This week NSS Labs released their Q2 2010 Corporate Endpoint Protection Products report. NSS has only publicly announced the two products it specifically recommends against: Panda’s Internet Security 2010 (Enterprise) and AVG’s Internet Security Business Edition 9. However, it takes only a quick look at Trend Micro’s web site to guess how NSS rated Office Scan (hint: very well). Some vendors have protested NSS’s ratings in the past, but like it or not, NSS is changing the way security testing is conducted.

As security threats evolve, e-mail has been displaced by the Web as the primary delivery mechanism for malicious code. The old model of virus-definition-based antivirus software has been increasingly called into question. In 2007, Australia’s Computer Emergency Response Team claimed that leading products missed 80% of new viruses. To compensate, companies like Trend Micro and Kaspersky are developing cloud-based “reputation services” to evaluate URLs and code.

NSS president Rick Moy, a former VP of marketing at antivirus vendor ESET, explained in a phone interview that cybercriminals now typically use social engineering to trick users into downloading malware from web sites and running it voluntarily. Malware creators run “campaigns” on Twitter and other social media sites, baiting users with anything from pornography to free iPads. Even the most savvy of users can occasionally be tricked by social engineering – we posted our own list of tech-savvy Twitter users who fell for a phishing scam last year. For an explanation of how such savvy users get fooled, read Cory Doctorow’s recent Lotus Magazine piece explaining why he fell for a phishing scam.

Trend Micro recently published an independent report claiming the IT industry is being lulled into a false sense of security by vendors.
The report cites an NSS survey which found half of respondents thought their antivirus solutions would protect them from threats 100% of the time, and that another 10% of respondents thought their solutions would protect them 99% of the time. Moy says there’s also a perception in the enterprise that anti-malware products are essentially interchangeable, but that’s turning out not to be the case: NSS’s testing found wild disparities between the efficacy of different products, and found that a company’s previous track record is no indication of how well it will perform.

NSS’s tests differ from those of most other testers, such as AV-Comparatives, in that NSS’s test computers are actually connected to the Internet – something the company calls “live testing.” NSS tested PCs running up-to-date copies of Windows 7 and using Internet Explorer 8 with SmartScreen disabled, visiting known malicious sites to verify whether each product tested could successfully block malware from being downloaded and/or executed. According to Moy, typical testing involves using malware sets from Wildlist or Antivirus Bulletin – both of which use samples provided by the antivirus protection industry, some of which might be quite old.

The results of AV-Comparatives’ most recent report, its “Retrospective/Proactive Test,” are radically different from NSS’s. Trend Micro did fairly poorly in this test, while Panda did quite well. AVG outperformed Trend Micro. Peter Stelzhammer of AV-Comparatives confirmed via e-mail that the NSS and AV-Comparatives tests are not comparable, and that AV-Comparatives is working on a test similar to NSS’s.

A consensus is forming in the security industry that there’s a need for new prevention techniques – and new testing methodologies to evaluate those techniques.
The need for new testing methodologies was the theme of the “Measuring The Actual Security Anti-Virus Products Provide Customers” panel at SOURCE 2010 Boston in May, which included Stelzhammer, NSS CEO Vik Phatak, and representatives from CheckVir Labs, Dennis Technology Labs, PC Security Labs and West Coast Labs. Stelzhammer detailed the difficulties involved in doing live, Internet-connected testing and explained the methodologies for AV-Comparatives’ future NSS-like tests. AV-Test has released a test based on methodologies similar to NSS’s, with comparable results. According to the report published by Trend Micro: “ICSA and others such as Virus Bulletin state they will be evolving their certification practices in coming months to include real-time testing and/or testing against today’s threats.”

NSS has a recent history of raising eyebrows in the security industry. In March of 2009 NSS published the results of a Microsoft-sponsored test that found Internet Explorer 8 was more effective in blocking malicious web sites than Firefox, Safari, Chrome, and Opera. This led to many skeptical articles and accusations of bias. However, when looking at what was actually being tested, the results aren’t particularly radical: NSS found that Microsoft’s blacklist blocked more sites than the blacklists used by other browsers. NSS did not test for other browser vulnerabilities.

