<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Gail Bronson, Author at Security Current</title>
	<atom:link href="/author/gail-bronson/feed/" rel="self" type="application/rss+xml" />
	<link>/author/gail-bronson/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 03 Jan 2018 01:45:03 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Gail Bronson, Author at Security Current</title>
	<link>/author/gail-bronson/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Numerous Companies Compete for Position in Evolving Network Security Space</title>
		<link>/numerous-companies-compete-for-position-in-evolving-network-security-space/</link>
					<comments>/numerous-companies-compete-for-position-in-evolving-network-security-space/#respond</comments>
		
		<dc:creator><![CDATA[Gail Bronson]]></dc:creator>
		<pubDate>Thu, 06 Mar 2014 17:30:28 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17248</guid>

					<description><![CDATA[<p>Both early stage and longstanding security vendors jockeyed for position in the evolving network security space at the RSA 2014 security conference. Companies including Narus, FireEye, Cyphort and Securonix, along&#8230;</p>
<p>The post <a href="/numerous-companies-compete-for-position-in-evolving-network-security-space/">Numerous Companies Compete for Position in Evolving Network Security Space</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Both early stage and longstanding security vendors jockeyed for position in the evolving network security space at the RSA 2014 security conference. Companies including Narus, FireEye, Cyphort and Securonix, along with Fortune 500 companies such as Hewlett-Packard, demonstrated and discussed their newest security solutions.</p>
<p>Network security vendors were eager to persuade potential customers that their solution is the best choice to protect corporate networks. The current crop of security start-ups is focused at the network level and takes a broad approach to the problem, David Monahan, an analyst at Enterprise Management.com, told securitycurrent. “They are creating solutions that provide data in a broader context when there is a security breach and actionable intelligence,” he said.</p>
<p>“Vendors explain to customers the root cause of the security breach, provide the means to tell what the root cause is, and where (the customer) needs to fix it,” said Monahan, who also said he has seen at least six new security companies pop up in the last 60 days.</p>
<p>One of those newcomers is Cyphort, which emphasizes that its architecture adapts to each corporate customer’s specific network architecture to scan for anomalies.  As a result, Cyphort’s customers don’t need to deploy expensive network appliances to separate Cyphort’s traffic collection from its threat detection and analytics functions. Also, Cyphort and a number of its competitors promote their use of machine learning analysis and sandbox inspection of content. These tools reduce the number of false positives and provide an advantage when dealing with zero-day and armored malware.</p>
<p>Mergers and partnerships among security vendors are another approach security companies are taking to one-up their competitors with enhanced security solution portfolios. For example, Hewlett-Packard and Securonix announced their partnership to offer capabilities beyond those that FireEye and its latest acquisition, Mandiant, are selling.</p>
<p>Sachin Nayyar, Securonix CEO and founder, told securitycurrent.com that the partnership offers the market several competitive capabilities. For example, Hewlett Packard and Securonix are selling fully automated, behavior based, anomaly detection at the user, account, application, network and peer group level. This capability is useful for exfiltration detection and management, as well as for insider threat detection and management, said Nayyar.</p>
<p>Then there was Boeing Corp.’s Narus. The security vendor announced its nSystem security solution as well as its deal with Hewlett-Packard to provide interoperability with HP’s ArcSight. Together they look to capture more enterprise and government customers.</p>
<p>Narus nSystem utilizes a combination of pattern recognition and machine learning. This approach gives nSystem the capability to recognize over half a million mobile and non-mobile applications on a network. Apps can be used to send intellectual property out of a company. Ordinarily, these pass through boundary protection mechanisms undetected, Prakash Nagpal, senior vice president of corporate and product marketing, explained to securitycurrent. “This ability to recognize existing and newly-introduced applications enhances an organization&#8217;s ability to take action quickly and mitigate malicious behavior,” he said.</p>
<p>In addition to technological advances derived through corporate alliances, FireEye’s recent purchase of Mandiant illustrates that it can be more efficient and economical to buy rather than build new features or products. FireEye takes a sandbox approach to protecting networks while Mandiant provides an endpoint solution. “Mandiant was essentially a good move for FireEye to continue to expand their horizons,” said analyst Monahan, commenting on the business aspect of the acquisition. “FireEye has done a good job on branding but their revenues haven’t been keeping pace,” said Monahan.</p>
<p>New products or not, before any network-related security vendor can report geometric jumps in revenues or customers, security vendors will have to educate the marketplace that the need to develop an internal security program is critical. “I’m still at the stage of trying to get most of my clients to pay attention to internal network security,” said John Kindervag, an analyst with Forrester. “I’m still trying to get most of [them] to shine a light on their internal networks instead of just looking at the perimeter.”</p>
<p>Kindervag told securitycurrent that it’s important to focus on internal networks because all cybercrime is an inside job. “External attackers know how to bypass perimeter controls,” Kindervag explained. “Once they’ve done that, they get all the privileges of a trusted user. Now attackers can do whatever they want to because no one is watching them. They can easily breach the network, steal data and get away with it.”</p>
<p>Bottom line, said Lawrence Pingree, a Gartner security research director, “The reality is that no one security technology is good enough. Hackers are always working to defeat the latest defense. So you have to invest in defenses for the latest threat as well as every threat experienced in the past.”</p>
<p><em>Gail Bronson is an accomplished technology journalist and security start-up entrepreneur. She was the Founding Managing Editor of Bloomberg and the Founding Editor of Forbes Science &amp; Technology section and she held stints at other publications including U.S. News &amp; World Report and Internet Week.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>/numerous-companies-compete-for-position-in-evolving-network-security-space/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Vormetric Introduces Application Layer Encryption Solution</title>
		<link>/vormetric-introduces-application-layer-encryption-solution/</link>
					<comments>/vormetric-introduces-application-layer-encryption-solution/#respond</comments>
		
