So, in theory, apart from having advance notice to patch their own systems, those agencies could exploit that zero-day vulnerability to hack into your data, before Microsoft gives you a chance to patch the flaw. And it’s not just Microsoft. According to the report, “thousands of [U.S.] technology, finance and manufacturing firms” are closely aligned with American national security agencies, passing them information such as vulnerability details and hardware and software specifications, and giving them access to overseas facilities and data.

In return, Bloomberg claims, the agencies give the companies information about foreign attacks on their systems. Google is cited as an example of this, with Sergey Brin allegedly having been invited to sit in on a secret intelligence briefing after an attack by Chinese hackers in 2010. Of course, the companies aren’t the only sources of useful flaws — security expert and activist Christopher Soghoian detailed late last year how some security researchers sell vulnerability information to governments for large sums of cash too. “This is the [U.S.] government buying a flaw without the intention of fixing it,” Soghoian explained in his Harvard University presentation. (Thanks to Jeff Ausloos for alerting me to that one.)

Backbone hacking

The Bloomberg report also notes claims recently made by NSA leaker Edward Snowden that the U.S. hacks network backbones in China and Hong King. Although the evidence for this “Blarney” program appears scantier than that for PRISM, the gist is that the scheme captures metadata from internet-connected devices such as computers and smartphones around the world, including OS version, Java software version and browser. Again, this would make it easier for the agencies to target and hack such devices.

On the domestic front, the piece also claims a security system called Einstein 3, which is meant to protect U.S. government systems, can “expose the private content of the emails under certain circumstances.”

Who’s the customer?

But it’s the claims about U.S. tech vendors and their apparently voluntary information exchange with the country’s spy agencies that will most bother governments and their public sector organizations around the world.

Microsoft spokesman Frank Shaw seemingly confirmed this cooperation in the Bloomberg article, saying the early release of vulnerability information helps to give the U.S. government an “early start” in protecting its systems. Other “trusted partners” reportedly include Intel’s security business McAfee, which apparently acts as a consultant of sorts to spy agencies wanting to know more about network architectures around the world.

There’s no suggestion that any of this data-sharing is illegal – but for many governmental customers around the world it will suggest that their vendors have undisclosed interests that don’t align with their own. For some in the U.S. tech industry, these revelations may turn out to be as damaging as PRISM, if not more so.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• In Q3, Big Data Meant Big Dollars
• Connected consumer first-quarter 2013: Analysis and outlook
• Cloud and data first-quarter 2013: analysis and outlook

Although it’s always been very important, network security seems to be attracting an increasing amount of attention these days, largely due to high-profile hacks. The Stonesoft acquisition, should it go through the usual regulatory hoops, will give Intel a boost in the areas of firewalls, evasion prevention systems and secure VPN services.

Here’s how McAfee president Michael DeCesare put it in a statement on Monday morning:

“With the pending addition of Stonesoft’s products and services, McAfee is making a significant investment in next-generation firewall technology. These solutions anticipate emerging customer needs in a continually evolving threat landscape.”

McAfee will blend Stonesoft’s services with its own existing portfolio, in particular its IPS Network Security Platform and its Firewall Enterprise product, and it looks like Stonesoft’s “next-generation” firewall will continue to be a product in its own right. In the statement, Stonesoft CEO Ilkka Hiidenheimo noted that “the combination of the two companies allows Stonesoft to benefit from McAfee’s global presence and sales organization of over 2,200 employees, best-in-class threat research and technology synergies.”

Intel said in January that it intended to “deliver more integrated solutions and comprehensive protection across mobile devices, endpoints, servers, and network through an extensible framework,” and would embark on a series of acquisitions, development initiatives and new partnerships to do so. The Stonesoft buy appears to be a pretty loud shot in that salvo.

