Friday, August 8, 2008

How Web E-Mail Became The Largest Corporate Security Threat

SAN FRANCISCO, Jan. 10 — Companies spend millions on systems to keep corporate e-mail safe. If only their employees were as paranoid.

A growing number of Internet-literate workers are forwarding their office e-mail to free Web-accessible personal accounts offered by Google, Yahoo and other companies. Their employers, who envision corporate secrets leaking through the back door of otherwise well-protected computer networks, are not pleased.

"It's a hole you can drive an 18-wheeler through," said Paul D. Myer, president of the security firm 8E6 Technologies in Orange, Calif.

It is a battle of best intentions: productivity and convenience pitted against security and more than a little anxiety.

Corporate techies — who, after all, are paid to worry — want strict control over internal company communications and fear that forwarding e-mail might expose proprietary secrets to prying eyes. Employees just want to get to their mail quickly, wherever they are, without leaping through too many security hoops.

Corporate networks, which typically have several layers of defenses against hackers, can require special software and multiple passwords for access. Some companies use systems that give employees a security code that changes every 60 seconds; this must be read from the display screen of a small card and typed quickly.

That is too much for some employees, especially when their computers can store the passwords for their Web-based mail, allowing them to get right down to business.

So far, no major corporate disasters caused by this kind of e-mail forwarding have come to light. But security experts say the risks are real. For example, the flimsier security defenses of Web mail systems could allow viruses or spyware to get through, and employees could unwittingly download them at the office and infect the corporate network.

Also, because messages sent from Web-based accounts do not pass through the corporate mail system, companies could run afoul of federal laws that require them to archive corporate mail and turn it over during litigation.

Lawyers in particular wring their hands over employees using outside e-mail services. They encourage companies to keep messages for as long as necessary and then erase them to keep them out of the reach of legal foes. Companies have no control over the life span of e-mail messages in employees' Web accounts.

"If employees are just forwarding to their Web e-mail, we have no way to know what they are doing on the other end," said Joe Fantuzzi, chief executive of the information security firm Workshare. "They could do anything they want. They could be giving secrets to the K.G.B."

Hospitals have an added legal obligation to protect patient records. But when DeKalb Medical Center in Atlanta started monitoring its staff's use of Web-based e-mail, it found that doctors and nurses routinely forwarded confidential medical records to their personal Web mail accounts — not for nefarious purposes, but so they could continue to work from home.

In the months after the hospital began monitoring traffic to Web e-mail services, it identified "a couple hundred incidents," said Sharon Finney, DeKalb's information security administrator. "I was surprised about the lack of literacy about the technology we depend on every day," she said.

DeKalb now forbids the practice, and uses several software systems that monitor the hospital's outbound e-mail and Web traffic. Ms. Finney said she still catches four to five perpetrators a month trying to forward hospital e-mail.

The Web mail services may also be prone to glitches. Last month, Google fixed a bug that caused the disappearance of "some or all" of the stored mail of around 60 users. A week later, it acknowledged a security hole that could have exposed its users' address books to Internet attackers.

Even the security experts most knowledgeable about the risks of e-mail forwarding to personal accounts acknowledge doing so themselves.

"Of course I do it; who doesn't?" said Kimberly Getgen Bargero, vice president for marketing at Sendmail, an e-mail software company in Emeryville, Calif. Ms. Bargero said she often used her Yahoo Mail account on business trips so she did not have to access her corporate network remotely.

It is difficult to quantify exactly how many otherwise model employees are opting to use services like Yahoo Mail or Google's Gmail over their company's authorized e-mail programs. Sophisticated users at the companies most lax about e-mail security can automatically forward all of their work e-mail to their personal accounts, hopscotching over the various requests for passwords meant to ward off intruders.

The more casual e-mail scofflaws send only the occasional message to their personal accounts — or just "cc" messages to their Web in-boxes to preserve them for later use — even when the messages contain sensitive company information.

Some companies frown on office use of any Web-based accounts, even for personal messages. At the business software maker BEA Systems, Anthony Bisulca, a senior security analyst, estimated that around 30 percent of his employees were using private e-mail accounts in the office, even though the company's Internet policy clearly prohibits it.

But it is not easy to wean people off of their online mailboxes. "Of course they scream," said Todd Wilson, an operations manager at the Bloomberg School of Public Health at Johns Hopkins University. "They look at me like I have three heads."

Mr. Wilson said that the use of the Web services had become a "huge concern," partly because copies of the forwarded messages sit untouched on the school's servers, taking up space.

