Wednesday, October 3, 2007

Web 2.0, social networking can endanger corporate security

With the Web becoming central to the way companies do business, cybercriminals are taking increasing advantage of Web 2.0 and social networking sites to launch attacks, according to IDC analyst Christian Christiansen.

The Web isn't the benign resource for information that people once saw it as, said Christiansen, who spoke today at Kaspersky Lab Inc.'s Surviving CyberCrime conference in Waltham, Mass. "One of the things that's happened that's disconcerting -- and it's been growing over the last 10 years -- is the blending of people's private lives with their corporate lives," he said.

Employees' personal lives -- their online shopping habits and interactions with friends and families -- get intermingled with the interactions they have at work with customers, fellow employees, partners and suppliers, he said. "So that creates a perforated perimeter where there isn't a hard, fast separation between the corporate world and the personal world," he said.

The problem is that employees don't always follow their companies' security policies -- probably because they don't know what those policies are, just as they don't know what their companies' acceptable use policies are. The result: employees don't know what's allowed and what they're barred from doing. Sometimes, Christiansen said, the very people who set up the corporate policies don't even follow them.

Problems also occur when an IT department no longer controls the products being connected to the corporate network. That list could include everything from smart phones to new and untested laptop and desktop computers to various application environments, he said.

"We're seeing the realization that the internal security problem is growing -- the threats are coming from inside the network," he said.

The latest threats to network security now are coming from collaboration and Web 2.0 environments -- where employees casually click on links that could lead them to malware. And they're coming from the wide variety of devices that may be accessing private as well as corporate networks, he said.

"We're seeing a change in the threat environment," he said. "Instead of the threats -- the malicious code -- being distributed as e-mail attachments, we're seeing more and more that they're being embedded in Web 2.0 links," he said. "In the past, what you saw was an immediate effect. Now we're seeing much greater levels of subterfuge and much more sophisticated attacks."

To better avoid potential problems, IT departments need to control user behavior, the types of devices being used to access information, the applications being used and content contributions.

"Risk reduction requires policy managements and layered protection -- at the gateway to the Internet as well as at the endpoint [desktops, laptops and servers]," he said. "You need a whole series of checks and balances."



(Computer World)

Microsoft launches enterprise 'get legal' program

Microsoft Corp. amped up its antipiracy campaign today, adding a program that targets large customers that need to "get legal" after being fingered for using counterfeit or illegally-applied volume licenses.

The program, dubbed Get Genuine Windows Agreement (GGWA), plugs a hole in the company's antipiracy efforts, said Cori Hartje, the director of Microsoft's 18-month-old initiative to identify phony copies of Windows or instances of unlicensed use of the software.

"This fills in the entire picture," said Hartje. "Consumers who had been identified as running a counterfeit [version of] Windows could simply push a button and have the purchase made right then. But we didn't have a good way to programmatically address the same for larger-scale customers, particularly through the [reseller] channel."

GGWA uses Microsoft's standard volume licensing -- and therefore is designed for organizations that generally acquire the company's software through that venue -- to sell full licenses of Windows XP Professional. Most customers looking to get legal using GGWA would go through their existing channel reseller, Hartje said.

"We also wanted something like this as a turnkey for the channel," she said. "This way, resellers will be able to offer [their customers] Microsoft financing, for example, as well as other services, such as Software Assurance."

Hartje said she expects that most organizations using GGWA would do so not because they find counterfeit copies of Windows on OEM-sourced PCs, but because they have "mislicensed" systems. "After an internal review, a company may find it has, for example, 2,000 machines that it got 'naked.' And they need a way to address that."

In "mislicensing," Hartje explained, customers misunderstand the licensing rules. They think they can purchase "naked" computers -- PCs sans operating system -- and then apply their volume licensing agreements to load Windows. "The regular volume licensing agreements like the Select Agreement or Enterprise Agreement have upgrades available for purchase, so there must be an eligible licensed copy of the Windows software already on the machine to be able to use the upgrade available in those programs."

Other companies might find they're running a large number of illegal machines if they misuse a volume licensing key or let it leak. When Microsoft identifies a leaked key, it invalidates the key; subsequent activations of Windows -- or, in Vista and the upcoming Windows Server 2008, the regular checks of Windows legitimacy -- would then flag those PCs as noncompliant.

"We needed to have options for our business customers so that it was easy to get full Windows licenses, to help customers who found themselves in an unlicensed situation," said Hartje.

GGWA is in addition to the still-available Get Genuine Kit (GGK) packages, which contain one or 10 XP Pro licenses, but it comes with several new provisions that strip away the anonymity of GGK. According to information posted on Microsoft's site, GGWA requires customers to sign a legalization agreement and make a commitment to legalize all out-of-compliance PCs. The legalization agreement also contains what Microsoft describes as an "audit clause." Microsoft officials were not able to immediately confirm this, but the clause would presumably be similar to the one in an Open Value volume licensing agreement. Open Value's audit clause lets Microsoft request an internal audit of all Microsoft software used in an organization.

"Enterprises who want anonymity can still purchase the Get Genuine Kit," said Hartje, "though that's cumbersome in large volume, with the packs showing up on the loading dock and having to be opened."

The new program offers Windows XP Professional licenses rather than Vista licenses, she added, because XP Professional is what's in widespread use. "XP is where we have the gap. It has a large installed base, and that's where [companies] are discovering [noncompliant] PCs."

In other words, stocking GGWA with Windows XP is not an admission that Vista isn't selling well to corporate customers. "Most people are now buying new PCs that come with Vista," she said. "And so they don't need to get another license."



(Computer World)

Could Adobe be vulnerable to an AIR attack?

Adobe Systems Inc.'s moves to support rich Internet applications are exposing the software vendor -- and its developers and users -- to the threat of more Web-based malware and efforts to take advantage of security holes in its products.

"It's annoying to Adobe that suddenly they have become a target" for malicious hackers, said Chris Swenson, an analyst at NPD Group Inc. in Port Washington, N.Y.

For instance, a British security researcher claimed last month that an unpatched vulnerability in Adobe's Portable Document Format (PDF) technology could be exploited to take control of systems running Windows XP; at the time, Adobe said it was researching the reported flaw. And in January, Adobe issued a patch to fix a vulnerability in its PDF-based Adobe Reader and Acrobat software that made systems vulnerable to cross-site scripting attacks.

And then there are all the potential vulnerabilities lurking in Adobe's newer, less mature technologies, such as its still-in-beta Adobe Integrated Runtime (AIR) software.

The AIR framework enables Web applications built with HTML or Asynchronous JavaScript and XML (AJAX) to run offline. The problem, though, is that doing so exposes users of AIR-based applications to many of the same security issues that other users face, if not more of them, according to Ron Schmelzer, an analyst at ZapThink LLC in Waltham, Mass.

"The current generation of spyware, virus and malware [detection] products have no visibility into running AIR programs," Schmelzer wrote in an e-mail. "As such, there is a high possibility for malicious AIR applications -- which are no longer security-restricted to the browser sandbox and are free to manipulate local machines -- to spread into the wild."

John Landwehr, Adobe's director of security solutions and strategy, said at the company's Adobe MAX 2007 North America conference here that AIR applications are not only digitally signed to ensure authenticity, but also use security sandboxes to limit the ability of malware to take control of other applications on a compromised PC.

(ICTNEWS)