Testing Google’s Skipfish

According to a Google security blog post by developer Michal Zalewski, Google’s new, free Skipfish scanner is designed to be fast and easy to use while incorporating the latest in cutting-edge security logic. Felix ‘FX’ Lindner examines Skipfish to see how well it compares to other tools used to check web site integrity.

More about Skipfish on Google’s Online Security Blog

Source: The H Security

Symantec acquires VeriSign’s web security business

US security software vendor Symantec has reached an agreement to acquire VeriSign’s web security business for nearly $1.3 billion

MOUNTAIN VIEW, Calif. – May 19, 2010 – Symantec Corp. (Nasdaq: SYMC) today announced that it has signed a definitive agreement to acquire VeriSign’s (Nasdaq: VRSN) identity and authentication business, which includes the Secure Sockets Layer (SSL) Certificate Services, the Public Key Infrastructure (PKI) Services, the VeriSign Trust Services and the VeriSign Identity Protection (VIP) Authentication Service. The combination of VeriSign’s security products, services and recognition as the most trusted brand online and Symantec’s leading security solutions and widespread distribution will enable Symantec to deliver on its vision of a world where people have simple and secure access to their information from anywhere.

“With the anonymity of the Internet and the evolving threat landscape, people and organizations are struggling to maintain confidence in the security of their interactions, information and identities online. At the same time, people’s personal and professional lives have converged and they want to use their various digital devices to access information wherever they are without jeopardizing their privacy,” said Enrique Salem, president and CEO, Symantec. “At the same time, IT is faced with the challenge of giving users the appropriate access, while ensuring that corporate data is not at risk. We believe the solution to this dilemma lies in the ubiquity of identity-based security. With the combined products and reach from Symantec and VeriSign, we are poised to drive the adoption of identity security as the means to provide simple and secure access to anything from anywhere, to prevent identity fraud and to make online experiences more user-friendly and hassle-free.”

Under the terms of the agreement, Symantec will purchase the specific assets from VeriSign, including the majority stake in VeriSign Japan, for a purchase price of approximately $1.28 billion in cash. Symantec expects the transaction to be 9 cents dilutive to non-GAAP earnings per share in fiscal year 2011, due to the purchase price accounting write down of deferred revenue, and accretive to non-GAAP earnings per share in the September 2011 quarter. The agreement is subject to customary closing conditions, including regulatory approvals, and is expected to close in the September quarter.

Enabling a New Vision of Computing

Through this acquisition, Symantec can help businesses incorporate identity security into a comprehensive framework so that IT can confidently and securely adopt new computing models, from cloud computing to social networking and mobile computing to user-owned devices, that promise operational efficiencies and freedom of choice for their employees and customers. That framework is based on five imperatives that Symantec is enabling as part of its new vision of computing and includes:

  • Identity security: proving that people and sites are who they say they are
  • Mobile and other device security: securing mobile and other devices and the information on them
  • Information protection: protecting information from loss, attack, theft and misuse and ensuring the ability to recover that information
  • Context and relevance: delivering information that is relevant to people in both their personal and professional roles
  • Cloud security: ensuring the secure delivery of applications and information from both public and private clouds

Ease-of-use, speed-of-delivery and user-driven preferences are the new imperatives in today’s workplace. People whose personal and professional lives have converged onto their digital devices increasingly expect the freedom to work from anywhere using their own devices, to use any application and to collaborate with anybody in their social network to effectively get their jobs done and simultaneously live their network-enriched lives.

IT departments struggle to meet user expectations with simple, secure and cost-effective solutions. Cloud computing can provide instantaneous scale and delivery of applications and desktops by enabling businesses to leverage services from the cloud instead of deploying applications on premise. Identity-based security gives IT the assurance that as information moves in and out of the cloud it is always protected — across any device and between the network and devices they control and those that they don’t. The user’s identity drives what information they can access and how it can be used and shared, independent of the device or application.

Creating Mutually Trusted Interactions Online

VeriSign’s SSL Certificate Services provide users with assurance that the websites they are interacting with are legitimate and secure and that their information will be safe when they share it with that site. The VeriSign check mark signifies the authenticity of the websites that users visit and assures them that any sensitive information they share with that site will be encrypted during online transactions. With more than one million web servers using VeriSign SSL certificates, and an infrastructure that processes more than two billion certificate checks daily, VeriSign has the leading share of the SSL market. The addressable market for the server and user authentication segment is estimated to reach $1.6 billion by 2013.

Symantec’s current portfolio, along with assets from VeriSign, provides the depth and breadth of technologies to make identity-based security of information more universal and part of a comprehensive security solution. By combining VeriSign’s SSL Certificate Services with Symantec Critical System Protection or Protection Suite for Servers, Symantec will help organizations ensure a higher level of security on their web servers as well as verify that security, providing users with the trust and confidence necessary to do business online.

VeriSign helps organizations validate the identity of users through its VeriSign Identity Protection (VIP) user authentication service that complements the existing Identity Safe capabilities within the Norton products. The cloud-based VIP service helps organizations doing business online confirm the identities of their customers, employees and partners through user-owned digital certificates that reside on a card, token or other device such as a mobile phone, ensuring that they are giving only legitimate users access to their information. VeriSign has already issued more than two million VIP credentials to individuals and has a network of hundreds of merchants.

Through Symantec’s worldwide distribution network and footprint on more than one billion systems – including end-user devices such as laptops, desktops and smart devices, as well as servers – Symantec can facilitate the ubiquity of identity security through digital certificates for both individuals and companies. This is critical to creating mutually trusted interactions online. Merchants have added incentive to join the VIP network if user certificates are widely distributed. More merchants in the VIP network means a more secure and convenient experience for customers moving among member sites. Merchants benefit as well from knowing their customers are also trusted and secure.

