Cisco is offering a free iPhone app that will allow people to get customized alerts on new security threats and other information for safe Web browsing.
The app, which will be available on Friday in the Apple iTunes store, provides information about new malware signatures, bulletins for how to mitigate against threats, ways to see if particular Web sites are compromised, as well as links to podcasts and videos.
The Cisco SIO To Go iPhone app gets its information from the company's Security Intelligence Operations (SIO) system which gathers information in real time from 700,000 sensors located at customer sites, ISPs, and other sites around the world. The data from the disparate sources allows Cisco engineers to do threat correlation to detect Internet attacks and spam campaigns.
The app is designed for professionals and security geeks, not the average consumer, said Michael Weir, Cisco security marketing director.
"I can make it applicable to my needs and the security needs of my [enterprise] network," he said.
The Cisco SIO To Go iPhone app offers information about the safety of particular Web sites.
(Credit: Cisco)
Cisco Systems said Tuesday it plans to buy privately held Web-based security software company ScanSafe for about $183 million.
The all-cash deal, which also includes retention-based incentives, is expected to close in Cisco's fiscal second quarter, which ends in January 2010.
ScanSafe is a cloud-based software service that allows customers to license the application on demand. Cloud-based services help customers save on costs, because they don't have to buy licenses to software and manage the software applications themselves.
The ScanSafe technology will help Cisco expand on capabilities it added when it bought IronPort in 2007, the company said. Cisco also plans to integrate ScanSafe's service with its AnyConnect VPN Client to provide a secure mobility solution. And Cisco will use ScanSafe's data centers to provide new cloud security services.
After a lull, Cisco has stepped up its acquisitions. This is the third acquisition the company has announced this month. Two weeks ago it said it would buy wireless equipment maker Starent Networks for $2.9 billion. And at the beginning of the month, it said it would buy Norwegian video conference equipment maker Tandberg for $3 billion. CEO John Chambers has said the company is looking for even more acquisitions.
Cisco Systems wireless local area network equipment used by many corporations around the world is at risk of being used in denial-of-service attacks and data theft, according to a company that offers protection for WLANs.
Researchers at AirMagnet, which makes intrusion-detection systems for WLANs, discovered the vulnerability, which affects all lightweight Cisco wireless access points, as well as the exploit that could be used against networks that have the Over-the-Air-Provisioning (OTAP) feature turned on.
"We found it in our labs," Wade Williamson, director of product management at AirMagnet, said on Monday. "We don't know about it being exploited in the wild."
Basically, the Cisco access points generate an unencrypted multicast data frame that is sent over the air and includes unencrypted data like the MAC address and the IP address of the wireless controller, as well as some configuration options, he said. The controller is used to manage the access points.
With that information, someone listening to the network could easily find the internal addresses of the WLAN controllers in the network and potentially target them with a denial-of-service attack, Williamson said.
"Someone out in the parking lot or a neighbor can look at the packets and see information about the controller on the wired side," he said. "This is giving anybody that's listening to the environment some pretty detailed information about the wired network that we want to keep protected."
If an access point has the OTAP enabled, the wireless LAN is also at risk of a "skyjack" exploit, Williamson said. With the OTAP feature enabled, a newly deployed Cisco access point will listen to the multicast data being broadcast to find the address of its nearest controller.
However, the access point could end up connecting to an outside controller if it hears multicast data from that network instead, and thus it would be under someone else's control, he said.
Someone could skyjack a corporation's access point and "use the wireless LAN to create a wired path into your network," Williamson said.
AirMagnet has informed Cisco about the problems and Cisco is working on a solution, Williamson said.
"As a matter of policy, Cisco takes security vulnerabilities very seriously and we continue to take active measures to safeguard the security and reliability of our equipment," a Cisco spokesperson said.
"Our standard practice is to issue public Security Advisories or other appropriate communications that include corrective measures so customers can address any issues," he said. "For that reason we do not provide comment on specific vulnerabilities until they have been publicly reported, consistent with our well-established disclosure process."
