Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.
July 28, 2008
New PC Superbug Threatens Financial Info
I guess we should have expected it, as this is the summer of the superhero (I did check out Batman this weekend, and while it's overlong, I definitely enjoyed the escapades of the caped crusader), and we all know with superheroes come supervillains.
According to the Business Scotsman (which I'm pretty sure isn't meant to refer to a superhero), banks around the United Kingdom are being warned of a new PC super bug designed to steal online banking info on a massive scale.
The virus is called the Limbo 2 Trojan, and was designed specifically to gain access to financial data. Standard advice would be to keep the firewall and anti-virus software fully up-to-date, but hackers are said to be so confident about this malware that they're paying upwards of $1,300 (£650) for a copy.
The security firm Prevx reported that the Trojan features a changeable shell, a pliable cloak that comes in many guises and variants to fool security systems and slip past conventional signature-based anti-virus detection. The Trojan then generates fake information boxes on the compromised computer, asking the user to enter more information than usual, and while this is going on, passwords, credit card information and other personal details are transmitted to the malware's criminal operator to be exploited financially.
That's pretty scary stuff, now that a single data breach at a big firm is estimated to cost in the millions. But I just hope some security genius is currently toiling away in their fortress, cooking up some super security product to save the day...and who knows, maybe next year, the big summer blockbuster will be about a computer security superhero.
An article over at the Baltimore Sun shows how very easy it has become for the bad guys to go shopping for someone's name and social security number before they actually go shopping. It's gotten so easy, in fact, one almost expects a 'Dummies Guide to Internet Identity Theft' to go on sale at the local bookshop.
Illegal ID marketplaces are thriving in international chat rooms, message boards and Web sites that specialize in the trade of personal and financial data for crooks and thieves. And the TJX data theft, which handed over 47 million credit card numbers, was really just the tip of the data-theft iceberg.
The article goes on to describe someone who believes his identity first got hacked from his PayPal account several years ago, and who since then has had trouble keeping a lid on his identity. Basic advice on protecting your identity: keep a close eye on all your accounts, read your statements carefully, and also make sure you change your passwords (every other month is the recommended frequency), and make sure your passwords aren't easy to crack, like just writing password (uh-oh, I've got a few quick changes to make myself, there, now I'm back), and it wouldn't hurt to read our latest security feature, Encryption Protects Data -- Period.
July 16, 2008
The World is Now Your Workplace: IBM Discusses Their Collaboration Tool, Jazz
Editor's Note: Interested in the collaborative workplace? Then you cannot miss ebizQ's upcoming virtual conference on Enterprise 2.0 coming this Wednesday, July 23. Sign up here.
What follows is my podcast with David Locke, Director of Offerings for IBM Rational, where we dive into the hot topic of the day, collaboration, and how IBM Rational's new Jazz collaborative technology is built for the flattening of the workplace (in this case software development), and how we're all pretty much expected to get our work done from anywhere and everywhere with co-workers half-a-world away. So give it a listen, or read the full transcript below.
Listen to or download the 9:18 minute podcast below:
First of all, David, can you just give me a quick overview of your announcement for IBM Rational’s Jazz collaborative technology?
You bet. So in this announcement, we’re announcing 11 new products based on the Jazz technology. So Peter, as you may recall, we’ve been working on Jazz for about two years. The development style of Jazz is what we call “Open Commercial”. So I’m sure your audience is familiar with Open Source. There’s many, many folks out there that want to contribute their abilities and their knowledge and their skills to creating better software.
The challenge with Open Source though is that there’s really no place to get training, no place to get support, and as some companies have merged to do that, they’re typically smaller vendors. In this case, with Jazz, what we’ve done is coined the term “Open Commercial”. Meaning we’re engaging the general public to help develop it but we will commercialize it.
And so two years ago, we started the Jazz Project and we’ve had over 14,000 people contributing to date. And as we’ve moved forward, the community has basically said, we’re ready for Version 1, and that’s exactly where we are and what we’re announcing here 11 new products of -- partially from IBM, partially from our partners that are based on the Jazz technology. Now, one of the premier products in this offering is Rational Team Concert. So this product is specifically focused on helping teams effectively collaborate in realtime.
Now, this might be difficult to answer, but what main problem does this then help address for a company?
