-
Microsoft opens up to security vendors
 Rosalie Marshall, IT Week, Wednesday 6 August 2008 at 10:46:00
Microsoft launches Active Protection Programme and an Exploitability Index
Microsoft has confirmed it will give
security vendors advance notice of vulnerabilities that it intends to address in
its monthly patches, in order to provide users with better safeguards.
Microsoft's Active Protection programme will reduce the chances of cyber
criminals outpacing security professionals, said George Stathakopoulos,
Microsoft general manager of security engineering and communications.
Microsoft will also issue a new Exploitability Index, which will provide customers
with early information on the likelihood of exploit code being developed.
Previously security professionals had to wait for Microsoft’s monthly
security update process to address vulnerabilities.
“As security threats become more sophisticated, the global security community
must combine its resources and work together to provide maximum security
protections to worldwide internet users,” said Stathakopoulos in a statement.
-
Review: Lee Siegel's 'Against the Machine'
 David Neal, IT Week, Monday 9 June 2008 at 15:04:00
In Against the Machine: Being Human in the Age of the Electronic
Mob, Lee Siegel ponders the dark side of the internet
IT Week receives many books these days, most of which are full of praise for
technological advances of one kind or another. This one is different, however,
and urges internet users to consider the downside of our connected world.
The fact that the author, Lee Siegel, is a cultural commentator and art
critic, rather than an authority on IT, speaks
volumes about how the role of technology in society is changing. One of his aims
is to make sense of our relationship with the internet. “Are we sacrificing our
identity?” Siegel asks, questioning whether we use the internet, or the internet
uses us.
Early in the book, the author notes some parallels between the growth in the
internet and the boom in car ownership in 1960s America. “The internet has its
destructive side just as the automobile does, and both technologies entered the
world from behind a curtain of triumphalism hiding their dangers from critical
view,” he writes. “As with the car, a rhetoric of freedom, democracy, choice,
and access has covered up the greed and blind self-interest that lie behind what
much of the internet has developed into today.”
Siegel ponders whether we can actually get by without the internet. Although
he acknowledges that there are many ways in which it can make our lives easier,
such as when house hunting, he asserts that few activities are completely
reliant on the internet. “No one can deny the internet’s capacity to make life
easier. But let’s be honest, I would have found an apartment,” he writes.
Siegel believes society must try to rein in the internet before it gets out
of hand. Built to support commerce and capital, he argues, the internet is now
an unruly beast that controls our lives, dominating our attention and time. In
short, Siegel thinks the internet is becoming too pervasive, too quickly.
Many who have studied the internet and its impact in the past have a far more
positive outlook, but these people do not impress Siegel. For example, he
dismisses the findings of the Pew Internet Group by asserting that eight out
of the 12 people who write its reports
have “a financial or professional stake in the internet”.
Siegel also discusses Bill Gates’ admission that while technology has created
problems, it is technology that we must turn to for a solution. To which someone
with Siegel’s frame of mind would no doubt retort: “Well, he would say that,
wouldn’t he?”
-
HP offers security as a service
 Rosalie Marshall, IT Week, Wednesday 28 May 2008 at 14:52:00
Updates are made to HP's Application Security Center software.
HP’s Assessment Management Platform, which brings together all of HP’s
security products, will now be offered as a software-as-a-service package to
enable firms to accelerate the deployment of web applications.
The platform aggregates web application security data across an organisation.
It combines HP's DevInspect software for developers, QAInspect software for
quality assurance professionals and WebInspect software for security
professionals.
Updated security checks have been added to the management platform for rich
Internet applications, such as vulnerabilities in Apache and MySpace plug-ins.
DevInspect will now combine both static and dynamic analysis to ensure the
highest risk security vulnerabilities are fixed first by developers.
Static analysis, which scrutinises the source code developers write, will be
updated with options to test code, such as Ajax, as well as advanced JavaScript.
These capabilities will be added to firms’ current ability to test dynamically,
which Dennis Hurst, Application Security Center developer, described as “testing
a web application the same way a hacker will attack it”.
QAInspect now includes an integrated security defect management capability
with the Quality Center software. “The integration, which has been underway for
the last four years, is now seamless,” said Hurst.
“This means instead of quality assurance teams testing a website manually and
then pasting the security defects in a Quality Center, it is all done
automatically,” he added. The updates are aimed at allowing security problems to
be fixed faster and to save assurance teams time.
WebInspect has also been enhanced with faster runtimes and improved scanning
accuracy. Hurst estimated the increased speed should save security experts
around 25 per cent of their time in finding and fixing security defects.
-
Facebook defends social networking security
 Phil Muncaster, IT Week, Tuesday 22 April 2008 at 00:00:00
Refutes "social engineering gold mine" tag
Social networking giant Facebook has defended its security and privacy
controls in the face of criticism from industry experts, at this year's
Infosecurity Europe show in London.
In a keynote at the event, Martyn Croft, head of corporate systems at the
Salvation Army, argued that the concerns over corporate use of social networking
sites, including lost productivity and malware infection, are "very real".
"It's a social engineering gold mine – a haven for finding out valuable
information and it's an easy distribution platform for malware," he added. "For
us, brand value is paramount and if we lose it we lose revenue very quickly."
But Max Kelly, chief security officer at Facebook, argued that the firm has
gradually improved its security controls over time, to the point where users can
now have control over who views any part of their profile on the site. "It is an
educational challenge though," he admitted. "Users have to create a privacy
model for themselves and that has been an ongoing challenge."
Kelly added that the firm has built up a "strong security team" to deal with
issues at the network and application layers, and to investigate potential
phishing and spamming attacks using data harvested from users of the site.
"It was in about January time that we became noticed by threatening elements
who began to come after us," he said.
Jeremiah Grossman, chief technology officer at web app security firm WhiteHat
Security, argued that social networking sites are prime targets for malicious
JavaScript to be uploaded onto them. "It's an easy and effective way to affect
the enterprise and because it's all purpose built, it's difficult to protect
against; we need a whole new set of solutions," he said.
He suggested that Facebook is reluctant to restrict security too much on the
site because it will affect its business model. "It will take risks with
security because [ultimately] it's the users getting hacked not Facebook."
-
Microsoft: IT vulnerabilities down, threats deadlier
 Phil Muncaster, IT Week, Tuesday 22 April 2008 at 00:00:00
Threats rise even though reported vulnerabilities drop
IT threats are continuing to rise, although the number of disclosed
vulnerabilities tailed off in the last six months of 2007, according to new
research from Microsoft launched at today's Infosecurity Europe event.
The firm's Security Intelligence Report uses data captured by Microsoft
Windows Defender and the Microsoft Malicious Software Removal Tool (MSRT) over
the last six months.
The disclosure of new vulnerabilities dropped by 15 per cent in the last six
months of 2007, while the amount of malware removed from computers by the MSRT
was 40 per cent higher. Instances of Trojan malware rocketed by 300 per cent.
The number of potentially unwanted applications – such as spyware and adware
– jumped by 67 per cent to 129.5 million pieces.
"The criminals are clearly focusing on getting Trojans to download on PCs –
it's the lynchpin to starting the process of gaining access," explained Vinny
Gullotto, general manager of Microsoft's Malware Response Centre. "The sheer
volume of threats we're seeing globally coming into the labs is staggering."
The report also claimed that newer Microsoft products are at less risk from
these threats: proportionally, the MSRT cleaned malware from 60 per cent fewer
Windows Vista-based computers than computers running Windows XP Service Pack 2.