Cyber Security Institute

Friday, April 30, 2004

A technical description of the SSL PCT vulnerability

There have been public discussions about the exploitation of the SSL PCT vulnerability.

Netsky Remains Big Dog In April

The Netsky worm continued to dominate the virus charts for another month, security vendor Sophos said Friday as it released its April Top Ten list.


Global IT security spend hits $42bn

Buoyed by a tidal wave of computer viruses, security breaches, legal liability and productivity concerns, worldwide IT security spending hit $42bn in 2003.


Thursday, April 29, 2004

Computer hacking ‘costs billions’

Three-quarters of UK companies have been hit by security breaches in their computer systems over the past year, costing billions to industry.


Hedging the Risk of Instant Messaging

Though instant messaging (IM) is a fast and convenient communications format, buy-side firms are still cautious about the regulatory implications of using the technology because they lack the compliance tools to archive and retrieve the content.


Tuesday, April 13, 2004

The New Economics of Information Security

Even for non-victims, there’s a financial hit in implementing security measures to prevent losses. Firewalls cost money, and so do the salaries of the security professionals who manage them. Yet, relatively little attention has been paid to the economics of information security.


Friday, April 09, 2004

Security Updates on Tap for Server 2003

Even as it puts the finishing touches on major security upgrades for Windows XP due later this spring, Microsoft Corp. is preparing a similarly extensive set of security improvements for Windows Server 2003.


Thursday, April 08, 2004

RogueWatch does the watching for you

Whether well-intentioned or not, users can create a real security nightmare when they attempt to piggyback onto your network.


Wednesday, April 07, 2004

Major security breaches usually due to human error

Major security breaches, defined by a survey “as one that caused real harm, resulted in confidential information taken or interrupted business,” are slowly increasing and are most often attributed to human error (47%), rather than technical problems.

IT directors welcome Big Four’s corporate security initiative

Plans by an industry consortium to develop a corporate checklist for assessing cyber threats could help IT directors justify security spending and help protect companies against hackers, according to industry experts.


Tuesday, April 06, 2004

Delivering the 12kb Bomb

The average size of email-borne viruses so far this year has been well under 20 kilobytes.


Bridging the gap between security and developers

A lack of common understanding between IT security professionals and application developers is causing security flaws to be built into systems from the earliest stages of development.


Monday, April 05, 2004

Sarb-Ox Offerings on the Rise

With the first Sarbanes-Oxley Act compliance deadlines just seven months away, Microsoft Corp. and Oracle Corp. have introduced software to automate publicly held companies’ compliance processes.

Microsoft’s Office Solution Accelerator for Sarbanes-Oxley, rolled out last week, provides best-practice guidelines and templates for documenting processes using Microsoft’s Windows SharePoint Services and Office InfoPath 2003 products.

Office Solution Accelerator for Sarbanes-Oxley is one of the first products available under a larger compliance initiative from Microsoft, officials said.

The Redmond, Wash., company also has plans to offer document and e-mail retention solutions by working with third-party software developers that build on Microsoft’s Windows Storage Server 2003 product.

Each Office Solution Accelerator is designed to help develop a solution to a problem.

Such problems might include streamlining recruiting functions, consolidating administrative tasks, creating customized reports or writing proposals.

Separately, Oracle, of Redwood Shores, Calif., late last month released ICM (Internal Controls Manager) Version 2, a component of Oracle E-Business Suite.

The new version aims to speed the automation of business processes and internal controls so companies can more easily comply with Sarbanes-Oxley and other regulations, Oracle officials said.

For instance, Version 2 adds support for regional or business unit requirements when standardizing business processes.

This version can also assign objectives to business processes while identifying risks that may occur as part of those objectives.

This version features distributed certification of financial statements and the internal and disclosure controls they rely on, allowing process owners to certify and document issues where they occur.

Ilog Inc., of Mountain View, Calif., last week announced its Data Solutions Accelerator, a collection of technologies and services used in combination with Ilog’s JRules business rules management software.

The new offering includes compliance-specific business rule language templates and modeling tools, reporting and auditing features, and access to best practices developed by Ilog’s professional services team.

Symantec Updates Enterprise Client Security Software

Symantec on Monday introduced new client-side security software for the enterprise that borrows some tools and techniques from the company’s consumer line.

