The most recent articles from IT Week

Microsoft opens up to security vendors

Rosalie Marshall — 2008-08-06T10:46:00.000Z

Rosalie Marshall, IT Week, Wednesday 6 August 2008 at 10:46:00

Microsoft launches Active Protection Programme and an Explotability Index

Microsoft has confirmed it will give security vendors advance notice of vulnerabilities that it intends to address in its monthly patches, in order to provide users with better safeguards.

Microsoft's Active Protection programme will reduce the chances of cyber criminals outpacing the security professionals, said George Stathakopoulos, Microsoft general manager of security engineering and communications,

It will also issue a new Exploitability Index, which will provide customers with early information on the likelihood of exploit code being developed.

Previously security professionals had to wait for Microsoft’s monthly security update process to address vulnerabilities.

“As security threats become more sophisticated, the global security community must combine its resources and work together to provide maximum security protections to worldwide internet users,” said Stathakopoulos in a statement.

Review: Lee Siegel's 'Against the Machine'

David Neal — 2008-06-09T15:04:00.000Z

David Neal, IT Week, Monday 9 June 2008 at 15:04:00

In Against the Machine: Being Human in the Age of the Electronic Mob, Lee Siegel ponders the dark side of the internet

IT Week receives many books these days, most of which are full of praise for technological advances of one kind or another. This one is different, however, and urges internet users to consider the downside of our connected world.

The fact that the author, Lee Siegel, is a cultural commentator and art critic, rather than an authority on IT, speaks volumes about how the role of technology in society is changing. One of his aims is to make sense of our relationship with the internet. “Are we sacrificing our identity?” Siegel asks, questioning whether we use the internet, or the internet uses us.

Early in the book, the author notes some parallels between the growth in the internet and the boom in car ownership in 1960s America. “The internet has its destructive side just as the automobile does, and both technologies entered the world from behind a curtain of triumphalism hiding their dangers from critical view,” he writes. “As with the car, a rhetoric of freedom, democracy, choice, and access has covered up the greed and blind self-interest that lie behind what much of the internet has developed into today.”

Siegel ponders whether we can actually get by without the internet. Although he acknowledges that there are many ways in which it can make our lives easier, such as when house hunting, he asserts that few activities are completely reliant on the internet. “No one can deny the internet’s capacity to make life easier. But let’s be honest, I would have found an apartment,” he writes.

Siegel believes society must try to rein in the internet before it gets out of hand. Built to support commerce and capital, he argues, the internet is now an unruly beast that controls our lives, dominating our attention and time. In short, Siegel thinks the internet is becoming too pervasive, too quickly.

Many who have studied the internet and its impact in the past have a far more positive outlook, but these people do not impress Siegel. For example, he dismisses the findings of the Pew Internet Group by asserting that eight out of the 12 people who write its reports have “a financial or professional stake in the internet”.

Siegel also discusses Bill Gates’ admission that while technology has created problems, it is technology that we must turn to for a solution. To which someone with Siegel’s frame of mind would no doubt retort: “Well, he would say that, wouldn’t he?”

HP offers security as a service

Rosalie Marshall — 2008-05-28T14:52:00.000Z

Rosalie Marshall, IT Week, Wednesday 28 May 2008 at 14:52:00

Updates are made to HP's Application Security Center software.

HP’s Assessment Management Platform, which brings together all of HP’s security products, will now be offered as a software-as-a-service package to enable firms to accelerate the deployment of web applications.

The platform aggregates web application security data across an organisation. It combines HP's DevInspect software for developers, QAInspect software for quality assurance professionals and WebInspect software for security professionals.

Updated security checks have been added to the management platform for rich Internet applications, such as vulnerabilities in Apache and MySpace plug-ins.

DevInspect will now combine both static and dynamic analysis to ensure the highest risk security vulnerabilities are fixed first by developers.

Static analysis, which scrutinises the source code developers write, will be updated with options to test code, such as Ajax, as well as advanced JavaScript. These capabilities will be added to firms’ current ability to test dynamically, which Dennis Hurst, Application Security Center developer, described as “testing a web application the same way a hacker will attack it”.

