Recycled PCs posing data leak risk
What's on your old hard disk?
By Peter Judge
http://software.silicon.com/security/0,39024655,39167775,00.htm
Published: Monday 9 July 2007
Nearly one-third of UK business PCs still have sensitive data on them when they are discarded, according to research commissioned by Lenovo.
Many companies simply erase data or format the disk on the PC, which leaves information easy to access, the computer maker said, reporting on its survey of 300 UK businesses.
Awareness of the environmental impact of disposal of electronic equipment has been boosted by the EU's Waste Electrical and Electronic Equipment (WEEE) Directive, which came into force in the UK last week. The 'green' directive is meant to keep old hardware out of landfills. But the data-security risk is greater if PCs are kept going rather than destroyed, and this danger may be exacerbated by moves encouraging the recycling of technology.
There are measures companies can take. Wiping the disk, or rewriting random bits over the existing data multiple times, makes it impossible to retrieve the original information, according to experts, although it is worth making sure that any wiping method meets the standard Gutmann specifications.
Lenovo provides a free Secure Data Disposal tool for download on its site that can be used to wipe data on PCs before getting rid of them or passing them to different users in a company.
Chris Wells, Lenovo's vice president for UK and Ireland, said in a statement: "It is essential for organisations to consider secure data disposal when refreshing end-of-life computers in order to avoid becoming susceptible to potentially immeasurable business risk."
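An added illustration, not part of the article and not Lenovo's Secure Data Disposal tool: a toy Python model of why formatting or deleting leaves data recoverable while overwriting does not. The disk geometry, the single-file allocation table and the sample payroll record are all constructed for the demo, and the three random passes followed by a zero pass are a simplification, not the Gutmann pattern sequence the article refers to.

```python
"""Toy disk model (constructed example, not from the article).

The 'disk' is a bytearray of fixed-size blocks. Block 0 is the allocation
table; file data lives in the blocks after it. A quick format clears only
the table, a wipe overwrites every byte."""
import os

BLOCK_SIZE = 64      # bytes per block (constructed toy geometry)
BLOCK_COUNT = 8      # block 0 holds the allocation table, 1..7 hold data


def new_disk() -> bytearray:
    """A blank disk, every byte zero."""
    return bytearray(BLOCK_SIZE * BLOCK_COUNT)


def write_file(disk: bytearray, name: str, data: bytes) -> None:
    """Store one file from block 1 onwards and record 'name:start:length'
    in the allocation table. Single-file toy: a second write replaces it."""
    if len(data) > BLOCK_SIZE * (BLOCK_COUNT - 1):
        raise ValueError("file too large for toy disk")
    start = 1
    offset = start * BLOCK_SIZE
    disk[offset:offset + len(data)] = data
    entry = f"{name}:{start}:{len(data)}".encode()
    disk[0:BLOCK_SIZE] = bytes(BLOCK_SIZE)      # clear stale table bytes
    disk[0:len(entry)] = entry


def read_file(disk: bytearray, name: str):
    """Look the file up through the allocation table, as an OS would.
    Returns the bytes, or None if the table has no entry for it."""
    table = bytes(disk[0:BLOCK_SIZE]).rstrip(b"\x00").decode(errors="ignore")
    if not table:
        return None
    entry_name, start, length = table.split(":")
    if entry_name != name:
        return None
    offset = int(start) * BLOCK_SIZE
    return bytes(disk[offset:offset + int(length)])


def quick_format(disk: bytearray) -> None:
    """What 'delete' or a quick format does: drop the table, keep the blocks."""
    disk[0:BLOCK_SIZE] = bytes(BLOCK_SIZE)


def carve(disk: bytearray, needle: bytes) -> bool:
    """Forensic-style raw search that ignores the allocation table."""
    return bytes(disk).find(needle) != -1


def wipe(disk: bytearray, passes: int = 3) -> bool:
    """Overwrite every byte with random data `passes` times, then with
    zeros, and verify the final state. Returns True if verification passed."""
    for _ in range(passes):
        disk[:] = os.urandom(len(disk))
    disk[:] = bytes(len(disk))
    return all(b == 0 for b in disk)


def demo():
    """Run the sequence the article describes; returns (data survives
    format, wipe verified, data survives wipe)."""
    disk = new_disk()
    secret = b"ACCOUNT 12345678 SALARY 52000"   # constructed sample record
    write_file(disk, "payroll.csv", secret)
    quick_format(disk)
    after_format = carve(disk, b"SALARY")       # True: still on the platter
    wiped = wipe(disk)
    after_wipe = carve(disk, b"SALARY")         # False: gone
    return after_format, wiped, after_wipe


if __name__ == "__main__":
    print(demo())
```

The point a forensic examiner would make is visible in carve(): the quick format removes the entry the operating system consults but leaves every data block in place, so a raw search still finds the record, and only the overwrite removes it. On a real drive the wiping tool has to write to every sector of the device rather than through the file system, and on flash media with wear levelling a software overwrite may never reach remapped cells, so the drive's own secure-erase command is the reliable route there.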
Businesses beware upgrading to Vista, warns Dell
"Vista is big and complex and there is a lot to it. It requires a lot of testing"...
http://software.silicon.com/os/0,39024651,39167747,00.htm
By Colin Barker
Published: Thursday 5 July 2007
Dell has taken the unusual step - for a PC vendor of its size - of toning down its sales pitch for Microsoft's Vista operating system and warning businesses of the migration challenges that lie ahead for them.
The step is particularly unusual because one of the issues the hardware vendor is warning business about is the extra hardware they will need to buy.
Dell's European client services business manager, Niall Fitzgerald, said: "They need to be looking at the number of images they will be installing and the size of these images. A 2GB image for each user will have a big impact."
In the past, Microsoft had suggested that a 1GB image was fine for Vista but Fitzgerald said image sizes of 2GB and larger will be likely.
As a result, said Fitzgerald, Dell is "stepping back" from telling people they must upgrade. "We are set up to give people all the guidance and support they need for this," he said. "We are not here to promote Microsoft and tell people they should buy it. We can show them the advantages of Vista and what they need to put in place to begin to move across."
Application migration is a key area, Fitzgerald said, echoing comments from Gartner on the size of the issue and the need for considerable testing. "You have to allow time for testing," he said. "Vista is big and complex and there is a lot to it. It requires a lot of testing. You can't just shut off XP on Friday and start Vista on Monday morning. There will be training. There are things to learn."
Overall the challenges will be significant and "should not be underestimated", added Fitzgerald. However, he still thinks business should go ahead with the migration and not wait for Microsoft to release its first service pack.
Last month, Microsoft passed 40 million sales of Vista but most of those appear to be to consumers rather than businesses, which have been slow to upgrade.
While Fitzgerald accepted some businesses are holding back from migrating to Vista, he denied there is a widespread feeling that it is better to wait for Service Pack 1. "I have heard that, and I don't buy it," Fitzgerald said. "It used to be a thing people did, and it might have been the case with, say, Windows 2000 but not now."
Gartner urges business ban on iPhone
No backup, no management, no competition, no security...
http://networks.silicon.com/mobile/0,39024665,39167684,00.htm
By Andrew Donoghue
Published: Friday 29 June 2007
Analyst Gartner claims the iPhone could "punch a hole" through corporate security systems if staff are allowed to use the phone for work purposes.
IT departments should be extremely wary of allowing staff to use Apple's mobile handset as it does not contain the necessary functionality to comply with basic corporate security, analysts warned in a research note released on Thursday. The iPhone will be launched in the US on Friday.
Gartner lists the following reasons to steer clear of the iPhone for now:
Lack of support from major mobile device management suites and mobile-security suites
Lack of support from major business mobile email solution providers
An operating system platform that is not licensed to alternative hardware suppliers, meaning there are limited backup options
Feature deficiencies that would increase support costs (for example, no removable battery)
Currently available from only one operator in the US
An unproven device from a vendor that has never built an enterprise-class mobile device
The high price of the device, estimated at $500
A clear statement by Apple that it is focused on consumer rather than enterprise
Integrating mobile devices and other tech into corporate IT networks, while maintaining security policies, has become an increasing problem for businesses. The problem is exacerbated by the fact that manufacturers provide tools that allow staff to integrate their device into the corporate network, the analyst group claims.
The report stated: "Most handheld devices come with easy-to-use tools that enable rapid interfaces to business systems. When end users install such tools, they effectively 'punch a hole' through the enterprise security perimeter - data can be moved across applications to personally owned devices, without the IT organisation's knowledge or control."
Gartner argues that companies should develop a 'managed diversity' approach to supporting mobile devices. This approach effectively allows a wide variety of devices to be supported but with trade-offs, such as limited access to some systems, to maintain security levels.
Andrew Donoghue writes for ZDNet UK
Thanks Awk!
dude_danny
Wave Webinar: Find Out How Your Enterprise
Can Benefit from FDE Drives!
Wednesday, July 25, 2007
2:00 P.M. (EDT)
http://www.wave.com/webinars/index.html
Awk: I did not get a chance to listen to the TCG webinar yesterday. Can you give some highlights?
Thank you,
dude_danny
Hacker penetrates Pentagon email system
Jun 21 04:45 PM US/Eastern
http://www.breitbart.com/article.php?id=070621180520.au1jussx&show_article=1
A hacker penetrated an unclassified Pentagon email system, prompting authorities to take as many as 1,500 accounts offline, defense officials said Thursday.
"Elements of the OSD unclassified e-mail system were taken offline yesterday afternoon due to a detected penetration," US Defense Secretary Robert Gates said, using an acronym for the Office of the Secretary of Defense.
"A variety of precautionary measures are being taken. We expect the system to be online again very soon," Gates said.
Between 1,000 and 1,500 users of the system were taken offline, a defense official said.
On Wednesday, a congressional panel disclosed that hackers also have succeeded in penetrating computers at the Department of Homeland Security, the lead government agency in providing security against cyber attack.
"What does this mean? It means terrorists or nation states could be hacking Department of Homeland Security databases, changing or altering names to allow them access to this country, and we wouldn't even know they were doing it," said Representative James Langevin.
The Pentagon email system carries "routine email" involving administrative matters but not classified information related to military operations, Colonel Gary Keck, a Pentagon spokesman, said.
Gates said the Defense Department computers are under constant attack, but he could not say why this attack unlike others forced authorities to take down part of the system.
Pentagon officials would not comment on the source of the attack, or whether the hacker was able to read email sent over the system.
"We obviously have redundant systems in place, and there's no anticipated adverse impact on ongoing operations," Gates said. "There will be some administrative disruptions and personal inconveniences."
"It will come as no surprise that we aggressively monitor intrusions and have appropriate procedures to address events of this kind. But, as I say, we get perhaps hundreds of attacks a day," he said.
French officials want their BlackBerrys despite security warning
Jun 19 02:03 PM US/Eastern
http://www.breitbart.com/article.php?id=070619180315.8tqqez2t&show_article=1
Top French government officials are ignoring warnings to ditch their cherished BlackBerrys -- smartphones with e-mail capacity -- despite warnings their messages may be intercepted by US spy agencies, a report said Tuesday.
"They tried to offer us something else to replace our BlackBerrys," an unnamed official in the prime minister's office told Le Monde newspaper. "But that didn't work and some people use their BlackBerrys in secret."
French security officials are worried that e-mails sent by government officials from a BlackBerry might be picked up by the US National Security Agency because the servers for BlackBerry mail are located in the United States and Britain, according to Le Monde.
They first notified the government of this risk 18 months ago but have had to reissue the warning, the paper said.
"The risk of interception is real, it's an economic war," Alain Juillet, a senior French economic intelligence official, told Le Monde.
Research in Motion, the Canadian firm that makes BlackBerry, is the market leader for mobile e-mail devices, with more than seven million of its smartphones in use worldwide.
Online shoppers still getting security sweats
Who's afraid of the world wide web?
http://www.silicon.com/retailandleisure/0,3800011842,39167581,00.htm
By Natasha Lomas
Published: Tuesday 19 June 2007
Businesses are still not doing enough to soothe consumer fears about buying online, says the Office of Fair Trading (OFT).
In its latest market report into internet shopping, the OFT said shoppers still have significant worries about privacy and security which is limiting the growth of the sector - despite its obvious successes.
Although internet sales have been increasing for years, online sales comprised just three per cent of all retail sales, and only six per cent of businesses were selling online to consumers, according to the latest OFT data from 2005. And while there are many reasons why people choose not to shop online, it identified security worries as a significant factor holding back the sector.
The OFT said 79 per cent of web users it surveyed were "very concerned" about the security of their payment details when shopping online. And it estimates 3.4 million internet users shun ecommerce because of "a lack of trust or fears about personal security".
The OFT report said: "Shoppers' fears about online payment security risks are considerable," adding that many consumers were even willing to forego potential savings online in order to gain peace of mind by buying goods offline.
The report added: "Confidence and trust are important to the success of internet shopping."
In addition, the OFT said increased consumer confidence would make 42 per cent of offline businesses surveyed more likely to open an online channel.
There is also evidence online shoppers are not always aware of precautions they should take to help safeguard their security, the OFT said.
According to its research, one in five web users never check the security of a site and 34 per cent only do so sometimes. But while businesses need to help improve consumers' security savvy by informing them of actions they can take to help protect themselves online, it cautioned against over-hyping the threat and scaring people away.
The report said: "[Consumer security awareness] campaigns need to be balanced, so that shoppers know how to protect themselves, without having excessive fears about online shopping."
Another area identified by the OFT as in need of attention is online shoppers' rights - both businesses and consumers are not always aware of their rights under laws such as the Distance Selling Regulations, it said. In its survey, the OFT found nearly a third (28 per cent) of UK-based online traders were not aware or only slightly aware of the laws applying to online shopping, and two-thirds (66 per cent) had never sought advice on them.
The OFT added that with the online shopping arena evolving so rapidly it's likely the existing laws will need updating to keep pace. The report said: "The backdrop to internet shopping is changing at a dizzying pace, with developments such as mobile phone commerce, targeted advertising, digital delivery, web 2.0 and virtual worlds."
Storage Needs to be Trusted Everywhere
https://www.trustedcomputinggroup.org/news/Industry_Data/TCG_Commentary_Final.pdf
dude_danny
Nice Find OknPV!
Best Regards,
dude_danny
Dell Latitude D531 review
http://laptopciti.gadgetpapa.com/2007/06/13/dell-latitude-531
Flexible Endpoint Security
Strategic, comprehensive solutions for all types of businesses
* Optional Encrypted Hard Drive delivers full disk encryption without compromising performance
* TPM security chip enables a personal virtual drive for all your encrypted files
* Wave EMBASSY® Trust Suite works with the TPM for robust file/folder encryption and much more
NotebookReview has a review of the Dell Latitude D531 put up saying – “My general impression of this notebook is neither wholly positive nor negative. It has little problems yes, but such things might be expected for a budget notebook you’re paying $799 for. The build quality is good overall and better than many consumer notebooks, so you’re getting a bargain there in terms of price. Disregarding the graininess issue, the screen quality was above average, having better viewing angles and brightness, compared to other business notebooks such as a ThinkPad T60 series. It offers a good usability and performance to price ratio.”
Banks warned over IT security flaws
Online banking a major factor
http://www.silicon.com/financialservices/0,3800010322,39167496,00.htm
By Julian Goldsmith
Published: Thursday 14 June 2007
The number of security flaws within financial institutions' IT systems is growing fast, due in part to customer demand for internet services.
A survey of just under 400 financial institutions, ranging from high street and City banks to insurance and credit services, claimed seven per cent of the organisations tested revealed between 41 and 126 separate vulnerabilities. It found 49 per cent of financial companies had one or more high-risk vulnerability.
A spokeswoman from security company NTA Monitor, which runs the survey using its own penetration testing software, told silicon.com that 32 per cent of the companies tested were in the high-risk category, although this figure was a decline from 61 per cent last year.
NTA technical director Roy Hills blames the move online as one of the primary causes of security weaknesses in the sector.
Financial organisations are one of the frontrunners in terms of online activity, and are being pushed to open themselves up to the public by offering more online services or by allowing customers to access their personal financial data.
While this extra accessibility is of benefit to many customers, at the same time it can increase the exposure to external attacks, he warned.
iPhone, Gmail and blogs - a corporate security nightmare
Fear consumer tech...
http://software.silicon.com/security/0,39024655,39167527,00.htm
By Andy McCue
Published: Friday 15 June 2007
The use of consumer-based technology such as web email, instant messaging, smart phones and games consoles by employees is one of the most significant threats to corporate IT security.
Analyst companies Forrester and Gartner have both warned this week that the entrance of consumer technologies into the enterprise is impossible to eliminate and challenges traditional security models.
Consumer-based communications tools such as Hotmail, instant messaging and voice over IP are used by most employees, often from work and also as a way to transfer work materials to and from their PCs at home.
In a report, Gmail, iPhones and Wiis: Preparing Enterprise Security for the Consumerisation of IT, Gartner research VP Rich Mogull said: "Most organisations will find themselves unable to completely block these services, for cultural, if not technical reasons, but security options are available to limit the risks that consumer communications services create."
Blogs, social networking tools and other web 2.0 technologies are another risk for information leaks or as channels for malicious software and viruses.
Gartner advises organisations to configure content management and data loss prevention tools to monitor and block the release of sensitive content over HTTP and peer-to-peer network traffic and also configure the web gateway to block any services such as social networking not deemed suitable in the workplace.
The emergence of increasingly sophisticated media-centric consumer mobile handsets such as the iPhone can also be managed without a complete enterprise ban.
Security options for these devices include restricting the ability for unapproved devices or storage to connect to managed PCs and laptops, deploying an SSL (secure sockets layer) VPN to enable secure thin-client remote access to enterprise systems, and encrypting all approved mobile devices with access to sensitive data in case of loss or theft.
Forrester senior analyst Bill Nagel, speaking at the Forrester IT Forum in Edinburgh this week, added: "Not all information needs to be protected. Only put high levels of security around data you cannot afford to lose. Consumer technology is very useful and is not going to go away."
Forrester highlighted Bluetooth, insecure home wireless networks and "evil twin" malicious public wi-fi hotspots as particular security risks to corporate IT security.
Nagel said: "Bluetooth is a security nightmare. Bluetooth traffic is rarely encrypted. One big problem is people just leave the security enabled by the phone, which is usually nothing. It is very easy to sniff Bluetooth traffic."
But Forrester said the use of consumer-based technology by employees also has many advantages and can lead to equipment cost savings, better back-up of corporate data, more flexible work conditions and improved collaboration.
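A sketch of the kind of web-gateway check the Gartner advice above describes, added here as an example and not taken from the article, Gartner's report or any product: a small Python policy that blocks requests to services not deemed suitable for the workplace and blocks outbound bodies carrying payment card numbers, using a Luhn check so that ordinary reference numbers are not flagged. The host names, the blocklist and the sample requests are constructed placeholders.

```python
"""Outbound HTTP policy check (constructed example, not a real product).

Two controls from the article's Gartner advice: a destination blocklist for
services not permitted at work, and content inspection that blocks bodies
containing valid payment card numbers."""
import re

# Constructed placeholder destinations that policy does not permit.
BLOCKED_HOSTS = {"social.example", "webmail.example"}

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9
    from any result above 9, and the total must be a multiple of ten."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings in `text` that look like card numbers and pass
    Luhn. Runs that fail Luhn (order numbers, references) are ignored."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_request(host: str, path: str, body: str) -> tuple:
    """Gateway decision for one outbound request: ('block'|'allow', reason)."""
    if host in BLOCKED_HOSTS:
        return "block", f"destination {host} not permitted by policy"
    cards = find_card_numbers(body)
    if cards:
        # Log only the last four digits so the log itself does not leak data.
        masked = ", ".join("*" * (len(c) - 4) + c[-4:] for c in cards)
        return "block", f"payment card data in outbound body ({masked})"
    return "allow", "no policy match"


# Constructed sample traffic: (host, path, body)
SAMPLE_REQUESTS = [
    ("mail.example", "/send", "to=me@home&body=card 4111 1111 1111 1111 exp 12/09"),
    ("mail.example", "/send", "to=me@home&body=ref 4111-1111-1111-1112"),
    ("social.example", "/status/update", "text=lunch"),
    ("cdn.example", "/assets/app.js", ""),
]


def run_samples() -> list:
    """Apply the policy to the sample traffic; returns (host, path, decision, reason)."""
    return [(h, p) + inspect_request(h, p, b) for h, p, b in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for host, path, decision, reason in run_samples():
        print(f"{decision:5} {host}{path}  {reason}")
```

The second sample request carries a sixteen-digit number that fails the Luhn check and is allowed through; without that check a content filter of this kind generates enough false positives that staff learn to route around it, which is the cultural problem the Gartner quote points at.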
Windows Server 2008: Virtualisation is the key
Will this be Longhorn's silver bullet?
By Tim Ferguson
http://software.silicon.com/os/0,39024651,39167450,00.htm
Published: Tuesday 12 June 2007
Virtualisation will be the key to the popularity of Microsoft's long awaited server operating system, Windows Server 2008, analysts have predicted.
The final version of the OS - formerly known as Longhorn Server - is due to be released at the beginning of 2008 following a long and protracted development.
The first public beta version of Longhorn was recently made available, with 100,000 downloads made since the end of April. But analysts are predicting the virtualisation app - Viridian - will be key.
According to Microsoft, Windows Server 2008 will initially include a beta version of its virtualisation application which will be updated when the full version becomes available within 180 days.
David Bradshaw, analyst at Ovum, emphasised the importance of virtualisation. "Virtualisation is the silver bullet. As with any silver bullet you have to treat it with caution," he said.
He said this will be very valuable for CIOs who are being put under increasing pressure to make better use of assets.
Bradshaw said leading-edge companies and those due for a server OS upgrade are more likely to go for Windows 2008. But he added much will depend on issues such as the extent to which users can mix and match server operating systems. "Companies will probably move very slowly," he said.
And Roy Illsley, senior research analyst at Butler Group, said: "I think it will become the default server operating system. It will over time become significant but where it's going to be challenged is virtualisation."
Illsley added: "Without it [virtualisation] people are going to be looking at it and wondering 'what's the benefit?'. Virtualisation is the one that's key."
But the virtualisation space is already getting crowded and Illsley envisages a "bit of a battle" ahead.
He predicts a "fair proportion" of companies will buy Longhorn on its release but are more likely to use it for testing, with only 10 per cent potentially taking it into production.
According to Illsley, companies may also be cautious about moving to the new OS and are more likely to wait for the first service pack to become available.
But he admitted Microsoft has a pretty strong base to work on with a significant presence in the server OS market.
As well as virtualisation, Microsoft touts other innovations in Longhorn - such as improved control and security features.
Microsoft UK Windows server product manager, Gareth Hall, said: "It's what IT admins have been asking for a long time," adding that customer reaction suggests "there's a fairly serious interest in the product".
Hall said: "Anecdotally it's been pretty positive. People are pretty eager to get hold of this. We're encouraged and optimistic."
DOD IT Document by Mr. David M. Wennergren, Deputy Assistant Secretary of Defense (Information Management and Technology) DoD Deputy Chief Information Officer
Federal CIO Council, Vice Chair
http://www.cio.gov/documents/CIOCouncilStrategicPlan2007-2009.pdf
***Pages 13-14
OBJECTIVES
1. Integrate the FEA into the Federal budget process as a tool for evaluating IT investments to identify redundancies and opportunities for shared solutions.
2. Implement the SmartBuy project plan.
3. Collaborate with the LoBs to identify and establish shared service providers for select cross-agency business processes.
4. Accelerate the use of e-Gov solutions across all departments/agencies.
5. Adopt service-oriented design allowing integration of standard business service components across the Federal Government.
6. Encourage the adoption of standards-based best practices across government.
7. Incorporate best practices into the inherently governmental processes to be developed and deployed by agencies, LoBs, and e-Gov projects.
8. Provide the government’s IT leaders with the knowledge and skills they need through best practices forums, CIO Bootcamps and an effective website and collaboration tool.
9. Continue to develop more efficient and effective methods for sharing information on emerging technologies.
Lean, green, theft-proof machines?
News analysis: Has your IT department had the 'size zero' debate yet?
http://software.silicon.com/applications/0,39024653,39167401,00.htm
By Will Sturgeon
Published: Wednesday 6 June 2007
Following silicon.com's recent series of stories revealing how many laptops get stolen each year, it is perhaps no surprise that companies are looking at ways of securing their corporate data. And at the Citrix iForum this week there was no shortage of advocates willing to sway visitors further towards thin client computing.
The argument goes like this. The more information that resides centrally and the less that resides on a laptop or desktop, the more secure that information is. The more dumb the terminal, the more the dumb user can't lose your sensitive company data, if you like.
Neoware, a partner of Citrix, is one company producing pretty sexy devices that look like a laptop, sound like a laptop and probably even smell like a laptop but cannot contain any of the data you'd normally find on your average lost or stolen notebook PC.
Bob Cope, operations IT manager at UK insurance company Towergate, a customer of Neoware, says he's seen no data loss or leakage since his company started using Neoware's thin client laptops for around 3,500 staff across the operation.
Neoware even ships its units in boxes that boast "theft-proof device". Of course the device is as susceptible to theft as any laptop but once stolen the victim has lost nothing but a shell. The data - far more valuable now than hardware - is certainly a lot safer.
If all the applications, data and therefore the balance of power are centralised then switching users on and off also becomes a lot easier to manage, as does controlling who uses what. As a result, viruses are also easier to deal with and compliance can be a more manageable headache.
Another benefit, according to Sean Whetstone, head of IT at Reed Managed Services, is the thin client model can be far greener - ticking an important box on the current corporate agenda. Whetstone, also looking after a 3,500 employee-strong company, previously had desktops running 24/7 "in case some Microsoft update had to be pushed out". Moving to a model that will see around 98 per cent of PCs replaced with thin client terminals means those updates are centralised and the terminals are not only using less power anyway but are on for only around 10 hours per day.
Whetstone says this measure has been a considerable step in helping Reed hit its objective of being a carbon neutral company.
But it's not all things to all people. Some users, Towergate's Cope says, initially recoiled at the idea of surrendering their smarter laptops and many businesses will resist - especially when many are only now replacing desktops with shiny new laptops.
However, the thin client hardware market will grow 27 per cent this year, according to IDC, so it's clearly finding plenty of fans.
Gartner too has predicted solid growth over the coming three years, with security a major factor for those decommissioning PCs and laptops and taking the thin client route, according to a 2006 report from the analyst house.
Windows Vista no more secure than XP: report
By Ken Fisher | Published: May 30, 2007 - 12:09PM CT
http://arstechnica.com/news.ars/post/20070530-windows-vista-no-more-secure-than-xp-report.html
The strength of Windows Vista's security model is easily the biggest question facing the nascent operating system. While sales will be strong simply on account of the way OEMs have adopted Vista on their midrange and high-end offerings, the place of Vista in the enterprise is not yet clear. Microsoft must demonstrate that its approach to security with Vista is indeed effective; otherwise, IT managers will see little benefit to moving to the new OS anytime soon.
Windows Vista only offers "marginal security advantages over XP" according to tests completed by CRN. "Vista remains riddled with holes, despite its multilayer security architecture and embedded security tools." The report's findings are mixed and at times a little unfair, but it does demonstrate the problems that Microsoft has to face—technical and otherwise.
The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software—something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted. Any business that is deploying Vista (or XP) without an antivirus solution is, of course, out of its mind.
What Vista does have built in is Windows Defender and User Account Control, which should both help stop forms of malware other than viruses. And CRN found that Vista does have an "edge" over XP when detecting spyware and adware. It wasn't perfect though: some malware slipped through. Here, though, we run into the issue of deciding what counts as "stopping" malware. For instance, CRN says that Vista "missed" Trojan-Spy.Win32.Goldun.ms, when in fact UAC warns a user when it is accessed (I can confirm that). CRN faults Windows Defender for not identifying and blocking the Trojan outright (it did block others), while Microsoft will tell you that UAC did its job by throwing up a warning and asking for user intervention.
In testing some remote data exploits, the reviewers were unable to determine if all of the exploits they tested actually target Vista, making their findings rather questionable. IE7 did stop one RDS exploit while missing four others that may have been only targeted at XP. Notably, XP did not stop any of the RDS exploits. Vista is better here, but the jury is out on how well it did or did not do since the reviewers were unable to determine the full threat of the exploits they were using.
Vista and XP both failed miserably at finding scripting exploits in the HTTP stream, and this remains a big problem for both operating systems. Vista failed to flag the exploits as they came down the pipe, though the firewall did detect when the exploits attempted to communicate over the 'net. This is what we've found in our testing as well (the results of which we hope to publish next month).
CRN doesn't tell the whole story with such exploits, however. IE7 in protected mode forces such scripts to run at a very restricted user privilege level, unlike XP which will allow those same scripts to run at the same privilege level as a user. Vista may let some of those scripts through, but the damage they do is also mitigated to a certain extent. This is why Microsoft believes such threats will have to evolve to survive with fewer rights and less access to the system: if they get through, they will find a very limited sandbox to play in. CRN's coverage completely ignores this point and fails to test for its effectiveness.
It was also disappointing to see CRN completely ignore the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own "SQL Slammer." Why CRN didn't address this is a mystery, as it is no minor matter.
Indeed, while the CRN report is informative, it lacks much critical information to support its judgment that Vista is only a minor improvement. For instance, it's not enough to know if an exploit "got through" IE. What happened afterward? Did it modify system files, corrupt the registry, or deliver some other payload? CRN doesn't report on the effects it observed. We cannot know if the scripting exploits really bypassed Vista because CRN doesn't tell us what the scripts did. There's a big difference between 1) a script exploit running and then installing a rootkit in XP and 2) a script exploit running in Vista but failing at installing that same rootkit. CRN makes no distinction.
In all, the CRN report finds that Vista was as good as XP in seven categories and better in four others (notably, Spyware/Adware, Obfuscated Code Exploits, RDS Exploits, and Trojans). Importantly, it was never outperformed by XP, and just as importantly, these tests were carried out using default settings. The scripting exploits, for instance, are largely defanged by tweaking IE7's zone settings, and there are other moves that a competent IT shop would undertake to make Vista more secure before releasing it to Joe User. And again, CRN didn't measure the effect of these exploits, which ignores a big piece of the overall security overhaul in Vista.
Still, Vista's security is most certainly not a "slam dunk," and that should worry Microsoft. The mantra that Vista is an evolutionary step in security should be met with better results than this. As one IT contact told me recently, some shops view Windows security primarily as an issue of aggressive filtering at the corporate firewall, and Vista doesn't look poised to change that. All the reviews in the world probably won't change that, either. Time, coupled with a relatively clean record for Vista, is probably the only thing that will change skeptical minds.
Wave: a Gold Sponsor at Networkworld Santa Clara 2007, June 26
http://www.networkworld.com/events/santaclara07/expo.html
http://www.networkworld.com/events/santaclara07/agenda.html?a=a
http://www.networkworld.com/events/santaclara07/it_tracks.html
dude_danny
Tesco.com takes stock with Windows Vista
Case study: Retailer reveals benefits of move to Microsoft's new OS
By Tim Ferguson
http://www.silicon.com/retailandleisure/0,3800011842,39167331,00.htm
Published: Thursday 31 May 2007
Online shopping giant Tesco.com has migrated 2,000 desktops to Windows Vista with increased security and energy saving among the key reasons for the switch.
The retailer migrated the PCs to Vista Ultimate edition in January, following several months of testing.
Tesco.com IT and new technologies manager, Nick Lansley, explained there were three factors influencing the decision to move onto the new operating system.
A major consideration was security, of both customer information - such as payment details and addresses - and source code for the website.
Lansley said: "It's really about our concerns for security - we wanted to have every base covered. Our source code is very important to us."
With company laptops often taken home by staff, Vista's network access protection tools were particularly useful according to Lansley. Vista's upgraded security features help make sure "nothing yucky" gets on the Tesco.com network, he said.
The group was also keen to get to grips with Vista to understand how Tesco.com customers using it might approach the site differently.
The final reason for switching was potential environmental benefits. Lansley said: "We wanted to see how much energy we could save."
Vista will detect if a computer is inactive and automatically switch to sleep mode, saving energy.
The PCs used by Tesco.com run at 300 watts when fully operational - but at just six watts in sleep mode.
Staff don't always think to put their PCs on standby but as Lansley said: "With Vista, it all comes naturally."
A more accurate picture of the power savings will be clearer following a technical audit of the 2,000 computers due to take place soon.
Tesco.com was part of the Vista early adopter programme, with testing starting in September last year, several months before its official launch.
Two people in each work team installed Vista to allow them to get used to its new features and understand any issues with the migration. After this testing period, full migration took place in the second week of January.
Although the rest of Tesco group remains on Windows XP, Tesco.com was able to complete the transition fast due to its smaller size - 400 people in a single building.
TCG Infrastructure Working Group Verification Result Schema
Specification Version 1.0
Revision 1.00
21 May 2007
Final
https://www.trustedcomputinggroup.org/specs/IWG/Verification_Result_v1_0.pdf
dude_danny
An Encrypted File System using TPM
Steven Houston: shouston@eecs.berkeley.edu
Thomas Kho: tkho@eecs.berkeley.edu
May 14, 2007
http://www.eecs.berkeley.edu/~tkho/classes/252/project7_report_ver3.pdf
dude_danny
Report slams FBI network security
FBI network vulnerable to insider attacks, government watchdog group says
By Ellen Messmer, Network World, 05/24/07
http://www.networkworld.com/news/2007/052407-gao-slams-fbi-network-security.html
The Government Accountability Office, the federal government’s watchdog agency, Thursday released a report critical of the FBI’s internal network, asserting it lacks security controls adequate to thwart an insider attack.
In the report, titled “Information Security: FBI Needs to Address Weaknesses in Critical Network,” the authors -- Gregory Wilshusen, GAO’s director of information security issues, and Chief Technologist Keith Rhodes -- said the FBI lacks adequate network security controls.
The FBI “has an incomplete security plan,” the report concluded.
The bureau, which had the opportunity to review the GAO’s findings before publication, responded that it wasn’t arguing with some of the technical observations expressed in the GAO report, but disagreed that the FBI is open to unacceptable risk of an insider attack.
In a letter of response to the GAO, Dean Hall, the FBI’s deputy CIO, and Zalmal Azni, the FBI’s CIO, noted, “The FBI concurs with many of the GAO’s technical recommendations and the programmatic recommendation to continue the implementation of information security activities in order to fully establish a comprehensive Information Assurance Program.”
Hall and Azni defended the FBI’s risk-management posture, however, emphasizing, “The FBI does not agree that it’s placed sensitive information at an unacceptable risk for unauthorized disclosure, modification or insider threat.”
The GAO, however, stated in the report that an evaluation of the effectiveness of the FBI’s security controls over routers, switches, servers, network management, firewalls and other IT infrastructure at FBI headquarters, revealed the FBI “did not consistently configure network devices and services to prevent unauthorized insider access.”
Among its other findings, the GAO said the FBI did not adequately “identify and authenticate users to prevent unauthorized access.” The GAO report also criticized FBI network security in other regards, saying that there was a lack of encryption to protect sensitive data and patch management wasn’t being done in a timely manner.
The GAO’s analysis of the FBI internal network had been requested by Rep. James Sensenbrenner, chair of the Judiciary Committee in the U.S. House of Representatives.
Juniper's Unified Access Control (UAC) Technology Partner Ecosystem
*Good to see Wave at the top of the list under ENDPOINT SECURITY*
http://www.juniper.net/partners/uac_partner_ecosystem.html
dude_danny
Thanks GreenWavx for sharing!
dude_danny
Standardizing Network Access Control: TNC and Microsoft NAP to Interoperate
May 2007
https://www.trustedcomputinggroup.org/news/Industry_Data/TNC_NAP_white_paper_final_may_18_07.pdf
dude_danny
TCG Trusted Network Connect TNC Architecture for Interoperability Specification Version 1.2
Revision 4
21 May 2007
Published
https://www.trustedcomputinggroup.org/specs/TNC/TNC_Architecture_v1_2_r4.pdf
dude_danny
Wave Systems Webinars: Find Out How Your Enterprise Can Benefit from FDE Drives!
Increase your knowledge of Trusted Computing and Wave Systems' solutions during our free 30-minute webinars. Get the information you need to boost your company's security and better protect your company's network and sensitive data at a fraction of the cost of other competitive solutions. To register for a webinar, click on the "Register" button next to each webinar you would like to attend, and submit the registration form.
http://www.wave.com/webinars/index.html
Thanks OknPV and New Wave:
It seems like these events are appearing on a regular basis.
Can you imagine if this had gone on during the COLD WAR/STAR WARS days?
dude_danny
O.T. Russia accused of unleashing cyberwar to disable Estonia
· Parliament, ministries, banks, media targeted
· Nato experts sent in to strengthen defences
http://www.guardian.co.uk/russia/article/0,,2081438,00.html
Ian Traynor in Brussels
Thursday May 17, 2007
The Guardian
A three-week wave of massive cyber-attacks on the small Baltic country of Estonia, the first known incidence of such an assault on a state, is causing alarm across the western alliance, with Nato urgently examining the offensive and its implications.
While Russia and Estonia are embroiled in their worst dispute since the collapse of the Soviet Union, a row that erupted at the end of last month over the Estonians' removal of the Bronze Soldier Soviet war memorial in central Tallinn, the country has been subjected to a barrage of cyber warfare, disabling the websites of government ministries, political parties, newspapers, banks, and companies.
Nato has dispatched some of its top cyber-terrorism experts to Tallinn to investigate and to help the Estonians beef up their electronic defences.
"This is an operational security issue, something we're taking very seriously," said an official at Nato headquarters in Brussels. "It goes to the heart of the alliance's modus operandi."
Alarm over the unprecedented scale of cyber-warfare is to be raised tomorrow at a summit between Russian and European leaders outside Samara on the Volga.
While planning to raise the issue with the Russian authorities, EU and Nato officials have been careful not to accuse the Russians directly.
If it were established that Russia is behind the attacks, it would be the first known case of one state targeting another by cyber-warfare.
Relations between the Kremlin and the west are at their worst for years, with Russia engaged in bitter disputes not only with Estonia, but with Poland, Lithuania, the Czech Republic, and Georgia - all former parts of the Soviet Union or ex-members of the Warsaw Pact. The electronic offensive is making matters much worse.
"Frankly it is clear that what happened in Estonia in the cyber-attacks is not acceptable and a very serious disturbance," said a senior EU official.
Estonia's president, foreign minister, and defence minister have all raised the emergency with their counterparts in Europe and with Nato.
"At present, Nato does not define cyber-attacks as a clear military action. This means that the provisions of Article V of the North Atlantic Treaty, or, in other words collective self-defence, will not automatically be extended to the attacked country," said the Estonian defence minister, Jaak Aaviksoo.
"Not a single Nato defence minister would define a cyber-attack as a clear military action at present. However, this matter needs to be resolved in the near future."
Estonia, a country of 1.4 million people, including a large ethnic Russian minority, is one of the most wired societies in Europe and a pioneer in the development of "e-government". Being highly dependent on computers, it is also highly vulnerable to cyber-attack.
The main targets have been the websites of:
· the Estonian presidency and its parliament
· almost all of the country's government ministries
· political parties
· three of the country's six big news organisations
· two of the biggest banks; and firms specializing in communications
It is not clear how great the damage has been.
With their reputation for electronic prowess, the Estonians have been quick to marshal their defences, mainly by closing down the sites under attack to foreign internet addresses, in order to try to keep them accessible to domestic users.
The cyber-attacks were clearly prompted by the Estonians' relocation of the Soviet second world war memorial on April 27.
Ethnic Russians staged protests against the removal, during which 1,300 people were arrested, 100 people were injured, and one person was killed.
The crisis unleashed a wave of so-called DDoS, or Distributed Denial of Service, attacks, where websites are suddenly swamped by tens of thousands of visits, jamming and disabling them by overcrowding the bandwidths for the servers running the sites. The attacks have been pouring in from all over the world, but Estonian officials and computer security experts say that, particularly in the early phase, some attackers were identified by their internet addresses - many of which were Russian, and some of which were from Russian state institutions.
"The cyber-attacks are from Russia. There is no question. It's political," said Merit Kopli, editor of Postimees, one of the two main newspapers in Estonia, whose website has been targeted and has been inaccessible to international visitors for a week. It was still unavailable last night.
"If you are implying [the attacks] came from Russia or the Russian government, it's a serious allegation that has to be substantiated. Cyber-space is everywhere," Russia's ambassador in Brussels, Vladimir Chizhov, said in reply to a question from the Guardian. He added: "I don't support such behaviour, but one has to look at where they [the attacks] came from and why."
Without naming Russia, the Nato official said: "I won't point fingers. But these were not things done by a few individuals.
"This clearly bore the hallmarks of something concerted. The Estonians are not alone with this problem. It really is a serious issue for the alliance as a whole."
Mr Chizhov went on to accuse the EU of hypocrisy in its support for Estonia, an EU and Nato member. "There is a smell of double standards."
He also accused Poland of holding the EU hostage in its dealings with Russia, and further accused Estonia and other east European countries previously in Russia's orbit of being in thrall to "phantom pains of the past, historic grievances against the Soviet Union and the Russian empire of the 19th century."
In Tallinn, Ms Kopli said: "This is the first time this has happened, and it is very important that we've had this type of attack. We've been able to learn from it."
"We have been lucky to survive this," said Mikko Maddis, Estonia's defence ministry spokesman. "People started to fight a cyber-war against it right away. Ways were found to eliminate the attacker."
The attacks have come in three waves: from April 27, when the Bronze Soldier riots erupted, peaking around May 3; then on May 8 and 9 - a couple of the most celebrated dates in the Russian calendar, when the country marks Victory Day over Nazi Germany, and when President Vladimir Putin delivered another hostile speech attacking Estonia and indirectly likening the Bush administration to the Hitler regime; and again this week.
Estonian officials say that one of the masterminds of the cyber-campaign, identified from his online name, is connected to the Russian security service. A 19-year-old was arrested in Tallinn at the weekend for his alleged involvement.
Expert opinion is divided on whether the identity of the cyber-warriors can be ascertained properly.
Experts from Nato member states and from the alliance's NCSA unit - "Nato's first line of defence against cyber-terrorism", set up five years ago - were meeting in Seattle in the US when the crisis erupted. A couple of them were rushed to Tallinn.
Another Nato official familiar with the experts' work said it was easy for them, with other organisations and internet providers, to track, trace, and identify the attackers.
But Mikko Hyppoenen, a Finnish expert, told the Helsingin Sanomat newspaper that it would be difficult to prove the Russian state's responsibility, and that the Kremlin could inflict much more serious cyber-damage if it chose to.
London: Capital of laptop theft
Theft growing faster than sales...
By Will Sturgeon
Published: Tuesday 15 May 2007
http://software.silicon.com/security/0,39024655,39167148,00.htm
dude_danny
O.T. RBS dishes out chip and PIN readers
Online banking customers roll up...
By Gemma Simpson
http://www.silicon.com/financialservices/0,3800010322,39166984,00.htm
Published: Thursday 3 May 2007
The Royal Bank of Scotland (RBS) is dishing out chip and PIN devices to its online banking customers.
The chip and PIN card readers will be sent to customers free of charge and people will start receiving the devices this week.
An RBS spokeswoman told silicon.com customers who make frequent "advanced transactions" - people setting up payments to new third party accounts, setting up new standing order payees or changing online banking PINs or passwords - will be the first to receive the devices.
The spokeswoman said: "The aim of the project is that all our customers who use online banking will eventually have a card reader."
The chip and PIN terminal works in conjunction with the RBS online banking system. When a customer is - for example - setting up a third party payment, an eight-digit code is displayed on the bank's website.
The customer then puts their card into the chip and PIN device and types in the PIN, followed by the eight-digit on-screen code.
The chip and PIN terminal then uses this information to generate a unique 'response code' which the customer then feeds into the online banking system to authorise the transaction.
Customers who want to use online banking to view account details and pay existing bills will be able to continue to use the online banking system as normal without the need for chip and PIN readers.
Because this is a staged rollout, there are no exact plans as to when and how many chip and PIN terminals will be handed out, said the spokeswoman.
RBS is hot on the heels of Barclays which is in the process of sending out half a million chip and PIN terminals to its online customers.
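The reader flow the article describes, as an added Python model that is not RBS's or the card scheme's own code: the card's real response algorithm is not on the page, so a keyed HMAC truncated to eight digits stands in for it, and the card key, PIN, account id and payee are constructed sample values.

```python
"""Simplified model of the chip and PIN reader flow described above.

Constructed example: HMAC-SHA256 truncated to eight digits stands in for the
card's real cryptogram function, and all keys, PINs and accounts are made up.
"""
import hashlib
import hmac
import secrets

RESPONSE_DIGITS = 8  # the article's eight-digit on-screen code and response code


def compute_response(card_key: bytes, challenge: str) -> str:
    """Derive the eight-digit response code from the card key and the challenge.

    Hypothetical stand-in for the card's real algorithm: anyone holding the
    card key (the card itself, and the bank) can compute it; nobody else can.
    """
    mac = hmac.new(card_key, challenge.encode("ascii"), hashlib.sha256).digest()
    # Reduce the first four MAC bytes to eight decimal digits, the same idea as
    # HOTP-style truncation to a code a person can read off and type in.
    value = int.from_bytes(mac[:4], "big") % 10**RESPONSE_DIGITS
    return f"{value:0{RESPONSE_DIGITS}d}"


class ChipAndPinReader:
    """The unconnected reader: the card checks the PIN offline, then signs the
    on-screen code. Neither the PIN nor the card key ever reaches the website."""

    def __init__(self, card_key: bytes, card_pin: str):
        self._card_key = card_key
        self._card_pin = card_pin

    def respond(self, pin_entered: str, challenge: str):
        # Wrong PIN: the card refuses and no response code is produced.
        if not hmac.compare_digest(pin_entered.encode(), self._card_pin.encode()):
            return None
        # Only an eight-digit numeric challenge is accepted.
        if len(challenge) != RESPONSE_DIGITS or not challenge.isdigit():
            return None
        return compute_response(self._card_key, challenge)


class OnlineBank:
    """Bank side: issues one challenge per 'advanced transaction' and checks the
    typed-in response against the key it holds for that customer's card."""

    def __init__(self, card_keys: dict):
        self._card_keys = card_keys  # account id -> card key (constructed)
        self._pending = {}           # challenge -> transaction awaiting a response

    def start_third_party_payment(self, account: str, payee: str, amount_pence: int) -> str:
        """Show an eight-digit code bound to this specific transaction."""
        nonce = secrets.randbelow(10**RESPONSE_DIGITS)
        challenge = f"{nonce:0{RESPONSE_DIGITS}d}"
        self._pending[challenge] = {"account": account, "payee": payee, "amount": amount_pence}
        return challenge

    def authorise(self, account: str, challenge: str, response) -> bool:
        """Accept only if the response matches this account's card and the
        challenge has not already been consumed (replay protection)."""
        tx = self._pending.pop(challenge, None)  # single use, whatever the outcome
        if tx is None or tx["account"] != account or response is None:
            return False
        expected = compute_response(self._card_keys[account], challenge)
        return hmac.compare_digest(expected.encode(), str(response).encode())


def demo() -> dict:
    """Walk one payment through the flow: genuine use, a replay, a wrong PIN."""
    card_key = secrets.token_bytes(16)  # constructed per-card key
    bank = OnlineBank({"acct-001": card_key})
    reader = ChipAndPinReader(card_key, card_pin="4821")

    # 1. Website displays the code; 2. customer enters PIN then code into the
    # reader; 3. customer types the response code back into the website.
    challenge = bank.start_third_party_payment("acct-001", "NEW PAYEE LTD", 25000)
    response = reader.respond("4821", challenge)
    genuine = bank.authorise("acct-001", challenge, response)

    # A captured challenge/response pair is useless a second time.
    replay = bank.authorise("acct-001", challenge, response)

    # Wrong PIN at the reader: the card gives nothing to type in, so the
    # pending transaction can never be authorised with it.
    challenge2 = bank.start_third_party_payment("acct-001", "NEW PAYEE LTD", 25000)
    wrong_pin = bank.authorise("acct-001", challenge2, reader.respond("0000", challenge2))

    return {"genuine": genuine, "replay": replay, "wrong_pin": wrong_pin}


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'replay': False, 'wrong_pin': False}
```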
Wave at Dell Technology and Solutions Tour in Europe 2007
Did You Know… Dell Will Hit The Road Again In May & June 2007 To Meet Customers In Europe
Dell’s European Technology and Solutions Tour will demonstrate how Dell’s products and solutions are ‘Changing the Game’ for corporate customers
http://www1.euro.dell.com/content/topics/topic.aspx/emea/corporate/pressoffice/2007/ie/en/2007_04_25...
--------------------------------------------------------------------------------
Dublin, April 25, 2007
Dell today announced the schedule for its largest ever Technology and Solutions Tour – set to visit 241 European cities in 18 countries throughout May and June 2007. The tour, themed ‘Dell is changing the Game’, kicks off on 1st May 2007 in Belfast, Ireland, and concludes in London, England, on 19th June 2007. Corporate customers will discover how Dell is changing the way its solutions are being developed, optimised and delivered to meet the needs of the customer.
Customers who are signed up to attend the tour will be able to participate in a wide range of sessions including:
Technical Sessions — Learn about the latest developments in Dell's client and enterprise portfolios and be among the first to see Dell’s recently launched and soon to be launched products, including Latitude™ notebooks and PowerEdge™ servers. Also receive insight into the latest technology trends and Dell’s breakthroughs in improving performance, connectivity, mobility, power efficiency and optimisation. These sessions will enable customers to learn more about key industry topics such as unification, innovative design, data protection and the launch of Microsoft® Windows Vista™.
Business Solutions Sessions — Leading executives from Dell and strategic alliance partners will provide insight into how businesses can use change to gain real business advantages. The sessions will look at how companies can align IT with business plans and objectives, and how they can increase performance without increasing budgets.
Product Demonstrations — Customers will get to touch and feel the latest Dell products and watch demonstrations of the latest applications.
Q&A Sessions — Attain first hand product knowledge from Dell's global / regional product specialists and subject matter experts.
Consultation Sessions — Take advantage of free consultation sessions with Dell's strategic alliance partners.
"The tour provides our customers with an ideal forum to engage with product and solutions experts from both Dell and its strategic alliance partners. These experts can offer guidance and recommendations on how to best utilise Dell's technology solutions in the business environment as well as answering technical and specific enquiries," says Carsten Hasselbalch, Marketing Director, Dell EMEA. "Most importantly, the input and feedback from customers at these events is directly utilised in the future planning and development of Dell’s products and solutions, ensuring they continue to meet and surpass the needs of the customer."
Dell's strategic alliance partners present on the tour will include: Intel, Altiris, Absolute Software, AMD, Emerson, EMC, LANDesk, Microsoft, Quantum, Red Hat, Symantec, VMware and Wave.
The tour will visit major cities in the following countries: Ireland, Austria, Slovenia, Italy, Greece, Romania, Slovakia, Poland, Finland, Sweden, Norway, Denmark, the Netherlands, Germany, Switzerland, France, Belgium and the UK. For more information please go to www.dellevents.com/tst
About Dell
Dell Inc. (NASDAQ: DELL) listens to customers and delivers innovative technology and services they trust and value. Uniquely enabled by its direct business model, Dell is a leading global systems and services company and No. 34 on the Fortune 500. For more information, visit www.dell.com, or to communicate directly with Dell via a variety of online channels, go to www.dell.com/conversations. To get Dell news direct, visit www.dell.com/RSS.
About Dell Ireland
Dell was established in Ireland in 1990. The company's European manufacturing facility is located in Limerick with an EMEA Business Campus based in Cherrywood, Co Dublin. Dell is Ireland's largest exporter, largest technology company and the second largest company overall. Irish employees provide a growing range of advanced EMEA services at the two Dell sites, which include:
The EMEA Centre of Competency for Communications and Network Product Development in Limerick
The Centre has R+D capability and operates as a centre of competency for communications and network product development for use in Dell products worldwide. The team is also responsible for the development of innovative software solutions to provide increased functionality and productivity in Dell's manufacturing sites worldwide.
The EMEA Enterprise Applications Solution Centre, Limerick.
Corporate customers from across EMEA can simulate complex networked applications on Dell server and storage equipment in a special "proof of concept" laboratory before purchase.
The EMEA Enterprise Command Centre in Limerick
This centralised base of operations provides high-level 24x7x365 support for server and storage customers in EMEA in addition to being a single point of accountability for Dell's global customers based in the EMEA region.
The EMEA Enterprise Expert Centre, Cherrywood.
This group of multi-lingual system consultants provides high-level Enterprise support for complex data centres, clustered, large storage and rack dense enterprise environments.
EMEA Marketing HQ, Cherrywood
The site is home to the EMEA marketing team, responsible for online development, pricing, product marketing, business analysis and the creation, design and production of EMEA-wide advertising and direct mail campaigns.
O.T. Leaked memo spills beans on Dell's sales plans
"The direct model has been a revolution but is not a religion... "
http://hardware.silicon.com/desktops/0,39024645,39166961,00.htm
By Tom Espiner
Published: Wednesday 2 May 2007
Dell is to consider selling PCs through a reseller channel, breaking the direct sales model which has seen it become one of the world's top two computer vendors.
The plans were leaked in an internal staff memo, which also contained details of an organisational restructure at Dell.
Dell's success has been built on direct sales, which eliminated the costs associated with channel sales. However, with a changing global sales climate and an explosion in PC retail growth, especially in developing markets, Dell is reconsidering an indirect strategy.
The leaked memo, which was jointly authored by Michael Dell, the company's chief executive, and his executive team, read: "The direct model has been a revolution but is not a religion... Dell plans to make information technology affordable for millions of customers around the world. We will do this by simplifying IT where others perpetuate complexity, and innovating beyond hardware into solutions."
The company also said it is planning a round of job cuts. Having refined its executive team, the company now plans to make further reductions to its workforce. "We need to streamline our management structure to speed decisions and remove bureaucracy," said the memo. "We plan to eliminate overlaps in our organisation and activities... We also need to improve sales productivity. These won't be merely exercises in cost-cutting."
All has not gone perfectly for Dell over the last year. The company lost market share in 2006, according to statistics produced by Gartner, falling into second place behind HP.
Dell's accounting procedures are also currently under investigation by the US Securities and Exchange Commission. The company has failed to file recent profits reports with regulators due to the investigation.
Tom Espiner writes for ZDNet UK
ID management in the security spotlight
"How can you trust someone you don't manage?"
By Tom Espiner
Published: Monday 30 April 2007
http://software.silicon.com/security/0,39024655,39166929,00.htm
Identity management remains a problem for both private and public sector organisations, according to security experts speaking at London's InfoSecurity Europe event last week.
Paul Simmonds, director of global information security at ICI, said the main problem facing organisations is deciding how to manage access of systems by people outside of that system. Organisations have increasingly complex relationships with partners, outsourced operations, and clients, he said. "The problem boils down to the fact that both corporations and government can operate ID management schemes very easily, so long as we control the scheme. How can you trust someone you don't manage? We have not thought that out."
Simmonds said one of the main challenges for businesses is the need to move to user-based access to applications, rather than whether one IP address can have access to another.
Federated identity - the identity of a user spread across distinct identity management systems, assembled by means of a token - still runs up against the wall of trust, according to Simmonds. "Federated identity is a brilliant idea but very hard to implement, as you have to trust someone else's credentials - am I going to trust your company's credentials on my system? Am I going to trust your company's smartcard to access my building? Of course not."
Andy Kellet, senior research analyst at Butler Group, agreed identity management is still a perennial problem for businesses, as semi-anonymous access is the norm. A username and password does not guarantee the identity of the user - and the lack of very clear aims hamstrings many identity management projects, he argued. "Projects often become overly complex," said Kellet. "Solutions are resource-hungry, and take too long to implement. Systems cover pseudonymous access but now there's a need for very strong, two-factor authentication."
According to Kellet, the particular problems associated with identity management are provisioning and deprovisioning of user identities, access control, and identity federation.
However, Stuart Okin, Accenture's UK head of security, said these problems can be overcome. Accenture, which runs ID management consultancy services, is working with a number of businesses to implement identity management systems. "We're working with 600 clients on enterprise management solutions worldwide," he said. "We've largely taken our clients on the journey of consolidating and sharing identities. Many clients are still on that journey."
Okin said Accenture had successfully implemented single sign-on tokens throughout its own business, and used stronger forms of identification when necessary. He said many Accenture clients that have implemented single sign-on systems are considering two-factor authentication. "The next stage is putting in strong authentication - smartcards or tokens," said Okin. "With single sign-on, you have the keys to the kingdom. Accenture gives tokens for accessing certain systems - for example SAP accountancy software - but single sign-on is usually fine for less sensitive systems like email, depending on the organisation."
However, some IT professionals feel the proposed use of identity management systems in the public sector - for example, in the national ID cards scheme - is unnecessary. Toby Stevens, vice chair of the British Computing Society security forum, said: "The issue is a disproportionate situation where an individual or organisation builds up too much information on another individual or group. We have excellent federated identity systems already in place. Now we need leadership from government in the identity assurance environment."
Stevens said it is possible to build up a thin citizen-data substrate which is used to ensure uniqueness, and to make sure people aren't asserting two different identities.
ICI's Simmonds said ID cards could be linked to corporate networks to provide trusted authentication: "With the national ID card scheme, we'd love to use that as part of corporate authentication. We've seen nothing along those lines."
However, Bob Ayers, ex-security chief of the US Department of Defense, said there is a danger that government and the private sector collating data from the use of ID management systems could seriously affect citizen privacy. "My ultimate fear is in our ability to take information held by government and information held by the private sector and begin to correlate these to understand in excruciating detail what you're doing and who you're doing it with," he said.
Tom Espiner writes for ZDNet UK
Given the nature of the SEC liability, I trust Wave's management will not abuse options IMO. Look what happened to the former CFO of Apple.
http://www.washingtonpost.com/wp-dyn/content/article/2007/04/24/AR2007042400925.html
Apple's Former CFO Settles Options Case
Finance Official Ties CEO Jobs To Stock Backdating Plan
By Carrie Johnson and Alan Sipress
Washington Post Staff Writers
Wednesday, April 25, 2007; Page D01
A former chief financial officer of Apple reached a settlement with the Securities and Exchange Commission yesterday over the backdating of stock options and said company founder Steve Jobs had reassured him that the questionable options had been approved by the company board.
Fred D. Anderson, who left Apple last year after a board investigation implicated him in improper backdating, agreed yesterday to pay $3.5 million to settle civil charges.
Separately, SEC enforcers charged Nancy R. Heinen, former general counsel for Apple, with violating anti-fraud laws and misleading auditors at KPMG by signing phony minutes for a board meeting that government lawyers say never occurred.
Heinen, through her lawyer, Miles F. Ehrlich, vowed to fight the charges. Ehrlich said Heinen's actions were authorized by the board, "consistent with the interests of the shareholders and consistent with the rules as she understood them."
Anderson issued an unusual statement defending his reputation and tying Jobs to the scandal in the strongest terms to date. He said he warned Jobs in late January 2001 that tinkering with the dates on which six top officials were awarded 4.8 million stock options could have accounting and legal disclosure implications. Jobs, Anderson said, told him not to worry because the board of directors had approved the maneuver. Regulators said the action allowed Apple to avoid $19 million in expenses. Late last year, Apple said that Jobs helped pick some favorable dates but that he "did not appreciate the accounting implications."
Explaining Anderson's motive for issuing the statement, his lawyer Jerome Roth said: "We thought it was important that the world understand what we believe occurred here."
Roth said his client, a prominent Silicon Valley figure and a managing director at the venture capital firm Elevation Partners, will not be barred from serving as a public-company officer or board member under the settlement, in which Anderson did not admit wrongdoing. Roth declined to characterize the current relationship between Anderson and Jobs.
The SEC charges are the first in the months-long Apple investigation. Jobs was interviewed by the SEC and federal prosecutors in San Francisco, but no charges have been filed against him.
Steve Dowling, a spokesman for Apple, declined to comment on Jobs's conversations with Anderson. Dowling emphasized that the SEC did not "file any action against Apple or any of its current employees."
Government authorities praised Apple for coming forward with the backdating problems last year and for sharing information with investigators. Apple has not publicly released its investigation report.
Backdating stock options by choosing award dates when the stock price was low gives employees a financial edge by increasing the likelihood that they will profit when they sell the shares. The practice is not necessarily illegal, but it can violate securities laws and accounting rules when it is not disclosed to investors. The SEC is investigating more than 140 companies over backdating.
Heinen and Anderson "failed in their duties as gatekeepers" and caused Apple to underreport expenses by nearly $40 million, according to Marc J. Fagel, who leads enforcement efforts in the SEC's San Francisco office. Last year, Apple restated its financial reports from 1997 to 2002 by $84 million to cover options-related charges.
The SEC did not file charges against Wendy Howell, who reported to Heinen in Apple's legal department and who completed paperwork on an option award for Jobs in 2001.
Ingrid Ebeling, an analyst at JMP Securities, noted that Anderson's response contradicted Apple's earlier statements that Jobs was unaware of the accounting significance of backdating options. Though Anderson might be bitter, Ebeling said, "I would give his statement credibility."
At the same time, she said, the fact that the SEC investigation has proceeded thus far without charging Jobs is a good sign for the Apple chief executive. "Things are looking more favorable for Jobs," she said.
Apple shares fell 27 cents yesterday, to $93.24. The stock fell about 3 percent after Anderson's statement around 1 p.m. but bounced back.
The SEC and Justice Department have also been looking into stock options backdating at Pixar, where Jobs was chairman and chief executive before the company was bought by the Walt Disney Co. last year.
An internal investigation at Walt Disney concluded last month that Jobs had not acted improperly in the award of options to senior Pixar executives. Several of those grants coincided with dates when Pixar stock was at an annual low. Jobs was not one of the recipients.
But two weeks ago, the company said in an SEC filing that it would pay as much as $33.5 million to account for improper backdating of options given to Pixar employees.
dude_danny
O.T. Fraudsters fool ABN Amro customers
Two-factor security breach...
By Julian Goldsmith
http://software.silicon.com/security/0,39024655,39166823,00.htm
Published: Friday 20 April 2007
Customers of Dutch bank ABN Amro have been fooled by a phishing scam into revealing their passwords. According to reports, four of the bank's customers had an undisclosed amount of money stolen from their accounts, even though they were protected by a two-factor authentication system.
The system involves tokens and passwords that generate constantly changing codes as a secure method of identification. Fraudsters sent customers an email attachment which, when opened, covertly installed code on the user's machine.
When customers tried to log on to their ABN Amro accounts they were redirected to a duplicate site controlled by the thieves, who were then able to use customers' account details and withdraw money through the bank's real site.
The bank has compensated the affected customers and warned customers not to open attachments from people they do not know.
A spokesman for ABN Amro said the bank took the issue seriously and would be taking steps to improve technological security to foil hackers in the future.
Two-factor security, while generally more secure than passwords alone, is inherently vulnerable to this sort of 'man in the middle' attack, industry commentators have said.
Results of HIMSS 18th Annual CIO Survey Released
http://www.himss.org/2007Survey/DOCS/18thAnnualLeadershipSurvey.pdf
7. IT Security
Healthcare IT professionals identified an internal breach of security as their primary concern regarding data security and 18 percent reported that their organization has experienced a security breach in the past six months. Nearly all of the survey respondents (96 percent) indicated that they have concerns about the security of the data at the organizations at which they work; this is similar to what respondents have reported in the past. Despite the wide-reaching concern, only 18 percent of respondents indicated that their organization has experienced a security breach at their organization in the past six months. For the past several years, respondents have indicated that an internal breach of security was their primary concern with regard to data security at their organization. This has not changed, as 57 percent of respondents to the 2007 survey reported that an internal breach of security is their top data security concern.
Rounding out the top three responses were compliance with HIPAA security regulations, identified by 30 percent of respondents, and limits of existing security technology (26 percent). Respondents were least likely to identify their patients’ lack of confidence in the security of their personal data; this was identified by only 13 percent of the respondents.
Respondents were also asked to identify the security technologies that they would use or implement at their organization in the next two years. Respondents were most likely to report that disaster recovery was the security technology that they would implement in the next two years; this was identified by 70 percent of respondents.
Rounding out the top five security technologies that were projected for use in the future were firewalls (69 percent), user access controls (68 percent), audit logs (64 percent) and single sign-on (64 percent). Least frequently identified was public-key infrastructure (24 percent). Respondents anticipated that they would use a combination of multiple technologies to secure data at their organization. Half of the respondents indicated that they anticipated that their organization would use seven or more of the technologies identified in this survey in the next two years. Only ten percent of the respondents indicated that they would use only one of the technologies identified in this survey.
Figures:
Figure 12. Security Breach in Last Twelve Months
Figure 13. Top Concerns—Security of Computerized Medical Information
Figure 14. Security Technologies (Next Two Years)
O.T. Feds Under Fire Over Security
APRIL 12, 2007 | Congress is ticked off about computer security.
http://www.darkreading.com/document.asp?doc_id=121708&WT.svl=news1_4
Over the last two days, members of both the House and Senate have registered complaints over the way government agencies are dealing with the security issue, and they've called for action to address the problems.
Earlier today, Rep. Tom Davis (R-Va.), ranking member of the House Government Oversight and Reform Committee, gave the federal government an overall grade of C-minus when it comes to safekeeping information on government computer systems.
Davis's report card came just a day after members of the Senate Commerce Committee criticized the Federal Trade Commission for not bringing more cases against spyware and other malware authors.
Davis, who was one of the authors of the FISMA regulations for federal agencies in 2002, issues a report card each year that evaluates how well the agencies are doing in their compliance efforts. The C- was actually an improvement over the D+, D+, and D- the agencies have received over the past three years.
"This grade indicates slow but steady improvement from past years," said Davis. "Obviously, challenges remain. While there are some excellent signs of progress in this year's report, and that's encouraging, I remain concerned that large agencies like [the Department of Defense] and [the Department of Homeland Security] are still lagging in their compliance."
The Department of Justice and the Department of Housing and Urban Development showed the most improvement from 2005 to 2006, Davis said. Justice jumped from a D to an A-, and HUD climbed from D+ to A+. HUD had, for the first time, developed a full inventory of its information security apparatus, a major plus in the grading. It also showed improvement in virtually all categories.
NASA, which fell from B- to D-, and the Department of Education, which fell from C-minus to F, showed the biggest declines.
The grades are derived from annual reports agencies produce to comply with the Federal Information Security Management Act (FISMA). Agencies are rated on their annual tests of information security, their plans of action and milestones or corrective action plans, and other factors such as certification, configuration, training, and accuracy of inventory.
The Department of Homeland Security received a D this year, the first time since ratings began in 2003 that it did not receive an F. Davis attributed the improvement to DHS finally establishing an inventory of its secure computer systems, a critical first step to information security. "You can't protect what you don't know you have," Davis said.
Security experts said the low grades at DHS and DOD don't necessarily mean those agencies are vulnerable to attack. "We work with DOD on a regular basis, and I can tell you their security architecture is very robust," says Chris Fountain, CEO of SecureInfo, an information assurance company that works with federal agencies. "DOD is so large, and DHS is so new, it's harder for them to come into compliance quickly."
Aside from FISMA grading, federal agencies would benefit from some sort of penetration test that would give a more quantitative assessment of their vulnerabilities, Fountain suggests.
While many federal agencies were taking their lumps on one side of Capitol Hill, the FTC and Congress were exchanging glancing blows on the other. FTC Chairwoman Deborah Platt Majoras asked the Senate Congress Committee for more money to pursue spammers, spyware purveyors, and pretexters, and she pushed Congress for stiffer penalties against the perpetrators.
But some committee members dinged the FTC on its prosecution record. The commission has filed only 11 cases against spyware purveyors in the last two years, Majoras conceded, and it has filed only 89 legal actions against spammers in the last decade -- and only eight in 2006.
Commissioner William Kovacic said the FTC is working with other law enforcement agencies -- both inside and outside the U.S. -- to put spyware and malware authors in jail, rather than just fine them. "Until we have success as a law enforcement community in placing them in prison," he said, "I don't think we'll ultimately have the deterrent influence we need."
O.T. Intel at work on Linux mini-tablet
Move aside Nokia?
http://hardware.silicon.com/pdas/0,39024643,39166757,00.htm
By David Flynn
Published: Monday 16 April 2007
Intel is developing its own take on the mini-tablet, with a new ultra-mobile PC (UMPC) platform to be announced at this week's Intel Developer Forum in Beijing. The big surprise? It's based on Linux.
Called a Mobile Internet Device, or MID, the devices will have screen sizes from 4.5 to six inches with a target audience described as "consumers and prosumers" rather than mobile professionals.
The MID2007 platform, currently code-named McCaslin, will gain a more marketing-friendly moniker closer to next year's release of the products. This is tipped to be an extension of the successful Centrino mobile brand, in the same manner as the recent announcement earlier this month of a higher-end Centrino Pro brand for enterprise-class laptops incorporating Intel's vPro management technology.
While McCaslin's CPU components - codenamed Stealey - will be dual-core processors clocked at 600MHz to 800MHz and capable of running Windows XP and Vista, Intel plans for the devices to run an embedded Linux OS but with a mix of open source and proprietary code in the final products.
Typical MID uses will be "staying in touch", entertainment, information and location-based services. Intel's presentation specifically cites Google Maps and web-based "office and enterprise applications" in the last two categories. Connectivity will be provided through wi-fi and support for wide-area coverage via 3G HSDPA.
MID tablets will run a simplified "finger-friendly" user interface optimised for the small screens, based on the Gnome desktop but with an Intel-developed "master user interface" layer to serve as an equivalent to the desktop.
Developers will next month see the first MID-specific OS - a tweak of China's RedFlag Linux known as RedFlag MIDinux - while the IDF schedule itself includes a stream of "ultra mobile sessions" including one on "designing for Linux-based mobile internet devices".
Intel first tipped its hand in the UMPC space at last year's IDF, when it showcased several prototype devices no larger than a paperback book and announced a partnership with Yahoo! to deliver a rich web-based back-end of business and personal services.
David Flynn writes for ZDNet Australia
O.T. Specialization and Global Reach Characterize the IT Services Landscape
By Wendy Wolfson
April 10, 2007
http://www.health-itworld.com/newsitems/2007/april/outsourcing/view
While the low hanging fruit was harvested in the first wave of healthcare-IT outsourcing, both national and global companies now report that the biggest opportunities lurk in niches. Moreover, traditionally entrenched players like EDS and Oracle are ceding ground to new global companies, say observers. Even modest IT services companies that deal mainly with community hospitals are tapping employees located outside U.S. borders.
Stir into this frothy market the steady growth of software provided via an application service provider (ASP) model, the growing desire by healthcare providers to outsource billing, and the ongoing need for systems integration and suddenly the outsourcing landscape looks more nuanced and complicated.
"The healthcare domain is becoming more specialized and competitive," says Anubhav Saxena, associate vice president of HCL Technologies, in Sunnyvale, Calif., a division of a $3.8 billion company of 41,000 employees, operating in 17 countries. Healthcare-IT comprises around 5 to 8 percent of HCL's revenues.
Demand is strong for IT systems to cope with increased regulations (such as HIPAA and NPI) and financial reporting requirements (such as Sarbanes Oxley), notes Saxena. However, clients want flexible systems and demonstrated low TCO. And, of course, the surge to move virtually all business processes online continues.
“Now when I visit a doctor I expect my medical history and records to be made available online, in a secure and ubiquitous manner, and health decisions and action items to be made based on a single version of the truth,” says Saxena, describing what is a distant reality for most consumers, although progress is being made linking doctors and other health workers to secure digital health-IT systems.
Cost remains an issue, he says. So is sensitivity to data handling and storage. For example, HCL works with a fair percentage of the largest healthcare organizations in the world, and many of them insist that sensitive data not leave the United States. In those instances, HCL stores the data in local “business-ready” repositories.
Yet another trend, says New York-based FCG Management Services, is a stronger tendency by clients to divvy up their needs among several IT providers. “You cannot go to one company any more and expect to get everything,” says Bob Smith, president of FCG outsourcing services.
Even though vendors are supplying better tools at better price points, says Smith, clients are less inclined to rely on just one or two outsourcing vendors and instead opt for three or four who can “go a mile deep” in specialized areas. Vendors now focus on building relationships with certain hospital networks and research institutions, such as IBM with Scripps in San Diego, and university hospitals in Cleveland working with CISCO to put data online, he says.
Much of FCG business is comprised of hospitals and hospital chains located in areas — rural or urban (high cost of living) — where it’s difficult to recruit and retain IT personnel with the requisite skill sets. “The faster better cheaper syndrome is over,” said Smith. “People are looking for specific skills.”
Despite the hoopla, outsourcing remains a minority activity among hospitals. Only 90 of the 5000 hospitals in the United States are “verifiably outsourced,” says Smith. That would seem to leave a huge untapped market, but prying open that market is complicated. For one thing, political forces often incline hospitals to hire from within the community, since communities often provide some level of funding.
Cultural problems and training time can also be problematic. While access to global talent is important, says Smith, it takes time to bring a virtual team up to speed on a client’s needs and processes. Likewise, retaining staff once they’ve been trained is a challenge. “In some cases technology makes it easier to connect. It doesn’t break down cultural or learning problems,” he says.
Yet for those who do outsource IT, Smith says it can be a low risk way to try new technologies and to stay current on the latest in software. A hospital or research organization can operate on dozens of different software applications, so just integrating systems and getting them to communicate with each other can be a complicated endeavor. Outsourcing when internal IT staffing is slim can help deal with such problems.
“Outsourcing opens windows,” Smith observes. It offers outside expertise to hospitals with limited IT talent, and it helps keep those with staff at the cutting edge. The bottom line, though, is to make technology translate to better patient care. “More and more I see the division of hospitals between the [health-IT] haves and haves not,” he says.
Renewed efforts to convince the market that ASP-delivered software and services are viable and preferable are another trend. Indeed, the ASP model has struggled for years to embed itself in the industry. Now also often called software as a service (SaaS), the business model seems to be gaining traction as internet reliability and business consumer comfort increase.
“You might see organizations outsource specific areas to vendors who have an ASP model, [such] as transcription,” says Ralph Fargnoli, founder and CEO of Beacon Partners, a 100-person Weymouth, Mass. firm with a national client base of multi-hospital chains, medical schools, and community hospitals. “We are also starting to see billing and collection being outsourced to new vendors that have fourth or fifth generation systems,” he says.
To some extent outsourcing transcription or billing services is easier than tackling many IT systems, concedes Fargnoli, but complying with HIPAA regulations can be tricky especially given the fluid nature of the rules and enforcement practices.
“We are branching away from just delivery of IT outsourcing, to issues in [the] healthcare industry such as patient safety and outcomes,” says Fargnoli, who thinks applications that help screen patients earlier and “avoid trips to emergency room” will become more important. “IT has caught up with these demands,” he says, mentioning the growing health-IT pushes from Microsoft, Oracle, Revolution Healthcare, Infosys, and Accenture.
Outsourcing can also provide early access to new technology without tying up precious capital equipment budget dollars and many healthcare providers prefer that funding strategy. Fargnoli also says certain functions, such as high volume laboratory transactions, are well-suited for outsourcing to places like Vietnam or India.
Shari Stoltenberg is president of Stoltenberg Consulting, a 42-person Pennsylvania firm with a national client base. Her company focuses on application software outsourcing and steers clear of hardware. “I’m not a huge proponent of companies going in and taking over,” she says. “Often they use IT as a training ground.” Stoltenberg notes providers are now using outsourcing as a response to pay for performance pressures to say to their insurance companies that they have greater efficiency in billing, for example.
Right now electronic medical records are hot, Stoltenberg says. Clients are asking for help integrating EMRs between the physician providers and hospital systems. Physicians want to see the results in a timely way, which means automating records. A few larger provider organizations are trying to drive this trend as well. The other place she sees increased activity is in clinical information systems, and she cites GE Centricity, NextGen, and EPIC as the three players she encounters most in the marketplace today.
Outsourcing is hardly new, notes Mark Brownlee, associate vice president, head of Healthcare and Life Sciences Consulting, Infosys Technologies Limited. “We are in the tail end of the second wave now, which was a phase when the provider sector explored more aggressively ways to reduce costs. That wave spawned a wave of large scale outsourcing contracts. Many of those large contracts are coming up for renewal,” Brownlee says.
Choosing the right services partner remains a challenge, he says, and selecting unwisely will introduce inefficiency instead of productivity gains. “Our opinion is that it takes large investment [by the services provider] in new technology tools to make system integration and data integration easier,” says Brownlee. Programmers need extensive training and certification in life sciences and regulatory requirements.
Perhaps no surprise, Infosys is hiring experts, such as doctors, nurses, and dentists to maximize its health-IT capability, he says, plus it’s pre-investing in tools and has developed “accelerator” modules to speed implementation.