No, that’s actually a great question, Peter. In the end of the day, software development and delivering software that really operates and runs your business is very much a collaborative effort. And if you think about the scope of the collaboration that has to happen to deliver the right software to organizations, it’s very broad.
Now, Rational has a history of delivering software to help the development team work more effectively together; it’s very important. But the scope is broader than that. If you think about what software delivery really is all about, it’s about automating business processes, trying to streamline companies’ approach to the competitive stance, being more nimble, to be able to change over time, and be able to acquire and divest different parts of their company, be able to change with technology.
All of these different aspects of business really require that collaboration happens with the line of business people, the marketing people, possibly the legal people, and definitely the technology folks in IT to make these things happen. So Rational Team Concert is all about providing that realtime collaboration. Rational Team Concert is what we call “Team Aware”, meaning as you create, for example, a set of requirements, these requirements then, of course, get passed into the IT side of the house to understand what it is you need to be built, or need to be acquired to fulfill that business set of requirements.
Well, as IT looks at those requirements, they may have some questions. Well, which business analyst actually developed those? Possibly the business analyst could be in Hong Kong, or could be in India, or could be down the street.
It’s hard to tell in this ever-flattening world as globalization is happening in our economy. And so Rational Team Concert provides this team aware approach to all of the artifacts that go into delivering this software, all the way down to individual coders understanding which line of code has defects, all the way up to I’m looking at a set of requirements where some business models. And I don’t understand it, I need to -- I can then right click right inside of Team Concert and understand who developed it.
I can then open an instant messaging window, or a link to a wiki, or start a wiki, and I can actually use Web 2.0 type approach of social networking to find the right person that I need to collaborate with, start collaborating with, capture that collaboration for later use, and allow it to streamline and flow through the organization. Another key element of Rational Team Concert that helps address this is the process and workflow aspect, right.
So you can imagine that in every organization there’s some form of process. The business analyst does some modeling and hands it off to a system analyst, or and then it hands off to an architect, or down to developers, or some flow like that, right. Well, Rational Team Concert allows you to automate that flow and so it automatically creates a workflow based on the workflow in your organization.
And then helps you make it come to life and support that workflow in the organization. And then third, Rational Team Concert then allows you to look over the entire process project end-to-end and analyze how that project’s coming, or if you’re CTO, you want to know how all your projects are coming. It allows you to get realtime metrics into those projects. All of this is really around the challenges of globalization, the challenges of becoming more nimble at delivering the right software for the right challenge that the companies are facing today.
This seems like this is addressing the issue of a flattening world, you know, where I’m in New York and you are wherever you are, say you're in Hong Kong, and if we needed to work together for a couple of days, right?
That’s exactly right as different team members come and go because we acquire companies, and divest companies, as well as people moving project to project. Being able to understand what it is I’m trying to work on, and who I hand it off to, and automating that workflow, and getting the collaboration established so that I know who to talk to, to get things worked out is all about what Jazz is bringing to market here.
So what do you see for the future of this software collaboration?
With regard to the future, Peter, that’s a great question because in all we see is several different key transformations happening around this Jazz technology. One transformation is how teams work more effectively together, right. So as more and more of the Rational set of tools integrate with the Jazz technology, as well as other third-party companies take advantage of the Jazz technology, and the Jazz platform, we’ll see how development teams and software delivery teams really can work more effectively and more predictably together, right.
So we see a transformation in the organization how software development is done. Second, is an industry transformation. Now a good analogy here is the ECLIPSE world. So as I’m sure you’re familiar, before ECLIPSE, there were many different software development tools that did all sorts of great things but they did not have a common interface, they did not have a common underpinning to allow them to work more effectively together, the tools themselves.
In other words, ECLIPSE has helped consolidate the desktop around a common UI, a common set of underpinnings so that these tools could work together even though they’re from disparate different vendors; that has transformed that desktop. Jazz is going to do the same thing. We already see that happening.
Jazz is going to do it from the server side, if you will, the collaboration side of the equation. So in this announcement, not only did IBM release some new products, but we also have quite a few partners that have -- are releasing products on Jazz as well as having announced further support and new projects for themselves coming out on Jazz.
