Public Forum for Firms to Discuss Vulnerabilities
Red Hat plans to participate in a new initiative, implemented by the National Institute of Standards and Technology (NIST), that enables members of the software industry to officially and publicly comment on vulnerabilities. This service is being implemented within the National Vulnerability Database (NVD) at NIST, based on Red Hat’s recommendation.
Red Hat approached NIST with the idea of using the NVD to create an official vendor statement service based on the Common Vulnerabilities and Exposures (CVE) naming standard, giving the software industry an open, transparent forum to contribute information about vulnerabilities. Both open source and proprietary software vendors now have the opportunity to comment on vulnerabilities in their products, and can use the service in a variety of ways, including configuration and remediation guidance, clarifications of vulnerability applicability, deeper vulnerability analysis, disputes of third-party vulnerability information and explanations of vulnerability impact.
As a widely recognized, comprehensive cyber security resource containing all publicly available US government vulnerability information, the NVD serves users of both open source and proprietary software. With vulnerability information centralized and communicated in one place, customers and users will benefit from increased information coming from both the US government and vendors themselves.
To learn more about vendor statements within the NVD, please visit http://nvd.nist.gov. Vendor statements are directly visible from the relevant vulnerability pages. A complete XML feed is updated every two hours at http://nvd.nist.gov/download/vendorstatements.xml.
Face Recognition Using Card With Videocam
FaceKey Corporation has been issued a new US patent, titled “Facial Imaging Verification Utilizing Smart-Card With Video Camera.” This patent covers a smart card equipped with an embedded video camera for use with face recognition. This smart card is a unique type of security and identification device never before available. Embedding a video camera in the smart card and requiring its owner’s face to be recognized before using the smart card will prevent unauthorized access to facilities and confidential data stored on the card. Research indicates that because of the many features and benefits of the technology, the market for the smart card equipped with an embedded video camera is vast and is expected to be in the billions.
“Your face will be your key,” said Yevgeny B. Levitov, president of FaceKey Corp. “Because the presence of the owner of the smart card with an embedded video camera is required to use the card, the smart card is a new tool to increase accountability, such as limiting access to property, protecting confidential data, preventing identity theft and restoring privacy. We believe that security will be increased without the further wearing away of citizens’ privacy as business and government add restrictions as they endeavor to protect customers, employees and citizens.”
Local Symantec Conference
Symantec has issued a general invitation to its 2006 Industry Conference, this year held at the InterContinental Hotel in Riyadh. The Symantec Worldwide Industry Conference will provide insight into top-level corporate strategies and initiatives, as well as in-depth product and technology updates. The conference will include:
• Keynote presentations from top Symantec executives;
• Discussions regarding future Symantec directions;
• One-on-one meetings with Symantec executives;
• Product and solution updates from Symantec product managers.
To register, visit www.symantec.com/vision/sa.
Explorer Update for Microsoft Junkies
If you are still using Internet Explorer, then the time has come to update to IE7. This is the first major update of Microsoft’s browser in years and most reviews place it barely on parity with other products already on the market.
According to John E. Burke, principal research analyst, Nemertes Research, the three key drivers for releasing IE7 were competition, compatibility and security consciousness.
“Pressured by the still-growing popularity of Firefox and to a lesser extent Safari and Opera, one key change Microsoft has made in IE7 is improved support for web standards such as Cascading Style Sheets (CSS) and JavaScript,” Burke said. “More important still, the ongoing discovery of security holes in IE6 has driven Microsoft to try to make IE7 far more secure than its predecessor. Certainly, the changes in the browser’s default behaviors — making the safer option the default in far more situations — represent a fundamental shift toward a more secure paradigm.”
For more information or to download IE7, go to http://www.microsoft.com/windows/ie/default.mspx.
Schneier to Deliver Keynote at LinuxWorld
Internationally renowned security technologist and author Bruce Schneier will deliver the opening keynote address at the LinuxWorld OpenSolutions Summit. Often described as the “security guru,” Schneier is best known as a security critic and commentator, best-selling author, and founder and Chief Technical Officer of Counterpane Internet Security, Inc. The LinuxWorld OpenSolutions Summit is scheduled to take place Feb. 14-15, 2007, at the New York Marriott Marquis.
Schneier’s presentation, “The Economics of Information Security,” will address the hot and rapidly growing field of research focusing on economics and computer security. When surveying current trends in information security, it’s clear that a myriad of forces are at work. But fundamentally, security is all about economics: Both attacker and defender are trying to maximize their return on investments. Economics can explain why security fails so often, as well as offer new solutions for security success. Do we spend enough on keeping hackers out of our computer systems? Do we spend too much? Are we spending our security budgets on the right things? These questions and more will be addressed during Schneier’s keynote.
“We generally think of computer security as a problem of technology, but systems often fail because of misplaced economic incentives, meaning the company that builds the operating system isn’t suffering the costs when vulnerabilities are exposed — the customers are,” said Schneier. “If we make the manufacturers responsible for software vulnerabilities, we change the economic incentive and force companies to improve security as opposed to adding more technology.”