		<dc:creator><![CDATA[Gail Bronson]]></dc:creator>
		<pubDate>Wed, 19 Feb 2014 17:43:21 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17256</guid>

					<description><![CDATA[<p>Vormetric has announced a new application encryption tool kit, which equips corporate IT departments with the ability to create and integrate encryption in their own applications. The new solution, called Vormetric&#8230;</p>
<p>The post <a href="/vormetric-introduces-application-layer-encryption-solution/">Vormetric Introduces Application Layer Encryption Solution</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Vormetric has announced a new application encryption tool kit, which equips corporate IT departments with the ability to create and integrate encryption in their own applications. The new solution, called Vormetric Application Encryption, extends Vormetric’s data security platform with tools to encrypt data at rest within the enterprise and web applications, as well as cloud and big data environments.</p>
<p>Customers were asking for an application layer toolkit because they wanted to design encryption specifically into their applications, Vormetric’s CEO Alan Kessler told securitycurrent.com. “Customers are feeling pressure to increase the amount of data they protect in their applications,” he explained. “It’s clear that increasing regulatory agency requirements concerning privacy, security and compliance, are compelling organizations to protect more data at rest on their servers.”</p>
<p>In general, enterprises are eager to move more resources to the cloud, observed Garrett Bekker, an analyst at 451research.com. “But security  concerns remain a major  barrier to adoption. Encryption is one way to address those concerns as well as regulatory compliance mandates,” he said.</p>
<p>CEO Kessler said that Vormetric’s central platform will drive down overhead costs for customers as well. “Our one, central policy and management platform means customers don’t have to deal with multiple vendors and buy products piecemeal, or train up to work with different solutions, which all incur additional expenditures,” he said. “We’ve given them a single belly button to push.”</p>
<p>“The performance of Vormetric’s encryption at the operating system layer, just under the application layer, allows customers to integrate our encryption into their own applications,” added Sol Cates, Vormetric’s Chief Security Officer.</p>
<p>The toolkit includes key management, APIs, interfaces and sample code tools to encrypt data at rest within enterprise and web applications, as well as in the cloud and in big data environments. Cates said that the toolkit allows developers to design encryption specifically into their applications. Having a toolkit will reduce developer reluctance to deploy encryption that often requires the use of free open source libraries such as <a href="https://en.wikipedia.org/wiki/Crypto%2B%2B">Crypto++</a> and <a href="https://en.wikipedia.org/wiki/Java_Cryptography_Extension">Java Cryptography Extension (JCE)</a>.</p>
<p>Customers will be able to manage encryption of data at rest over extended periods of time, and encrypt specific database fields and customer specific data. So, for example, if a website asks someone to enter sensitive data such as a credit card or social security number, with Vormetric’s application encryption in place, the website owner can selectively encrypt that data as soon as it’s typed into the website fields before the data is communicated on the network. Another use is to encrypt usernames and passwords instead of the normal hash functions used by most applications.</p>
<p>“The performance of Vormetric’s encryption at the operating system layer, just under the application layer, is what allows customers to integrate our encryption into their own applications, and create policy about data access as they wish,” explained Cates. “This tool provides powerful control at the field level for encrypting applications interfacing with databases.”</p>
<p>Of course, competitors such as RSA and SafeNet also provide application encryption libraries as part of their toolkits, said Cates. “However, these libraries rely on a separate key management platform, and deep integration for each application. Vormetric’s Data Security platform allows for transparent or application encryption, with one interface that meets all the data security needs of our customers.”</p>
<p>Just as important as the encryption of the data is controlling access to the encrypted information. Vormetric’s policy management, associated with the application encryption tools, allows customers to determine who should have privileges to access specific data files or databases. The policy then provides monitoring of who accesses, or attempts to access, that data.  When unauthorized requests for access occur, the requests are denied and alerts are generated about the unauthorized request.</p>
<p>Vormetric also announced today that it has integrated Intel’s Xeon processor E7v2 chip into its data security platform.  The new Intel chip’s AES-NI encryption boosts performance dramatically compared to Intel’s previous generation processor. “Encryption is math,” said Kessler. “So having a faster math processor, so-to-speak, will improve the likelihood that the encryption itself won’t become a performance bottleneck.”</p>
<p>Kessler said that faster encryption can provide more easily managed, cost effective security, which also makes it easier for customers to meet their data security, privacy and compliance needs. “So our customers can get more miles to the gallon, so-to-speak,” said Kessler.</p>
]]></content:encoded>
					