Stonesoft’s secret sauce is its Security Engine, which can adapt to act as firewall, unified threat management system, server load balancer or VPN concentrator as needed. The company’s military-grade firewalls can be deployed as software or in the form of hardware or virtualized appliances. It’s not yet clear what will happen to the parts of Stonesoft’s portfolio not mentioned in the statement, such as its intrusion prevention system, which is also powered by the Security Engine.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Connected world: the consumer technology revolution
• Bluetooth to Feel Blue as Personal Area Network Battles Loom
• Connected consumer first-quarter 2013: Analysis and outlook

What company that does not have sensitive information — source code, customer lists, blueprints, M&A plans — that it doesn’t want walking out the door on someone’s USB drive? Those fears are exacerbated by the bring-your-own-device (BYOD) tidal wave, in which employees use personal smartphones and consumer cloud services like Dropbox to store work documents — even when forbidden to do so.

In theory, DLP should keep bad guys from stealing stuff in the first place but is often more likely to help catch them faster, minimizing damage, and to provide a detailed audit trail of who took what and how. That is important. The problem is that most DLP solutions to date are on-premises solutions that are complicated, time consuming and expensive to deploy.

Now, Verdasys, a Waltham, Mass.-based company that helped pioneer a cloud deployment model for DLP is offering less expensive DLP managed services for smaller companies that can’t afford the traditional DLP. This week it’s opened up that service globally by bringing non U.S.-based cloud suppliers online. Competitors include BEW Global, a systems integrator that deploys and manages DLP clouds using Symantec McAfee, RSA or other technologies.

By making DLP technologies available as managed services or via a software-as-a-service model, vendors make sure customers are working with latest technologies to meet fast-changing threats, according to Edward Ferrara, principal research analyst for security and risk professionals for Forrester Research.

And, the availability of cloud-based DLP also makes it more affordable both to the huge enterprises — big aerospace companies and car makers — that are typical DLP customers, as well as to smaller organizations. Many smaller suppliers in the aerospace business, for example,  cannot subcontract with the big vendors unless they deploy approved DLP. Last year, Gartner estimated that a typical DLP rollout costs $350,000 to $700,000 but can go much higher.

Getting DLP from an off-premises cloud (Verdasys uses private Rackspace clouds for most geographies) can cut time and cost of DLP deployment down to $100,000 per year and perhaps less, depending on company size compared to traditional on-premises DLP approaches, Verdasys said.

While trusting an outside cloud for internal security seems illogical, Bill Munroe, VP of marketing for Verdasys, says it makes sense. Verdasys does not collect the actual data itself. Rather, it aggregates the metadata about the files and documents and watches for patterns of activity. Sensors placed on every piece of the network watch the data move around, collects that metadata, encrypts it and sends it up to the cloud.

“It may see a Word document with credit card numbers on it or a CAD file — it looks at it but it doesn’t send the actual file up — just the data about the file,” Munroe said. The patterns collected are not just about the data but the user, the machine used, the file type and the application in use.

Verdasys customers include CDI Corp., a Tempe, Ariz. aerospace company that works with GE Aerospace.

DLP is just one of several new application areas starting to move to the cloud — via a managed service or SaaS model. And that means that many more businesses — with security concerns of their own — will be able to take advantage of the technology at an affordable price.

Photo courtesy of Flickr user Todd Ehlers

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The rise of M2M security challenges
• AWS Storage Gateway jolts cloud-storage ecosystem
• A near-term outlook for big data

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile 2012 and beyond
• 2012: Data, spectrum and the race to LTE
• The future of mobile: a segment analysis by GigaOM Pro

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A near-term outlook for big data
• Connected world: the consumer technology revolution
• 12 tech leaders’ resolutions for 2012

McAfee’s Q3 report, out today, noted that Android malware was the fastest-growing in the quarter, increasing by some 37 percent — a trend that other security specialists have been spotting, too. Given that Symbian is a platform that is quickly receding in prominence — almost mirroring the rise of Android, in fact — it may not be long before Android overtakes Symbian as the focus of the most malware attacks.