In September 2009, Network World reported that NSS was shifting its focus towards conducting self-funded tests instead of vendor-sponsored tests. NSS would sell the reports and consult vendors, but would not take money for testing. One of NSS’s first self-funded tests found the 3com TippingPoint 10 firewall to be deficient. Moy told TechWorld he thought that TippingPoint must not have been investing enough in improving its products. Some commenters were, shall we say, skeptical about NSS’s rating.
That same month, NSS released its first Corporate Endpoint Protection Products test, unfunded and using its new live testing methodology. It ranked AVG, Panda and Moy’s former employer ESET at the bottom of the heap. It gave top marks to Trend Micro.

In March of this year NSS released a free report detailing the failure of many commercial products to defeat variants of the infamous Aurora virus that infected Google’s computers. McAfee was the only product NSS tested that successfully blocked variants of the virus, and NSS found AVG was the only product tested that didn’t block the original exploit.

In an entry on the company blog, AVG protested the results of the Aurora test and called a few things into question. It noted that the report initially indicated that NSS had tested AVG 8 instead of the newer AVG 9, and that NSS later claimed this was a typo and that it had tested version 9. AVG also claimed NSS gave them different information about the results of the testing before the publication of the report and that NSS was slow in providing its methodology before publication. AVG also provided a screenshot showing AVG blocking the Aurora virus.

ESET also fired back at NSS, claiming that NSS’s report didn’t comply with two of the Anti-Malware Testing Standards Organization’s Fundamental Principles of Testing. ESET also complained that NSS did not provide access to samples used in its testing.

Since NSS has moved ESET out of the “caution” category in the newest report, we asked ESET if it had made any changes to its product to improve its ratings with NSS. “ESET was unable to get any useful feedback on its performance in the previous test without paying a substantial sum to NSS for ‘consultancy,’” replied David Harley, ESET Research Fellow & Director of Malware Intelligence, via e-mail. “Even when ESET offered to pay the agreed-upon sum, the fee kept escalating.
To this day, information on the test samples has never been supplied, so we are unable to assess the competence and validity of the test, let alone make any changes that would impact our performance in the more recent test.”

Moy answered critics on the NSS blog. First, he addressed AVG’s objections. Moy disputed AVG’s claims that NSS withheld information and pointed out that the methodology and steps for reproducing its Aurora testing were available in the published report. He provided a video showing AVG 9 failing to protect against the Aurora exploit, and pointed out that the screenshot AVG provided depicted Firefox, even though Aurora was an Internet Explorer virus.

In a post seemingly in response to ESET, Moy wrote:

“Some vendors used the anti-malware testing standards organization (AMTSO) to try to discredit the test. One of their objections was that we recommend against buying products that scored on the bottom third of our test. Sorry, we unabashedly believe malware protection should indeed be the key purchasing criteria for an AV product. And for vendors who claim their anti-spam on the corporate desktop will improve their protection against socially-engineered malware hosted on web sites, that’s just stretching it.”

Moy told us that all the NSS test methodology is available for free on the company’s web site and that ESET was mostly upset NSS didn’t release its malware sample set. Although NSS has received money from vendors for past tests, and does do security consulting, Phatak told us NSS did not receive money from Trend Micro or McAfee before the tests were conducted.

Conclusion

Science is about repeatable, verifiable results. The only way to glean a better understanding of the efficacy of various endpoint protection products is for more labs to employ cutting-edge testing methodologies. The more tests released in the future, the more information enterprises will have in making informed decisions.
enterprise's tag archive
Antivirus Product Testing is Changing, Whether Vendors Like it or Not
Study: Open-Source Making Significant Traction in the Enterprise
Open source software is at an inflection point in the enterprise. According to a survey by Accenture, more than two-thirds of organizations anticipate increases in investments this year. Almost 40% said that they expect to migrate mission-critical software to open-source within the next 12 months.

The survey is in line with a market that is validating the use of open-source in the enterprise. This is illustrated by Red Hat’s most recent financial results. In the past year, Red Hat’s revenues are up 20%. All parts of its business are showing growth, with particular strength in middleware. The company signed the largest deal in its history during the last quarter. According to Datamation, Red Hat renewed all of its top 25 deals during the quarter at over 120 percent of their original value.

