O.T. Korea guards against online ID theft
One million ID theft cases drive new policy
Simon Burns in Taipei, vnunet.com 06 Oct 2006
http://www.vnunet.com/vnunet/news/2165834/korea-guards-against-id-theft
South Korean authorities have introduced a new online identity system in an attempt to combat a wave of identity theft that affected more than one million people earlier this year.
Citizens will now be able to apply for a special Internet Personal Identification Number, or i-PIN, the country's Ministry of Information and Communication announced this week.
Koreans commonly use their 13-digit citizen registration numbers to verify their identities online. However, due to lax security at internet firms, databases containing these numbers have fallen into the hands of criminals.
The numbers have also come under fire because they contain personal information which the holder may not wish to divulge online, including gender, and place and date of birth.
The new i-PIN numbers do not contain any personal data. In addition, under the new system, citizens will be able to cancel their old i-PIN number and apply for a new one if they suspect that the number has been copied.
Earlier this year, some 1.2 million people, more than two per cent of the country's population, found that their official citizen registration numbers had been used to sign up for accounts in Lineage, a series of popular online games.
Although there were earlier cases of existing Lineage accounts being hijacked, the victims in the vast majority of recent cases did not even play the game. Instead, their real-world identities were used to sign up without their knowledge.
According to investigators, the bogus Lineage accounts were apparently used by China-based groups to generate virtual items in the game world which were then sold to gamers in exchange for real cash.
One Korean newspaper report later estimated that the group behind the scam could have made in excess of $10m from the sales.
New account registrations which provided a free trial period of several days could be obtained simply by entering an ID number into an online form. Lineage publisher and developer NCsoft said that it has since tightened up its registration procedures.
While the new i-PIN system is not yet mandatory, Korea's major internet companies have said they will support it. However, most will initially offer i-PIN registration in parallel with existing systems, according to local media reports.
NCSoft was threatened with a potentially costly class action lawsuit after the Lineage identity thefts, but this appears to have been abandoned. NCSoft also publishes the popular online games Guild Wars and City of Heroes outside Korea.
As well as the new i-PIN online identity system, public consternation generated by the Lineage incident has driven the Korean government to strengthen ID theft penalties.
Punishments for offenders now include a possible three-year jail sentence, as well as hefty fines.
Security fears raised at conference
By Jonathan Kent
BBC News, Malaysia
http://news.bbc.co.uk/2/hi/technology/5399050.stm
Communications like Voip are under attack, the hackers reported
Concerns over the latest hi-tech security vulnerabilities have been highlighted at a conference in Kuala Lumpur, Malaysia.
There seems to be an unspoken understanding among hackers that dressing in black is cool. Hack in the Box, Asia's leading hacking and security gathering, is full of geeks in black. And their cloak and dagger looks add a certain frisson to the occasion.
However, though some may dress in black, they are not 'black hats', as malicious hackers are known. Most put their hacking skills at the service of industry, closing down security loopholes.
There are presentations about weaknesses in Vista, Microsoft's new operating system due out early next year; 'blue pill' attacks that can create a virtual computer within your own without you knowing anything about it.
There are talks on the use of technology to track our every move and record our every written or even spoken thought and there are lectures about technical issues so dense just reading their titles makes my brain ache.
However, if there's a discernible thread running through many of this year's presentations in Kuala Lumpur, it's the vulnerability of communications software and technology.
The term 'phishing' has entered the English lexicon, defined as an attempt to gain access to an individual's bank or other sensitive personal details by using fraudulent e-mails or by diverting him or her to bogus websites.
Check your inbox and if it is like mine you'll find dozens of security alerts purporting to be from banks.
This morning I had e-mails purporting to be from Barclays and Volksbanken Raiffeisenbanken. Both contained Trojans designed to phish for information.
You might think that your phone was secure but if you or the institution you are ringing uses Voip (internet telephony) you might have to think again.
Telecoms security specialists like "The Grugq", who kept his school nickname as a cover for his hacking activities, are highly sceptical.
"Basically Voip is going to make telephony as secure as the internet," he says. That's about as damning as a hacker can be.
"What I expect we're going to be seeing in a few months, and what's already technically possible, is for an attacker to gain access to a call centre."
The Grugq outlines a scenario in which "the customer does everything right," rings his bank's legitimate number, is put through to a call centre whether in the US, UK or even India and has their call hijacked.
"An attacker would be able to [hack] into the call centre. He could then set up a server that would monitor all of the traffic and during the hold music it would be possible for an attacker to inject content such as 'In order for us to better serve you please enter your account number and PIN code'."
If that were to happen, you have just handed over your bank details to someone who wants to empty out your accounts. And the Grugq has bad news for companies looking to save money through Voip.
"They need to make sure that everyone who has a Voip system that's connected to the internet is secure otherwise the entire system falls apart. It's basically a house of cards."
And if internet usage and mobile Voip telephony take off with the next generation of mobile phones (3.5 / 4G), experts say its coding, known as IPv6, will be open to the same sort of "man in the middle attacks" that The Grugq describes.
The next implementation of the internet is also vulnerable
"The vulnerabilities that we have in our current internet protocol they still have similar vulnerabilities in the upcoming IP version 6," says Van Hauser, a member of The Hacker's Choice, a group of international network and system security experts.
"There are ways to secure it if implemented correctly, set up correctly, administered correctly which will be a big challenge but at least there is a chance and a hope."
Triple Play, the term used for bundled internet telephony, data and TV services, is also open to hacking, says Yen-Ming Chen, who works for the Foundstone division of the McAfee security software company.
"Right now we see vulnerabilities in different components in this whole architecture so we categorise them into home networks, delivery and management network and also the back end and content source.
"What that could mean in practice is that rather than storming the local TV station political hackers could take control from the comfort of their own bedrooms.
"In this case the goal of the attackers would be taking control of a lot of home users set top boxes or just computers," says Chen, "and then to broadcast whatever content they want to. That's the worst scenario, for whatever political motivation or anything like that."
But perhaps the most intriguing possibility is that of hackers hijacking satellites.
Jim Geovedi, a Jakarta based information security consultant with Bellua Asia Pacific doesn't look like a Bond villain. But he possesses secrets that some of them might kill for.
"There's a theory that if somebody can control one satellite they can cross to the next satellite and create a chain of destruction because everything is around the equator. If everything is destroyed so you don't have any communication, any TV any data transfer."
It is just a theory, but can someone actually do it?
"Hacking satellites is not as easy as hacking kids' toys," he says.
"It's very difficult. Every manufacturer has their own kind of technology. You have to understand everything.
"But, hacking a commercial satellite that's been up there more than 10 years is very easy for some people, if you have the right equipment."
"In my experience telecoms companies and lots of other companies only do what is absolutely necessary and hope that the rest will not fall apart," says Van Hauser.
It is a view echoed by The Grugq: "When they [banks] really start losing money on it they'll have the motivation to come up with some way of fixing it."
Microsoft's Fathi Responds to Vista Security Concerns
http://security.ithub.com/article/Microsofts+Fathi+Responds+to+Vista+Security+Concerns/190351_1.aspx
REVIEW DATE: 03-OCT-2006
Participate in Endpoint Security Study: NAC Benchmark by AberdeenGroup
http://www.tekrati.com/research/News.asp?id=7868
AberdeenGroup - October 4, 2006
This week, Tekrati readers are invited to participate in an AberdeenGroup survey on the value of Network Access Control (or Network Admission Control) to control and monitor endpoint security in an organization. Heather DalleTezze, a research analyst with AberdeenGroup's Information Security practice, is conducting the study. The focus is identifying the security processes and technologies used by best in class companies to solve business problems. She will present findings in a benchmark report designed to drive planning.
NAC allows companies to protect sensitive information and data residing on the network through identifying end users at log on, stipulating what access level the user has within the network (through predefined network admission policies), and confirming that the endpoint is in compliance with the network security infrastructure.
The survey takes ten to fifteen minutes to complete. It runs through Friday, October 6, 2006. AberdeenGroup keeps all responses anonymous.
Participants will receive a free copy of the final report when it is completed.
Follow the link below to complete the survey, or contact Ms. DalleTezze (profile at AberdeenGroup) for more information.
Very Cool! Better than a fortune cookie.
dude_danny
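The survey item above describes NAC as three steps: identify the user at log-on, map that user to an access level through predefined admission policies, and confirm the endpoint complies with the security baseline. The following added example, which is not from AberdeenGroup or from any NAC product, is a minimal admission-policy evaluator that applies those three steps in order. The user directory, role-to-zone policy, compliance baseline and sample endpoints are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    user: str                      # identity asserted at log-on
    av_signature_age_days: int     # age of anti-virus signatures on the host
    missing_critical_patches: int  # count of unapplied critical patches
    firewall_enabled: bool
    disk_encrypted: bool


# Constructed user directory: who the user is and what role they hold.
DIRECTORY = {"alice": "finance", "bob": "contractor", "carol": "it-admin"}

# Constructed admission policy: role -> zone a compliant endpoint is placed in.
ROLE_ZONE = {
    "finance": "corp-finance",
    "contractor": "guest-internet",
    "it-admin": "corp-admin",
}

# Constructed compliance baseline an endpoint must meet before it gets its role's zone.
BASELINE = {
    "max_av_signature_age_days": 7,
    "max_missing_critical_patches": 0,
    "require_firewall": True,
    "require_disk_encryption": True,
}

# Quarantine zone that only reaches patch and anti-virus update servers (constructed name).
REMEDIATION_ZONE = "remediation"


def posture_failures(ep: Endpoint) -> list[str]:
    """Return every baseline requirement the endpoint fails (empty list means compliant)."""
    failures = []
    if ep.av_signature_age_days > BASELINE["max_av_signature_age_days"]:
        failures.append(f"av signatures {ep.av_signature_age_days}d old")
    if ep.missing_critical_patches > BASELINE["max_missing_critical_patches"]:
        failures.append(f"{ep.missing_critical_patches} critical patches missing")
    if BASELINE["require_firewall"] and not ep.firewall_enabled:
        failures.append("host firewall disabled")
    if BASELINE["require_disk_encryption"] and not ep.disk_encrypted:
        failures.append("disk not encrypted")
    return failures


def admit(ep: Endpoint) -> dict:
    """Decide which zone an endpoint lands in, applying the three NAC steps in order."""
    # Step 1: identification. An unknown identity never reaches the posture check.
    role = DIRECTORY.get(ep.user)
    if role is None:
        return {"user": ep.user, "zone": "denied", "reasons": ["unknown user"]}
    # Step 2: the predefined admission policy maps the role to an access level.
    zone = ROLE_ZONE[role]
    # Step 3: compliance. Non-compliant endpoints are quarantined rather than denied
    # outright so they can still reach remediation services and come back compliant.
    failures = posture_failures(ep)
    if failures:
        return {"user": ep.user, "zone": REMEDIATION_ZONE, "reasons": failures}
    return {"user": ep.user, "zone": zone, "reasons": []}


if __name__ == "__main__":
    # Constructed sample endpoints: compliant, non-compliant, and unknown identity.
    for ep in (
        Endpoint("alice", 2, 0, True, True),
        Endpoint("bob", 30, 3, False, True),
        Endpoint("mallory", 0, 0, True, True),
    ):
        print(admit(ep))
```

The ordering matters: identification gates everything else, so an unknown identity is rejected before any posture data is trusted, and a known user with a non-compliant machine is steered to a quarantine zone instead of being dropped, which is what keeps remediation possible.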
VoIP fraud will be big in 2007
http://www.voiplowdown.com/security/index.html
Along with cell phone worms, VoIP fraud is among the top 10 security threats to watch next year, according to a panel of experts assembled by the SANS Institute. The report predicts this will be because hackers have begun penetrating VoIP servers and selling dial tone as if they were a phone company.
"The hackers collect the money from the people that use it, while the company operating the servers gets the bill," said SANS Director of Research, Alan Paller. The fact that calls can be hijacked without either party's knowledge anywhere along the route over the net that connects the call also makes things easier.
This vulnerability and other security holes will be exploited as soon as VoIP becomes the norm. We know that VoIP is being marketed aggressively - especially to medium-sized companies who are only looking at the cost benefits and end up not doing much about security. The more it expands the more hackers turn their attention to VoIP - now that's only logical don't you think?
VoIP is growing and will soon replace traditional phone systems around the world, but the way systems are being set up and managed also needs to be examined. VoIP vendors argue that these security flaws are hard to exploit, but you can find more than 20 freely available tools specific to attacking VoIP, according to this Wired News article.
In addition to cell phone viruses and VoIP attacks, other trends SANS predicts for 2007 in the Technewsworld article include the following:
Targeted attacks will be more prevalent, in particular on government agencies. Spyware will continue to be a huge and growing issue. Zero-day vulnerabilities will result in major outbreaks, with many thousands of PCs infected worldwide. The majority of bots will be bundled with rootkits, and Network Access Control will become common and grow in sophistication, to name a few.
Implementing Secure VoIP in the Enterprise
http://www.lucent.com/livelink/090094038009a064_White_paper.pdf
Oct 10, 2005
***Lucent is a contributor to TCG.
Encryption
VoIP voice packets can potentially be intercepted and analyzed during transmission by unauthorized persons. Encryption protects against this analysis by increasing the difficulty of decoding the packets.
Endpoint Authentication
Endpoint authentication means that all VoIP phones must register with the call controllers using some form of strong authentication before being allowed to make a call. Endpoint authentication can protect against items such as spoofing, SNMP, and TFTP attacks.
dude_danny
O.T. Lenovo and IBM Announce Battery Recall
http://www.lenovo.com/news/us//en/2006/09/battery_recall.html
RESEARCH TRIANGLE PARK, N.C. and ARMONK, N.Y. – September 28, 2006 – Lenovo and International Business Machines Corporation, in cooperation with the U.S. Consumer Product Safety Commission today announced the voluntary recall of approximately 526,000 lithium-ion batteries worldwide manufactured by Sony Corporation. In the interests of public safety, Lenovo will offer customers free-of-charge replacement batteries for all recalled batteries.
Although no make or model of battery is immune from some overheating or failure, Lenovo has confirmed that these batteries can be subject to overheating, posing a potential fire hazard, and Lenovo is advising customers to check if they are using one of the affected batteries as follows:
The recalled batteries were sold with or sold separately to be used with some models of ThinkPad notebook PCs:
T Series (T43, T43p, T60)
X Series (X60, X60s)
R Series (R51e, R52, R60, R60e)
Battery part/model numbers (ASM P/N with the matching FRU P/N):
ASM P/N 92P1072 - FRU P/N 92P1073
ASM P/N 92P1088 - FRU P/N 92P1089
ASM P/N 92P1142 - FRU P/N 92P1141
ASM P/N 92P1170 - FRU P/N 92P1169 or 93P5028
ASM P/N 92P1174 - FRU P/N 92P1173 or 93P5030
Additionally, since these batteries work with any T4x Series or R5x Series system, customers who ordered an extra battery or received a replacement battery for any T4x or R5x Series notebook PC between February 2005 and September 2006 may also have a battery subject to recall.
IBM and Lenovo sold these batteries with new notebook PCs or as replacement batteries between February 2005 and September 2006. Customers can continue to use their notebook PC by turning off the system, removing the battery, and plugging in the AC adapter and power cord to power the system. Customers should use only genuine ThinkPad batteries obtained from either Lenovo or an authorized reseller.
Following reports of an incident at Los Angeles International airport, Lenovo has reacted swiftly, announcing this recall less than two weeks after the incident was first brought to the company's attention. Lenovo estimates that between five and ten percent of ThinkPad notebooks sold during the period of February 2005 to September 2006 are affected by the recall.
Sony has agreed to financially support the recall.
dude_danny
O.T. Lenovo Debuts Fleet of Intel Core 2 Duo ThinkCentre Desktop PCs
Newest Desktops Offer Rock Solid Security, Resiliency and Quality with Enhanced Manageability Features
http://www.lenovo.com/news/us//en/2006/09/tc_core2duo.html
RESEARCH TRIANGLE PARK, N.C. – September 26, 2006 – Lenovo today introduced several new desktop PCs including the new ThinkCentre M55p with Intel® vPro™ technology, which combines the industry's most advanced PC processing features with rock-solid design, functionality and reliability. The new M55p is part of two lines of ThinkCentre desktops that, for the first time, offer the Intel Core™ 2 Duo processor, and provide enterprise users with high performance, enhanced security features and automation tools designed to help IT staff remotely manage systems.
The two lines of Core 2 Duo-enabled ThinkCentre desktops include the M55p, M55, M55e, A55 and A53 models and offer enterprises maximum choice for processor technology, graphics and form factors and the lowest total cost of ownership. The ThinkCentre M and A Series desktops are built for the way IT managers work and offer platform stability, industry-leading service and support and a common software image for easy fleet management.
To further enhance user experience, the new desktops are preloaded with ThinkVantage Technologies, a suite of software tools that help maintain user productivity and reduce costly and time consuming calls to the help desk. ImageUltra Builder and ThinkVantage System Migration Assistant make rollouts simpler and more efficient for IT departments. ThinkVantage Productivity Center guides the user to a host of information and tools to help set up, understand, maintain, and enhance their ThinkCentre desktop. All ThinkCentre M and A series desktops also feature ThinkVantage Rescue and Recovery to help recover from crashes, quickly and easily.
"Today's enterprise customers want the best performance but not at the expense of security and reliability," said Tom Tobul, executive director, global desktop marketing, Lenovo. "Our new ThinkCentre desktops with ThinkVantage Technologies offer IT managers image stability along with leading security and manageability tools, while end users benefit from improved productivity. Lenovo designs the best-engineered PCs to support day-to-day business, and customers will find peace of mind knowing their investment will support the operating systems and applications of today and tomorrow."
The performance model of the ThinkCentre M Series line – the M55p – features Intel's vPro platform, which utilizes Intel's Active Management Technology and Intel Virtualization Technology to provide an advanced level of remote PC management. The M55p with vPro technology optimizes the functionality of ThinkVantage Technologies to allow IT managers to remotely access and inventory PCs even if the systems are powered down, or if the operating system is not responding. This new software helps empower businesses to take full advantage of managing their ThinkCentre desktops, with immediate system updates and tracking across entire PC fleets.
ThinkCentre M Series desktops also feature the ThinkVantage Client Security Solution, an additional layer of security that helps protect vital company security information like passwords, encryption keys and electronic credentials. Rescue and Recovery with Antidote Delivery Manager allows IT staff to rapidly deploy security updates, even to systems that are powered down.
All ThinkCentre M and A Series desktops offer customers a choice of Intel's Core 2 Duo, Pentium D, Pentium 4 and Celeron D processors. Toolless-entry drives, adapter cards and steel chassis further enhance the simplicity of the ThinkCentre M and A Series desktops by allowing users to easily access components for quick repairs or upgrades. Both lines are Microsoft Vista capable and designed to support today's and tomorrow's software for flexible PC solutions that can evolve over time.
Pricing and Availability
The new ThinkCentre M and A Series will be available beginning September 26th 2006 via www.lenovo.com and select Lenovo business partners. Prices for M Series models start at $749. Prices for the A Series start at $379.
dude_danny
Lack of openness could limit Vista security gain
by Bill Goodwin
Tuesday 26 September 2006
http://www.computerweekly.com/Articles/2006/09/26/218612/Lack+of+openness+could+limit+Vista+security...
Microsoft's decision to build anti-spyware, a firewall and other security services into Windows Vista is unlikely to directly benefit large corporate IT departments, Gartner said last week.
The analyst company did, however, praise Microsoft's efforts to improve the security of its code.
The inability of Microsoft's security products to integrate with non-Microsoft systems was a barrier to its use by larger firms, though small and medium-sized enterprises might benefit, said Gartner vice-president Neil MacDonald.
MacDonald also warned that Microsoft could potentially face a conflict of interest if it placed too much emphasis on security products rather than eliminating security weaknesses in its software.
However, he said large organisations could benefit by using the security products built into Vista as a bargaining chip to win better deals from their existing security suppliers. Microsoft's entry into the field was already bringing costs down, MacDonald said.
Despite giving a mixed reception to Microsoft's built-in security tools, Gartner said Microsoft's programme to develop more secure code was "best in class". No other supplier has gone to the same lengths to review the security of its products, said MacDonald.
There is now little difference between the security of Windows and Linux, and the decision to move to open source is no longer security-driven. Microsoft is also supporting its products for longer than other suppliers, the conference heard.
Windows Vista will offer some genuinely useful functions, including the ability to control USB devices and encryption of data through the Bitlocker feature, said MacDonald. But there are some drawbacks.
Bitlocker will only be available to businesses that pay for Software Assurance licensing. Also, although USB control is included, there are other routes into machines that are not protected, such as Bluetooth and infrared, said MacDonald.
dude_danny
O.T. YouTube signs partnership with Warner Music By Yinka Adegoke
http://news.yahoo.com/s/nm/20060918/wr_nm/youtube_dc
YouTube said it would use a new advanced content identification and royalty reporting system, set for release by the end of the year, to identify the music videos and help manage payment to the record labels.
***would be interesting to see who provides this service***
NEW YORK (Reuters) - Music videos from Madonna, Red Hot Chili Peppers and Sean Paul will be legally available for the first time on YouTube, the online video sharing site, which signed its first commercial partnership with Warner Music Group Corp. on Monday.
YouTube, which has over 100 million videos viewed everyday, and Warner Music, the fourth biggest record company, said on Monday the pact would help Warner distribute music videos, behind-the-scenes footage, artist interviews and original programming.
The companies said YouTube users would also be able to incorporate music from Warner's catalog into the videos they create and upload.
Music videos belonging to Warner Music and other record companies are regularly uploaded to YouTube by its users but usually without permission from the labels.
The partnership, which has been in discussions for months, was signed late on Sunday afternoon. It comes just days after Universal Music Group, which is owned by Vivendi, described YouTube and News Corp.'s social networking site MySpace as "copyright infringers" that owe the music industry "tens of millions of dollars."
The strong language has prompted speculation that a lawsuit is imminent from Universal or some other owner of copyrighted material.
"We've been in discussions with many of the labels, television networks and movie studios," Chad Hurley, YouTube chief executive and co-founder, told Reuters.
YouTube and Warner Music said the deal would enable both parties to generate and share revenue created by advertising, which will be featured around the videos.
Warner Music executive Alex Zubillaga said the deal will start to generate significant revenue for Warner from next year as user volumes grow.
"We're trying to lead through innovation as opposed to litigation," he said.
YouTube said it would use a new advanced content identification and royalty reporting system, set for release by the end of the year, to identify the music videos and help manage payment to the record labels.
Hurley said the proprietary tools YouTube is building will allow Warner Music to manage the licensing of its music and videos remotely.
YouTube said it and Warner Music would share revenue from advertising on both music videos uploaded by the artist and user uploaded videos that incorporate audio and audiovisual works from Warner's catalog.
Last month, YouTube announced an advertising deal with Warner Music as the start-up's first partner for its new Brand Channel advertising to promote the new Paris Hilton album.
dude_danny
NTT Data to Offer Open Source Development Suite
http://www.technewsworld.com/story/53048.html
Asia Pulse
09/15/06 1:04 PM PT
Muscat promises to speed up interactive Web applications by loading special display software into the browser and then only sending XML data for display between the browser and the server.
Japan's NTT Data has developed an open source software suite designed to facilitate Web system development, making it easier to use Ajax (asynchronous JavaScript and XML) to create buttons and data-entry boxes in interactive applications for Web 2.0.
Dubbed "Muscat," the software suite includes tools for positioning buttons and boxes, utilizing Ajax to automatically generate the display code.
Speeds Up Development
Ajax requires some training, and using it to create sites can be time-consuming. The Muscat tools eliminate the need for writing code and can more than double site development efficiency.
Muscat also promises to speed up interactive Web applications by loading special display software into the browser and then only sending XML data for display between the browser and the server.
The result promises a more than 10-fold reduction in the volume of communication between browser and server compared to normal Ajax techniques, which involve the exchange of both data and program scripts.
Release Imminent
NTT Data plans to release the Muscat suite free of charge as open source code by the end of September.
By doing so, and by encouraging programmers to add new functions, the company hopes to make Muscat a de facto industry standard.
In return, the company hopes to gain better appreciation for its technical capabilities among the Net community.
© 2006 Asia Pulse. All rights reserved.
dude_danny
NTT Data to Perform Feasibility Test on Patient Tracking System for Disaster Drills
http://www.japancorp.net/Article.asp?Art_ID=13144
Tokyo, Aug 28, 2006 (JCN) - NTT Data Corporation will perform a feasibility test on a tracking system for patients with the Disaster Medical Assistance Team, and the DMAT management system for disaster-drill on September 1.
The DMAT will communicate information regarding the delivery of patients to the presiding ministry in real time using mobile phones and PCs. The patient tracking system sends information such as the condition of each patient by attaching an RFID medical record to the patient.
----------------------------------------------
http://www.wave.com/news/press_archive/06/060705_NTTDATA.html
Pursuant to the agreement NTT DATA will be authorized to resell and provide support services for Wave's EMBASSY® Trust Suite technology and solutions for the trusted computing market in Japan, including financial services, government, health care and consumer market segments.
dude_danny
INFORMATION SECURITY
Federal Deposit Insurance Corporation Needs to Improve Its Program
http://www.gao.gov/new.items/d06620.pdf
What GAO has found
FDIC has made progress in correcting previously reported weaknesses. Specifically, the corporation has corrected or mitigated 18 of the 24 weaknesses that GAO previously reported as unresolved at the time of the last review. Among actions FDIC has taken are developing and implementing procedures to comply with its computer file naming convention standards and developing and implementing automated procedures for limiting access to sensitive information.
Nevertheless, FDIC has not consistently implemented information security controls to properly protect the confidentiality, integrity, and availability of its financial and sensitive information and information systems. In addition to the remaining six previously reported weaknesses for which FDIC has not completed corrective actions, GAO identified 20 new information security weaknesses. Most identified weaknesses pertain to access controls over (1) user accounts and passwords; (2) access rights and permissions; (3) network services; (4) configuration assurance; (5) audit and monitoring of security-related events; and (6) physical security that are to prevent, limit, or detect access to its critical financial and sensitive systems and information. In addition, weaknesses exist in other information security controls relating to segregation of duties and application change controls.
A key reason for these weaknesses is that FDIC has not fully implemented elements of its information security program. For example, it has not consistently implemented its security-related policies, addressed security plans for certain applications, provided specialized training to individuals with significant security responsibilities, implemented remedial action plans for resolving known weaknesses, and updated or tested continuity plans in light of its implementation of the new financial environment. As a result, financial and sensitive information are at increased risk of unauthorized access, modification, and/or disclosure, possibly without detection. Because of this, GAO reported information system control weaknesses to be a reportable condition in 2005.
Why GAO Did This Study
The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. The corporation relies extensively on computerized systems to support and carry out its financial and mission-related operations.
As part of the audit of the calendar year 2005 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of the corporation’s information system controls to protect the confidentiality, integrity, and availability of its key financial information and information systems.
What GAO Recommends
GAO recommends that the FDIC Chairman fully implement key elements of its agencywide information security program.
In providing written comments on a draft of this report, FDIC’s Deputy to the Chairman and Chief Financial Officer stated that FDIC concurred with one of GAO’s recommendations, partially concurred with three, and did not concur with one. FDIC also disagreed with GAO’s assessment that its information system control weaknesses were sufficient to constitute a reportable condition.
User Accounts and Passwords
A computer system must be able to identify and differentiate among users so that activities on the system can be linked to specific individuals. When an organization assigns unique user accounts to specific users, the system distinguishes one user from another—a process called identification. The system must also establish the validity of a user’s claimed identity through some means of authentication, such as a password, that is known only to its owner. The combination of identification and authentication, such as user account/password combinations, provides the basis for establishing individual accountability and for controlling access to the system. Accordingly, agencies implement procedures to, among other things, (1) modify vendor-supplied default authenticators during information system installation and (2) create, use, and remove user accounts. FDIC has not adequately controlled user accounts and passwords to ensure that only authorized individuals are granted access to its systems and data.
For example, the corporation did not change vendor-supplied administrator accounts and passwords or remove inactive user accounts. In 2002 and 2003, we reported the existence of these weaknesses and in 2004 reported that FDIC had corrected them.16 The reemergence of these weaknesses demonstrates that FDIC had not implemented disciplined processes for ensuring that such issues do not recur. As a result, there is increased risk that unauthorized users could gain valid user identification and password combinations to claim a user identity and then use that identity to gain access to corporation systems.
Security Plans
The objective of system security planning is to improve the protection of information technology resources. A system security plan provides an overview of the system’s security requirements and describes the controls that are in place—or planned—to meet those requirements. Office of Management and Budget (OMB) guidance directs agencies to develop and implement system security plans for major applications and for general support systems and also directs that these plans address policies and procedures for providing management, operational, and technical controls. National Institute of Standards and Technology (NIST) guidelines state that, when nonmajor applications are bundled with a general support system, the security requirements for each of the nonmajor applications should be included in the general support system’s security plan. Further, agencies are responsible for ensuring that appropriate security controls are in place for the information or application, as well as the systems on which they reside. If an agency’s information is processed on another organization’s general support system, the agency needs to ensure that adequate protection is provided for its information, including making an assessment of the sponsoring system’s security plan. In the security plans we reviewed, FDIC generally included elements such as security controls currently in place, or planned, the name of the individual responsible for the security of the system, and a description of the system and its interconnected environment. However, we identified instances where security plans were incomplete. For example, FDIC did not integrate the security plans or requirements for certain nonmajor applications into the security plan for the general support system. Two of FDIC's nonmajor applications, the corporation’s human resources and time and attendance systems, are not included in FDIC general support systems security plans. 
As a result, FDIC cannot ensure that appropriate controls are in place to protect its systems and critical information.
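The two account-hygiene controls the report names (changing vendor-supplied default authenticators at installation and removing accounts that fall inactive) as a small audit script. This is an added example, not GAO's audit procedure or FDIC code; the account inventory, the default-account name list and the 90-day idle threshold are constructed assumptions.

```python
"""Account-hygiene checks for the two control failures the report cites:
vendor default accounts whose install-time password was never changed,
and user accounts that went inactive but were never removed.
All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical list of well-known vendor default account names; a real
# check would build this from the vendor's installation documentation.
VENDOR_DEFAULT_ACCOUNTS = {"admin", "sa", "oracle", "guest"}


@dataclass
class Account:
    name: str
    created: date                       # date the account was provisioned
    password_changed: Optional[date]    # None if the password was never changed
    last_login: Optional[date]          # None if the account was never used
    disabled: bool = False


@dataclass
class Finding:
    account: str
    control: str    # which control the account violates
    detail: str


def check_default_authenticators(accounts: List[Account]) -> List[Finding]:
    """Control (1): vendor-supplied default authenticators must be modified
    during installation. Flag enabled default accounts whose password has
    never been changed since provisioning."""
    findings = []
    for a in accounts:
        if a.disabled or a.name.lower() not in VENDOR_DEFAULT_ACCOUNTS:
            continue
        if a.password_changed is None:
            findings.append(Finding(
                a.name, "default-authenticator",
                "vendor default account still uses its install-time password"))
    return findings


def check_inactive_accounts(accounts: List[Account], as_of: date,
                            max_idle_days: int = 90) -> List[Finding]:
    """Control (2): accounts must be removed when no longer used. Flag
    enabled accounts with no login within max_idle_days; a never-used
    account is measured from its creation date."""
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = []
    for a in accounts:
        if a.disabled:
            continue
        last_activity = a.last_login or a.created
        if last_activity < cutoff:
            idle = (as_of - last_activity).days
            findings.append(Finding(
                a.name, "inactive-account", f"no activity for {idle} days"))
    return findings


def audit(accounts: List[Account], as_of: date,
          max_idle_days: int = 90) -> List[Finding]:
    """Run both checks and return the combined findings."""
    return (check_default_authenticators(accounts)
            + check_inactive_accounts(accounts, as_of, max_idle_days))


# Constructed sample inventory for one system, audited as of 2005-12-31.
AS_OF = date(2005, 12, 31)
SAMPLE_ACCOUNTS = [
    # default account, password never changed, but recently used
    Account("admin", date(2005, 1, 10), None, date(2005, 12, 1)),
    # default account whose password was changed at install: compliant
    Account("sa", date(2005, 1, 10), date(2005, 1, 10), date(2005, 12, 30)),
    # ordinary user who has not logged in for months
    Account("jsmith", date(2005, 3, 1), date(2005, 3, 1), date(2005, 6, 15)),
    # account provisioned but never used
    Account("contractor7", date(2005, 9, 1), date(2005, 9, 1), None),
    # default account that was disabled: not a finding
    Account("guest", date(2005, 1, 10), None, None, disabled=True),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{f.control:22} {f.account:12} {f.detail}")
```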
dude_danny
The Fifth International Conference on Mobile Business, June 26-27, 2006
E-Pass Using DRM in Symbian v8 OS and TrustZone: Securing Vital Data on Mobile Devices. Wan Hussin Wan Huzaini (Lancaster University), Reuben Edwards (Lancaster University)
http://asp.cbs.dk/icmb2006/program/Crossroads_program_final.pdf#search=%22Card-based%20Macropayment%...
dude_danny
http://www.ericsson.com/ericsson/corpinfo/publications/review/2006_02/files/mobile_platform_security...
Conclusion
Ericsson’s mobile platforms contain a variety of security mechanisms and an advanced model for issuing and checking the integrity of software. Manufacturers of mobile phones can thus build secure applications and a secure process for issuing platform software. Apart from communication security and basic platform integrity control, mobile phone developers can decide how and when they want to use these mechanisms. Therefore, additional security mechanisms might be needed.
The mobile platforms do not use an open software environment that permits end users to install new software modules or applications. This limits the need for further software-protection mechanisms. In the future, however, we might see a more PC-like situation, where new native software, such as non-Java software, can easily be installed and executed. In that case, non-trusted software will have to be isolated from trusted software. Advanced operating systems isolate non-trusted software in such a way that it is never allowed to interfere with the execution of trusted software. In a large and flexible OS, however, isolation is difficult to achieve. Therefore, other means, such as hardware mechanisms or more stringent security requirements (in the OS), will have to be employed.
dude_danny
O.T.? Juniper, Nortel Open Wallets to Invest in WLAN Vendor
(*** Trapeze Networks is a TCG member***)
Sorry if posted
http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=192300804
By Jennifer Hagendorf Follett, CRN
4:38 PM EDT Mon. Aug. 28, 2006
Juniper Networks Monday put some skin in the WLAN game by investing in Trapeze Networks, part of a $30 million funding round secured by the wireless vendor.
Trapeze, Pleasanton, Calif., said it plans to use money from the round D funding to support geographic expansion, bolster its channel programs and expand product development.
On the channel front, the new funding will support Trapeze's efforts to recruit new partners and add channel personnel, said Jim Vogt, CEO of Trapeze.
"We're seeing growth, and a key part of that is recruiting and maintaining a channel," Vogt said.
As wireless technology becomes ubiquitous, new channels are opening up for Trapeze, Vogt said. For example, applications such as VoIP and location-based services are opening doors to new sets of partners, he said.
The two companies are now investigating options for how Juniper can work with Trapeze's wireless technology. Co-development, resale and OEM partnerships are all on the table, he said, noting that "nothing is nailed down right now."
First-time Trapeze investor Juniper was joined in the funding round by Nortel Networks as well as several venture capital firms, which all added to previous investments in the wireless vendor.
The investments will strengthen partnerships Trapeze already has with both Juniper and Nortel. Nortel OEMs wireless technology from Trapeze, as do several other networking vendors, including 3Com (*** new TCG member from Awk's find***), D-Link and Enterasys Networks. Trapeze also counts Funk Software among its Solution Alliance partners, which was acquired by Juniper in December.
The investment should also help Trapeze in its bid to chip away at rival Cisco Systems' market-leading hold in the WLAN market. Juniper and Nortel both compete against Cisco on several technology fronts, including networking and security.
Through the first half of 2006, Cisco commanded nearly 57 percent of the enterprise WLAN market and, together with its Linksys division, nearly 38 percent of the overall wireless market by revenue, according to Synergy Research Group.
Trapeze later this week is expected to unveil the newest version of its Mobility System software, adding new security and voice over WLAN features.
Trapeze also plans to unveil its next-generation architecture in about five to six weeks, Vogt said.
dude_danny
SEAGATE HOLDS ENTERPRISE TECHNOLOGY SEMINAR IN TOKYO
Sorry if posted
http://www.seagate.com/cda/newsinfo/newsroom/releases/article/0,1121,3288,00.html
TOKYO—04 September 2006— Seagate Technology, the world's leading supplier of hard disc drives, will hold a "Seagate Enterprise Technology Seminar" for system integrators (SI) and value added resellers (VARs) to educate these important channel partners about the diverse applications for multi-drive, high capacity systems featuring Seagate enterprise drives, including the new Barracuda ES series of drives. The seminar will be held on Friday, September 8, 2006.
Tom Kobayashi, president of Nippon Seagate said, "In our ongoing dialogue with channel partners we are seeing a tremendous need for better data management capabilities, and a deeper understanding of the best solutions to meet specific customer needs. Seagate provides enterprise drives to meet any need system integrators and value added resellers have. Our Barracuda ES drive family is specially designed to be at the core of today's most robust and reliable data management solutions for nearline storage. The Barracuda ES drive provides a significant boost in capacity and reliability that far exceeds prior generations in meeting the need for cost-effective, Disk Array/WB server storage."
At the technology seminar, Seagate and fellow technology leaders Intel and Adaptec, will talk about the challenges that enterprises face and provide in-depth knowledge about solutions VARs and SIs might employ in meeting their customers' needs. They will also showcase applications where Seagate enterprise hard drives combine the highest capacity available with enterprise features demanded in 'multi-drive' capacity-intensive configurations, ideal for low cost-per-GB business storage solutions. Some of the topics that will be discussed include serial ATA and Serial Attached SCSI (SAS) interface technologies, latest server platform and data protection.
The seminar is specially designed for SI and VARS and registration is required. Further information can be found at https://seagate-marketing.info/public/seminar/view/4.
About Intel
Intel, the world leader in silicon innovation, develops technologies, products and initiatives to continually advance how people work and live. Additional information about Intel is available at www.intel.com/pressroom.
About Adaptec
Adaptec, Inc. provides trusted storage solutions that reliably move, manage, and protect critical data and digital content. Adaptec's software and hardware-based solutions are delivered through leading Original Equipment Manufacturers (OEMs) and channel partners to provide storage connectivity, data protection, and networked storage to enterprises, government organizations, medium and small businesses, and consumers worldwide. Adaptec is an S&P Small Cap 600 Index member. More information is available at http://www.adaptec.co.jp/
About Seagate
Seagate is the worldwide leader in the design, manufacture and marketing of hard disc drives, providing products for a wide-range of applications, including Enterprise, Desktop, Mobile Computing, Consumer Electronics and Branded Solutions. Seagate's business model leverages technology leadership and world-class manufacturing to deliver industry-leading innovation and quality to its global customers, and to be the low cost producer in all markets in which it participates. The company is committed to providing award-winning products, customer support and reliability to meet the world's growing demand for information storage. Seagate can be found around the globe and at www.seagate.com in English and www.seagate.co.jp in Japanese.
Seagate, Seagate Technology and the Wave logo are registered trademarks of Seagate Technology LLC. Barracuda is a trademark or registered trademark of Seagate Technology LLC or one of its affiliated companies. All other trademarks or registered trademarks are the property of their respective owners. When referring to drive capacity one gigabyte, or GB, equals one billion bytes and one megabyte, or MB, equals one million bytes. Accessible capacity may vary depending on operating environment and formatting.
The Future Network Security
Tian Haibo, Wang Yumin
State Key Lab. on ISN, Xidian University, Xi'an, China
Sorry if posted.
http://www.china-cic.org.cn/english/digital%20library/200608/4.pdf#search=%22tpm%201.2%20and%20indus...
Trust platform module style hardware enabled devices will play a major role as the future network security infrastructure. Network threat landscape is obviously a stimulation power. The technique advance of TPM style hardware over traditional security techniques serves as another push power. More importantly, industry plans will bring us to a new network with enhanced security. More attention should be paid to some problems to enable a TPM style hardware based future network. These problems also provide opportunities for domestic security enterprises. Some characteristics of our future network are summarized.
dude_danny
Nice Find OknPV!
dude_danny
Great find Snackman! Post of the Day!
dude_danny
Identity Crisis
An epidemic of high-profile laptop heists shows how vulnerable Americans' personal information is.
Saturday, August 5, 2006; Page A18
http://www.washingtonpost.com/wp-dyn/content/article/2006/08/04/AR2006080401379.html
THIS HAS BEEN the summer of identity theft. Since May, federal agencies and private companies alike have admitted to exposing millions of Americans to the threat of marred credit reports and imbalanced bank statements through sloppy handling of confidential personal data. The recent news is frustratingly typical: Last month the Agriculture Department announced that one of its laptops had vanished -- along with personal information about 350 USDA employees on its hard drive and a paper printout of the data. Someone returned the laptop and the printout to a meat plant, but investigators don't know whether any of the profiles had been compromised.
This isn't the first trouble the USDA has had with ensuring the security of its workers' information. In June, the agency reported that a hacker had gained access to the records of 26,000 D.C. area employees. And the USDA's foibles are only a fraction of the problem. In May, a Department of Veterans Affairs employee lost a laptop with personal information about 26.5 million people on it, unencrypted. In June, another laptop burglary, this time from the home of an ING U.S. Financial Services agent, exposed the personal data of 13,000 District employees and retirees. The Federal Trade Commission, the agency responsible for monitoring identity theft, lost two laptops of its own in June with files containing people's financial account numbers. In the past year and a half, about 85 million Americans have received word that their identifying information may have been stolen.
These cases should be stern warnings to government and private-sector managers alike. All it takes is one stolen laptop in the hands of the right thief to deal expensive and time-consuming damage to people who did little more than give their Social Security numbers to their employers. According to the FTC, identity theft cost American consumers $5 billion in 2002.
Over the past decade, Americans have gotten used to their personal information zipping around cyberspace, and, for the most part, that's a good thing. The growing success of e-commerce, Internet banking and other electronic services in which personal data are exchanged attests to the value of public trust in the security of the information they give out. But government agencies and private companies have to be more careful with Americans' identities. That means doing such basic things as encrypting data taken outside the office or maintaining a functional hacker shield -- measures a surprising number of organizations haven't adopted.
There also may be room for Congress to help. It can't prevent personal data from being stolen, but it can follow the lead of many states by passing the Data Accountability and Trust Act, which requires prompt notification to those at risk when their data are compromised.
dude_danny
http://www.gartner.com/teleconferences/attributes/attr_151875_115.pdf
sorry if posted
dude_danny
Pen Testing Windows Vista BitLocker Drive Encryption from the Inside
Sorry if posted
http://conference.hackinthebox.org/hitbsecconf2006kl/index.php?page_id=107
Presentation Details:
This insider’s candid perspective on the threat analysis and penetration of BitLocker Drive Encryption will be a forthright review of its threats, vulnerabilities, and their mitigations — significant since the talk is in advance of the product's release date. The presentation will bring together known device attacks such as DMA exploits with “not-widely-discussed” platform vulnerabilities to show how they affect BitLocker Drive Encryption and device security in general. The presentation will also include the penetration team’s best crack-finding practices, the BitLocker team’s use of Microsoft’s Security Development Lifecycle, threat-modeling, threat-storming, queer views, and other practical tips. Along with DMA exploits, some of the other BitLocker and device attacks to be discussed are: PIN-hammering, key-wear analysis, ciphertext manipulation, physical memory attacks, Trusted Computing Base subversion, LPC bus attacks, and others.
Other threat analysis and penetration insights from the team will include: the poison of conventional wisdom, avoiding paranoia-induced burnout, pros and cons of external security review, security code review best practices, how to avoid analysis paralysis, leveraging dream states, adversary modeling, forensics, and cryptographic validation. The presenter is a member of the penetration team. This presentation will not be a marketing or sales presentation. It will contain a (very) brief overview of BitLocker Drive Encryption, limited to its security elements. For general BitLocker information, please go to www.microsoft.com.
Why this talk rocks
Reason 1: This presentation is an insider’s candid perspective on the threat analysis and penetration of a significant data protection feature in Microsoft Windows Vista. The presenter is a member of the penetration team. This is not a marketing or sales presentation.
Reason 2: This will be a forthright discussion of threats and mitigations — in advance of the product's release. The presentation will bring together known device attacks such as DMA exploits with “not-widely-discussed” platform vulnerabilities to show how they affect BitLocker Drive Encryption and device security in general.
Reason 3: Microsoft has staffed a formidable security team and implemented new security engineering processes which are state-of-the-art. Sharing the BitLocker team’s experiences with these processes will help the threat analysis and penetration community.
Detailed Outline:
1. Brief Technical Intro to BitLocker
Trusted Platform Module (TPM)
Pre-OS Architecture
Secure Startup
OS Architecture
Key Architecture
Modes: Usability & TCO vs. Security
2. Attacks against the CRTM and TCB
Core Root of Trust for Measurement (CRTM)
Trusted Computing Base
CRTM Immutability
Pre-OS component Attacks (bootmgr, winload, winresume)
Mitigations: BIOS Secure Upgrade
3. Defining the Threat Domain
Defining the target of evaluation
How the device has become the new attack frontier
Attack / defense asymmetry: Every stone in the castle wall must be checked
Modeling the adversary: profiling and serial criminals
Why we assume adversaries have oracle knowledge of the system
4. DMA Attacks
References David Maynor and David Hulton previous USB and PCCard bus work
Describes how these threats affect BitLocker
Mitigations
5. Ciphertext Manipulation Attacks
Attacks against the CRTM and the security posture of the system
Mitigations
6. Brief Intro to BitLocker Cryptographic Components
AES
AES CCM
Elephant / Diffusion
7. BitLocker Cryptographic Validation
Implementation bugs
Internal review
External review
FIPS
8. Brief Intro to Microsoft’s Security Development Lifecycle
List the 13 stages
Discuss how BitLocker exceeds SDL requirements and why
Tools
What did and didn’t work for the BitLocker team
9. TPM PIN Dictionary Attacks
Description
Mitigations
Related attacks
10. Brief Intro to Threat Modeling at Microsoft
Component Diagrams
Entry Points
Trust Levels
Protected Assets
Threats, STRIDE, DREAD
Data Flow Diagrams
Tools
Threat Trees vs. Threat Graphs
Threat-storming
Queer views
What did and didn’t work for the BitLocker team
11. Why Code Review is Fruitful
Static analysis
1000’s of APIs
100,000’s Lines of Code
Examples of vulnerabilities found and fixed
12. Analysis Paralysis and the Data Flood
Condensing the threats: Top Ten
Threat classes
13. Pentest Tool Development
Manual vs. Automated pentesting
Negative testing vs. pentesting
Dumb and smart fuzzing
Demoing the Exploit: An (expensive) communication medium to management
14. External Security Review:
Pros and cons
15. Physical Memory Attacks
Warm ghost
DIMM Extraction
Burn-in
Mitigations
16. Avoiding Paranoia Burnout
Finding the threat edge
Fear of the unknown
Postcards from Lu-Lu land
17. Forensics
Front doors only
No secret sauce
18. Crack-finding summary
Top ten habits of successful penetrators
Puzzles
Dreaming
The insider threat
19. A short description of the BitLocker penteam
Top ten desirable characteristics of penetrators
Why it pays to have in-team threat analysis and penetration
20. Security work at Microsoft is hot
Microsoft has built a world-class security team.
Our experience, talent, knowledge base, tools, and resources are a formidable asset.
If you want to take part in security that will positively affect millions of people, this is an excellent place to be.
21. BitLocker crack-finding is an on-going effort
The crack-finding work will continue indefinitely
About Douglas
Douglas MacIver joined Microsoft in 2004 as a penetration engineer, hell-bent on helping to build data privacy tools for the citizens of the world. He has worked on security projects at Intel, PassEdge, InterTrust, and Microsoft.
dude_danny
Subverting Vista Kernel For Fun And Profit
* Note: Maybe we will start to hear some news concerning "Presidio and Pacifica" with regards to TPM.
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
Joanna Rutkowska, Senior Security Researcher, COSEINC
The presentation will first present how to generically (i.e. not relying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy for allowing only digitally signed code to be loaded into the kernel. The presented attack does not require a system reboot.
Next, the new technology for creating stealth malware, code-named Blue Pill, will be presented. Blue Pill utilizes the latest virtualization technology from AMD - Pacifica - to achieve unprecedented stealth.
The ultimate goal is to demonstrate that it is possible (or soon will be) to create an undetectable malware which is not based on a concept, but, similarly to modern cryptography, on the strength of the 'algorithm'.
Joanna Rutkowska has been involved in computer security research for several years. She has been fascinated by the internals of operating systems since she was in primary school and started learning x86 assembler on MS-DOS. Soon after she switched to the Linux world, got involved with some system and kernel programming, focusing on exploit development for both Linux and Windows x86 systems.
A couple of years ago she became very interested in stealth technology as used by malware and attackers to hide their malicious actions after a successful break-in. This includes various types of rootkits, network backdoors and covert channels. She now focuses on both detecting this kind of activity and on developing and testing new offensive techniques.
She currently works as a security researcher for COSEINC, a Singapore based IT security company.
dude_danny
Hackers: Many Wireless PCs Secretly Vulnerable to Attack
Friday, August 04, 2006
http://www.foxnews.com/story/0,2933,206884,00.html
LAS VEGAS — Some computers with wireless Internet capabilities are vulnerable to attacks that could expose passwords, bank account details and other sensitive information even if the machines aren't actually online, researchers said here Wednesday.
The researchers demonstrated the vulnerability at a computer-security conference, showing how to take complete control of a MacBook from Apple Computer Inc. (AAPL).
But the two researchers, David Maynor, 28, and Jon Ellch, a 24-year-old who prefers to go by his hacker handle Johnny Cache, said the technique will work on an array of machines, including those that run Microsoft Corp.'s (MSFT) Windows and the free Linux operating system.
"The problem itself isn't really an Apple problem," said Maynor, a researcher at SecureWorks Inc., a network-monitoring company. "This is a systemic problem across the industry."
The technique, detailed during the first day of the Black Hat conference, has broad implications for the large number of people who over the past five years have grown accustomed to connecting to the Internet wirelessly while sitting in airports, hotels and cafes.
"It's an alarming weakness," said Phil Zimmermann, a software engineer who specializes in data security. "Now I would rather connect using an Ethernet cable," he said, referring to the term for wired Internet connections.
Maynor and Cache showed a room of about 300 attendees a video in which they dropped what is known as a "root kit" into a MacBook by exploiting a weakness found in a wireless card, a component that uses radio waves to connect to the Internet.
A root kit is a virtually undetectable program that criminals can use to do things such as log passwords and gain access to sensitive files.
Maynor was able to create, read and delete files on the Apple laptop.
The MacBook, which was running a fully patched version of the latest Apple operating system, showed no indication that it had been compromised.
The MacBook used in the demonstration was not using the wireless gear that shipped with the computer. Instead, they used a third-party wireless card that they declined to name.
Apple spokeswoman Lynn Fox declined to comment.
The researchers were not identifying the makers or models of wireless devices that are vulnerable, so that manufacturers have a leg up on criminals who might use that information to exploit the vulnerabilities. But Maynor said the flaws are so common that he'd have no trouble walking into the typical Internet cafe and finding someone vulnerable.
"I have no doubt," he said in an interview following his presentation.
He said the technique could be useful in targeting specific people or specific groups of people who are in close proximity to an attacker — for instance, a cafe that is frequented by executives of a particular company.
The researchers declined to demonstrate the attack live because they said radio receivers in the room could allow people to detect their techniques and use them to commit crimes.
A computer need not be connected to the Internet to be infected. All that's required is that it have certain wireless devices installed and that those devices be turned on.
Wednesday's demonstration came four days after Intel Corp. (INTC), the world's biggest chip maker, released security fixes for wireless capabilities it includes with many of the laptop processors it sells.
One of the vulnerabilities fixed would have allowed someone to gain control over a computer using the Intel wireless gear.
Maynor said during his presentation that he and Cache did not provide technical details of the attack to Intel but couldn't rule out a connection between the findings and the Intel patch.
"It's pretty interesting, the timing of it," Maynor said. "It seemed a bit suspicious."
dude_danny
O.T. McAfee security programs may expose data
By DAN GOODIN, AP Technology Writer
Mon Jul 31, 9:55 PM ET
http://news.yahoo.com/s/ap/20060801/ap_on_hi_te/antivirus_flaw;_ylt=AomM32Ty4k.7dIh95XZztdSs0NUE;_yl...
SAN FRANCISCO - Consumer versions of McAfee Inc.'s leading software for securing PCs are susceptible to a flaw that can expose passwords and other sensitive information stored on personal computers, researchers said Monday.
The vulnerability affects many of McAfee's most popular consumer products, including its Internet Security Suite, SpamKiller, Privacy Service and Virus Scan Plus titles, said Marc Maiffret, chief hacking officer at eEye Digital Security Inc., a competing maker of security products.
McAfee spokeswoman Siobhan MacDermott confirmed the vulnerability and said software engineers were testing a fix. She said officials expected to release the patch Wednesday using a feature that automatically updates McAfee products over the Internet. The flaw does not affect 2007 versions of McAfee products, which were released Saturday, she said.
Maiffret said he has found a way to connect to PCs running the flawed McAfee products over the Internet and make them run code of his choosing. The flaw, if exploited, would make it possible for a criminal to track bank account numbers, and access, modify and delete sensitive files and do other damage on machines running the McAfee products, he said.
The reported flaw came on the same day that McAfee posted an item on its Web site taking a swipe at Microsoft Corp., whose products increasingly compete with the offerings of McAfee, Symantec Corp. and other security companies. It warned that code had been released that exploited flaws in a feature used to automate certain administrative tasks in Microsoft's Windows operating system.
"Microsoft products have always been an attractive target for hackers and malware authors," according to a posting on the McAfee Web log.
Maiffret's company, which in the past has discovered embarrassing flaws in products sold by Apple Computer Inc., Microsoft, Symantec and McAfee, said he was withholding technical details of Monday's vulnerability to prevent criminals from learning how to exploit it.
The flaw comes two weeks after Aliso Viejo, Calif.-based eEye disclosed a hole in a McAfee program for protecting business computers. In that case, Santa Clara, Calif.-based McAfee said it had fixed the defect three months earlier but did not warn customers about it until eEye made it public.
In May, eEye uncovered a similarly dangerous flaw in security software by Symantec.
Neither Maiffret nor McAfee said they were aware of any attacks that target the flaw disclosed on Monday.
"The vulnerability isn't public, so you shouldn't see exploits for it," Maiffret said, adding that users of McAfee products should make sure they are configured to automatically check for updates each day.
dude_danny
Identity theft victims to sue NCsoft
Online games giant faces potential $230m lawsuit
Simon Burns, vnunet.com 02 Mar 2006
http://www.whatpc.co.uk/vnunet/news/2151224/identity-theft-victims-sue?page=2
Sorry if posted
Lawyers in South Korea have filed a class action lawsuit on behalf of more than 230,000 victims of identity theft in an online game.
The suit will claim damages of about $1,000 for each plaintiff whose identity was used to register new accounts in NCsoft's popular games, Lineage and Lineage 2, according to media reports.
Most of the identity thefts took place over the past six months as underground gaming syndicates stole victims' official Korean ID numbers in hacking attacks and used them to register hundreds of thousands of Lineage accounts.
As reported last week by vnunet.com, the new accounts were then 'farmed' by low paid workers in Chinese gaming sweatshops to generate 'gold' and other game-world items that could be sold for real world cash.
NCsoft has claimed that it registered the bogus accounts in good faith, and has denied responsibility for the initial theft of ID numbers that made the crime possible.
As well as Lineage, which claims millions of players worldwide, NCsoft operates popular games like City of Heroes, City of Villains and Guild Wars in Europe and the US, and plans to release the much-anticipated Auto Assault this summer.
The company earned pre-tax profits of $86m last year on revenue of $346m. Staff who answered a call to NCsoft's office in Seoul declined to identify themselves or to comment on the identity theft case.
As befits South Korea's tech-savvy citizens, who reportedly spend an average of five hours a day online, the lawsuit is being organised through an online legal portal.
Lawmarket Asia allows plaintiffs to 'auction' their cases to the law firm that promises the highest payout or the lowest fee.
The identity theft cases have generated considerable public comment, as well as complaints, in South Korea.
However, a Lawmarket spokesman told the Korea Herald that, as of Tuesday, only about 100 people had joined the class action suit. The company charges each claimant a $1 fee to join.
Korea's Information Ministry has announced a series of measures which it hopes will prevent a recurrence of the mass ID theft.
These include checking that game and website operators have applied up-to-date security patches, and bolstering monitoring activities by the country's Cyber Terror Response Center, a specialised police division. Police have asked China's assistance in tracking down the perpetrators.
In addition, the Ministry said that it will strongly discourage game operators from demanding government identity numbers from gamers, even though this has proved a simple and convenient way to sign up in the past, and will help them develop an alternative system.
dude_danny
Intel's new chip design takes aim at AMD
By DAN GOODIN, AP Technology Writer
1 hour, 46 minutes ago
http://news.yahoo.com/s/ap/20060727/ap_on_hi_te/intel_chip_debut
SANTA CLARA, Calif. - Intel Corp. introduced its most important product line in six years Thursday, unveiling 10 microprocessors that are expected to help the world's largest chip maker retake ground lost to smaller competitor Advanced Micro Devices Inc.
The Core 2 Duo microprocessors, which are being rolled out gradually over the next month, are Intel's first desktop and mobile chips to feature a blueprint designed to deliver significantly better performance while requiring less power and kicking off less heat.
Over the past year, Santa Clara-based Intel has lost about 5 percentage points of market share to rival AMD thanks to a raft of products that many reviewers have said are faster and less expensive to run than Pentium 4 processors, which Intel rolled out in 2000.
The new Intel design — which delivers as much as 40 percent better performance while consuming as much as 40 percent fewer watts than the previous generation — represents a potent weapon as it tries to close an advantage that AMD has enjoyed for three years.
"The days when AMD could just kick Intel around like it was a piece of wet newspaper are gone," said analyst Nathan Brookwood of the research firm Insight 64. "It is really a dramatic shift in terms of their competitive position, and not a minute too soon."
Intel, which has already begun shipping the new processors, said they will be available from PC makers over the next month. PCs carrying Intel's Core 2 Extreme, a high-end model aimed at computer gamers and other enthusiasts, are already being sold. Desktop systems with the Core 2 Duo will be available in about two weeks, while mobile machines carrying the new chip will start selling in about a month.
Prices for desktop processors range from $183 at the low-end to $999 for the top-of-the-line model, when purchased in volume. Intel did not provide prices for its mobile chips.
The chips, which act as the electronic brain in a computer, are built using a state-of-the-art manufacturing process in which the average circuit feature has been shrunk to about 65 nanometers — small enough so that 100 transistors will fit into a single human blood cell. There are about 291 million transistors in each processor.
Shrinking the circuitry allows Intel to cram more transistors onto the same size of silicon, in much the same way that condensing a letter font allows more words to be printed on a piece of paper. The smaller size also allows Intel to put two computing engines on a single chip.
The processors are built using a new design, or microarchitecture in semiconductor parlance, that was built from the ground up to reduce the wattage they consume and the amount of heat they give off. That helps Intel fight back against AMD, whose newer processors have boasted better performance-per-watt ratios.
Both companies are racing to deliver more power-efficient chips as energy bills for maintaining large numbers of computers and keeping them cool have emerged as one of the top costs in running many businesses.
Shares of Intel gained 8 cents, to $17.58, in Thursday afternoon trading on the Nasdaq Stock Market. AMD shares lost 2 cents, to $18.23, in trading on the New York Stock Exchange.
dude_danny
Phoenix piles in on AMD-Intel case
Trusted Platform Module raises its head
By INQUIRER staff: Friday 14 July 2006, 11:03
EVERY CLOUD has a silver lining and that's never been truer than for lawyers working for IT companies that have found themselves dragged into the AMD Intel antitrust case.
The latest firm forced to get its learned friends is Phoenix Technologies, maker of hand crafted BIOSes to the PC industry. And welcome to a little spat over Trusted Computing.
In a deposition to the Delaware Court, which surely will have to hire a warehouse to put the millions of documents being collected, Phoenix said it had "general" and specific objections to document requests.
For example: "Phoenix objects to each and every document request, definition and instruction, to the extent they seek to impose discovery obligations that differ from or exceed the obligations set forth in the Federal Rules of Civil Procedure."
Phoenix objects to the time, manner and place demanded by the plaintiff, AMD. It will produce documents and the rest only at a time and place to be mutually agreed.
It doesn't want the subpoena to reveal confidential, proprietary and trade secret information of Phoenix, its customers or third parties. It thinks that requests from Intel and AMD are unreasonable, annoying, expensive and burdensome. If AMD really wants stuff from Phoenix it can get it from Intel. And it thinks the term "Trusted Platform Module" is vague, ambiguous and unintelligible. Surely many people would agree with that? In fact, most of the objections Phoenix makes relate to the Trusted Platform Module.
***Just wondering if WAVE will be asked to testify???***
dude_danny
Vista has security flaws
Symantec states the obvious
http://uk.theinquirer.net/?article=33108
By Nick Farrell: Tuesday 18 July 2006, 14:12
ALTHOUGH Microsoft is touting its super soar away Vista as the most secure ever, a security outfit is claiming that it is just creating newer and more spectacular flaws.
Symantec, which has been playing with the beta software, says it is less stable and secure, at least for now.
In a security report into Vista, Symantec said that Vole has removed shedloads of good, tried and tested code and replaced it with new stuff. This means that it has bugs and defects in the short term.
While we would have thought this obvious, Symantec said it found several security bugs in Vista already, and there will be more in the future.
The report said that Symantec was not saying that Vista was going to be inherently insecure when it is released, but people should be aware of the ramifications of a "virgin network stack".
It says that Vista will be the first Windows version to support IPv6, but some of this functionality could expose PCs which would otherwise be snug and secure behind a firewall.
More at news.com. µ
dude_danny
Mobile Security 2006
http://www.tuff.co.uk/Downloads/Informa%20Security%20(2).pdf
Sorry if posted.
Examining the Role of Standardisation within Mobile Product Security to Build Robust Security Strategies
• Outlining current malware threats and potential future security challenges
• How can mobile device security be standardised and what is the effect of standardisation?
• Detailing the perspective of Nokia on the Trusted Computing Group’s security specification
• To what extent can TCG initiatives increase the security protection of the mobile user?
Janne Uusilehto, Head of Product Security, Nokia Corp., Finland and Chair, Mobile Phone Work Group, Trusted Computing Group
10:30 Panel Debate - What is the Extent of the Mobile Security Challenges Facing Operators and their Customers Today?
The debate surrounding the true extent of mobile security threats is heated. Is a major virus attack imminent? Are mobile devices likely to encounter large-scale hacking? Do mobile operating systems suffer the same vulnerabilities as their fixed counterparts? Or is the threat continuing to be overstated? This session will let you join the debate on the true nature of the mobile security threat today:
• How do different players in the mobile value chain view the current threat and are these views justified?
• Are the views of operators and vendors moving further apart?
• To what extent are viruses still a challenge facing operators?
• Have many of the issues that vendors are still flagging been solved by operators, device manufacturers and software developers?
Paulo Simoes, Innovation Unit, TMN, Portugal
Janne Uusilehto, Head of Product Security, Nokia Corp., Finland and Chair, Mobile Phone Work Group, Trusted Computing Group
Frank Zabawa, Corporate Security / Mobile Security, o2 GmbH & Co.OHG, Germany
Janine Joubert, Forensic Services Risk Manager, Vodacom, South Africa
dude_danny
Technology responses to ubiquitous security threats for e-security (TRUST-eS)
http://www.medeaplus.org/web/downloads/profiles/A306_profile.pdf
During the past decade, Europe has led development of smart cards into complex media able to store, compute and securely manage multiple applications. Global terrorist activities have now driven governments, national authorities and large companies to consider cards and other options to upgrade security. But, there is a need to overcome technological limitations currently encountered in card-based transaction platforms, and pre-empt foreign competition to provide reliable and cost-effective solutions for the e-security and e-government applications needed. The MEDEA+ TRUST-eS project is targeting authentication technologies addressing multimode identification with smart-card-based biometrics.
Partners:
Atmel
Axalto
Bioret
CEA Leti
CNM
Gemplus
GET
InnovaCard
INPG-TIMA
iRoC Technologies
STMicroelectronics
SystemPlus
Telefonica
Thales
Uni Madrid (Carlos III)
Uni Tarragona (URV-URJC)
dude_danny
Great find Awk! IMO Asia will become the biggest market for Wave.
dude_danny
O.T. Financial Insights Asia/Pacific Reports on Growing Use of Biometrics in Asian Banks
http://www.idc.com/AP/pressrelease.jsp?containerId=prSG20220906
21 Jun 2006
Lack of Standardization May Prevent Large-Scale Customer Deployment
SINGAPORE and HONG KONG, June 21, 2006 – Leading independent research and advisory firm, Financial Insights, an IDC company, today announced the release of a new report examining the growing use and effectiveness of automated biometric authentication devices by banks in Asia.
Generally viewed as an expensive, high-level security application, biometrics has become more accessible for commercial purposes through technological advances. Estimates by the International Biometric Group see biometric usage growing significantly over the coming years. However, despite increasing usage by Asian banks for internal security, Financial Insights believes it will still be several years before automated biometric authentication devices can be effectively deployed on a customer level.
Figure 1
Abhishek Kumar, market analyst for Financial Insights' Asia/Pacific IT Benchmarking Advisory Service, says, "It is not really an issue of whether banks are ready for biometrics but an issue of whether biometrics is ready for banks. Numerous banks in Asia have already implemented biometrics for internal security purposes, but problems arise when they try and implement customer-level biometric authentication."
Despite being touted as the highest level of security, biometric devices are too diverse with a variety of proprietary elements that make it difficult for them to be interoperable and customer-friendly in the modern banking environment. Kumar concludes, "The lack of standardization between devices, little regulatory guidance, and cost concerns show that the practical implementation of biometric authentication on a customer level is still several years away."
For more information on obtaining this report, Biometrics: Ready for Asia's Banks? (Financial Insights, #FIN201881, June 2006), please contact: sales@financial-insights.com.
About Financial Insights, an IDC Company
Financial Insights provides independent research, custom consulting, and detailed multiclient studies on the technology issues and challenges facing the financial services industry. Our global research covers topics of strategic importance to corporate and retail banks, insurance carriers, asset management firms, securities and brokerage firms. Our local practices in Asia Pacific, Europe, Latin America and Canada add an in-depth regional viewpoint. Financial Insights, an IDC company, is headquartered in Framingham, Massachusetts, USA. IDC is a subsidiary of IDG, the world's leading IT media, research, and exposition company.
Visit www.financial-insights.com for more information.
dude_danny
The case for enterprise rights management
http://www.gcn.com/blogs/tech/41105.html
Richard Clarke, former special advisor to the President for cyber security, sounds as if he feels sorry for the Veterans Affairs Department employee who lost records for 26 million individuals when he took the data home, only to have his laptop stolen.
"Was he at fault or was the department at fault?" Clarke said today at a breakfast in suburban Washington.
While not excusing the VA employee--he did after all violate department policy, Clarke pointed out--the former White House adviser and current chairman of Good Harbor Consulting, lamented the fact that the government had to fire someone who, in most respects, was the kind of employee it should encourage--one who wanted to work overtime on a project and felt the need to take files home to do so.
Clarke was advocating agencies use the type of security tools that would allow that freedom while tightly controlling who can do what with which data--namely enterprise rights management software.
The breakfast was put on by Liquid Machines of Waltham, Mass., which has an ERM suite and recently named Clarke to its public sector advisory board.
Clarke said that not long ago his consulting firm was working with a Boston-based firm that sent over a bunch of data. While trying to manipulate the data (Clarke went so far as to say his team was trying to "hack" the data), Good Harbor personnel discovered they could view the data on-screen, but they could not copy it, or print it, or control it in any other way. It was protected by Liquid Machines' technology.
ERM, or digital rights management as the music/video providers call it, will be a hot topic in the coming years as agencies such as VA try to find technology answers to questions like "How can I make it so an employee can't copy files to a laptop or thumb drive? And how can I keep track of where data goes?"
Liquid Machines software can work with Microsoft Rights Management Services, which is part of Windows Server 2003 and controls data in newer Office versions. And Adobe Systems has been out promoting its LiveCycle Policy Server for controlling documents inside and outside the firewall. (LiveCycle Policy Server won a GCN Best of FOSE 2005 award.)
Going forward there will be several ERM solutions to choose from and challenges to overcome--from integrating them with current directory systems to making them work with HSPD-12 PIV cards. But we have to agree with Clarke when he says that years from now we'll wonder why it took us so long to build this kind of data security.
"We don't know how to control our data and the access to it," he said. And he likened information security to the auto industry. Today we'd never buy a car that didn't have seat belts, airbags, etc., but there was a time they didn't exist.
"Somehow government got around to regulation," Clarke said. "In that case we needed it. The pain got so much we even asked for it."
Clearly, agencies need greater control of their data. And soon they'll probably be forced to achieve it.
Posted by Brad Grimes
dude_danny
STMicroelectronics Appoints New Corporate Vice Presidents for its Asia Pacific and Emerging Markets Regions
Tuesday June 20, 6:00 am ET
http://biz.yahoo.com/prnews/060620/nytu046.html?.v=56
GENEVA, June 20 /PRNewswire-FirstCall/ -- STMicroelectronics (NYSE: STM - News) today announced the appointment of two new Corporate Vice Presidents, Francois Guibert for Asia Pacific and Thierry Tingaud for the Emerging Markets region.
Francois Guibert, currently Corporate Vice President and General Manager of ST's Emerging Markets Region, will be appointed to the position of Corporate Vice President, CEO Asia Pacific region, effective October 1, 2006. Guibert's appointment follows the decision of Jean-Claude Marquet, the current Corporate Vice President of ST Asia Pacific, to retire in October 2006, after successfully managing the subsidiary since 1995.
Under Marquet's leadership, the Company's operations in the Asia Pacific countries, including China, have seen substantial growth over the past ten years, with customers in the region currently accounting for close to 50% of ST's total sales. He has been instrumental in establishing ST's integrated presence in Asia Pacific, spanning the world-class manufacturing machine, R&D and design, customer support, as well as logistics and administrative infrastructure. Marquet also contributed to the recent establishment of ST's new Greater China organization that has been created to further drive the Company's success in the world's fastest growing economic zone.
Guibert, 53, is an ideal candidate for the position of Corporate VP Asia Pacific, combining a successful management track record and profound industry knowledge with key contributions to ST's success in Asia Pacific. At the end of the 1980s, Guibert helped set up ST's Design Centers in Taiwan, Korea, and Hong Kong. He also served as President of the Company's operations in Taiwan in 1989-1992 and later, helped set-up the back-end joint venture with Shenzhen Electronics Group. In 2004, Guibert contributed to the successful negotiations that led to an agreement between ST and Hynix to build the new front end memory-manufacturing facility in China, which is scheduled to begin volume production this year.
Succeeding Guibert's appointment, Thierry Tingaud, currently Vice President Sales and Marketing Europe for Telecommunications, will be promoted to the position of Corporate VP and General Manager of ST's Emerging Markets Region, effective July 1, 2006.
Taking the baton from Guibert, Tingaud, 47, is fully qualified to direct and drive ST's Sales and Marketing operations in Africa and the Middle East, India, Latin America, Russia and the Eastern European countries. With twenty years of experience in sales and marketing worldwide for the Company's key market segment of Telecommunications, Tingaud has played an instrumental role in developing ST's wireline and wireless business with major telecommunication customers that have operations in Asia, China, Europe, Japan, and the Americas. He has also contributed to the Company's leading position and growth in the mobile phone market.
"The Asia-Pacific economies and the emerging markets around the world rank among the fastest growing regions within the global electronics industry. I count on Francois and Thierry to continue our leading position, expand our presence and increase our influence in parts of the world that have strategic importance for our future success," commented Alain Dutheil, Chief Operating Officer of STMicroelectronics. "I would also like to use this opportunity to praise Jean-Claude Marquet for his long-standing commitment and invaluable contribution to the success of the Company."
ST's Emerging Markets region covers a number of booming economies on four continents, including the growing giants of tomorrow -- Brazil, India, and Russia. As a broad-range microelectronics supplier and complete system-solutions provider with a strong culture of cooperation and a long history of geographic diversification, ST works effectively to serve and stimulate the growth of electronics across all industries in the emerging economies, in accordance with specific local characteristics. In 2005, the Company's sales in the Emerging Markets region were approximately 600 million dollars.
Since it started its operations in the Asia Pacific region 37 years ago, ST has grown to be a major player in serving the fastest-growing regional semiconductor market in the world. The Company has built a strong integrated presence all across the region and fueled the growth of domestic sales and business with key local players, most notably in consumer, communications, and automotive sectors. According to the latest market reports, ST was ranked the fourth largest semiconductor company in the Asia Pacific region, based on 2005 sales of approximately $4.1 billion. The Company's sales in the Asia Pacific region, excluding Greater China, were approximately $1.8 billion in 2005.
About STMicroelectronics
STMicroelectronics is a global leader in developing and delivering semiconductor solutions across the spectrum of microelectronics applications. An unrivalled combination of silicon and system expertise, manufacturing strength, Intellectual Property (IP) portfolio and strategic partners positions the Company at the forefront of System-on-Chip (SoC) technology and its products play a key role in enabling today's convergence markets. The Company's shares are traded on the New York Stock Exchange, on Euronext Paris and on the Milan Stock Exchange. In 2005, the Company's net revenues were $8.88 billion and net earnings were $266 million. Further information on ST can be found at http://www.st.com.
dude_danny
Q&A: The Quest (and Justification) for Trustworthy Code
http://www.esj.com/Security/article.aspx?EditorialsID=1893
How to evaluate the security of applications you build or buy, and justify those requirements to senior management.
by Mathew Schwartz
6/13/2006
Four years ago, Microsoft announced its Trustworthy Computing initiative. The goal: to imbue each of its developers with more security savvy, so applications would be more secure from the get-go, resulting in fewer software vulnerabilities, and improving security worldwide.
When it comes to facilitating more secure applications, Microsoft isn’t alone. Its activities parallel—or have engendered—similar moves by numerous software vendors, as well as awareness levels for companies building their own applications for internal use.
Yet creating more secure applications is a laborious process, as is justifying the related expenditures to senior management. To learn how companies can better facilitate such processes, we talk to Dr. Herbert H. Thompson, the chief security strategist of Wilmington, Mass.-based Security Innovation Inc., an application security services provider.
Have compliance requirements changed companies’ perception of software security?
If this was eight months ago, most audits didn’t touch anything except network defenses—firewalls, IDS (intrusion detection systems). But now, [auditors are] starting to ask software-related questions.
Just that fact … has raised awareness of security as a whole in upper management. Once upper management realizes security is kind of interesting and important, then the CIO has a much better case to go to them and say some of our biggest risks in IT are coming from the software we build.
What are companies’ biggest security-related, software-building questions?
For non-software vendors, it’s really, “How can I mitigate risk, and how can I show that I’m actually doing something, to show that I’m mitigating risk?” Some of the biggest risks are coming from software—both the applications I build and choose to buy—as opposed to the network. …
Another question is, ‘How do I better judge applications to make more security-savvy buying decisions?’ There’s no equivalent of a Consumer Reports test for software security. … so [there’s a need] to arm folks to ask vendors the hard questions about security.
Are companies properly allocating resources to make applications built in-house more secure?
I’ve been to organizations that have three different firewalls from three different vendors daisy-chained so you go through all three, which is a ridiculous allocation of monetary assets. Because the chances of the [security improvement] delta you get from all three firewalls is ridiculous, for the money spent, versus what if I just trained an influential developer on security. Would that have bought me more in terms of operational security?
So companies need more of a big-picture view?
We need a holistic approach to software security, and it’s not just something that can be bolted on at the end of the process, just through testing, and it’s not just something that can be bolted onto a system through network appliances. …
Is it getting any easier to code applications more securely?
A big change is that building security in [is easier] now. Microsoft Visual Studio 2005, it’s got some source-code analysis stuff in there, a little bit of the PREfast stuff, that Microsoft uses to scan its own code. It’s also got just more to enable the developer to write more securely—more information. Again, a source-code scanning plug-in, support for libraries in a .NET framework that are inherently more secure, secure string in .NET, that sort of thing. Then you’ve got the big push from all these vendors offering security software [scanning tools].
Would the code-scanning tools in Visual Developer be sufficient to help developers write more secure code?
It’s one little thing, but that one little thing can help, certainly, if you’re not doing anything. And some places aren’t doing anything, because they don’t have any idea what they should do … or they can’t justify it up the chain in terms of return on investment (ROI).
Why is it difficult to calculate the ROI of more secure software?
If you talk to a CSO [chief security officer] or a CISO [chief information security officer], they may understand they need more secure software, but they don’t know how to communicate that need in business terms up to their bosses. … Say you’re a CISO or a CTO [chief technology officer] and you spent $500,000 or $1 million on security this year and there were no incidents, and the budget comes up for next year, and you’re in a tough spot because your manager is looking down at you, really doesn’t understand security, but does understand risk.
So one of the biggest things we’ve been doing at Security Innovation is when we deliver a service or help people improve their software-delivery process, it’s been not just helping the process, training their people, and helping them add secure-coding baselines into the mix, but also [discussing] how can you record measures of improvement, so you can know if you’re getting better or not. And that’s been a huge challenge in the industry.
How can companies calculate the ROI from lowering the risk of bugs?
[One resource is] AppSIC, the Application Security Industry Consortium, which we formed, but outside of Security Innovation—as a non-profit. It is a collection of security executives from the vendor and business communities. It includes Mary Ann Davidson, CSO of Oracle; Sachar Paulus, CSO of SAP; Scott Charney, vice president of Trustworthy Solutions for Microsoft. …
Our [goal] is … [to find] metrics for software security. [So] if I’ve got $100 to spend on a security improvement process for my software, how do I allocate it?
For improving software security, what’s your most recommended expenditure?
Awareness and training for developers: that’s probably going to buy you the most for your dollar. But there’s a point where I spend $100 or $100,000 on that, and [then], if you ask that question again, … it’s [a different answer].
What about evaluating the security of applications you might purchase?
One of the big things I’ve found is that software security isn’t just about the security quality of the application we get; it’s also about security quality of service we get from the vendor.
That’s kind of interesting, because unlike a car or something I buy from Ford, I buy the car and take it on the road, but the car doesn’t really change over time. Whereas software does. … So when I need to evaluate a piece of software, one of the biggest questions may be how is my vendor going to help me?
What questions can organizations ask to evaluate if vendors will help?
One question is what does a patch release look like? One of the biggest pains for customers is patching. So how does the vendor provide the patch, what sorts of tools do they give me to disperse the patch, can I get any insight into the destabilization it can cause? When they release a patch and discuss things like the severity of the vulnerability, is there enough information on the vulnerability for me to make a contextual assessment? They rate it as critical, but is it really critical for my network?
dude_danny
O.T. Storage Security: Staying Out of the Headlines (Webcast)
http://www.enterprisestorageforum.com/webcast/article.php/3590486
June 21, 2006, 2 p.m. EDT, 11 a.m. PDT
Speaker: LeRoy A. Budnik, Managing Partner, Knowledge Transfer
Storage security has become one of the hottest issues in IT, as high-profile database breaches and lost data tapes have catapulted the issue off the pages of trade journals and onto the nightly news. Companies report that just a single storage security incident can bring millions in unwanted scrutiny and costs.
Join us in this free Webcast to hear LeRoy Budnik, chairman of the SNIA Storage Security Industry Forum and one of the foremost authorities on data security, discuss the latest in storage security trends, including legislative and standards efforts, and steps you can take to keep your data safe and your organization out of the headlines.
dude_danny