Friday, March 5, 2010

NABU Trend Micro News Summary - 02/27/10 - 03/05/10

Table of Contents

Trend Micro Quotes

· Forbes.com (03.04) – Virtualization: Your Security Blanket

· Times Online: Tech Central (03.03) – What, exactly, is a botnet? Big news from Spain today that the Mariposa botnet has been taken down.

· ihotdesk (03.02) – Security is a pressing concern, expert claims

· Computerworld (03.03) – New exploit technique nullifies major Windows defense; Google engineer posts sample code to show how to bypass DEP in Windows

· FierceCIO Tech Watch (03.05) – Released: Exploit code to bypass DEP security in Windows

RSA Conference

· eWeek (03.05) – Trend Micro Reveals Cloud Computing Security Strategy

· Network World (03.04) – CISOs rain on cloud-computing parade at RSA

· USA TODAY (03.04) – How cybercriminals invade social networks, companies

o 13WMAZ.com

o ABC News

o The Arizona Republic

o Consumer Action

o CourierPostOnline.com

o Daily Record

o DMA Legislative Action Center

o KSDK.com

o The Last Watchdog

o MyCentralJersey.com

o Terremark Worldwide

o WBIR.com

o WKYC.com

o WLTX.com

o WUSA9.com

· InfoSecurity (03.03) – Trend Micro's Rik Ferguson reports on Adware Spyware Detective

· V3.co.uk (03.01) – RSA 2010: Trend Micro on the impact of cloud security services (Video)

· BankInfoSecurity (03.10) – Event Coverage: RSA 2010 Conference (Video)

· PC World (03.04) – FBI Embeds Cyber-investigators in Ukraine, Estonia

· Internet Evolution (03.03) – CISO's Dilemma: Security, Compliance at Odds

· Microsoft Certified Professional Magazine (03.02) – Security Watch; All Eyes on RSA

· NBC Bay Area (03.03) – Feeling Insecure? Technology Can Help; Silicon Valley security on display

· V3.co.uk (03.04) – RSA Conference pulls in UK security crowd

· MSP Mentor (03.01) – Security as a Service Accelerates at RSA Conference

Trend Micro Mentions

· Wireless News (03.05) – Everything Channel's CRN Unveils 2010 Security Superstars

· ZDNet UK (03.01) – Google signs up for Cloud Security Alliance

· Sentor (03.01) – Website operators 'must follow basic IT security steps'

· CIO Update (03.03) – IT Strategy - Six Endpoint Security Vendors You Need to Know About

· CTO Edge (03.02) – Qualys Offers Free Malware Testing Service

· New York Times (03.03) – Strain on HTC From Apple Suit Is Likely to Be Long-Term

· San Francisco Chronicle/Network World (03.02) – 5 things VMware must do to fend off Microsoft

· ChannelWeb (03.02) – 3 Reasons Microsoft EU Browser Ballot Will Impact U.S. Market

· ITWorld (02.28) – What I've Learned About Implementing EHR as a Service

· A Consuming Experience (03.02) – Blogger users beware: phishing attack

· Dark Reading (03.01) – Trend Micro Partners with Qualys to Strengthen its Security and Compliance Offerings (press release)

Trend Micro Quotes

"It's definitely helped us a lot," says Robert McArdle, a Trend Micro threat researcher based in Cork, Ireland. "You can click a button and the whole machine goes to the way it was before you installed the malware."

Virtualization: Your Security Blanket

Forbes.com – 3/4/10

Which may lead you to ask – what on earth is a botnet? Rik Ferguson, a web security analyst at Trend Micro, has some answers:

What, exactly, is a botnet? Big news from Spain today that the Mariposa botnet has been taken down.

Times Online: Tech Central – 3/3/10

Last week, Trend Micro senior security advisor Rik Ferguson said that popular social networks such as Twitter, LinkedIn and Facebook are attractive to hackers because of the number of potential victims they are used by.

Security is a pressing concern, expert claims

ihotdesk – 3/2/10

"This is pretty significant," said David Sancho, a senior threat researcher with Trend Micro. "This can be used to further enhance exploits, and I expect that we'll start seeing it being used within exploits fairly soon."

New exploit technique nullifies major Windows defense; Google engineer posts sample code to show how to bypass DEP in Windows

Computerworld – 3/3/10

Senior threat researcher at Trend Micro David Sancho noted that the demonstration "is pretty significant."

Released: Exploit code to bypass DEP security in Windows

FierceCIO Tech Watch – 3/5/10

RSA Conference

In a conversation with eWEEK at the RSA conference in San Francisco, Trend Micro CTO Raimund Genes outlined the company's plans for building a "private cloud within a public cloud."

Trend Micro Reveals Cloud Computing Security Strategy

eWeek – 3/5/10

Trend Micro, known for its antimalware software and services, is making a leap into the area of encryption, primarily to come up with new ways to protect customer data as it transits the Internet and ends up stored in a cloud-computing facility.

CISOs rain on cloud-computing parade at RSA

Network World – 3/4/10

"These new communication platforms are where people go, so that's where the hackers are going." – Eva Chen, Trend Micro CEO

How cybercriminals invade social networks, companies

USA TODAY – 3/4/10

"A few years ago, criminals figured out that traditional anti-malware solutions could be overcome by a surge in the volume of malicious files. If malware code could be rolled often enough, then by the time the security companies had a pattern file available it would already be out of date." – Rik Ferguson, Trend Micro

Trend Micro's Rik Ferguson reports on Adware Spyware Detective

InfoSecurity – 3/3/10

Trend Micro chief technology officer Raimund Genes talks about some of the issues that have arisen in the wake of the rollout of the company's Smart Protection Network

RSA 2010: Trend Micro on the impact of cloud security services

(Video. Running time: 2:58)

V3.co.uk – 3/1/10

Tom Field, editorial director of Information Security Media Group, interviews Raimund Genes, chief technology officer of Trend Micro, at RSA 2010.

Event Coverage: RSA 2010 Conference

(Video. Running time: 3:08)

BankInfoSecurity – 3/1/10

"Ukraine's a huge problem," said Paul Ferguson, a researcher with Trend Micro. "I would rank it above Russia right now."

FBI Embeds Cyber-investigators in Ukraine, Estonia

PC World – 3/4/10

"We of course take additional security measures behind the scenes to ensure data is not disappearing from the customer's network, and we advise companies on how to prevent unnecessary data loss. But it's frightening that this is more about ROI and TCO than being secure." – Raimund Genes, Trend Micro

CISO's Dilemma: Security, Compliance at Odds

Internet Evolution – 3/3/10

Already, security big shots like Symantec, McAfee and Trend Micro are offering hosted security options, but even well-respected smaller players like Kaspersky Lab and Sophos are getting in on the action.

Security Watch; All Eyes on RSA

Microsoft Certified Professional Magazine – 3/2/10

Companies like Trend Micro and Cisco Systems (CSCO) are touting mobile security, selling software to keep your phone as safe as possible.

Feeling Insecure? Technology Can Help; Silicon Valley security on display

NBC Bay Area – 3/3/10

Rob Gupta, managing director of Trend Micro and Juniper partner Secon, said: "We are not on the hunt for new manufacturers; we want to do more with our existing ones."

RSA Conference pulls in UK security crowd

V3.co.uk – 3/4/10

Sure, entrenched players like Symantec, McAfee and Trend Micro have a range of SaaS and hosted options that frequently involve channel partners.

Security as a Service Accelerates at RSA Conference

MSP Mentor – 3/1/10

Trend Micro Mentions

The 2010 CRN Security Superstars includes:

-- Eva Chen, CEO, Trend Micro

-- Paul Ferguson: Advanced Threat Researcher, Trend Micro

Everything Channel's CRN Unveils 2010 Security Superstars

Wireless News – 3/5/10

Security vendor Trend Micro has already warned of new threats emerging from the adoption of cloud computing …

Google signs up for Cloud Security Alliance

ZDNet UK – 3/1/10

Last week, Trend Micro suggested that social networking sites are an ideal target for cybercriminals.

Website operators 'must follow basic IT security steps'

Sentor – 3/2/10

The success of Trend Micro Enterprise Security solutions is driven by the Smart Protection Network—a Cloud-client infrastructure that combines reputation technology, feedback loops, and research from TrendLabs to deliver real-time protection from today’s blended threats.

IT Strategy - Six Endpoint Security Vendors You Need to Know About

CIO Update – 3/3/10

Separately, Qualys also announced this week partnerships with Trend Micro, Imperva and Core Security Technologies.

Qualys Offers Free Malware Testing Service

CTO Edge – 3/2/10

Last year, HTC was ranked as the fourth most valuable Taiwanese brand by the Taiwan External Trade Development Council, after the PC maker Acer, the anti-virus software giant Trend Micro, and the netbook pioneer Asustek.

Strain on HTC From Apple Suit Is Likely to Be Long-Term

New York Times – 3/3/10

VMsafe has been adopted by vendors including Altor Networks, Reflex, IBM ISS and Trend Micro, so the SourceFire concerns are not universal.

5 things VMware must do to fend off Microsoft

San Francisco Chronicle – 3/2/10

PC makers already sell off screen space to security software makers like Symantec, Trend Micro, McAfee and others. Look for them to do the same kind of deals with browser vendors.

3 Reasons Microsoft EU Browser Ballot Will Impact U.S. Market

ChannelWeb – 3/2/10

As we started to go down that path, we had a hard time finding a security vendor that understood this kind of virtualized environment but when we did -- Third Brigade, which is now Trend Micro -- it taught us we had to think differently about the whole security model around cloud computing.

What I've Learned About Implementing EHR as a Service

ITWorld – 2/28/10

According to security firm Trend Micro, bad guys are sending emails to Blogger users, pretending to be from Blogger.

Blogger users beware: phishing attack

A Consuming Experience – 3/2/10

Trend Micro Quotes


March 4, 2010

Virtualization: Your Security Blanket

By Taylor Buley

Burlingame, Calif. - Virtualization is one of those technologies that you hear a lot about but never see. It's the driving force behind "cloud" computing and many Web applications--but it's helping keep your desktop safe, too.

In the data center, virtualization technology abstracts hardware from software so resources can be pooled across large groups of machines. But the technology came to the desktop first, where the same concept enabled operating systems to run like any other application on a Windows or Mac machine and still talk to the underlying hardware.

The convenience was not lost on security researchers, who saw hosted desktop virtualization as a way to speed up the once-cumbersome process of analyzing how viruses and other malicious software, called "malware," affect a computer's operating environment. The speed and efficacy of putting malware in a "sandbox" has become common practice at security companies worldwide.

"It's definitely helped us a lot," says Robert McArdle, a Trend Micro threat researcher based in Cork, Ireland. "You can click a button and the whole machine goes to the way it was before you installed the malware."

Virtual machines--VMs for short--can be picked up in the same state you left them, or you can throw away changes on these machines and roll them back to their initial state. This feature is helpful for security researchers, since they need to understand how a piece of malware has affected a computer.

Antivirus researchers look for what files were added or registries modified in order to use this information to write rules that allow their software to recognize and block threats. Intrusion defense companies look for network traffic, and Web filtering companies look for any URLs that a piece of malware tries to visit.

Easy, one-click restoration for researchers wasn't always the case. Since you can't trust a machine through which you've just run a piece of malware, before virtual machines existed researchers would have to wipe and reinstall the entire operating system for each thing they needed to analyze.

"That could take hours," says Paul Judge, chief research officer at Barracuda Networks' threat research lab. "It only became practical in the last couple of years when virtualization technology became easy to manage."

Today, running virus samples through a virtual machine can be automated and require almost no human intervention. That's enabled Barracuda to analyze around 3,000 software samples a day, compared with a few dozen a day without using virtual machines, says Judge.

The only problem? McArdle of Trend Micro says that bad guys have caught on to the use of virtual machines for analysis. "Because the malware writers are pretty familiar with how we do our work, they realized that our security teams use virtual machines," he says.

Varying breeds of malicious software like the Storm Worm or Mebroot now attempt to detect if the software is running in a virtual machine, and act differently if that's the case. Some malware refuses to run; other malware functions very differently in order to fool researchers.


Times Online: Tech Central

March 3, 2010

What, exactly, is a botnet?

Big news from Spain today that the Mariposa botnet has been taken down.

Which may lead you to ask – what on earth is a botnet? Rik Ferguson, a web security analyst at Trend Micro, has some answers:

What is a botnet?

Criminals use malicious software, or malware, to break into computers. The computers they infect are overwhelmingly people’s home PCs. Recent statistics from TrendLabs showed that 75 per cent of all bot infected computers were in people’s homes, and there are tens of millions of them across the globe.

Once a computer is infected it is under the full remote control of the criminal. “Bot” is short for robot; another term often applied to these kinds of infections is “zombie”, for obvious reasons. A botnet is a collection of compromised computers under the control of a single individual or criminal group. Criminals use the infected computers as a resource to make money, and as the underground economy has flourished they have devised many different ways to monetise their “investments”.

Why should you care?

Bots are primarily designed to steal banking login information and login credentials for online services such as PayPal, eBay and webmail accounts; in fact, any kind of username/password combination they can. They are also capable of silently adding extra content to banking pages to grab even more information. You may find, for example, that the real login page of your credit card company is now asking not only for your username and password but your ATM PIN as well.

In addition to information theft, botnets are often rented out to other criminal groups as a distribution platform. If I had some fake anti-virus software I wanted to distribute, I could pay a botnet owner per thousand “loads” to get it pushed out to his botnet. If I wanted to send a large Spam run, I could subcontract to the botnet owner and get all his compromised PCs (that’s your PC) to send the Spam for me. The vast majority of Spam in your inbox will come from otherwise innocent computers just like your own.

Bots are also used to host malicious websites designed to further the infection chain or phishing websites designed to steal information. They have even been known to be used for hosting pornographic content both legal and illegal for others to download.

The malware used to infect machines is often specifically designed to avoid classic anti-virus software and many non-criminal websites are often infiltrated in order to infect the casual visitor. The software necessary to create your own botnet is available free of charge in online forums. Hardened criminals and newcomers alike are all getting involved. The botnet is the platform of choice for most cybercriminals.

When it comes to botnets it would be really nice to be able to say “it’s getting better”. It’s not. More and more computers are being infected, and they are staying infected for longer.

What can you do?

Inform yourself. Find out how your antivirus software works; if it doesn’t warn you when you’re visiting a web page that may infect you, then it doesn’t protect you. Use free tools and software that are designed to stop infections before they happen. Once the zombie is in your PC he’ll do all he can to stay there, so help yourself.



March 2, 2010

Security is a pressing concern, expert claims

By Jessie Richards

Internet security has to advance to deal with the increasing number of malware attacks, IT outsourcing users have heard.

Mark McLaughlin, chief executive of Verisign, told BBC News that hackers are using increasingly sophisticated and malicious attacks when attempting to breach security systems.

The expert also revealed that his organisation is targeted between one and two thousand times a day by cybercriminals, with attackers ranging from amateur hackers working on their own to "state-sponsored actors" attempting to identify security vulnerabilities.

"Certainly as more utilisation of the net occurs and more people go online, then the more security concerns have to go up," he told the broadcaster.

The expert pointed out that the rise of cloud computing, smartphone data access and digitalisation of health records are developments which should be matched by an increased focus on IT security.

Last week, Trend Micro senior security advisor Rik Ferguson said that popular social networks such as Twitter, LinkedIn and Facebook are attractive to hackers because of the number of potential victims they are used by.


March 3, 2010

New exploit technique nullifies major Windows defense

Google engineer posts sample code to show how to bypass DEP in Windows

By Gregg Keizer

March 3, 2010 (Computerworld) The disclosure of a new exploit technique that bypasses an important Windows security feature may result in more successful attacks against Microsoft's newer operating systems, researchers said today.

On Monday, Berend-Jan Wever, a Google security software engineer who goes by the moniker "Skylined" when he posts exploit research, published proof-of-concept code that bypasses DEP, or data execution prevention, one of two major security enhancements Microsoft has added to Windows since 2004. The other: ASLR, for address space layout randomization.

DEP prevents malicious code from executing in sections of memory not intended for code execution, and is a defense against, among other things, attacks based on buffer overflows. ASLR, meanwhile, randomly shuffles the positions of key memory areas, making it much more difficult for hackers to predict whether their exploit code will actually run.

Microsoft introduced DEP in Windows XP Service Pack 2 (SP2), the security-oriented refresh launched in 2004, and it debuted ASLR in Windows Vista three years later.

"I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms," said Wever in a post to his personal blog on Monday.

Wever should know about Windows: According to his LinkedIn account, he worked for Microsoft as a security software engineer from 2006 to 2008.

In 2005, Wever helped popularize "heap spraying," a technique that made exploits, especially those against browsers, more efficient. Hackers quickly picked up on heap spraying, and have applied it in several prominent attacks, including one a year ago against a then-unpatched bug in Adobe's Reader.

"This is pretty significant," said David Sancho, a senior threat researcher with Trend Micro, when asked to peg the importance of Wever's demonstration. "This can be used to further enhance exploits, and I expect that we'll start seeing it being used within exploits fairly soon."

There have been DEP workarounds making the rounds, Sancho acknowledged. "But this is generic enough that it will work within any exploit," he said.

Earlier today, another Trend Micro researcher also predicted that Wever's disclosure will likely lead to attacks that regularly shove aside DEP's defenses. "After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique," said Trend's Ria Rivera in an entry on the company's malware blog. "It would thus be not farfetched that the release of this new proof-of-concept could lead to the same scenario -- new exploits could start using 'return-to-libc' to achieve DEP bypass."

Wever's new technique requires that ASLR be bypassed as well, but that's not a solid barrier, said Sancho. Attackers have taken to running their exploit code many times, in many parts of memory, in the hope of one landing in an executable location. "Yes, attacks need to bypass both ASLR and DEP, but [Wever's proof-of-concept] makes it all easier," Sancho emphasized.

The proof-of-concept that Wever published doesn't actually do damage, as it is wrapped around an exploit of a bug in Internet Explorer 6 (IE6) that was patched years ago.

"This exploit targets a bug that was fixed in IE6 in 2005, which explains why it does not affect any recent install," said Wever in a comment he added to his blog entry. "This release is for academic purpose only, it is not an 0-day that script-kiddies can use to pwn your grandma's computer."

From Sancho's viewpoint, the DEP bypass doesn't exploit a vulnerability in Microsoft's code, but rather takes advantage of a design flaw. "Microsoft can fix this, and I have faith they will," he said.

Microsoft was not immediately available to answer questions about Wever's proof-of-concept DEP bypass, and whether it would -- and if so, when -- revamp the security feature in Windows.



FierceCIO Tech Watch

March 5, 2010

Released: Exploit code to bypass DEP security in Windows

By Paul Mah

Google security software engineer Berend-Jan Wever has published proof-of-concept code on how to bypass Microsoft's data execution prevention technology, or DEP. First introduced in Windows XP Service Pack 2, DEP prevents malicious code from executing in memory spaces not meant for code execution. This helps the operating system defend against various types of attacks, including those based on buffer overflows.

Wever worked for Microsoft as a security software engineer from 2006 to 2008. In his personal blog, he says that the decision to publish the exploit is to demonstrate that the combined use of ASLR and DEP is not a mitigation to "put a lot of faith in." ASLR stands for address space layout randomization, a technique in which the positions of key memory areas are randomly shuffled around to thwart hackers from predicting whether their exploit code will actually run.

Where ASLR is concerned, Wever wrote that on the x86 platform at least, "32-bits does not provide sufficient address space to randomize memory to the point where guessing addresses becomes impractical, considering heap spraying can allow an attacker to allocate memory across a considerable chunk of the address space and in a highly predictable location."

Heap spraying was a technique Wever popularized in 2005 to make exploits against browsers more efficient. Senior threat researcher at Trend Micro David Sancho noted that the demonstration "is pretty significant." According to Sancho, "This can be used to further enhance exploits, and I expect that we'll start seeing it being used within exploits fairly soon."



RSA Conference


March 5, 2010

Trend Micro Reveals Cloud Computing Security Strategy

By Brian Prince

In a conversation with eWEEK at the RSA conference in San Francisco, Trend Micro CTO Raimund Genes outlined the company's plans for building a "private cloud within a public cloud."

For Trend Micro CTO Raimund Genes, talking about the cloud is nothing new. But now, things are slightly different; instead of talking about offering security services in the cloud, the company is looking at the concept of securing the cloud infrastructure enterprises are expected to adopt, Genes said.

“The last few years we invested in delivering security from the cloud…and now, more and more security for the cloud (is what) you will see (in) the first products this year,” he explained in a conversation with eWEEK at the RSA conference in San Francisco.

That starts with a focus on virtualization. Currently, the company also looks to solve virtual security issues with its Deep Security technology, which transparently enforces security policies on VMware vSphere virtual machines. But looking ahead, Trend Micro is extending its encryption technology to virtual environments to help organizations build a “private cloud within a public cloud,” the CTO said.

“To protect data in the cloud Trend Micro works on a product which encrypts virtual machines in the cloud,” he explained. “So you could build your virtual machine in house, put it into Amazon’s elastic cloud, but the machine will be encrypted. Only the one who has the key could access this VM in the cloud. Together with identity based key management this enables companies to use the cloud even for confidential data/customer records etc.”

Right now the encryption and key management solution is being tested by some ISPs in Europe, and is expected to be ready in the second half of 2010, he said.

Securing cloud environments was a hot topic at this year’s RSA conference, and there was no shortage of vendors and analysts offering up opinions on what enterprises need to focus on to make sure their data is safe. According to Genes, U.S. companies are adopting cloud computing faster than enterprises in Europe, who seem to be more worried about issues surrounding compliance and data protection.

“(U.S. companies) are not as concerned as European ones, but still there are security concerns,” he said. “Virtualization is adopted by 37 percent of US enterprises, I don’t have percentage on cloud computing but the costs savings speak for themselves…. But without proper security, a lot of companies simply can’t do it.”

As a good rule of thumb, any cloud vendor should be held to the same compliance standards their customers have to comply with, Nils Puhlmann, co-founder of the Cloud Security Alliance, told eWEEK in an e-mail.

“While we encourage to use the CSA Guidance document to ensure all areas of security domains are covered, different compliance regulations ask for very specific requirements to be met,” he said. “These requirements need to be met where the data is stored and handled.”

Without the proper level of security and controls, cloud computing simply does not compute, Genes said.

“I would be scared to death to put customer data into the cloud without a guarantee from the cloud vendor that nobody else could touch my data,” he said.



Network World

March 4, 2010

CISOs rain on cloud-computing parade at RSA

By Ellen Messmer, Network World

SAN FRANCISCO -- Economic pressures are driving more businesses and governments to nervously eye cloud computing, despite myriad unanswered questions that swirl around a single central concern: security. This was the backdrop for a panel discussion between CISOs at this week's RSA Conference.

"We're all in dire straits," said Seth Kulakow, Colorado's CISO. "Cloud computing is obviously on everybody's mind." But even if cloud-computing looks like a bargain, "it's got to have the same kind of risk controls you have now."

"It's imperative we look at it," said Nevada's CISO Christopher Ipsen, who had noted that the economic crisis and housing-market collapse have left his state's financial situation "extremely bad."

"We are doing some cloud services with e-mail," said California's CISO, Mark Weatherford. "It's very efficient. We can't ignore the benefits in the cloud, but we have to proceed carefully." The Los Angeles Police Department is regarded as the state's early adopter in all this since it's moving to a cloud-computing arrangement with Google.

But giving up control over IT infrastructure and software assets in favor of rental and pay-as-you-go models evokes anxiety, too. "What I'm most worried about is catastrophic failure, and if we put all our eggs in one basket, someone in the middle holds the keys," Ipsen noted.

IT customers are not the only parties that need to evolve their thinking, panelists said.

"The cloud represents a fundamental change in how vendors will work with their customers," said another panel participant, Forrester Research analyst Jonathan Penn. "We need some sort of standardization in this so we can have some way of comparing platforms and levels of service so I can understand what I'm getting."

IDC analyst Chris Christiansen said the cloud security market is estimated at $1 billion, mainly for e-mail and Web services, and trying to track it is going to be a challenge since many new forms of product and service delivery are arising.

So, too, are horror stories, including one about an enterprise that needed to pay $170,000 merely to pry its own data back from a cloud service.

"Just about any kind of dispute can arise in a cloud-computing relationship," said Tanya Forsheit, founder and partner at Information Law Group. "The inability to obtain data, the level of data security, the allocation of liability in the result of a breach, and what are the default rules?" Privacy regulations in the United States and Europe, for instance, may mean that certain kinds of sensitive data simply cannot move about freely.

And a tricky aspect in cloud negotiations is that there's the strong perception that most cloud-service providers, Amazon Web Services included, are not "transparent" enough -- the preferred word many are using -- about their internal infrastructure. And this secrecy is making the legal situation more tenuous and expensive than it should be.

"I call it 'faith-based IT,'" quipped Chris Whitener, chief security strategist at HP. "They think they'll use it and nothing will happen to them."

But HP, now one of the world's largest data outsourcing companies since its merger with EDS, is itself in internal foment to re-define or expand its data center services, often completed in multi-year formalized contracts, to add more flexible on-demand, pay-as-you-go, cloud-like services. With announcements on that score possible later this year, HP is mulling possibilities such as cloud services with well-defined security services, though wondering whether customers so eager for bargains will pay a bit more for better security, such as PCI-compliant computing clouds.

But the high-tech industry, re-inventing itself in virtualization, does seem to be betting that customers will demand the means to extend security controls from the enterprise into the cloud. And this idea is triggering a new era of creative change among long-established security vendors.

At RSA this week, CA announced how its Identity Manager product can be used with Salesforce's Sales Cloud 2 service so CA customers can automatically provision and de-provision access and privileges. And Cisco outlined a product-development strategy for mobile and cloud-based security, with products expected in the second quarter.

Trend Micro, known for its antimalware software and services, is making a leap into the area of encryption, primarily to come up with new ways to protect customer data as it transits the Internet and ends up stored in a cloud-computing facility.

Encryption vendor PGP is also preparing to provide a new range of options for cloud-based computing, says PGP president and CEO, Phil Dunkelberger. He argues the public-key encryption model favored by PGP will triumph over any private-key models. A third vendor, McAfee, is also expected to make cloud-security announcements in the next week or so.

Some vendors, though, are having to admit their cloud-computing security efforts are dragging on. VMware and RSA, for instance, at a press conference this week had to acknowledge that the initiative they had announced at RSA in 2009 to integrate the RSA data-loss prevention (DLP) technology into VMware's vSphere product had not progressed as quickly as expected, and it remains uncertain whether a DLP integrated vSphere will be out by year-end.



March 4, 2010

How cybercriminals invade social networks, companies

By Byron Acohido, USA TODAY

SAN FRANCISCO — "Hey Alice, look at the pics I took of us last weekend at the picnic. Bob"

That Facebook message, sent last fall between co-workers at a large U.S. financial firm, rang true enough. Alice had, in fact, attended a picnic with Bob, who mentioned the outing on his Facebook profile page.

So Alice clicked on the accompanying Web link, expecting to see Bob's photos. But the message had come from thieves who had hijacked Bob's Facebook account. And the link carried an infection. With a click of her mouse, Alice let the attackers usurp control of her Facebook account and company laptop. Later, they used Alice's company logon to slip deep inside the financial firm's network, where they roamed for weeks. They had managed to grab control of two servers, and were probing deeper, when they were detected.

Intrusions like this one — investigated by network infrastructure provider Terremark — can expose a company to theft of its most sensitive data. Such attacks illustrate a dramatic shift underway in the Internet underground. Cybercriminals are moving aggressively to take advantage of an unanticipated chink in corporate defenses: the use of social networks in workplace settings. They are taking tricks honed in the spamming world and adapting them to what's driving the growth of social networks: speed and openness of individuals communicating on the Internet.

"Social networks provide a rich repository of information cybercriminals can use to refine their phishing attacks," says Chris Day, Terremark's chief security architect.

This shift is gathering steam, tech security analysts say. One sign: The volume of spam and phishing scams — like the "LOL is this you?" viral messages sweeping through Twitter — more than doubled in the fourth quarter of 2009 compared with the same period in 2008, according to IBM's X-Force security research team. Such "phishing" lures — designed to trick you into clicking on an infectious Web link — are flooding e-mail inboxes, as well as social-network messages and postings, at unprecedented levels.

An infected PC, referred to as a "bot," gets slotted into a network of thousands of other bots. These "botnets" then are directed to execute all forms of cybercrime, from petty scams to cyberespionage. On Tuesday, authorities in Spain announced the breakup of a massive botnet, called Mariposa, comprising more than 12 million infected PCs in 190 countries.

Three Spanish citizens with no prior criminal records were arrested. Panda Security, of Bilbao, Spain, helped track down the alleged ringleader, who authorities say has been spreading infected links for about a year, mainly via Microsoft's free MSN instant messenger service.

"It became too big and too noticeable," says Pedro Bustamante, senior researcher at Panda Security. "They would have been smarter to stay under the radar."

What happened to Bob and Alice, the picnickers at the financial firm, illustrates how social networks help facilitate targeted attacks. As a rule, tech-security firms investigate breaches under non-disclosure agreements. Honoring such a policy, Terremark used pseudonyms for the affected employees in supplying USA TODAY with details of what happened at the financial institution.

Investigators increasingly find large botnets running inside corporate networks, where they can be particularly difficult to root out or disable. "Social networks represent a vehicle to distribute malicious programs in ways that are not easily blocked," says Tom Cross, IBM X-Force Manager.

Koobface gold mine

The attacks run the gamut. In just four weeks earlier this year, one band of low-level cyberthieves, known in security circles as the Kneber gang, pilfered 68,000 account logons from 2,411 companies, including user names and passwords for 3,644 Facebook accounts. Active since late 2008, the Kneber gang has probably cracked into "a much higher number" of companies, says Tim Belcher, CTO of security firm NetWitness, which rooted out one of the gang's storage computers.

"Every network we see today has a significant problem with some form of organized threat," Belcher says. The Kneber gang "happened to focus on collecting as many network-access credentials as possible."

Stolen credentials flow into eBay-like hacking forums where a batch of 1,000 Facebook user name and password pairs, guaranteed valid, sells for $75 to $200, depending on the number of friends tied to the accounts, says Sean-Paul Correll, researcher at Panda Security. From each account, cyberscammers can scoop up e-mail addresses, contact lists, birth dates, hometowns, mothers' maiden names, photos and recent gossip — all useful for targeting specific victims and turning his or her PC into an obedient bot, Correll says.

On the high end, the Koobface worm, initially set loose 19 months ago, continues to increase in sophistication as it spreads through Facebook, Twitter, MySpace and other social networks. At its peak last August, more than 1 million Koobface-infected PCs inside North American companies were taking instructions from criminal controllers to carry out typical botnet criminal activities, says Gunter Ollmann, vice president of research at security firm Damballa.

In another measure of Koobface's ubiquity, Kaspersky Labs estimates that there are 500,000 Koobface-controlled PCs active on the Internet on an average day, 40% of which are in the U.S., 15% in Germany and the rest scattered through 31 other nations. "The personal information employees post day-by-day on Facebook is turning out to be a real gold mine," says Stefan Tanase, a Kaspersky Lab senior researcher.

Facebook, the dominant social network, with 400 million members and therefore the biggest target, says recent partnerships with Microsoft and security firm McAfee to filter malicious programs help keep compromised accounts to a small percentage. "We are constantly working to improve complex systems that quickly detect and block suspicious activity, delete malicious links and help people restore access to their accounts," says spokesman Simon Axten.

Still, social networks have grown popular because they foster open communication among friends and acquaintances, which plays into the bad guys' hands, says Eva Chen, CEO of anti-virus firm Trend Micro.

"These new communication platforms are where people go, so that's where the hackers are going," Chen says.

Meanwhile, discussions about restricting workplace use of social networks and training employees to be more circumspect are just beginning to percolate at venues like the big tech security trade show here this week sponsored by RSA, the security division of EMC. "Most larger businesses simply ask employees to watch their time spent on social-networking sites," Ollmann says.

A noisy attack

Each infected PC in a corporate network represents a potential path to valuable intellectual property, such as customer lists, patents or strategic documents. That's what the attackers who breached Google and 30 other tech, media, defense and financial companies in January were after. Those attacks — referred to in security circles as Operation Aurora — very likely were initiated by faked friendly messages sent to specific senior employees at the targeted companies, says George Kurtz, McAfee's chief technology officer.

The attack on the picnicking co-workers at the financial firm illustrates how targeted attacks work. Last fall, attackers somehow got access to Bob's Facebook account, logged into it, grabbed his contact list of 50 to 60 friends and began manually reviewing messages and postings on his profile page. Noting discussions about a recent picnic, the attackers next sent individual messages, purporting to carry a link to picnic photos, to about a dozen of Bob's closest Facebook friends, including Alice. The link in each message led to a malicious executable file, a small computer program.

Upon clicking on the bad file, Alice unknowingly downloaded a rudimentary keystroke logger, a program designed to save everything she typed at her keyboard and, once an hour, send a text file of her keystrokes to a free Gmail account controlled by the attacker. The keystroke logger was of a type that is widely available for free on the Internet.

The attackers reviewed the hourly keystroke reports from Alice's laptop and took note when she logged into a virtual private network account to access her company's network. With her username and password, the attackers logged on to the financial firm's network and roamed around it for two weeks.

First they ran a program, called a port scan, to map out key network connection points. Next they systematically scanned all of the company's computer servers looking for any that were not current on Windows security patches. Companies often leave servers unpatched, relying on perimeter firewalls to keep intruders at bay. The attackers eventually found a vulnerable server, and breached it, gaining a foothold to go deeper.

A short time later, the attackers were discovered and cut off. One of Bob's Facebook friends mentioned to Bob that the picnic photos he had sent had failed to render. That raised suspicions. A technician took a closer look at daily logs of data traffic on the company's network and spotted the vulnerability scans.

Terremark's Day says two or three collaborators, each with different skill sets, most likely worked together to pull off the attack. "They were noisy about how they went about this," Day says. "Had they been quieter they would've gotten much further."


Also @

ABC News
The Arizona Republic
Consumer Action
The Daily Record
DMA Legislative Action Center
The Last Watchdog
Terremark Worldwide












March 3, 2010

Trend Micro's Rik Ferguson reports on Adware Spyware Detective

Whilst the RSA Conference 2010 is going on in San Francisco, Rik Ferguson, Trend Micro's security spokesperson, has been expounding on how criminals are battling against the rising tide of anti-malware technologies in the marketplace.

According to Ferguson, whilst the anti-malware industry is still working on agreeing standards for effective product testing, the criminals already know it's no longer all about the files.

"A few years ago, criminals figured out that traditional anti-malware solutions could be overcome by a surge in the volume of malicious files. If malware code could be rolled often enough, then by the time the security companies had a pattern file available it would already be out of date", he said.

"This realisation is responsible for the exponential growth in malware we have seen over the past three or so years, a growth that has put a serious dent in overall detection rates of file-centric security solutions", he added.

Ferguson went on to say that one of the services that has grown up around this explosion of variants is on-demand file scanning against multiple security vendors.

"Of course it was always going to happen, but the criminals have seen the industry's response to the threat of volume and their service offerings are evolving to cope", he said in his Countermeasures blog.

"Any decent security solution now will include detection for the threat as a whole, examining not only the malicious file, but the source email or the destination website or IP to get a holistic view", he added.

As a result of this, Ferguson argues that it is starting to become important for criminals to know not only when their file is being detected, but also when their web presence for distribution of 'Command & Control' systems gets blacklisted, and they need that information in real time.

"Enter AdwareSpywareDetective, a file scanning service that has been online since October of 2009", he said, noting that a colleague pointed out that the service has evolved since its launch.

Now, he says, not only do they offer file scanning by subscription but will also include Domain, IP and URL scanning against sixteen different databases, including ZeuS Tracker, Malware Domain List, Spamhaus, Google Safe Browsing and Microsoft SmartScreen.

Interestingly, Infosecurity notes that the service has recently reported it has made its 500,000th scan, using 27 vendor technologies and 16 domain, IP or web databases, and has received positive reviews from Cnet and Softpedia.




March 1, 2010

RSA 2010: Trend Micro on the impact of cloud security services

CTO Raimund Genes reflects on side effects of Smart Protection Network

Trend Micro chief technology officer Raimund Genes talks about some of the issues that have arisen in the wake of the rollout of the company's Smart Protection Network.

(Video interview with Shaun Nichols. Running time: 2:58)




March 1, 2010

Event Coverage: RSA 2010 Conference

Tom Field, editorial director of Information Security Media Group, interviews Raimund Genes, chief technology officer of Trend Micro, at RSA 2010. (Running time: 3:08)



PC World

March 4, 2010

FBI Embeds Cyber-investigators in Ukraine, Estonia

By Robert McMillan, IDG News Service

Hoping to catch cybercrooks, the U.S. Federal Bureau of Investigation has begun embedding agents with law enforcement agencies in Estonia, the Ukraine and the Netherlands.

Over the past few months, the agents have begun working hand in hand with local police to help crack tough international cybercrime investigations, said Jeffrey Troy, chief of the FBI's Cyber Division, in an interview at the RSA Conference in San Francisco. Because virtually all cybercrime crosses international borders, this type of cooperation is crucial, law enforcement experts say.

The embedding was inspired by a successful operation in Romania, begun in 2006, which led to close to 100 arrests. "We looked at that and said, 'Where else can we do this,'" said Troy, who heads up FBI cybercrime operations.

The FBI has a history of embedding its agents with international police. In the 1980s, U.S. agents worked with Italian law enforcement to crack mob cases that involved the two countries. "This is not a new model, but it's certainly new to cyber," Troy said.

Troy wouldn't comment on what cases the agents were working, but he said, "those countries were selected for a reason."

Currently, there is one embedded agent in each of the three countries, and one remains in Romania, Troy said.

Security experts say the Ukraine is home to a large number of online scammers and the creators of bank-account-emptying malware such as the Zeus Trojan. "Ukraine's a huge problem," said Paul Ferguson, a researcher with Trend Micro. "I would rank it above Russia right now."

Traditionally, securing law enforcement cooperation with Ukrainian police has been a problem, however. "It's encouraging that they have someone embedded there," Ferguson said. "I hope it's more than just a token presence."

Ferguson had no comment on why the FBI might be in Estonia, but his company has linked a widespread rogue-antivirus operation to an unnamed Estonian company that displayed 1.8 million scam "You are infected" messages to Web surfers in July 2009.

The third FBI agent is stationed in The Hague, the Netherlands.

Back in the U.S., agents have also created an in-house botnet expert group of technically savvy agents who can help the FBI's local law enforcement teams investigate botnet-related cases, Troy said. Now more than ever, scammers are using botnet-infected computers to steal banking credentials from victims and move that money offshore.

Recently, the FBI helped shut down a massive botnet, called Mariposa, which had infected millions of computers worldwide.

Troy called botnets "a significant threat."

"There are zillions of botnets out there," he said.


Internet Evolution

March 3, 2010

CISO's Dilemma: Security, Compliance at Odds

Written by Michael Singer

Is your enterprise up to speed on its compliance for security? How many certifications and checkboxes does it take to secure a network? Do certifications really make your business safer?

These are questions recently asked by Lance Miller, a principal at security site Infosec Island, and ones that I also posed this week while attending the RSA Security Inc. (Nasdaq: EMC) conference in San Francisco.

Security compliance regulations (PCI DSS, HIPAA, SOX) are valuable in the enterprise. They identify best practices and set standards. They're especially helpful these days since data theft and other unauthorized use of business information have increased. But the benefits of a compliance program cannot be realized unless security is practiced every day. Unfortunately, most companies focus on getting compliant for business reasons rather than staying compliant for security reasons.

"People are more concerned about job security than network security," Miller says. "It is really that simple. People want to be able to check a box to satisfy a compliance requirement, and in turn satisfy the office of the CFO and the outside auditor. There is no other sector where this is more true than in the financial and healthcare worlds -- two places where you would hope that it is just the opposite."

If you think Miller is being flippant, take the Heartland breach as an example. Visa USA and the PCI Security Standards Council maintained that no compliant company has ever been breached; therefore Heartland could not have been compliant. Yet, Heartland had just been certified as compliant at about the same time the breach was alleged to occur.

"Security always, always, always requires human involvement in the testing. Security goes far beyond checking items off a list. Scans don't cut it. Compliance means your auditor is happy, not a secure network," Miller says.

The problem is even more pronounced outside the United States. Trend Micro CTO Raimund Genes says his Japanese customers only require a signoff that no personal information will be shared outside the firewall.

"We of course take additional security measures behind the scenes to ensure data is not disappearing from the customer's network, and we advise companies on how to prevent unnecessary data loss," Genes says. "But it's frightening that this is more about ROI and TCO than being secure."

But security and compliance don't have to clash. Business processes and policies are one way to ensure compliance is not just a paper tiger. Gartner Inc. recommends that CISOs and IT leaders follow four major phases to implement effective information security program management:

• Strategize and plan

Identify and prioritize security requirements, based on business objectives and the threat and risk environment. Consider compliance requirements. Establish accountability for security. Develop a security program aligned with the needs of the business.

• Assess current state

Conduct a rigorous assessment of the maturity and efficacy of the enterprise's existing security program and security architecture.

• Implement

Create and enforce effective security policies. Ensure that appropriate security technologies are deployed. Devise risk assessment and control processes.

• Operate and evolve

Conduct periodic reviews of potential risks and vulnerabilities with business process and information asset owners and other stakeholders. Follow through with communications plans to drive security awareness enterprise wide.

If CISOs are to align security policy and controls with business requirements, they need to balance them with physical tests and establish clear accountability for information security. Otherwise executives will have their compliance blinders on when looking at their networks, which is the least effective information security program you can invest in.

— Michael Singer, Senior Editor at Internet Evolution, is focused on executive (Executive Clan) and midmarket (Midmarket Clan) issues.



Microsoft Certified Professional Magazine

March 2, 2010

Security Watch

All Eyes on RSA

The annual security conference revisits some familiar topics. Plus, Microsoft issues IE-centric security advisory; educating enterprises about Windows 7 security.

By Jabulani Leffall

It's time for the RSA Conference once again, and everybody who's anybody in IT security is flocking to (or is already at) the Moscone Center in San Francisco. Product launches, fraud predictions and workshops abound as they do every year, but there are some themes to look out for at this year's confab.

The most prominent involves implementing more nimble IT security programs. Cloud security and an offshoot of Software as a Service that many IT security evangelists are calling "security as a service" are two of the bigger discussions on this year's agenda. Already, security big shots like Symantec, McAfee and Trend Micro are offering hosted security options, but even well-respected smaller players like Kaspersky Lab and Sophos are getting in on the action.

Web-based threats will also be discussed in great detail at various RSA workshops this week, with an emphasis on which browser -- Internet Explorer, Chrome, Firefox, Safari -- is the most secure.

And then, of course, there are the evergreen issues: securing social media and mobile computing, the challenges and changes in IT security compliance, and password management -- always an enterprise computing favorite.

IE the Focus of New Microsoft Advisory

Microsoft is having more third-party disclosure problems. Late Monday, Microsoft issued yet another security advisory that has implications for the ubiquitous IE browser. However, this time the vulnerability is for Windows 2000, XP, and Windows Server 2003 through the (and language is important here) use of IE.

The advisory states that the bug "exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user."

Microsoft stressed that Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 aren't affected by this issue.

Exec: Microsoft Should Educate IT in Windows 7

Philip Lieberman's company, Lieberman Software, is one of many hawking products at this week's RSA Conference. For its part, Lieberman Software will launch a new rev of its ID management product called Enterprise Random Password Manager (ERPM).

Lieberman said ERPM works best when sitting on a secure enterprise OS such as Windows 7. But one of his main gripes with Microsoft's latest OS isn't with the OS itself, but with the fact that he thinks Microsoft should be more proactive in getting the word out about how good Windows 7's security is.

"Unfortunately, Microsoft has done a poor job helping large IT shops understand that the bad, old ways of doing things are no longer necessary," Lieberman said. "Most of the large IT shops we talk to still do not understand the value proposition of Windows 7, nor do they understand what Microsoft has done with Server 2008 R2."

This is tragic, Lieberman said, because "Microsoft has done a superb job in simplifying such technologies as PKI and VPNs in this new generation of products, all at a ridiculously low price compared to the costs of running an XP-Server 2003 shop."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.



NBC Bay Area

March 3, 2010

Feeling Insecure? Technology Can Help

Silicon Valley security on display


Technology trends will come and go, but cybersecurity has, and will, stick with us. From massive terrorist threats, to just making sure your 'tween isn't meeting the wrong people on Facebook, if you have a computer, you're in the security game.

Which explains why, no matter what's going on with the overall market, your Symantec (SYMC) and McAfee (MFE) shares have done pretty well through the years. These companies consistently grow, hire, and acquire other smaller security firms. It's an industry of intense competition, and with so many hackers, bots, and viruses cruising through the virtual world, they're always busy.

To get a close-up look at what's coming to your office or living room when it comes to security, we hit the annual RSA Security Conference in San Francisco. Companies large and small from all over the world are on the show floor, demonstrating their latest software and hardware, aimed at stopping cybercriminals in their tracks. The White House is outlining its cybersecurity plan here, Microsoft (MSFT) is trying to convince developers that its newest Windows is safe, and Intel (INTC) and VMware (VMW), a pair of Silicon Valley neighbors, are showing off their security collaboration.

It's big business, and it's more necessary every year. Now, with our phones doubling as our computers, mobile security is hot. If you've ever been hit with a web virus, a Trojan Horse, or just had your Twitter account hacked into, you've felt the pain. Companies like Trend Micro and Cisco Systems (CSCO) are touting mobile security, selling software to keep your phone as safe as possible.

One of the coolest things here? The startup competition, where new security companies showed off for the judges. It's called "Most Innovative Company at RSA 2010." Yes, their ideas were more creative. Among the companies, names like Hacktics, and Catbird. Among the prizes? Millions of dollars in funding from VCs, looking for the next cybersecurity hit.

Further proof that tech security has a future, which is good news, because we're all still buying gadgets.




March 4, 2010

RSA Conference pulls in UK security crowd

By Doug Woodburn

Large swathes of the UK security channel converged on San Francisco this week, meaning one thing only: it was RSA Conference time again.

Resellers and distributors bound for the five-day junket agreed attendance this year was vital to remain one step ahead in a bleak market.

Since 1991, the RSA Conference has grown into a behemoth, able to suck in end users and vendors from around the world. This year, more than 300 exhibitors were touting their wares and end users were able to select between some 250 sessions.

While UK security channel players are already gearing up for Infosecurity in April, those who made the 26-hour round trip to RSA Conference were convinced it offers several advantages over its European competitor.

The most obvious is that it is viewed by many vendors as the best place to debut new technology.

Dave Ellis, e-security director at distributor Computerlinks, who attended RSA Conference for the first time this year, said: "The US market is slightly ahead of Europe.

"Vendors use RSA as a springboard to launch new technologies, so it can give UK resellers a feel of what is happening before it occurs in Europe."

Mike Burkitt, technical director at Launchpad Europe, which helps tech startups enter the European market, agreed. "This is the kind of show resellers have to attend to mingle with their peers and hopefully return with leads, contacts and some technology they can be first to market with in the UK channel," he said.

Innovation rewarded

"One of Launchpad's partners, Israeli outfit Hacktics, is one of 10 finalists in the contest to find RSA's most innovative company," said Burkitt.

"There are quite a few Israeli companies that do not come to Infosec as it clashes with a religious holiday, or they do not feel they are getting bang for their buck," he explained.

Burkitt added that the event held a special attraction this year.

"To overcome a shrinking market you have to be innovative," he said. "The people responsible for security at end users and technical experts in the channel really have to be ahead of the game as it is reactive technology."

A different theme has been chosen every year since 1995 and this time organisers went Egyptian as the influence of the Rosetta Stone on deciphering hieroglyphs was celebrated.

And proponents of the show argued its ability to offer rare air time with end users would provide important clues on how to unravel the customer-spending riddle.

As one of the UK's larger security integrators, MIS regularly sends delegations to RSA Conference, but was unable to attend this year.

Etienne Greeff, director of MIS, said: "It was just a timing thing. Security resellers can become insular: they tend to spend too much time with other resellers and vendors and do not get to hear about security issues from an end user point of view. That is what RSA is about."

Burkitt agreed: "At Infosec and Storage Expo you meet people on the floor and end users will typically take a day off. At the American shows customers usually take three days off."

However, not all UK channel players see the need to cross eight time zones to get the security market lowdown.

Rob Gupta, managing director of Trend Micro and Juniper partner Secon, said: "We are not on the hunt for new manufacturers; we want to do more with our existing ones. It is important to see what the market is doing and what trends are out there, but a lot of that you can do locally."

Intermediary worth

Ahead of the show, Launchpad conducted a poll of more than 100 users who underlined just how important intermediaries are to startup vendors.

Three quarters of the mainly US and UK respondents said they had consulted with some kind of technical advisor in 2009, whether that is a consultant, reseller or systems integrator.

"Regardless of how innovative your technology may be, vendors must befriend the channel community to succeed in new markets," said Burkitt.

The research also found that security was respondents' top priority when considering cloud vendors.

Ellis said: "Security as a service will be a key theme at RSA Conference and data leakage prevention will still be an important one."

MSP Mentor

March 1, 2010

Security as a Service Accelerates at RSA Conference

By Joe Panettieri

As the RSA Conference kicks off today in San Francisco, much of the buzz involves security as a service. But here’s the challenge: Nearly 80 percent of top managed services providers already offer some form of managed security to their customers, according to our third-annual MSPmentor 100 results. So where can MSPs go next with managed security? Here are some clues.

Sure, entrenched players like Symantec, McAfee and Trend Micro have a range of SaaS and hosted options that frequently involve channel partners. But upstarts like Kaspersky Lab and Sophos are preparing more recurring revenue opportunities for MSPs. During a recent partner conference in the Dominican Republic, Kaspersky Lab’s Nancy Reynolds offered some clues about the recurring revenue efforts. Plus, there was growing chatter about Kaspersky Lab potentially launching a small business SaaS or hosted security service later this year.

Meanwhile, Sophos starts its next fiscal year in April 2010. At that point, I think it’s safe to expect Channel Chief Chris Doggett to pull back the curtain on the security company’s plans for MSPs.

Also of note: Identity management services seem to be shifting to the cloud. It’s safe to expect the Novell Cloud Security Service, still in beta mode, to grab some of the RSA Conference spotlight. And watch for partner moves involving Websense and Juniper Networks.

One other key trend I’ll be exploring: Two-factor authentication. A few weeks ago, I questioned whether VARs and MSPs could set up their own two-factor authentication services (and recurring revenue) for small businesses. Since that time, a few readers have sent over examples of success. I plan to blog about them — and other RSA Conference trends — in the days ahead.



Trend Micro Mentions

Wireless News

March 5, 2010 Friday

Everything Channel's CRN Unveils 2010 Security Superstars

Everything Channel, a technology marketing and sales solutions company, announced it has named its 2010 CRN Security Superstars.

The list created by Everything Channel editorial includes thinkers, researchers and executives in the information security industry.

The 2010 CRN Security Superstars includes:

-- Ed Amoroso, SVP and Chief Security Officer, AT&T

-- Lane Bess, President, CEO, Palo Alto Networks

-- Jim Bidzos, VeriSign Founder, Chairman of the Board, Executive Chairman

-- Marvin Blough, VP, Worldwide, SonicWall

-- Eva Chen, CEO, Trend Micro

-- Graham Cluley, Senior Technology Consultant, Sophos

-- Philippe Courtot, CEO, Qualys

-- Art Coviello, CEO, RSA

-- David DeWalt, CEO, McAfee

-- Phil Dunkelberger, CEO, PGP

-- Paul Ferguson, Advanced Threat Researcher, Trend Micro

-- Gary Fish, Founder, CEO, Fishnet Security

-- Ben Greenbaum, Senior Research Manager, Symantec

-- Dave Hansen, Corporate SVP, GM, Security and Compliance Business Unit, CA

-- Paul Henry, Security and Forensic Analyst, Lumension

-- Christofer Hoff, Director, Cloud and Virtualization Solutions, Data Center Solutions, Cisco

-- Tracy Hulver, Executive VP, netforensics

-- Matt Hynes, VP, Worldwide Channel Sales, Websense

-- Paul Judge, VP of Cloud Services and Chief Research Officer, Barracuda Networks

-- Wolfgang Kandek, CTO, Qualys

-- Eugene Kaspersky, Founder and CEO, Kaspersky Lab

-- Steve Lipner, Senior Director of Security Engineering, Microsoft

-- Derek Manky, Project Manager for Security and Threat Research, Fortinet

-- Steve Manzuik, Senior Manager of Security Research, Juniper Networks

-- David Marcus, Director, Security Research, Communications, McAfee Avert Labs

-- Matt Medeiros, CEO, SonicWall

-- Jason Miller, Data and Security Team Leader, Shavlik

-- Stephen Orenberg, President of Kaspersky Lab for the Americas

-- David Perry, Director of Global Education, Trend Micro

-- Fernando Quintero, VP of North American Channel, McAfee

-- Don Retallack, Lead Analyst, Directions on Microsoft

-- Nancy Reynolds, SVP, Sales, Kaspersky Lab Americas

-- Marty Roesch, CTO and Founder of SourceFire, creator of Snort IDS

-- Mark Romano, Director of Global Channel Marketing, WatchGuard

-- Enrique Salem, CEO, Symantec

-- Howard Schmidt, Federal Cybersecurity Czar

-- Roel Schouwenberg, Senior Antivirus Researcher, Kaspersky Lab

-- Gil Shwed, CEO, Check Point

-- David Sockol, President, eMagined Security

-- Richard Stiennon, Security Expert, Industry Analyst, IT-Harvest

-- Andrew Storms, Director of Security Operations, nCircle

-- Hugh Thompson, Application Security Expert

-- Roger Thompson, Chief Research Officer, AVG

-- Alex Thurber, VP of Worldwide Channel Operations, McAfee

-- Peter Tippett, VP, Research and Intelligence, Verizon Business Security Solutions

-- Steve Trilling, Senior VP of Security Technology Response, Symantec

-- Mike Valentine, VP, Americas Sales, Support, Fortinet

-- Vincent Weafer, VP, Symantec Security Response

-- Ken Xie, Founder, President, CEO, Fortinet

-- Michael Xie, Founder, CTO, VP, Engineering, Fortinet

The 2010 CRN Security Visionaries include:

-- Steve Bellovin

-- Bill Cheswick

-- Dorothy Denning

-- Whitfield Diffie

-- Dan Geer

-- Peter G. Neumann

-- Marcus Ranum

-- Stephen Northcutt, Alan Paller, Marcus Sachs

-- Bruce Schneier

-- Eugene Spafford

The 2010 CRN Security Researchers are:

-- Dino Dai Zovi

-- Kevin Finisterre

-- Landon Fuller

-- Robert Graham

-- Jeremiah Grossman

-- Larry Highsmith

-- Billy Hoffman

-- Mikko Hypponen

-- Dan Kaminsky

-- Paul Kocher

-- Nate Lawson

-- David Litchfield

-- Charles Miller

-- Jeff Moss

-- Jose Nazario

-- Joanna Rutkowska

"According to the 2010 CRN State of the Market survey, security was the top technology that solution providers were expected to add this year to grow their bottom line," said Kelley Damore, VP, Editorial Director, Everything Channel. "Protecting networks and data is a business challenge for companies large and small and a huge opportunity for the solution provider community."



March 1, 2010

Google signs up for Cloud Security Alliance

Google has joined the Cloud Security Alliance, plugging a major gap in the organisation's membership.

The search giant, which announced its membership on Friday, was one of three cloud-computing leaders missing when the trade organisation launched in April 2009. Of the other two, Microsoft has since signed up, but Amazon has not.

The Cloud Security Alliance (CSA) is dedicated to promoting best practices for and awareness of cloud-computing security, which has emerged as a potential barrier to adoption among businesses. It counts Cisco, Dell, Novell, CA, VMware and RSA among its 34 corporate members.

Writing on Google's enterprise blog, Google's senior product marketing manager Adam Swidler said that the alliance is an "important part of an ecosystem that works to increase transparency, lower risks and promote independent research".

"The CSA's focus on security best practices offers valuable information to organisations looking to move to the cloud. We look forward to providing ongoing education about cloud computing and its value to the organisations that use it," Swidler wrote.

The signing up of Google is a landmark for the alliance, which is trying to expand its presence globally. Last week the CSA tried to stimulate discussion of a possible certification for cloud security, which would set common standards for suppliers. However, that is also the aim of a project launched in February to set a Common Assurance Metric for the cloud, under the guidance of a consortium that includes Google, Microsoft, Amazon and other members of the CSA.

Security in the cloud remains an issue for enterprises concerned about how the use of cloud services affects data protection and compliance. Security vendor Trend Micro has already warned of new threats emerging from the adoption of cloud computing, while Enisa, the EU agency responsible for promoting IT security good practice, has warned businesses to exercise caution in the procurement of cloud services.

In December, the CSA updated its guidance on the areas of security focus organisations should take. One of the major updates to the guidance was to include experience gained from actual deployments over the last six months.




March 1, 2010

Website operators 'must follow basic IT security steps'

Internet users who run websites should ensure they follow some straightforward guidelines in order to make them as secure as possible, it has been suggested.

Paul Baccas, a senior threat analyst at encryption firm SophosLabs, explained that the security of a hosting server is more important to a site's security than its content.

In addition, he urged administrators to follow a number of "established best practices" in order to stave off the attentions of hackers, malware and other e-threats.

"Secure and hard-to-crack passwords, regular and up-to-date patching, and secure coding to prevent exploitation [are all advisable]," he said.

"Having service level agreements with your hosting provider and suppliers of third-party content that mention security and response to hacking is also a good step."

Mr Baccas also explained that it would be a mistake for internet users to believe that simple-looking websites pose fewer security risks than their more complex counterparts.

Last week, Trend Micro suggested that social networking sites are an ideal target for cybercriminals.



CIO Update

March 3, 2010

IT Strategy - Six Endpoint Security Vendors You Need to Know About

By Matt Sarrel

Many organizations are not only facing increased security risks but also increased regulatory compliance such as that of HIPAA or PCI, both of which mandate that certain security measures be taken. These two factors result in increased attention being paid to security on all levels and all sizes of organizations. In addition, as security plays a greater role in IT purchasing and implementation decisions, there is an increase in centralized management and reporting to provide a holistic picture of corporate information security.

Endpoint security products are typically software suites that include anti-malware (anti-virus, anti-spyware), desktop firewall, host-based intrusion prevention (HIPS), device control, and application control features. The software runs on desktops, servers, laptops, and increasingly on handhelds such as Blackberries and Windows mobile devices. These products also feature a central management console that can be used for reporting and policy updates.

The general trend in the endpoint security market is to consolidate many separate security software products into one suite that can be centrally managed.

Can the market keep pace with the threats? The majority of spyware is propagated by spam or phishing emails pumped out by botnets, or by users unwittingly accessing webpages that automatically download malicious script files to exploit OS and application vulnerabilities and plant malware. According to Cyveillance, over 50% of today’s web-borne malware goes undetected by today’s best-selling AV products.

My company, Sarrel Group, conducted an in-depth competitive analysis of endpoint security products offered by Cisco, McAfee, Trend Micro, eEye Digital Security, and Symantec in February 2008. Overall, we are pleased with recent advances in the market, particularly in increasing the robustness of solutions and adding greater centralized management and reporting capabilities.

As a result of the declining effectiveness of traditional AV solutions, configuration management and application white-listing/blacklisting are taking the endpoint protection market by storm. IT departments are sick of having to push signature updates with increasing frequency. Users are sick of suffering through decreased system performance caused by traditional AV products getting more and more bloated. According to a report from Forrester Research, “with the rate of new malware emerging, soon the updating signature approach will no longer be fast enough or scalable enough. It is without question the time to look for alternative approaches.”

Application white-listing, the process of protecting systems by preventing installation and execution of unapproved applications, is gaining momentum. The technology has been around for about 10 years but was traditionally considered too intrusive to be deployed to the general end-user population. White-listing is, in some ways, the opposite of traditional AV: instead of allowing anything to run except the known bad, white-listing only allows the known good. This not only prevents stealthy malware installation, but installation of any application not pre-approved by IT.

While application white-listing may be a cumbersome solution for power users who require multiple applications, it is an excellent fit for environments that can be locked down without impeding users. The average user would be perfectly happy with only business productivity applications such as MS Office, an email client such as MS Outlook, and a Web browser such as Firefox or Internet Explorer. In retail, there is no reason for a point-of-sale system to run anything other than POS software, so lock that puppy down with application white-listing. The same goes for call centers where employees only require access to a few Web-based apps.

Just like traditional AV apps, application white-listing is not a perfect solution. This is because white-listed applications can still be exploited. For example, Internet Explorer vulnerabilities can be exploited in memory. For this reason, defense-in-depth—combining AV scanning, HIPS, white-listing, vulnerability assessment, and patch management to protect endpoints—is the strongest solution to current and future malware problems.

Sarrel’s Vendor Short List - Current Leaders

Endpoint Protection 11 - Symantec, www.symantec.com

No discussion of endpoint protection would be complete without mentioning Symantec. EPP 11, as the product is affectionately called, wraps anti-virus, anti-spyware, firewall, HIPS, and device and application control in a single endpoint agent. The first iteration of EPP 11 suffered from client performance issues, but Symantec has streamlined processes to offer first-rate protection more efficiently. The client agent is highly configurable via the centralized management console. Security policy can be applied by user, group, or machine type, giving you the ability to dictate, for example, that laptops can only connect to secured access points. Administrators can also build application white-lists and blacklists.

VirusScan Enterprise - McAfee, www.mcafee.com

McAfee offers a slew of products that can be combined to offer solid endpoint protection. These include McAfee AntiSpyware Enterprise, McAfee Host Intrusion Prevention, McAfee Network Access Control, McAfee Policy Auditor, McAfee VirusScan, and McAfee Application Control. This allows for a flexible approach to endpoint protection, but also creates unnecessary complexity. Everything gets managed centrally from McAfee ePolicy Orchestrator 4.5. I find the ePO interface to be unintuitive, but McAfee has built a loyal customer base over the years so obviously someone likes it. Application control is a mature application white-listing module that ensures only trusted software can run on endpoints.

Trend Micro Enterprise Security Platform - Trend Micro, us.trendmicro.com

The success of Trend Micro Enterprise Security solutions is driven by the Smart Protection Network—a Cloud-client infrastructure that combines reputation technology, feedback loops, and research from TrendLabs to deliver real-time protection from today’s blended threats. Endpoint protection is available in several separate modules that can be clustered together to provide anti-malware, HIPS, DLP, web threat protection, firewall, and patch and power management. Everything can be managed from a central Web-based console. Interestingly, Trend Micro is the only company listed here that doesn’t include application white-listing features.

Sarrel’s Vendor Short List - Three Disruptors

Retina CS - eEye Digital Security, www.eeye.com

eEye Digital Security has been a force in the vulnerability assessment market for years. The combination of vulnerability assessment, application white-listing, configuration management, anti-virus, and HIPS, plus the snazzy new Flash-based management interface for Retina CS, causes me to reclassify eEye as a disruptor rather than a traditional AV vendor. This is a single solution that is comprehensive enough to create its own defense-in-depth strategy.

Bouncer - CoreTrace, www.coretrace.com

The principle behind CoreTrace’s Bouncer is to only allow known good applications to run on endpoints and to do this in a way that is less obtrusive to users and easier to centrally manage by IT staff. The solution is being quickly adopted in the electrical utility space to secure control systems. The solution is rolled out as a 2u rack-mounted appliance that is managed via RDP over the network. A key component of Bouncer’s success is TrustedChange, a feature which allows IT departments to predefine conditions under which new applications can be automatically white-listed. This eases the administrative burden of implementing an application white-listing solution.

FireEye Malware Protection System - FireEye, www.fireeye.com

The FireEye Malware Protection System is not directly an endpoint security solution, but the technology that it uses to protect your endpoints makes it a disruptor that should be on your radar. A large and growing threat to endpoint security is botnet related—bots download malware to infect local machines and then report back to a command and control infrastructure where they can be used to infect other machines or send spam and phishing attacks. The FireEye Malware Protection System inspects network traffic to capture suspicious packets and reassemble them for inspection and evaluation. Attacks are then replayed in virtual machines to determine whether they should be blocked or not. So, it is live malware testing in a simulated endpoint environment running on a network appliance. This makes it a strong complement to any of the other endpoint security products mentioned here.

Whichever solution or solutions you choose to run may not be as important as simply choosing to run a solution. The different approaches to fighting malware on the market today may or may not work for your business. And, as much as we’d all like to have a single solution with a single management interface for protecting endpoints, you must evaluate each solution within the context it will be used and pilot test it before rolling it out widely.

Matt Sarrel is executive director of Sarrel Group, a technology product test lab, editorial services and consulting practice specializing in gathering and leveraging competitive intelligence. He has over 20 years of experience in IT and focuses on high-speed large scale networking, information security, and enterprise storage. E-mail matt@sarrelgroup.com, Twitter: @msarrel.


CTO Edge

March 2, 2010

Qualys Offers Free Malware Testing Service

Free offer is designed to highlight managed services capabilities.

Half the battle when it comes to malware is trying to find out where and when your systems are affected. Qualys, a provider of a remote management service delivered via an appliance that manages compliance requirements, is now extending that service to include a free malware testing service.

According to Qualys CTO Wolfgang Kandek, the basic idea behind offering the new service is to provide a set of security services that will serve as an introduction to the company’s compliance service. Unveiled at the RSA Security 2010 conference, the QualysGuard Malware Detection service will scan a Web site daily for malware, deliver alerts and identify vulnerable pieces of code.

The company also rolled out a commercial Qualys Go Secure service that tests Web sites for malware, vulnerabilities and SSL certificate validation. Once a site passes all four tests, Qualys will issue a certificate attesting to the security of the site that a customer can display on their home page.

While remotely scanning Web sites for malware provides a valuable free service, it also highlights a general shift towards managed services delivered via the cloud for a broad range of utilitarian applications that are much needed, but can’t justify additional IT headcount because they add no quantifiable return on investment to the business.

Separately, Qualys also announced this week partnerships with Trend Micro, Imperva and Core Security Technologies.



The New York Times

March 3, 2010

Strain on HTC From Apple Suit Is Likely to Be Long-Term


TAIPEI — Apple’s patent lawsuit against HTC will not cause major problems for the Taiwan technology company in the short term, analysts said Wednesday. But it could strain its relations with partners in the crucial U.S. market and test its leadership, adding to its challenges in the increasingly competitive smartphone field.

About half of HTC’s revenue comes from the United States, where its smartphones are bundled with services from providers like T-Mobile. HTC makes the Nexus One phone for Google under contract and also makes phones under its own brand.

“The short-term impact will be pretty minor,” said Jeff Pu, a handset analyst at Fubon Securities in Taipei, adding that such lawsuits can drag out over three or four years. “But from a long-term perspective, many carriers in the U.S. may take a more conservative stance in adopting HTC’s new products because of the lawsuit risk, or ask for price cuts to compensate for the risk.”

In focusing on HTC, Apple is taking on what many analysts regard as one of the island’s best-managed technology companies.

From its humble beginnings as a small laptop vendor in 1997, it has become a technology giant under the leadership of its co-founder and chairwoman, Cher Wang. She is one of nine children of Wang Yung-ching, a petrochemicals owner, now deceased, who was one of Taiwan’s richest men.

Mrs. Wang, who holds a master’s degree in economics from the University of California, Berkeley, made her own name by guiding HTC early into the promising smartphone segment. The company won the contract to make the iPaq handheld personal computer for Compaq in 2000. Later, it introduced phones using Microsoft’s Windows Mobile platform and Google’s Android system.

In the fourth quarter of 2009, 95 percent of HTC’s revenue came from phones with its own brand, Mr. Pu said.

According to the technology consultant IDC, HTC had a 4.6 percent global share of the smartphone market in 2009, compared with Apple’s 14.4 percent (both firms trailed Nokia’s 38.9 percent share and Research in Motion’s 19.8 percent). Apple is already locked in a separate legal dispute with Nokia.

Last year, HTC was ranked as the fourth most valuable Taiwanese brand by the Taiwan External Trade Development Council, after the PC maker Acer, the anti-virus software giant Trend Micro, and the netbook pioneer Asustek.

But Mr. Pu said that HTC had struggled recently with new smartphone competitors. It introduced a brand-bolstering campaign in October and is diversifying into lower-end smartphones, but faces shrinking margins and falling profits, he said.

HTC’s 2009 consolidated revenue was 144 billion Taiwan dollars, or $4.5 billion, down 5.2 percent from the previous year. Gross profit in 2009 was down 9.5 percent, according to data released by the company in January.

Its 2009 operating margin was 15.5 percent, down from previous years, and is expected to fall to between 12 percent and 14 percent in the first quarter of this year. “The company is now facing severe margin and pricing pressure,” Mr. Pu said.

Gary Chia, head of Greater China research for Yuanta Securities in Taipei, said the lawsuit was in some ways a measure of HTC’s success.

“This is what happens in Silicon Valley,” said Mr. Chia. “When you’re big enough to become a threat, I’ll slap a suit on you sometimes just to slow you down.”

Mr. Chia said he did not foresee any immediate effect on HTC’s shipments, and he noted that HTC could appeal or even countersue, since the company had its own patents.

“This is a cloud hanging over the company, but I wouldn’t say it’s a huge cloud,” Mr. Chia said.

He described HTC as one of Taiwan’s best-managed firms and one of the better-managed firms in all of Asia, and said the lawsuit would test that leadership.

“We know the smartphone market is heating up, with platforms competing against each other, and now you have this big behemoth going after you,” he said. “If management is worth its salt, this is where they show their value, now.”

John Cheng, a Taipei-based mobile devices analyst for IDC, said that HTC was one of a handful of Taiwan firms that were shaking off the island’s contract-manufacturing model of the past and establishing Taiwan’s own brands.

“HTC is not just doing contract business, but has also tried to be a brand vendor,” said Mr. Cheng. “Most people think Taiwan companies don’t invent too many technologies, but HTC has changed this kind of impression.”

HTC’s stock slid nearly 2 percent Wednesday on the Taiwan Stock Exchange after the lawsuit was announced.



San Francisco Chronicle

March 2, 2010

5 things VMware must do to fend off Microsoft

By Jon Brodkin, Network World

With 170,000 customers, including every member of the Fortune 100, you might think VMware's toughest task is stocking enough paper to print up new customer contracts. But the industry's biggest x86 virtualization vendor is facing a strong challenge from Microsoft, which is enticing IT executives with Hyper-V, an alternative that may not be quite as sophisticated as VMware but is less expensive.


2010 will be a crucial year for both VMware and Microsoft in the virtualization race. Here is a list of five things VMware and its CEO -- former Microsoft executive Paul Maritz -- have to do to stay ahead of their biggest rival.

1. Cut prices

If there's one major complaint customers and analysts have about VMware, it's that prices are too high.

"Are you going to spend five times the cost [of Microsoft]?" asks Burton Group analyst Chris Wolf. "Is it five times the features? Most folks, looking at their wallet, would say 'I don't think it is.'"

VMware has several different pricing schemes and the price each customer pays depends heavily on which version of the software they use and how many servers and workloads they have virtualized. According to a vSphere pricing document, "VMware vSphere Advanced" costs $2,245 for every processor, allowing up to 12 cores and 256GB of memory.

VMware's management software, known as vCenter Server, costs $1,500 for three hosts, or $5,000 for unlimited hosts. Numerous add-ons sold by VMware can raise a customer's bill significantly. VMware offers a free version of its hypervisor, but with limited functionality.

Microsoft offers Hyper-V, including advanced features such as live migration, as a free download. Customers planning big virtualization deployments are likely to buy management tools as well, and Microsoft's Virtual Machine Manager costs $869 per physical server.

VMware has argued that its software can be less expensive than Microsoft's on a per-workload basis, because VMware achieves higher levels of virtual machine density on each physical server. VMware also offers a small business version of its hypervisor that starts at just $166 per CPU, says Bogomil Balkansky, VMware's vice president of product marketing.

"What we've been doing over time is really stretching the range of capabilities that we offer and providing different price points," he says. "So far we think we do meet the needs of the different market segments we're trying to serve. We don't have any plans right now to adjust pricing."

Few, if any, observers would claim that Microsoft's virtualization technology is better than VMware's today, but Microsoft has closed the gap significantly and for many customers that may be good enough.

That's the opinion of one customer who switched from VMware to Microsoft. Roger Johnson, technical lead for the enterprise systems group at Crutchfield, a consumer electronics retailer in Charlottesville, Va., says "cost was the biggest deciding factor."

Johnson says VMware's technology is sound, but he thinks VMware's insistence on charging significantly higher prices than the competition reflects an "egotistical mentality." Crutchfield was running VMware in 2008 but completely converted its virtualization deployment to Hyper-V, and is now running 225 Hyper-V virtual machines on 11 servers. The total Hyper-V investment came out to $10,000, but would have cost at least three times that much with VMware, he says.

Johnson is a former Microsoft employee, so he may not be the most unbiased observer. But even VMware customer Scott Lowe, CIO of Westminster College in Missouri, thinks it's time for VMware to lower the cost.

As an educational institution, Westminster College gets a discount "but it's still pretty expensive to license," Lowe says. "I think VMware is going to have to address the cost of their solution sooner rather than later to stay competitive with Microsoft."

2. Improve security

As more data centers become virtualized, hackers are sure to take a closer look at hypervisors and try to identify vulnerabilities. Hypervisors have not yet become a central point of attack, but in a recent interview Forrester Research analyst James Staten says he expects them to become a big target in the next year.

"As we've seen with other technologies, the point where they're almost ubiquitous in the market is when hackers go after them," Staten says.

VMware has stripped its hypervisor down to a 32MB software package with 200,000 lines of code, presenting a relatively small attack surface to hackers. The company also announced a program two years ago to open its hypervisor to security vendors with a set of APIs making it easier to protect virtual machines, but VMware has not moved fast enough on this front in the eyes of some observers.

Some vendors say the APIs present performance problems making them difficult to use, as Network World reported in December.

"We're not using the VMware APIs today due to performance," says Richard Park, senior product manager at SourceFire.

VMsafe has been adopted by vendors including Altor Networks, Reflex, IBM ISS and Trend Micro, so the SourceFire concerns are not universal. There are security problems beyond VMsafe, however.

In vSphere, VMware released what it calls vShield Zones that let customers create zones in which security policies are enforced even when virtual machines move from one server to another. But this software doesn't integrate with VMware's Distributed Resource Scheduler, a load balancing product, Wolf notes.

"VMware's load-balancing framework does not respect security zones created with vShield Zones, and its capacity management tool (CapacityIQ) does not account for zoning," Wolf writes in a recent report.

"The left hand has to know what the right hand is doing," Wolf says in an interview.

3. Win the desktop war

Desktop virtualization is in the plans of many big companies, opening up big revenue opportunities for VMware and its competitors. Citrix, a tight partner of Microsoft, is making a strong push into this market with XenDesktop, which aims to deliver high-definition desktops to nearly any type of device.

VMware should have a built-in advantage in pursuing desktop customers, because many of them are already using VMware's hypervisor. But many companies that use VMware's server technology have opted for Citrix on the desktop. In fact, many Citrix virtual desktop customers are using VMware ESX servers to host the desktops.

One of VMware's latest moves on the desktop front was to upgrade VMware View with the PC-over-IP protocol (PCoIP), a server-centric system designed to provide great-looking desktops even to users suffering from low bandwidth.

But Citrix delivers desktops in high definition with its HDX technology, and VMware is struggling to convince customers that its own PCoIP is a better alternative.

Lowe of Westminster College is planning a VMware View desktop deployment but is concerned about VMware's ability to deliver multimedia, including Flash applications. "They need to make sure the desktop experience closely mimics a physical desktop experience," Lowe says.

Balkansky says PCoIP is "a big step forward" but stops short of saying that it does the job as well as Citrix. In desktop virtualization, he says, "there is always this tendency to try to boil things down to a single feature and a single silver bullet, and the truth is that there is no single bullet or single feature that is make-or-break."

VMware still has work to do to integrate PCoIP with WAN accelerators like Riverbed's appliance, Wolf says, and give users more options for connecting to desktops. For example, some government users want the ability to connect to a desktop with just a Web browser, without having to install software on a local machine, but have run into roadblocks with VMware on that front, he says.

4. Simplify management

Network director John Turner of Brandeis University in Massachusetts loves virtualization -- but he's puzzled by some of its quirks.

Recently, users on virtual machines experienced a major slowdown, and at first Turner's network team couldn't figure out what was going on. It turned out all of the Windows systems running in VMware virtual machines were set to receive updates at the same time, but VMware's management tools didn't provide notice that this was going to occur or that it might cause strain on storage and other systems.

The problem, he says, is that VMware makes it very easy to deploy virtual machines in large quantities -- an issue often referred to as "VM sprawl" -- but it's not easy to diagnose potential performance problems before they occur.

"From a performance or tuning perspective, as folks grow their VMware installations they're running into issues," Turner says. It's not that VMware doesn't provide diagnostics tools, it's just that they're only good if you're an expert in using them, he says.

"Either VMware needs to prevent you from growing to the point of that kind of installation, or they need to provide very simple diagnostic tools to help you understand what's going on," Turner says.

"Virtualization management is really crucial," says Laura DiDio, lead analyst with Information Technology Intelligence. "Simplifying things with respect to management and interoperability is going to be important."

If Microsoft and Citrix grow significantly in popularity, VMware may also be forced to manage multiple hypervisors. So far, VMware has insisted Microsoft and Citrix aren't used by enough customers to justify the expense of adapting VMware's management tools to multi-hypervisor environments.

Microsoft's System Center Virtual Machine Manager is capable of managing virtual machines created both with Microsoft's Hyper-V platform and VMware's ESX hypervisor, and Citrix provides management capabilities for both Citrix XenServer and Hyper-V.

Analysts say many data center pros are installing multiple hypervisors, rather than VMware only. If this trend continues, the willingness of Microsoft and Citrix to manage multiple types of virtualization platforms may give them a leg up.

VMware has built up a long list of partners to enhance its own technology, but so has Microsoft, Wolf says. Switching workloads from Citrix to Hyper-V is also easier than switching workloads from VMware to a competing platform, he says. That's because VMware is the only vendor using the Virtual Machine Disk Format, rather than Microsoft's Virtual Hard Disk format, according to Wolf.

"In the big picture, Microsoft is going after VMware with a -- dare I say it -- more open platform," he says.

According to Balkansky, the disk format and multi-hypervisor management issues are low on the list of customer concerns.

Balkansky says he recently spent a week meeting with customers and "those questions didn't come up a single time in a week of customer visits. ... What does come up is, as customers deepen and extend the virtualization footprint, there is a need to manage that extensive virtual footprint in a more scalable, automated and disciplined fashion."

5. Don't overhype the cloud

Nearly every IT vendor is hopping on the "cloud computing" bandwagon, attaching the word cloud to any product that might remotely be related to cloud computing. VMware has made some not-so-subtle shifts in this direction, calling its main virtualization platform a "cloud operating system." And while VMware used to refer to itself as "the global leader in virtualization solutions from the desktop to the data center," the company now calls itself "the global leader in virtualization solutions from the desktop through the datacenter and to the cloud." The expansive title appears in the first sentence of every press release VMware issues these days.

VMware's marketing also focuses heavily on its "vCloud" program, which seeks to build a lineup of partners that offer cloud computing services based on the VMware hypervisor.

By pushing public cloud services -- that is, on-demand computing services delivered to customers from remote data centers -- VMware risks losing sight of its core goal of helping customers build out their internal data centers, Wolf says.

"They've spent a lot of time harping on the public cloud, but the typical organization today is building out a private cloud and looking at IT automation internally, as opposed to putting corporate assets on the Internet," Wolf says.

DiDio adds that "I don't think there will be this stampede to the cloud. However, there are a lot of organizations looking at implementing private clouds. Clearly, cloud computing and virtualization go hand in hand. Anything VMware can do to help train customers and send out an explicit message helps."

Balkansky says VMware is trying to help customers build internal cloud networks that connect seamlessly to public clouds, but says VMware is still making the private data center its main focus.

"We haven't taken our eye off the ball by any means," Balkansky says. "First and foremost, our goal is to help customers build a private cloud."

Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin


Original story - www.networkworld.com/nwlookup.jsp?rid=202017




March 2, 2010

3 Reasons Microsoft EU Browser Ballot Will Impact U.S. Market

By Steven Burke, ChannelWeb

Expect the European Union mandate requiring Microsoft (NSDQ:MSFT) to offer 200 million European users the ability to cast a vote in the form of an electionlike ballot of 12 Web browser choices -- other than Microsoft's Internet Explorer -- to have a big impact on the U.S. market.

The EU said Tuesday that European users will be asked to choose in a Web browser bake-off among 12 free Web browsers including Microsoft's own Internet Explorer, Google Chrome, Mozilla Firefox, Apple (NSDQ:AAPL)'s Safari and Opera. There are also more esoteric browser choices including the Slim browser, Maxthon, Sleipnir, Flock, Green browser, K-Meleon and the Avant browser.

The EU browser ballot mandate lifts the last legal cloud over Microsoft after a decade-long battle with the EU over alleged antitrust violations. The EU in December dropped its last pending antitrust case against Microsoft after the software giant agreed to let users choose among the Web browsers.

Here are three reasons the EU mandate to offer Web browser ballot choices to European users will have a ripple effect on the U.S. market.

1. It's A Global Market

First off, we are living in a global market. It's foolish to expect that giving 200 million-plus Europeans the option to choose among more than 12 browsers will not have an impact on the U.S. market.

It's all about global economics. The EU mandate opens the door for browser rivals to get a foothold in the European market and then leverage that open door to break into the U.S. market.

Microsoft gets a lot of economic leverage by force-feeding Internet Explorer to U.S. users on every new PC bought and purchased. That economic leverage has just been blown up. And once Europe gets a taste of browser freedom, look for that ability to choose to spread like wildfire to the U.S. market. Think of this EU deal as the fall of the Berlin Browser wall.

The biggest impact may well be in the lucrative corporate market where businesses of all sizes and shapes are looking to control costs by standardizing. Expect competitors like Google (NSDQ:GOOG) and Apple to use the browser choices to offer other "choices" to business customers.

2. Look For PC Makers In The U.S. To Cut Deals With Browser Alternatives Like Google Chrome

PC makers are waking up this morning and looking at the election browser ballot battle as a way to ink revenue-sharing browser deals with the likes of Google, Apple and others.

PC makers already sell off screen space to security software makers like Symantec (NSDQ:SYMC), Trend Micro, McAfee and others. Look for them to do the same kind of deals with browser vendors.

The fact is there is far less loyalty to individual software brands than there was in the past. That's a big opportunity for so-called white-box systems branded by solution providers to provide customers of all sizes with better value.

Microsoft does not like to offer consumers or businesses choices. Microsoft wants lock-in. The EU-mandated deal does away with browser lock-in.

3. Look For Browser Rivals To Raise Antitrust Concerns In U.S.

Now that browser rivals like Google are getting a foothold in the European market, look for them to raise the issue with U.S. antitrust regulators.

In a front page story on Monday, The Wall Street Journal did a great job detailing the antitrust wrangling between Microsoft and Google. Look for Google to rally the browser rivals to press their case in the U.S.

Google has lots of cash to spend in Washington and a lot of influence to wield like a hammer. Even if the Google browser gang's antitrust concerns fall on deaf ears in the U.S. government, the noise is going to have an impact on U.S. businesses and consumers whose eyes will be opened to new browser choices.




February 28, 2010

What I've Learned About Implementing EHR as a Service

Despite the federal mandates, even the most interesting of IT approaches make EHR project participation a tough pill for some doctors to swallow

By Beth Schultz

Like many healthcare operations, Beth Israel Deaconess Medical Center (BIDMC) in Boston has been grappling with how best to handle the federal electronic health record (EHR) mandate. Three years ago, it set out to get 200 outlying physician offices and the roughly 350 doctors working at them onto a centralized EHR system. It was – and continues to be – a daunting challenge that unwittingly turned BIDMC into one of the earliest known users of cloud computing. Without knowing that what it was doing would later be labeled "cloud," IT made the unique decision of hosting EHR software at a central location and building out an infrastructure to support physician access via secure Web connections. Problem is, some doctors weren't too keen on either the EHR or cloud concepts and the going, while well-planned, has been rough in spots, says Bill Gillis, eHealth technical director at BIDMC. In an interview with contributing writer Beth Schultz, Gillis reflects on

A LEAP OF FAITH: We learned two big things about doctors. One is that doctors are fine sharing clinical information – in fact, they want to share clinical information – but they definitely don't want to share financial information, especially because, in some cases, they're competitors. So doctors had a lot of concerns about our plans and we heard a lot of 'I want the equipment here where I can see it and nobody else can get to it.' So we had a hard time convincing them that they owned the data and could do whatever they wanted with it even though it wouldn't be sitting in their offices. They also had a hard time with the idea that they'd benefit by putting their data in a centralized environment with data center-level security, power, management and the technical expertise to manage it all. That was a big conceptual leap we had to make with the physicians.

A MIXED (DOCTOR'S) BAG: The other thing we learned is that while some physicians are all set and want to jump on the electronic health records bandwagon, others are reluctant. We're coming in and basically saying, 'That's great how you've done this in the paper world but to do it in an electronic way, especially in a way that will let us gather metrics as a medical community under the Beth Israel Deaconess Physician Organization banner, you're going to have to make some changes.' Trying to convince that demographic that at the end of the day the changes will make them more efficient and let them provide better healthcare is hard. Getting them to change their processes for providing care is a big hurdle.

NO TIME LIKE YESTERDAY: Part of the convincing we had to do was that the electronic health record project has a 20-week implementation cycle for a reason. They needed to know that we're not just giving them an application that they would turn on like Microsoft Office and figure out on their own. We needed to explain that it's a transformative process for which we had to come in and understand how they provided and practiced medicine, what their workflows are like, and then figure out how to leverage the tool to improve their situations. Getting the physicians and staff to understand their role and time commitment to the implementation is critical to success. That's a hard thing to get people to understand, so you want to jump on it early. You don't want to find yourself later in the process with people on the practice level not showing up for meetings or not doing their tasks in the project plan.

TEST SUBJECTS: To find participants for our initial six pilot sites, we went to people who had used an electronic health record or electronic practice management system in the past because we figured they'd be a little bit ahead of the curve. We also went to people who already had some technology in their practices so this wouldn't be a giant leap for them, and then we looked for leaders in the clinical field and who had some sway so, if we were successful, they could spread the word through that community.

DANGLING A CARROT: When we started this project, about three years ago, we based our goal around pay for performance: The physician practices would be able to prove to insurance carriers that they're providing a better quality of care because they would be reporting on the care directly through an electronic health record. The insurance company then would give the providers better reimbursement rates. So initially we were coming in and saying, 'Hey, you're going to get better insurance rates over time, but you're going to have to go through this 20-week process and front some of the cost' (even though the organization was funding 85% of the initiative, the physicians still had to come up with 15% of about $50,000 to $60,000). For them, it's like, 'What am I getting? I'm spending money, and maybe I don't want to do this.'

AND THEN A BETTER CARROT: But now it's all about meaningful use. The ARRA [American Recovery and Reinvestment Act of 2009] has this whole stimulus package around implementing electronic health records. So now in order to meet that meaningful use criteria, they basically need an electronic health record and if they meet the criteria, they get $44,000. That's more of a carrot.

FINALLY, THE STICK: So we've had this project for two and a half years, and we've got 38 offices deployed with another 160 to do by the end of the year. How did that happen? Even though everybody says, 'Sure I want to do this now that I'm eligible for that $44,000 and the medical center is providing 85% of the cost and the physician organization is giving every primary care physician additional funding to buy new hardware,' it's been a case of it being free but not free enough. People said, 'Yeah, we'll take part but put us at the end because we don't want to deal with it.' But it's a 20-week implementation cycle, and we can't leave everybody to the end. So we really struggled to get people in there for those first two years. As a lesson learned, and I would warn anyone looking to do this, our mistake might have been that we went with a carrot when we needed more of a stick. It wasn't until the last eight months, when the physician organization said, 'If you don't have this in your practice by the end of 2010, then you'll no longer be eligible for our decreased membership rates,' that suddenly we had a waiting list of people who hadn't been interested.

PLANNING FOR THE UNKNOWN: We didn't want a situation where we built a large clustered environment and none or maybe only 20 of the 300 physicians signed up. That'd be like having a giant hotel with nobody checked in. So we knew right away that we needed something more modular, a housing development approach. Our only limitation in putting up houses – the physician practices – is the land that we purchase, which is really just space in a data center and storage on a SAN, which is something we can expand as we need. So we went with virtualization right away, because it would give us the ability to be modular, scale on the fly and adjust resources – the CPU, the memory, the storage – as we needed.

SECURITY RETHINK: We weren't caught by surprise necessarily but we did have to think very differently from how we traditionally thought about security when we got into this whole idea, and that was one of the biggest lessons learned out of all of this. In the case of this cloud environment, we have to give almost data center-level security to each individual practice. As we started to go down that path, we had a hard time finding a security vendor that understood this kind of virtualized environment but when we did -- Third Brigade, which is now Trend Micro – it taught us we had to think differently about the whole security model around cloud computing.


Beth Schultz is a freelance IT writer in Chicago. Reach her at bschultz5824@gmail.com.



A Consuming Experience

March 2, 2010

Blogger users beware: phishing attack

By Improbulus

According to security firm Trend Micro, bad guys are sending emails to Blogger users, pretending to be from Blogger.

The email asks users to "update" their accounts by clicking a link - which seems to lead to a Blogger login page starting with the same domain name as the real Blogger site, but in fact is a fake page where, if you enter your Blogger login details, they'll steal them.

So beware.

Granted, people might not be surprised that British politicians were taken in by Twitter phishing scams last week, but when even someone as tech-savvy as Cory Doctorow has had his account hacked (according to a Yahoo! story), it shows you just can't be too careful.
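The trick described above works because a reader checks how the address begins, while the browser connects to the host named by the whole hostname. The following check is an added example, not part of the original post: the lookalike URLs are constructed, and the set of hosts treated as genuine is an assumption made for the example.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only hosts accepted as the real Blogger site.
TRUSTED_HOSTS = {"www.blogger.com", "blogger.com"}


def naive_looks_like_blogger(url: str) -> bool:
    """Mimic the eye test: does the address start with the real domain name?"""
    rest = url.split("://", 1)[-1]
    return rest.lower().startswith("www.blogger.com")


def link_host(url: str) -> str:
    """Return the host the browser would contact (lowercase, no port, no trailing dot)."""
    url = url.strip()
    if "://" not in url:
        # Links pasted into email text often lack a scheme; "//" makes
        # urlsplit treat the first component as the network location.
        url = "//" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def classify(url: str) -> str:
    """Label a link as 'genuine', 'lookalike' or 'unrelated'."""
    host = link_host(url)
    if host in TRUSTED_HOSTS:
        return "genuine"
    # The real name is only a leading prefix of a longer hostname, so the
    # site actually contacted is whatever the rightmost labels name.
    if any(host.startswith(trusted + ".") for trusted in TRUSTED_HOSTS):
        return "lookalike"
    return "unrelated"


# Constructed sample links, as they might appear in an "update your account" email.
SAMPLE_LINKS = [
    "https://www.blogger.com/start",
    "http://www.blogger.com.account-update.example/login",
    "www.blogger.com.account-update.example/login",
    "HTTPS://WWW.Blogger.COM.:443/start",
    "https://news.example/blogger.com",
]


def report(links):
    """Return (url, eye-test result, classification) for each link."""
    return [(u, naive_looks_like_blogger(u), classify(u)) for u in links]


if __name__ == "__main__":
    for url, eye_test, verdict in report(SAMPLE_LINKS):
        print(f"{verdict:10} eye-test={eye_test!s:5} {url}")
```

The second and third sample links pass the eye test yet are classified as lookalikes, which is the gap a mail filter or link-checking proxy has to close by comparing the full hostname rather than its beginning.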


Dark Reading

March 1, 2010

Trend Micro Partners with Qualys to Strengthen its Security and Compliance Offerings

Broad distribution, Integration and Technology Partnership to Reduce the Cost and Complexity of Deploying and Maintaining Enterprise Security Applications

CUPERTINO and REDWOOD SHORES, Calif., March 1 /PRNewswire/ -- Trend Micro today expanded its security and compliance coverage through the announcement of a strategic relationship with Qualys, a recognized leader in on demand IT security risk and compliance management solutions. Under the agreement, Trend Micro will repackage and sell the QualysGuard IT Security and Compliance Suite with its Trend Micro™ Enterprise Security compliance offerings to provide a more comprehensive solution for customers worldwide.

With this alliance, Trend Micro will offer organizations more comprehensive IT security compliance capabilities, including: vulnerability and threat management; compensating controls and assessment; and reporting and submission to meet GRC (Governance, Risk and Compliance) requirements. This addresses key issues organizations face today when attempting to meet both security and compliance needs.

"It's no longer enough just to identify vulnerabilities or threats. Customers are demanding integrated solutions preferably delivered as a service that span the spectrum from assessment through protection," said Charles Kolodgy, IDC research director, security products.

Customers will also benefit from the Trend Micro™ Smart Protection Network™, the technology infrastructure behind Trend Micro solutions. It uses a number of patent-pending technologies and combines Internet-based (or "in-the-cloud") technologies with real-time correlation and analysis to provide advanced visibility on vulnerabilities and exposures in servers.

"A rapidly evolving threat landscape is driving businesses to boost compliance and vulnerability assessment, a need Trend Micro is now positioned to meet across dynamic datacenters," said Eva Chen, CEO of Trend Micro. "Our alignment with Qualys, the recognized market leader in vulnerability and compliance management, allows us to extend our commitment towards 'security that fits,' creating tailored security solutions that fit seamlessly into a corporation's overall IT network, whether they are in physical, cloud or virtualized environments."

"With the rise of Cloud Computing and rapid technological changes, it is imperative for vendors to work together to enable customers to secure their data and meet compliance requirements beyond the enterprise walls," said Philippe Courtot, chairman and CEO for Qualys. "We are thrilled to work with Trend Micro to help customers worldwide identify and remediate threats, protect against malware that could have previously evaded detection and give them a precise view of their global security and compliance posture."

The QualysGuard IT Security and Compliance Suite automates the process of vulnerability management and policy compliance across the enterprise, providing network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk. Policy compliance features allow security managers to audit, enforce and document compliance with internal security policies and external regulations.

Trend Micro™ Enterprise Security is a tightly integrated offering of content security products, services and solutions powered by the Smart Protection Network™. Together, they help customers be both compliant and secure by addressing a broad range of compliance controls, enabling business innovation, and delivering maximum protection with minimal complexity.

Roadmap and Availability

A Trend Micro-branded version of QualysGuard is expected in Q2. In addition, an integrated solution from Trend Micro and Qualys is also expected during the second half of 2010 as part of Trend Micro's hosted security portfolio. Details and pricing will be available at a later date.

Trend Micro will demonstrate its compliance capabilities, and preview an integrated solution, during the RSA Conference, booth #1837.

About Qualys, Inc.

Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions – delivered as a service. Qualys' Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures.

The QualysGuard® service is used today by more than 4,000 organizations in 85 countries, including 42 of the Fortune Global 100 and performs more than 500 million IP audits per year. Qualys has the largest vulnerability management deployment in the world at a Fortune Global 50 company.

Qualys has established strategic agreements with leading managed service providers and consulting organizations including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, SecureWorks, Symantec, Tata Communications, Trend Micro and TELUS.

For more information, please visit www.qualys.com

About Trend Micro:

Trend Micro Incorporated, a global leader in Internet content security, focuses on securing the exchange of digital information for businesses and consumers. A pioneer and industry vanguard, Trend Micro is advancing integrated threat management technology to protect operational continuity, personal information, and property from malware, spam, data leaks and the newest Web threats. Visit TrendWatch at www.trendmicro.com/go/trendwatch to learn more about the latest threats. Trend Micro's flexible solutions, available in multiple form factors, are supported 24/7 by threat intelligence experts around the globe. Many of these solutions are powered by the Trend Micro™ Smart Protection Network™ infrastructure, a next-generation cloud-client innovation that combines sophisticated cloud-based reputation technology, feedback loops, and the expertise of TrendLabs℠ researchers to deliver real-time protection from emerging threats. A transnational company, with headquarters in Tokyo, Trend Micro's trusted security solutions are sold through its business partners worldwide. Please visit www.trendmicro.com.

SOURCE Trend Micro