					<wfw:commentRss>/vormetric-introduces-application-layer-encryption-solution/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>ScrapeDefender Protects Website Content With New Anti-Scraping Software</title>
		<link>/scrapedefender-protects-website-content-with-new-anti-scraping-software/</link>
					<comments>/scrapedefender-protects-website-content-with-new-anti-scraping-software/#respond</comments>
		
		<dc:creator><![CDATA[Gail Bronson]]></dc:creator>
		<pubDate>Thu, 30 Jan 2014 17:47:05 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17260</guid>

					<description><![CDATA[<p>These days every company conducting business on the Internet must be vigilant to stave off the endless onslaught of viruses and other malware.  Attackers who use software programs to make&#8230;</p>
<p>The post <a href="/scrapedefender-protects-website-content-with-new-anti-scraping-software/">ScrapeDefender Protects Website Content With New Anti-Scraping Software</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>These days every company conducting business on the Internet must be vigilant to stave off the endless onslaught of viruses and other malware.  Attackers who use software programs to make unauthorized intrusions are eager to steal website content and gain access to the content and databases behind each website. Then these thieves use the stolen data for their own purposes or sell it for a lofty price.</p>
<p>We have seen a number of solutions entering this space. The latest solution to protect websites from these assailants is ScrapeDefender, which launched its cloud-based anti-scraping and monitoring service. This service, also called ScrapeDefender, uses anti-intrusion algorithms and patented technology to analyze network activity. The service immediately informs clients about suspicious scraping activity on the customer websites.</p>
<p>Screen scraping is a common practice in many industries, including  the travel industry, where competitive pricing information is sought and has led to <a href="http://www.tnooz.com/article/ryanair-takes-legal-action-against-budget-travel-for-screen-scraping/">battles</a> between the airlines and travel websites.</p>
<p>This practice has many legitimate uses and there are many tools to help developers gather and curate information, such as <a href="http://pages.connotate.com/replace-outdated-web-scraping.html">Connotate</a>. According to an article written by Rami Essaid, CEO of Distil Networks:</p>
<p>“In 2009, Facebook won one of the first copyright suits against a web screen scraper.  This laid the groundwork for numerous lawsuits that tied any web scraping with a direct copyright violation and very clear monetary damages. The most recent case was  <em>AP v Meltwater</em> , where the courts stripped away what is referred to as fair use on the Internet. Previously, for academic, personal, or information aggregation people could rely on fair use and use web scrapers. In the Meltwater case, the court  gutted the fair use clause that companies had used to defend web scraping. The court determined that even small percentages, sometimes as little as 4.5 percent  of the content, are significant enough to not fall under fair use.”</p>
<p>Robert Kane, ScrapeDefender’s CEO, told securitycurrent that ScrapeDefender is the “only solution on the market” that scans, monitors and protects websites against suspicious scraping activity. “Before ScrapeDefender, there was no one comprehensive solution for companies on the Internet to thwart intruders and monitor their websites for bots that are continuously trying to plunder websites,” Kane added. Despite his claims, there are many traditional defenses against website abuse such as Imperva’s Web Application Firewall, various defenses against automated logins such as <a href="http://nucaptcha.com/">nuCaptcha</a>, and, although it does not market itself as anti-screen scraping, <a href="http://www.securitycurrent.com/en/news/ac_news/shape-security-comes-out-of-stealth-mode-with-network-appliance">Shape Security</a>.</p>
<p>Although Kane declined to identify their beta testers, he said ScrapeDefender worked with companies in the airlines industry, consumer electronics and financial markets. The service is available now as a managed service by ScrapeDefender, or the customer can take control of the service.</p>
<p>The chief executive estimates that losses from web scraping and content theft are close to $5 billion annually. According to a recent industry study by Incapsula, malicious non-human-based bot traffic now represents more than 50 percent of all website visits.</p>
<p>&#8220;This nasty business of screen-scraping and unauthorized use of corporate data behind websites is growing at an alarming rate,” Kane said.</p>
<p>While it is not always nasty, defending against theft and re-use of valuable data can be invaluable to many website operators.</p>
]]></content:encoded>
					
