Web users ignoring certificates
Most online users simply ignore 'invalid certificate' warnings despite the security risks involved, according to a recent study by Carnegie Mellon University.
Although VeriSign, one the biggest names behind web certification, recently announced that it has issued more than four million Secure Sockets Layer (SSL) certificates, the research brings into question just how useful they are.
"Everyone knew that there was a problem with these warnings, our study showed dramatically how big the problem was," said Joshua Sunshine, co-author of the Carnegie Mellon paper.
Although warnings can come up due to various technical issues, they exist to help protect users from being redirected to fake sites and to help catch typo-squatting, where online fraudsters set up sites with URLs almost identical to their target in order to snare those who accidentally misspell an address when typing it in.
According to the study, most internet users simply don't know what the certificates are or what the warnings mean, while others believe they just have to be more careful on sites where these warnings appear.
Interestingly, the results seem to depend a lot on which browser was being used, primarily because the various developers use different language and prompts when displaying certificate warnings.
As a result, users of Mozilla's Firefox 3 browser were the least likely to click through after being shown a warning, and several security warnings created by the researchers themselves were even more effective. According to VeriSign, this highlights the need for education and obvious prompts that can help even inexperienced web users to be aware when something may be wrong.
"This research reminds us of the importance of providing usable tools for end users to differentiate between an authentic and an inauthentic web site and emphasises the importance of educating end users on how to use those tools," said Tim Callan, vice president of product marketing at VeriSign.
"That's why the industry has created new interface conventions like the green address bar to make it easier than ever for end users to distinguish between a real site and counterfeit site."
July 28, 2009
How to protect your privacy on Facebook
Facebook users have been warned about the dangers of allowing their personal content to be used by third party applications on the popular social networking site.
The Twittersphere has been ablaze in recent days with angry Facebook users seeking information about how to prevent the site from using content from their profiles, such as photos, to enhance the targeted ads in the sidebar and the advertising placed in third-party apps.
Trend Micro senior security advisor Rik Ferguson argued on the firm's CounterMeasures blog that if a user gives the application the right to access their info - which they have to on agreeing to install them - the ad networks that serve these adverts will have full access to profile data.
"That's how you might find yourself being the cover girl or poster boy for a product or service that you never intended to endorse," he added.
"Be careful which applications you add in the first place. If you find you are not using an application anymore, go ahead and remove it from your profile."
Ferguson added that many people aren't aware that their information can potentially also be exposed by their own friends, as any apps that they download will be able to crawl this information.
July 25, 2009
McAfee and Symantec battle to secure the cloud
As software as a service (SaaS) pioneer MessageLabs celebrates its tenth birthday, security giant McAfee made moves to restate its own credentials in the space today.
MessageLabs has been fighting malware from and in the cloud since before SaaS was even common parlance, and its Policy Based Encryption service has just received the sought-after UK Government CCT Mark of Approval, the firm's third service to do so.
Since then, the service provider has seen a host of more traditional competitors begin to offer their own hosted services, and was itself snapped up by security giant Symantec only last year.
Not to be outdone then, and with perfect timing, Symantec arch-rival McAfee decided to stake its claim as number one SaaS security provider with a grand strategy announcement and product news in the space.
When you read through all the marketing spin however, there's very little actual news. The firm talks about 50 per cent cost savings, of industry-leading technology and the most diverse range of products available today, but in terms of anything new, there are just a few enhancements to its Total Protection integrated endpoint offering.
McAfee security expert Sal Viveros said that the cloud-based delivery model allows IT administrators to use a centralised online console to set policies, which are then automatically pushed out to all users.
"You can get up and running in minutes," he added. "Users click on a link to install the service, and system updates are done whether the user is connected to the corporate network or not."
The service also benefits from global intelligence captured from each endpoint agent which can be used to build up superior knowledge of the threat landscape and ultimately keep endpoints better protected, according to Viveros.
"The most important thing for customers is that it lowers costs and drives efficiencies," he said. "For years customers who don't have the time or resources have been asking us for security-as-a-service, but with the current economic conditions we're getting more and more interest."
Whether you go with one of the big two or one of the smaller vendors who are increasingly occupying this space, however, the SaaS model will be here to stay long after the recession has done its work.
July 20, 2009
Trend Micro steps up virtual protection
Trend Micro has become the latest security vendor to expand its offerings in the virtualisation security sphere.
Trend Micro Core Protection for Virtual Machines is a new content security solution designed to protect VMware ESX/ESXi environments.
It uses the VMsafe APIs from VMware to offer comprehensive scanning that protects both active and dormant virtual machines, said the firm.
Trend argued that traditional content security solutions not built with virtualisation in mind will often allow dormant machines to become infected, as virus scans and signature updates cannot run while a machine is dormant.
To this end, Trend says its offering provides scanning and pattern updates from a separate scanning virtual machine, ensuring dormant machines are secured.
It also integrates tightly with VMware management infrastructure, and can be managed from the same Trend Micro OfficeScan console used to manage desktops and physical servers, reducing management headaches.
