IT Outsourcing - Percento

Posts Tagged ‘security’

IT Admins Say Web 2.0 Undermines Enterprise Security

Thursday, August 5th, 2010

More than 80% of security administrators think that Web 2.0 applications — social networking tools, widgets, instant messaging programs, and their ilk — are undermining enterprise security. Furthermore, one in five think that employees rarely or never consider the consequences to corporate security of engaging in such activities as downloading applications from the Internet, streaming video, or using peer-to-peer file-sharing sites.

Those results come from a new survey of more than 2,100 IT security administrators in the United States, United Kingdom, France, Japan, and Australia. The survey was conducted by the Ponemon Institute and sponsored by Check Point Software Technologies.

“Our research finds security can be seen as an afterthought for corporate users of Web 2.0 applications; the growing number and sophistication of security threats, coupled with the proliferation of online and easily downloadable tools, is exacerbating the challenges of protecting sensitive information,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement.

The survey also found that nearly half of security managers think that minimizing Web 2.0 risks is an urgent priority. According to respondents, the top threats posed by Web 2.0 applications are, in order, poor workplace productivity, malware, data loss, and viruses.

But so far, spending on Web 2.0 security technology lags. “While this is an issue that must be addressed through strategic investment in technology and awareness, our research also shows that most IT administrators do not believe their organizations have sufficient resources dedicated to securing critical web applications,” according to Ponemon.

On a related note, Check Point announced on Monday the forthcoming release of its Application Control Software Blade, which can control and manage the use of Web 2.0 applications in the enterprise. The product will use the Check Point AppWiki, which catalogs more than 50,000 Web 2.0 widgets and more than 4,500 Internet applications, including social networking, instant messaging, and media streaming tools. The tool can be centrally managed — together with other Check Point “software blades” — from a single Check Point console, and will also integrate with any of the company’s security gateways, such as UTM-1 or Power-1.

Check Point plans to release the Application Control Software Blade by the end of the year.


UAE, Saudi to block BlackBerry on security fears

Sunday, August 1st, 2010

The UAE said Sunday it will block key features on BlackBerry smart phones, citing national security concerns because the devices operate beyond the government’s ability to monitor their use. Officials in neighboring Saudi Arabia indicated it planned to follow suit.

The decision could prevent hundreds of thousands of users in the Mideast country from accessing e-mail and the Web on the handsets starting in October, putting the federation’s reputation as a business-friendly commercial and tourism hub at risk.

BlackBerry data is encrypted and routed overseas, and the measure could be motivated in part by government fears that the messaging system might be exploited by terrorists or other criminals who cannot be monitored by the local authorities.

However, analysts and activists also see it as an attempt to more tightly control the flow of information in the conservative country, a U.S. ally that is home to the Gulf business capital Dubai and the oil-rich emirate of Abu Dhabi.

This isn’t the first time BlackBerry and Emirati officials have had run-ins over security and the popular handsets, a fixture in professionals’ pockets and purses the world over.

Just over a year ago, BlackBerry maker Research in Motion criticized a directive by UAE state-owned mobile operator Etisalat telling the company’s more than 145,000 BlackBerry users to install software described as an “upgrade … required for service enhancements.”

RIM said tests showed the update was in fact spy software that could allow outsiders to access private information stored on the phones. It strongly distanced itself from Etisalat’s decision, and provided details instructing users how to remove the software.

Within hours of the Emirati decision to block BlackBerry services, a telecommunications official in neighboring Saudi Arabia said the desert kingdom would begin blocking the BlackBerry messaging service starting later this month. The Saudi official, who spoke on condition of anonymity because he is not authorized to talk to the media, said the country’s telecommunications regulator would issue a statement on the move soon.

Ali Mohammed of Saudi Telecom, however, said the company had “not received any instructions about BlackBerry from the ministry.”

As in Saudi Arabia, government censors in the UAE already routinely block access to websites and other media deemed to carry content that runs contrary to the nation’s conservative Islamic values or could stoke political unrest.

In announcing the ban, the UAE telecommunications watchdog said it will suspend BlackBerry messaging, e-mail and Web browsing services starting October 11. It was unclear if the ban would affect only local users or foreign visitors with roaming services as well.

