The most recent articles from vnunet.com

Summit: Test case limits government control of information

Iain Thomson in San Francisco — 2009-11-11T04:53:00.000Z

Iain Thomson in San Francisco, V3.co.uk, Wednesday 11 November 2009 at 04:53:00

Indymedia case shows embarrassing levels of snooping

A test case fought by the Electronic Frontier Foundation (EFF) has shown the extent to which the US government is willing to bend the law in trolling for data it wants.

Indymedia is a news aggregator for left wing and libertarian writers and on January 30 one of its volunteer administrators Kristina Clair received a grand jury subpoena from the Southern District of Indiana federal court.

The subpoena demanded all IP traffic to and from the site for a particular date, including "IP addresses, times, and any other identifying information. It also included a gagging order to prevent Indymedia from discussing the request.

The subpoena was made under the the Stored Communications Act (SCA) but after Indymedia went to the EFF for help it discovered that the SCA does not allow such broad searches, or the gagging order that accompanied the request.

“In sum, without any legal authority to back up their purported gag demand, the government ordered Ms. Clair not to reveal the existence of the subpoena, a subpoena that as already described was patently overbroad and invalid under the SCA,” said the EFF in their report on the matter.

“This is exactly the kind of unjustified demand of silence that creates a fog around the government's often-overreaching surveillance activities. How many other subpoena recipients have remained silent over the years in response to such bogus demands, and how many of them violated their users' privacy by handing over data that the government wasn't entitled to?”

When contacted the government first threatened to go to court to enforce the gagging order, before backing down and dropping the subpoena. It's not clear who was responsible for the request, as the subpoena was issued before the Obama administration was fully sworn in.

The case highlights not only the government's tactics but also its ability to trawl databases in the country for information that it wants. Under US law the government can access any information on servers within national borders.

This raises serious questions about the future of cloud services in the US. For example, with all of Google's main server facilities in the US, users of Google Apps may not have the security they expect.

Feds break up $9mil fraud ring

Shaun Nichols in San Francisco — 2009-11-11T02:55:00.000Z

Shaun Nichols in San Francisco, V3.co.uk, Wednesday 11 November 2009 at 02:55:00

Eight indicted over RBS hacking scheme

The US Department of Justice (DOJ) has indicted eight individuals in what authorities claim to be a $9 million bank hacking operation.

A federal grand jury based in Atlanta, Georgia issued the indictments after authorities presented evidence of the alleged breach at the Atlanta offices of Royal Bank of Scotland's RBS WorldPay branch.

The four main suspects on the case include three alleged hackers based in Estonia, Russia, Moldova and a fourth unnamed suspect labelled "Hacker 3." Each of the four are charged with 16 criminal counts including wire fraud, identity theft, conspiracy and access device fraud.

Additionally, the grand jury issued indictments for four additional Estonian residents on charges of access device fraud.

According to the DOJ, the group was able to compromise encryption protections to access data on a number of debit cards within the RBS WorldPay automatic payroll system.

Details on the compromised accounts were then used to increase credit limits and create 44 counterfeit debit cards. The counterfeit cards were then sent around the world to a number of money mules, each of whom accessed the accounts through local ATMs and sent as much as 70 per cent of the money back to the hackers.

The DOJ estimates that the entire withdrawl run took place over a span of 12 hours and resulted in a total of $9mil being withdrawn from 2,100 ATM machines.

"This investigation has broken the back of one of the most sophisticated computer hacking rings in the world," declared US district attorney Sally Quillian Yates.

"Last November, in just one day, an American credit card processor was hacked in perhaps the most sophisticated and organized computer fraud attack ever conducted. Today, almost exactly one year later, the leaders of this attack have been charged."

Summit: How businesses should manage their brands online

2009-11-10T18:45:00.000Z

V3.co.uk, Tuesday 10 November 2009 at 18:45:00

In part one of V3.co.uk's interview with Dirk Singer, he dicusses social media monitoring strategies

Dirk Singer, head of the digital division of brand communications agency Cow, discusses how businesses should go about monitoring statements relating to their brands on social sites, and explains what firms need to do to minimise the impact of negative comments.