And if we compare how ECLIPSE has progressed over time as compared to where we are with Jazz, kind of looking at the same point in time, we’re actually further ahead in ECLIPSE in terms of starting to transform the industry around this collaborative platform. And that’s also why we made it open commercial. Right, so that we would have industry wide support for these common underpinnings because it really is the next key thing that needs to happen for our industry.
July 14, 2008
Hacker Tool Updated to Exploit ActiveX
As with zero day exploits, in which hackers wait until after Microsoft's Patch Tuesday so they can start afresh and anew on hack Wednesday, it's good to know that some security folks are keeping an eye out for updates on the tools hackers use.
According to this article on InfoWorld, which was based on a report by Symantec, an easy-to-use hacker toolkit has been updated to take advantage of a flaw in an ActiveX control belonging to Microsoft's Access database system.
"Further analysis of these honeypot compromises has revealed that the exploit has been added to a variant of the Neosploit exploit kit, it will very likely reach a larger number of victims," said Symantec's report. "As is the case with most of these ActiveX attacks, they are being served by traditional Web sites that have themselves fallen victim to automated SQL injection attacks," Hittel wrote on a Symantec forum. "In the past, we have seen government, commercial, and hobby sites fall victim to these SQL injection attacks and subsequently begin serving exploits to each of their visitors."
Which makes me wonder what the sales pitches are like for these hacker tools...rob and steal and cheat without ever leaving your lair. Become a millionaire overnight with our major Microsoft exploit tool. Actually steal money that's supposed to go to Bill Gates. I mean, what are the cybercrooks gonna do if the hacker-ware doesn't work as planned, sue them?
July 01, 2008
The Criminal in the Next Cubicle: Talking Security With Xerox
In this podcast I spoke with David Drab, the Principal and Security Thought Leader for Xerox Global Services, and what's particularly interesting about this podcast is that Mr. David Drab is an ex-FBI man, and I think having him sound off on IT security issues really brings home how hacking has truly evolved into a full-time criminal enterprise, whether it's a criminal who's delving into online crime or someone in the cubicle next door whose reckless activities have now become criminal. David and I talk about current enterprise security issues, and how Xerox is addressing them, and make sure to listen for the quote: Mercy to the guilty is cruelty to the innocent.
Listen to or download the 10:41 minute podcast below:
First of all, why don’t you just give me the top security solutions companies need to be concerned with today?
Well, I think the -- one of the greatest challenges is really comprehending the risk that we face in an ever-changing global environment. There’s no question that senior executives, in particular, have a very difficult time really understanding the context of risk, what the implications are and many times don’t know really what to do about it. I think that is one of the things that is really a necessity in moving forward.
The studies have shown that many companies really have applied more resources to deal with security but it hasn’t necessarily meant improvement because it’s more understanding what you didn’t know previously. So I think one of the big challenges is really getting proactive, getting strategic to be able to more effectively manage security and have a stronger voice across the enterprise.
Too often, it’s a matter of picking up the headlines and getting together around a table the following day and saying, what are we doing about laptops, or what are we doing about social networking sites such as MySpace and Facebook, and what kind of risks do these present to us. And unfortunately, piecemeal security is always going to be lagging far behind and not have it in a strategic kind of mode of operation.
Now, why do you think companies need to employ more than just security technology?
Well, security clearly is about people. We can't really have a meaningful discussion of security today without considering the role of those who are actually handling the information. I’ve never had to slap a set of handcuffs on a printer, or copier, or laptop, or desktop, it just doesn’t happen that way.
Now, so how should companies then hold their employees accountable for security lapses?
Well, that’s -- I think that’s a great question, Peter, because to draw on a quote, one of my favorites, actually, from Adam Smith, “Mercy to the guilty is cruelty to the innocent”. And in my experience in interviewing spies and criminals who have sort of decided to try to make right their wrongs and have talked to us about their experience in conducting crimes within organizations, have said over and over that you folks had the greatest rules and policies and procedures in place but you don’t enforce them.
And so enforcement is one of the elements of security that has to stand on its own two feet. If a senior VP has decided to set up his home computer with confidential data and it’s not done in a manner that is consistent with security policies and procedures, then he’s got to be held accountable like everybody else. It’s not a matter of objectively applying security concepts. So it’s really a top-down, bottom-up mandate that organizations first have leaders who get it, who really understand it, because I can assure you that there are others out there who do get it and understand the opportunity that lies in the world that we live in today.