Accenture surveyed 300 blue-chip organizations in both the public and private sector. Half of the respondents are fully committed to open-source. The survey further validates Red Hat’s results in its finding that 88% of all companies that use open-source will increase their investments in 2010.

Some of the other findings in the survey:

In both the United States and the United Kingdom, respondents cited quality and improved reliability as the key benefits of open-source. A total of 70% cited improved reliability and 69% said they are finding better security and bug fixing.

Cost is a huge driver. Of the respondents, 71 percent said they believed they could save on software maintenance costs. They also cited savings in total cost of ownership and development costs.

Companies still don’t want to share their own open-source. Less than a third say they do. This may be one of the biggest concerns as open-source goes in-house and is not shared with the community. It’s this sharing that gives open-source its strength.

The public sector is lagging in the adoption of open-source. Senior management, training and insufficient open-source alternatives hinder further adoption.
The biggest challenge is training. Half of the respondents from the public sector said training is a hindrance, compared with only 22 percent in financial services. Further, lack of senior management support appears to be a key reason given for not using open source software. Those yet to make the transition to open source also cite insufficient open source alternatives compared to proprietary software suites.

Open-source is at a point where its spread across the enterprise is on a trajectory to become dominant over the next 10 years. That’s great news for companies like Red Hat, which are already seeing the upside in revenues that comes with open-source adoption.
What is Unsearch? Launchpad Winner Baydin Thinks it’s the Future
Quirky Boston-based startup Baydin won this year’s Enterprise 2.0 Launchpad competition with their interesting take on e-mail search: Unsearch. Unsearch, now in closed alpha, is an Outlook plugin that analyzes individual e-mail messages as they’re read, and provides relevant search results next to the message. Imagine Gmail, but with related attachments and e-mail conversations instead of ads.

The ZapThink report the company commissioned notes that Outlook add-ons can be a dicey business proposition. “If Microsoft likes what a partner is doing and thinks they can do better themselves, then they’ll simply incorporate the partner’s functionality into their software and put the partner out of business.” We asked Baydin CEO Alexander Moore how the company hopes to avoid commoditization.

Moore thinks the company has some secret sauce that’s difficult to clone. Although driven in part by Microsoft’s Windows Desktop Search API, Unsearch does its own filtering of search results returned by the API. “We have two layers of proprietary technology sandwiched around Microsoft’s tech,” says Moore. First, Unsearch analyzes the e-mail and extracts keywords. Then, it runs the keywords through the search API and runs a set of proprietary algorithms on the search results to filter and reorder them. It then displays those processed results.

The only piece of software Baydin has released publicly is Boomerang, a simple piece of productivity software that allows users to move a message out of their inboxes until a pre-scheduled time. Moore admits that Boomerang would be easier to replicate than Unsearch, but notes that it’s actually just one part of a larger forthcoming project. “We decided to go ahead and release it as a standalone product when we realized that there were a lot of people who needed that specific feature right now,” he says.

Baydin could be seen as competing with Xobni.
According to the company’s web site, the word “Baydin” is Burmese for “foretelling the future through magic.” The company has strong ties to Burma: one of the founders is ethnically Burmese, the other is in a long-term romantic relationship with someone from Burma. The company promises to donate 5% of its profits towards educational efforts in Burma.

Baydin won the Enterprise 2.0 Launchpad competition in Boston last week. The other finalists were Doodle, InnovationCast and MindQuilt. Last year’s winner was CubeTree.

Baydin presented a video at Enterprise 2.0 that includes a history of the financial crisis that could be charitably called “incomplete.”
Who Needs Java? Probably Not You
After a month-long test run running completely without it, PC Magazine writer Larry Seltzer has come to an interesting conclusion: “Java as a client-side platform is pretty clearly a failure, and all that remains of it is a big fat attack surface on your computer.” While that may be true, we think there are a few other things to consider before attempting to make your machine a Java-free runtime environment.

Much like abstaining from meat for Lent or going for a year without money, Seltzer took the last several weeks off from using client-side Java and found, like many who go without something, it wasn’t all that integral in the first place.

Why’d he do it? “Java has a less-than-stellar security record. There’s actually quite a bit of Java malware out there, generally relying on patched vulnerabilities, as old versions of Java are common on user systems,” he wrote when he started the experiment last month.