Stork ID network comes step closer

David Neal — 2009-11-10T17:35:00.000Z

David Neal, V3.co.uk, Tuesday 10 November 2009 at 17:35:00

Cross-border ID card scheme agrees common framework for specs

A pilot scheme funded by the EU to create a Europe-wide electronic network for ID cards has announced that it has made its first step towards delivering pilot projects in 2010.

Today Stork (Secure idenTity acrOss boRders linKed), which is the project's name, said that it had agreed on a common framework and specifications with which to develop its Euro-wide solution.

It has taken twelve months to produce the model, which will be officially unveiled on 18 November.

Miguel Alvarez Rodriguez, one of the two people leading Stork's development, said, “The main objective now is to test the model in real time with real people. Usability is critical to the success of the framework, so during the pilots we are expecting to refine and improve elements where necessary. Although it was a key factor in the conceptual design, scalability is also a challenge to be addressed in any future extensions of the project.”

Stork expects to create a common network for ID cards across Europe, meaning that businesses, citizens and government employees will be able to use their national electronic identities (eID) in any member state, which will make cross-border administration easier.

Five pilot projects will run for the next twelve months in order to demonstrate the system and its capabilities. These include developing cross-border mechanisms for the secure online delivery of documents, as well as safer chat protocols.

iPhone worm was "justified"

Cath Everett — 2009-11-10T17:30:00.000Z

Cath Everett, V3.co.uk, Tuesday 10 November 2009 at 17:30:00

New Sophos poll finds users in forgiving mood

Three-quarters of respondents to a recent online poll believe that the Australian student who wrote the first Apple iPhone worm was justified because he helped raised awareness of security issues.

The software, which is now available for anyone to download, has spread rapidly around Australia changing device-based wallpaper into an image of the 1980s pop star Rick Astley.

Every infected phone also consumes each user’s data transfer allowance as it replicates itself elsewhere, potentially leading to large bills at the end of the month.

But the research undertaken by security software firm Sophos, which garnered 721 responses, found that 76 per cent answered yes to the statement: "He’s done iPhone users a favour. This was an acceptable way to raise awareness of poor security".

A further 10 per cent believed that the 21-year-old student had acted recklessly and that the end does not justify the means, while another 15 per cent hoped that he would be investigated by the police.

“Has the world gone completely bonkers? It’s a depressing notion that most people think that doing harm and breaking computer crime laws is a good thing,” said Graham Cluley, senior technology consultant at the vendor.

Not only will iPhone users need to repair the damage caused by the worm, but the fact that the “genie is let out of the bottle” means that it raises the spectre of others writing a more dangerous version of the worm, "which could have a much more dangerous payload”, Cluley added.

Cluley said there were signs that such an attack might not be that far away. When analysing raw search statistics for the Sophos web site, Cluley found that the key search terms were not "Rick Astley" or "Rickrolling" as might be expected. Instead they referred to the name of the worm itself – "ikee" and " ikee source code".

Apple unveils massive patch update

Cath Everett — 2009-11-10T17:22:00.000Z

Cath Everett, V3.co.uk, Tuesday 10 November 2009 at 17:22:00

A whopping 38 patches for critical flaws released

Apple has released its sixth security update for its Mac operating systems this year, with a huge 32 out of 58 accompanied by the phrase “may lead to arbitrary code execution”, which in the vendor’s jargon means critical.

Included in the patches were five specifically aimed at vulnerabilities in Snow Leopard, aka Apple Mac OS X 10.6, which was newly launched in August.

These vulnerabilities included a pair of bugs in the CoreMedia component’s parsing of H.264 movie files, one in ImageIO’s handling of TIFF files and vulnerabilities in the kernel and launch services.

Four other bug fixes also sorted out critical vulnerabilities in QuickTime 7.6.4, the version that was originally packaged with Snow Leopard.