Many corporate technology professionals express the fear that Google and its rivals may actually own the intellectual property in the e-mail that resides on their systems. Gmail's terms of service, however, state that e-mail belongs to the user, not to Google. The company's automated software does scan messages in Gmail, looking for keywords that might generate related text advertisements on the page. A Google spokeswoman said the company has an extensive privacy policy to ensure no humans at Google read user e-mail.

Paul Kocher, president of the security firm Cryptography Research, said the real issue for companies was trust. "If you can't trust employees enough to use services like Gmail, they probably shouldn't be working for you," he said.

Many companies apparently do not have that level of trust. In a survey conducted last year, the e-mail security firm Proofpoint found that 37 percent of companies in the United States used software to monitor office use of Web mail.

The Internet companies themselves are looking to take advantage of consumer preferences for Web-based e-mail services. This year, Google plans to introduce a more secure version of Gmail for use in large companies.

But Microsoft and other providers of traditional internal e-mail systems, which the research firm Radicati says generated $2.5 billion in sales last year, are helping companies combat employee use of the Web services.

The new version of Microsoft's corporate e-mail service, Exchange Server, offers administrators improved tools to monitor the content of employee mail and block forwarded messages.

At the same time, upgrades to Exchange and Microsoft's e-mail program Outlook have made it easier for traveling employees to access e-mail on the corporate network from a Web browser. Microsoft also recently began urging corporate technology departments to give employees more storage space in their e-mail accounts.

But the Web services are improving as well, and employees will no doubt continue to find them tempting.

"We have as high a security standard as any company," said Ms. Bargero of Sendmail, "and sometimes it is just too difficult to access our e-mail."

Copyright 2007 The New York Times Company.

Thursday, August 7, 2008

A Website Explains How To Make A Nuclear Bomb

The US government posted on the Internet Iraqi documents that explain how to build a nuclear bomb, the New York Times reported on its website.

The Times said that officials from the International Atomic Energy Agency had complained to US officials last week about the postings of "roughly a dozen" documents from Iraq's pre-1991 nuclear research that contained diagrams, equations and other details for making a nuclear bomb.

The Times cited experts who said the documents "constitute a basic guide to building an atom bomb."

The US government posted the bomb-related documents on a website set up last March to make available to the public a huge archive of Iraqi government papers, hoping that the public would help sift through the archive for useful information government translators did not have time to search for.

The Times said that earlier in the year UN arms control officials had complained about documents on the website that had information on producing extremely dangerous nerve agents sarin and tabun.

The Times said that the website, called the "Operation Iraqi Freedom Document Portal", was shut down Thursday after the newspaper made enquiries about the nuclear-related documents.

Chad Kolton, spokesman for US Director of National Intelligence John Negroponte, told the Times in a statement that "While strict criteria had already been established to govern posted documents, the material currently on the website, as well as the procedures used to post new documents, will be carefully reviewed before the site becomes available again."

Copyright © 2006 Agence France Presse

Sunday, August 3, 2008

Valentine's Day May Bring Viruses

Security experts are warning PC users to be on guard against viruses masquerading as Valentine's Day messages, which could damage computers.

"Computer users should keep a wary eye on any romantic messages received by e-mail, as many of them could contain malicious code," said US security firm PandaLabs after detecting an increase in a worm it dubbed Nurech.A.

The worm hides in e-mails with subjects like: "Together You and I," "Til the End of Time Heart of Mine."

People who open an attached file such as postcard.exe can end up infecting their computers.

Security firm Symantec said it had detected "large-scale spamming" of e-mails including a Trojan horse, a program that contains or installs a malicious program.

Symantec said the malware was a new version of Trojan.Peacomm, or the "Storm Trojan."

"With Valentine's Day approaching, this time around the authors are attempting to tug on the heartstrings of unsuspecting users with romantic subject lines such as 'My Heart belongs to you,'" said Symantec's Orla Cox.

"The Trojan is much the same as we've seen before, the only difference being that the authors have used a modified packer in an (unsuccessful) effort to evade detection by antivirus vendors."

"As a general rule, don't open any suspicious e-mail, regardless of what it says it contains," said Luis Corrons, technical director of PandaLabs.

"Instead of going on instincts, let a security solution decide whether it's safe to open it or not," he said, urging users to scan any suspicious messages with an antivirus program.

Corrons said events like Valentine's Day and Christmas are often exploited by cyber-criminals to try and spread their creations by disguising infected e-mails as e-greeting cards.

This kind of "social engineering" was also used by the LoveLetter virus, which caused one of the biggest epidemics in computer history.

Copyright © 2007 Agence France Presse.