Archive for the 'General' Category
Employees take greater risks at work than home
Most people consider themselves prudent when it comes to workplace activities, but actions speak louder than words—especially when it comes to computer security.
A large gap exists between what employees say about computer security and how they practice it at work, according to the Information Systems Audit and Control Association, which polled 301 white-collar workers at companies of at least 100 employees.
For example, 15 percent of workers had shared files over a peer-to-peer network, which “is opening a big door at a large corporation,” says Kent Anderson, a consultant who serves on ISACA’s Information Security Management Committee. “Most of these file-sharing programs by default scan available files and serve those out to anybody who wants them.”
Eleven percent of workers had e-mailed confidential documents to the wrong person—yet only 60 percent considered the behavior risky. And 35 percent had knowingly violated a corporate IT policy.
“They think, even if I make a mistake, nothing bad is going to happen,” Anderson says.
One reason for the risky behaviors may be that employees tend to take workplace IT security for granted. More than 90 percent told ISACA they considered their offices secure. While they worry about the security of their home machines, they feel somebody else has taken care of security on their work computers, Anderson says.
Another reason may be that employees don’t understand the risks they’re taking with what may seem like routine tasks. Anderson says corporate IT departments tend to write overly long or technical IT policies, then stick those policies on a shelf and leave them unenforced.
Security policies must be simple, he says, and employees must be able to follow them and still do their jobs.
ISACA recommends corporate IT departments make security training routine. They should train new hires, update training frequently, and let employees know when there are specific threats.
ISACA’s recommendations reflect the results of a recent Computer Technology Industry Association (CompTIA) survey that found 68 percent of businesses have no security training program, even though most are seeing an increasing number of security threats and incidents.
This is the first time ISACA has surveyed security practices at work, and Anderson wants to follow up on the results. He’s especially interested in how and why people knowingly violate corporate IT policies.
Checking personal e-mail at work may not seem like a problem, he says, but when you consider that 49 percent of workers clicked on a URL in an external e-mail and one-third downloaded files or software from friends, the risks grow quickly.
Software developers to get a standardized security test
Software developers, sharpen those No. 2 pencils. A standardized test on your knowledge of secure programming may soon be coming your way.
The Secure Programming Council unveiled Tuesday a proposed standard for companies to test their software developers’ knowledge of secure programming. The aim is to let companies ensure that their developers, whether in-house or outsourced, have a base level of knowledge about building security into software applications.
The council is rolling out its “Essential Skills for Secure Programmers Using Java/JavaEE” (PDF), the first of six standards initiatives. It plans to later add skills tests for C and C++, as well as .NET, PHP, and Perl.
The council is opening up the Java/JavaEE proposed standard for public comment via e-mail over the next 60 days.
Some of the proposed areas of testing include data handling, authentication, session management, and access control. For example, under the data handling task, Java programmers must be able to write programs that read input from interfaces, properly validate the data, and then pass it on. The programmers would also need to be familiar with malicious-attack scenarios such as cross-site scripting and SQL injection.
The skill testing is designed to not only ask developers whether they know what encryption is but whether they understand the differences between PKI encryption and other forms of encryption, said Ryan Berg, co-founder of Ounce Labs and a member of the Secure Programming Council’s Java and JavaEE steering committee.
More than 40 companies, government agencies, and security firms have participated in helping to establish the standards, largely coming from the financial services, manufacturing, aerospace, military, and outsourcing industries, said Alan Paller, director of research at SANS Institute.
“One large financial institution has told its developers that they had to pass the test by August 1, or they won’t touch a line of code,” Paller said. “The financial industry is taking the lead because they have the most to lose.”
SANS will administer the tests, which are scheduled to begin on December 5 in London and continue for the next eight months in cities throughout the United States and Europe.
The tests, which don’t actually require a No. 2 pencil, cost between $50 and $450, for participants ranging from students to employees of large corporations.
Software-licensing costs predicted to fall
Software-licensing costs are set to fall over the next decade, as IT industry trends converge to give buyers more bargaining power.
Research firm Gartner predicts that vendors will find themselves increasingly challenged as IT departments look to reduce software costs, as they have done with hardware and services.
“Up until now, the unique nature of the software market has meant that buyers had very little negotiating power after the initial purchase of a software license,” Gartner Vice President William Snyder said in a research note. “We expect those dynamics to change considerably over the next 5 to 10 years, giving CIOs and software procurement officers more bargaining power while potentially reducing software vendor profit margins.”
Gartner has identified seven major trends converging to change software delivery models, reduce dependence on the giant application vendors, and force prices down.