This is the second round of fixes published for the new operating system in as many months. The first was delivered on 10 September to fix nine flaws in Adobe’s Flash Player. Although the holes had been plugged by late July, it did not leave enough time to include them in Snow Leopard before its launch.

The appearance of the new offering has also led to the removal of Tiger, aka Mac OS X 10.4, which first appeared in April 2005, from security support schedules. Apple traditionally stops providing security updates for its oldest supported operating system several months after the release of a new one.

Comment: Three steps to a social media strategy

Dirk Singer — 2009-11-10T16:25:00.000Z

Dirk Singer, V3.co.uk, Tuesday 10 November 2009 at 16:25:00

Monitor, register and engage, says communications adviser Dirk Singer

When it comes to social media in general and Twitter in particular, there are two things you can be sure of.

One, people will be talking about themselves. Two, in addition to talking about themselves they will be talking about brands – possibly even yours. That’s a potent cocktail that can wreck your brand's reputation, or perhaps enhance it.

Both these assertions are supported by recent research.

First of all, Oxford University Press did an analysis of 1.5 million words used on Twitter. 'I' was the most popular world after 'the'.

By comparison, in everyday speech 'I' is the 10th most used word, meaning it’s five times more popular on the micro-blogging service.

Secondly, Penn State in the US did research involving half a million tweets. Twenty per cent were about brands in some shape or form. Added to this is the results of another study, this time by Perfomics Marketing, showing that 44 per cent had recommended a product on Twitter and 39 per cent had discussed one.

What does this mean? Brands and products are part of our everyday lives. And as Twitter is a personal broadcasting system, people will be quick to pass on their experiences with them.

One example involving London Underground should give any customer-facing organisation, and that means pretty much any organisation, food for thought.

The other week blogger Jonathan MacDonald filmed a London Underground staff member verbally abusing an elderly passenger who’d had the misfortune of having his arm caught in a tube train door. That was on a Thursday afternoon.

By Friday morning it was on his blog and on Twitter. By Friday afternoon it was on the front page of the Evening Standard. The staff member in question, apparently a peace-loving 'Jedi', has since resigned.

The cycle from it hitting Twitter and it reaching the mainstream media was around four hours. How many organisations would even spot that something was happening online in that time frame?

Indeed, one of the misconceptions about Twitter is that it’s a place for people to exchange various inane comments. There is some of that, but its user base is disproportionately made up of bloggers, social media influencers and – yes, journalists (Sky News now has a Twitter correspondent).

These are people who spot things on Twitter and take them somewhere else. Twitter is effectively the bridge to other media.

So what can you do about it? At its most basic, a social media programme should involve three stages, the first two essential and the third highly recommended: monitor, register and engage.

1 Monitor – People are going to be talking about you whether you are present or not. You might as well know what they are saying about you! More to the point, you need to be able to head off any negative comment before it snowballs.

There are plenty of tools that allow you to do the job, many free. A good list is the wiki maintained by Ken Burbarry

2 Register - If you haven’t registered your brand profile on social media sites, you leave yourself open to anyone with an axe to grind doing so and poking fun at you.

For example, take a look at what’s been done with the Twitter profile of London commuter train service South West Trains (I’ve used them as a case study several times in the past and I’m amazed they haven’t yet done anything about this).

As a result, even if you do nothing else with them, at the very least register your brand profiles. It’s free, and namechk will show you where your brand identity is still available.

3 Engage – This is the more difficult, and also potentially more rewarding, bit. As we’ve already said, people will be talking about you online whether you like it or not, so you might as well be present to shape the conversation.

Fortunately, there are plenty of case studies of companies that have got it right online to guide you, thanks in part to social media pundit Peter Kim, who has created a wiki with examples of what a stack of brands have done online. Take a look, draw your own conclusions and plans, and dive in.

Or…ignore this space completely, wait for a crisis to blow up online, miss it completely, and be left to firefight when the mainstream media gets hold of it several hours later.

Dirk Singer heads up the digital division of brand communications agency Cow. He additionally blogs at liesdamnedliesstatistics.com and is on Twitter.

