The WAVE Report on Digital Media
3D --- Media Creation --- Shared Space
---Published by 4th Wave, Inc.---
Issue #0549------------------12/9/05

 

The WAVE Report is Searchable on

http://www.3dlinks.com
http://www.wave-report.com

--------------------------------------

0549.1 Story of the Issue

DigitalID World FS 2005

0549.2 Linux-Based Software

Blue Security Introduces Linux Version of its Spam-Fighting Software

0549.3 WiMAX Progress

As the Hype Clears, ABI Research Sees a Complementary Role for WiMAX

0549.4 Tech Shopping

Britain's Dreaming of a Digital Christmas

0549.5 Christmas Card Virus

Akonix Security Center Identifies New IM Worm Spreading as a Holiday Greeting Card

0549.6 VoiceXML Standards

VoiceXML Forum Applauds W3C's Decision to Include Speaker Identification and Verification in VoiceXML 3.0

0549.7 Virus Vulnerabilities

New Study Shows Majority of American Public and Corporations Are Vulnerable to Zero Day Threats

--------------------------------------
0549.1 Story of the Issue

***DigitalID World FS 2005
By John Latta

New York, NY
11/9 – 11/10

DigitalID World is focused on the financial sector and thus a much smaller conference (200 vs. 800) than the broad event in the spring in San Francisco. The conference organizers have partnered with IDG to run future conferences, but the partnership did not take effect in time for this event. The intent going forward is to have broad-based conferences on each coast, with the spring conference on the West coast and the fall conference on the East coast. This remains a unique conference focusing on the broad issues of how to add an identity layer to networking. As a result it covers a broad range of topics, mostly in the enterprise space.

 

Microsoft Discusses InfoCard

Building on the concepts articulated by Kim Cameron at Digital ID World in San Francisco, Mike Jones, Director of Connected Systems Evangelism, Microsoft, outlined InfoCard and Strong Authentication. Key points he made included:

The Internet is missing an identity layer and there are no easy solutions.

Digital Identity is about claims. These claims are represented by a driver's license, credit cards and even business cards. These claims are the basis on which all modern access technology is built.

We need a level of abstraction above identity to make it practical. Microsoft calls this the Identity Metasystem. The players in this Metasystem are Relying Parties, Identity Partners (in some cases the individual), and the Subjects who are the individuals.

The Metasystem Architecture uses a WS-Trust and WS-MetadataExchange layer between the subject and the ID Provider and Relying Party.

A mockup demonstration was given using Flash technology to show how an individual is in control of the access to web sites where identity is to be passed. This allows both verification of the site authentication and the information to be passed to it.

It was stated that InfoCard is a simple user abstraction for digital identity and based on the metaphor of physical cards. This will be shipping with Windows Vista and available for Windows XP and Server 2003.

 

The complexities of Identity Management

Biometrics fits into Identity Management as one factor in multifactor authentication. This typically happens in the case of “strong authentication.” But Identity Management covers many areas of enterprise IT. Some discussed include:

Virtual Identity
Single Sign-on (SSO)
Simplified Sign-on
Roles Based Access (RBA)
Federated Security
Privacy and Regulatory Compliance
IT Security
Directory Services
Employee Provisioning and Exit
Internal IT Call Services
Authentication
Compliance certification

There is a large burden of regulatory privacy compliance in the US and Europe. Some of the US mandates include:

Foreign Corrupt Practices Act
Homeland Security Act
Patriot Act
Basel II
CoCo
Gramm-Leach-Bliley
Sarbanes-Oxley
HIPAA
California SB 1386
SEC 17A-4
OSHA Mandates

Thus, in the whole context of enterprise identity management issues, biometrics is but one small element. Further, identity management is increasingly becoming a major IT activity because the scope encompasses many high priority IT areas, as outlined above.

 

Panel on Strong Authentication

The panel on Strong Authentication was a mirror of the status of where biometrics fits.

The only panel participant that has implemented a biometric factor is United Bankers' Bank. This company presented its case study at the Biometrics Summit in February 2005. Its fingerprint biometric technology goes to 2500 bank customers – mostly retail banks and not end-customers. In response to questions, here are some issues they have found:

Fingerprints change with age.

Some individuals do not have fingerprints – especially those who have come in contact with chemicals, such as farmers.

Only one customer refused to participate in the required use of biometrics.

eTrade and eBay are planning to go to strong authentication, but it was indicated that this would be optional. The intent is to offer this to high-use customers. However, biometrics is not a part of this plan; instead an OTP will augment the existing password already in use by both merchants. This will use either RSA or VeriSign. The additional OTP value will be appended to the regular password. It will appear to come from eBay, but in fact one of the two companies will supply it. The branding of this solution was felt to be important to many companies.

In response to a question from the audience, it was indicated that biometrics just does not provide the necessary FAR (false accept rate) and FRR (false reject rate) performance. Further, it is expected that some individuals will not agree to use biometrics, as a result of the negative impression of fingerprints, for example. However, this was not confirmed with any data.

It was clear that the tokens are viewed as the best current technology solution, compared to biometrics, when it comes to strong authentication technology based on multi-factors.

 

Identity is a Struggle

There was not a single presentation on the second day, only panel discussions. But the discussions continued to reiterate the challenges which Identity Management is facing.

 

Panel Discussions – The Hard Road Ahead

Wachovia Bank participated in the first session in the form of an interview. Key points include:

Identity management cannot be justified based on ROI. The only compelling proposition related to Identity Management is password reset automation. Once this has been addressed, it is difficult to make a case for the broader functions of identity management.

Yet, the next major driver for identity management is regulatory compliance. This is not an ROI issue but a mandate and thus outside of the bounds of what must be justified with an ROI.

Security has been painted in many ways. It is the ugly bear of the banking/financial business. Most IT security issues are after the fact – security weighs in when something has happened. At Wachovia Bank we have changed our focus. Instead of security, we consider issues based on risk. That is, how is risk managed? Risk assessment and management is at the manager level. That individual must sign off on risk and accept the management of risk. This has important organizational implications. When incidents happen, one does not just call in security but looks to the management of risk and what happened when risk mitigation did not work.

One of the problems of SOX compliance is that it results in large access lists – who accessed what applications when. The audit of these lists is a data mining problem. In the banking industry, auditors want to see these lists and know the bank is in compliance. One strategy in implementing an Identity Management architecture is to make the collection, analysis and mining of the access information an automated process.

At Wachovia we have seen the privacy and identity management related issues reach the CEO level. This is the kind of visibility that few CIOs want. The justification of funds to accomplish Identity Management becomes much easier, but this also raises the expectations of management. Words we have heard include “…you have this money. I don’t want to hear about this again.”

Federation has the potential of being a major issue. So far our systems are within the firewall but we expect them to migrate to our business partners and it is here that federation is critical but we can also see this migrating to our customers.

The regulatory and legislative environment was discussed in another panel.

It was claimed that some 300 privacy and related bills have been proposed in the last few years. There was some skepticism about the ability of the Congress to pass useful legislation which addresses the issues. An example of bad legislation is the CAN-SPAM Act, which is ineffective.

Part of the issue is that the industry has been lax in moving forward. eBay and PayPal are the subject of continual phishing attacks but have done nothing to halt them. It is considered a cost of doing business rather than a consumer protection issue. The compromises of consumer data at ChoicePoint and others have received considerable press and Congressional attention. It could well be that legislation similar to California SB 1386 will be passed at the national level, but this does not address privacy management responsibilities, only breach notification.

The question was asked – Is the US a leader in privacy compromises and criminality? One response was that criminal activity here is 3 years ahead of England. [Hardly something to be proud of.]

In follow-up conversations, it is not clear that any legislation will emerge from Congress. There are too many powerful competing interests which are likely to dilute consumer supportive legislation.

 

FFIEC Authentication Guidelines

On October 12th, 2005, the Federal Financial Institutions Examination Council issued guidelines for Authentication in an Internet Banking Environment. This is significant because it requires two-factor authentication. At the DigitalID World panel there was not a clear assessment on what this means in terms of technology and implementation. This is an area which could foster the use of more secure authentication technology of which biometrics is one possible factor. Here is a summary of the decision:

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

Return to Index

 

0549.2 Linux-Based Software

***Blue Security Introduces Linux Version of its Spam-Fighting Software; Blue Security Now Offers Its Free Service to More Than 29 Million Linux Platform Users Worldwide, Empowering Them to Join the Do Not Intrude Registry and Actively Fight Spam

MENLO PARK, Calif.
Dec. 6, 2005

Blue Security, Inc., developers of the Do Not Intrude Registry solution to eliminate unsolicited e-mail spam, announced the availability of a Linux operating system version of Blue Frog, its free anti-spam software. This new offering will enable the 29 million Linux platform users to participate in the Blue Community and register in the company's Do Not Intrude Registry to actively fight spam and safeguard personal and business e-mail accounts through a hands-on, community-based approach.

The Linux version of Blue Frog was created directly through the contributions of Blue Community members and Linux developers and enthusiasts at large. The Blue Frog visible source program allows users and developers to contribute to the development of the Blue Frog client by providing feedback and comments to the company to enhance the Blue Frog software and assist in adapting it to other platforms.

Since the launch of the Do Not Intrude Registry in the summer of 2005, approximately 65,000 e-mail addresses have been registered and protected through the Blue Community. Preliminary results of the Beta service have users reporting 50 percent or greater reduction in the amount of spam they receive, indicating that a number of spammers already comply with the Registry and avoid sending spam to Blue Security customers.

Joining the Do Not Intrude Registry is simple and merely requires installing the Blue Frog client on an Internet-connected computer. No integration with existing network or e-mail infrastructure is required. Unlike spam filters, with the Do Not Intrude Registry there are no false positives, no messages lost, no maintenance or management.

Consumers, businesses and organizations can join the Do Not Intrude Registry by simply registering and installing the Blue Frog client software at

http://www.bluesecurity.com/register/pr

Return to Index

 

0549.3 WiMAX Progress

***As the Hype Clears, ABI Research Sees a Complementary Role for WiMAX

OYSTER BAY, N.Y.
Dec. 6, 2005

When ABI Research's last annual study of WiMAX was published at the end of 2004, the hype around the new wireless broadband technology was flying thick and fast. Performance claims of 75 Mbps speeds at distances up to 30 miles (48 km) were common.

Fast-forward a year, and, according to ABI Research's latest WiMAX study, much of that hype has been replaced by a more realistic assessment of WiMAX's performance and role. According to the study's author, those who made extravagant performance claims were just trying to get the wheels of the WiMAX bandwagon moving. Today, most commentators have no problem admitting that real-world speeds, depending as they do on the number of users per base station sector and their distance from the base station, will be far slower than media reports had previously suggested.

Given this new sense of realism, some question the need for WiMAX, certainly for 802.16e mobile WiMAX. In a recent press release, ABI Research noted the nagging question: since they appear to meet many of the same demands, do we really need both cellular services and WiMAX?

In reply, ABI Research now says that Mobile WiMAX will eventually form part of cellular providers' networks, alleviating network congestion in urban areas. Providers will use it to offload part of the data traffic. At the same time, WiMAX is becoming a stepping-stone to 4G mobile services, which will be based on related technologies.

WiMAX: The Market for 802.16-2004 and 802.16e examines the important drivers and inhibitors of this market, explaining mobile broadband technologies and how the WiMAX market will evolve.

http://www.abiresearch.com

Return to Index

 

0549.4 Tech Shopping

***Britain's Dreaming of a Digital Christmas; New Report Reveals Digital Gadgets and Media Are Becoming the Gift of Choice

GLASGOW, United Kingdom
Dec. 7, 2005

Britain should prepare for an avalanche of digital gadgets and data this Christmas, according to an independent report published by Crucial Technology Europe. The report suggests that Britons will buy a total of 50 million digital gadgets this season -- nearly equivalent to one device for each adult in the country. It also indicates that the British public will take over 1.2 billion photos during the Christmas period using a digital camera or camera phone. The report identifies the 10 most popular digital gifts for Christmas 2005, with estimated sales numbers as follows:

1.    Compact Discs (154.3m)
2.    DVDs (130m)
3.    Video games (43.6m)
4.    MP3 players (13.6m)
5.    MP3 downloads (11.m)
6.    Portable media players (8.3m)
7.    Digital cameras (8.8m)
8.    Camera phones (7.6m)
9.    Sony Playstation Portables (PSPs) (6m)
10.    Digital storage devices (4.8m)

Of the 10 most popular digital gifts for Christmas, seven require memory cards to store digital data. There are at least 10 different formats of memory cards for use in digital cameras, mobile phones, MP3 players and other devices. Confused customers can visit www.memorycardselector.com to find the right card for their digital device.

The research also produced some interesting regional variations on Britain's digital Christmas:

-- Scotland and Wales are least keen on exchanging DVDs as gifts, with half the survey respondents not intending to purchase one over the holiday period.

-- In contrast, three out of four people in East Anglia and South East England have DVDs on their Christmas list.

-- Adults in the North East are the least likely to be plugging in their consoles this year, with only one in five intending to purchase a video game compared with almost half in Wales. Furthermore only 2% will purchase a Sony PSP compared with 19% of their North West neighbours.

http://www.crucial.com/eu

Return to Index

 

0549.5 Christmas Card Virus

***Akonix Security Center Identifies New IM Worm Spreading as a Holiday Greeting Card; Latest Virus Indicates New Attack Method Used During the Holiday Season

SAN DIEGO
Dec. 6, 2005

Akonix Systems, Inc. has identified a new instant messaging (IM) worm named W32/Aimdes.E, propagating over a leading public IM network. The Akonix Security Center classified the worm as low risk and immediately used its real-time IM malware, SPIM and protocol update system to automatically push updates to customers for protection against this threat.

Aimdes.E is spread through a holiday greeting sent from one IM user to another. Holiday greetings present a ready avenue of attack, and Akonix warns that this method will most likely be used throughout the month of December. Virus writers have once again found a new social engineering technique to deliver this threat. The worm is downloaded once the recipient opens the greeting card. Upon execution, this memory-resident worm propagates through one of the major IM networks. It sends the following message to other users listed on the infected user's buddy list:

The user has sent you a Greeting Card, to open it visit: http://g{BLOCKED}aol.com/index.pd?source=christmastheme? my_christmas_card.com

When an unsuspecting recipient clicks the link, the worm automatically installs itself on the affected system. The worm also has backdoor capabilities. It opens random ports and comes with a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to an IRC channel and wait for several commands from a malicious user. This routine then compromises system security.
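As an added illustration (not code from Akonix or the original article), the following Python scanner runs over constructed IM log lines and flags the lure pattern described above: greeting-card phrasing combined with a link to a host outside an allowlist, or a link whose host borrows a trusted brand name without being that brand's own domain. The log line format, the allowlisted host, the brand list and all hostnames are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Phrases taken from the Aimdes.E lure text; matched case-insensitively.
LURE_PHRASES = ("sent you a greeting card", "to open it visit")
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)

# Assumed allowlist: hosts from which the organization accepts card links.
TRUSTED_HOSTS = {"cards.example-partner.com"}
# Assumed list of brand names a lure host may try to borrow.
IMPERSONATED_BRANDS = ("aol",)


def impersonates_brand(host):
    """True if a brand appears as a whole label (or label fragment between
    '.'/'-') in the host, but the host is not that brand's .com domain or a
    subdomain of it. A label-boundary match avoids hits like 'paolo.example.com'."""
    host = host.lower()
    for brand in IMPERSONATED_BRANDS:
        genuine = brand + ".com"
        pattern = rf"(^|[.-]){re.escape(brand)}([.-]|$)"
        if re.search(pattern, host) and not (host == genuine or host.endswith("." + genuine)):
            return True
    return False


def assess_message(text):
    """Return the reasons a message looks like a greeting-card lure (empty if clean).
    Lure phrasing alone is not enough: a link finding is required, so a human
    mentioning a card with no suspicious link is not flagged."""
    reasons = []
    lure = any(p in text.lower() for p in LURE_PHRASES)
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if impersonates_brand(host):
            reasons.append(f"host {host} borrows a trusted brand name")
        elif lure and host not in TRUSTED_HOSTS:
            reasons.append(f"greeting-card phrasing with link to non-allowlisted host {host}")
    return reasons


LOG_LINE_RE = re.compile(r"(\S+ \S+) (\S+) -> (\S+): (.*)")


def scan_im_log(lines):
    """Parse constructed 'date time sender -> recipient: text' lines and return
    a record for each message that assess_message flags."""
    flagged = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, sender, recipient, text = m.groups()
        reasons = assess_message(text)
        if reasons:
            flagged.append({"time": ts, "sender": sender,
                            "recipient": recipient, "reasons": reasons})
    return flagged


# Constructed sample log; hostnames are placeholders, not real indicators.
SAMPLE_LOG = [
    "2005-12-06 10:01:12 alice -> bob: The user has sent you a Greeting Card, "
    "to open it visit: http://g-example-aol.com/index.pd?source=christmastheme",
    "2005-12-06 10:02:30 carol -> dave: sent you a greeting card, to open it visit: "
    "http://cards.example-partner.com/view?id=42",
    "2005-12-06 10:03:05 erin -> frank: lunch at noon? http://intranet.example.com/menu",
    "2005-12-06 10:04:00 gina -> hal: You have a Greeting Card, to open it visit: "
    "http://holiday-cards.example.net/open",
]

if __name__ == "__main__":
    for hit in scan_im_log(SAMPLE_LOG):
        print(hit["time"], hit["sender"], "->", hit["recipient"], "|", "; ".join(hit["reasons"]))
```

Only the first and last sample messages are flagged: the second links to the allowlisted host and the third has neither lure phrasing nor a brand-borrowing host.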

For Akonix L7 Enterprise customers, systems are automatically configured to download and install the latest updates to the Akonix SPIM & Malware Filter, and no IT intervention is required. Akonix L7 Enterprise is the industry's only IM security system that combines dynamically updated IM security policies and integrated anti-virus scanning to provide the most comprehensive protection for corporate networks from IM-based attacks.

For other organizations, it is recommended that all desktop computers be updated with the latest security patches, and that all public IM use be appropriately blocked or managed.

http://www.imsecuritycenter.com

Return to Index

 

0549.6 VoiceXML Standards

***VoiceXML Forum Applauds W3C's Decision to Include Speaker Identification and Verification in VoiceXML 3.0

PISCATAWAY, N.J.
Dec. 6, 2005

The VoiceXML Forum has announced its support for the World Wide Web Consortium's (W3C's) decision to include speaker identification and verification (SIV) in the next version of the Voice Extensible Markup Language (VoiceXML). VoiceXML is a markup language for creating voice user interfaces that use automatic speech recognition and text-to-speech synthesis and became a recognized Web standard in March, 2004. The decision to include SIV in VoiceXML 3.0, the next version of the standard, was the result of cooperation between the VoiceXML Forum's Speaker Biometrics Committee and the W3C, the standards organization responsible for the technological evolution of VoiceXML and related speech technologies.

In August, 2005, the VoiceXML Forum chartered the Speaker Biometrics Committee that championed the effort to develop a detailed set of business and technical requirements for SIV capabilities in VoiceXML-based systems. These requirements were delivered to the W3C's Voice Browser Working Group in September, 2005 and can be viewed at

http://www.voicexml.org/resources/biometrics.html

The Voice Browser Working Group is using these requirements to guide the development of VoiceXML 3.0 to include SIV.

In addition to developing these requirements, the VoiceXML Forum's Speaker Biometrics Committee will review existing platform-specific implementations of speaker biometrics extensions to VoiceXML, develop a standard transaction format for exchanging SIV information, identify use cases for voice-only and multimodal applications and develop best practices for user interface design and application architectures. The Committee will also establish a formal certification program, as the VoiceXML Forum did with the VoiceXML 2.0 Platform Certification Program.

The VoiceXML Forum and the W3C: A History of Cooperation

Since 1999, when the VoiceXML Forum was founded, it has maintained a strong, cooperative relationship with the W3C. In May, 2000, the VoiceXML Forum submitted VoiceXML Version 1.0 to the W3C's Voice Browser Working Group, which agreed to adopt it as the basis for the development of a W3C dialog markup language. In October, 2001, the Forum and the W3C signed a Memorandum of Understanding, which paved the way for both organizations to focus on various aspects of VoiceXML. Since that time, the W3C has led the technical development and evolution of VoiceXML, while the VoiceXML Forum has served as an educational and technical resource, a developer certification authority and a contributor and liaison to the W3C. The success of the relationship between the VoiceXML Forum and the W3C is reflected in the widespread adoption of VoiceXML-based applications: hundreds of millions of calls each day are handled by more than 10,000 of these applications around the world.

About the VoiceXML Forum

Founded in 1999, the VoiceXML Forum is an industry organization whose mission is to promote and to accelerate the worldwide adoption of VoiceXML-based applications. To this end, the Forum serves as an educational and technical resource, a certification authority and a contributor and liaison to the Worldwide Web Consortium (W3C) and other standards organizations.

http://www.voicexml.org

Return to Index

 

0549.7 Virus Vulnerabilities

***New Study Shows Majority of American Public and Corporations Are Vulnerable to Zero Day Threats; AV-Comparatives.org Releases New Study with Alarming Findings

SAN DIEGO, Calif.
Dec. 5, 2005

ESET, a global security software company, has announced results from a study conducted by AV-Comparatives.org indicating that of the 51 new viruses that have been released In-the-Wild in the past three months, customers of Symantec, McAfee and Trend Micro had proactive detection for less than a dozen, and Kaspersky was able to detect only 18 of the 51 threats before their customers were at risk. ESET's NOD32 detected 95 percent more than the others: including In-the-Wild threats, backdoors, Trojans and other malware.

The AV-Comparatives.org "Retrospective/Proactive Test" compared 11 different antivirus products' abilities to proactively identify the increasing complexity and zero-day nature of today's threats. The independent testing institution AV-Comparatives.org is an antivirus research project coordinated by Andreas Clementi with the support of the Innsbrucker Kompetenzzentrum/Computernotdienst. The stringent testing used recent In-the-Wild samples and a variety of other malware, Trojans, viruses and worms affecting Windows and other operating systems. To effectively test the products for proactive detection, the organization used new malware samples received between August and November 2005, and tested them against the products without updating the antivirus signature.

This study, and others like it, emphasize that proactive detection is increasingly important as the threat window becomes smaller. With new threats appearing every day, it is important that antivirus companies not only provide new updates to identify these threats once they are released, but also are able to detect threats proactively through advanced heuristics. Without proactive heuristic detection, users must wait for updated versions of their antivirus software, creating a critical window of vulnerability that can last hours or even days.

http://www.av-comparatives.org/

Return to Index

--------------------------------------

Copyright 2005 4th WAVE, Inc.

To subscribe to WAVE go to

http://www.wave-report.com

To unsubscribe also use the Wave Report Home page or send the preformatted UNSUBSCRIBE message:

List Management - Unsubscribe

Previous issues of WAVE, as well as other info can be found at

http://www.wave-report.com
http://www.3dlinks.com

Comments on or questions about the WAVE may be sent to:

Fourthwave Staff

or the individuals below:

John N. Latta - Editor-In-Chief

Michael Robertson - Web Editor

The WAVE Report may be redistributed in full for individual readership and posted to newsgroups, Web, and FTP sites. This publication may not be reprinted or redistributed for profit. Short quotes are permitted but must be attributed to the WAVE Report. 4th Wave retains the copyright to the WAVE Report.