[SecurityRatty] tag: survey

Should You Install Messaging Security Software on Your Exchange Server?

Fri, 05 Sep 2008 09:00:00 +0000

(Source: Sunbelt Software) Osterman Research shares insights gleaned from a just completed survey that dispel the fears of employing server-based email security solutions. Read this white paper to help you understand the latest Exchange security risks and also learn about reasons why an installed security solution may be the best option for you in countering those challenges.

More MMORPG Fakeouts

Thu, 04 Sep 2008 12:16:43 +0000

Here's a few more sites presumably created by the maker of the fake Batman Online game.

Step up, Dragonball Z:

Click to Enlarge

To "download" this Dragonball Z MMORPG, you have to fill out a survey:

Click to Enlarge

Once done, you'll be amazed(!) to find you're taken to....shockingly....the official Dragonball Z MMORPG game.

The only problem? The website is in Japanese and the game hasn't been released yet.

Click to Enlarge

Forgive me for thinking this isn't the greatest deal I've ever been sold.

Now it's Harry Potters turn:

Click to Enlarge

Like the Batman site, you need to install Zango. Do so, and.....you're taken to the popular Hogwarts Live, which you could have easily found and played yourself without installing Adware. As you probably guessed, the screenshot from the title graphic on the site is not part of the game you'll eventually play.

The sites involved are

onlinedbzgame.info

and

harrypottergame.info

in case you want to add them to your blocklists.

Survey: VARs concerned about cybersecurity, health care

Wed, 03 Sep 2008 20:00:00 +0000

Many U.S. businesses fail to take cybersecurity protection seriously and are unwilling to spend money on additional protection, according to a recent survey of value added resellers (VARs) by the Computing Technology Industry Association.

Links List 8.29.08

Fri, 29 Aug 2008 10:00:44 +0000

ChangeWave Research released a survey of 1,947 people responsible for IT spending. Thirty percent of the respondents reported that third-quarter IT spending was lower than previously planned – while 12 percent spent more than planned. Thirty-five percent cited higher energy costs as the top factor for spending slowdown.

Parlez-vous open source? While wide-spread open source usage is still debated in many companies, the French have been advocating for all open source all the time in government and education. French President Nicolas Sarkozy set up an economic commission that recommended tax benefits to stimulate more open source development. Lesson learned from France: start ‘em early. “All students in France use open source.”

Just in time for Labor Day, John Edwards (no, not that one) comes out with an informative guide on “Who provides what in the cloud”. No doubt, this will be a rapidly expanding list, but what’s really interesting is the comment on the article. People have very strong opinions on the cloud…

Research firm Aberdeen Group reports that network costs will increase slightly more than 5 percent over 2007. Contributing factors: “need for speed”, shift from standard to mobile PCs (more end points of connectivity), and the ever-expanding network. And of course the hidden costs of multiple tools with multiple management consoles – if you’re not smart enough to choose say a comprehensive network management solution that is vendor agnostic…One tool to monitor them all…

And just because I miss the Olympics already, here’s an irreverent take on what it’s like to lose to Michael Phelps. http://www.thetechstop.net/?p=1503

Enjoy your long Labor Day Weekend!

How do you Manage Virtualization if you cant see Performance?

Thu, 28 Aug 2008 21:15:41 +0000

NetIQ, which seemed to drop off the planet not long after being bought by Attachmate, is back with the results of a very interesting virtualization survey. Now, you know that you need to take all surveys with a big grain of salt (e.g., the majority of respondents to this one were less than 10% virtualized), but it’s still good to take temperatures whenever possible.

The numbers we found interesting:

- only 21% currently deploying virtualization have any kind of systems management solutions for their virtual infrastructure

- about 27% are managing performance/ability of virtual systems with same tools they use for physical servers (Nothing wrong with that as long as they’re seeing what they need to see but…)

- 40 percent of those surveyed do not report the performance of their virtualized applications, hardware, operating systems, or their virtual machines in any measureable way (which rather undercuts the whole point)

Get the full results here.

Web Services and XML Security Training at OWASP

Thu, 28 Aug 2008 04:55:59 +0000

I am teaching Web Services and XML Security training at OWASP's AppSec conference in NYC, Sept 22-23. Web services provide the backbone that integrates many things in the enterprise from application servers, databases, ERP, and CRM. Increasingly we are seeing Web services in more B2C roles with Rest, Federation and other technologies. The class looks at how Web services applications are built, what are common threats and vulnerabilities in Web services, and how to build your Web services application to defend against them.

I have often said that OWASP conferences are my favorite ones because they are in depth technically and very practical. I always look forward to teaching at OWASP and the speaker lineup for this conference looks excellent.