Singer was talking to V3.co.uk as part of its Information Overload Summit event, running from 10 - 12 November. Visit our dedicated Summit web site for more breaking news, views, analysis and video on the topic of Information Overload.

Panda Security steps up with new cloud offering

Phil Muncaster — 2009-11-10T15:49:00.000Z

Phil Muncaster, V3.co.uk, Tuesday 10 November 2009 at 15:49:00

New service could help boost SME security efforts

Cloud security firm Panda Security today launched a new endpoint and email security offering designed to protect customers against all major new threats, including malware, spyware, rootkits and viruses.

Panda Cloud Protection is a fully hosted, managed cloud-based security service that can scale from individual users up to large enterprises. However, Panda's UK managing director Petter Lautin said the firm expects it to appeal mainly to SMEs, which generally have fewer resources to throw at security than large organisations.

"We believe this solution addresses some of the key issues, in terms of time, cost and complexity you deal with in traditional hardware and software solutions," he said.

"There is a cost of adding hardware and software to the network, and you need dedicated and skilled resources to do it – this solution takes these problems away."

The new service, which has been available in beta since April, takes advantage of Panda's cloud-based Collective Intelligence system to scan and block malware using a variety of methods ranging from traditional signature and blacklisting techniques to behavioural and heuristics-based analysis.

"Last year, we saw 30,000 new malware samples every day, which is why we started working on Collective Intelligence," said Panda Security technical director Luis Corrons. "Right now we're dealing with 50,000 threats a day, most of them Trojans, botnets or rogueware-related – you can't be reliant on just signature scanning."

Summit: Richard Thomas advises on handling the data deluge

Rosalie Marshall — 2009-11-10T15:24:00.000Z

Rosalie Marshall, V3.co.uk, Tuesday 10 November 2009 at 15:24:00

Former Information Commissioner speaks out on government databases and data privacy

Former Information Commissioner Richard Thomas gave his views on data privacy, government databases and Tory proposals to use Google and Microsoft to host public medical records at V3.co.uk's Information Overload Summit on Tuesday.

Thomas, who is now the global strategy adviser for law firm Hunton & Williams, discussed how individuals can stay in control of all their data online and how to maintain their privacy when using social networks.

He also spoke about what organisations should do before embarking on a new technology initiative to ensure customer and staff privacy.

Thomas gave his views on a poll V3.co.uk is conducting on what readers believe is the biggest cause of the data explosion. So far, some 21 per cent of readers said they feel overloaded by information because of social networks.

A video of the full interview with Thomas will be available to watch at the Summit web site later today, where you can also find more breaking news, views, analysis and video on the topic of Information Overload.

Microsoft bids to boost Agile security

Cath Everett — 2009-11-10T13:47:00.000Z

Cath Everett, V3.co.uk, Tuesday 10 November 2009 at 13:47:00

SDL extended to include popular development methodology

Microsoft’s Trustworthy Computing Group has released new guidance to enable programmers using the Agile software development methodology to employ its Security Development Lifecycle (SDL) process.

The guidance, which was announced today at the vendor’s TechEd Europe 2009 conference in Berlin, is intended to extend security best practice to the ever-growing Agile development community.

“A well-managed software security programme is a good investment at any time and can help minimise security-related maintenance costs, while providing customers with a more secure experience,” said Steve Lipner, senior director of security engineering strategy for Microsoft’s Trustworthy Computing Group.

According to Forrester Research in its report From Agile Development to Agile Engagement, which was published in May this year, some 85 per cent of IT professionals have either adopted or are in the process of adopting Agile methods.

The Agile methodology focuses on iterative software development, whereby both requirements and deliverables evolve through collaboration between cross-functional teams. It is a disciplined project management-based process that encourages the rapid development of high-quality software by focusing on frequent reviews, adaptation and teamwork.

This contrasts with more traditional waterfall methods of development where specifications are clearly defined in detail in advance and teams work on pre-determined features and tasks over the entire length of a scheduled development process. This makes it difficult to change direction if alterations are required.