Right. Now, as a former FBI agent, why do you believe that companies need to use counterintelligence tactics in their security model and exactly what are those tactics?
Well, security and even law enforcement, Peter, is always behind, always lagging and reacting to what is occurring. And in our experience in the U.S., you may recall, we had a deeply entrenched mafia organization whose existence was even denied by the FBI, that it was a national conspiracy, and after years and years of plodding along in the media and various sources, it became evident that there was such a thing and a national conspiracy.
And it wasn’t until that was exposed and readily recognized that we were able to be effective to deal with that threat. So in a nutshell, the mafia organizations in our country recognized that there was value in organizing their operations in these 24 families around the country because America was a big piece of pie. So they very strategically addressed it and we all know what happened.
It wasn’t until the ‘80s when we really comprehended the threat that we were able to get the Congress to enact laws that enabled us to effectively deal with this kind of a threat. It wasn’t until we had witness protection, and wiretapping protocol, and RICO laws, and things like, the right kind of tools to deal with the problem. And then, we had to change our approach.
We had to become strategic, we had to scale down the number of cases we were working and take out the big fish instead of a lot of little fish. So applying that kind of approach to the corporate environment today, we need to have some person or organization as another layer that’s looking across the fault lines of the organization and has their eye on the ball from start to finish.
And we see this over and over today with organizations where we know there’s good security policies, we know there are good controls in place, we know there is a good culture in place around security. Yet, we wonder how an up-and-coming researcher or engineer can travel to another country, and then we later find out he was recruited and became a part of an espionage operation that compromised enormous amounts of proprietary information, and it happens over and over.
And I think that the problem is we have this failure to track content to run its lifecycle wherever it resides, in the paper, or the digital world. And I think that that’s a really important need today. And this layer of counterintelligence is one that is really independent of the other security structures within the enterprise such as risk management, and IT security, and so on. And what this does then is provide another element of accountability to ensure that the palace guard, for example, is in order and acting appropriately.
Right. Now, it seems to lead to my next question: how can a company incorporate document intellectual property security into their enterprise?
Well, I think that’s the -- clearly the direction of information security moving towards the management of content rather than documents. Documents are the containers of critical information. And now we recognize the importance of using technologies that enable us to manage content within a document throughout its lifecycle.
And this, I believe, requires a framework in which critical information, the innovation of a company’s future, the bloodline of a company, really needs to be captured within this framework that begins with a clear inventory of what the critical information is; a categorization of it to be able to effectively pigeonhole the information as it moves through its lifecycle.
Now we know that when a critical idea is spawned in R&D, it may be a matter of time before it moves towards production. And then all of a sudden we have marketing plans, we have all kinds of strategies that are trade secret in nature and need to be protected. So the categorization element of this framework is one that really enables us to get our arms around information that’s dynamic, that’s constantly changing and moving and in its value.
And then the next level is identifying it, which is really measuring it against the law. Is it a trade secret, does it measure up and meet the requirements of a trade secret under the law? And then classifying it, which of course enables any user to understand what is required of them in managing the information and handling it and then valuing it, and continuing this process to ensure that the information is effectively secured around its lifecycle.
The standard model today is that critical ideas, and innovation, and information that really sets up the future of the company is managed in a patent office, with a legal department. And this needs to be integrated so that there is a clarity around the security goals and objectives to ensure that it’s not walking out the door and we see that over and over. As you well know, Peter, that information that is not effectively identified and controlled is likely to walk out the door with an employee that is charting the course of their career.
And that’s something that is really under addressed and needs to be more fully addressed. And what we do in the document world here in my experience with Xerox Corporation, is looking at the document in the context of what happens to critical content once it’s been accessed by authorized users. And we can have all the technologies in place for a very secure environment but what is the insider doing, those who have been entrusted with the information?
And there are no silver bullets to answer that question, obviously, but there are a number of things that we are looking to do in security printing technologies to help track paper and documents as they move in and out of the paper and digital worlds and really build a chain of custody around the content. And this is the future, this is the direction that is going to be absolutely essential in securing a global enterprise that is facing unprecedented competition.