Here is a quick list of tools we have used in past classes

Web Services frameworks
Apache CXF - very interesting open source Web services framework with support for JMS, SOAP, and Rest
Apache Axis & Axis2
.Net
Metro - interesting framework from Sun for interop with WCF

Identity
PingFederate - leading federation tool, we'll look at browser based SSO with SAML
PingFederate Web Services - we'll look at how to implement a STS in Web services
Bandit - Cardspace, authorization, and auditing

Security Services
VordelSecure - XML gateway, comprehensive web services security policy creation and enforcement, deploying decentralized security services
Apache Ramparts
modecurity

Testing
Soapbox - web services security testing
WebScarab - web services fuzzing

Static Analysis
Fortify SCA - how to scan your web services code for security bugs *before* you deploy

This is just a quick list, new tools are added periodically. If you are using tools of these types in your company you may find it interesting to attend.

Testimontials on past classes

"High quality detailed overview of SOA security standards and approaches. Well thought-out and structured presentation."
- Sr. IT Architect, Fortune 10 enterprise

"The knowledge and transfer was a great baseline and with the additional resources Gunnar made available, made this one of the best one day classes I've taken."
- IT Security Lead, Fortune 10 enterprise

"This class was a thorough and well-organized trek through the current Web Services Security landscape. Going beyond just describing the standards and the options available in the Web Services Security world, this class discusses real-world use cases and offers implementable solutions, best practices, even vendor choices in several key areas. This class provided me with actionable tasks that I took back to my project teams the very next day!"
-Jesse Aalberg, Sr. Enterprise Application Architect, United Healthcare

"The class was distinctly focused on Security requirements and the strength and weaknesses of the various solution approaches we could consider. The result of the course was actionable approaches to providing security in our SOA environment."
-Brad Sillman, Director IT Security, Deluxe Corp.

"Anyone who wants up-to-date information on SOA Security, security standards and best practices should take this class."
-Kevin Beam, Senior Systems Engineer, Union Pacific Railroad

"Good comprehensive overview of subject, standards, and threats"
- Sr.Security Consultant, Ubizen

"The class helped me get my head around what "SOA" and WS-Security is really all about"
- Mike Zusman, Independent consultant

"Topics addressed are timely and relevant. Labs are hands-on and help see concepts in action"
- Jerry Tan, Systems Analyst, DTCC

"This class was concise and covered a majority of the problem set my company is looking at and dealing with."
- Steve Reilley, Technical consultant, Commerce Insurance

"Excellent two day overview of security topics as related to Web Services."
- Daniel Reznick, Information Security, ADP

"Issue affecting most of us today & for those that don't - will soon. Very necessary education and technology."
Aaron Delashmutt

"Great class! Effective and relevant teaching in an area without much guidance."
- Mark DiSabato, Senior Information Security Architect, Roche

"The class cut through jargon to communicate concepts and implementation details."
- Developer, Fortune 100 insurance company

"Good overview regarding SOA Security. Contains new technology like AMQP and REST"
- Lars Loland, Statoil

"The course covered what I had to learn about Web services"
- Sven Vetsch, Dreamlab Technologies

"Very good, eye opening especially for websecurity noob."
-Michael Brandon

"Presenter has very broad and deep technical knowledge on subject. Content: good overview and comparison of SAML and WS-*"
- Security consultant, ING

"Good to learn where our application is vulnerable to attacks and how we can avoid them."
- Application Development Programmer Lead, Fortune 100 Insurance company

"Entirely thorough overview of technology surrounding the use of web services with a 1 day presentation"
- Technical consultant Contextis

"Gave a good overview of the Web services security environment"
- Francesco Degrassi, Emaze Networks

"A great entry point for securing your web services"
- Stig Kluver

"Lots of good technical information about an emerging area that's very useful"
- Rory McClune, HBOS PLC

"This class reinforced the importance of software security assurance to me as it lucidly demonstrated why being 'behind the firewall' is an outdated concept."
-Senior Support Engineer, Software Security vendor

"The area of SOA Security is complicated and youg. A course such as this helps bring it into focus."
-Jayme Frye, System Engineer, Union Pacific Railroad

"Web services security class provided application security concepts valuable for applications audits."
- Mary Ma, IT Auditor, DTCC

"Very knowledgeable coverage of security requirements for Web services."
- David Libershal, Network Security Engineer, Johns Hopkins University Applied Physics Laboratory

"WS/XML security is not a "black art", but you do need to know about it to be able to take it into consideration."
- Applications Specialist, Global 500 manufacturer

"Good overview of techniques worth considering when planning secure apps"
- EAI Specialist, Leading Mobility company

"Brought concepts in very easily understood terms."
-Glenn Bernard, Systems Engineer

"Gives ideas about the latest Web services security standards in the industry"
- Security Coordinator, Global 500 manufacturer

"Class cleared up various WS-* standards and gave great concrete examples of how to build a message using each standard. Very good general thoughts on security groups' role in IT."
- Matt Kasselman, UP Systems Engineering