Microsoft created its Security Development Lifecycle (SDL) in 2004 following widespread criticism about the security of its software. The SDL is an attempt to share lessons learned and comprises a raft of tools and best practice guidance.

Summit: Experts warn of mobile botnet threat

Phil Muncaster — 2009-11-10T13:00:00.000Z

Phil Muncaster, V3.co.uk, Tuesday 10 November 2009 at 13:00:00

Malware in mobile sphere could reach critical levels in two years

Mobile malware could reach critical mass in as little as two years' time, with the potential for mobile botnets and denial-of-service attacks to cause widespread disruption for firms, according to Research in Motion's (RIM) head of global security.

Scott Totzke, who is charged with anticipating online threats and ensuring the security of RIM's range of popular BlackBerry devices, argued that hitherto the smartphone market has not been a big enough target for malware writers to bother with, while the proliferation of different operating systems also made spreading attacks over a wide area more difficult.

"The economies of scale are already there for the malware writers, but only in the past couple of years has the smartphone platform become so robust and powerful and got any type of market penetration," he told V3.co.uk at its inaugural summit event.

"Two to three years down the road we will see more critical mass and a few very targeted applications leading to the information leakage of customer data. "

He predicted that hackers would not only look to steal personal information such as credit card details from individuals, but also "exploit the trust that exists between a handset and network provider, or enterprise network".

"Ten thousand infected devices on an infected carrier's service could cause a denial-of-service outage," he warned.

Totzke explained that to mitigate such risks it is important that IT has as granular control as possible over what is allowed to run on staff devices.

Dave Rand, chief technology officer at security vendor Trend Micro, also predicted that handheld devices would increasingly become targets for hackers as organisations employ them as primary information stores.

"How do you secure and protect that information though? The only way I can think of is to encrypt that data so it is unusable by third parties," he added.

Howard Schmidt, president of the Information Security Forum and former White House cyber security advisor, argued that IT administrators need to think about how to wipe data or locate a device if it is lost or stolen, and also have some way of vetting the applications being loaded onto those devices to ensure there are no vulnerabilities.

"We need to pay more attention to this and work with the vendors and application developers to ensure we don’t end up with the situation we got with the PC," he added.

Visit our dedicated Summit web site for more breaking news, views, analysis and video on the topic of Information Overload.

Summit: UK 'in danger of being left behind' on security

Phil Muncaster — 2009-11-10T12:56:00.000Z

Phil Muncaster, V3.co.uk, Tuesday 10 November 2009 at 12:56:00

Experts warn behavioural monitoring is essential to protect sensitive data

A leading security expert has warned that UK organisations need to focus more security efforts on behavioural monitoring of employees, or risk failing on data security and falling behind on the global stage.

Stuart Okin, former chief security advisor of Microsoft and now UK MD of consultancy Comsec, said the current information overload facing firms means they cannot afford to take a reactive approach

"What we've done historically is look at the back end – tagging, archiving, encryption – essentially where the data is stored, but that strategy cannot continue with the current amount of data," he added.

"We must shift our focus to the front end – how data is accessed, who it's accessed by and what they're doing with it – monitoring the behaviour of individuals in enterprises."

Okin argued that only by combining this behavioural monitoring with more traditional security strategies that focus on securing the data where it is stored, and user education, can UK firms hope to adequately protect the vast amount of information they are handling.

He said the technology has been in place to do this for the past 18 months, and that the current economic climate should be providing extra incentive for firms to focus on this as a new way to improve the bottom line through fraud reduction.

"The US, Israel and others have really stepped up on this but we're in danger of being left behind," said Okin. "We don't understand the value of the information we have and we're not doing enough to protect the flow of that information."

Dave Rand, chief technology officer at security vendor Trend Micro, agreed that in time, IT teams would move to more proactive monitoring strategies.

"We've been talking about AI for the past 50 years, well now we have something that computers can be taught to look for, anomalous patterns – it's straightforward and simple and the credit card industry is a great example of that," he explained.