While malware in general continues to be on the rise — McAfee says it predicts there will be 75 million unique samples of malware in 2011, a revision of its earlier prediction of 70 million — what should be worrying to mobile users is that there are a number of methods that are specifically geared to mobile devices.

McAfee notes that two of the most popular routes for malicious hackers are to use SMS messages carrying “Trojans,” or programs that collect person information and/or steal money from users’ accounts; and malware that can actually record phone conversations and then send them to attackers.

We’ve also written about cases in which dodgy apps — sometimes designed to be knock-offs of other, more popular apps — actually contain malware that collects information about users.

What’s additionally worrying is that mobile malware is still a relatively emerging field, so unlike PC owners that tend to have antivirus software installed on their Windows devices, that kind of automatic behaviour, or reluctance to open unfamiliar SMS messages, may not be as common.

So why the focus on Android? Some might think that the reason for the rise has to do with Android being an “open” system, as opposed to something like iOS being “closed.” But McAfee says it’s the sheer popularity of the platform that makes it a target (much like the Windows OS in the PC world). Indeed, Symbian, which still has, in aggregate, more malware than Android, did have a period of being open-source (one of the several turns of strategy that Nokia (NYSE: NOK) and others tried to keep the platform afloat with developers), but for the most part it has been closed, too.

And although iOS seems off McAfee’s radar — Apple’s mobile operating system for iPhone, iPad and iPods is presumably is in the “others” category in the pie chart above — Apple (NSDQ: AAPL) is not completely immune.

McAfee noted that malware on increasingly-popular Macs has grown in Q3, although not by nearly as much as it did in Q2, as you can see by the table below. But if you take popularity as the key reason for the attacks, then today’s report from Canalys, which predicts that Apple will become the leading global PC vendor (overtaking HP) by the end of 2012, may give iConsumers some cause for concern, too.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q2: Smartphone growth surges; iPad’s rule continues
• Connected world: the consumer technology revolution
• Tablet market to hit over 377 million units by 2016

Malware is nothing new, and the latest numbers show this is still a significant threat for computer users. Even Apple’s Mac OS X platform was found to have fake anti-virus software for the first time, which can install malicious scripts on computers, said McAfee.

But the report is most interesting, I think, in how it highlights the growing opportunity for malware to target mobile platforms instead of traditional desktop environments. McAfee said Android took the top spot in mobile malware attacks in the second quarter, growing 76 percent from last quarter, moving past Symbian OS and J2ME. Android had 44 attacks last quarter, compared to 14 for J2ME and 4 each for Symbian and Blackberry. The growing malware shift to Android reflects its rise as a smartphone platform and shows that Android users will need to be more wary of attacks that can take on the form of maliciously modified apps, SMS messages and fake app updates. Apple’s iOS, by contrast, did not have any attacks in the second quarter.

McAfee said it saw an increase in for-profit mobile malware as cybercriminals leaned on SMS-sending Trojans that send premium messages or sign people up for premium subscription services.

The mobile attacks aren’t yet an everyday headache for users, and many can avoid problems by sticking to reputable apps from respectable stores. But the report does highlight some of the vulnerability around Android, which doesn’t have a rigorous app review process and allows users to side-load apps, something Darrell wrote about recently. It will be interesting to see if these attacks, if they go unabated, do anything to curtail interest in the platform. Probably not, at least for now.

More likely, it just means more business for companies like Lookout and McAfee, which conveniently just announced that it has secured a deal with NEC to install McAfee Mobile Security suite on NEC’s LifeTouch series cloud communicator Android device.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Bluetooth to Feel Blue as Personal Area Network Battles Loom
• Mobile 2011: Data Consumption Will Explode
• Survey: How apps can solve photo management

Forrester analyst Andrew Jaquith rightly points out that “Intel’s track record with deals further up the stack are patchy at best,” but that’s the point. This must change if Intel is going to rev its business to the next level.