"I found this very useful as an IT architect in a "security critical environment"."
- Mika Pullinen, IT Architect, Finnish Defense Forces

"Lots of useful information packed in a small amount of time. Good overall picture."
- Jari Pirhonen, Security Director, Samlink

"Gunnar is very knowledgeable about security topics and has a great ability to explain complex ideas using simple, appropriate, and amusing language and analogies."
- Scott Redd, Sr. Project Engineer, Union Pacific

"Excellent instructor who had a good pace to go through the presentation"
- Anna Vaahtokan, Specialist, Nordea

"Good application security principles."
- Tuomas Kivinen, IT Security Specialist, Nordea

"I liked the class quite a bit. I took it in a "survey mode" where I wanted to learn about topics at a high level, and this was accomplished. It was good to listen to those in the class that were much more familiar with SAO than I."
- John Glazeski, Senior Systems Engineer

Watch Out! Firing IT Workers Can Cost You

Wed, 27 Aug 2008 20:00:00 +0000

When IT employees are dismissed, watch out! A new survey by Cyber-Ark Software, a provider of identity management products, reports that theft of sensitive information by disgruntled former insiders is out of control.

Four quick tips for choosing an IM security product

Mon, 25 Aug 2008 20:00:00 +0000

Instant messaging (IM) has become an increasingly useful business tool for modern corporations. Data from a Forrester Research survey suggests that 71% of businesses will invest in real-time messaging this year.

Links List 8.22.08

Fri, 22 Aug 2008 16:15:48 +0000

Ah, the opening ceremonies of the Olympics. How spectacular. Is that Li Ning “running” in the sky with the torch? Oooh, aah. And wait, what’s that image on the wall behind him? Looks kinda familiar…oops, it’s an XP blue screen of death….I wonder how much Microsoft paid for advertising during the Olympics?

(Photo Credit: Gizmodo)

You lose some. You win some: Of course as NBC’s online partner, Microsoft gets a least a cut of the $100 million dollars in online advertising spent around the Olympics. And the millions of downloads of Silverlight aren’t too shabby either.

The Internet is Falling! Arbor Networks, a security and network management company, partnered with ninety network services and content providers from around the world to publish an extensive study of IPv6 traffic on the Internet. Craig Labovitiz, Arbor Networks chief scientist, stated that only 900 days were left until the end of the Internet, or at least the exhaustion of IPv4 registry allocations. For the past year, the study shows very little IPv6 traffic – something like 1/100^th of 1% of Internet traffic. Craig credits this to money issues. “The department of commerce estimates it will cost $25 billion for ISPs to upgrade to native IPv6.”

Blogger James Urquhart created a bill of rights for cloud computing. The purpose of the bill is to “help guide would-be cloud customers to those clouds best able to guarantee their freedom.” The blogosphere is a great place to get some open debate going, and I applaud James for trying to make something yet so “cloudy” a bit more clear and concrete. But what’s up with the creating a PAC for this?? (Check out the comments.)

Trying to get by on limited resources? Need more money, staff and the freedom to focus on long-term projects? Sound familiar? Then you just might be in IT at a midsize company. (or in marketing at a young but rapidly growing IT company ) Arrow Enterprise Computing Solutions conducted a survey of 200 tech leaders at midsize companies (500 to 3000 employees). The upside: 61% of those surveyed think they’ll be spending more on IT next year – is this bullish thinking about the economy or how much their own business (rev) will be growing?

Bill Snyder calls Dell “Bozo of the Month” for trying to trademark “cloud computing”. Yikes. Maybe not a “bozo” move but certainly inadvisable given how ubiquitous the term is. Here’s our take on it.

Consumer Reports Responds

Tue, 19 Aug 2008 12:12:41 +0000

Consumer Reports has sent a response to my recent column Security Software Reviews Done Wrong, which criticized their recent story on computer security and review of security products. This statement is from Jeff Fox, Technology Editor, Consumer Reports:

At Consumer Reports, we have always believed that scientific testing is the best way to evaluate products. We also use a statistically-valid survey methodology to measure consumer experiences. In preparing our September security reports, we employed both methods as we have for many decades. Some additional notes on this column:

The story was not, as you state, "filled with data sourced to eMarketer." That service provided just two pieces of data, namely the current number of Internet- and broadband-using U.S. Households

Using a separate credit card for online transactions avoids having to cancel your main card should fraud occur.

We test software against modified versions of actual malware because such threats are what security software will often be called upon to recognize on the job.

Finally, a note about your claim that Consumer Reports was invited to respond. Your e-mail to us requesting a comment was time-stamped on the same Saturday evening as your column is labeled as having posted. That left fewer than six hours to respond, on a weekend. It would have been helpful to have had more time.

It's true, as I said in the column, that I didn't give them much time to respond. I hope I can make up for that some by putting this response out now and including it in the column itself.