However, other experts were more optimistic about the progress UK organisations are making. Mike Maddison, head of security at consultancy Deloitte, argued that firms now recognise at a board level the importance of secure information handling and user education.

"I'm optimistic, because there's a recognition that this needs to be embedded into the day-to-day running of the business," he added.

"The role of information protection is more visible too, as is the role of risk management. You just have to look at the number of chief information security officer (CISO) roles at a senior reporting level that there are now."

However, Comsec's Okin warned that many organisations are still not set up to take on the proactive approach to information security he advocates.

He said that out of 22 CISOs he had met in the past year, only one knew the overall spending on security controls and countermeasures, because in most organisations things like network, application security or fraud protection are carried out by different departments.

"They are focused on awareness-raising, encryption, data storage and dealing with incidents as they occur," he warned. "If they are only focused on the back end infrastructure system and not talking to their fraud counterparts on a day-to-day basis, how are we possibly going to get on the front foot?"

Visit our dedicated Summit web site for more breaking news, views, analysis and video on the topic of Information Overload.

Breach notification laws get green light

David Neal — 2009-11-10T12:16:00.000Z

David Neal, V3.co.uk, Tuesday 10 November 2009 at 12:16:00

Privacy rights strengthened in Europe

The EU has announced that "nothing stands in the way" of its ePrivacy Directive, paving the way for stronger rules surrounding data breaches and other privacy issues.

The EU said that, since the telecoms reform package had been approved, any work left to do on its rules was just a formality, with the new ePrivacy Directive requiring compulsory adoption by member states within 18 months.

The 'formalities' required for the EU's formal adoption of the rules are expected to take just a few weeks, and once completed will tighten up rules surrounding security breaches, spyware, cookies and spam.

Under the new rules, if an ISP is involved in a data breach involving individuals' personal information, they will have to notify the people involved. The EU suggested likely scenarios including, "those where the loss could result in identity theft, fraud, humiliation or damage to reputation".

Other rules will ensure the 'reinforced' protection of communications, such as how and when cookies are installed on user machines, and the right to bring 'effective legal proceedings against spammers'. This last change will apply to both individuals and ISPs, the EU said.

European data protection controllers will also find their powers extended, and will be able to order that any breaches of their rules are immediately stopped, whether on their own shores, or cross-European borders.

Peter Hustinx, the European data protection supervisor, said, "I welcome the many improvements in the protection of privacy in the revised ePrivacy Directive. But it is now crucially important to broaden the scope of the security breach provisions to all sectors and further define the procedures for notification.

"Also, the new rules must be effectively enforced. I note in particular the emphasis on more effective enforcement of the rules on spyware and cookies. This has special relevance where privacy rights must be protected in relation to so-called targeted advertising."

Interview: Scott Totzke, VP global security, RIM

Phil Muncaster — 2009-11-10T08:30:00.000Z

Phil Muncaster, V3.co.uk, Tuesday 10 November 2009 at 08:30:00

We ask the BlackBerry maker's head of security what CIOs need to do to mitigate mobile data risks

V3.co.uk: As vice president of global security for RIM, what are the key data security challenges facing your customers?

Scott Totzke: It's about the security and privacy of information as it leaves the enterprise and is stored on mobile devices. For a lot of our customers it's a question of control: who is in control of the data, how do you manage it and how do you cope with the eventuality of it being lost or stolen in the event of the device being lost or stolen? These things are personal computers now, not cell phones, and they're capable of storing tremendous amounts of information. I've got a 16GB Micro SD card in my device – that's a lot of information.

What specific functionality are enterprises looking for to ensure their mobiles are secure?

Enterprise customers are looking at whether they can audit the communications, if they're in a highly regulated industry. It could be important to audit email, text, MMS and have phone logs so you know who's talking to who and when. And when they deal with the eventuality of a lost or stolen device, they want to make sure the systems they deploy allow for the remote erasing of information. The table stakes in the mobile world are having a secure connection into the enterprise, base manageability of passwords, and the ability to remotely wipe data from lost devices.