					<wfw:commentRss>/scrapedefender-protects-website-content-with-new-anti-scraping-software/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Shape Security Comes Out of Stealth Mode with Network Appliance that Disables Attacks on Websites and Web Apps</title>
		<link>/shape-security-comes-out-of-stealth-mode-with-network-appliance-that-disables-attacks-on-websites-and-web-apps/</link>
					<comments>/shape-security-comes-out-of-stealth-mode-with-network-appliance-that-disables-attacks-on-websites-and-web-apps/#respond</comments>
		
		<dc:creator><![CDATA[Gail Bronson]]></dc:creator>
		<pubDate>Tue, 21 Jan 2014 23:23:40 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17759</guid>

					<description><![CDATA[<p>Shape Security disclosed today that after two years of research and development, the company has built a network security appliance called a botwall, which it said protects websites against a&#8230;</p>
<p>The post <a href="/shape-security-comes-out-of-stealth-mode-with-network-appliance-that-disables-attacks-on-websites-and-web-apps/">Shape Security Comes Out of Stealth Mode with Network Appliance that Disables Attacks on Websites and Web Apps</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="http://www.shapesecurity.com/">Shape Security</a> disclosed today that after two years of research and development, the company has built a network security appliance called a botwall, which it said protects websites against a wide range of cyber attacks – scripts, bots and malware.</p>
<p>Shape said its network security appliance is the first commercial use of real-time polymorphism as a defense against scripted web attacks. It transparently modifies the underlying web code these attacks rely upon, making web sites and web apps much more difficult to attack.</p>
<p>The new network security appliance is called ShapeShifter. It continuously changes the attack surface of a website by changing the web code, the HTML, CSS and JavaScript. Shape said this process removes the static elements in a website’s code that botnets and malware depend on for their automated attacks.</p>
<p>“Malware is very brittle and unprepared for constantly changing web codes,” said Neal Mueller, Shape’s head of product marketing. “Criminals will inevitably reprogram their malware, but it will still be deflected the next time they try to make an automated attack on a polymorphic website.” Meanwhile, Mueller added, the botwall reproduces the original experience for anyone who comes to the website.</p>
<p>“Shape&#8217;s technology bankrupts fraudsters by taking a page out of their own playbook,” added Robert Capps II, Senior Manager, Global Trust and Safety at StubHub, who is familiar with the new technology. “ShapeShifter makes automated attacks more difficult and expensive. A ShapeShifter-protected website becomes a moving target for fraudsters.”</p>
<p>Shape’s Mueller said the company is ramping up channel distribution for sales. For now, the company is selling individual site licenses with multi-year contracts to brand name enterprises. Shape said it beta tested the network appliance with more than 20 large enterprises over the past nine months.</p>
<p>Shape Security, based in Mountain View, CA, was launched in 2011 by CEO Derek Smith, CTO Justin Call and VP of Products Sumit Agarwal. Smith and Call worked together earlier at Oakley Networks. Smith and Agarwal met when they were both working in the U.S. Department of Defense.</p>
<p>The founders raised $26 million from a number of venture capital firms. These included Venrock, Google Ventures, Allegis Capital, Kleiner Perkins Caufield &amp; Byers and Tomorrow Ventures, the investment vehicle owned by Eric Schmidt, Google’s executive chairman.</p>
]]></content:encoded>
					
					<wfw:commentRss>/shape-security-comes-out-of-stealth-mode-with-network-appliance-that-disables-attacks-on-websites-and-web-apps/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Working Group to Develop Security Standards for Mobile Apps</title>
		<link>/working-group-to-develop-security-standards-for-mobile-apps/</link>
					<comments>/working-group-to-develop-security-standards-for-mobile-apps/#respond</comments>
		
		<dc:creator><![CDATA[Gail Bronson]]></dc:creator>
		<pubDate>Wed, 18 Dec 2013 01:24:40 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17794</guid>