Symantec can expand the VIP ecosystem by incorporating user certificates into its Norton-branded consumer products, providing a channel through which consumers can easily create secure identities that can be authenticated when they do business online. In addition, the combination of the information classification capabilities of Symantec’s Data Loss Prevention solutions and Data Insight technology along with VeriSign’s identity security services will allow us to help customers ensure that only authorized users have access to specific information.

Signifying Trust Online

The VeriSign check mark is the most recognized symbol of trust online with more than 175 million impressions every day on more than 90,000 websites in 160 countries. Symantec’s security solutions and the company’s Norton-branded suites protect more than one billion systems and users around the world. With the addition of VeriSign’s security assets, Symantec will become the leading source of trust online. Following the close of the transaction, Symantec plans to incorporate the VeriSign check mark into a new Symantec logo to convey to users that it is safe to communicate, transact commerce and exchange information online.

For more information on how VeriSign’s services will augment Symantec’s portfolio please visit: http://go.symantec.com/verisign.

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Security update for Photoshop CS4

Critical vulnerabilities have been identified in Photoshop CS4 that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious .TIFF file must be opened in Photoshop CS4 by the user for an attacker to exploit these vulnerabilities. Adobe recommends Photoshop CS4 customers update to Photoshop CS4 11.0.1, which resolves these issues.

Note: These issues do not affect Photoshop CS5.

See Adobe Security Bulletin

Social Media a growing problem for IT Departments

More than half (61%) of IT decision makers in the UK see the security threat of staff use of social media as their biggest concern, according to new research by LANDesk Software, a global leader in PC lifecycle management, endpoint protection and IT service management.

The study found that IT departments are facing an uphill struggle to regain control of the way they enforce policy and practice within their organisations as they face a power struggle against increasingly digital-savvy employees.

“Platforms such as Facebook, Twitter and LinkedIn have changed the way we communicate with one another,” says Andy Baldin, VP EMEA, LANDesk.

“Today more end-users than ever are able to easily download software and manage the way they use IT.

“As a result, many employees see themselves as their ‘own IT Manager’, which has the potential to cause a number of problems for organisations.

“As applications evolve, end-users increasingly download new software add-ons, which can expose businesses to new security threats.”

Despite the fact that the majority of firms do have strict policies around the use of social media (73%) and internet downloads (89%) in place, the study showed that one in three were unsure that these were being adhered to.

Indeed, 55% of employees surveyed admitted to downloading software from the internet to a corporate computer.

Source: Security Watch – Internet Security News: IT security, Business security, Computer security, Network security, and more

PDF files spread Windows worm

A PDF attachment in spam e-mails purports to be instructions for reconfiguring the recipient’s e-mail account, but instead installs a worm and rootkit

Source: The H Security

Symantec buy PGP Corporation and GuardianEdge

Symantec has announced that it has reached an agreement to acquire PGP Corporation for $300 million and GuardianEdge Technologies for $70 million

Source: The H Security

Info security breaches at record levels

After declining in number for the last few years, a new wave of security breaches is hitting UK organisations, costing them billions of pounds, despite the fact that security remains high on management’s agenda and the recession has not dampened spending on security, according to a survey released today by PricewaterhouseCoopers LLP (PwC) at Infosecurity Europe.

Technology has continued to evolve rapidly through greater use of cloud computing and social networks, and public and private sector organisations appear to have a greater understanding of security risks and the need for assurance over them.

Source: Security Watch – Internet Security News: IT security, Business security, Computer security, Network security, and more

Security hole fixed in Firefox 3.6

Version 3.6.2, which so far is only available as a beta, fixes a critical security hole in Firefox 3.6 for Windows that was discovered some time ago

Source: The H Security

1 in 4 kids have tried hacking into Facebook accounts

Despite 78% agreeing that it is wrong, 1 in 4 of the UK’s children have tried their hand at hacking into others’ Facebook accounts, mostly by surreptitiously using the victims’ passwords – that is the stark finding of a survey released today.

And it’s not just the boys – 47% admitting guilt are girls.

The study of 1,000 youngsters from London and 150 from Cumbria found that although 27% were doing so from the relatively safe confines of their bedrooms, these juvenile offenders are utilising computers in Internet Cafés (22%), the ICT suite at school (21%), and a friend’s machine (19%).

The most common reason was for fun (46%); however, 21% aimed to cause disruption and a resourceful 20% thought they could generate an income from the activity.

However, there are some things that can be done to protect our online activity:

  • Install security software: anti-virus, anti-spyware and a firewall
  • Never disclose passwords or respond to emails that ask us for this information
  • Vary your user name and passwords between sites. That way if one account is compromised it can limit the damage of others being breached
  • Untick ‘remember me’ boxes for user name and passwords, especially for email accounts, online banking, social media websites etc. if your computer is used by other members of the household – and therefore possibly their friends
  • Be careful what you talk about in chat rooms, you never know who you’re talking to or who’s listening in. Someone with an ulterior motive could be gathering information spanning many months that individually tells you nothing but pieced together provides a complete picture
  • Periodically change your username and password, immediately if you suspect someone may know it.
  • Protect yourself against eavesdroppers and freeloaders by using encryption on your wireless network
  • Use a password manager such as Password Safe by Bruce Schneier

Source: Security Watch – Internet Security News: IT security, Business security, Computer security, Network security, and more

Mac OS X: "safer, but less secure" – Update

20 security holes in Apple software are about to be disclosed: Charlie Miller intends to present details of the vulnerabilities at the CanSecWest conference next week. The expert talked with heise Security about the security of Mac OS X beforehand

Source: The H Security
