Security Bites
Backdoors, pharming, botnets, phishing, rootkits, viruses, worms. Feeling vulnerable? CNET.com's Robert Vamosi will tell you about the latest security threats, what's coming, and how to protect your system. Visit the blog at http://securitybites.cnet.com.
Last Update: 2008-11-21
1. Security Bites 122: IBM sees security c...
Last month, IBM released a report (PDF) identifying the security challenges facing enterprises in the next two to five years. The survey is based on data collected internally by IBM.
One theme is that as the pace of globalization picks up, traditional boundaries continue to disappear. In this new global reality, "open for business" can mean pooling resources or sharing sensitive information among organizations.
The IBM report notes that "the line between participation and isolation can also mark the line of opportunity and risk. (Enterprises) rely on business systems and automated policies to guard that line--to root out the threats, to safeguard our intellectual property, to protect our reputations and privacy. With th...
11/21/2008

2. Security Bites 121: What Microsoft's Gen...
In this week's Security Bites podcast, CNET's Robert Vamosi talks about user authentication with Kim Cameron, chief architect with the Identity and Security group at Microsoft.
At this year's PDC and again at WinHec, Microsoft certainly talked up its new Windows Azure cloud-based services, along with Windows 7. It has also been talking about Geneva, the code name for the next version of CardSpace, the Microsoft user authentication system. One goal of Geneva is to e...
11/7/2008

3. Security Bites 120: When social networks...
In this week's Security Bites podcast, Robert Vamosi speaks with Ryan Naraine, security evangelist for Kaspersky and Zero Day blogger for ZDNet, about malicious software.
Naraine recently spoke at a conference on emerging security threats sponsored by the Georgia Tech Information Security Center about the increasing risks of malware on social networks, such as Facebook pages that lead people to Google pages with additional links to malware sites (a two-step infection process), and the more straightforward approach of Facebook being used for botnets.
In this podcast, Naraine and...
10/31/2008

4. Security Bites 119: Does the Internet ne...
In this week's Security Bites podcast, Robert Vamosi spoke with Patrik Runald, chief security adviser at F-Secure, about the need for a new international agency to handle cybercrime. Although there have been several high-profile arrests--such as that of "Chao," an alleged Turkish ATM skimmer--Runald said, "the message we're sending today is not enough."
With a budget of only about $90 million (U.S.), Interpol was created, in part, to fight drug trafficking and human trafficking worldwide, and now it has taken on Internet crimes without any direct increase in funding. Runald concludes, "there's not enough resources to do this, and not enough coordination to do this."
He suggests that the European Union, the U.S., and maybe the G8 could fund such an organization. Even...
10/24/2008

5. Security Bites 118: Voting in America
Voting--it's the cornerstone of our democracy. But in recent years, both the systems we use and the trust we have in the accuracy of our votes have been challenged.
A new report (PDF) looks at all the systems currently in use--from paper ballots to Direct-Recording Electronic machines--and the issues that surround them. Researchers at Fortify analyzed threats against three phases of an election (voter registration, casting votes, and tabulating votes), highlighting specific ways voting systems have been compromised, summarizing the strengths and weaknesses of current voting techniques, and then providing guidance for voters to ensure their votes are handled properly in upcoming elections.
This week, Robert Vamosi spoke with co-authors Brian Chess and Jacob West of Fo...
10/17/2008

6. Security Bites 117: How 'Clickjacking' a...
Criminals may have found a way to get you to click on malware without you even knowing. Worse, they might also be able to open the microphone or Webcam on your PC to eavesdrop.
Called clickjacking, the process allows the attacker to trick you, the user, into clicking on something only briefly visible on the screen. While it's mostly a problem for the browser makers, it also affects Adobe Flash, Microsoft Silverlight, and Sun's Java.
Although clickjacking, which may contain up to a half dozen specific vulnerabilities, has been around for years, it has recently come to the attention of online criminals and security researchers alike.
One of those researchers is Jeremiah Grossman, CTO of WhiteHat Security. Robert Vamosi of CNET News spoke with him by phone.
...
10/10/2008

7. Security Bites 116: Investigating data b...
According to a report this week from Verizon Business, risk factors for data breaches vary industry to industry and defy a "cookie cutter" approach to security, which is why Verizon has revisited an earlier report. The goal of both the new and the prior report is to offer detailed insight into how data breaches occur, so that companies can address the problems within their specific industry.
The June 2008 report spanned four years and included more than 500 forensic investigations involving 230 million compromised records. The new report uses that same data but drills down within four key industries: financial services, tech, retail, and food and beverage. The four constitute 82 percent of all the attacks in the original Verizon report.
Verizon found the attacks...
10/3/2008

8. Security Bites 115: Inside ID fraud's un...
This week Tom Rusin, president and chief executive officer of Affinion's North America operation, is Robert Vamosi's guest. His company monitors the criminal underground for several thousand banking institutions by lurking in carder chat rooms.
"Carders" are the people who buy, sell, and trade online the credit card data stolen from phishing sites or from large data breaches at retail stores. Affinion is global, with offices in more than a dozen countries. And over the years they have provided a wealth of information to the U.S. Secret Service and the FBI. A few weeks ago, Affinion identified .Mac users who found themselves victims of a phishing scam.
"Any piece of info is priceless to these people," says Rusin.
...
9/26/2008

9. Security Bites 114: Desktop application ...
It may seem trivial to you what applications are on your desktop, but from a business or organization's perspective, it can be a serious matter. If an application provides unfiltered access to the outside world, this could create regulatory issues. Certain desktop applications can also indirectly or directly introduce malware inside the perimeter through file sharing. At the very least, some applications simply take away bandwidth (for example, streaming audio or video).
In its second report on Application Usage and Risk, Palo Alto Networks finds that 56 percent of the desktop applications surveyed use HTTP. Use of port 80, which the server uses to listen to requests from a Web client, makes it hard for organizations to filter or firewall the content.
Chris King, who appeared on
9/15/2008

10. Security Bites 113: The security of Chro...
Google has entered the browser space. Chrome, its browser still in beta, is based on the open source Webkit project. Some will recognize Webkit as the foundation for another browser, Apple Safari. But Chrome also borrows heavily from Mozilla Firefox and Microsoft Internet Explorer, giving this new browser an old and familiar feel.
There is, however, innovation.
Tabs are arrayed atop the browser instead of in the traditional toolbar. And users can drag and drop the tabs on the desktop outside the browser. There is also a way to make an icon for GMail and Google Calendar on your desktop.
Deep down, Google has also upgraded how the browser handles JavaScript. Gone are the days when Java applets simply gave you dancing babies on a Web page. Today we're running robust applications.
Joining CNET News' Robert Vamosi this week is Billy Hoffman, manager of HP's Web security group. Hoffman, along with Bryan Sullivan, also co-authored AJAX Security.
In this podcast, Hoffman offers what he thinks Google did right with Chrome, and what could be trouble down the road.
9/5/2008