IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.
A blog from


No escape for McAfee as hoodies taunt over false positive

The first day at London security conference Infosecurity was hijacked by a group of hooded men taunting insecurity firm McAfee over the false positive incident that recently rendered PCs inoperable.

Yesterday morning, about half a dozen men arrived at the Earls Court conference wearing black hoodies with a message on the back which said "You're only meant to blow the bloody virus up", an obvious reference to the Italian Job movie.

On the front of the hooded jumpers it said 'DAT 5958', a reference to an update the firm released last Wednesday which, once applied, resulted in the 'blue screen of death' and DCOM errors.

This affected Windows XP SP3 users, with the post-update security scan recording false positives and misdiagnosing machines as infected with W32/wecorl.a malware.

When asked where they were from, they refused to say. But suggestions were that it could be rival vendors or even businesses affected by the update.

Security companies were united in sympathy for McAfee, as this was a mistake that could have happened to any of them. McAfee has since offered to fix the PCs affected by the problem.

"I don't think it's appropriate for a company to snigger and chortle at what was an unfortunate incident for McAfee and their many customers," said Sophos security expert Graham Cluley, who witnessed the jokers first hand.

"I did wonder whether they had been sponsored by a security company, or a bunch of guys from a company that got hit. I have no idea, because they had no affiliations with them."


April 28, 2010

Government body heralds age of multifactor authentication

The future of information security will be dominated by ideas of identity and trust, according to new research from non-departmental public body the Technology Strategy Board (TSB).

Revolution or Evolution - Information Security 2020, which was undertaken by consultancy PricewaterhouseCoopers, reports that as identity theft becomes ever more commonplace and more interactions become virtual, proving one's identity online will become increasingly challenging.

"The research throws trust and identity up as key drivers of change in information security over the next decade," argued Andrew Tyrer, who heads up information security at the TSB.

"Current models primarily look at human to human trust. But with greater connectivity, there is an increasing need for humans to trust technology, technology to trust technology, and even technology to trust humans as devices increasingly act on behalf of individuals."

In areas such as e-commerce and m-commerce, the report suggests new authentication methods requiring multifactor authentication are likely to proliferate in the future, although they will need to take account of user privacy and consent.

The report also looks at the potential problems surrounding the increasing interconnectedness of devices and the need to share information electronically beyond the firewall as well as within.

While hardly telling us anything we don't know already, the report may be significant for some in the industry, as the Technology Strategy Board said it will use its findings to guide future support for research and development.

It may also shape the TSB's work in other strategic areas, such as healthcare and sustainability, it said.

April 27, 2010

Phishing need not be smart to work

On Friday we ran an article on a phony anti-phishing site which asked users to enter credit card numbers, only to scorn them for handing over sensitive data and provide links to anti-phishing resources. The site shows how social engineering need not be smart to still be effective.

While the page links to the Anti-Phishing Working Group's guidelines on avoiding phishing scams, the site is not run or condoned by the APWG, as was originally reported.


April 26, 2010

Google now "paranoid" about security

Google is now "paranoid" about security, chief executive Eric Schmidt is reported to have told an assembled bunch of 400 chief information officers at an all-day event in Mountain View yesterday.

Speaking at its inaugural Atmosphere 2010 event, Schmidt is reported to have explained that the web giant learned some hard lessons from its recent brush with Chinese hackers.

It is widely believed that the hackers gained initial access to an employee's computer via a flaw in Internet Explorer 6, from which point they managed to infiltrate deeper into Google's systems.

So what does this all mean for the security or otherwise of Google's products? Well, in a strange way the hack will probably end up being good news for the web giant's customers.

Schmidt argued that the firm has since accelerated its plans to use more of its own web-based products and services internally, such as the Chrome OS. These are "inherently more secure" than the alternatives out there, he added. Over to you, Microsoft.

April 13, 2010

Yet more local authorities found wanting by ICO

The problem of public sector data breaches was highlighted again in the run-up to Easter with three local authorities falling foul of data protection watchdog the Information Commissioner's Office.

The ICO rapped the knuckles of St Albans City and District Council and Warwickshire County Council for failing to encrypt data on portable devices.

In the case of the former, a laptop which was used to store postal voters' records was stolen from a desktop along with three other laptop computers. In the case of Warwickshire it was the theft of two laptops and the loss of a memory stick.

The third local authority in question was the Highland Council, which was found to be in breach of the Data Protection Act after personal data relating to several members of one family was inadvertently disclosed to another unrelated individual.

The chief executives of all three councils have signed undertakings with the ICO promising to ensure a similar breach does not occur again. Encryption and staff education were two of the key recommendations to come from the ICO.

Now these incidents may be small fry when compared to, say, the massive HMRC breach of a few years ago, but nevertheless highlight that the ICO's work is still as important as ever in this area.

Whether progress is being made is another matter, but at least with the new power to fine the worst offending organisations up to £500,000, the ICO's stick can be a lot firmer on those occasions when its carrot is not quite doing the job.

April 7, 2010

© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093