Not Just An Ordinary Weblog!
Recently I wrote a post about how trust can be a security risk in one’s environment; today I will expand on that further. On the 4th of January, H-Online reported a story in which security firm SySS managed to get around the security of some USB drives and access the data without needing to break the cryptography involved. The closing question we will be tackling from the H-Online article is this: how could these devices, whose security could so easily be broken, have been given FIPS 140-2 Level 1 certification?
The reason these USB drives were given this certification is that they were compliant, and still are. Certification claims one thing and one thing alone: that whatever is certified complies with what the certification is about. In the case of FIPS 140-2, to achieve Level 1 compliance all a USB drive needed to meet were the following points.
* The requirement for Level 1 consisted of the USB drive using one of the approved cryptographic algorithms, which in this case they did, because the algorithm used was 256-bit AES.
* The requirements for Level 2 were compliance with Level 1 plus physical security for the device: tamper-proof seals, or at the very least notification when physical tampering has occurred.
The flaw discovered by SySS was that after a password was entered and validated using a number of cryptographic algorithms, the software would always send the same sequence of bytes, irrespective of the password, to unlock the drive. Clearly none of this has anything to do with FIPS 140-2 Level 1 certification.
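To make the flaw concrete, here is an added toy model (not code from SySS, H-Online or any drive vendor): a host application that validates the password itself and then sends one constant unlock token, beside a design in which the key material sent to the device is derived from the password, plus an audit check that the bytes crossing the host/device boundary change when the password does. The class and function names and the PBKDF2/HMAC construction are my own assumptions; the HMAC keystream stands in for AES.

```python
"""Toy model of the USB-drive unlock flaw described above (constructed
example, not SySS's or any vendor's code).

FlawedDrive / FlawedHost: the host checks the password and, on success, sends
one constant unlock token; the device never sees the password, so the token is
the real credential. BoundDrive / BoundHost: the data key is wrapped under a
key derived from the password and a per-device salt, so nothing the host sends
is constant and a fixed token cannot unlock the device. The audit helper at the
end checks that the bytes crossing the host/device boundary change with the
password.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

def _kdf(password: str, salt: bytes) -> bytes:
    """Password-based key derivation: PBKDF2-HMAC-SHA256, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for AES: keystream = HMAC(key, counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

# ---------- Flawed design: host-side check, constant unlock token ----------
UNLOCK_TOKEN = bytes.fromhex("00" * 31 + "01")  # constructed constant value

class FlawedDrive:
    """Unlocks whenever it receives the fixed token, whatever the password."""
    def __init__(self, plaintext: bytes):
        self._plaintext = plaintext

    def unlock(self, token: bytes) -> Optional[bytes]:
        return self._plaintext if hmac.compare_digest(token, UNLOCK_TOKEN) else None

class FlawedHost:
    """Validates the password locally, then sends the same token every time."""
    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._verifier = _kdf(password, self._salt)

    def unlock_message(self, password: str) -> Optional[bytes]:
        if not hmac.compare_digest(_kdf(password, self._salt), self._verifier):
            return None
        return UNLOCK_TOKEN

# ---------- Bound design: the key material depends on the password ----------
class BoundDrive:
    """Holds a random data key wrapped under the password-derived key."""
    def __init__(self, plaintext: bytes, password: str):
        self.salt = os.urandom(16)
        dek = os.urandom(32)
        kek = _kdf(password, self.salt)
        self._wrapped = _keystream_xor(kek, dek)
        self._tag = hmac.new(kek, self._wrapped, "sha256").digest()
        self._ciphertext = _keystream_xor(dek, plaintext)

    def unlock(self, kek: bytes) -> Optional[bytes]:
        # The device, not the host, decides: a wrong key fails the wrap check.
        expected = hmac.new(kek, self._wrapped, "sha256").digest()
        if not hmac.compare_digest(expected, self._tag):
            return None
        dek = _keystream_xor(kek, self._wrapped)
        return _keystream_xor(dek, self._ciphertext)

class BoundHost:
    """Derives the key-encryption key from the password and the drive's salt."""
    @staticmethod
    def unlock_message(drive: BoundDrive, password: str) -> bytes:
        return _kdf(password, drive.salt)

def message_depends_on_password(build: Callable[[str], bytes],
                                pw_a: str, pw_b: str) -> bool:
    """Audit check: build(pw) returns the bytes a host sends when pw is the
    configured password. Two passwords yielding identical bytes means the
    password is not bound to the unlock, which is the flaw SySS described."""
    return not hmac.compare_digest(build(pw_a), build(pw_b))

def flawed_host_message(password: str) -> bytes:
    return FlawedHost(password).unlock_message(password)

def bound_host_message(password: str) -> bytes:
    return BoundHost.unlock_message(BoundDrive(b"", password), password)
```

The audit check is necessary but not sufficient: it catches a constant token, not every weak binding, so it complements rather than replaces a review of where the unlock decision is actually made.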
That being said, even though the FIPS certification is not stating anything false, even in light of this security flaw, there is still a big problem. When people decide to buy a secure USB drive, it is fairly safe to assume that they will first look at the certifications it has been given. FIPS 140-2 is the certification that government agencies use to decide on product suitability. What people will think when they see a USB drive certified with such an accreditation is that if it is good enough for the government it will surely be good enough for them. Very few people will stop to see what a FIPS 140-2 Level 2 certification actually means. Even if people do look at what FIPS 140-2 Level 2 is all about, it is unlikely that someone who is not into security will understand which components were tested and found compliant and which parts have had no real oversight at all. Finally, even people in security who might ask these questions have no way of knowing how such a device actually operates just by looking at it! How is one supposed to know that this device is unlocked with a byte sequence that remains constant no matter what password is used?
The answer is that of course you cannot. One has to trust that the certification process is good enough to protect you. The same problem, or possibly a worse one, exists with devices that have no certification at all, because there you have to trust that the vendor tested the product well enough before shipping it, with no independent oversight. So what is one to do? The answer is: never trust a device or system to be secure. This is not to say that there is no need to buy a secure USB drive; it simply means do not assume that your data is absolutely safe because it is stored on a USB drive that has certified encryption. If that USB drive is stolen, in most cases whoever stole it will not be able to gain access; however, there is no real guarantee of that.
These same arguments do not apply solely to USB drives; they apply to any device and any certification. No certification claims that no matter what happens you are secure when using the certified device, and that is an important point to keep in mind. If the certified device is going to be used in a critical capacity, it is crucial that the first step in choosing it is researching the certifications in question. Get familiar with what each one claims and look for devices that meet the requirements you seek. Still, keep in mind that no certification covers everything and tests everything. Risk can only be minimized, never totally eliminated. Remember there is no such thing as total security.
In closing, security is a process. Every element you add to it will reduce the risk on a particular front. The biggest danger, however, is when a newly added element seems so strong and reduces the risk so much that it makes the user neglect other pieces, mistakenly thinking that this new component is enough to mitigate all other risks. This is never the case, and it is vital to remember that one only needs to break the weakest link to get through, not the entire security ecosystem.
Small and medium-sized businesses (SMBs) can gain a great deal from Cloud-based services, but this does not mean they have to do away with their existing infrastructure.
On the contrary, careful planning, a thorough understanding of what the business and infrastructure needs are, and applying GFI’s newly announced Hybrid Approach to the decision-making process can give organizations the ‘best of both worlds’ and help them save money in the process.
According to GFI-commissioned research, just over 50 percent of SMBs in the US use one or more hosted/managed services. Fifty-six percent said they used these services because of fast Internet access and scalability, while 46% pointed to the lower costs involved. Faster deployment (43%) was also a key consideration. However, taking the plunge also depended on hosted providers giving assurances on application performance, data privacy/security and system failure/redundancy (62%). Just under half (47%) said customization of the services was a major concern.
The dilemma for many SMBs is how to reap the benefits of Cloud computing without dismantling their existing infrastructure or dealing with the inherent risks that come with Cloud-based services. The problem is deciding which delivery model is best. The answer is often a mix of both, depending on the infrastructure needs of the business at the time.
“Customers and partners are looking at the flexibility of the application delivery model as they need to quickly adapt to changing economies and market influences. The model we’re proposing is that customers can have Cloud product offerings work with their existing on-premise software to give them the benefits of both. The beauty of this approach is that start-ups can get down to business with relative ease and lower costs, while established businesses can address weaknesses and inefficiencies in their existing set-up by using a complementary service in the Cloud,” GFI’s CEO Walter Scott explains.
GFI’s Hybrid Approach addresses many of the concerns SMBs might have because it gives them the ability to choose the solution they need to secure their network, email server and/or manage their archives, irrespective of whether it is hosted or on premise. Often, they may need a mixture of both.
The Hybrid Approach makes it possible for an SMB to switch back and forth between the Cloud and on-premise options with relative ease, or to adopt a set-up that has both, thereby maximizing the strengths of both delivery models and avoiding the inefficiencies inherent if separate delivery models were used. SMBs also gain defense-in-depth, business continuity and redundancy, which are not always a given with a non-hybrid delivery model.
Being able to choose between delivery models and at the same time benefit from quality solutions that are cost-effective and designed for SMBs is one very good reason why SMBs should actively explore the hybrid approach.
We are pleased to announce that GFI has launched two hosted email security and continuity solutions for small and medium-sized businesses: GFI MAX MailProtection and GFI MAX MailEdge.
These two solutions form part of the new GFI MAX family of hosted IT solutions and follow the acquisition of Katharion, a leading hosted email security provider in Los Angeles, USA.
GFI MAX MailProtection is a proven, highly effective, low-maintenance Cloud-based email security solution that offers next-generation technology to protect thousands of organizations from spam and viruses while also providing valuable email continuity.
GFI MAX MailProtection uses a multi-layered approach to spam filtering to stop spam, viruses and other email threats before they reach the network or mail server. Incoming email is redirected to the service’s fully redundant, multi-tenanted network and application architecture, which processes messages in real time using both standard spam filtering techniques and leading-edge approaches to message analysis such as authenticity checks, message fingerprinting, heuristic rule sets, extensive URI databases, real-time message source analysis, and customizable whitelists and blacklists.
GFI MAX MailEdge is a hosted frontline spam filtering and continuity solution for organizations that need an extra layer of protection before email reaches their mail server, thereby improving efficiency.
GFI MAX MailEdge is designed specifically to be used only in combination with an existing on-premise software or hardware anti-spam/anti-virus solution. This hybrid delivery model allows customers to keep their existing set-up yet also maximize the benefits of having all inbound email filtered first in the cloud. Through its IP reputation filters, connection throttling, directory harvesting protection and optional greylisting, GFI MAX MailEdge is able to safely block up to 90% of all spam emails and email threats before they reach the customer’s network.
In addition, both services offer business continuity thanks to integrated queuing and on-demand mail functionality, ensuring that customers can continue to access and respond to emails even when their own email server is offline.
GFI MAX MailProtection and GFI MAX MailEdge provide a range of important benefits to customers, including:
* Significantly reduced bandwidth and processing power required for incoming email
* An additional level of protection, given the inherent scalability limitations and single point of failure of any on-premise solution dependent on a single server
* A quick and simple setup with minimal effort and training, and no additional hardware
* Full re-branding capabilities at all end-user touch-points, to allow partners of any size to quickly and inexpensively offer the service as an OEM solution.
Following Apple’s announcement of the iPad, and the rumors circulating about the crazy things people are willing to do to get one for free, we decided to launch this awesome competition!
We will be giving away a free iPad to one lucky/daring winner. All you have to do is let us know, via a comment on this blog post or a message on our Facebook page, what you’d be willing to do to get a free iPad!
It could be anything from climbing a mountain, walking backwards to get your usual work done around the office for a whole day, or even swimming 100 laps at your local pool wearing a penguin costume! The possibilities are endless (as long as it is not criminal, illicit, objectionable, disrespectful to any race, age, creed or gender, immoral, or in any way hazardous or irresponsible).
However: there is just one last but very important detail. The selected winner will have to actually perform the stated action and send us video or photo evidence to be able to claim their free iPad.
We will also give out a $100 Amazon.com gift voucher to the 2nd and 3rd best entries received, respectively.
The competition will be open until February 28, 2010, and the winner will be announced on Monday, March 1, 2010. The selected entry will be contacted immediately and asked to submit video proof.
Terms & Conditions
* GFI Software employees cannot take part in this competition
* The Apple iPad will be shipped to the winner when available (i.e., subject to availability)
* Multiple original submissions are accepted and encouraged
* Upon contacting the winner/s, if no reply is received within a week, GFI will choose another entry
* GFI retains the right to cancel/change this or any promotion without notice
* GFI’s decision is final and no correspondence will be entered into
* GFI is not in any way responsible for, and cannot be held responsible for, participants’ actions and/or submissions in relation to this competition and/or for any repercussions of those actions/submissions.
Want a more convenient way to keep up to date with the GFI blog and read all the latest news from GFI and the tech world?
Download the GFI application for the iPhone for free and tap into our news source with just one button. All blog posts are presented in a clear format for you to read and comment upon.
The Talk Tech To Me – GFI Blog app is available from the App Store for free!
So you want to keep up with all the GFI news? There’s an app for that!
GFI MAX RemoteManagement has won the management tools category in the IT PRODUKT 2009 awards organized by the Czech edition of ComputerWorld.
GFI MAX RemoteManagement beat stiff competition in its class to win the award, which the magazine’s editors give to those products that are a cut above the others in terms of quality, feature set and benefits for the user.
“During the GFI MAX evaluation, our editorial staff appreciated the advanced and extensive features for real-time monitoring, fully automated checks, remote access and the very good monitored system status overview, as well as high-quality reporting. The product can be set up to monitor end-users’ sites in a short time and customers pay only for the checks they use,” Peter Velecky, ComputerWorld editor, IDG Czech, said.
“One very common issue that customers have with remote management and monitoring tools is that they are hard to implement, and many companies give up before they start generating any revenue. GFI MAX RemoteManagement can be set up in minutes, and this and other attributes have contributed to the product’s success despite solid competition in the management tools class,” said Robert Houser, technical manager, GFI Czech and Slovak republics.
“We have seen a great response to GFI MAX RemoteManagement from the day it was released on the Czech and Slovak markets. Winning the IT PRODUKT 2009 award from a leading publication such as ComputerWorld is a strong indication of the success and influence that the product has had on the market within its first three months,” said Martin Riha, sales manager, GFI Czech and Slovak republics.
We’re pleased to announce ASCII Group Solution Alliance Membership and Platinum Sponsorship of the ASCII Reseller Success Summits. The alliance between GFI and ASCII will provide additional benefits and education for ASCII members in the growing IT Service, VAR and Managed Services market.
GFI has been welcomed by the ASCII Group, the nation’s oldest and most established community of independent managed service providers, system integrators and solution providers.
“We continue to add more benefits for the ASCII community at large and we’re proud to have GFI join the Solution Alliance network with their simple, affordable IT solutions. GFI recognizes the market value of the ASCII community and offers IT solutions to help IT service organizations build profitable recurring revenues,” states Alan D. Weinberger, Founder, Chairman and CEO of ASCII.
Through its GFI MAX suite, GFI Software offers simple, affordable, hosted IT solutions that help IT Support companies run a more efficient IT support business, help companies scale and allow them to build cost-effective recurring revenues. As a new platinum sponsor, GFI Software is working closely with ASCII to offer new ASCII member benefits to IT Support Companies, VARs and Managed Service Providers. ASCII members will meet the GFI MAX team at the Los Angeles ASCII Summit on February 18. GFI will demonstrate GFI MAX features, functions and benefits, explain how monitoring can be set up in less than 10 minutes and help members register for a free 30-day trial of the solutions: GFI MAX RemoteManagement™, GFI MAX MailProtection™ and GFI MAX MailEdge™.
Ed Harnish, VP Marketing, GFI Software, states, “Through joining the ASCII Group’s Solution Alliance Network, we’re delighted to offer ASCII members the opportunity to learn more about how the GFI MAX family of hosted products can help IT Support companies build recurring revenues, win more business and deliver best-of-breed proactive IT support – the easy way!”
Twitter was named ‘word of the year’ in 2009, confirming the growth of a social networking and media site that is used by more than 350 million people worldwide. However, Twitter is also gaining a reputation as a security risk for individuals and organizations.
Cybercriminals follow social networking sites with a passion because they see in Twitter and other social networking sites a big opportunity to make money and commit fraud. While spammers, scammers and malware creators are the root of the problem, end users of the service are equally dangerous because, ultimately, it is what they do with Twitter that counts. If Twitter users paid attention to what they are doing, listened carefully to warnings from security experts (their IT team at work) and didn’t trust every follower who sent them a message, there would be no reason to be concerned.
Unfortunately, humans are the weakest link in the security chain. Add to that a lack of education and little or no security awareness, and you have the perfect combination for something to go wrong.
So what are the risks, and what can organizations and end users do to limit them?
The Risks
Information leaks of confidential or proprietary data: Corporate organizations are constantly trying to reduce the channels through which information could be leaked. There are numerous ways to update a Twitter account, so it is impossible to block access all of the time. What could leak, and what it could lead to, ranges from identity theft and credit card fraud to business plans, confidential data, information about facilities, and the availability of personnel or their schedules.
Malware and viruses: Malware creators see Twitter as an excellent opportunity to spread malware. The use of shortened URLs makes it easy for the bad guys to mask links to infected sites and to redirect users to websites they would think twice about visiting. Fake services can be set up to collect credentials and information from the user.
Applications: Users put too much trust in both the people following them and the applications that are so easily distributed. These applications, which may be insecure, could be used to steal accounts.
Improper use: Twitter makes it so easy for people to tell their friends and extended network of contacts what they are doing, where they are and so on. Impulse messaging can be dangerous, especially if the user is irate and does not stop to think about the repercussions of his or her tweet. Sending inappropriate tweets is not recommended. From a corporate perspective, employees can be a threat if they post data that could reflect negatively on the company or hurt its integrity. A wrong post picked up by such a wide audience could become a PR nightmare for the business.
Customer care: As more and more businesses set up their own accounts and encourage customers to keep in touch, organizations should be careful how they deal with disgruntled customers who may use Twitter to discuss a negative experience they had. With only 140 characters at its disposal, a business should avoid getting into a slanging match with an unhappy customer on Twitter and should encourage the customer to use conventional customer care channels. Take the conversation offline.
How to counter the risks?
Every company or organization that uses Twitter (or any other social media or networking site) should have a strong policy in place (and enforced) that clearly states how it should be used by employees.
They need to be aware of the consequences of sending out seemingly innocent tweets that could still get them into deep trouble. In December 2009, a Vodafone employee was fired after his post was deemed by the company to go against fair competition. Drastic? Maybe, but it showed that even a humorous post could backfire.
Some basic guidelines include:
1. Think twice before posting. Employees must think compliance, integrity, security… then post.
2. Access URLs in tweets with care. If there is no real need to visit the site, leave it.
3. Show staff what to look out for: how to notice when somebody is stalking or attempting to social engineer information out of them.
4. Avoid confrontation on Twitter. It is a good tool for customer feedback but a disaster for resolving issues.
5. Write the policy in language that is understood by staff. Have them sign it. There should be no excuse that they did not know what they could or could not say.
This week the BBC reported that somebody has disclosed contact details for 170,000 of Shell’s employees worldwide. The disclosure comes with a note declaring that it is being made by former employees who cannot stand the damage the company is doing to the environment. Shell has in turn downplayed the event, claiming that the information disclosed does not pose a security risk to its employees since it does not include employees’ addresses.
Following this statement, I really hope that such a declaration is simply damage control on Shell’s part and that it does not actually believe the statement the company released. Whenever an organization is hit with something like this the implications are enormous, and it is certainly not something to take lightly. While the information published consisted for the most part of names and telephone numbers, there is no guarantee that whoever perpetrated the leak does not have access to more details. Furthermore, even with such limited information as names and contact numbers, a social engineer can use that information very effectively to infiltrate the organization.
Another point Shell should surely be concerned about is this: if the attacker managed to gain access to this information, what else did he manage to get his hands on? How will this affect its workforce? Will the resulting harassment cause people to leave the company? Will the breach mean that some potential future employees will think twice before joining the company, fearing for their privacy? What about lost business? It is to be expected that some companies will worry about whether their contractual and financial details are safe with the company! This can lead to lost deals and revenue.
What is certain is that such a breach causes one big PR nightmare that will not go away by downplaying the breach; downplaying, if anything, will make the situation worse.
As the proverb goes, prevention is better than cure, and this was never more true than in the realm of security. Once such a breach occurs, the damage is done. Contingencies may limit the damage a little, but in any case the resulting fallout is likely to be far more costly than protecting the system in the first place. I am certainly not saying that Shell didn’t do its best to protect its information; that is something I do not know and have no way of knowing. What I am trying to say is that one should do one’s best to avoid such an unfortunate scenario. If one is to believe the disclosed letter, the attack was perpetrated by insiders. Although Shell itself is sceptical of this claim, it is really not that hard to believe. Time and time again, researchers have placed insider threats very high among the security risks organizations face. Worse yet, organizations generally spend the majority of their security budget protecting the inside from the outside and not the inside from itself. One would do very well to remember that in security one loses as soon as the weakest link is compromised, not after the strongest measures fall.
Stories such as this should be an effective cautionary tale of what security is meant to prevent. While investing in endpoint security, the perimeter and access control might not bring any tangible ROI in the short term, if that one-time expense can prevent an unpleasant scenario such as this it will have more than paid for itself.
Today I came across a series of articles claiming that most solutions that encrypt voice communications on mobile phones are not up to par and can easily be intercepted. My initial reaction was that this was a very bold claim, and after reading further I lost a little faith in it. That being said, some of his arguments do have merit, and his technique was very clever in its simplicity.
Notrax, the hacker in question, approached the challenge not by cracking the voice encryption algorithm itself but by installing a Trojan on the victim’s handset and intercepting the voice as it is being recorded from the phone’s microphone, before it gets processed / encrypted. Simple and effective. Virtually all of the solutions were vulnerable to this method. He sees this as a failure on the part of the solution providers; this is what I do not agree with. I do not think that the method Notrax employed is something such a solution must cater for. It is true that a couple of solutions detected something fishy going on and stopped the connection; kudos to them. If Notrax had praised those solutions for their effectiveness I wouldn’t have anything to comment on, but shooting down the others that didn’t detect the intrusion goes a bit overboard in my opinion.
Notrax claimed that this failing on the solution providers’ part means that their protection is useless. He says this implies they do not do what they advertise, since they claim that your calls will be protected whereas he easily managed to intercept the calls using a simple procedure. However, as I argued in a previous post, there is no such thing as an absolute in security. No solution can protect against every form of attack. Each product / piece of software tries to secure its own small domain, and whoever is implementing the security policy must not only recognize this but build his strategy around this notion. Taking these secure calling solutions as an example: if I employ such a solution, I do not expect to be 100% secure against everything. No matter how well designed or how expensive it may be, do I expect this type of software to keep me secure from something as trivial as a person close by hearing me talk (known as shoulder surfing)? Obviously not! What I would expect from such a solution is that if someone were to sniff / intercept the encrypted voice transmission, he would have no way to reverse it in a timeframe that makes it usable.
Notrax’s technique required physical access to the phone and the ability to deploy software. If an attacker gets physical access to something you want to protect, then you are already in a great deal of trouble. No solution will protect you after an event like that. Even those applications that detect something amiss and block the call: what is to stop an attacker who has physical access to the phone from uninstalling them and instead installing a lookalike application with as many backdoors as the attacker wishes? Nothing!
What I am trying to say is not that Notrax is wrong; he is correct: his technique works and is undoubtedly a threat. However, what I don’t agree with is that it is the vendor’s fault. The physical security of the mobile phone is not their responsibility, and his attack was, in my opinion, an attack against the physical security of the device and not against the voice encryption solution. This attack vector cannot be protected against through software; it can only be avoided if proper physical security is ensured. With physical access to the device, a person can simply hook a bug up to the phone’s microphone itself and have everything transmitted unencrypted on any frequency the attacker wishes. No software solution will detect or block that.
What I want to say here is: let’s stay focused on what we are protecting against, and certainly never assume that one solution will cover it all. Security is about identifying the risks, seeing which ones are worth mitigating, and then adopting solutions that can mitigate them.