Security Advisor

Sophos Voices Concern Over Internet Explorer 9 Security

The company points out flaws about a Microsoft study that shows IE 9 malware blocking success rate. Plus: Google to fix Android hole, Sony's security still being taken advantage of and a cloud vendor wants providers to make security a higher priority.

• By Jabulani Leffall
• 05/23/2011

Chet Wisniewski, a security researcher at U.K.-based vendor Sophos, suggests that Microsoft's claim of blocking malicious downloads on IE 9 is not particularly accurate, and that the data upon which Redmond makes its stand is inconclusive.

Microsoft's data reveals that that one in every 14 downloads by Windows users is malicious, and thus blocked by IE9.

Specifically Wisniewski accuses the software giant of comparing "Apples to nothing." He says the data fails to account for third-party applications on Windows systems that can be accessed or launched during an IE browsing session. Specifically he says IE 9 wouldn't, in theory, be fully able to recognize and block exploits from Adobe's Reader and Flash, Apple's iTunes or Java from Oracle.

While Wisniewski didn't argue the effectiveness of IE 9 he labeled Microsoft's claims as a "PR move" that don't tell the whole story.

Microsoft has yet to formally respond to the issue. Seeing how there's no love lost between Sophos and Redmond, it'll be interesting to see what that response entails.

Google To Patch Android Flaw
Google said it would roll out a server-side patch for what it calls a security vulnerability affecting smartphones with the Android OS. The hole Google aims to plug is one that could give hackers access to sensitive data stored on the phones, especially when the phones are logged on to public Wi-Fi hotspots.

According to a Google statement, the hotfix will address a "potential security flaw that could, under certain circumstances, allow a third party access to data available in Calendar and Contacts tools on Android OS-based smartphones.

Google wasn't specific on the dynamics of the fix, but with the growth of smartphones and the equal growth of attacks using mobile computing systems as a vector, the security community is still lauding Google's quick response.

Sony Can't Seem To Catch a Break
First Sony announces that it expects the recent hacking into its PlayStation Network to result in a $170 million special charge this fiscal year. Now another unit of the company, Sony BMG (the recording and music arm), has been "pwned." These two announcements both come on Monday and mark the fourth time in as many weeks that hackers have broken into a Sony network.

In the Sony BMG case, hackers broke into the company Web site and looted the company's database, extracting user account names, actual identity names and e-mail addresses of users who registered with the site.

The ongoing security saga affecting Sony is becoming a landmark study in how large corporations are increasingly vulnerable to anonymous hacks, and how such attacks can not only lead to downtime but millions upon millions in financial losses (which includes a potential customer mass exodus resulting from the attacks).

Other entertainment conglomerates and large technology concerns are no doubt seeing this as a cue to tighten up their networks.

Lieberman: Cloud Security a Real Concern
Cloud computing has, for a while, been a sexy buzz phrase and concept in both enterprise and consumer information technology. It was certainly one of the major subjects bandied about during last week's Microsoft TechEd conference.

One of the attendees and exhibitors at the confab, Phil Lieberman, president of Lieberman Software, has some strong feelings about cloud security -- more aptly, the lack thereof.

"While there's considerable conversation about security in the cloud, there is evidence that cloud providers simply don't place security as a high priority in their offering and practice a disconcerting lack of accountability on security in general," he said.

The key caveat right now with security in the cloud is service provider accountability and data ownership. According to recent research by the Ponemon Institute culminating in a study titled" Security of Cloud Computing Providers," the majority of cloud service providers surveyed believe that it isn't them but their customers who are responsible for securing client-side data. Moreover, about 80 percent of the organizations polled also admitted to allocating 10 percent or less of IT resources to security.

This is not very promising news for users concerned about floating data on public, private and still-vulnerable Web-based clouds.

"The fact that so many cloud providers have little interest in managing privileged identities or limiting access to sensitive data and systems should give end user customers great concerns about putting their most precious data into the cloud," added Lieberman.