IBM's support for the Liberty Alliance brings standard convergence for federated identity a step closer.

NEWS

IBM bowed to customer pressure and joined the Liberty Alliance, agreeing to implement Liberty standards and take a board-level role in the organization. In a statement, Karla Norsworthy, VP software standards IBM, said, "Customers are looking for identity management software that is flexible, supporting both WS-* and Liberty. To that end, IBM plans to support a broad range of federated identity specifications across its Tivoli identity management product line."

It might be pragmatic marketing by IBM, but there is no doubt that the move will sway federated identity convergence towards the Alliance's framework. Bjorn Wigforss, Vice President Liberty Alliance and Senior Marketing Manager, Nokia Technology Platforms, is enthusiastic about the news, which came during a face-to-face meeting of Liberty sponsors and board members in Tokyo on 16 October. "This is a major achievement of the Alliance," he said. The Liberty Alliance has been driving industry consensus on federated identity standards, fearing that proprietary solutions and competing ideas are holding back progress and damaging security. Wigforss argues that as long as organizations adopt the route of incompatible standards, security will continue to complicate matters. "Companies build themselves into silos behind firewalls and other security systems, increasingly distancing themselves from partners and customers," he says. IBM have maintained a distance from Liberty, preferring to promote their own Web Services stack, known as WS-*, which includes specifications for security and federation.

In brief

MULTI-WEAPON VIRUS

A new hybrid worm based on MyDoom combines spamming, social engineering, virus infection and Trojans to infect and convert PCs into spam zombies, says antivirus company F-Secure. It took just five days from Secunia's advisory of the vulnerability in Internet Explorer 6.0 on Windows 2000 and Windows XP SP1 for the worm to appear. The user of the target machine clicks on a link sent in a fake PayPal acknowledgement of a credit card transaction. This leads to a website hosted on the original infected PC. The IE exploit on that website turns the computer into another infected machine, and the cycle starts again. The worm also opens a back door to the infected computers.

AOL DECISION FORCES MICROSOFT CHANGE

A decision by AOL to drop testing of Microsoft's Sender ID protocol to kill spam email has prompted the Redmond firm to relax some of its demands over licences and patents in an effort to speed up the search for an industry standard.

CYBERSUSPECT ON FBI MOST WANTED LIST

Saad (Jay) Echouafni (37), the Moroccan-born boss of satellite TV company Orbit Communications, has made the FBI's 10 most wanted list after skipping bail. He is charged with masterminding a distributed denial-of-service attack on the websites of business rivals. The FBI believes Echouafni is now in Morocco, but the five people he hired to launch the attacks still face a court date after allegedly causing millions of dollars of damage.

HEADS UP IT - MICROSOFT

Microsoft say it will give customers three days' advance notice of its monthly security updates to help them prepare for software patches. The summary will say which products are affected and rate the severity of security problems. The aim is to help companies to schedule staff and prioritize workloads. Details will be at www.microsoft.com/technet/security/default.mspx.

US VOTING MACHINES BLAMED

The US election season may be over, but complaints about electronic voting machines losing or not counting votes are still pouring in.

More than 4,500 votes were apparently lost in North Carolina because officials believed a Unilect voting machine could hold 10,500 votes when it could actually hold only 3005. And in Ohio, the key state, an error with an electronic voting system gave Bush 3,893 extra votes in suburban Columbus, elections officials said. Apparently Bush got 4,258 votes to Democrat John Kerry's 260 votes, but records show only 638 voted in that precinct. Bush actually received 365 votes, officials said. Some voters in Florida and Ohio said that when they tried to vote for John Kerry the machine either wouldn't register the vote or showed that the vote was cast for Bush. Some 40 million people cast digital ballots, voting equipment makers said. Three congressmen have asked the General Accountability Office to investigate irregularities with voting machines.

PHISHERS SPIN SMART LINE

Phish emails can now steal bank log-in details without users activating a website link, says MessageLabs, an email filter maker. The firm says Brazilian bank customers have been getting phishing emails with scripts that rewrite the host files of targeted machines. The next time a user logs on to their online banking account they are automatically redirected to a fraudulent website where their log-in details are stolen. The defence is to disable Windows Scripting Host, MessageLabs says.

SPAMMER GETS NINE YEARS FOR $24m SPREE

A Virginia judge in the US has sentenced Jeremy Jaynes (30) to nine years for sending hundreds of thousands of spam messages to AOL subscribers to sell non-existent products such as a FedEx refund processor that netted Jaynes and his sister Jessica some $24m. The case was prosecuted by members of the attorney general's Computer Crimes Unit under Virginia's new antispam law, which took effect last year.

OXFORD SUSPENDS STUDENT SNOOPERS

Oxford University suspended two first-year students who exposed security flaws in the university's IT system. Patrick Foster and Roger Waite were able to read network traffic including email passwords sent in plain text and unencrypted CCTV footage. They published their story in the Oxford Student paper in May 2004. Both plan to appeal, and Foster now edits the paper.
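The hosts-file phishing item above describes a redirect that works by rewriting the local hosts file so a bank's hostname resolves to an address the attacker controls. Disabling Windows Scripting Host, as MessageLabs advises, removes one delivery route; a complementary defensive check is to audit the hosts file itself for entries that map hostnames to routable addresses. The script below is an added example written for this page, not code from the article or from MessageLabs. The hosts-file contents, the watchlist domains (`www.bank.example`, `online.bank.example`) and the addresses are all constructed; in practice the text would come from `C:\Windows\System32\drivers\etc\hosts` or `/etc/hosts` and the watchlist from the institution's own domains.

```python
"""Audit a hosts file for redirect-style entries (added example, constructed data)."""
import ipaddress

# Constructed sample of a tampered hosts file. The last two lines are the
# kind of entry the phishing script would add: a bank hostname pointed at a
# routable address instead of the loopback or unspecified address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # blocklist-style sinkhole, harmless
10.0.0.5        intranet.corp.example  # private-range override, worth a look
203.0.113.45    www.bank.example       # bank domain redirected to attacker host
203.0.113.45    online.bank.example
"""

# Hypothetical list of domains whose resolution must never be overridden.
WATCHLIST = {"www.bank.example", "online.bank.example"}


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs from hosts-file text.

    Comments (everything after '#') and blank lines are ignored; a line can
    map one address to several hostnames, so each hostname becomes its own
    pair. Lines whose first field is not a valid address are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a hosts entry
        for host in fields[1:]:
            entries.append((ip, host.lower()))
    return entries


def find_suspicious(text, watchlist=WATCHLIST):
    """Return (hostname, ip, severity) for every entry that redirects a name.

    Loopback (127.x, ::1) and unspecified (0.0.0.0, ::) mappings are the normal
    sinkhole cases and are not reported. Any other mapping redirects the name
    somewhere reachable: 'high' if the name is on the watchlist, 'medium'
    otherwise, so an analyst can triage private-network overrides separately.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        severity = "high" if host in watchlist else "medium"
        findings.append((host, str(ip), severity))
    return findings


if __name__ == "__main__":
    for host, ip, severity in find_suspicious(SAMPLE_HOSTS):
        print(f"{severity:6}  {host:24} -> {ip}")
```

Run against the constructed sample, the two bank hostnames come out as high-severity findings and the intranet override as medium; the sinkhole and loopback lines produce nothing. Feeding the same function the real hosts file from a workstation image gives a quick triage list during an incident, and comparing its output against a known-good baseline catches the rewrite the article describes regardless of which script engine performed it.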

...continued on page 20

November 2004

Network Security

3


IBM ...continued from page 3

However, with 50 million users at stake and alleged pressure from Orange, IBM originally committed to supporting Liberty Alliance specifications on its Tivoli identity management range in July. A statement issued at the time said, "To improve the experience of its customers and service usage, Orange will use IBM software that complies with the Liberty 1.1 specification for single sign-on, a specification that allows identity data to communicate over disparate networks."

USB sticks to be audited – no escape

'Whitelist' vendor SecureWave has launched an auditing product that tracks data written to authorized portable devices while blocking unauthorized ones.

'Sanctuary Device Control with Device Shadowing' enables IT departments to determine what I/O devices are allowed and who can use them. Chief Operating Officer Bob Johnson said, "It provides a way of closing down a hole in terms of the escape of sensitive information." The audit capability goes with an ability to "shadow or copy information copied to one of these removable devices". The product offers a fine level of granularity, he said. "So Joe is only allowed to use USB device A and only A, and you can audit that use. Since the introduction of XP especially, with plug and play, businesses have had growing problems with these devices."

Sanctuary Device Control is a centralized management tool through which an administrator can manage a whitelist of devices that are permitted on the network, while excluding all unknown or unauthorized devices. Devices are managed according to their types (scanner, zip drive, PDA, modem, and so on) rather than by their methods of connection (USB, LPT, FireWire, WiFi, and so on). Temporary access can be granted to a given device type: for example, certain kinds of devices might be usable on the network only during work hours and not at night. Sanctuary also audits I/O device use as well as attempts to use unauthorized devices. The shadowing feature provides a complete record and copy of data transferred to authorized devices from corporate endpoints, databases and servers. The product costs $45 per user.

Government regulations drive job demand

Government regulations and dynamic threats are driving double-digit demand for qualified IT security staff, says market researcher IDC.

It expects the global total to rise from 1.3 million to 2.1 million by 2008. Fastest growth will be in Asia Pacific (18.3%), followed by the Americas (12%) and Europe (11.4%). The International Information Systems Security Certification Consortium commissioned the report.

MS source code fence busted

The FBI has charged a Connecticut man with selling stolen source code for Microsoft's Windows NT 4 and Windows 2000 operating systems. William Genovese (27) faces 10 years in prison and a fine of up to $250,000 for allegedly "unlawfully distributing a trade secret".

Investigators working for Microsoft and an undercover FBI agent were each able to download Microsoft's software from a site run by Genovese after paying $20 via PayPal to the accused, prosecutors allege. Genovese has not been charged with stealing the source code.

EVENTS CALENDAR

24-25 November 2004
INFOSECURITY FRANCE
Location: Paris, France
Website: www.infosecurity.com.fr

30 November 2004
BUSINESS INFORMATION SECURITY
Location: London
Website: www.marketforce.eu.com
Tel: +44 (0)20 7608 0541
Email: [email protected]

7-8 December 2004
THE SYMPOSIUM FOR INFORMATION SECURITY MANAGEMENT
Location: Amsterdam
Website: www.mistieurope.com
Email: [email protected]

7-9 December 2004
INFOSECURITY USA
Location: New York, USA
Website: www.infosecurityevent.com

14-18 February 2005
RSA Conference 2005
Location: San Francisco
Website: http://2005.rsaconference.com/us/

29-30 March 2005
ECCE E-CRIME & COMPUTER EVIDENCE
Location: Monaco, France
Website: www.ecce-conference.com