Cisco has 65 percent to 70 percent of the install base for wireless LANs, according to Stan Schatt, security practice director at ABI Research.
"What this really shows is that more and more companies have to have 7/24 monitoring of their LANs," he said. "They can't just periodically walk around the facility with a laptop and check to see if there's a problem."
An attack on a wireless LAN would be particularly dangerous for hospitals, which are increasingly moving critical apps onto the network for use by doctors and nurses with Wi-Fi-enabled handhelds, Schatt said. "A denial-of-service attack could impact mission critical phone systems," he said.
To mitigate against any attacks, Cisco customers should disable the OTAP feature and use a separate intrusion detection system that can detect whether someone is snooping on the network, as well as monitor that all access points on a network are authorized, AirMagnet said.
Updated 11:02 a.m. PDT August 25: Cisco released an alert on Tuesday that describes the finding as a low-risk vulnerability that could allow unauthorized control of a wireless access point and which could allow an unauthenticated, remote attacker to cause a denial of service condition.
"Any clients attempting to register to the AP (access point) will be unable to access network resources, but the AP is still unable to authenticate wireless clients," the company said in a statement. "There is no risk of data loss or interception. Cisco believes the vulnerability is easily avoided or mitigated and has provided techniques for this purpose."
Software updates and patches were not yet available, Cisco said.
Cyber scammers are banking on the notion that many people who might not fall for a phishing scam via e-mail may still be easy targets through their mobile phone, according to a security report released Tuesday from Cisco Systems.
Text message scams are on the rise, particularly fake messages that appear to come from a legitimate bank, said the report, which covers a wide variety of cybercrime topics.
In many of the scams, the SMS messages direct the recipient to call a telephone number where an automated message prompts the caller to provide a log-in ID or account number and PIN. Other messages provide a URL that leads to a phishing site that looks like a legitimate site.
Specific scams have targeted cell phone users in Fargo, N.D., along with customers of First Community Credit Union and Buffalo Metropolitan Federal Credit Union in New York and of BCT Federal Credit Union in New York and Pennsylvania, the report said.
"People are giving up information through the voice channel in a way they never would do through e-mail or the Web," said Patrick Peterson, Cisco's chief security researcher.
Meanwhile, cybercriminals are continuing to get more sophisticated and borrowing from real-world business models. For instance, researchers have come across a service called VirTest that will test malware and viruses against products from the major antivirus vendors for a fee, Peterson said.
SAN FRANCISCO--Cisco is set to make several cloud-related security announcements at the RSA conference on Tuesday, including the expansion of its hosted security services and the integration of security-as-a-service applications with corporate network infrastructures.
The new products include Cisco Security Cloud Services, Cisco IPS Sensor Software 7.0 for intrusion prevention, and Cisco Adaptive Security Appliance 5500 Series 8.2 software with a botnet traffic filter for identifying infected clients and remote access capabilities.
The company uses what it calls "SensorBase," a massive threat-monitoring network overseen by 500 workers in its Cisco Security Intelligence Operations center. The center collects data from 7,000 devices and hundreds of millions of client computers, providing snapshots of activity at different times and locations that can indicate if a large attack is going on, said Ambika Gadre, director of product marketing in the security technology business unit at Cisco, during a briefing on Monday.
The company also is announcing Cisco SAFE, a security reference architecture organizations can use as a guideline for deploying security solutions, and Cisco Information Technology Governance, Risk Management and Compliance consulting services.
In addition, Cisco is introducing the Cisco WebEx Collaboration Cloud for software-as-a-service, a network to provide high performance and security for conferencing, instant messaging and other enterprise work group activities. Also new is the Cisco WebEx Node for ASR 1000 Series, which allows the edge router to act as a point of presence in a corporate network for online meetings.
As confusing as it may be to keep the separate announcements straight, one analyst said Cisco's overall security strategy is a good one.