Yes, this acquisition gives Intel deep domain expertise in security, as Ashlee Vance reports in The New York Times, perhaps to embed that expertise into an improved mobile strategy. This is important, given that ARM, not Intel, is the 800-pound gorilla in mobile semiconductors. And, yes, it’s potentially part of a the chip-to-cloud security story. However, the larger purpose is to give Intel software expertise and revenue streams.

Redmonk analyst Michael Cote suggests that it will be hard for hardware-centric Intel to buy its way into software, and it’s a fair point. However, there’s a larger industry trend toward integrated hardware and software solutions, driven by Apple, that Intel can’t ignore. It doesn’t matter that the integration is hard. It’s increasingly necessary, and lucrative. Intel CEO Paul Otellini said as much: “Everywhere we sell a microprocessor, there’s an opportunity for a security software sale to go with it.”

Guess which piece will be more profitable?

There’s plenty of work to be done, of course, but make no mistake: Intel is serious about software. Its open-source MeeGo platform for mobile devices should be ample evidence of this. Intel, despite the “no software experience” label sometimes applied to it, has done a great job both developing and marketing MeeGo, though it’s still early days, and has generated significant momentum as a result, despite competition from both Apple’s iOS   and Google’s Android. MeeGo made a lot of noise at the LinuxCon event last week, but more than that it’s getting the ear of a rising number of OEMs and ODMs. MeeGo still has more promise than delivery, but everything I’ve seen suggests Intel is fully committed to ensuring its success.

What’s fascinating is that Intel seems to be using both proprietary software (McAfee, Wind River) and open-source software (MeeGo) to make its chips less of a commodity. Most companies do one or the other well. Few have figured out how to use both open source and proprietary software together successfully. Fewer still would have the wherewithal and cheek to use commodity open source software to make commodity hardware…less of a commodity.

Do two commodities make a non-commodity? It’s an intriguing proposition, and early results suggest that the dual-mode approach may be working. Intel’s Wind River-inspired proprietary OS plus commodity chip story has resonated, boosting its position against ARM in embedded. Its open-source Linux plus server chip strategy has also worked, giving Intel breathing room and solid revenue separate from Microsoft.

The question now is whether this same strategy will work for mobile with MeeGo, and in mobile-to-cloud with McAfee. The end goal is to boost its margins through software. It’s a good strategy, and makes the McAfee much more comprehensible than it first appears.

Last month the first worm that was able to exploit a Microsoft Windows vulnerability to break into power grid control systems (supervisory control and data acquisition systems, called SCADA) emerged. The worm — coined Stuxnet — was active for several days, targeted Siemens’ Windows-based SCADA systems, attacked the U.S. the hardest, and was able to penetrate the systems via infected USB devices. Researchers think the motives behind the attacks was corporate espionage, and the infected systems exposed their databases, revealing potentially sensitive and usable information.

While Microsoft and Siemens (along with the various computer security vendors) released the necessary tools for energy companies to deal with the vulnerability, there are a couple important things to note about the event. First, given this was the first time that the Microsoft vulnerability was exposed and used to attack SCADA systems, you can guess that there will be many, many copycats that will follow suit.

The event highlights the differences between IT network security management and SCADA management. The fixes in the vulnerability will likely take awhile to get deployed for the power grid (if at all on a wide scale) as SCADA managers aren’t generally and constantly updating network software like their IT counterparts are.  As the security researchers at McAfee pointed out, the worm was able to target Siemens because it had hardcoded passwords (put the passwords in the source code of the software) to connect the SCADA system to corresponding the database. Siemens said that made the system more reliable. That’s a big no-no in the Internet security world.