QAInspect now includes an integrated security defect management capability with the Quality Center software. “The integration, which has been underway for the last four years, is now seamless,” said Hurst.

“This means instead of quality assurance teams testing a website manually and then pasting the security defects in a Quality Center, it is all done automatically,” he added. The updates are aimed at allowing security problems to be fixed faster and to save assurance teams time.

WebInspect has also been enhanced with faster runtimes and improved scanning accuracy. Hurst estimated the increased speed should save security experts around 25 per cent of their time in finding and fixing security defects.

Microsoft: IT vulnerabilities down, threats deadlier

Phil Muncaster — 2008-04-22T00:00:00.000Z

Phil Muncaster, IT Week, Tuesday 22 April 2008 at 00:00:00

Threats rise even though reported vulnerabilities drop

IT threats are continuing to rise, although the number of disclosed vulnerabilities tailed off in the last six months of 2007, according to new research from Microsoft launched at today's Infosecurity Europe event.

The firm's Security Intelligence Report uses data captured by Microsoft Windows Defender and the Microsoft Malicious Software Removal Tool (MSRT) over the last six months.

The disclosure of new vulnerabilities dropped by 15% in the last six months of 2007, while the amount of malware removed from computers by the MSRT was 40 per cent higher. Instances of trojan malware rocketed by 300 per cent.

The number of potentially unwanted applications – such as spyware and adware – jumped by 67 per cent to 129.5 million pieces.

"The criminals are clearly focusing on getting Trojans to download on PCs – it's the lynchpin to starting the process of gaining access," explained Vinny Gullotto, general manager of Microsoft's Malware Response Centre. "The sheer volume of threats we're seeing globally coming into the labs is staggering."

The report also claimed that newer Microsoft products are at less risk from these threats: MSRT proportionally cleaned malware from 60 per cent less Windows

Vista-based computers compared to computers running Windows XP Service Pack 2.

Facebook defends social networking security

Phil Muncaster — 2008-04-22T00:00:00.000Z

Phil Muncaster, IT Week, Tuesday 22 April 2008 at 00:00:00

Refutes "social engineering gold mine" tag

Social networking giant Facebook has defended its security and privacy controls in the face of criticism from industry experts, at this year's Infosecurity Europe show in London.

In a keynote at the event, Martyn Croft, head of corporate systems at the Salvation Army, argued that the concerns over corporate use of social networking sites, including lost productivity and malware infection, are "very real".

"It's a social engineering gold mine – a haven for finding out valuable information and it's an easy distribution platform for malware," he added. "For us, brand value is paramount and if we lose it we lose revenue very quickly."

But Max Kelly, chief security officer at Facebook, argued that the firm has gradually improved its security controls over time, to the point where users can now have control over who views any part of their profile on the site. "It is an educational challenge though," he admitted. "Users have top create a privacy model for themselves and that has been an ongoing challenge."

Kelly added that the firm has built up a "strong security team" to deal with issues at the network and application layers, and to investigate potential phishing and spamming attacks using data harvested from users of the site.

"It was in about January time that we became noticed by threatening elements who began to come after us," he said.

Jeremiah Grossman, chief technology officer at web app security firm WhiteHat Security, argued that social networking sites are prime targets for malicious Java script to be uploaded onto them. "It's an easy and effective way to effect the enterprise and because it's all purpose built, it's difficult to protect against; we need a whole new set of solutions," he said.

He suggested that Facebook is reluctant to restrict security too much on the site because it will affect its business model. "It will take risks with security because [ultimately] it's the users getting hacked not Facebook.

Conservative party pledges e-police action

David Neal — 2008-03-06T00:00:00.000Z

David Neal, IT Week, Thursday 6 March 2008 at 00:00:00

David Davis, the Shadow Home Secretary pours scorn on Labour e-crime activities

David Davis has used the e-crime Congress to launch a report into new approaches to tackling cybercrime, an issue which he described as being a "serious threat to individuals, business and government".

