The SC Magazine Newsteam Blog

Placing an IT security idea into an incubator

Posted November 20, 2008

In today’s sophisticated threat landscape, innovation is a critical component to an effective defense strategy.

That innovation typically comes to bear at the tiny technology companies, whose goal, in most cases, is to create that next big thing, so the firm can go public or get acquired.

But with the economy in ruins, investors are growing increasingly wary of taking chances with their money. As a result, the funding needed to support startups - in our case, those focused on IT security - is drying up ever so quickly.

According to the Arizona Republic, venture capitalists nationally invested $7.1 billion in 907 deals this year compared to $7.8 billion in 981 deals last year.

So it was certainly good news to hear this week of plans by the University of Texas at San Antonio to launch an incubator inside its Institute for Cyber Security.

It works sort of like a hospital incubator might for a premature baby - IT security firms that face challenges preventing them from launching on their own can turn to the incubator to “fast track their product development efforts and expedite time to capital, market and profitability.”

In return, participants must agree to “significant collaboration” with university staff.

While the incubator only stands to help a few companies at a time, hopefully it will encourage other universities to embark on similar missions. For more information, visit here.

Filed under: Consumer threats, Education, Emerging threats, Product news

Apple’s success may breed further attacks

Posted October 14, 2008

In a few hours at a press conference in California, Apple is expected to announce two new MacBook laptops priced at around $1,200 and $1,500. Considering the downturn, let’s call it, in the economy, their strategy of offering more affordable laptops seems to be particularly well-timed.

Rumor sites are touting pumped up functionality – faster processing speed, faster wireless connectivity, better screen resolution, longer battery life – all the improvements one would expect with a new product line.

Our concern, however, is the security angle. As the price point of laptops continues to drop and they become more easily procurable by larger segments of the marketplace, their function broadens as well. No longer are they simply a hard drive on which road warriors can keep their accounts up to date. Laptops are quickly evolving into mobile devices. Anyone with one of these tools can flip it open and easily connect to a wireless network to send email or check their stocks or Facebook page. Witness the scene at any Starbucks or park.

In the old days, a year or so ago, laptops were generally checked out of the office, presumably with some security oversight. Nowadays, as they become more of a consumer buy, laptops are functioning in much the same manner as a smart phone or PDA. They’re not quite down to the size of a Dick Tracy wrist phone, but are certainly more ubiquitous.

Apple is not immune to vulnerabilities. In fact, just last week, in its latest software update, Apple fixed a security vulnerability which could have led to cross site request forgery. Sophos recently released a whitepaper offering 10 steps to better protect Macs from data theft.

But, while the Apple OS has been less of a target for malware writers than Microsoft’s Windows and Vista, that luxury may be waning. The popularity of the iPhone, and now the introduction of near-$1,000 laptops, while benefitting Apple shareholders by increasing the Cupertino, Calif.-based company’s slice of the computer pie, is certain to invite assaults by virus writers, spear phishers, trojan spreaders and all the other ne’er-do-wells who feed off the success of others.

Filed under: Apple, Consumer threats, Email Security, Emerging threats, Product news, Trojans, Vista

Android is no iPhone, yet

Posted September 23, 2008

The launch today of Android, Google’s new cell phone OS, has elicited the usual hoopla.

The system, in partnership with T-Mobile’s G1 cell phone, may prove to be, despite some lukewarm reviews, a worthy competitor to Apple’s iPhone. While many of its features are similar, offering the now standard Wi-Fi and Bluetooth, the prime selling point is the OS’s underlying Linux-based open source mobile platform.

The company is touting how this will allow its app store, called the Android Marketplace, to be completely open – the inference being that it will be easier for developers to create and distribute their applications for the device without the policing Apple provides with its app store.

Critics are already pointing out how this lack of security oversight could lead to viruses and malware being dropped into coding as easily as adding salt to a recipe.

In a piece today, NY Times tech and gadget guru David Pogue responds to those accusations, saying, “[Google] will remove apps that contain malware, copyright infringement, pornography, etc…”

But we have to wonder. Last year, Google got things rolling by offering $10 million in prizes to developers. Recently announced winners included Wertago, a social networking app that lets users hook up with their friends; and cab4me, which enables users to summon a taxi with one click.

Certainly, the first wave of apps will prove useful and fun for the ever-burgeoning techno set. However, the next wave of apps is sure to take advantage of the popularity of the new smart phone technology to launch insidious malware attacks.

Gene Munster, an analyst at Piper Jaffray, predicts that Google’s take from mobile search revenue will reach about $2 billion by 2012. So the stakes are high.

Filed under: Apple, Emerging threats, Open source, Product news

The internet just got really small

Posted August 1, 2008

Imagine a web browser that sits as an application on your desktop. If you click to open, it delivers you to a previously set website. You can navigate all you want through that particular website - maybe it’s Bank of America - but don’t try going to Facebook. It won’t let you. There’s no address bar.

They’re called single-site browsers (SSBs), or site-specific browsers, or maybe some other alliteration that I haven’t heard about yet.

The security benefits are easy to get. As Andrew Jaquith of the Yankee Group - I believe the first analyst to publicly present on this topic - said in an April blog post, “Because SSBs can, by definition, browse to only one website, many of the web-based attacks against users (phishing, cross-site scripting, cross-site request forgery) won’t work.”

Bored by the security ramifications? Mac enthusiast Todd Ditchendorf explains some of the more tangible benefits here.

The concept is still a nascent one, but we can expect to hear a lot more about it in the coming months. Rumor has it that when Apple releases Safari 4, it will include a capability to create SSBs.

As is often the case with neat innovations, the open-source community is leading the charge.

Ditchendorf, in fact, has already designed a Mac application to make an SSB possible. It’s called Fluid. And the smart folks over at Mozilla are working on their version, known as Prism.

A big challenge will be getting the banks and other heavily phished retailers interested in offering this to customers. But it might be worth it. As Jaquith notes, SSBs could be “a great way to ‘brand’ a website and keep users safer, all at the same time.”

Of course, as with any security technology, this is not a silver bullet. Jaquith points out that previously installed malware, such as keyloggers, can still work on SSBs, as can things like DNS exploits.

Stay tuned.

Filed under: Apple, Consumer threats, Email Security, Emerging threats, Groundbreakers and newsmakers, Phishing, Product news, Trojans, Vulnerabilities

Triumph of the geek

Posted June 10, 2008

Hats off to Apple for another in a two-decade long series of electrifying product announcements yesterday.

While Hollywood is the master at creating frenzy over a new release, often spending as much on marketing as production, the enthusiasm with which Apple announcements are greeted is no less hysterical. But in Apple’s case, the passion is most often justified. The products deserve the impassioned response. They deliver, they’re innovative, they’re simple to operate, they do what they’re supposed to.

I received perhaps 20 different press releases yesterday announcing some aspect of the new iPhone 3G. There was a separate release for each country in which the device was about to receive distribution (July 11, in case you were in a coma). And there were a number of third-party partnership announcements.

One of the key developments with the new generation communication device is its integration into enterprise use. That is, Apple is making every effort to increase its appeal to business users. The new iPhone 3G now supports Microsoft Exchange ActiveSync, which allows road warriors to send and receive email and have access to their calendar and contacts. It also gives mobile users the ability to securely tap into the corporate network via Cisco IPsec VPN and wireless network services with WPA2 Enterprise and 802.1X authentication.

On top of all this, Apple has made it simple for anyone to create applications to be used on the iPhone.

And that’s what information security professionals need to take a look at. In all the news and hoopla greeting the introduction of the iPhone 3G, there was not a word about security issues these wireless tools and third-party apps may bring to the market.

The technology is moving swiftly. But along with these tremendous developments come attendant potential calamities – everything from new generations of malware developed specifically for mobile networks, to viruses introduced via third-party apps.

Apple, so far, has largely avoided the infections that have targeted Microsoft products. But now that the Cupertino, Calif.-based company is increasing its alliance with the Redmond, Wash.-based company in this move to grab a larger enterprise market share – not to mention a growing share of the consumer market as well, particularly with the price point coming down significantly – it wouldn’t be unexpected to see a growth in attacks spreading via the iPhone network.

What’s being done to keep the network secure? We’ll do our best to stay on top of developments. Let us know what you know.

Filed under: Apple, Email Security, Emerging threats, Groundbreakers and newsmakers, Microsoft, Product news, Trojans, Vulnerabilities

Using crowds of people to fight malware

Posted February 4, 2008

Panda Security might just have the right idea when it comes to fighting malware across a threat landscape that is seeing more sophisticated and faster evolving attacks than ever before.

The Glendale, Calif.-based anti-virus firm has developed a new method known as “collective intelligence” to combat zero-day and targeted security threats — in the cloud, in real time.

Here’s how it works: Instead of relying on the manual collection and remediation of each piece of malware, which is morphing at alarming rates, Panda taps into the aggregated knowledge of its thousands and thousands of diverse users.

It’s the same principle that author James Surowiecki chronicles in his “Wisdom of Crowds” best seller. In the introduction, he recaps an anecdote from a British scientist’s visit to a county fair, at which the public tried to guess the weight of an ox. Each individual guess was wrong, often way wrong, but when the scientist averaged the predictions, the number came within 1 pound of the animal’s weight.

It doesn’t work that much differently in the case of Panda’s technology.

In other words, if one customer is infected with a new variant, Panda immediately records that, develops a fix and pushes it out to all users. The idea is, users are on the front line. Why wait for lab workers to discover the malware when there is “intelligence” to be harnessed from a huge community of users of various shapes and sizes from all over the world? They are getting hit with different stuff every day.

Just because they are your customers doesn’t mean you can’t use them to create more robust solutions.

This technical feat is evident in Panda’s just-announced product called Panda Security for Internet Transactions. The offering, deployed by banks, utilizes the “collective intelligence” technology to almost instantaneously scan customers’ computers for trojans when they sign into their accounts.

If the product detects malware designed to perpetrate financial fraud, something like a keylogging trojan, users are diverted to a “safe page,” where they are prompted to download anti-virus and get cleaned up.

To see firsthand how this “collective intelligence” technology works, check out www.infectedornot.com, where you can run a quick 60-second scan of your PC for any viruses or spyware.

Filed under: Consumer threats, Emerging threats, Product news, Trojans, Worms

3ivx patch due this week

Posted December 12, 2007

On Monday, we told you about a serious 3ivx codec flaw, which could be exploited by hackers to take complete control of an affected system. Proof-of-concept code was spotted affecting Windows Media Player 6.4 and Winamp 5.32, and experts worried whether the bug may be exploitable in more recent versions of the popular media applications as well.

But protection is on the way, as 3ivx told SCMagazineUS.com today in an email that the company plans to issue a software update later this week. A company spokeswoman said the vulnerability is actually in the MP4 file format reader, not the MPEG-4 codec.

“The specific vulnerability is when MP4 or M4A file metadata (Artist, Album, Title, etc.) data is larger than expected, thus causing a buffer overflow,” she said. “The problem with the various attacks available is they require a specific version of an MPEG-4 filter to be installed, and a specific player to be used to play the crafted MP4. Interestingly, if this were to become a serious problem for video content portals, it would be possible to scan content for invalid metadata before making the content available to the public. A little bit like virus scanning.”

Don’t let it come to that. Make sure you upgrade to the 5.0.2 release.
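
The pre-publication metadata scan the 3ivx spokeswoman describes could look like the following. This is an added example, not code from 3ivx or from the original post; the 1,024-byte limit, the function names and the sample files are assumptions constructed for illustration, and it assumes the ISO/iTunes-style `moov/udta/meta/ilst` tag layout.

```python
import struct

# Assumption: policy limit chosen for this example, not a value from the post.
MAX_TAG_BYTES = 1024
CONTAINERS = {b"moov", b"udta", b"meta", b"ilst"}
TAG_NAMES = {b"\xa9ART": "Artist", b"\xa9alb": "Album", b"\xa9nam": "Title"}


def iter_boxes(buf, start, end):
    """Yield (type, payload_start, payload_end); raise ValueError on bad sizes."""
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated box header at offset {pos}")
        size, btype = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:  # a 64-bit size follows the type field
            if end - pos < 16:
                raise ValueError(f"truncated 64-bit size at offset {pos}")
            size = struct.unpack_from(">Q", buf, pos + 8)[0]
            header = 16
        elif size == 0:  # box runs to the end of its container
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"box {btype!r} at offset {pos} has invalid size {size}")
        yield btype, pos + header, pos + size
        pos += size


def scan_mp4_metadata(buf, max_tag_bytes=MAX_TAG_BYTES):
    """Return a list of findings; an empty list means the tags passed the policy."""
    findings = []

    def walk(start, end, parent):
        for btype, p0, p1 in iter_boxes(buf, start, end):
            if parent == b"ilst":
                # Each ilst child is one tag; its value sits in nested 'data' boxes.
                name = TAG_NAMES.get(btype, repr(btype))
                for ctype, c0, c1 in iter_boxes(buf, p0, p1):
                    if ctype != b"data":
                        continue
                    value_len = c1 - c0 - 8  # skip type indicator + locale
                    if value_len < 0:
                        findings.append(f"{name}: data box too short")
                    elif value_len > max_tag_bytes:
                        findings.append(
                            f"{name}: {value_len} bytes exceeds limit {max_tag_bytes}")
            elif btype in CONTAINERS:
                if btype == b"meta":
                    p0 += 4  # 'meta' carries 4 bytes of version/flags first
                walk(p0, p1, btype)

    try:
        walk(0, len(buf), None)
    except ValueError as exc:  # inconsistent sizes: reject rather than guess
        findings.append(f"malformed: {exc}")
    return findings


# --- constructed sample input (not a real media file) ---
def box(btype, payload):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


def tag(btype, text):
    return box(btype, box(b"data", struct.pack(">II", 1, 0) + text))


def build_sample(artist):
    ilst = box(b"ilst", tag(b"\xa9nam", b"Constructed title") + tag(b"\xa9ART", artist))
    meta = box(b"meta", b"\x00\x00\x00\x00" + ilst)
    return box(b"ftyp", b"M4A \x00\x00\x00\x00") + box(b"moov", box(b"udta", meta))


if __name__ == "__main__":
    for label, artist in (("normal", b"Constructed artist"), ("oversized", b"A" * 5000)):
        print(label, scan_mp4_metadata(build_sample(artist)))
```

A portal would run such a check at upload time and quarantine any file with findings, treating structurally inconsistent files the same way as oversized tags.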

Filed under: Consumer threats, Non-Microsoft patches, Product news, Trojans, Vulnerabilities

Easing privacy concerns will be a hurdle for Google’s web-based storage service

Posted November 27, 2007

If you thought Google wasn’t really serious about taking on Microsoft for world domination, you might want to start accepting it.

Today’s Wall Street Journal revealed game-changing plans by Google to launch the on-demand model to trump all other on-demand models. That’s right, the mighty company from Mountain View, Calif. is close to unveiling a service that would provide internet-based storage for all of the stuff that users normally put on their hard drives, such as word-processing documents, spreadsheets, images and music.

Google would take control and permit users to access and download these password-protected files through their internet browser instead of their desktop. This fundamental shift in the way we store our information likely would mean a huge cost savings for businesses, which could practically close down their data centers in favor of this revolutionary, in-the-cloud model.

Of course, there’s a big difference between a vendor who is providing you with a piece of software and a vendor responsible for storing (and protecting) kilobytes upon kilobytes of sensitive data. Privacy and performance issues are sure to arise. I would venture to guess that more than a few businesses might be reluctant to pass control of their information off to anyone, including an established, security-minded company such as Google.

“It is certainly approached with the utmost sensitivity on our end,” a Google spokeswoman told the Journal. “We have extensive safeguards in place currently to protect our user data and we have a very strong track record in this regard.”

We will see. And I’m guessing Microsoft won’t go down without a fight. They surely will use the privacy/security angle as a way to discourage any potential defectors.

Filed under: Microsoft, Privacy, Product news

Firefox 3.0 beta available

Posted November 20, 2007

An even more secure version of alternative web browser Firefox is on the way, with Mozilla announcing today the release of the 3.0 beta.

The new version features a number of new security capabilities, including:
- Website owner information.
- Notification when visiting a site containing malware.
- Web forgery protection pages.
- SSL error pages.
- Checking for up-to-date add-ons and plug-ins.
- Secure add-on updates.
- Integration with your anti-virus software when you download executables.
- Microsoft Vista parental controls.

Many people have opted for Firefox instead of Internet Explorer for security reasons, and the next version seems to only confirm that the open-source browser is focused on protecting its users. But as the market share grows for Firefox, the hackers will be paying attention.

No timeline was given for the official release of Firefox 3. Firefox 2 was pushed out in October 2006.

Filed under: Browser flaws, Product news

I can see your Facebook pictures

Posted September 6, 2007

If you’re anxiously waiting for Microsoft to announce how many patches the company will release next Tuesday, here’s some interesting reading material.

Remember the news stories about employees getting fired, or applicants not getting jobs, because of sketchy material on their MySpace pages?

This could happen more frequently now as Facebook has announced that parts of user profiles will be searchable by outside engines.

And social networking websites, as many of us are aware, are a prime spot for some people to post photos of whatever they did last weekend – especially if they had a few drinks beforehand.

Of course, Facebook users can avoid such a mess by setting their profiles to private – a wise choice, both in terms of user-friendliness and privacy, by Facebook.

So if you hear a loud typing sound, it could be the echo of a few million teenagers and twenty-somethings rushing to change their settings.

Filed under: Consumer threats, Privacy, Product news
