
Um, embarrassing, no?
From Heise:
According to an old proverb ‘The cobbler has the worst shoes’. It’s now been reported that Secure, McAfee’s security portal, has had poor shoes or rather poor security, because until recently it displayed a vulnerability to cross-site request forgery (CSRF).
McAfee Secure is a service that lets clients use the Hacker Safe tool to check their sites or online shops for security vulnerabilities and for compliance with the PCI Data Security Standard, which is important for credit-card transactions. If the check shows sites are OK, shop operators can include the McAfee Secure logo in their web site. This is supposed to reassure their customers that their data is well protected and there’s no danger lurking in transactions, such as making payments.
I’m not going to go on about this one. Here is more from others. But, I have renewed faith in Nate McFeter’s Certified and Scanless PCI programs.


Budgets are a problem of late for a lot of people. They’re getting slashed and in many cases it’s just becoming too hard to make ends meet for security programs. One possible solution is GFI’s LANguard. The reason I bring this up is that I’ve gotten word that this Thursday GFI will be announcing a free version of their scanner. When you download the trial version, which gives you 10 days, it will switch to a full-featured version after that for up to 5 IP addresses.
From GFI:
Top Features
* Identify security vulnerabilities and take remedial action
* Detect Virtual Machines
* Automatic remediation of unauthorized applications
* Automatic deployment of network-wide patch and service pack management
* Easily analyze and filter scan results
Sure, it’s not a lot, but five IP addresses for free isn’t too shabby. Look for the official announcement this Thursday.

In these troubled economic times I find salespeople and PR firms pitching ops and spins with a new urgency and a borderline desperation. I’ve seen a marked uptick in the Coke vs. Pepsi nonsense of why $VENDOR_A thinks their product is better than $VENDOR_B’s.
But, then there are the ones that just make me smile. What better way to completely screw your competition than to slash your prices (or at least renewal licensing) by 50%?
A novel approach that will certainly win over a lunch and a pen.
From Network World:
Tough times could be driving increased competition in enterprise software with the news that BigFix is to undercut its rivals’ patch management renewal licensing by up to 50 percent.
The deal appears to be catch-free beyond the need for customers to license BigFix’s Patch Management software for a three-year period, and to use it to replace only those seats actually included in any current agreement. What this probably means is that rivals will privately have to match or better the cut when renewal time comes around, leading to further falls in per-seat overheads.
Congrats to BigFix for throwing down the gauntlet.
BigFix’s patch management promotion runs until 30 June this year, and is open to all North American and EU customers using a rival product.

With companies such as Motorola, AMD and SUN all cutting their respective work force, just to name a few, it comes as little surprise that IBM might soon follow suit. IBM (full disclosure, I used to work for them) has been successful on the balance sheets since before this economic downturn took hold. Now expectations are that IBM will report its first quarterly loss in some time.
From Forbes:
Despite an expected drop in sales, analysts predict that IBM’s earnings will rise about 8% to $3.03 per share for the quarter. The company’s relatively healthy profits are a result of careful cost-cutting at the computing giant, largely in the form of a cut in its pension plans two years ago. And though it maintained its earnings target in its last earnings announcement, the company may still be preparing for tighter times. A rumor that as many as 16,000 layoffs are coming, the equivalent of 4% of the company’s workforce, has persisted on the independent IBM employee site AllianceIBM.org, though IBM hasn’t confirmed the job cuts.
4% of the work force might seem small, but we’re talking about a company with roughly 400,000 staff. This is yet again an example of a lot of good folks pacing a hole through the floor. Now they wait and wonder as to their potential fate. The writing may be on the wall.
Bear in mind that this has not yet been confirmed by IBM.
UPDATE: (Jan 21, 2009) Well, I spoke about this on the 16th and it is hitting the fan now. Wall Street Journal has confirmed that IBM layoffs are underway.

I guess the world economy isn’t taking the piss out of everyone. Today we get word (thx tipster) that security firm Next Generation Security Software Ltd (“NGSS”) has been purchased by the NCC Group.
From the NCC Group Website:
NCC Group plc (LSE: NCC, “NCC Group” or “the Group”), the international, independent provider of Escrow Solutions, Assurance Testing and Consultancy, has acquired Next Generation Security Software Ltd (“NGSS”), a security and testing company, for a maximum consideration of up to £10.0m in cash.
This is the third acquisition by NCC Group in less than two years and as well as complementing its own capabilities in the network, testing and software security market; it will also substantially strengthen the Group’s position in this fast growing sector.
An all cash deal? Yup, the market is still good for some folks.
Congrats to David Litchfield and crew.