These include business process outsourcing; software as a service; low-cost development environments, such as China and India, combined with modular architectures and service-oriented architectures; the emergence of third-party software maintenance and support; growing interest in open source; the rise of Chinese software companies; and the expansion of the Brazilian, Chinese, and Indian markets.
Although Gartner says open source won’t topple the likes of IBM and Microsoft, the firm believes that it will put pressure on traditional software margin structures, particularly in areas such as servers, operating systems, development tools, and database technologies.
Gartner also predicts that a fourth of all new business software will be delivered by software as a service by 2011.
Snyder said buyers need to realize that the pendulum is beginning to swing in their favor, with an increasing number of alternatives in the software market.
“We would advise IT organizations to use BPO (business process outsourcing) and open-source alternatives to improve their negotiating power with software suppliers, as well as employing the emergence of third-party vendors as a means to reduce higher maintenance fees on older versions of software,” he said. “(Pricing) out the possibility of using offshore skills to build application functionality as Web services will also help negotiations with vendors.”
Fans cheer as Apple’s iPhone finally hits Europe
Apple fans queued through the night in Germany and Britain to be among the first in Europe to buy an iPhone, the must-have gadget that is set to shake up the mobile industry.
Over 10,000 iPhones were sold by Friday afternoon in Germany, a T-Mobile spokeswoman said, after it went on sale at midnight in a Deutsche Telekom shop in Cologne.
“It was love at first sight,” said one 50-year-old man.
T-Mobile representatives handed out blankets and umbrellas as well as hot tea, coffee and pretzels for those waiting outside, before sales staff cheered loudly as the first customers entered the store.
In Britain, fans had to wait until 1800 GMT before the music-playing, Web-browsing phone went on sale at stores from Apple, mobile phone retailer Carphone Warehouse (CPW.L) and mobile operator O2.
The queue outside central London’s main Apple store stretched around the corner and long lines also formed in the city’s financial area.
First in the queue, clutching a mug of steaming tea, was student Graham Gilbert, who arrived at 0830 GMT on Thursday and endured a wet and cold night on the street.
Deutsche Telekom, Telefonica’s O2 and Carphone have pinned high hopes on the iPhone after more than a million sold in the United States in a few months.
“It’s probably the most important phone this year in terms of the impact it will have on the mobile phone market but it’s going to be a long way from being a best seller,” CCS analyst Ben Wood told Reuters.
“But one of the things that Apple do very well is they spend a lot of time thinking about the consumer experience and we’re going to see their competitors taking more of that approach.”
Most analysts expect the device to be popular with a niche audience, in part due to its price tag, and those queuing on Friday in Germany and Britain were mostly young men.
Most European handsets are subsidised in return for long-term contracts but the iPhone costs 399 euros ($585) in Germany and customers must agree a two-year contract with T-Mobile for monthly fees between 49 and 89 euros.
In Britain the iPhone costs 269 pounds ($56…) on top of an 18-month contract costing a minimum of 35 pounds per month.
“It’s a magnificent product and it’s very well marketed by Apple,” said Greenwich Consulting’s Fred Huet. “The real question will be how many they sell once the novelty wears off.”
The phone will go on sale in France at the end of the month.
Scams use striptease to break Web traps
In a new online striptease, the buxom, beautiful blonde who promises to remove her slinky scraps of lingerie doesn’t want your money. She’s interested in your brain. Really.
The creation of online scammers, she’s trying to trick unsuspecting Internet users into helping the scammers break the online barriers that banks and e-mail services set up to thwart crooks.
The striptease is the latest attempt to defeat CAPTCHA systems, short for Completely Automated Public Turing test to tell Computers and Humans Apart. Those safeguards require users to prove they are human by reading wavy, oddly shaped jumbles of letters and numbers that appear in an image and typing them out.
In the new scam, an icon of an alluring woman suddenly appears on a Windows computer infected by a virus. After clicking on the icon, the user sees a photo of an attractive woman who vows to take off an article of clothing each time the jumble of figures next to her is entered.
But the woman never fully undresses, and after several passwords are entered the program restarts, possibly enticing unsuspecting users into trying again.
Trend Micro researchers say the scam appears to be isolated for now to spammers trying to register bogus e-mail addresses and flood chat rooms with unwanted pitches. But they worry schemes to infiltrate financial institutions could soon appear.
Paul Ferguson, network architect at Trend Micro, speculated that spammers might be using the results to write a program to automatically bypass CAPTCHA systems.
“I have to hand it to them,” Ferguson said, laughing. “The social engineering aspect here is pretty clever.”