"There's been a rejuvenation of security at Cisco. They've had a hard time dealing with big picture things," said Peter Christy, principal of the Internet Research Group. "Their long-term vision is that security migrates with you" through the cloud.
Patrick Peterson, a security researcher at Cisco, described some of the threats facing corporations, including cybercriminals based in Russia and the Ukraine.
"They are the Bill Gates of cybercrime," because they are tech savvy and have an innovative entrepreneurial sense, he said.
Cisco Systems' Security Monitoring for Threat Identification, Mitigation, and Compliance (aka MARS) product is the company's offering for security and compliance management, competing with the likes of ArcSight, RSA Security, and Symantec. The MARS product came via Cisco's acquisition of Protego for $65 million in December 2004.
Through 2005 and 2006, Cisco pushed this product into end-user accounts through an aggressive scorched-earth effort. Cisco intended to get the product out into the market quickly, establish a base, and then continually add product enhancements over time. This seems to be where the strategy hit a speed bump.
The product languished behind competitive offerings, causing problems with the installed base. This opened the door for aggressive competitors: Enterasys, Juniper, and Nortel established partnerships with Q1 Labs in a direct attack on MARS. Log management vendors like LogLogic and LogRhythm out-flanked Cisco with incremental products. Worst of all, some Cisco sales executives and channel partners eschewed MARS in favor of more popular Cisco products. When you have a portfolio of hundreds of products, it is easy to lead with your best stuff and never mention those in the doghouse.
This brings up a reasonable question: What should Cisco do with MARS? As I see it, Cisco has three choices:
Admit defeat and get out. Cisco could bury MARS and partner with others in the industry. GE would take this route but I can't imagine that Cisco will.
Double down on MARS development. MARS 6.0 was released earlier this year and it did move the ball forward but the product remains way behind others in the market. Management software has always been a bit of an Achilles' heel for Cisco.
Replace MARS with another acquisition. There are plenty available at bargain prices. Cisco could bid on publicly traded ArcSight, grab a legacy Security Information Management vendor like Intellitactics or NetForensics, pick up a log management player, or take a chance on a wildcard like Nitro or Splunk.
IT professionals surveyed worldwide said they think their own employees pose a more serious security threat than outsiders, and often it's because of personal use of corporate assets, according to the third and final report based on a 2008 survey (PDF) commissioned by Cisco Systems and released Wednesday.
Other findings include: One in five Brazilian IT professionals said they think their employees are less diligent around protecting corporate data. And in China and in India, IT professionals are most concerned with data thefts through the use of USB devices including thumb drives and iPods in the workplace.
A Cisco survey found that of employees who have lost company-issued devices or have had them stolen, one in four employees have done so more than once within the past year.
(Credit: Cisco)
According to the survey, IT professionals said about 10 percent of their employees are losing corporate devices like laptops and USB drives with valuable data more than once a year.
"There's either a negligent behavior or careless recklessness in which they handle data maybe because they didn't realize it was there or maybe there's an education gap," Fred Kost, director of security solutions for Cisco, told CNET News in an interview. "The storage capacity of some of these devices and the types of access they have access to is becoming a critical issue for companies."
The report also cited the growing risks of portable hard drives as opposed to lost or stolen laptops. One in three IT professionals said USB drives (including iPods) were their top concern, more so than e-mail (23 percent), lost devices (19 percent), and verbal communications with outsiders (8 percent).
Surprisingly, 1 in 10 end users in the Cisco survey admitted stealing data or devices and then selling them for profit, or knowing of co-workers who have done so.
Yet there are also nonmalicious reasons to explain how corporate data gets leaked into the wild.
"If you think about the device leaving the enterprise, going into their home environment, the personal environment, maybe letting their children use it; that puts the corporate data at risk," said Kost. He said data leakage could occur when the kids are using the device to surf some Web 2.0 application. "And what about the end of life, when they go to give the device up on one of the e-waste recycling days? There's another chance for somebody to get that corporate data."