Aside from employee error, where do the main risks lie?

A lot of discussions are emerging about what the other mobile threats are. There is a trend towards malicious software in the PC world and it's in the process of migrating to mobile devices, so there's a lot of discussion about how to manage the applications many users want to add to the device. Email is fine, but business transformation-type applications are where you can drive most value from your mobile device.

A financial services customer of ours developed a loan approvals application and within two months it had become business critical; so you have this computing platform, and internally developed applications sitting on top, and then users who want to deploy consumer or lifestyle apps, too. Customers therefore need to look at ways to manage and control what applications run on these devices – to set policies on what can be installed.

How far off is a serious threat from mobile malware?

Mobile malware is already here but two to three years down the road we will see more critical mass and a few very targeted [malicious] applications leading to the leaking of customer data. Proactive customers are already thinking about this. The economies of scale are already there for the malware writers, but only in the past couple of years has the smartphone platform become so robust and powerful and gotten any type of market penetration. However, we've seen a lot of fragmentation in the operating system market, with Apple's iPhone OS, WebOS, and Android all appearing, and this has been a delaying factor.

What are we likely to see from the malware authors?

As mobile payments become a reality, we'll probably see a lot of social engineering efforts targeted at compromising personal information such as credit card details. Another trend we can expect is malicious applications that will strive to exploit the trust that exists between a handset and network provider, or enterprise network. It opens up interesting possibilities for what could be done with a mobile botnet. Ten thousand infected devices on an infected carrier's service could cause a DOS outage.

Is too much information being stored by firms today?

As an industry, technology-wise, security-wise and privacy-wise we need to make sure the solutions we deploy protect our customers' information. The question needs to be asked: why do you need that information? As individuals we also need to question what information we need to provide and look closely at the privacy policies we're signing up to. As we build systems it becomes increasingly important on the IT side to determine why we are collecting information, how we're storing it, what the internal governance is around it and how we protect it. There have been way too many privacy breaches.

Visit our dedicated Summit web site for more breaking news, views, analysis and video on the topic of Information Overload.

Summit: Industry needs to come clean on cloud security

Phil Muncaster — 2009-11-10T08:00:00.000Z

Phil Muncaster, V3.co.uk, Tuesday 10 November 2009 at 08:00:00

Trend Micro CTO warns of widespread data theft

A leading security expert has warned of widespread data theft as more and more organisations move their information into the cloud, and urged firms to consider data encryption by key management as the only viable way to mitigate this risk.

Speaking to V3.co.uk as part of its Information Overload Summit, Dave Rand, chief technology officer of security vendor Trend Micro, argued that IT teams want to move to cloud computing because of the cost savings, but are put off by the lack of data protection assurance offered by any of the major cloud providers.

"Most cloud service providers don't have any data backup strategy; there are no adequate security measures recording who's accessing the data, and the reason is the effect on performance," he explained.

"In the next few years there will be a move towards controlling the data itself or keeping it secure by default – encrypting it by key management at the point of production and decrypting it at the point of consumption."

However, real-time data encryption and key management is no panacea, Rand warned, as it can be open to data being "snooped in-flight", and if organisations lose their keys, any data would be irretrievable.

"The IT security industry needs to own up and say it doesn't have all the answers – but with the emergence of the cloud we have to come to a conclusion," said Rand.

"Between now and widespread adoption we will see massive data theft occurring as people move into the cloud. There will be repeated issues of data going astray, and when it occurs people will get fired and they will be yelling, and then they'll finally realise it's not just protecting the integrity of the system that matters but the data."

Howard Schmidt, president of the Information Security Forum and former White House cyber security adviser, argued that strong authentication, and encryption of data in transit and at rest are essential to securing cloud environments.

However, he said that most cloud providers are already listening to and working on customers' requests for this kind of functionality to be built into their environments.

Visit our dedicated Summit web site here for breaking news, analysis and video on the topic of Information Overload.