The biggest issue he ran into, it seems, was actually removing Java itself, which appears to install itself in numerous places throughout your system.

“Java likes it on your PC and really doesn’t want to let go. Even after you uninstall all the versions listed in your Add/Remove you may find Java components installed in web browsers. Do about:plugins on Firefox or Google Chrome. Do you see Java entries there? I thought so. You may also see plugins from other programs you thought you uninstalled. Do the same for Tools-Manage Add-ons in Internet Explorer. I suppose the uninstallers don’t necessarily bother with these browser components. After you disable them in Firefox and/or Chrome, you can delete these plugins by deleting their program files in C:\Program Files\Mozilla Firefox\plugins or wherever Firefox is installed.”

Seltzer notes that the Wall Street Journal uses it in certain cases and some banking websites he ran into also use it, but otherwise it was pretty much useless.
He warns that, before getting rid of Java yourself, “go through your bookmarks and maybe the last week or so of history and look for sites you use that might use Java.”

Beyond websites that still use Java, which are few and far between and have mostly been replaced by Adobe Flash, there are still some apps out there that use Java and the Java Runtime Environment – apps that some of you geeky, business types might be running. Our favorite non-cloud alternative to Microsoft Office, Open Office, for example, still relies on the JRE to function properly. As does one of the ReadWriteWeb team’s favorite website traffic analysis tools, Woopra.

In batting the idea around, Alex Williams, our enterprise editor, noted that a large number of enterprise solutions still rely on Java. VMware, for example, is introducing platforms to work with both Salesforce and Google that depend on Java to operate. In general, a lot of companies still use Java internally for custom solutions, and eradicating it from your machine could stir up some issues.

Were it not for Open Office and Woopra, we might take the plunge, but those are two programs we certainly don’t want to give up. For now, we’ll just make sure to say “yes” when Java asks us if we want to install the latest update.
Salesforce.com Heralds The Activity Stream – Chatter Comes out of Beta
Salesforce.com is launching Chatter to its entire customer base today. The adoption means that Chatter will now be part of the entire Salesforce.com stack, available as a standalone application and as a platform for application development. Chatter is now integrated into the entire Salesforce.com product line, including its sales and support offerings; Force.com and AppExchange, its marketplace for enterprise cloud computing offerings.

We hear a lot these days about Facebook and its connection to the enterprise. Salesforce.com seems to have imprinted Facebook into its DNA. That may infuriate many who see Facebook as something entirely different, compared to an enterprise service. But for Salesforce.com it’s Facebook that we hear about over and over again in its briefings.

It’s the activity stream that matters here. An activity stream that is also an application stream. That is the fast-moving trend. The ability for people to communicate effectively in the deep stream of data. We are in a time where machine communication is a must in order to organize and share information in the flow of a dynamic supply chain.

Sugar CRM has an activity stream. Success Factors recently acquired CubeTree for its contact centered service built with an activity stream environment. The Enterprise 2.0 world has its share of companies with activity streams. Socialtext is moving its concept of the activity stream forward with its adoption of the Twitter Annotations spec. Socialcast, one of the earliest adopters of real-time activity streams, has been making headway with its service that combines real-time conversations with integration into back-end legacy applications.

Chatter has had its fair share of skeptics. But customers do speak for themselves. Going into the launch, Salesforce.com has 5,000 customers in private beta and more than 50 applications that have built Chatter into its product infrastructure. FedEx is using Chatter to manage logistics.
BMC is using the Chatter platform for a real-time feed designed for IT departments and with internal users.

For the launch, Salesforce.com has implemented the capability for anyone to create groups inside the Chatter environment. That’s already a primary feature with services like Status.net and Yammer. People need to break out streams into smaller trickles that apply to their own group.

Salesforce.com has come to dominate the CRM category. But it has not created its own category in the market like a company such as Success Factors, which has a place on every employee’s desktop. It has done that by positioning itself as an employee production service. The company has a host of competitors, including Microsoft SharePoint and IBM Lotus collaboration services. But with Chatter, Salesforce.com is increasing its odds of being more universal, providing a real-time feed to employees across the organization.