					<description><![CDATA[<p>The establishment of the Mobile App Security Working Group, (MAS), was announced at the Amphion Forum in San Francisco last week. Member companies will collaborate to develop security standards for&#8230;</p>
<p>The post <a href="/working-group-to-develop-security-standards-for-mobile-apps/">Working Group to Develop Security Standards for Mobile Apps</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The establishment of the Mobile App Security Working Group, (MAS), was announced at the Amphion Forum in San Francisco last week. Member companies will collaborate to develop security standards for mobile applications that interact with each other. The MAS charter members are <a href="http://www.mocana.com/">Mocana</a>, <a href="http://www.sap.com/">SAP</a>, <a href="http://www.fireeye.com/">FireEye</a>, <a href="https://www.mcafee.com/">McAfee </a>and <a href="http://windriver.com/">Wind River</a>.</p>
<p>The rise of connectivity between industrial control systems is stimulating the need to develop these standards to govern secure mobile apps on all kinds of devices used in all sorts of environments. These situations may range from a war zone to a hospital emergency room, from a power plant to an automobile factory floor, explained AJ Shipley, Senior Director of Security Solutions at Wind River, an <a href="https://www.intel.com/">Intel</a> subsidiary. One of the conference keynote speakers, Shipley said Intel forecasts there will be 15 billion connected devices online by 2015.</p>
<p>“The development of mobile apps in all kinds of industries with enterprise, military and consumer end users is only going to continue to accelerate,” Shipley added.</p>
<p>New industry standards will also help mobile companies grappling with malware. “The goal is to create an industry standard for sharing security relevant data so we can make more informed decisions closer to real time when malicious activities occur,” said Shipley. He added that securing the emerging IoT (Internet of Things) doesn’t require any new approaches. “What is required is adapting the IT security controls that have been refined over the past 25 years to the new use cases and the resource constrained environments of the IoT.”</p>
<p><em>Gail Bronson is an accomplished technology journalist and security start-up entrepreneur. She was the Founding Managing Editor of Bloomberg and the Founding Editor of Forbes Science &amp; Technology section and she held stints at other publications including U.S. News &amp; World Report and Internet Week.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>/working-group-to-develop-security-standards-for-mobile-apps/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Spy On Me, I’d Rather Be Safe</title>
		<link>/spy-on-me-id-rather-be-safe/</link>
					<comments>/spy-on-me-id-rather-be-safe/#respond</comments>
		
		<dc:creator><![CDATA[Gail Bronson]]></dc:creator>
		<pubDate>Wed, 11 Dec 2013 18:38:41 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17138</guid>

