Archive for July, 2010

NEWS: SonicWALL launches remote SSL VPN access products

July 31, 2010

Comprising a major software upgrade (Aventail 10.5) and a new device (SRA 1200), SonicWALL’s new offerings include smartphone support for remote access to data behind the corporate firewall.

The Aventail upgrade ties the unique mobile device ID to a specific user, confirms the user’s identity and verifies the security status of the end-point. Once these security checks have been passed, the SonicWALL Aventail solution grants the appropriate level of access from any web-enabled device, including Internet kiosks, laptops, smart phones, tablet PCs or any other web-enabled device.

Let’s face it: everyone is mobile these days. We are connected and work whenever, wherever. Whether you like it or not – the corporate I.T. department has already lost control of what mobile devices we use and how we use them. This issue is known as the ‘consumerization’ of IT. With the SonicWALL Aventail solution, we return control and security to IT and still give end-users total freedom of choice to select the mobile platform that’s right for them. We can determine the appropriate level of trust for each mobile device and automatically grant differentiated levels of access. We return to order and security from a chaotic and dangerous mobile environment.
Patrick Sweeney, vice president of product management, SonicWALL

The new SRA 1200 appliance provides a unified policy management interface to simplify how IT managers grant access to corporate resources. Additionally, SonicWALL has integrated a powerful, Web Application Firewall (WAF) that incorporates dynamic signature updates to protect against modern, web-based threats.

SonicWALL’s SRA 1200 introduces a wealth of new, powerful SMB-focused features that help reduce my clients’ costs, and expand the capabilities of their networks. Best of all, innovative features like ‘Virtual Assist’ help me support small businesses remotely without having to do a truck roll.
Tom Gregorski, technical manager, eDrivium Corp


Categories: All, Vendor News

BLOGS: iPad Facebook scam

July 30, 2010

Rik Ferguson’s You Were Warned blog warns of a new Facebook scam. Users are being offered free iPads:

Hey guys, this website is messing up right now and sending out free iPads to everyone for free without you having to complete any of those annoying advertisements. I don’t know how long this is going to last… so hurry and get one before they fix the glitch!!!

This is followed by the link to your ‘free’ iPad. But Rik warns:

If you see this posted on any of your friends’ walls, tell them immediately to change their Facebook password and whatever you do, don’t click on the links – they are malicious!

Blog entry

Categories: All, Blogs

The ICO – our very own Three Monkeys

July 30, 2010

You have to hand it to the ICO – its ability to sit on a fence while looking both ways at the same time is truly Vaudeville.

This is what it says about Google’s drive-by wi-fi-spy:

The information we saw does not include meaningful personal details that could be linked to an identifiable person… [but] we recognise that other data protection authorities conducting a detailed analysis of all the payload data collected in their jurisdictions may nevertheless find samples of information which can be linked to identifiable individuals.


There is also no evidence as yet that the data captured by Google has caused or could cause any individual detriment… [but] it was wrong to collect the information.


…we remain vigilant and will be reviewing any relevant findings and evidence from our international counterparts’ investigations.

Therefore our information and privacy and the privacy of our information remains safe.

ICO Statement

Categories: All, Security News

BLOGS: New DMCA rules on circumventing encryption

July 30, 2010

EFF’s Corynne McSherry explains the effect of the new DMCA rules, starting with the exemption on “breaking DVD encryption in order to take short clips for purposes of criticism and commentary for noncommercial use, educational use and documentary films.”

Before this exemption was issued, the only people allowed to circumvent DVD encryption for fair use purposes were film and media studies professors. Now, that category has expanded to include all college and university professors and film and media studies students (as long as they are circumventing for educational purposes), documentary filmmakers, and noncommercial vidders. The user may take only a “short portion” of the original work for purposes of criticism and commentary, and she must reasonably believe she needs to break the DRM to accomplish that purpose.

Blog entry

Categories: All, Blogs

The Inland Revenue owes me money. Hurrah!

July 29, 2010

Well! Are there no lengths they won’t go to nor depths they won’t plumb in their drive to cut costs and reduce the public sector? I’m talking about the ConDems of course!

But it’s not all bad. The Inland Revenue has finally agreed with me that I’ve been overpaying them for years. They sent me this email telling me that they needed to refund me with £1382.49. Nice!

And that’s how I found out: the Government is outsourcing the Inland Revenue. It’s actually a very good idea. Not only will they reduce costs and the size of the public sector, they are instantly improving efficiency. These new people will process my refund request in just 2-3 days!

After the last annual calculations of your fiscal activity, we have determined that you are eligible to receive a tax refund of 1382.49 GBP. Please submit the tax refund request and allow us 2-3 days in order to process it.

How do I know about the outsourcing? Well, there’s this Geeky trick you can do. If you hover the cursor over a link without actually clicking it, the browser displays the actual address at the bottom of the screen. I used this trick and discovered that the Inland Revenue’s offices are now in Brazil!
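The hover trick above works because the text a link shows and the address it actually points to are two different things. The following added Python example (not from the original post) does the same comparison automatically over a constructed HTML email modelled on the refund message: it lists the host each link really leads to and flags links whose visible text advertises a different host. The message body, the hosts in it and the `hmrc.gov.uk` trust list are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the refund email above (not a real message).
# The second link shows an hmrc.gov.uk address but points at a bare IP address.
SAMPLE_EMAIL_HTML = """
<p>After the last annual calculations of your fiscal activity, we have
determined that you are eligible to receive a tax refund of 1382.49 GBP.</p>
<p>Please <a href="http://refund-portal.example.com.br/hmrc/login">
submit the tax refund request</a> at
<a href="http://198.51.100.23/~tax/refund.php">www.hmrc.gov.uk/refund</a>.</p>
<p>Contact <a href="https://www.hmrc.gov.uk/contact">www.hmrc.gov.uk/contact</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((text, self._href))
            self._href = None

def displayed_host(text):
    """If the link text itself looks like a URL or domain, return its host."""
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname

def check_links(html, trusted_domains):
    """One finding per link: the real host, whether the visible text claims a
    different host, and whether the real host is in the trusted list."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        real = urlparse(href).hostname or ""
        shown = displayed_host(text)
        trusted = any(real == d or real.endswith("." + d) for d in trusted_domains)
        findings.append({"text": text, "real_host": real,
                         "mismatch": shown is not None and shown != real,
                         "trusted": trusted})
    return findings
```

A mail filter would treat any `mismatch` finding, or any untrusted host behind a refund link, as a reason to quarantine rather than deliver.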

Well, I’m just off for a cup of tea, and then I’ll be filling in my refund form.


While having that cup of tea, the nice Mr Cameron, a great fan of this blog, phoned me. He said, whoa! Hold on a minute. This has got to be a scam. In fact I know it’s a scam. We have no plans to do any such thing. There’s no way we’d ever give you any money back.

There it is. Sorry, but if you get an email from the Inland Revenue offering you a refund, bin it. It’s probably a prank perpetrated by the remnants of the last Labour government.

Categories: All, Security Issues

Reputation-based processes are democratic but insecure

July 29, 2010

A couple of days ago I commented on a weakness in reputation-based systems:

At the very least it shows the danger of any reputation-based warning system. Reputations can be manipulated, either by lowering the bar (as in this case), or seeding the system.
When is a scam not a scam – or when is marketing a scam?

Here’s an example of seeding the system. All Facebook is reporting a flood of rude messages (in Spanish) on Facebook. This appears to have been achieved by tricking the Facebook translation application.

Due to a flaw in the Facebook Translations application, if enough people vote on an incorrect translation, that phrase will be replace [sic] what was previously a legitimate phrase.
Spanish Facebook Hacked Resulting In Widespread Vulgarity

Categories: All, Blogs

Forget full disclosure; forget responsible disclosure; sign up for Microsoft’s new Coordinated Disclosure

July 28, 2010

This is clever. Microsoft has taken some stick over Tavis Ormandy and full disclosure (not as much as Tavis, but some): the whole issue has raised the possibility that companies like Microsoft might sit on vulnerabilities, sometimes for years, if the researcher doesn’t go fully public.

No company likes that sort of accusation floating around, so Microsoft has come up with a new disclosure policy. It’s not ‘responsible disclosure’ (a term and approach that is ridiculed by many serious security researchers), nor yet is it the fearful ‘full disclosure’ (a term and approach that is ridiculed by many serious security vendors). It’s a new one. It’s ‘coordinated disclosure’.

The idea is this:

Definition of coordinated vulnerability disclosure. Microsoft believes coordinated vulnerability disclosure is when newly discovered vulnerabilities in hardware, software and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.

Frankly I can’t see much difference between this and responsible disclosure, except that a CERT-CC becomes involved. This is the clever bit. CERT-CCs are pretty well trusted by the general public (well, they’re often ‘government’, so they must be trustworthy, right?). It’s a bit like David Cameron inviting the LibDems into government: if it goes right, it’s the Conservatives what did it; but if it goes wrong, we can blame the LibDems. Ah, but it’s more than just sharing the blame. The CERTs I’ve come across all have a policy of not going public with a known vulnerability until the vendor produces a patch.

In other words, there is no actual difference between this new ‘coordinated disclosure’ and the old ‘responsible disclosure’ except that we are given the false impression that the whole process will be policed by a CERT. That’s clever. And, of course, it’s followed by pretty standard emotional blackmail:

Microsoft calls on the broader community — from security researchers to vendors — to move to coordinated vulnerability disclosure. The need for coordination and shared responsibility has never been greater, as the computing ecosystem faces an unprecedented level of threat from the criminal element. To overcome that element, we must work together to improve the security of the entire ecosystem — and, as always, making customer protection our highest priority.

I suspect this will make not the slightest difference in reality. Existing full disclosure proponents believe that full disclosure is making user protection the highest priority; just as responsible disclosure proponents believe in their procedure. Coordinated exposure is just meaningless new semantics: but it does make good PR.

Categories: All, Vendor News