Announcing the report Davis accused Labour of having ignored the issue, and pledged a lot of effort from the Conservatives to solve it. Included in the proposals are the creation of a new national cybercrime unit, the establishment of a specially focussed team within the Crown Prosecution Service, and the appointment of a minister with the responsibility for cybercrime.

The report says that the current government has a naive over-reliance on new technology that is both attractive to attackers, and very vulnerable.

Davis adds, "To protect ourselves… will require a shake up in attitudes and strategy, including the whole mindset of government."

Can online crime ever be beaten?

Phil Muncaster — 2007-09-25T00:00:00.000Z

Phil Muncaster, IT Week, Tuesday 25 September 2007 at 00:00:00

A new report offers an insight into the scale of e-crime and what can be done about it

A new report has once again highlighted the increase in internet crime, leading to renewed calls for better crime reporting and for firms to do more to protect their online customers. The report, published by online identity protection firm Garlik, found that more than 3.2 million internet crimes were committed last year in the UK, which it said equates to one every 10 seconds.

The firm defined cyber crime as online identity theft, financial fraud, offences against a person, online sexual offences and computer misuse offences. The report gathered its statistics from 26 different sources, including UK payments association Apacs, the DTI and the recent report on personal internet security published by the House of Lords Science and Technology Committee, in an attempt to get a full picture of the scale of the problem.

Chief executive of Garlik, Tom Ilube, said businesses should be aware that although online crime does not appear to be putting off consumers from shopping or using services online, this could change if the situation goes unchecked.

“Businesses need to be aware that what we’re seeing may be non-linear,” Ilube warned. “They may say consumers are not reacting but if business shrugs its shoulders and the government does nothing, in a few years’ time three million crimes may have risen to 30 million and we may see larger shifts in [consumer] behaviour."

Ilube added that the current system for reporting fraud and other internet crime is inadequate and needs to be overhauled. On 1 April this year, the rules for fraud reporting changed, making banks and financial institutions the first point of contact for cheque, card and online fraud offences, rather than the police.

“We may be losing a valuable insight into what’s happening that aspect of the law needs to be revisited as the Lords’ report [on internet security] suggested,” he argued.

Ilube also suggested that online merchants and service providers could do more to encourage their customers to report fraud. “Most sites warn you about phishing emails and other [scams] but rarely encourage you to report what’s going on,” he explained. “It wouldn’t be too difficult to create mechanisms across the industry [to this effect].”

Greg Day, security analyst for web security firm McAfee, argued that the international, anonymous and untraceable nature of much internet crime has made it increasingly popular among the criminal fraternity. “Cyber attacks have become an ever-more prevalent issue as the volume of online shoppers, bankers and users increases, and so does the volume of personal information being posted online,” he added.

Day argued that much responsibility lies with individual users, who should run regular checks on their PC, keep up to date with anti-virus software and limit the amount of personal details they post online.

But Andrew Kellett of analyst firm Butler Group argued that online firms need to take more responsibility to ensure their customers are protected. “We’re starting to get there, although it’s a slow process,” he said. “The banks are considering options for [strong authentication], although it’s disappointing that they haven’t come to the same conclusions over the best way to do this.”

Kellett agreed that online fraud reporting in the UK is currently inadequate and bemoaned the lack of government leadership on issues of internet crime prevention. “The [subsumation] of the National Hi-tech Crime Unit (NHTCU) into the Serious Organised Crime Agency (Soca) is another indication that they don’t want to give cyber crime the attention we all believe it deserves,” he added.

Apacs played down the significance of the figures relating to financial fraud, however. “In real terms, the proportion of online fraud is tiny, even though it seems like a lot of money,” said a spokeswoman. “If someone is set on stealing your identity there is very little you can do to stop them. It’s about being aware of what to do to put the situation right.”

Apacs recommended that firms take a multi-layered approach to security that involves use of fraud-detection technology and the 3-D Secure scheme, which requires users to complete an extra authentication process before purchasing items.