The worm also shows just how un-smart power SCADA systems can be. Jonathan Pollet, founder of Red Tiger Security, told an audience at the Black Hat convention last week that some energy customers had downloaded the Windows patch and the patch actually broke the SCADA systems, CNET reported. (For just how dumb the power grid is, see The Power Grid Is So Dumb That. . . . ). Pollet also said during his talk titled “Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters,” that SCADA systems are in general a lot less secure than IT systems and that SCADA systems are “a ticking time bomb,” in terms of security breaches.

Both Pollet and McAfee researchers pointed to the fact that the SCADA worm was particularly sophisticated and that utility and energy companies should expect these types of attacks to continue and become increasingly more sophisticated. Up to this point, there’s been mostly simulated attacks and researchers warning of potential attacks. As the Smart Grid Security Blog puts it, “Stuxnet is heavy, heavy duty malware.” McAfee:

Energy and utility companies should be frightened by the sophistication of this attack and fearful of coordinated advanced persistent threats.

While last year I thought discussions about smart grid security had reached some kind of height in 2009, looks like 2010 is just the beginning of the actual defense and implementation of software to secure the smart grid. Joseph Weiss, managing partner at Applied Control Solutions, told Computer World that to date there’s been at least 170 known cyber-related power outages in the US.

For more research on the smart grid check out GigaOM Pro (sub req’d):

Report: Open Source & the Smart Grid

Home Energy Management: Consumer Attitudes and Choices

Cisco Seizes Smart Grid Low Hanging Fruit

Image courtesy of Davide Restivo Flickr Creative Commons.

A disaster of a different variety hit many corporate environments this week when McAfee pushed an update to computers that sent computers crashing to a halt, crippling many systems. As a Mac user, I was spared, but I watched co-workers and friends at other companies trying to figure out how to fix their dead computers. Days later, many corporate IT departments are still dealing with the aftermath. Needless to say, this past week was a tough one for many corporate web workers.

While web workers tend to be able to work on the road, extended unexpected travel delays can be difficult and stressful, especially for people spending days in airports just waiting for a seat to open up. This can be a huge drain on productivity when you are focused on managing a difficult situation instead of being focused on work. Likewise, computer issues that result in a non-functioning system can be bad enough for employees in an office, but it can be devastating to the productivity of a remote employee who can’t just walk over to the IT department for a quick fix. I was in the office during the McAfee issue, and watched as people wandered around looking lost and wondering what they could possibly do without their computer.

These are just a couple of examples of things that can be very disruptive, but here are some ways to be a little more prepared and stay productive during those difficult times.

• Contact information. Is all of your information about how to contact the IT department sitting on on your computer or on a network drive somewhere? In this case, be prepared by going old school and carrying a piece of paper in your wallet (or a note in your phone) with contact information, especially phone numbers, for your IT department, corporate travel agency, manager and other key people. This helps to ensure that you can get in touch with the people you might need to contact for a work emergency, regardless of where you are, whether you have an Internet connectiot or whether your computer is working.
• Alternatives. If at all possible, try to make sure that you always have some kind of alternative system that you can use when your primary computer is out of commission. I know this isn’t always practical, but even an old laptop, a netbook or smartphone can work in a pinch when you are having critical systems issues. Just make sure that you know what caused the first issue before booting up that other device and letting it suffer the same fate.
• Adjust. Don’t hesitate to adjust your work day to accommodate these disasters by running errands during the day and finishing your work in the evening when your equipment is back up and running. In the case of extended travel, work in chunks when you have some downtime in between focusing on catching that next flight. Make the best of a bad situation by getting some other personal tasks out of the way so that you can focus on work when you get things back under control.
• Think. Most of us are probably working on projects that require some time to think, plan or strategize. Forget about the computer for a while, and sit down with a piece of paper to sketch out some ideas or plans. While you may be used to thinking in front of the computer, I’ll bet that you can still make progress without it.

What are your tips for staying productive in tough situations?

Photo by Flickr user qmnonic used under the Creative Commons Attribution 2.0 Generic license.