					<description><![CDATA[<p>Thanks to the hijinks of Edward Snowden, and just this week, the news that a group of eight tech giants, including Google and Microsoft, are asking for governments worldwide to&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p>Thanks to the hijinks of Edward Snowden, and just this week, the news that a group of eight tech giants, including Google and Microsoft, are asking for governments worldwide to address surveillance of individuals and data access regulations, the public’s attention is again focused on how the Federal government goes about protecting Americans against potential terrorist threats.</p>
<p>So a recent debate about the Federal government’s data collection, which some folks call domestic espionage, was quite timely. Intelligence Squared U.S., a nonprofit organization that hosts debates for NPR, and the McCain Institute for International Leadership, hosted such a debate last month &#8212; listen <a href="http://www.npr.org/2013/11/22/246774367/debate-does-spying-keep-us-safe">here</a>. The event brought together four experts in national security, civil rights and spy craft. The two sides jousted over whether the Federal government oversteps its legal authority in the ways it works to protect American citizens against terrorist acts before they take place.</p>
<p>The two teams were formidable. Defending the belief that the government performs well within its legally established rights were Stewart Baker and Richard Falkenrath. Baker’s resume includes his service as the first Assistant Secretary for Policy in the Department of Homeland Security (DHS), and earlier, as General Counsel at the National Security Agency (NSA). Baker’s partner, Falkenrath, served at Homeland Security as a deputy advisor. Also, Falkenrath was the New York City Police Department’s deputy commissioner for counterterrorism.</p>
<p>The background of their opponents was equally impressive. David Cole, a long-time Constitutional law professor at Georgetown University, won this year’s ACLU Foundation Award for a Lifetime Commitment to Civil Liberties. His teammate, Michael German, is the Senior Policy Counsel, who works on national security and privacy issues for the American Civil Liberties Union (ACLU). Before joining the ACLU, German was an FBI special agent for 16 years. German focused largely on domestic terrorism for 12 of those years.</p>
<p>So in terms of expertise, the teams were fairly matched. However, their arguments clashed.</p>
<p>There were really two points of contention.  One was the stated question for the debate, whether or not the U.S. government has the legal right to collect data for future use. The secondary issue called into question whether the government’s collection of data impinges on personal privacy.</p>
<p>Baker and Falkenrath, the defenders of the Federal government’s current system of data collection, made some salient points at the outset. Falkenrath noted that in the overwhelming number of incidents since 9/11, the data that triggered full scale terrorist investigations came from some sort of electronic surveillance. “A terrorist plot is not that difficult to stop if you know about it,” he said. “Finding out about it in the first place is by far the hardest step in the process. So these (data collection) programs really do matter.”</p>
<p>He added, “We are advocating lawful surveillance, things which are clearly backed up by the Constitution, by statutes and by court interpretation are permissible. We are not arguing for anything unlawful.”</p>
<p>German, on the opposing team, countered that the real issue is whether the tools the government uses are “necessary, legal or effective.” He believes data collection, which he calls “spying,” results in the waste of security resources and fills databases with irrelevant information.</p>
<p>It isn’t a question of whether the government should have tools, German said, of course they should. But are they legal and effective? He used the Times Square Bomber incident as an example of data collection that didn’t protect the public. “Spying on you and spying on me makes us less free and less safe,” he said. “We know that spying on us didn’t protect us from the Christmas Day underwear bomber (or) from the Times Square Bomber. Luck is what protected us, not surveillance.”</p>
<p>Baker’s riposte used the very same Times Square Bomber incident as an example of a situation where data collection <em>did</em> protect the public. Here’s what happened.</p>
<p>On May 1, 2010, Faisal Shahzad drove an explosives-packed Nissan Pathfinder close to Times Square and left it there. Street vendors quickly reported the car emitting smoke to the New York City police. They brought in the FBI. Investigators connected the car to Shahzad, did some research and quickly came up with the phone number that he had given Emirate Airlines when he booked a flight out of the country two days later. Then the FBI, working with Homeland Security, was able to match this information with data about Shahzad already in government databases, because he previously had been identified as a potential threat to the country.</p>
<p>Immediately, Homeland Security sent a notice to Customs and Border Protection (CBP) to be on the lookout for Shahzad.  At the airport, CBP compared names on the lookout notice with the final list of passengers on his flight supplied by the airline just before take-off.  So that is how CBP discovered that Shahzad was onboard a plane that was minutes away from leaving the country. Agents were able to detain the plane on the ground, pull Shahzad off and arrest him.</p>
<p>In retrospect, the airline staff at JFK could have identified Shahzad immediately if he had bought his ticket in time for his name to be included on the government’s latest edition of the no-fly list. But through a quirk of fate, Shahzad bought his ticket so close to his flight time that his purchase data wasn’t included in the latest no-fly list that would’ve flagged him for the airlines.</p>
<p>“He would have gotten away, but for the data, which German calls spying on everybody,” said Baker. “I would call it ‘gathering data that is already in the hands of third parties,’ the airlines.”</p>
<p>Okay, points for the defending team in this debate. But opponents German and Cole then brought up the Boston Marathon bombers and the Fort Hood shooting in Arkansas as other examples where the government had fallen down on the job. Although the FBI had interviewed the individuals involved, the FBI didn’t tap them as potentially dangerous before their deadly actions. Points for the opponents.</p>
<p>Most important to his defense of the debate proposition, Baker said personal information is safeguarded by today’s system of data collection. No one is authorized to look at the data without reasonable suspicion about an individual or group’s activity.  “The only difference between a standard law enforcement search and the searches we’re talking about is that they gather information first and put it in a database,” Baker said.</p>
<p>“It just plain doesn’t make sense,” he said, to suggest that data should be collected only after law enforcement identifies suspicious characters, which the other debate team advocated.  He pointed out that there is no law that requires a business or organization to maintain any records about individuals for any amount of time.</p>
<p>“So it’s necessary to gather and store information now to make sure it still exists and is readily accessible later,” Baker said. For example, some agencies track the patterns of phone calls and bank the information for instant access the next time there is an investigation. “No one looks at the data until there is a reasonable suspicion that mischief is afoot,” he said. “It wouldn’t be practical to start gathering data after a bombing went off or a plane plowed into a building.”</p>
<p>Later in the debate, David Cole, the law professor from Georgetown, lit into the government for violating the country’s “core democracy” with its “demand” for information. “We’ve reversed that when the government demanded transparency from us but demanded secrecy about the programs they employ,” he said.</p>
<p>In fact, this is the way every law enforcement agency with a mandate to protect U.S. citizens operates, from a city police department to the NSA. The process and progress of their work isn’t revealed until completion. How could these agencies accomplish anything if their targets always knew which days, which hours and other details of how they were being investigated? In fact, German, who worked undercover for the FBI, pointed out that terrorist groups and individual criminals know they are under surveillance by governments and their agencies. But terrorists and criminals aren’t privy to the details of those government surveillance activities. It comes with the territory.</p>
<p>The development of laws governing surveillance was another factor in the debate that weighed in favor of the Federal government’s surveillance system. Baker pointed out that these laws have evolved over the last 35 years and today extensively govern how, when and where data collection systems can be deployed.</p>
<p>“It&#8217;s hard to believe, but it&#8217;s a fact that 35 years ago there was no statutory constraint and no jurisprudential constraint on the ability of the President to conduct electronic surveillance inside the United States for foreign intelligence purposes,” said Falkenrath. “It was unfettered. Now it&#8217;s fettered quite significantly.”</p>
<p>Baker pointed out that the events of 9/11 galvanized the enthusiasm of government leaders to create a more cohesive system for Federal agencies to collect and share information.  Two months after 9/11, Congress enacted legislation that established the Department of Homeland Security and another bill that created the Transportation Security Agency, known to most folks simply as the TSA.</p>
<p>Cole and German, who opposed early data collection, turned the debate to the issue of privacy versus security. They railed about how domestic surveillance requires an invasion of personal privacy, and asserted that somehow continuous data collection changes the behavior of people.  German charged that everyone’s knowledge of this activity may shape their online activity. People may hesitate to go to a particular website or use a certain search term on the web, he said. “(It) does damage to the fabric of our society.”</p>
<p>More to the point, said Falkenrath, is that everyone voluntarily gives up a lot of their privacy when they participate in many routine activities both online and in the physical world. These include applying for credit cards or applying for a mortgage, buying a plane ticket, and of course, when we share the details of our lives on all those social media sites. “The rules governing Federal government access to private information need to be evaluated in the context of societal norms,” said Falkenrath, “and there is no question that these norms have shifted in the age of social media.”</p>
<p>Baker concluded, “Once we release information to other people, it’s a lot less private. So it’s only logical that when people share personal information for commercial purposes, the information also gets shared with the Federal government for security purposes.”</p>
<p>Who won the debate? You can listen to the debate on <a href="http://www.npr.org/2013/11/22/246774367/debate-does-spying-keep-us-safe">NPR </a>and decide for yourselves.  As for me, this battle of wits only served to reinforce my personal point of view. Go ahead, spy on me…</p>
<p>For a rebuttal read Mark Rasch&#8217;s <a href="http://www.securitycurrent.com/en/analysis/ac_analysis/dont-spy-on-me-id-rather-be-safe">Don&#8217;t Spy on Me, I&#8217;d Rather Be Safe.</a></p>
<p><em>Gail Bronson is an accomplished technology journalist and security start-up entrepreneur. She was the Founding Managing Editor of Bloomberg and the Founding Editor of Forbes Science &amp; Technology section and she held stints at other publications including U.S. News &amp; World Report and Internet Week.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>/spy-on-me-id-rather-be-safe/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Two Million Passwords Stolen Worldwide from Popular Websites</title>
		<link>/two-million-passwords-stolen-worldwide-from-popular-websites/</link>
					<comments>/two-million-passwords-stolen-worldwide-from-popular-websites/#respond</comments>
		
