PKI dies hard


news


In Brief

Brian McKenna

Public Key Infrastructure is staging a comeback, according to new research from European IT user association EEMA. The European Certification and Authority Forum (ECAF), EEMA's security interest group, has published 'PKI Usage within User Organisations'. The report shows that 92% of responding organizations consider PKI a strategic requirement, with many more organisations indicating that they are issuing certificates to business partners. Sixty-four percent of the surveyed organizations are using separate signing and encryption keys, compared to 43% in 2002. Kate Hodgson, systems manager at Royal Mail and vice-chair of ECAF, said that PKI certificates would be a decisive counter to phishing attacks, and that the technology would have been more successful in the UK had "the government given a better lead; they were reluctant to be seen to endorse one particular technology, and so retarded the whole thing". She added that PKI has been a big benefit to the Royal Mail, which has its own Certification Authority for internal use. "Identity management is a big driver", said Hodgson. "There is no real alternative to PKI that gives you the infrastructure across the whole access and control piece. Basically, you can turn the employee off when they leave, straightaway". She confirmed that 25 of EEMA's 200 member organizations responded to the survey. "It is not a huge sample", she admitted, "but there were some implications we could draw. PKI has not gone away, but has been growing steadily and quietly in the background. It is, after all, a complex technology that can change all your processes". The research shows that big multi-national companies are most minded towards PKI. "They have a need to use the certificates for more than one thing, not just securing email".

FIRST MOBILE VIRUS DISCOVERED

A virus that exploits a flaw in the Symbian operating system common in Nokia phones and spreads itself via Bluetooth has been created, but it is not yet in the wild. The worm, called Cabir, would have to be accepted as an unknown file by an active Bluetooth user (despite two warning messages) before it would be activated. As yet there is no malicious payload with the file. It is believed that this proof-of-concept worm was developed by 29a, the same group of virus writers that developed viruses for Win64 and .Net.

MICROSOFT TO OFFER AV SOFTWARE

Microsoft has revealed that it is still intending to produce a stand-alone anti-virus solution at some point in the future. While not news, the fact that it is stand-alone software rather than bundled with Windows has proven to be a relief for the market, which would find it hard to compete with Microsoft at that level.

SPAMMERS SUED BY MICROSOFT

Microsoft has filed eight lawsuits in the US against 200 alleged spammers, claiming that they had deceived customers and had used false information to conceal their true identities. Using the new CAN-Spam Act, Microsoft could be awarded up to US$1 million per spammer in civil fines. This is seen as the latest step in Microsoft's ongoing battle to reduce spam by using legislation as well as technology.

CISSPs PASS NEW ISO BENCHMARK

Twenty-five thousand information security professionals will join supply managers, occupational therapists and fire-sprinkler fitters under a new global standard that approves key professionals. The CISSP qualification from (ISC)2 has achieved the International Organization for Standardization's (ISO) accreditation for people in key professions, ISO/IEC 17024. "This means stronger recognition for CISSPs," said Lyndsay Turley, an (ISC)2 spokesperson, "if they want to develop an international career, or even at a national level"; they now have the ISO stamp of approval.

"The ISO standards that existed before were all about products and processes and not about people," said Turley. ISO 17024 was set up last year and is recognized in 88 countries. "(ISC)2 is the first organization within the IT sector to earn accreditation for personnel certification," said James E. Duffy, CISSP, executive director for (ISC)2.

ONLINE RACISM

A two-day conference was recently held in Paris to discuss what can be done about the increase of racist and anti-Semitic literature on the Internet. It is thought that, in the face of xenophobic viruses such as Zafi.B, more stringent measures must be taken to fight hate websites, which thrive in the anonymous arena of the Internet. The Organization for Security and Cooperation in Europe set up the meeting, which was attended by representatives of 55 countries.

FTC DO-NOT-SPAM REGISTER

Despite legislation insisting on the creation of a do-not-spam register, the US Federal Trade Commission will not, in the near future, start such a list. Turning the responsibility elsewhere, the FTC asked Internet service providers to continue to research authentication technologies.

ATTACKER PENETRATES KOREAN DEFENCE LABS

An attacker has compromised computers at the Agency for Defence Development, the Korea Atomic Energy Research Institute, the Korea Institute for Defence Analysis and others. "NCSC recently found some PCs at state agencies have been contaminated by a variation of Peep Trojan hacking programme and taken emergency measures," the agency said in a statement.

INSTANT MESSAGING EMERGES AS PROBLEM

Instant messaging applications are exposing enterprises to security risks, according to a report compiled by the Internet Security Forum. Weak identity management, user authentication and logging ability, as well as a lack of encryption, are issues with instant messaging applications. To limit the risk of IM, corporates should carry out a risk analysis, configure IM controls, secure the IM infrastructure and apply management controls.
