Sep 2 2010

Cyber crooks steal nearly $1 million from University of Virginia

A theft of nearly $1 million from bank accounts of the University of Virginia’s College at Wise is being investigated by the FBI.

While the agency, as per its official policy, neither confirms nor denies that such an investigation is underway, the college's media relations director declined to divulge any details but confirmed an internal investigation, adding that, as far as the college can tell, no student data has been compromised.

Unofficial sources say the thieves compromised a computer belonging to the university's comptroller with data-stealing malware (described as a "virus"), which forwarded them the online banking credentials for the accounts in question, reports Brian Krebs.

Once they had access to the account, they initiated a single wire transfer of $996,000 to an account opened at the Agricultural Bank of China.

Source


Sep 2 2010

Amazon EC2 Price Reduction

We’re always looking for ways to make AWS an even better value for our customers. If you’ve been reading this blog for an extended period of time you know that we reduce prices on our services from time to time.

Effective September 1, 2010, we've reduced the On-Demand and Reserved Instance prices on the m2.2xlarge (High-Memory Double Extra Large) and the m2.4xlarge (High-Memory Quadruple Extra Large) by up to 19%. If you have existing Reserved Instances, your hourly usage rate will automatically be lowered to the new rate and your estimated bill will reflect the change later this month. As an example, the hourly cost for an m2.4xlarge instance running Linux/Unix in the us-east Region drops from $2.40 to $2.00. This price reduction means you can now run database, memcached, and other memory-intensive workloads at substantial savings. Here's the full EC2 price list.

As a reminder, there are many different ways to optimize your costs. When compared to On-Demand instances, Reserved Instances enable you to reduce your overall instance costs by up to 56%. You pay a low, one-time fee to reserve an instance for a one or three year period. You can then run that instance whenever you want, at a greatly reduced hourly rate.

For background processing and other jobs where you have flexibility in when they run, you can also use Spot Instances by placing a bid for unused capacity. Your job will run as long as your bid is higher than the current spot price.

Source


Aug 30 2010

CA continues cloud buying spree with $200 mil Arcot buy

Continuing its cloud computing buying spree, IT management software provider CA Technologies announced Monday that it plans to acquire authentication solutions provider Arcot for $200 million.

The acquisition, expected to close by the end of September, will expand Islandia, N.Y.-based CA’s existing security portfolio by adding fraud prevention and advanced authentication functionality to its existing identity and access management (IAM) offerings. Additionally, the acquisition will allow CA to accelerate its delivery of identity and access management (IAM) solutions from the cloud, CA said in a statement.

Dave Hansen, general manager for the security business at CA Technologies, told SCMagazineUS.com on Monday that customers want to take advantage of the cloud but are concerned about security and want authentication to ensure the right people are accessing the right information.

“People are starting to realize – and this [acquisition] reinforces it – that cloud computing is here, and people want to take more advantage of it and feel like they have the security and control around it to deliver a reliable service,” Hansen said.

Founded in 1997, Sunnyvale, Calif.-based Arcot is a provider of authentication and fraud prevention solutions that can be delivered as cloud services or deployed on premises. Arcot's technology is used to help prevent fraud in about one million credit card transactions each day. CA said that combining Arcot's technology with its SiteMinder web access management portfolio will enable the company to further help customers reduce risk, support regulatory compliance, and confidently secure business transactions.

Arcot’s operations and approximately 165 employees will become part of CA’s security business. The acquisition will allow CA to compete with RSA, which also provides advanced authentication solutions, Hansen said.

This is the seventh cloud computing acquisition for CA in the past 14 months. Earlier this month, CA acquired 4Base, a virtualization cloud infrastructure consulting firm. Other recent CA cloud acquisitions include Nimsoft, a cloud monitoring provider; 3Tera, a developer of solutions used to build cloud applications; Cassatt, a provider of cloud computing software for data centers; NetQoS, a network management software and services firm; and Oblicore, a service-level management technology vendor.

Source


Aug 30 2010

3M To Acquire Cogent For $943 Million

In an effort to broaden its footprint in the market for security and identification products, 3M Co. has agreed to acquire Cogent Inc., a Pasadena-based provider of biometrics systems that focuses largely on public sector agencies in law enforcement and homeland security.
Under the deal, disclosed Monday, 3M will acquire all of Cogent's outstanding shares at $10.50 per share, a premium of 18% over Friday's closing price of $8.91. The agreement, subject to shareholder acceptance and other conditions, is expected to close in the fourth quarter, 3M said.

Cogent shares were up 21.03%, to $10.79, in early afternoon trading Monday. That its shares were trading above 3M’s offer was a sign investors believe other vendors might try and top 3M’s offer, a move that could kickstart a bidding war akin to Dell and HP’s contest to acquire storage company 3Par.

3M's shares were off 0.75%, to $80.39, as it cautioned the deal would reduce earnings by $0.09 to $0.10 per share in the first year.

3M officials said acquiring Cogent would bring their company deeper into key growth markets like border and airport security. “Cogent Systems has done a tremendous job establishing a strong presence in the biometric industry,” said Mike Delkoski, VP and general manager for 3M’s Security Systems Division, in a statement.

“Adding Cogent Systems products to our business strengthens our product portfolio and services in high security credential issuance and authentication systems and positions 3M’s business in law enforcement applications. It also expands our reach into access control and other commercial ID and authentication applications,” said Delkoski.

The U.S. Department of Homeland Security is a key Cogent customer. Cogent has teamed with ARINC, FLO Corporation, and International RAM to develop the iQueue pre-approved traveler program for use at airport security checkpoints around the country.

Other Cogent customers include New York State, the UK national post office, and the Belgian federal police department.

Cogent founder and CEO Ming Hsieh is expected to remain with the organization following completion of the acquisition. "3M can accelerate our growth and extend our reach in global border control markets, law enforcement and commercial applications," said Hsieh, in a statement.

Source


Aug 30 2010

Organizing sensitive data in the cloud

There's a tremendous buzz today about cloud computing, but before outsourcing your critical business systems to the cloud, let's review some security concerns.

The most critical business applications deal with corporate HR, finance, credit card, and other sensitive data. If any of this information is compromised, lawsuits may ensue and your corporate brand is tarnished, a nightmare that could lead customers to avoid your products or services. How can cloud computing effectively protect sensitive data?

There are three areas that need to be addressed to push your applications into the cloud effectively: defense in depth, the analysis needed to migrate each application, and the collection of system and application metadata.

Let’s start with defense in depth.

First, put sensitive data in a second tier of firewall segments behind the main corporate firewalls. This second-tier firewall and its network shield sensitive applications and their data from being easily reached if the Web-facing firewalls are breached. For example, consider a grocery chain. It would be wise to deploy at least four firewall/network segments: one for HR data, one for financial data, one for credit card (PCI, Payment Card Industry) data, and one for services that the other segments share. The shared-services segment could hold common support services such as network and systems management, encryption and PKI functions, access control services, and security event management.

Another architectural control that protects corporations from internal data theft is what I call a Tunneling Access Protocol: an access control function that forces every administrator to authenticate and record what they are about to do before performing administration on segment systems. All administrative access is therefore tracked, which discourages internal theft of information.

The second area that needs addressing is the analysis needed to determine whether the application can be migrated successfully behind the cloud's second-tier firewalls. I recommend starting with the application design document. It gives you a big-picture understanding of which business need the application serves, what middleware it uses, what databases it uses, and what protocols it speaks. It also often contains the logical architecture.

It is important to cover all the systems the application interacts with. Your security team will have a variety of information collected about the application: what data is sensitive, how and with what tools the data is encrypted, and penetration testing results if it is a Web-facing application. I also recommend creating a protocol diagram showing all servers and their IP addresses, the protocols being used, and the protocol (TCP or UDP) ports being used. This network view shows specifically which servers need to talk to each other and what protocols (ports) they use to do it. It is not necessary to include switches, routers and other network infrastructure components, because the protocols/ports just ride over them. If the protocol diagram is thorough, creating the firewall rules should be a simple step: each rule is made up of source and destination IP (Internet Protocol) addresses, the protocol used, and the ports that ride on top of that protocol. The diagram also lets you check each conversation against the segmentation policy before a rule is written, since a flow that crosses directly from one data segment into another is exactly what the second tier is supposed to prevent.
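The step from protocol diagram to firewall rules, with the segmentation policy enforced on the way, as an added example (not from the article): each diagram line is a source, destination, protocol and port; hosts are mapped to the HR, finance, PCI and shared-services segments by address; flows that stay inside a segment, touch the shared-services segment, or enter a data segment from the web tier become allow rules, and anything else is reported as a violation instead of silently becoming a hole. The segment networks, host addresses and flows are constructed for the example.

```python
"""Firewall rules from a protocol diagram, checked against the segmentation
policy above (HR, finance, PCI and shared-services segments behind a
second-tier firewall). Added example, not the article's own material; the
segment networks, hosts and flows below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Second-tier segments plus the web-facing tier in front of them (constructed).
SEGMENTS = {
    "dmz":     ip_network("192.0.2.0/24"),   # web-facing servers
    "hr":      ip_network("10.10.0.0/24"),
    "finance": ip_network("10.20.0.0/24"),
    "pci":     ip_network("10.30.0.0/24"),
    "shared":  ip_network("10.40.0.0/24"),   # DNS, syslog, PKI, management
}
DATA_SEGMENTS = {"hr", "finance", "pci"}


@dataclass(frozen=True)
class Flow:
    """One line of the protocol diagram: who talks to whom, over what."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    port: int


# Constructed protocol diagram for a card-processing application.
PROTOCOL_DIAGRAM = [
    Flow("192.0.2.10", "10.30.0.5", "tcp", 8443),   # web tier -> PCI app server
    Flow("10.30.0.5", "10.30.0.20", "tcp", 1433),   # PCI app -> PCI database
    Flow("10.30.0.5", "10.40.0.53", "udp", 53),     # PCI app -> shared DNS
    Flow("10.30.0.5", "10.40.0.10", "tcp", 514),    # PCI app -> shared syslog
    Flow("10.20.0.7", "10.30.0.20", "tcp", 1433),   # finance host -> PCI DB: crosses segments
    Flow("10.40.0.50", "10.10.0.8", "tcp", 22),     # shared management -> HR host
]


def segment_of(addr: str) -> str:
    """Name of the segment an address belongs to, or 'unknown'."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def flow_allowed(flow: Flow) -> bool:
    """Segmentation policy: traffic stays inside a segment, goes to or from the
    shared-services segment, or enters a data segment from the web tier.
    Data segments never talk to each other directly."""
    src, dst = segment_of(flow.src), segment_of(flow.dst)
    if "unknown" in (src, dst):
        return False            # a host missing from the diagram gets no rule
    if src == dst or "shared" in (src, dst):
        return True
    return src == "dmz" and dst in DATA_SEGMENTS


def build_rules(flows):
    """Return (rules, violations): 5-tuple allow lines plus a final default
    deny, and the diagram lines the policy refuses to turn into rules."""
    rules, violations = [], []
    for f in flows:
        if flow_allowed(f):
            rules.append(f"allow {f.proto} {f.src} -> {f.dst} port {f.port}")
        else:
            violations.append(
                f"{segment_of(f.src)} -> {segment_of(f.dst)} {f.proto}/{f.port} "
                f"({f.src} -> {f.dst})")
    rules.append("deny any any -> any")
    return rules, violations


if __name__ == "__main__":
    rules, violations = build_rules(PROTOCOL_DIAGRAM)
    print("\n".join(rules))
    for v in violations:
        print("VIOLATION:", v)
```

Rules are written for the initiating direction only, which assumes a stateful firewall that admits the return half of each conversation; on a stateless filter every line would need its mirror. The finance-to-PCI database line is the kind of shortcut that appears on a real diagram because it worked before segmentation, and the point of the check is that it surfaces as a violation to be redesigned (usually by routing the data through a service in the shared segment) rather than being copied into the rule base.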

Lastly, I recommend a thorough collection of system and application metadata. Porting your application well requires this work, and if you have a disaster or business interruption, or want to pull your application back out of the cloud, you need this data. System information exists per firewall/network segment: all applications in a segment share the same system data, such as the same firewall, routers, switches, encryption algorithm (if one is used for all applications in the segment), and storage subsystem. System metadata includes vendor, model, software release and version, and other system-wide configuration data. Application metadata is similar but covers the load balancers, encryption method, middleware, database, server hardware and operating system, and the services, protocols, and ports that ride on top of those systems, again with vendor, model, software release and version, and other application configuration data.

The next question is where this metadata should live. I recommend keeping it in a hierarchy in an LDAP repository with two tiers: a Segment System entry for each of the four segments in the example above, and beneath it an Application entry for each application within that segment. This ordering enables a systematic collection of all metadata, and, most importantly, a quick deployment of an application or a whole segment into a cloud. Note that this repository describes exactly how your sensitive segments are built (addresses, ports, encryption methods), so it belongs in the shared-services segment with the same access controls and administrative logging as the systems it documents.

In summary, migrating critical applications to the cloud involves putting data behind a second tier of firewalls. Common services live in one segment that all segmented applications can share. Applications should be placed in separate segments based on the type of data being protected, such as credit card data, finance data and HR data, with a further segment for shared services. A variety of documentation should be created and/or reviewed to make sure that porting applications behind the second-tier 'deep theater' defense firewalls goes well. The collected metadata forms a hierarchy of two layers: the common system per segment and the different applications within each segment. I recommend saving the metadata in a directory where it can be easily retrieved.

Source


Aug 27 2010

Dell and Hewlett-Packard’s tug-of-war over 3Par intensifies

A tug-of-war intensified yesterday between America’s top two computer makers, Dell and Hewlett-Packard, as the pair of hardware titans outbid each other in a billion dollar takeover fight for a hitherto obscure data storage firm, 3Par.

Early on Thursday, Texas-based Dell slapped down an improved offer of $1.52bn for 3Par, topping a $1.5bn proposal tabled by HP three days earlier. But HP struck back after the close of markets on Wall Street, raising its bid to $1.6bn.

The unusually aggressive head-to-head confrontation comes as the computer manufacturers jostle for position in the potentially lucrative market for so-called “cloud computing”.

3Par, which is based near San Francisco, offers flexible data storage solutions to companies that do not want to invest capital in owning their own servers. It is considered well placed to benefit from higher information technology spending when the corporate world eventually stages a recovery from the recession.

HP’s latest offer for 3Par is pitched at $27 per share, a significant premium on Dell’s bid of $24.30. The auction began last week when Dell offered $18 in a deal initially accepted by 3Par’s board. Financiers expressed surprise at the rapid upward march of the price.

“It’s a very rich valuation,” said Jeffrey Fidacaro, an analyst at Susquehanna Financial Group. “At what point does someone cry uncle? It’s difficult because valuations don’t seem to be making a whole lot of sense here. But then again, we don’t know the revenue synergies they expect out of this.”

3Par has 670 staff but has lost money for much of its 11-year history. Admirers say it could cash in from a trend where organisations shift away from spending money on their own server hardware to having technology resources delivered over the internet by third-party suppliers according to need – known as “cloud computing”.

Toan Tran, a technology analyst at research firm Morningstar, said HP, the bigger of the two bidders, could be the hungrier: “At the end of the day, 3Par is worth more to HP than it is to Dell, given HP’s existing enterprise hardware and services business.”

HP splashed out $13.9bn two years ago on Electronic Data Systems, bolstering its presence in business IT services. But it is hobbled by a lack of a permanent chief executive: its boss, Mark Hurd, was forced out earlier this month in a scandal over allegations of sexual harassment and improper expense claims.

Source


Aug 19 2010

Intel to acquire McAfee for $7.7 billion

Intel on Thursday announced plans to acquire Santa Clara, Calif.-based McAfee for $7.68 billion.
The boards of both companies unanimously approved the deal, which is expected to close pending McAfee shareholder and regulatory approvals.

The acquisition reflects that security is now a fundamental component of online computing, Intel said in a statement.

“Today’s security approach does not fully address the billions of new internet-ready devices…as well as the accompanying surge in cyberthreats,” the company said.

McAfee, with $2 billion in revenue in 2009, will become a wholly-owned subsidiary of Intel, reporting into the chip giant’s Software and Services Group.

Source


Aug 17 2010

HP slurps up security software firm

HP has bought Fortify Software, strengthening its application security software portfolio.

The software security assurance firm essentially offers products which check the security of your software, help organise vulnerabilities so the most dangerous are fixed first and help manage the process of fixing them.

Fortify offers various compliance, vulnerability and detection products. It also offers hosted security testing.

The company was founded in late 2002 by Roger Thornton with money from VCs Kleiner Perkins Caufield & Byers. Before this Thornton was an adviser to ETrade and eBay. The Silicon Valley native has also worked for Apple, Centerline Software and Sun Microsystems.

Fortify’s customers include Experian, WaMu, JP Morgan, Gap and the US Air Force. Financial terms were not provided.

Fortify will continue to operate as a standalone business for now, but will be gradually borged into HP’s Software and Solutions division.

The agreement follows a year after IBM acquired Ounce Labs, a less established competitor to Fortify that also plays in the application security and assurance market.

Source


Aug 16 2010

CA buys cloud consulting company

Betting that moving to the cloud won't be as easy as vendors promise, CA Technologies has bought 4Base, a consulting firm that helps companies adopt and implement the cloud.

“The rise of boutique consulting firms focused on cloud and virtualisation tells you that there’s a need here,” wrote Jay Fry, vice president of business unit strategy for CA, in a blog post about the acquisition.

The companies did not disclose the terms of the deal.

4Base has worked on more than 300 projects, CA said, and includes eBay, T-Mobile and Visa among its customers.

4Base will become the nucleus of a new group in CA called the Global Virtualisation and Cloud Consulting Team. Based on 4Base’s experience, the group will offer assessments of virtualization capability and operational readiness for virtualisation, strategy assessments and cloud-based advisory services.

The acquisition will also help CA start engaging with customers earlier in their planning processes, not just when they need help installing software, Fry said.

He argued that despite all the buzz about the simplicity of the cloud, businesses are already noticing that the cloud is complex to use and implement. Some fall into a "virtual stall" as they get stuck in the midst of virtualisation rollouts, he said.

“While it’s true that no one’s looking for complexity, we know that complexity is with us in current, more traditional IT environments. As we get early cloud computing implementations off the ground, I don’t think we have much choice: complexity will follow IT to the cloud (and back) as well,” he wrote.

Source


Aug 12 2010

Claiming PCI or any other compliance – daily

Let’s be honest: Organizations follow compliance and regulatory requirements like PCI because VISA threatens to fine your company or worse, cut you off from credit card processing.

OMG! I would not be able to process credit card payments, it will cost me untold profit… OMG!

That is more like it, because we all know that if your organization truly practices good information security on a daily basis, you would be compliant with PCI (just missing the QSA certification, of course), and you would most likely be in compliance with just about any other compliance or regulatory requirement your organization might have thrust upon it.

If you follow and actually practice, perform and maintain a best-practice, state-of-the-art, best-of-breed (call it what you will) information security program, you are basically doing all the right things to become compliant when required. The difference between being secure and being compliant is the organization's maturity model. Practice good information security daily and you will basically be compliant (good maturity). Implement or improve information security only to meet a compliance requirement such as PCI (bad maturity).

While I was at TRISC 2010 to present "Cloud Security can be used securely", I listened to the ever-entertaining Dr. Eugene Schultz mention in his keynote the PCI breaches at TJX and Heartland Payment Systems. We have all read the plethora of articles about the incidents, how they occurred, how much they cost the organizations and, of course, that both were 'PCI compliant' at the time. If you believe they were PCI compliant, you would be sadly mistaken, but this is the first thing you hear people discuss: "But they were PCI compliant" (also read: Heartland CEO on data breach: QSAs let us down).

True, both TJX and Heartland had been certified PCI compliant by a QSA at some point in time, but when did the incidents occur? The day the QSA certified them? Of course not. They were compromised after they stopped practicing PCI compliance, or stopped performing best-practice, state-of-the-art, best-of-breed information security, which I am guessing was only days after they obtained their PCI certification or after the QSA left. Remember that certification is a point in time: the day you were assessed by the QSA is the day, or maybe a few days, that you were actually compliant, not weeks, months or a year later.

Why? It is simple really: TJX and Heartland both stopped monitoring their environments. How do we know? The initial intrusions went undetected for roughly 17 months at TJX and roughly 7 months at Heartland. These companies were not actually PCI compliant at all, because PCI requires monitoring and alerting (requirements 10 and 11) to occur every day, all the time, for everything, or at least for every actionable security-related event. Basically it means watch for malicious activity, and automate it. This is where most organizations fail in the audits and assessments I have performed over the years, and of course TJX and Heartland did as well.

Recently I read Brian Krebs's blog post on the Verizon Business RISK team's report on 2009 breaches. The report showed that 85 percent of breaches involved common configuration errors or weaknesses. Yup, you guessed it, the kind that could be fixed with a software patch. Companies that are patch happy and have an "apply them now" mentality were often found not to have reviewed their log files in months. The same article's sidebar, titled "Of needles and haystacks", stated that 86 percent of the breaches could have been prevented or detected if the organization had actually reviewed its logs for unusual behavior or actionable security-related events. This means actually alerting on security incidents: yup, PCI DSS requirements 10 and 11. We can all relate to this; it is like hiring a security guard for the front desk who never checks ID badges or watches for nefarious behavior by ne'er-do-wells.

So this simple report from Verizon shows how a company that obtains some form of certification, usually because it is obligated or required to, often fails, as in the case of TJX and Heartland, because it stops performing good information security practices and thus falls out of PCI compliance the first day it stops being proactive with monitoring and alerting. If these organizations had performed PCI compliance daily, looking at a log report or alerting on actionable security-related events, they would not have had the breaches they did.

If you practice real, proactive information security, then by default you will be compliant with almost any regulatory and compliance requirement. If you implement information security only to become compliant with PCI, ISO, HIPAA and the like, you will never really be compliant, because you do security to pass a test rather than regularly practicing, performing and maintaining a best-practice, state-of-the-art, best-of-breed information security program, and thus being compliant.
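What "daily PCI compliance" looks like in practice for requirement 10, as an added example (not part of the post, and not the Verizon or Krebs material): a review job that parses a day's authentication and database events, raises alerts on the actionable patterns the post is talking about (a burst of failed logins followed by a success, and a query against the card database from a host that is not one of the application servers), and refuses to count the review as done when the newest log line is more than a day old, because silent logs are how 17 months of undetected access happens. The log format, host names, addresses, thresholds and the allowed client list are all constructed for the example; a real deployment would read the format its syslog collector actually produces.

```python
"""Daily log review for PCI DSS requirement 10: parse a day's syslog-style
lines, alert on actionable events, and flag stale logs instead of calling the
review done. Added example; the log format, hosts, addresses, thresholds and
events below are constructed, not taken from the post or from Verizon."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$"
)

# Constructed sample: a brute-force run against the card database from an
# outside address, a successful login, a large query from that same address,
# then normal traffic from the application server.
SAMPLE_LOG = """\
2010-08-11T02:14:01 pci-db01 auth_fail user=sa src=203.0.113.9
2010-08-11T02:14:03 pci-db01 auth_fail user=sa src=203.0.113.9
2010-08-11T02:14:05 pci-db01 auth_fail user=sa src=203.0.113.9
2010-08-11T02:14:07 pci-db01 auth_fail user=sa src=203.0.113.9
2010-08-11T02:14:09 pci-db01 auth_fail user=sa src=203.0.113.9
2010-08-11T02:15:40 pci-db01 auth_ok user=sa src=203.0.113.9
2010-08-11T02:16:02 pci-db01 db_query user=sa src=203.0.113.9 rows=48213
2010-08-11T09:30:11 pci-db01 auth_ok user=appsvc src=10.30.0.5
2010-08-11T09:30:12 pci-db01 db_query user=appsvc src=10.30.0.5 rows=1
""".splitlines()

ALLOWED_DB_CLIENTS = {"10.30.0.5"}          # the PCI application servers (constructed)
FAIL_THRESHOLD = 5                          # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)
MAX_LOG_AGE = timedelta(hours=24)           # older than this and collection has stopped
REVIEW_TIME = datetime(2010, 8, 12, 8, 0, 0)  # constructed "now" for the daily run


def parse(lines):
    """Turn raw lines into event dicts; unparseable lines are skipped here,
    and in production should be counted so a format change is noticed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = dict(tok.split("=", 1) for tok in m["kv"].split())
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                       "host": m["host"], "event": m["event"], **kv})
    return events


def review(lines, now):
    """Return the list of alerts for one day's logs, reviewed at time `now`."""
    events = parse(lines)
    alerts = []
    if not events or now - events[-1]["ts"] > MAX_LOG_AGE:
        alerts.append("STALE_LOGS: newest entry older than 24h; collection may have stopped")
    fails = defaultdict(list)          # source address -> timestamps of failed logins
    for e in events:
        src = e.get("src", "?")
        if e["event"] == "auth_fail":
            fails[src].append(e["ts"])
        elif e["event"] == "auth_ok":
            recent = [t for t in fails[src] if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(f"BRUTE_FORCE_SUCCESS: {src} logged in as "
                              f"{e.get('user')} after {len(recent)} failures")
            fails[src].clear()
        elif e["event"] == "db_query" and src not in ALLOWED_DB_CLIENTS:
            alerts.append(f"UNEXPECTED_DB_CLIENT: {src} ran a query returning "
                          f"{e.get('rows')} rows")
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG, REVIEW_TIME) or ["no alerts"]:
        print(alert)
```

The stale-log check is the part most reviews skip: a job that reports "no alerts" every morning because the collector died is indistinguishable from a quiet network unless freshness is itself an alert. The thresholds and the allowed-client list are the assumptions to tune; the list of application servers should come from the same protocol diagram that produced the firewall rules, so that the firewall and the log review agree on who is permitted to talk to the card database.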

Source