Archive - November 2000

Sanctum extends security to Web applications

Even if you have properly configured desktop security tools in place, along with encryption to protect data in transit and network protection in the form of firewalls and intrusion detection systems, you may still be leaving an important piece of the puzzle unprotected: applications.

Many of the most high-profile Web site intrusions and defacements were actually the result of application-level compromises, according to Izhar Bar-Gad, chief technology officer of Sanctum, Inc., of Santa Clara, Calif. Applications can be compromised by simple hacks, such as intruders adding long strings of data to a URL, causing a buffer overflow and potentially opening up avenues into administration pages only internal IT personnel should ever see.

Sanctum's AppShield is intended to prevent such attacks by examining Web application logic and disallowing any data that doesn't fit within the parameters of what the application requires and expects. It also logs each attempt that is outside established policy parameters and alerts administrators of any illegal activity.

The company is now shipping AppShield version 3.0, which offers a 25 percent performance boost over previous versions and integration via SNMP with enterprise systems management tools from vendors including IBM's Tivoli unit, Computer Associates and Hewlett-Packard Co. Additionally, users can now monitor the system from multiple consoles, enabling them to divvy up monitoring by geography or areas of responsibility, for example.

AppShield is also now compatible with OPSEC, the open security framework spearheaded by Check Point Software, and supports SSL accelerators from nCipher, Inc. and Rainbow Technologies, to improve performance in environments that require heavy use of encryption.

It is a difficult, if not impossible, task for developers and administrators to plug every possible hole in their applications, Bar-Gad says. And his security services team proves it time and again. "On average it takes us less than three hours to get almost total control over applications at major e-commerce sites," he says.

Among the oversights that he commonly sees are companies that allow data to be inserted into fields that show up in a URL. He cites the example of a bank that offered customers a pre-approved credit card online, with maybe a $5000 limit. When the customer filled in the required personal data and hit enter, the application came back with a URL in which the number 5000 showed up. By simply changing the 5000 to 500000, the customer could dramatically increase his credit limit.

Similarly, another site sported a search engine whose form accepted a limited number of characters, maybe 50. But the search criteria likewise showed up in the URL, which had no such limit. By simply inserting a long string of characters, an intruder could cause a buffer overflow that resulted in a "critical error" page. Unless administrators remembered to disable the function, that could put the site into debug mode and bring up an administration page, giving the intruder access to all sorts of site underpinnings.

It is these kinds of horror stories that AppShield is intended to prevent. Sitting in front of a Web or application server, AppShield examines all traffic coming into and out of the server, Bar-Gad says. It compares each Web page with the logic behind the page.

For example, AppShield will be smart enough to know in the credit card example that the credit limit field, a so-called hidden field, should not be changed. Any attempt to do so would result only in the user receiving an error page, which is fully customizable. Similarly, any fields with anything other than accepted types and numbers of characters would be rejected. For pull-down menus, only items that are on the menu are accepted.
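The policy checks described above, written out as an added example (this is not Sanctum's code): each field a page sends out carries a rule, and a request is rejected when a hidden field comes back changed, a free-text field exceeds its length or character class, or a pull-down field carries a value that was not on the menu. The policy and the sample requests are constructed for the credit-card and search cases in the article.

```python
# Added example: a positive security model for form/URL parameters, modelled
# on the AppShield behaviour described in the article (not Sanctum's code).
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class FieldPolicy:
    hidden_value: Optional[str] = None   # server-issued value that must not change
    max_len: Optional[int] = None        # upper bound on field length
    pattern: Optional[str] = None        # allowed character class (regex)
    choices: Optional[frozenset] = None  # allowed pull-down menu items

def validate_request(policy: dict, params: dict) -> list:
    """Return a list of (field, reason) violations; an empty list means the
    request matches what the application sent out and expects back."""
    violations = []
    for name, value in params.items():
        rule = policy.get(name)
        if rule is None:
            violations.append((name, "unexpected field"))
            continue
        if rule.hidden_value is not None and value != rule.hidden_value:
            violations.append((name, "hidden field tampered"))
            continue
        if rule.max_len is not None and len(value) > rule.max_len:
            violations.append((name, f"longer than {rule.max_len} chars"))
            continue
        if rule.pattern is not None and not re.fullmatch(rule.pattern, value):
            violations.append((name, "disallowed characters"))
            continue
        if rule.choices is not None and value not in rule.choices:
            violations.append((name, "value not on menu"))
    # A hidden field that was sent out must also come back.
    for name, rule in policy.items():
        if rule.hidden_value is not None and name not in params:
            violations.append((name, "hidden field missing"))
    return violations

# Constructed policy for the credit-card and search examples in the article.
POLICY = {
    "credit_limit": FieldPolicy(hidden_value="5000"),
    "name": FieldPolicy(max_len=40, pattern=r"[A-Za-z .'-]+"),
    "search": FieldPolicy(max_len=50, pattern=r"[A-Za-z0-9 ]+"),
    "card_type": FieldPolicy(choices=frozenset({"gold", "platinum"})),
}

if __name__ == "__main__":
    # Constructed request with the limit raised, an oversized search, and
    # a menu value the page never offered.
    tampered = {"credit_limit": "500000", "name": "A. Customer",
                "search": "x" * 400, "card_type": "diamond"}
    for f, why in validate_request(POLICY, tampered):
        print(f"rejected {f}: {why}")
```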

Sanctum also makes a complementary product to AppShield dubbed AppScan. As its name implies, it is a tool that scans a Web site looking for security vulnerabilities. The tool takes advantage of the knowledge base Sanctum's services team has built up over the years, Bar-Gad says.

AppShield 3.0 is available now for Windows NT and Solaris, with pricing starting at $15,000 per server.



Securant, Netegrity offer competing security standard proposals

Securant Technologies and Netegrity, Inc., already rivals in the market for authentication and authorization tools, are now competing in the standards arena.

Less than a week apart, each of the companies in November announced efforts to develop an XML-based standard for Web security, intended to provide a standardized way of securing transactions even as they cross multiple Web sites based on different platforms and using different vendors' security tools.

Securant says it worked for months with partners and customers before announcing its proposal, dubbed AuthXML. Among the organizations Securant says have joined the AuthXML working group to help create the standard are: Access360, Authentify, Bowstreet, Brown University, CertCo, Check Point Software Technologies, Citrix, Deloitte and Touche, Entrust, Equifax, Internet 2 Project, McKesson, Novell, PriceWaterhouseCoopers, Royal Bank of Scotland, SAIC, Sandhill Systems, Secure Computing, Silverstream, Thomson Financial and Wave Systems Corp.

Netegrity's entry is called the Security Services Markup Language (S2ML). Netegrity credited a number of companies with helping to create S2ML, including Bowstreet, Commerce One, Jamcracker, Sun Microsystems, VeriSign and webMethods.

Each company says its proposal will allow a user's security data to be passed along as a transaction winds its way across various Web sites, providing for single sign-on and obviating the need for a user to be reauthenticated if a transaction crosses multiple vendor sites. In essence, all of a user's security privileges would travel with him through the life of the transaction. Each scheme is intended to work with existing security tools, so users don't need to change out existing infrastructure.

Additionally, both Securant and Netegrity plan to submit their respective proposals to relevant standards bodies, including the World Wide Web Consortium (W3C) and OASIS.

"From a goals and objective standpoint, the difference between these proposals is almost nil," says Pete Lindstrom, senior analyst with the Security Strategies Service at the Hurwitz Group consultancy, based in Framingham, Mass. There are, however, technical differences that will have to be hashed out. "They'll need to come to terms at the table of compromise to get this pushed through."

Key to seeing that happen may be companies like VeriSign and webMethods. In an apparent case of jumping the gun, Securant included both companies on its initial list of AuthXML backers, but not on a revised list that came out a few days later. Executives from both companies say that, while they are more familiar with S2ML, they have an interest in AuthXML and would like to see the two specifications come together.

"We want to be involved in AuthXML as well as S2ML and believe the future of this whole process is to move to one standard," says Jeremy Epstein, principal security architect at webMethods.

Warwick Ford, chief technology officer at VeriSign, voiced similar sentiments. "We haven't had the opportunity to really study or contribute to AuthXML yet, but there appears to be some overlap between that and S2ML," he says. "We'd be interested in seeing these two projects merged."

More information on the standards can be found at their respective Web sites: www.securant.com/authxml and www.s2ml.org.

By Paul Desmond. Reprinted with permission from Softwaremag.com.



Open launches a security console

There's another player on the scene offering a security console.

OpenService, Inc. is no startup; it's just new to the security scene. The company was founded in 1992 and operated mainly as a consulting firm, focusing on remote management of Unix and other open systems. In that capacity, Open built some tools that could analyze systems but were flexible enough to be put to other uses, says Christopher Strug, vice president of marketing for the firm, based in Westborough, Mass.

After much hand-wringing, Open decided it would do best to focus its efforts on the security arena, given the tremendous need for security in the e-commerce era. The result is the SystemWatch family of security management products, targeted at large enterprises and managed service providers (MSPs). It joins security consoles from the likes of e-Security, Inc., of Naples, Florida, and IBM's Tivoli unit.

SystemWatch consists of the SystemWatch Console and a series of SystemWatch Agents. Security Agents pull data from firewalls, intrusion detection systems, virtual private networks, anti-virus systems and Windows NT and Solaris operating systems. The Device Agent monitors smaller security devices, including the emerging crop of security appliances such as firewalls set up between departments in a company. Server Agents run on various types of network servers, including Web, mail and file servers.

Security Agents monitor for meaningful activity and are trained to detect patterns that represent potential security threats. The agents also perform event correlation and log data reduction while keeping an eye on the health of the underlying computer system on which the security application is running, to ensure it is operating properly. Security Agents can also take remedial action, such as shutting down or restarting a firewall as necessary, Strug says.

All agents feed data to the central SystemWatch Console, which displays them via a Web-based interface. Administrators can assign ownership of different alerts to different security personnel, effectively creating multiple views of the network from a security perspective.

The console also correlates alerts coming in from various security devices, detecting patterns of events across devices that indicate security threats. It also allows for automatic alert escalation if problems remain unresolved for too long.

SystemWatch can also export data to trouble ticketing systems and other enterprise management systems, such as Hewlett-Packard Co.'s OpenView. "As security grows in importance, security managers are gaining more control over their applications," Strug says. "But security tools still have to coexist with other network and systems management tools."

About 40 to 50 organizations are already using SystemWatch, he says.

A SystemWatch Security Starter Pack, including one management console and five security agents, sells for $13,995. Additional Device Agents cost $995 while Server agents cost $1,295 and the Security Agent costs $1,795.

For more information, go to: www.open.com

By Paul Desmond. Reprinted with permission from Softwaremag.com.



CrediView Detects Online Fraud Before It Hurts

CrediView recently launched a service it says will help online merchants detect and prevent the fraudulent transactions that can wreak havoc with their bottom line.

Online retailers experience 12 times more fraud than traditional retailers, according to the Gartner Group. CrediView goes further, saying transaction fraud is up to 25 times higher online than in traditional retail environments. The damage is potentially devastating, considering that a retailer with a 5% profit margin would have to sell $20 worth of goods to make up for every $1 in fraud.

CrediView, based in Menlo Park, Calif., aims to reduce that number using a combination of neural network technology, logistic regression models and a homegrown analytical technique to identify patterns of online behavior likely to result in fraudulent transactions.

The proprietary technique, called SE, was developed by Ron Rymon, president and CEO of CrediView, who holds a Ph.D. in computer science from the University of Pennsylvania and was a computer science professor at the University of Pittsburgh. He worked with credit card issuers and service providers to implement the technique.

CrediView offers two levels of the service. ECredible Guard is provided for a per-transaction fee, currently 10 cents per transaction, if previously developed cartridges are employed. Custom cartridges would cost extra.



Tripwire Teams With Lloyd's On Cyber Insurance

Worried about sustaining financial losses from a security breach? Perhaps you should consider cyber insurance.

Tripwire, Inc., of Portland, Ore., and Lloyd's of London recently announced an agreement to offer a 10% discount on a Lloyd's e-Comprehensive cyber insurance policy to customers who properly deploy Tripwire's file integrity software. This followed an announcement by Counterpane Internet Security of San Jose, Calif., that it would offer customers the ability to purchase cyber insurance policies that are likewise backed by Lloyd's.

It makes sense for insurance companies to get in bed with security firms because the security companies can minimize the risk insurers have to assume when covering a company for cyber breaches.

"As a software provider, we're dealing with cyber risk on a daily basis," says Wyatt Starnes, Tripwire's CEO. About 18 months ago, his company hired a consultant to look into whether insurance companies were offering policies to cover the risk associated with e-commerce. The consultant led him to Simon Milner, an associate with JLT Risk Solutions, a Lloyd's broker who developed the e-Comprehensive policy.



Sigaba Offers Simplified E-mail Security

During World War II, the U.S. developed a machine called Sigaba to enable high-level officials to send encrypted messages to one another. Other countries had similar machines, but Sigaba was the only encryption device whose scheme was never cracked by an enemy during the war. (By contrast, the Allies rather early on cracked Germany's Enigma machine, as detailed in the compelling book The Ultra Secret by F.W. Winterbotham.)

The last working copy of the machine sits in a submarine in San Francisco Bay. With that in mind, an e-mail encryption company based in San Mateo, Calif., named itself after the machine when it was founded in 1999, according to Richard Bliss, vice president of marketing for Sigaba Corp.

Sigaba offers software that Bliss says makes it easy for users to encrypt and decrypt mail messages, combating what he says has been the biggest problem with e-mail encryption tools to date: ease of use.

SigabaSecure uses a plug-in module that works with popular e-mail programs and services, including Eudora, Outlook, Lotus Notes, Netscape Messenger, Novell Groupwise, Yahoo! Mail and Microsoft's Hotmail. To send a secure message, users merely click a button.

Sigaba offers SigabaSecure as both a service for individuals and as a product that enables enterprises to set up a secure mail service for employees and business partners. The client software is available free from Sigaba while the server component, due out shortly, will be priced for traditional enterprise use at about $1 per month per user, with a $500 minimum, for unlimited usage. For companies that are in the business of sending out e-mail, Sigaba charges about 3 cents per transaction.



Celo Seeks to Simplify Digital Signatures

Worried about how your company will deal with the new E-Sign digital signature law? Celo Communications claims it can help. Celo, whose name means "to keep secret, to conceal," in Latin, has a product called the CeloCom eSigner that is a Web browser plug-in for digitally signing documents, Internet transactions and entire, complex Web pages.

The key element that the product provides is non-repudiation, says Sven Hammar, Celo's CEO. That means being able to prove a transaction took place, by providing an audit trail. The most widely used security standard on the Internet, Secure Sockets Layer, provides authentication and session control, Hammar says, but you can't use SSL to capture any one part of a transaction and prove that it happened.

CeloCom eSigner is delivered as a browser plug-in or Java applet from a Web site to a client machine, based on pre-defined business rules that spell out when a digital signature is required. It generates a signature that complies with the PKCS #7 crypto message specification and the S/MIME authentication and encryption standard.

eSigner can sign documents of various formats, including HTML, pure text and RTF. End users see the document as they will sign it, much like a receipt. The software works with any version of Microsoft's Internet Explorer or Netscape Navigator browser version 3.x or higher.

The Celo eSigner is priced at $10,000 for a server site license. Client software goes for $250,000 for unlimited use or $2 to $15 per client, depending on volume.



WebTrends Adds Real-time Firewall, VPN Monitoring

IT managers are finally getting some help in ferreting out security problems while there's still time to prevent serious damage, with the latest entrant to the market being WebTrends Corp. of Portland, Ore.

WebTrends Firewall Suite 3.0 adds the capability to be alerted immediately to potential security breaches detected by any of the 30 firewall and virtual private network (VPN) products the WebTrends product can monitor. At the same time, the company announced three additional vendors—Sun, 3Com and Secure Computing—are now supporting the WebTrends Enhanced Logging Format (WELF) specification, in which a firewall or VPN product logs data in a way that is compatible with WebTrends Firewall Suite.

WebTrends Firewall Suite 3.0 costs $1,999 per firewall or VPN proxy device that you want to monitor. The company is offering a free 14-day trial of a full working version of the product.



SecureClean: When "Delete" Really Has to Mean "Delete"

As most IT managers know, when you click "delete" to get rid of a file on a Windows-based PC or server, you are not really getting rid of the file. Even emptying the Recycle Bin doesn't remove the file completely; you're merely removing a pointer to the file, so that it no longer shows up in the file system. It still lingers on your hard disk until such time as it is overwritten by other data.
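The overwrite-before-unlink approach that such tools take, written out as an added example (this is not AccessData's SecureClean): the file's bytes are overwritten in place and flushed to disk before the directory entry is removed, so that deleting the pointer does not leave the original contents lingering on the disk. It assumes a filesystem that writes in place; journaling or copy-on-write filesystems and SSD wear levelling can keep old copies of the blocks that this cannot reach.

```python
# Added example (not AccessData's code): overwrite a file's contents and
# scrub its name before unlinking, instead of only dropping the pointer.
# Assumes in-place writes; COW filesystems and SSDs may retain old blocks.
import os
import secrets

CHUNK = 64 * 1024

def overwrite_file(path: str, passes: int = 2) -> int:
    """Overwrite every byte of `path` in place `passes` times (random data,
    zeros on the final pass), fsyncing after each pass. Returns the number
    of bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                # final pass writes zeros so a recovered file reads as blank
                fh.write(bytes(n) if p == passes - 1 else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # make sure the pass reached the disk
    return size

def secure_delete(path: str, passes: int = 2) -> int:
    """Overwrite, truncate, rename to a random name (so the original file
    name is also gone from the directory), then unlink. Returns the number
    of bytes overwritten."""
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    written = overwrite_file(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
    scrubbed = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, scrubbed)
    os.unlink(scrubbed)
    return written

if __name__ == "__main__":
    # Constructed sample: a file of "sensitive" data, wiped and removed.
    with open("customer_list.txt", "wb") as fh:
        fh.write(b"account list " * 1000)
    print("overwrote", secure_delete("customer_list.txt"), "bytes")
```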

Companies are now realizing this is a security and liability risk, says Eldon Lechtenberg, president of AccessData Corp. in Provo, Utah. His company is offering SecureClean Version 3, which he says is the first product to address the requirements of an enterprise in managing deleted data. While any number of utilities can wipe a disk clean, he says none address the systemic, routine deletion of unwanted data.

SecureClean helps companies avoid losses that occur from at least three areas: old PCs that are donated to various organizations while still full of corporate data; corporate espionage; and litigation.

The product is available now. A 10-license version costs $450. Additional discounts are available for larger licenses.