Mark Turner, managing consultant at penetration testing specialist NCC Group, said he was surprised the figure for online crime incidents was not higher, but argued that the public “should be reassured that the banks and online traders spend a lot of time and money on security”.

Turner added that the Payment Card Industry (PCI) Data Security Standard has done much to mandate the safe storage of customer credit card data, making it harder for criminals to commit fraud.

Interview : Network security needs to have depth

Dave Bailey — 2007-09-24T00:00:00.000Z

Dave Bailey, IT Week, Monday 24 September 2007 at 00:00:00

Sourcefire CTO Martin Roesch says UTM appliances alone are not enough to protect extensive networks

IT Week: How did you come up with the idea for the Snort intrusion detection and prevention system?

Roesch: In 1998 I was looking to write a new tool that would be able to monitor my cable modem at home, function as a network packet sniffer and be able to have features added to it easily, such as automated analysis. I wrote the package in the C programming language and dubbed it Snort. The two overriding things with Snort were that it had to be flexible and it had to be fast.

Why did you then feel the need to create a company around Snort?

At the end of 2000 I came out of a failed startup and wondered what to do next. Several friends said I should start a company based around Snort and I thought, “How am I going to do this put it on a CD and charge $50 with a manual?” My friends and I worked out a value-add model where we’d sell Snort and wrap policy and configuration management technology around it. But for enterprises, any technology like this needs to be able to scale, and that’s what Sourcefire aims to ensure.

What do you think of unified threat management appliances (UTMs)?

There are situations where these types of appliance are appropriate, but just having border defence is not enough you need defence in depth. I think people understand that it’s not possible to stop everything. If I’m protecting an extensive network, I need to have an extensive set of tools. UTMs are useful for small enterprises and branch offices and they could be useful in large enterprises but it’s difficult to solve all the problems from one point in the network; it’s best to have multiple vantage points. Remember, also, that turning on all the features, like intrusion prevention and content filtering, can lead to performance issues.

Which threats will be taxing the security industry most over the coming years?

Most malware threats seen today are a combination of trojans and botnets. What you’re going to see is a lot of activity on botnet disruption. The attackers now are very professional: there are organisations out there that have quality and assurance departments and source code control. This increasing professionalism has led to rapid changes in malware distribution.

Do you think anti-virus systems are too complex for home users?

The trouble with anti-virus tools is that they need to be tuned to be effective, and most users lack the expertise to do this. We have to get to the point where the smart technology is in the box and not expect home users to know how to configure these systems.

Flexible working quality mark increases pressure on IT chiefs

James Murray — 2007-05-16T00:00:00.000Z

James Murray, IT Week, Wednesday 16 May 2007 at 00:00:00

Lobbyists mark the start of national Work Wise Week with a quality mark aimed at high-performing firms

Lobby group Work Wise UK today marked the beginning of its national Work Wise Week with the launch of a new quality mark aimed at firms that embrace flexible working practices.

The organisation said the new Work Wise UK standard had been developed in conjunction with the TUC, Transport for London, HBOS, the NHS, BT and the Association for Commuter Transport and would provide a best practice framework for firms keen to embrace home and flexible working.

The scheme was welcomed by UK skills envoy Sir Digby Jones who, speaking at a launch event for the new standard, claimed that firms that attain the quality mark would receive major benefits in terms of staff recruitment and retention.

"Those organisations which achieve the Work Wise Quality Mark will be well placed to attract the very best staff, as the labour market becomes ever more competitive and society becomes increasingly aware of the benefits of flexibility and new ways of working," he predicted.

Work Wise said that organisations keen to qualify for the quality mark would have to submit to a two day assessment where they will have to demonstrate an understanding of "smarter working" techniques and a clear plan for encouraging flexible working practices.

The new standard, coupled with growing momentum for flexible working embodied by Work Wise's National Work From Home Day on Friday and recent legislation requiring firms to consider staff requests for flexible working, is likely to increase pressure on IT departments to provide secure and robust remote working and home office technologies.