Kost repeatedly mentioned the increasingly blurred lines between business use and personal use and how some of that is OK. But long-term personal use of a corporate asset could become a problem.
"Say they have their iTunes library on the device they use for work, now they have to give up their work device, and they have to figure out what to do." In the study, less than 10 percent of the employees did keep their work devices. Of those who did, 60 percent said it was because there were personal files on the device. "It's not malicious," Kost said, "it may just be the only computer in the household."
The Cisco study was conducted in late July through early August by InsightExpress, a U.S.-based market research firm, and involved more than 2,000 employees and information technology professionals. Specifically, the study surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries.
The first report on cultural attitudes toward security was released in October.
Of those who kept a work device, Cisco found that 60 percent did so for personal needs.
(Credit: Cisco)
In Germany it's apparently OK to have non-employees roam the offices, while in Brazil corporate secrets are commonly shared with family members, and even with total strangers. These are some of the results of a survey (PDF) commissioned by Cisco Systems and released Tuesday.
"It's interesting to see the cultural differences in terms of what's allowed and what's not allowed in different countries," said Marie Hattar, vice president of network and security solutions at Cisco. "If you look towards doing a data leakage prevention strategy, you've got to consider physical security as much as you do network security."
Hattar told CNET News that the survey came about because of dramatic changes in the workplace within the last few years. Two of the changes--a younger workforce and the rise of smart mobile phones--are "completely blurring between what's personal and what's your work life." She also cited the recent rise of the knowledge worker in countries such as India, China, and Brazil. "So it becomes key that as you implement your network security strategy, your physical security strategy, that you are also putting into place some of these educational policies to drive your employees to good behavior," she said.
In Brazil, the study found, 39 percent of employees surveyed talk about sensitive company information with their friends and family and 8 percent of the time they talk to strangers. By comparison, the numbers for the U.S. were 16 percent friends and family and only 2 percent strangers. "If you look at China," Hattar said, "it's one of the more lower countries in terms of who they talk about company business outside the company." Cisco's data showed that while 17 percent of Chinese workers talk about work to friends and family members, none said they talked to strangers.
Another data point was how permissive employees are of non-employees in the office. "In Germany, one out of five actually admit to letting partners or vendors or what have you roam their office buildings unsupervised." Hattar admitted this alone would not lead to data leakage, but warned that employees should "put their computers on standby, (prevent) their passwords from being posted on the computer or written down somewhere, and have a physical security mechanism that will alert you so that you know whether someone is looking or doing something that they shouldn't be doing."
The Cisco report further recommends that companies know where the data is stored and how it is accessed and used. Companies should educate employees on how data protection equates to money earned and money lost, the bottom line. Finally, international companies should determine global policy objectives and create localized education programs tailored to a country's culture and threat landscape.
Hattar observes that "as you evolve your business into different cultures, even if you have locked down your physical security and your network security you can't escape from having to put into place an education program to raise the awareness that you have to educate your employees about the possibility of verbal disclosure."
The Cisco study was conducted by InsightExpress, a U.S.-based market research firm, and involved more than 2,000 employees and information technology professionals. Specifically, the study surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries.
Just days before the annual Black Hat security conference in Las Vegas, a talk on Apple's FileVault encryption system has been abruptly canceled by its presenter.
Researcher Charles Edge told the Washington Post that he had signed confidentiality agreements with Apple. The agreements prevent him from discussing further any vulnerabilities he may have found within Apple's FileVault encryption system. Edge, director of technology of 318 Inc., has spoken at previous Black Hat and DefCon conferences.
This is not the first time a vendor has asked a security researcher not to give a talk at Black Hat.
In 2005, Michael Lynn, then a researcher employed by ISS, was asked by Cisco not to present a talk on flaws within that company's routers. Onstage at Black Hat, Lynn first quit his job, then went ahead and gave his original talk. Afterward, he, too, signed a confidentiality agreement with Cisco.