiting for an SMS, as with other password-generator systems, said Jenny Dugmore, chief executive of FireID.

The system also works with multiple applications and creates a unique encrypted password for each session. It … Read more