		<dc:creator><![CDATA[Gail Bronson]]></dc:creator>
		<pubDate>Wed, 04 Dec 2013 01:46:43 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17806</guid>

					<description><![CDATA[<p>Cyber security researchers discovered that about two million credentials were stolen from end users frequenting popular websites earlier this year, making it easier for hackers to use their credentials to send&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p>Cyber security researchers discovered that about two million credentials were stolen from end users frequenting popular websites earlier this year, making it easier for hackers to use their credentials to send spam.</p>
<p><a href="http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html">Trustwave’s SpiderLabs</a>, the research team that discovered these thefts, said more than 318,000 of the stolen credentials came from Facebook, nearly 60,000 from Yahoo, more than 54,000 from Google and nearly 22,000 from Twitter.</p>
<p>The research team said the tool used was version 1.9 of the Pony Botnet Controller’s malware, which it embedded on two million workstations (desktops, laptops and tablets) worldwide, in June this year.</p>
<p>The botnet controller gained access to end user workstations and retrieved credentials for logging onto the websites quickly, according to Trustwave, which said hundreds of thousands of credentials were stolen within a few days of infecting the workstations.</p>
<p>Here’s how it works. Once the botnet controller invades an end user’s workstation, it installs the malware and searches all of the installed software for stored credentials to steal. The malware also watches web traffic to scoop up credentials when end users log onto websites. Then the botnet controller sends the credentials the malware has scooped up to the Command-and-Control server that is collecting the stolen goods. Trustwave’s researchers were able to access the controller and see the names, email addresses and passwords of all the accounts that were compromised. While the Command-and-Control server is located in the Netherlands, that doesn&#8217;t indicate where the people managing Pony reside.</p>
<p>What’s the motivation of these cybercriminals? Money, of course. John Miller, Trustwave’s Senior Research Manager, said that in general, cyber criminals pack up these credentials and sell them in bulk for a couple of cents each. Buyers use these credentials to send spam wide and far, including to the workstations where Pony poached the credentials in the first place.</p>
<p>Perhaps Trustwave’s most disconcerting discovery was that the botnet controller had successfully invaded payroll service provider ADP.com and reportedly stole 8,000 credentials. This means that whoever has login credentials to the ADP network, which includes ADP’s customer workstations and anyone involved in ADP’s payroll services, may have Pony’s malware in their system, said Miller. “So individuals who use ADP services might want to change their password,” he said.</p>
<p>In addition, Miller noted that it’s likely that Pony has installed its malware on many browsers, in Java software, Adobe PDF and Adobe Flash software, because these programs have such large numbers of end users. The best way for end users to protect their computer or laptop, he said, is to keep all their browsers up to date and promptly install program patches.</p>
<p>“Flaws in Adobe software and Java are very common attack vectors for loading malicious software like Pony,” said Miller. “When an end user is redirected to an exploit kit, that kit will often use those flaws to install Pony.” Interestingly, the Pony malware can only attack PCs or laptops running Microsoft programs. Apple computers and laptops aren&#8217;t vulnerable to this malware, yet.</p>
<p>The discovery of this botnet controller’s widespread presence and efficiency should raise a red flag for end users about how well they protect their login credentials for websites. The best protective measures that end users can take are nothing new: frequently change passwords and don’t use the same password across numerous websites.</p>
<p>Speaking of passwords, Trustwave analyzed the passwords they found among the two million stolen credentials for websites, social media and email accounts. The researchers divided the passwords into those that were excellent, medium and terrible in terms of strength. They based their determination on the length and type of characters in the password. Excellent passwords were those that used all four character types and were longer than eight characters, while terrible passwords used four or fewer characters and only one character type. No surprise that there were many more terrible passwords than excellent ones in the Pony haul. The majority fell in between, in what they called medium strength.</p>
<p><em>Gail Bronson is an accomplished technology journalist and security start-up entrepreneur. She was the Founding Managing Editor of Bloomberg and the Founding Editor of Forbes Science &amp; Technology section and she held stints at other publications including U.S. News &amp; World Report and Internet Week.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>/two-million-passwords-stolen-worldwide-from-popular-websites/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>PCI Security Standards Council Updates Credit Card Data Security Standard</title>
		<link>/pci-security-standards-council-updates-credit-card-data-security-standard/</link>
					<comments>/pci-security-standards-council-updates-credit-card-data-security-standard/#respond</comments>
		
