SECURITY REPORTS
Microsoft, CitiGroup sign on for infrastructure defence scheme
John Sterlicchi
Microsoft and US megabank CitiGroup have signed on as the first two charter members at iDefense, a fledgling company that plans to be on the frontline to defend the world’s critical infrastructure. iDefense (Infrastructure Defense) is the brainchild of James Adams, defence expert and former chief executive of United Press International, who says the company is pioneering a new industry ... the critical infrastructure defence industry. “This will be a multi, multi million dollar business”, he said.
iDefense’s main priority, which is to “gather and maintain the world’s largest database on critical infrastructure”, was seeded with money from Internet consultancy USWeb/CKS, which with iDefense is also developing a secure communications system, iDEF. iDefense has a team of experts that trawl the world’s information avenues searching for clues as to where cyber-terrorists might attack or the infrastructure might crack and break. The company has 30 employees at its Virginia, US headquarters at present. That number will grow to 150 by year’s end when the company also hopes to have opened two more ‘intelligence centres’ in Europe and Asia.

Drawing on its information base, iDefense has built a portfolio of services that it is offering to members. These services include Threat Notification, which provides twice-daily analysis of potential vulnerabilities. Those threats could be from hacker or terrorist attack, economic espionage or system failure. iDefense also has a Certification service which establishes and maintains a wide range of standards needed to qualify a company’s security and technical staff as well as its procedures, metrics, policies, and technologies. The company says that as more businesses become iDefense certified, companies will be able to gauge not only their own security but that of their partners, suppliers, and financial institutions. iDefense will also advise on security architectures and policies, provide secure communications and help with contingency planning to identify redundant sources of power, services, and supplies to aid in rapid recovery in the event of a security breach or attack.

Last May US President Bill Clinton issued a directive entitled “Protecting America’s Critical Infrastructures”, and he concluded that to adequately defend critical infrastructure the public and private sectors must join and share responsibility. Adams says that iDefense was founded in response to that call and the company is now linking with leading companies and organizations to be “the trusted third party between the public and private sectors”. Microsoft and CitiGroup are the first to announce they are on board, but more announcements are expected.

Explaining why CitiGroup had joined with iDefense, Michael Nugent, its General Counsel for Technology and Intellectual Property, said: “CitiGroup devotes considerable resources and budget to information security because it is critical to our future. An important element of information security is protection of critical infrastructure from all manner of attacks and compromise. It is for this reason we have chosen to become a Charter Member of iDefense. We also believe that iDefense represents the most meaningful effort to date at serious and coordinated private sector action in protecting the nation’s critical infrastructure.”
Intel’s ID code
Barbara Gengler
Facing a boycott by privacy groups and the threat of legal action by Arizona state legislators, Intel has pledged it will ship its Pentium III microprocessors with the identification code in the ‘off’ position as well as provide software that will allow users to turn the code on if they want to do so. Shipping the processors with the ID code in the deactivated default position gives users the choice of whether they want their systems to be tracked, for instance in the case of computer theft or for user verification in electronic commerce.
Computer Fraud & Security March 1999 3723/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved
At the same time, 20 or more companies demonstrated products and features showing how the chip’s controversial tracking technology can be used. Security companies that will use the controversial Processor Serial ID Number on the chip include Network Associates, RPK Security, Aliroo, ilumin, Rainbow Technologies, SSE and Brokat, all of which said that they will use the Processor ID for encryption, firewall and other security products.

In January, Intel announced plans to ship its Pentium III processors with an ID code to heighten security on the Internet. But that decision provoked privacy groups who feared the code could be used by marketers to track users’ Web use patterns without consent. Intel made its decision after several meetings with privacy advocates Junkbusters and the Electronic Privacy Information Center. They are protesting Intel’s use of electronic identification technology in the new chips that they claim would allow Web surfers to be tracked. This is in addition to meetings with the Arizona State Legislative Representative, Steve May, who threatened to introduce legislation to ban the sale of the Pentium III chips in Arizona. Intel has pushed the ID chips as a security feature.

“We are just going to keep making it painful and expensive for them to have the feature on”, said Jason Catlett, president and CEO of privacy advice seller, Junkbusters. “We will keep it up until it becomes cheaper for them to keep the serial number off.”

The processor serial number, also known as the chip ID, is a unique identifier ‘burned’ into the Pentium III processor that can be accessed over the Internet, allowing E-commerce sites and others to know which machine is visiting a site or using a service. “The privacy groups have a very specific agenda. They believe that any number that identifies you is bad. That’s their fundamental belief, but it is not our position”, said Mike Aymar, a vice president at Intel.
Disaster on hold!
Ed Wehde
A new disaster recovery initiative is just being launched in the US by 20 vendors. The vendors, including Dell Computer, Hewlett-Packard, IBM and Sun Microsystems and led by Quantum Systems, have launched Prove-IT to offer the small and medium-sized business continuity and archiving services. Prove-IT is aimed at companies with annual revenue between $50 million and $500 million. There are plans to expand the initiative to Europe, according to Margaret Pereira, spokesperson for Quantum, but she gave “six months to a year” as a time frame for when the programme may move overseas.

According to Quantum, central to the initiative is the challenge to companies to ask internally: “Can we recover from a computer systems disaster? Can we prove it to ourselves?” One cornerstone of Prove-IT is to aim the initiative at top-level management who want a strategic perspective. At least one analyst agrees that reaching upper management is key. “With high-profile projects like Year 2000 and Internet Commerce vying for budget priority, disaster recovery planning often gets relegated to the bottom of the list,” said Fred Joy, senior research analyst at META Group. “We see this all the time: IT professionals, whose necks are on the line if the technical infrastructure goes down, cannot convince their senior executives that disaster recovery technology expenditures may mean the difference between having a bottom line to save or not. Education and consciousness-raising of senior executives aim right at the jugular vein of this problem.”

The initiative is aimed at midsize companies because the feeling is that they are the least prepared, according to Pereira. “Most Fortune 500 companies have a disaster recovery programme in place”, Pereira said. “But midsize companies have often grown quickly and their disaster recovery plans haven’t kept up with that growth.”

“With H-P being a leading provider of storage systems, it benefits us to participate in the initiative”, said Mike Koponen, product marketing manager for H-P’s Storage Systems Division. “If companies pay more attention to the issue, it will lead to increased sales of our products.”