Wait, what?
I almost fell over when I learned this morning that Microsoft was still issuing licenses and providing support for Windows 3.x until November 1, 2008. This OS, for those playing the home game, is 18 years old. Time to kick the kid out of the house.
From BBC News:
Microsoft maintained support for Windows 3.x until the end of 2001, and it has lived on as an embedded operating system until 1 November 2008.
As an embedded system, it was used to power such things as cash tills in large stores and ticketing systems.
One of its more glamorous uses as an embedded operating system is to power the in-flight entertainment systems on some Virgin and Qantas long-haul jets.
Not to mention the fact that I have seen this OS installed on numerous gate computers in airports.
Well, the long running movie has come to the credit reel. Read on for the full story.
This morning customers that use the Sophos products weren’t able to get updates for a short spell. This was thanks to a “whoops” by one of the company’s ISPs.
From The Register:
Domain name system problems left some users of Sophos unable to get security updates on Friday. The same issue, blamed on a mistake by one of the security firm’s service providers rather than hostile action, left many surfers unable to access its main sophos.com website.
Graham Cluley, senior technology consultant at Sophos, explained that an error by one of its service providers in updating DNS settings for the Sophos.com site has permeated across the internet, and will take a little while to untangle. “Some users have experienced problems getting updates because of these incorrect settings,” he explained. “No kind of DNS cache poisoning or any kind of hacking attack was involved.”
I can well imagine that people were speculating about the possibility of a DNS attack. But, sometimes the correct answer really is the simplest one.

From Market Watch:
“Cyber-Ark is excited to be a part of the McAfee Security Innovation Alliance program,” said Udi Mokady, president and chief executive officer of Cyber-Ark Software. “McAfee is a dynamic leader in this industry and has a clear understanding of the value of integrating valuable partner technology into the overall enterprise solution to achieve a more complete security offering for customers.”
No word on whether or not they will get matching spandex as a part of the “alliance”.
Yes, it’s early and the coffee hasn’t kicked in yet. Let me have my fun. In all fairness, the Cyber-Ark folks have a good product offering for managing passwords in an enterprise.

Ah, Bill. I love my Pats, but he committed the unforgivable sin in sports. He got caught trying to swipe the other team’s playbook.
Now, you can get your own Playbook from the good people at Matasano. No, not a sports playbook. It’s been a while since I trotted out a sports reference.
Humour me.
What I am eventually working my way around to is that Matasano has launched their new product offering called Playbook. So, what is it exactly? Well, from their site we have the explanation.
From Matasano:
Playbook helps organizations with multiple network firewalls to better manage their policies by providing a centralized and version controlled repository of rulesets, which can be easily browsed or searched via the web. Network operators can review all recent rule changes affecting the London branch, document a recently provisioned firewall at corporate offices, and rollback to the last known version of rules for the North-East group after an update gone wrong with only a couple of clicks and without having to log into 50 different devices.
Um, that’s cool. Quite cool in fact.
Read the write up on their blog.
To throw more fuel on Myrcurial’s “cyber” fire I figured I would point folks to this article from the Arizona Star. I have to admit that I completely agree with him on the gratuitous use of the word “cyber” by talking heads and mainstream media.
From azstarnet:
Raytheon Co., which bought data-protection company Oakley Networks last year, created an information security unit to insulate federal government computers from attack and commercial customers from fraud or theft.
The new unit will seek to expand revenue in the federal and commercial data-security markets with combined total annual sales of $8 billion, Steve Hawkins, vice president of information security solutions, said in an interview Tuesday.
The $7 billion government information-security market will grow 20 percent annually over the next five years, Hawkins said. The $1 billion commercial market is increasing 40 percent annually. The new division will combine the assets acquired from Oakley with Waltham, Mass.-based Raytheon’s 25 years of experience in information security.
Yet another defense contractor jumps into the “me too” infosec pool.