Regulators say the devices operate outside of laws put in place after their introduction in the country, and that the lack of compliance with local laws raises “judicial, social and national security concerns for the UAE.”

The government said it is singling out the BlackBerry, and not other phones that can access e-mail and the Web, because the devices are the only phones in the country that automatically send users’ data to servers overseas.

Unlike many other smart phones, BlackBerry devices use a system that updates a user’s inbox by sending encrypted messages through company servers abroad, including RIM’s home nation of Canada.

Users like the system because it is seen as more secure, but it also makes BlackBerry messages far harder to monitor than ones sent through domestic servers that authorities could tap into, analysts say.

“This is the irony, that it’s the device with the highest security features,” said Simon Simonian, an analyst at Dubai-based investment bank Shuaa Capital who follows telecommunications. “These same security features corporations like have become an issue of national security for the government.”

Emirati authorities are eager to portray an image of the country as a safe, stable society free from the extremism found elsewhere in the region. They have taken steps to crack down on terror financing and efforts by neighbor Iran to sidestep international sanctions over its nuclear program.

Regulators said they have sought compromises with RIM on their concerns, but failed to reach an agreement on the issue.

“With no solution available and in the public interest … BlackBerry Messenger, BlackBerry E-mail and BlackBerry Web-browsing services will be suspended until an acceptable solution can be developed and applied,” Telecommunications Regulatory Authority director-general Mohamed al-Ghanim said in a statement carried on state news agency WAM.

“The TRA notes that BlackBerry appears to be compliant in similar regulatory environments of other countries, which makes noncompliance in the UAE both disappointing and of great concern,” he added.

A spokeswoman for Research in Motion said the Canadian company had no immediate comment.

Other countries, including India and the Gulf state of Bahrain, have also raised concerns about BlackBerry messaging features, but have not decided to block them outright.

“The UAE doesn’t want to take any chances and they want to monitor what is going on in the country,” Simonian said.

Research in Motion said in a statement last week it “respects both the regulatory requirements of government and the security and privacy needs of corporations and consumers.”

The company declined to disclose details of talks it has had with regulators in the more than 175 countries where it operates, but defended its phones’ security features as “widely accepted” by customers and governments.

Etisalat and Du, the UAE’s two state-run phone companies, said they would comply with the directive and are working on alternative services for their BlackBerry customers.

RIM does not disclose the number of BlackBerry users in the country.

Simonian, the Shuaa analyst, estimated that there are “hundreds of thousands” of BlackBerry users in the country, but likely fewer than the half million users cited by local media.


Microsoft Releases Windows Security Tool to Swat Bug

Wednesday, July 21st, 2010

Microsoft has released a “Fix it” tool to automate workarounds designed to mitigate a Windows zero-day vulnerability being targeted by attackers.

Microsoft is arming Windows users with a new automated tool to help thwart exploits of a zero-day that has come under attack.

The bug, which lies in the Windows shell component of the operating system, exists because Windows parses shortcuts in a way that permits malicious code to be executed when the icon of a shortcut is displayed. In an update to an advisory first issued last week, the company added information about attack vectors, noting the bug can be exploited locally through an infected USB drive or remotely via network shares and WebDAV.

To help block attacks, the company has released a “Fix it” tool to prevent shortcut icons from being displayed.

“This workaround will disable some icons from being displayed so we recommend administrators test this before deploying it wide,” blogged Christopher Budd, security response communications lead at Microsoft.

The company has also added information about a new workaround to the advisory on the issue, Budd noted. As an alternative fix, users can also block .LNK and .PIF files from downloading from the Internet, he wrote.

The “Fix it” tool requires a restart to work. Applying the fix removes the graphical representation of icons on the Task and Start menu bars and replaces them with plain white icons, according to the company.

The vulnerability affects all versions of the operating system, including Windows XP Service Pack 2, which Microsoft recently stopped supporting.

The vulnerability was first uncovered by security firm VirusBlokAda, and has been linked to malware being used in targeted attacks.

“As always, we’ll update the security advisory and this blog with new information as it becomes available,” Budd wrote.

