Tuesday, May 29, 2007

What Are Metrics And Their Attributes?

A metric is a group of measurements that produces a quantitative picture of something over a
period of time. Metrics are specific, measurable, attainable, repeatable and time-dependent. An
important difference between a metric and a measurement is that a metric uses a baseline as a
means of interpreting the results of the measurements.


Some suggested metrics to start with:
1. Number of Successful Logons – from security audits.
2. Number of Unsuccessful Logons – from security audits.
3. Number of Virus Infections during a given period.
4. Number of incidents reported.
5. Number of security policy violations during a given period.
6. Number of policy exceptions during a given period.
7. Percentage of expired passwords.
8. Number of guessed passwords – use a password cracker to test passwords.
9. Number of incidents.
10. Cost of monitoring during a given period – use your time tracking system if you have one.



Process metrics: a metric that represents the maturity of a security process. They are best for
reporting to management about the quality of your security and its improvement. From the above
list, #6 is the only example of a process metric.

Examples of other process metrics include:

· Percentage of passwords meeting policy.
· Percentage of exposed systems with IDS.
· Number of firewalls per exposed system.
· Number of external users.
· Number of changes on firewalls.


Security metrics: a metric that indicates the extent to which a security attribute is present. They are best for reporting the state of security to the members of your organization, the metric collectors and the process implementers. The rest of the above list consists of examples of security metrics. You can also include the following:

· Frequency of audit reviews.
· Number of systems in compliance with virus updates.
· Number of virus infected components.
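To make the measurement-versus-metric distinction above concrete, here is an added example (not part of the original post): it counts successful and unsuccessful logons (items 1 and 2 of the suggested list) from constructed sshd-style audit lines, then interprets each day's failure count against a baseline from a known-normal period. The log lines, the line format and the baseline figures are all constructed for the example.

```python
"""Measurements vs. metrics: count logon events from an audit log, then
interpret the counts against a baseline.

Added example, not part of the original post. The audit lines below are
constructed (sshd-style) and the baseline figures are illustrative.
"""
import re
import statistics
from collections import Counter

# Constructed sample audit log: timestamp, result, user, source address.
SAMPLE_AUDIT_LOG = """\
2007-05-21T08:01:10 Accepted password for alice from 10.0.0.5
2007-05-21T08:03:42 Failed password for bob from 10.0.0.9
2007-05-21T08:03:50 Failed password for bob from 10.0.0.9
2007-05-21T09:15:01 Accepted password for carol from 10.0.0.7
2007-05-21T09:20:00 sshd restarted
2007-05-22T07:58:22 Accepted password for alice from 10.0.0.5
2007-05-22T12:40:13 Failed password for root from 192.0.2.44
2007-05-22T12:40:15 Failed password for root from 192.0.2.44
2007-05-22T12:40:17 Failed password for root from 192.0.2.44
2007-05-22T12:40:19 Failed password for admin from 192.0.2.44
2007-05-22T12:40:21 Failed password for admin from 192.0.2.44
2007-05-22T12:40:23 Failed password for admin from 192.0.2.44
2007-05-22T12:40:25 Failed password for admin from 192.0.2.44
2007-05-22T12:40:27 Failed password for admin from 192.0.2.44
2007-05-22T12:40:29 Failed password for admin from 192.0.2.44
2007-05-22T14:02:00 Accepted password for dave from 10.0.0.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def measure(log_text):
    """Measurement step (post items 1 and 2): per-day counts of successful
    and unsuccessful logons, plus the source address behind each failure.
    Returns {day: Counter} with keys "success", "failure", "fail_src:<ip>"."""
    per_day = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a logon event (e.g. daemon restart), skip it
        day = m.group("ts")[:10]
        counts = per_day.setdefault(day, Counter())
        if m.group("result") == "Accepted":
            counts["success"] += 1
        else:
            counts["failure"] += 1
            counts["fail_src:" + m.group("src")] += 1
    return per_day


def metric(per_day, baseline_failures, z=2.0):
    """Metric step: interpret each day's failure count against a baseline.

    baseline_failures is a list of daily failure counts from a known-normal
    period (constructed here). A day is flagged when its failures exceed
    mean + z * population standard deviation of that baseline.
    """
    mean = statistics.mean(baseline_failures)
    sd = statistics.pstdev(baseline_failures)
    threshold = mean + z * sd
    report = {}
    for day, counts in sorted(per_day.items()):
        s, f = counts["success"], counts["failure"]
        srcs = {k[9:]: v for k, v in counts.items() if k.startswith("fail_src:")}
        report[day] = {
            "success": s,
            "failure": f,
            "failure_ratio": round(f / (s + f), 2) if s + f else 0.0,
            "threshold": threshold,
            "above_baseline": f > threshold,
            "top_failure_source": max(srcs, key=srcs.get) if srcs else None,
        }
    return report


if __name__ == "__main__":
    # Baseline of four normal days (constructed): mean 2, stdev 1 -> threshold 4.
    for day, row in metric(measure(SAMPLE_AUDIT_LOG), [1, 3, 1, 3]).items():
        flag = "ABOVE BASELINE" if row["above_baseline"] else "normal"
        print(f"{day}: {row['success']} ok / {row['failure']} failed "
              f"(threshold {row['threshold']:.1f}) -> {flag}")
```

The same raw counts are only measurements; the comparison against the baseline is what turns them into a metric that can be reported over time.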

Cisco, RSA Team Up to Encrypt Network Data

ORLANDO -- Cisco Systems Inc. and RSA Security Inc. last week announced plans to jointly develop security technology that will provide encryption keys for archived data first on tape drives and eventually for other types of networked storage media.

Executives said the two firms plan to integrate Cisco’s MDS 9000 Storage Media Encryption and RSA’s Key Manager technologies to provide centralized data encryption, key management and key provisioning capabilities to storage devices on Cisco networks.

The encryption technology will be added to Cisco-based storage-area networks by inserting a jointly developed line card into a Cisco server chassis. The first card, for tape drives, will ship later this year.

Rajeev Bhardwaj, director of product management at Cisco, contended that the tool will be easier to implement and use than encryption and key management appliances.

Such appliances, from vendors such as NeoScale Systems Inc., Vormetric Inc. and Network Appliance Inc.’s Decru Inc. unit, require IT personnel to rewire and reconfigure networks, he said. “From our perspective, you install the line card, and with the flip of a switch you say, ‘This backup server encrypts this tape,’” Bhardwaj said.

The added work isn’t a liability for some IT managers, who still prefer using appliances to protect data.

“The reason I like the appliance is because it’s absolutely nonobtrusive to my main system,” said Sean Azhadi, senior vice president of technology at San Diego County Credit Union. “That is a huge advantage because I don’t have to work with IBM or any of my other vendors to try to create some sort of environment to support this stuff.”

The credit union, which has $3.9 billion in assets, 800 employees and 25 branch locations across San Diego and Riverside counties in California, tested NeoScale's CryptoStor appliance for nine months before implementing it companywide three weeks ago, Azhadi said.

Because the NeoScale appliance is working as needed, the credit union has no plans to evaluate the new Cisco-RSA offering, Azhadi noted.

Cisco and RSA announced the joint effort here last week at a press conference at EMC World, the user conference of RSA’s parent company, EMC. Bhardwaj said the new line card will provide 10 gigabits of encryption throughput and an application programming interface for adding key management to drives on Cisco networks.

EMC and Cisco officials acknowledged that the agreement is nonexclusive.

Bhardwaj would not disclose a schedule for shipping future releases of the card.

UK database theft hurts customers

Cable & Wireless has served an injunction against a former executive following the theft of a 100,000 customer database, the BBC has learned.

The injunction orders Seemab Zafar to hand over any part of the database of former subsidiary Bulldog, including names, addresses and financial details.

Ms Zafar, from London, denies that she holds any part of the database.

A BBC investigation has established that the database had been illegally used by call centres in Pakistan.

The call centres tricked customers into handing over credit card details.

One victim of the scam, Gareth Thomas, has subsequently been defrauded on his bank and credit cards, and had his identity cloned on the internet pay system Paypal.

Other victims complained of being relentlessly called by call centres in South East Asia, who won't reveal their identity nor what personal information they hold.

The High Court injunction was brought by Cable & Wireless because it owned internet services provider Bulldog at the time the database was taken.

Database denial

The database of up to 100,000 names was stolen at the same time as an employee went on a business trip to Pakistan in 2005.

Cable & Wireless said "the employee did not return as planned and was then sacked", adding that "we take this matter very seriously".

Ms Zafar now runs an international outsourcing business.

She recently emailed the BBC from abroad to deny that she had any part of the database: "For the record I am letting you know that I do not have any part of the Bulldog database and this is exactly what I told the lawyers."

Cable & Wireless believes its injunction, served in the past few days, has "led to the destruction of all copies of the Bulldog customer data" that may have been in the possession of Ms Zafar and her companies.

But it declined to give any assurances that data which may have been passed to other call centres had also been destroyed.

Since September 2006, Bulldog has been part of Pipex Group.

ETHICS! : Want to Write a Virus? Take a Class
Erik Larkin
May 22, 2007
http://blogs.pcworld.com/staffblog/archives/004452.html

A college computer course that teaches students how to write computer viruses is riling up security companies once again, according to a story in a local California paper today.

Per the story, a computer science professor at Sonoma State University in California is teaching the course in order to train his students how to design better defenses. Security companies, on the other hand, have always vigorously decried any attempts to create new malware as automatically unethical, no matter the end goal. And at least three companies are sending Ledin letters saying they will boycott hiring Ledin's students, according to the story.

This is an ongoing debate. Other colleges have previously taught such classes, and Consumer Reports took major heat when it created new malware to test antivirus software.

So who's right? Is Ledin violating an unwritten Hippocratic oath of computer security? Or is this an important thing to teach, and learn, and test?

Personally, I think the genie's out of the bottle. Unlike with biological viruses, it's not hard to create a new piece of malware. You don't need a lab, expensive equipment or even much techie know-how; there has long been software available that allows any aspiring online thug to easily create a new piece of malware.

What's more, malware writers are constantly spewing out new variants in an attempt to evade antivirus programs. The recent Storm Worm blast was a great example.

So I don't really think it makes us less safe if a few students create new malware in order to learn how they're built. Even if one of them escapes its protected environment, it will be a drop in the bucket compared to the already existing deluge of new virus variants that come out all the time.

And such training may help with what's really important: Developing effective proactive defenses that can block attacks whether they're old or brand new.

LAW : Europe considering anti-ID theft law
OUT-LAW News,
24/05/2007
http://www.out-law.com/page-8084

The European Commission is considering new legislation against identity theft. The proposal is contained in a just-published policy on EU-wide plans to fight cybercrime.

The European Commission's policy on fighting cybercrime in Europe is the product of many years of consultation and focuses on greater co-operation between European police forces.

Though the Commission said that it did not believe that new legislation would be useful at this stage in stopping the fast growth of cybercrime, it said it will consider anti-ID theft laws later this year.

"No general legislation on the fight against cyber crime can be expected to be effective at this moment," said a Commission statement. "However … targeted legislative actions may also prove to be appropriate or needed in specific areas. As an example, the Commission will consider an initiative regarding European legislation against identity theft in 2007. Legislative action could also include developing a regulation on the responsibility of different actors in the relevant sector."

Overall, the Commission said that its cyber crime fighting policies would depend on improved co-operation and communication between law enforcement forces across Europe.

"The main feature of this policy instrument is a proactive policy in reinforcing the structures for operational law enforcement cooperation," said the Commission statement. "The Commission will launch a reflection on how this cooperation can be strengthened and improved."

In a move which could prove controversial, the Commission said that its new policy included "actions to improve exchange of information" between law enforcement agencies. Attempts to share increasing amounts of information between police forces in Europe have met with opposition.

Europe's privacy watchdog, the European Data Protection Supervisor, recently warned of his "grave concern" that data sharing plans were a "lowest common denominator approach that would hinder the fundamental rights of EU citizens".

Earlier this week the European Parliament voted to support the reinstatement of data protection principles into a European plan to share data across police forces.

"The policy instrument includes actions to improve exchange of information and best practices, initiatives to improve training and awareness-raising within law enforcement authorities," said the Commission's statement on its plan.

The Commission also wants to create new public-private projects designed to fight crime. This could also raise privacy problems because state bodies in Europe are often reluctant to share personal information with the private sector.

Wednesday, May 23, 2007

Cost of Data Security v/s Data Breach

http://www.techweb.com/wire/199700810

The Payment Card Industry data security standard created by Visa, MasterCard, and other payment services has emerged as a primary driver of IT security spending and some serious rethinking of how data and systems are secured. And with good reason. If the severe fines levied by Visa and its PCI partners aren't enough to persuade companies to invest in encryption, application firewalls, and other security measures, the threat of a costly and embarrassing data breach is enough to convince anyone.

"TJX is the new poster child for why PCI compliance is essential," says George Peabody, director of the emerging technologies advisory service at Mercator Advisory Group, which specializes in research and consulting for the payments industry. "Large merchants are working hard to meet the deadlines." TJX is the parent company of T.J. Maxx, Marshalls, and other retailers.

So are large credit and debit payment-processing firms such as Intuition Systems, which is trying to get out in front of the demanding PCI compliance requirement -- coming in 2008 -- that requires organizations to use application firewalls. Whereas a network firewall is more concerned with blocking malicious data traffic coming into a company's network, an application firewall provides IT shops with information about requests coming to their Web applications. "They let you know if a request is normal or a possible attack," says Intuition CIO Jean-Pierre Zaiter.

Intuition has since February been using Imperva's SecureSphere Web application firewall appliances. Zaiter found them particularly useful in protecting the various custom-made payments-processing applications Intuition has developed for its clients -- primarily merchants and retailers. "Because our customers ask for changes to these applications on a fairly frequent basis, we would have to retest each version of each application for compliance with PCI," Zaiter says.

Thus far, Intuition has spent as much as $250,000 on the hardware and software needed to achieve its own PCI compliance. This number excludes the labor costs associated with implementing the technology and the other IT projects that don't get done because PCI is such a high priority.

While it's not been proven that PCI compliance equals data security, it's clear that one of the biggest data breaches reported this year came from a company that was not PCI compliant. TJX last week announced in its first quarterly earnings statement that it took a $12 million hit, or 3 cents per share, because of the loss of more than 45 million credit and debit card numbers that were stolen from its IT systems over an 18-month period.

This fiasco almost makes Visa's fines for noncompliance -- which can be tens of thousands of dollars per month -- seem like a slap on the wrist. "Large break-ins like TJX are exactly what they're trying to prevent with PCI," Peabody says.

The cumulative pressure heaped on companies that accept and process credit and debit card payments is likely to have a positive effect on data security, as it will push merchants, payment issuers, acquirers, and processors to upgrade their security. PCI raises the bar for encryption, requiring compliant organizations to separate encrypted traffic from other network traffic. "We came up with a solution that was a load-balanced encryption process that moves traffic for encryption away from the rest of the network traffic," Zaiter says.

State legislators are riding the wave of data breach fears to give PCI an even sharper bite. Texas's House of Representatives last week unanimously approved a measure that would make PCI compliance a state law and force merchants and vendors that suffer a breach to reimburse banks and credit unions for costs incurred in blocking the use of compromised cards and issuing new ones if that business was not PCI compliant at the time of the breach. While some are leery of getting the government involved in enforcing an industry standard, Peabody says, "It certainly can't hurt compliance to have another source of consciousness rising out of statehouses."

UNSAFE EVER : Cisco routers caused major outage in Japan
By Jim Duffy, Network World
16 May 2007
http://www.networkworld.com/news/2007/051607-cisco-routers-major-outage-japan.html

Cisco routers were the source of a major outage May 15 in an NTT network in Japan, according to an investment firm bulletin.

Between 2,000 and 4,000 Cisco routers went down for about 7 hours in the NTT East network after a switchover to backup routes triggered the routers to rewrite routing tables, according to a bulletin from CIBC World Markets. The outage disconnected millions of broadband Internet users across most of eastern Japan.

Cisco says it could not say which specific router models were involved.

"Cisco is working closely with NTT East to identify the specific cause of the outage and help prevent future occurrences," a Cisco spokesman said in an e-mailed reply. "At this time, Cisco and NTT have not determined the specific cause of the problem."

NTT East and NTT West, both group companies of Japanese telecom giant Nippon Telegraph and Telephone (NTT), are in the process of finalizing their decisions on a core router upgrade, according to the report.

The routing table rewrite overflowed the routing tables and caused the routers' forwarding process to fail, the CIBC report states.

"Clearly, this failure doesn't reflect well on (Cisco) and at the very least highlights the need for two vendors," states CIBC analyst Ittai Kidron in the report. Kidron states that NTT West is evaluating Juniper core routers while East evaluates the Cisco platforms.

"That said, we don't expect the failure at NTT East to influence its decision with respect to its choice of core router vendor," Kidron states in the bulletin. "In fact, as router capacity was partly responsible for the failure, it is possible the outage could accelerate NTT's transition to Cisco's newer core router, the CRS-1."

NTT was one of the initial testers of the CRS-1 when the product was launched three years ago.

"We don't believe the decisions would change based on this event," Kidron concluded. "Juniper still remains a leading contender at NTT West and Cisco at NTT East."



Monday, May 21, 2007

Indian visa application data accessible to anyone

Davey Winder, Staff Writer
16 May 2007
(Courtesy – Nandkumar Saravade)
http://www.daniweb.com/blogs/entry1466.html

Sanjib Mitra is a man who likes to be responsible and do the right thing. A year ago he discovered, quite by accident, that a little bit of URL tweaking could reveal personal data about people other than himself within a website database. He was completing a complicated application form himself when he was faced with a blank page and a browser back button that did nothing, so he tried changing numerical data at the end of the URL in an effort to salvage some of the information he had spent the previous hour entering. His reward was not time saved and the application retrieved, but rather the applications of pretty much anyone who had ever used the system at any time in the past, and all it took was a different number to be substituted in the URL.

Now this is nothing unusual; poorly designed sites make this kind of security gaffe all the time. Of course, when it is a commercial site and it is customer data we are talking about, then things take on a rather different perspective than the local bowling club membership database being exposed. Unfortunately, the website that Sanjib was logged on to at the time was VFS India, the British High Commission's commercial partner in India to which it outsources the operation of visa application centers on behalf of the four visa departments in India. Indian citizens wishing to travel to the UK and requiring visas use this service to make their applications online. The personal data that Sanjib was able to read was the full visa application details of assorted strangers. By simply changing part of the URL, it was possible to bring up intimate details of other applicants such as their full names, addresses, employment details, passport numbers, spouse's details, kids' details and so on. Just the kind of thing that your average ID thief would pay good money for, and your average terrorist dreams about.

Given that Sanjib did the right thing, a year ago, and reported the problem to VFS as well as the British High Commission, why am I bothering to write about it now? Mainly, it has to be said, because after a year that security hole was gaping as wide open as ever. Although I will refrain from posting precise details here, yesterday afternoon I was able to manipulate the data URL simply by changing what appears to be the date on which the application was made along with a sequence number. Doing this, entirely at random, brings up the visa application details of people ranging from someone who applied yesterday through to some who applied a year ago, and I have the screenshots to prove it. I immediately contacted VFS Global to alert them to the fact that this problem was still ongoing and ask what they were doing about it. Although they refrained from making any direct comment, Senior Vice President in New Delhi, Ms. Venku Murthi, did assure me that as a direct result of my probing an immediate investigation would be launched by the VFS IT team. The Information Commissioner's Office in the UK, responsible for enforcing the Data Protection Act, was not so forthcoming. Nor indeed were the UK Foreign and Commonwealth Office or the British High Commission in India. At the time of writing there have been no replies to my requests for comment on the story from any of them. Frankly, I am amazed that this has been allowed to continue for so long, exposing thousands of Indian identities with enough sensitive data to make ID theft child's play. I am even more amazed that nobody, apart from that VFS Vice President, cared enough to acknowledge I was writing this story and try to prevent my posting it, or provide some kind of mitigating comment by way of an apology and promise that the hole had been sealed shut immediately.

Sanjib did everything right, was responsible in his reporting of the situation and careful not to go down the road of public disclosure immediately. VFS and the British High Commission did everything wrong in not taking his reports seriously and so protecting the applicants whose data was being exposed from further vulnerability. What's more, given the political climate in both the UK and India regarding acts of terrorism, by not acting for over a year a door to identity theft, which could just as easily be entered by terrorist groups as fraudsters and accidental tourists, has been left open and unguarded. Sanjib certainly is taking this seriously, enough so to set up a blog and post some details of the situation within it and then email the UK security services organization, MI5, via their website to report the problem to them. We know that they took it seriously enough to read because the blog visitor log, an Indian blog with no publicity and very few visitors, shows it being accessed by someone in Lambeth, UK within an hour of the report being made. Thames House, the MI5 HQ, overlooks Lambeth Bridge. Of course, the only official response Sanjib got was a template one from a mailbot confirming delivery of his message. Still, that was quicker than the British High Commission, which took 2 months to send a standard 'thanks for letting us know' email and did nothing about it, or VFS, who never replied at all and did nothing about it.

As Sanjib says, "VFS India could be responsible for large scale identity theft, for every online visa application that it receives. This is an issue which I believe is of utmost importance to UK homeland security, and poses a great threat if overlooked."

Perhaps most worryingly of all, VFS handles visa applications for governments around the world, including Russia, South Africa, Singapore and China. Who is to say that the same security hole is not open across all the online visa application sites? The chances, it has to be said, are pretty good that this is indeed the case. Especially as a little digging managed to reveal that the VFS site that handles the visa applications to the USA was suffering from exactly the same gaping security hole back in November 2006, according to one Indian blogger who reports how he managed to bring up the application details of a complete stranger by making a mistake when entering the last few digits of the URL.

At least, as a result of the good citizenship of Sanjib Mitra and this investigation by DaniWeb, VFS Global finally took the problem seriously enough to launch an investigation, and within 24 hours the head of IT, Uttam Lahiry, had been in touch to ask for more detail to aid that investigation. Within an hour the security breach had been dealt with. I can confirm that it is now no longer possible to access the visa application data of complete strangers just by changing a few numbers in the URL. What a shame it took the intervention of this reporter and the DaniWeb investigation to make someone sit up and take notice.

Questions need to be asked as to why VFS did nothing when an Indian citizen, someone directly impacted by the problem, reported it a year ago. Questions need to be asked why the British High Commission ignored that same Indian citizen when he raised serious concerns over homeland security in the UK as a result of the security breach. Questions need to be asked as to how an organization responsible for handling such a sensitive process for governments around the world could be allowed to do so with Mickey Mouse security procedures for so long without any of those governments bothering to check it was adequate. I have asked those questions of all parties, but adequate replies have not been forthcoming...

UPDATE 15th MAY: This just in from Mandy Ivemy, Director of Visa Services South Asia for the UK Foreign and Commonwealth Office: "As a side issue, you might be interested to know that as part of our global standardisation of procedures, we are moving towards hosting all online applications on our secure UK website and hope that this will be in place towards the end of the year. Many of our visa operations already offer this facility, and we hope to do the same in India before December 2007. I have asked one of VFS's Senior Vice-Presidents to make sure that all of their IT systems continue to be regularly tested so that I can be sure that they are secure. We take customer service issues very seriously indeed, and I will be personally monitoring this aspect of VFS's service to make sure that this does not happen again."

UPDATE 16th MAY: I wrote "Who is to say that the same security hole is not open across all the online visa application sites?" and can now answer that question. The same security hole was open to application data on a global basis, it would seem. I asked Uttam Lahiry, Head of IT for VFS Global, if the problem was a global one and if it had been fixed accordingly and he responded "it is been resolved globally", which solves that. And by globally, I mean it. Take a look at the list of VFS clients and you will see that they might just deal with Indian visa applications into the USA, but for the UK they handle applications from India, Singapore, Bangladesh, Malaysia, Sri Lanka, China, Ghana, Qatar, Indonesia, Nigeria, Russia and Thailand. And their other client countries for whom they handle online visa applications include UAE, Ireland, Australia, Italy, France, Canada, Thailand, Germany, Sweden, Belgium, Netherlands and Austria!

With some of these clients dating back to 2001 (as is the case with the USA) it becomes clear that the potential number of people whose data was at risk of exposure rises from thousands into millions. VFS Global claim to handle 3 million applications per year, do the math...
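The URL-number flaw the article describes is an insecure direct object reference: the server trusts the record reference in the URL and never checks who is asking. As an added example (not VFS's or DaniWeb's code; the records, user names, session model and "date plus sequence" reference format are constructed, and the fixes are standard practice for this bug class, not what VFS actually deployed), here is the vulnerable handler beside a hardened one, plus a simple detector for sessions that walk through many references.

```python
"""Insecure direct object reference, as in the VFS story, beside a hardened
lookup and an enumeration detector.

Added example, not VFS's or DaniWeb's code. Applications, user names and the
reference format are constructed; the fixes are generic good practice.
"""
import secrets
from collections import defaultdict

# Constructed record store keyed by a guessable "YYYYMMDD-NNNN" reference,
# the kind of value the article says appeared in the URL.
APPLICATIONS = {
    "20070515-0001": {"owner": "alice", "passport": "A1234567"},
    "20070515-0002": {"owner": "bob", "passport": "B7654321"},
    "20060511-0042": {"owner": "carol", "passport": "C1111111"},
}


class NotAuthorized(Exception):
    """Raised for any reference the current session may not read."""


def vulnerable_lookup(session_user, ref):
    """The bug: the handler returns whatever record the URL names. The
    session user is received but never consulted, so substituting another
    number in the URL yields someone else's application."""
    return APPLICATIONS[ref]


def hardened_lookup(session_user, ref):
    """Fix 1: authorize against the server-side session. A missing record
    and a record owned by someone else produce the same error, so the
    response does not reveal whether a guessed reference exists."""
    app = APPLICATIONS.get(ref)
    if app is None or app["owner"] != session_user:
        raise NotAuthorized("no such application for this session")
    return app


# Fix 2 (defence in depth): give the client an unguessable token instead of
# the sequential reference, so URLs cannot be walked even if a check is missed.
TOKEN_TO_REF = {}


def issue_token(ref):
    """Mint a random token for a record; the token is what goes in the URL."""
    token = secrets.token_urlsafe(16)  # 128 bits of randomness
    TOKEN_TO_REF[token] = ref
    return token


def lookup_by_token(session_user, token):
    """Resolve the token, then still authorize: a token alone is not proof
    that the requesting session owns the record."""
    ref = TOKEN_TO_REF.get(token)
    if ref is None:
        raise NotAuthorized("unknown token")
    return hardened_lookup(session_user, ref)


def is_denied(lookup, session_user, ref):
    """True when the given lookup refuses the request."""
    try:
        lookup(session_user, ref)
    except NotAuthorized:
        return True
    return False


class EnumerationDetector:
    """Detection: a legitimate applicant touches one or two references per
    session, so a session that reads many distinct references stands out.
    observe() returns True once a session exceeds the allowed number, which
    is the point to alert and review which records were served."""

    def __init__(self, max_distinct=5):
        self.seen = defaultdict(set)
        self.max_distinct = max_distinct

    def observe(self, session_id, ref):
        self.seen[session_id].add(ref)
        return len(self.seen[session_id]) > self.max_distinct
```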

Friday, May 11, 2007

Reduce Risk

One can argue that taking a risk is part of doing business. Indeed, risk taking is a business choice, one that cannot and should not be stopped. But there is a major difference between intentionally taking risks, assuming risks must always be taken, and not knowing when risks are being taken.

When a business must make a constrained choice, it may take a risk to try to achieve a desirable objective. When any risk is intentionally taken, the stakeholder must be willing to live with any negative outcome if the risk should manifest as a problem. If the stakeholder is not willing to live with the problem should it manifest, the risk should not be taken; it should be controlled. These types of risks would be categorized as chosen, understood, and appreciated when taken. The possibility of a downside is included in the taken risk. These risks are not avoided, but are managed to minimize the business impact.

Not all risks should be taken! Too often a risk is taken not knowing that there is a simple, practical way to avoid the risk. The worst possible risks are those not understood, seen, or appreciated by the stakeholder. These risks are not managed. The stakeholder does not even know that they are taking a risk. The downside is not anticipated as a possibility, and when it manifests, the risk taker says, “Well, that’s the way it is.” Well, it is not!

Today in software, the state of poor and unacceptable quality is still too often a problem. We have improved. We have processes that when implemented lead to desirable solution delivery for both the customer and the provider. We know how to deliver good quality solutions, on time, on budget, and which address the expected customer requirements.


But it is not always so. Why? Mostly because the software provider does not know or does not appreciate that application security testing by design is critical. Software can be produced at lower cost, leading to a more competitive position for the provider, and to higher customer satisfaction which in turn leads to repeat business.

We as users of software may be part of the problem. We are too forgiving when we encounter defects. It is simple to reboot when a problem on a personal computer occurs. It is a nuisance or sometimes worse, but we reboot and press on. We all know that when a new release of PC software hits the streets we will encounter defects. The suppliers even admit there are defects. Yet we users buy because we want the new function. We can't wait, and in turn we motivate poor practice by the suppliers. We need to become more demanding, and with some suppliers this is an absolute must. The suppliers need to learn how to produce better software solutions, because it is possible. They can start by implementing best practices such as CMM, drawing on open communities available on the net such as OWASP, and using the available books.

Application Security - 19 Deadly Sins of Software Security

Application Security Testing is going to be THE KEY to the success of many organizations worldwide.

Follow the link to an open community created to address issues with poorly designed and architected software and applications.

http://www.owasp.org/index.php/Category:OWASP_Project

Sin 1-Buffer Overruns
Sin 2-Format String Problems
Sin 3-Integer Overflows
Sin 4-SQL Injection
Sin 5-Command Injection
Sin 6-Failing to Handle Errors
Sin 7-Cross-Site Scripting
Sin 8-Failing to Protect Network Traffic
Sin 9-Use of Magic URLs and Hidden Form Fields
Sin 10-Improper Use of SSL and TLS
Sin 11-Use of Weak Password-Based Systems
Sin 12-Failing to Store and Protect Data Securely
Sin 13-Information Leakage
Sin 14-Improper File Access
Sin 15-Trusting Network Name Resolution
Sin 16-Race Conditions
Sin 17-Unauthenticated Key Exchange
Sin 18-Cryptographically Strong Random Numbers
Sin 19-Poor Usability
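Sin 4 is the easiest of the nineteen to show end to end, because the same input that is harmless to a correctly written query subverts a badly written one. The following is an added example, not code from the page or from the book: a login check assembled by string concatenation beside its parameterised fix, run against an in-memory SQLite database with constructed sample users. The table, user names, passwords and payloads are all invented for the demonstration (and storing passwords in clear text as the sample does is itself Sin 12; a real system stores a salted hash).

```python
import sqlite3

# Constructed sample data for the demonstration only.
SAMPLE_USERS = [
    ("alice", "correct-horse-battery-staple"),
    ("bob", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Sin 4: the statement is built by concatenation, so attacker-supplied text
    becomes part of the SQL grammar instead of staying a value."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fix: the statement text is fixed and the driver binds the values, so a
    quote in the input is just a character inside a string value."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run a legitimate login and two classic payloads through both versions."""
    conn = make_db()
    # Payload 1: tautology in the password field. The concatenated WHERE becomes
    #   username = 'alice' AND password = '' OR '1'='1'
    # which is always true.
    tautology = "' OR '1'='1"
    # Payload 2: comment out the rest of the statement from the username field,
    # so no valid user name or password is needed at all.
    comment_out = "' OR 1=1 --"
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "correct-horse-battery-staple"),
        "legit_fixed": login_parameterised(conn, "alice", "correct-horse-battery-staple"),
        "tautology_vuln": login_vulnerable(conn, "alice", tautology),
        "tautology_fixed": login_parameterised(conn, "alice", tautology),
        "comment_vuln": login_vulnerable(conn, comment_out, "anything"),
        "comment_fixed": login_parameterised(conn, comment_out, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {'logged in' if result else 'rejected'}")
```

Both versions accept the genuine credentials; only the concatenated one accepts the payloads. Note that the fix is not escaping or filtering quotes but keeping data out of the statement text entirely, which is why it holds for payloads the author never anticipated.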

Wednesday, May 9, 2007

2007 Security Breaches in US

These 109 total breaches, affecting more than 54 million Americans, are categorized into the following areas: Business; Government/Military; Educational; Medical/Healthcare; and Banking/Credit/Financial.

More Details...

http://www.idtheftcenter.org/artman2/publish/lib_survey/Press_Release_-_2007_Breach_List.shtml

Will SRO initiative better BPO security?

The Economic Times
Sudin Apte, Country Head Forrester Research

The SRO announcement by Nasscom has once again brought the subject of information security in offshore operations to the forefront. Data leakage or security breaches in BPO operations are a universal phenomenon, and the last couple of years saw more than a few such instances in the Indian BPO space.

But the massive media glare that every incident gets — coupled with limited government action to prevent recurrence — is actually the major pain area. Forrester believes such an initiative is a welcome step — as it maintains focus on the burning issue, but will achieve moderate success. Why?

Attrition is one of the key root causes: Frankly, a lack of security standards/certification was never the problem. Inconsistent execution processes and manpower-related issues such as attrition are the root causes of most of the frauds.

One more certification to adhere to: The BPO market has become a highly commoditised and competitive place, with very few making money. Most players do have some security standard or other, such as BS 7799 / ISO 27001 / SAS 70, and on top of that most customers impose some checks and balances. Against this background, a voluntary compliance initiative will yield limited results.

The bottom line: The SRO initiative brings information security into the limelight again. More awareness, investment, process integrity and tightening of some of the loopholes will surely rebuild customer confidence. But this alone will not stop the frauds.

Self-regulatory organisation (SRO) - Initiative

The Self-regulatory organisation (SRO) is an independent body that will establish, monitor and enforce privacy and data protection standards for India's IT BPO industry. The SRO acts as a watchdog and is targeted at employees, organisations, enforcement agencies and policy amendment, through a '4E Framework', i.e., Engage, Educate, Enact and Enforce.

It is the only organisation of its kind globally in the IT BPO industry. The SRO will not only reinforce India as a secure and reliable technology partner but will also bring awareness amongst employees, employers and enforcement agencies about security standards and laws. Companies would also be accredited as adhering to the security guidelines.

Success of such initiatives is predominantly dependent upon industry participation. Therefore increased industry participation in defining and implementing the background verification guidelines and best practices will further strengthen India’s position in the IT BPO sector.

NASSCOM appoints new chairman for SRO

In a bid to prevent data theft and ensure that India remains a secure outsourcing destination, Nasscom has decided to form a Self Regulatory Organisation for adoption and strengthening of best practices in IT and BPO companies.

As a first step toward this, Nasscom appointed former Telecom Secretary Shyamal Ghosh as the chairman of the yet-to-be formed SRO.

Ghosh will lead the effort to set up the SRO functionally and structurally, Nasscom president Kiran Karnik said.

The body, to be formed under Trusted Sourcing Initiative of Nasscom, is being set up following allegations in the US and the UK that Indian call center workers were stealing and selling data processed by Indian outsourcing companies.

Last year, a call centre employee was arrested for using credit card details of customers to make on-line purchases.

The SRO will raise the bar in data security and privacy by including best practices currently stipulated by certifications such as the ISO17799 standard for information security of the International Organization for Standardization (ISO) in Geneva, as well as data privacy and data protection laws worldwide.

Being a member of the SRO will in effect be a certification, as member companies will have to follow best practices specified by the SRO. If the SRO withdraws the certification, then it would be clear to the customers of that IT/BPO/call centre that best security practices are not being followed by that company, Ghosh said.

Philippine government seeks a few good hackers

Web-based election system to undergo 'penetration testing'
Iain Thomson, vnunet.com
20 Apr 2007
http://www.vnunet.com/vnunet/news/2188211/philippines-seek-few-hackers

The Philippines government has issued a call for domestic and foreign hackers to undertake penetration tests on its new internet voting system.

The system will allow Filipinos overseas to register and vote in national and local elections over the internet.

A trial of the system, which the government wants hackers to try to subvert, will use a sample of 26,800 Filipinos living and working in Singapore.

"The software is covered by an international patent and has been declared secure by no less than the government of Switzerland," Florentino Tuason Jr, Commissioner on Elections, told the Manila Standard.

"But we want to be really sure, so we are inviting professional hackers to do the testing."

Singapore was chosen as a test site because it is technologically advanced and has a high volume of Filipinos in college or employment. The election will be held from 10 July.

The government has also asked for help from the non-profit International Foundation for Electoral Systems to get international or professional hackers to test the security of the system.

Set up by HP and Spanish firm Scytl, the voting system has already been used in Europe and is due to be introduced in the UK shortly.

Mumbai Police deal with Orkut.com

Express News Service, Mumbai
May 04, 2007
http://cities.expressindia.com/fullstory.php?newsid=234691

Indian Company tie-up with US co for Computer Forensics Training

Credit Card Fraud, Threatening E-mails, Morphed pictures on Orkut, Tech savvy terrorists, Smart cyber criminals all contribute to making the Indian cyber jungle a difficult place for Indian Law Enforcement personnel.

Increasingly, Indian police forces have been forced into playing catch-up in the game of cat and mouse with miscreants in the digital world. The lack of the right tools and, most importantly, the lack of training on those tools have led to a technical divide between the cyber criminals who operate in today's world and the law enforcement which operates in yesterday's world of conventional policing.

A leading provider of computer forensic and investigation tools and training, AccessData Corp of the USA, and Foundation Futuristic Technologies (P) Ltd of India have announced a joint partnership to bridge this digital divide. The partnership will launch Cyber Crime Investigation Boot Camp training courses in India. This instructor-led course is intended for forensic investigators, law enforcement personnel, and security and network administrators who are responsible for handling cases relating to digital evidence left on computer hard drives and other digital media.

Computer forensics, also called cyberforensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.
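The "documented chain of evidence" in that definition has a technical core that is easy to show: the image is hashed at acquisition, the hash goes into the custody record, and every copy is re-hashed and compared before anyone works on it. The following is an added example, not code from the article or from AccessData's products, and the evidence bytes, case identifier and examiner names are constructed for the demonstration.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 16  # hash in 64 KiB pieces so a multi-gigabyte image never sits in memory


def hash_stream(stream, algorithm: str = "sha256") -> str:
    """Hex digest of a file-like object, read in chunks."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def acquire(evidence_id: str, stream, examiner: str, algorithm: str = "sha256") -> dict:
    """Open the custody record: who imaged the evidence, when, and what it hashed to."""
    return {
        "evidence_id": evidence_id,
        "algorithm": algorithm,
        "digest": hash_stream(stream, algorithm),
        "log": [(datetime.now(timezone.utc).isoformat(), examiner, "acquired")],
    }


def verify(record: dict, stream, examiner: str, action: str) -> bool:
    """Re-hash a copy before it is handled and log whether it still matches.
    A mismatch is logged too: the record must show the failed check, not hide it."""
    ok = hash_stream(stream, record["algorithm"]) == record["digest"]
    outcome = "verified" if ok else "HASH MISMATCH"
    record["log"].append(
        (datetime.now(timezone.utc).isoformat(), examiner, f"{action}: {outcome}")
    )
    return ok


def demo() -> tuple:
    """Acquire a constructed image, verify an intact copy, then catch a one-bit change."""
    original = b"\x00" * 100_000 + b"constructed sample evidence" + b"\xff" * 1000
    record = acquire("CASE-001-HDD1", io.BytesIO(original), "examiner A")
    intact = verify(record, io.BytesIO(original), "examiner B",
                    "copied to analysis workstation")
    tampered = bytearray(original)
    tampered[100_005] ^= 0x01  # a single flipped bit somewhere in the middle
    altered = verify(record, io.BytesIO(bytes(tampered)), "examiner B", "second copy")
    return intact, altered, record


if __name__ == "__main__":
    intact, altered, record = demo()
    print(record["algorithm"], record["digest"])
    for when, who, what in record["log"]:
        print(when, who, what)
```

In practice the record would be signed or stored write-once, and the acquisition hash would be computed from the write-blocked source and the image in the same pass; the point here is that the hash, not the examiner's memory, is what the court is shown.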

Uncrackable quantum crypto hacked by MIT team

By ANI
April 28, 2007
http://in.news.yahoo.com/070428/139/6f403.html

Web 2.0: Empowering Users and Cyber Criminals

Trend Micro
04 May 2007
http://newsletters.trendmicro.com/servlet/website/ResponseForm?mgLEVTTA_TYTX_.40ev.2e_ew_eHmLlm0okLHm

Business magazine fails to heed its own tech advice

By Richard Pérez-Peña
May 1, 2007
http://www.iht.com/bin/print.php?id=5513431

IP TV security replacing CCTV

Mass High Tech
May 4, 2007
by Efrain Viscarolasaga

A growing number of the more than 100 million security cameras worldwide are moving to an Internet protocol (IP) environment -- and away from closed-circuit television systems considered standard industry fare until now. The IP migration is spurring innovation in the security surveillance industry, and a trio of Massachusetts companies are working to take a chunk of the $1 billion networked video surveillance market.

For instance, VideoIQ Inc. last week spun out of Bradenton, Fla.-based GE Security Inc. and into Waltham, armed with $8 million in Series A funding from Atlas Venture and Matrix Partners, and an established video analytics technology. The technology, designed to automatically spot unauthorized human activity in a given area, has a 95 percent accuracy rate, said VideoIQ executives.

Two other Bay State companies, IntelliVid Corp. in Cambridge and RemoteReality Corp. in Westborough, meanwhile, are ramping up their own networked video technologies and businesses. Executives at all three firms say they see opportunities to get a piece of the market with their individual expertise, but also to partner with solutions designed for specific industries.

"(The move to IP) has made a huge difference in what and how people deploy security systems," said Patrick Sobalvarro, CEO of IntelliVid. Analysts predict the migration of closed-circuit TV security systems to Internet protocol networks, coupled with the heightened emphasis on security across almost all industries, has positioned the sector for major growth. In a report last month, research firm iSuppli Corp. in California estimated global revenue for video surveillance could grow from $4.9 billion in 2006 to more than $9 billion by 2011, with IP cameras overtaking closed-circuit cameras as the main format that year.

IntelliVid focuses on the retail environment, where the 30-person company's video analysis software helps retail store managers prevent theft and fraud. The niche for 16-person RemoteReality is in its technology designed to provide a 360-degree view of high-security areas. The main target for the company is in government applications (it recently closed a sale with Lockheed Martin Corp.), but the company has also been garnering interest from the private sector, particularly from casinos.

VideoIQ's technology was originally developed by Mike Gardner and Mahesh Saptharishi, and then launched through Broad Reach Security LLC in Framingham in the late 1990s. It was licensed by GE Security in 2000 and gained a customer base of about 200 chemical plants, water treatment facilities, corporate campuses and private residences. VideoIQ's spinout, which includes Gardner as vice president of operations and Saptharishi as chief scientist -- both of whom followed the technology to GE Security -- also includes former GE Security team members Doug Marman as CTO and Steve Lefkowitz as vice president of sales.

Scott Schnell, a former executive at Apple Computer Inc. and Bedford's RSA Security Inc., was brought in to lead the 13-person VideoIQ team as CEO. As an independent company, he said, VideoIQ has a better chance to succeed in a growing industry with many players and few gorillas. "We concluded that there wasn't really a good way to build this business within GE because you have to integrate with so many other large vendors," said Schnell.

ATTACK : Turkish Hackers attack NZ

Kiwi sites defaced in new hacking spree
This is the second recorded mass-defacement of New Zealand sites by Turkish hackers
Juha Saarinen, Auckland
Monday, 7 May, 2007
http://computerworld.co.nz/news.nsf/printer/5AFE7CF0A6EA30C5CC2572D100010F27