However, Mike Hockey of IT services firm 2E2, insisted that those organisations that do embrace home working are seeing multiple benefits in terms of cost, productivity, staff satisfaction and the environment. "We are working with several local councils who have found that enabling home working and setting up hot desks for flexible working has had a wide range of benefits, allowing them to limit the environmental impact of commuters, increase staff productivity and actually close down some offices."

In related news a report from contact centre software specialist Exony argued that UK contact centres are largely failing to adopt home working, or " homeshoring" practices that could save them up to £5 per employee per hour.

"We’re way behind the US in our attitude to enabling contact centre workers to operate from home," said Exony CEO Ian Ashby. “Combining technologies such as broadband, enabling employees to both handle calls and connect securely with the corporate network, with tools to measure and manage agent and call performance in real-time, allows contact centres to reap the benefits of homeshoring."

Two-thirds of workers fall for password honeytrap

IT Week Staff — 2007-04-17T00:00:00.000Z

IT Week Staff, IT Week, Tuesday 17 April 2007 at 00:00:00

Survey finds that it only takes a chocolate bar and a smile to get staff to reveal their passwords

The majority of UK office workers will hand over their computer passwords in exchange for "a bar of chocolate and a smile", according to a new study from the organisers of the annual Infosec show.

The survey of 300 office workers and IT professionals was carried out at London stations and an IT trade show and found that 64 percent of the 300 people approached could be tricked into handing over their password in return for a flirtatious conversation and a free bar of chocolate.

The researchers used social engineering techniques to gain the information, initially asking the delegates if they knew what the most common password was and asking them what their password was. At this stage 40 percent of commuters and 22 percent of IT professionals told the interviewer their password.

If respondents initially refused to hand over their password the researcher then asked if it was based on the name of a child, pet or football team and began guessing possible passwords. At this point a further 42 percent of IT professionals and 22 percent of commuters divulged their password.

"What is most surprising is that even when the IT professionals became slightly wary about revealing their passwords, they were put at their ease by a smile and a bit of smooth talk," said Sam Jeffers, event manager for Infosecurity Europe 2007. "It just goes to show that we still have a long way to go in educating people about security policies and procedures as the person trying to steal data from a company is just as likely to be an attractive young woman acting as a honey trap as a hacker using technology to find a way into a corporate network."

Crime bill overlooks IT offences

David Neal — 2007-01-19T00:00:00.000Z

David Neal, IT Week, Friday 19 January 2007 at 00:00:00

Experts criticise government's lack of focus on IT crime

New Home Office proposals for a Serious Crime Bill to crack down on organised crime do not give enough consideration to IT-based offences, experts have warned.

The proposals include crime prevention orders that can be used against individuals and firms, and improvements to data sharing.

However, John Barker, a solicitor with law firm Chadwick Lawrence, said the bill is evidence of the government’s lack of focus on IT crime.

“Crimes under the Computer Misuse Act 1990 are not included within the [proposal’s] definition of ‘serious offences’,” Barker said. “[The government] needs to decide if it considers IT crime to be serious. If it does, it needs to specifically legislate against [IT offences] and give the police the power to investigate cases.”

Microsoft also criticised the Home Office for not doing enough to counter IT crime in a written submission to parliament last week. The software giant said UK police needed more resources to fight problems such as phishing and identity theft.

A separate anti-fraud law that came into force last week could help crack down on certain online crimes, however. The 2006 Fraud Act covers prosecution of those involved in the creation of software designed to be used in connection with fraud.

“The new rules could lead to a 10-year prison sentence for people that carry out phishing attacks,” said Rosemary Jay, a lawyer with Pinsent Masons.

In related news, the US Department of Justice has released a guide for law enforcement officers, advising on areas such as copyright theft and malware.

Corporate ID theft to cost UK £700m a year

James Murray — 2006-09-18T00:00:00.000Z

James Murray, IT Week, Monday 18 September 2006 at 00:00:00

Fraudsters who steal a company’s identity can rack up huge debts

The cost to UK firms of corporate identity (ID) theft, whereby fraudsters assume a company's identity in order to exploit its credit lines, empty its bank accounts or order assets in its name, is set to soar to £700 million a year by 2020 - a fourteen-fold increase on 2005 levels.