		<dc:creator><![CDATA[Gail Bronson]]></dc:creator>
		<pubDate>Fri, 22 Nov 2013 21:35:30 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17872</guid>

					<description><![CDATA[<p>The PCI Security Standards Council (PCI SSC), a worldwide forum that develops payment card security standards for its corporate members, has published its latest version of those standards for implementation&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p>The <a href="https://www.pcisecuritystandards.org/">PCI Security Standards Council </a>(PCI SSC), a worldwide forum that develops payment card security standards for its corporate members, has published its latest version of those standards for implementation in January, 2014.</p>
<p>The most recent updates include recommendations for blending the PCI Data Security Standard (PCI DSS) and the PCI Payment Application Data Security Standard (PA-DSS) into everyday business processes and best practices.</p>
<p>The PCI Council was created in 2006 by five of the largest global credit card brands: American Express, Discover, JCB International, MasterCard Worldwide, and Visa Inc. It is working to keep up with the growing dependence of its some 700 members, particularly small businesses, on third party security technology providers.</p>
<p>“As we continue to leverage technologies like cloud and expand e-commerce and mobile environments, this (dependence) will only increase,” said Bob Russo, General Manager for the PCI SSC.  “The PCI DSS 3.0 standard will help organizations better understand what they need to be aware of when working with third parties, and ensure that service providers are aware of their responsibilities to protect cardholder data.”</p>
<p><a href="https://www.pcisecuritystandards.org/pdfs/PCIDSS.pdf">Version 3.0</a> of the standards specifically addresses issues such as evaluation of malware threats, strengthening requirements for password management, updating authentication mechanisms and the control of physical access to devices that capture payment card data. Also, the updates should help members more easily integrate payment security protection into their operations.</p>
<p>Russo told securitycurrent that the PCI Council has increased its focus on educating members and building awareness about standards and security issues. This is necessary because many companies find it difficult to make the standards a routine part of their business practices.</p>
<p>The PCI Council, whose goal is to improve the security of payment card data worldwide, including systems that store, process or transmit cardholder data, updates the standards every three years based on feedback from its constituents.</p>
<p>As a self-regulating organization, the PCI Council has developed its own team of qualified security assessors who review and approve the security practices of each member organization annually. However, the assessment is only a snapshot in time, and many companies stumble in their efforts to maintain the standards the rest of the year. The PCI Council hopes that its education and awareness programs will help companies improve their compliance with the PCI Council’s standards.</p>
<p><em>Gail Bronson is an accomplished technology journalist and security start-up entrepreneur. She was the Founding Managing Editor of Bloomberg and the Founding Editor of Forbes Science &amp; Technology section and she held stints at other publications including U.S. News &amp; World Report and Internet Week.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>/pci-security-standards-council-updates-credit-card-data-security-standard/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