"We were interested to try out Trend Micro Core Protection for Virtual Machines since most security solutions are focused on the operating system software and this was the first solution we found for addressing the unique aspects of virtual machines," said Terence Snijtsheuvel, a senior consultant at Canadian SI, Compugen.
July 15, 2009
Experts warn of further iPhone security risks
Users are underestimating the potential security risks of owning an iPhone, according to new vendor-sponsored research released today.
Although the research comes from, surprise surprise, a firm selling endpoint device control software, the findings nevertheless highlight the potential security blind spot created by corporate use of Apple's iconic device.
The research, from DeviceLock, found that 65 per cent of IT decision makers recognised that unauthorised users could access valuable company data through the iPhone. However, nearly the same number said they had not taken any measures to secure company data against this threat.
More worryingly still, 40 per cent of businesses knowingly allow staff to download company data onto removable devices without any security provision, according to the research.
"The amount of removable and mobile memory-enabled devices that employees have on their person at any one time is now quite considerable - be it a USB stick or an iPhone," said Sacha Chahrvin, managing director at DeviceLock UK.
"Therefore, we were very surprised to see that most companies were not prepared for this threat."
While the research is obviously a less-than-subtle piece of marketing for DeviceLock's new DeviceLock 6.4.1 product, it shows how the consumerisation of corporate IT is becoming an increasing problem for IT departments to deal with.
"While 'smart' phones bring many positive benefits to the way we live and work, if the secrets that they hold about us fall into the wrong hands, it can put users at real risk of identity fraud and serious crime," argued David Porter, head of security and risk at consultancy Detica.
"Longer term, the answer to mobile security could lie with the 'secure cloud', where data is held safely in the network and handheld devices become just a way of accessing services. But this prospect is far off and isn't the entire solution."
July 13, 2009
Security double standards
Broadband provider Tiscali has released new figures showing an alarming lack of consistency between consumers' attitudes to privacy and their behaviour on social networking sites.
The firm polled 2,505 UK consumers in June and found that 49 per cent include their date of birth on social networking and online information sites, 40 per cent give their email address and 20 per cent job details.
Thirty per cent make their social networking profile public and 13 per cent said they don't know the difference between a public and private profile. Worse still, five per cent of people said they publish their home address and 21 per cent post information about holidays.
And yet two thirds said they thought aerial and streetview pictures of their home present a security risk, while 96 per cent said they thought that publishing details such as their housemates, mother's maiden name and other information available for anyone to access would put them at risk of identity theft.
There's clearly a massive disconnect between what people do online, especially on social networking sites, and what they think they are doing. It appears, rather worryingly, that despite the numerous identity theft stories splashed across the front pages, the public is still woefully ill-informed about the level of risk.
July 8, 2009
Twitter targeted by job scammers
The American Better Business Bureau (BBB) has joined an ever-increasing list of parties happy to express concern about the vulnerabilities inherent in using Twitter.
In an interview with the LA Times, BBB spokeswoman Alison Southwick explained that the Bureau had identified a number of firms looking to exploit users. Typically these will offer training courses designed to make the user money using the service. Ultimately, however, they appear to deliver nothing but big bills and disappointment.
"It's unbelievable how widespread this is," she added. "And with so many people vulnerable and looking for jobs, a scheme like this is going to have people falling for it when they can least afford to."
Recently, security expert Graham Cluley warned that what seemed like an innocent 'name game' could actually be exploited by undesirables looking to gain the kind of personal information that is normally kept private and used to protect login details.
"A hacker could grab details like your pet's name to try and crack into your email account," Cluley warned. "Think that's unlikely? Well, the likes of Sarah Palin, Paris Hilton and Salma Hayek have all had their private email accounts broken into by hackers after they guessed their so-called 'secret answers'. In addition, just think of how many people use the name of their beloved pet labradoodle as their password for umpteen online accounts anyway!"
The security firm PandaLabs also recently uncovered a series of rogueware campaigns surrounding popular tweets. In a blog post, Sean-Paul Correll from the firm's technical support team said that he had found a number of zombie accounts that ultimately linked Tweeters through to malware-serving pornography sites. He added: "The interesting part of it all is that cyber criminals are starting to target social networking sites more than ever."
Tweeter beware.
July 7, 2009
Mobile Trojans - a sign of things to come?
A posting on the Internet Storm Center (ISC) portal from security organisation SANS yesterday pointed to another mobile Trojan doing the rounds. However, exactly what threat it poses is still unclear.
The Trojan in question created a thread which sent six SMS messages, the contents of which are obfuscated. What the Trojan is intended to achieve, however, is still cloudy.
The ISC reader who alerted the site said he had received, via ICQ, an unsolicited message of garbled characters and a link to a .JAR (Java archive) file containing the malware.
Rather worryingly, according to ISC only 14 out of 41 AV products detected the JAR file successfully.
Rik Ferguson, senior security advisor at Trend Micro, one of the lucky 14 vendors which did detect the malware, said any mobile malware discovered is noteworthy, because there is so little of it around.
"It could be an attempt to find a way through Java to make it more cost effective to write malicious code because Java was designed to be cross-platform," he added. "It could be an attempt to overcome the homogeneity of the mobile platform."
Stay tuned for more updates.
July 2, 2009