That is the conclusion of new research released today by insurers Royal & SunAlliance (R&SA) and the Centre for Economics and Business Research (CEBR), which found corporate ID theft is one of the fastest growing risks faced by UK firms and is set to mirror the current increase in personal identity theft.

The study assessed current risk trends through interviews with FTSE 250 firms and found that larger firms with over 250 employees and those located in London are most at risk from corporate ID theft, with the communications, banking, finance and insurance sectors likely to be the hardest hit.

A spokeswoman for RS&A said phishing attacks on firms and scams such as contacting Companies House to change company details or add another director were being used by fraudsters to ensure they can act in a companies name to order assets or open new credit lines. "From our research it is clear there is not a lot of awareness of the problem at the moment," she said. "But it is a major trend and already cost firms £50m in 2005 [according to the Metropolitan Police]."

Simon Wallace of the CEBR said the pervasive nature of internet connectivity and subsequent increase in corporate data breaches had made it far easier for fraudsters to gain the information they require to steal a company's identity. He added that firms need to recognise the threat, and invest more heavily in security systems and processes.

R&SA also unveiled a free guide to tackling corporate ID theft advising firms to undertake security checks for new employees; own all permutations of their company name; adopt best practices to ensure digital passwords are secure; and ensure all company stationery is shredded.

The R&SA spokeswoman said companies should also sign up to Companies House Monitor service, which notifies them if any changes to their details are requested.

CSI effect lights up forensic computing

James Murray — 2006-09-14T00:00:00.000Z

James Murray, IT Week, Thursday 14 September 2006 at 00:00:00

The popularity of the CSI TV shows has turned companies on to the benefits of forensic computing

All is not well in the world of forensic science – and I'm not talking about all the dead bodies. Apparently, forensic scientists' jobs are getting harder, criminals are going free, new recruits have an unrealistic view of the profession, and there is only one thing to blame: a TV show.

The so-called "CSI effect" has proved highly damaging. According to experts, the show and its spin-offs, CSI: Miami and CSI: New York, are making it harder for police to gain convictions as juries develop unrealistic expectations about the accuracy of forensic evidence. Meanwhile, some criminologists believe suspects have got better at covering their tracks since the show was launched.

The only silver lining is that the number of new applicants for forensic science courses has soared by over 25 percent, but many of the new entrants are likely to be disappointed to discover that not all forensic scientists look like ex-US soap opera stars and that crime scenes sometimes look really, like, gross.

The only field of forensics that seems to be benefiting is the fast-expanding sector of forensic computing. Speaking recently to Brian Karney, director of product management at forensic computing specialist Guidance Software, he insisted CSI had given the company a valuable marketing boost. "I can just tell people that when you get to the scene in the show where they send the suspect's hard drive off for checking and then it comes back with the evidence – that's forensic computing," he said.

More specifically, Guidance Software and its flagship EnCase suite provide a toolset for quickly extracting incriminating data from suspect computers. With its products deployed by the kinds of government agencies that tend not to provide customer testimonials (although the company does claim its software was involved in the tracking down of Jordanian militant leader Abu Musab al-Zarqawi) Guidance Software has seen sales soar as crime-fighting agencies realise computer records are an increasingly important part of many high-profile investigations.

But it is business customers that are driving much of the sector's growth. According to Karney, the same functionality that can help police quickly spot the "how to make a pipe bomb" instructions on a suspect's PC are also proving attractive to firms that need to respond ever faster to requirements to hand over specific corporate data and prove they have disclosed all requested documents.

Similarly, the growing importance of computer files in internal disciplinary procedures and corporate espionage cases is putting increasing pressure on IT directors to establish thorough processes to search potentially incriminating files and emails.

Forensic computing's ability to catch the prime suspect on CSI may have raised its profile, but it is its ability to collar the guy in sales filing dodgy expenses that is turning it into a corporate necessity.

New web surfing privacy tool launches

Phil Muncaster — 2006-08-31T00:00:00.000Z

Phil Muncaster, IT Week, Thursday 31 August 2006 at 00:00:00

Browzar allows mobile workers and hot deskers to surf the web in privacy

A new internet tool has been launched which enables users to browse the web without the risk of others accessing any private information they may have entered, or discovering what sites they have visited.

Browzar, the brainchild of Freeserve founder Ajaz Ahmed, is free to download, requires no installation and will be of particular interest to corporate users accessing the internet from shared computers or from internet cafes, said the firm. The tool can also be downloaded easily onto a USB memory stick for mobile workers.

It doesn't save web cache, web history, cookies, use auto-complete for partly entered web addresses or retain details entered into online forms, Ahmed explained.

"Mobile workers can log onto the corporate network safe in the knowledge that they won't leave a trail of where they've been, user names and passwords," he said. "People will find their own uses for it – it's a simple tool and on the internet the simplest are [usually] the most powerful."

Ahmed added that as enterprises are increasingly using applications provided over the internet, such as Salesforce.com, the benefits of a privacy tool like Browzar will become even more obvious.

Phillip Dunkelberger, chief executive of encryption specialist PGP, said that secure search will become increasingly sought-after in business, and could help protect firms against bad publicity resulting from exposing sensitive information.

"There are real world situations people must be concerned about where sensitive information [could be accessed by others] and it only needs to happen once [to impact a firm]," he argued.

Security fears threaten RFID adoption

James Murray — 2006-08-09T00:00:00.000Z

James Murray, IT Week, Wednesday 9 August 2006 at 00:00:00

The danger of hacked and cloned wireless ID tags poses a challenge to governments and firms alike

Experts are divided on the scale of the security risk posed by radio frequency identification (RFID) wireless tag technology after a computer expert demonstrated that data held on the tags could be easily cloned.

At the Defcon security conference in Las Vegas, Lukas Grunwald of German security company DN-Systems demonstrated a way to copy information between RFID tags, including those used in new e-passports and corporate access cards.

Grunwald said the technique had taken just "two weeks and $5,000 in legal fees to develop" using inexpensive RFID hardware and scanners and homegrown software.

While Grunwald was not able to manipulate or change data held on the tags - limiting its usefulness for forging e-passports holding biometric data - the approach did quickly copy data onto new tags, posing a potential security risk for firms using the technology in corporate access cards or to authenticate products such as medicines or manufacturing components.

Nigel Montgomery of analyst firm AMR Research branded the demonstration as " sensationalist", and said the security threat posed by RFID tags was still " minimal", but admitted it was likely to hamper adoption of RFID technologies.

"RFID tags are not 100 percent secure, but what is?" Montgomery asked. " People could copy data held on tags, but it is far easier for them to copy a label and a barcode [on counterfeit medicines, for example] than find the radio frequency, copy the tag and decrypt it so they can understand what's on it."

However, Roy Illsley of analyst firm Butler Group said the news showed RFID technology can pose a real security risk for firms. "The biggest issue is the reader and the tag tend to be at the edges of organisations, ie in depots, so theoretically these represent soft entry points into an organisation," he said.

Illsley added that in the future the tags could provide an entry point for viruses or could be easily copied, making their usefulness for tackling counterfeit goods "null and void".

Adam Jura of analyst Datamonitor agreed the ability to clone tags could provide opportunities for fraudsters, as a cloned tag for an expensive product could easily be attached to a counterfeit or cheaper version.

Experts agreed firms need to consider security issues when making RFID deployment decisions. "If you are talking to suppliers about RFID solutions my advice would be to get your security experts along as well," said Illsley. "You have to ask questions about the firewall on the system and how you can limit the risk of duplication."

Separately, IBM has unveiled a new RFID system to track pharmaceutical products. The system, built on IBM's WebSphere middleware platform, allows pharmaceutical firms to track products through their supply chain, and can help tackle counterfeit drugs, and ensure medicines match prescriptions.