Client Security integrates firewall, anti-virus, and intrusion detection defenses for desktops and laptops, then puts all the protected clients under control from a single management console.

Its target: systems that are beyond the enterprise perimeter, such as employee PCs, mobile workers’ notebooks, and branch office systems unguarded at the gateway.

“If clients always stayed behind the perimeter, you wouldn’t need something like Client Security,” said Murray.

“But they’re moving beyond the perimeter, and enterprises need to protect every aspect of the corporate environment.”

Among the new features in version 2.0 are several which made their debut in the consumer-level Symantec Internet Security, said Murray.

Client Security now includes a Web ad blocker as well as an adware/spyware detector, both tools that have been part of Internet Security for consumers.

Client Security also boasts several new features expressly for enterprises, including a virtual private network (VPN) compliance checker that verifies an outside system meets set policies before it’s allowed to connect with the network.

Administrators can demand that remote machines accessing the network via a VPN tunnel, for instance, have up-to-date virus definitions and a properly configured and enabled firewall.

Forrester questions Linux security

A new study from Forrester Research has concluded that the Linux operating system is not necessarily more secure than Windows.


Friday, April 02, 2004

Virus alerts explode

MSBlast epidemic far larger than believed

New data from Microsoft suggests that at least 8 million Windows computers have been infected by the MSBlast, or Blaster, worm since last August—many times more than previously thought.

Insurers to drop hacking premiums

Prices for hacking insurance are predicted to drop for some businesses as insurers begin to understand the market better.

Open-source flaw database opens its doors

The Open Source Vulnerability Database (OSVDB) has launched a free Web site that catalogues security flaws in Internet-related software.

It will, say its creators, promote more open collaboration between companies and individuals “and reduce expenses inherent with the development and maintenance of in-house vulnerability databases”.

There are various specialist mailing lists that inform administrators and developers about newly discovered security vulnerabilities, but the OSVDB, which was launched in 2002, claims to be the first site to aggregate all this content onto a single searchable resource and make it freely available on the Web.

An OSVDB spokesperson said in a statement that the number of computer security vulnerabilities has increased more than 2,000 percent since 1995: “Tracking these vulnerabilities and their cures is critical for those who protect networked systems against accidental misuse and deliberate attack, from home users and small businesses to globe-spanning enterprises,” he said.

Richard Starnes, director of incident response at Cable & Wireless, welcomed the resource because it could help administrators keep track of an increasing number of online threats: “Administrators have to cover more than a dozen Web sites and mailing lists and it is getting to the point where even medium sized companies are having to look at hiring an intelligence officer to keep track of the latest vulnerabilities,” he said.

In the same year that the OSVDB was created, antivirus company Symantec acquired SecurityFocus, which publishes the BugTraq mailing list that provides a similar service to its subscribers and opens the information to all Web users after a few days.

U.S. Goals Solicited On Software Security

The federal government should set goals for reducing flaws in computer software that allow attacks by hackers, and other regulations might be necessary to better protect cyberspace, an industry task force said yesterday.

Despite rising incidents of worms, viruses and identity fraud that have cost businesses and consumers as much as $10 billion a year, technology companies have fiercely resisted calls for government intervention that would require companies to provide safer software and strengthen their networks.

Many cyber-security experts have argued for years that such measures are needed in a world where an attack on one computer or network can rapidly spread to thousands or millions of others.

The report issued yesterday stops short of specific mandates, focusing primarily on broad, voluntary measures for both the makers of software and the network operators who use it.

But the task force, headed by representatives of software giant Microsoft Corp. and security vendor Computer Associates International Inc., suggested some rules might be needed.

“It is possible that national security or critical infrastructure protection may require a greater level of security than the market will provide,” said the report.

The task force, whose members include technology and non-technology companies and some academics, is one of four such groups created in December in a partnership with the Department of Homeland Security.

Other recommendations in the report include: increased funding for cyber-security research at universities; improved university certification programs that stress security training for engineers; and a Department of Homeland Security evaluation of software vulnerabilities.

“To have a secure U.S. cyber infrastructure, the supporting software must contain few, if any vulnerabilities,” the report said.

is frequently not adequate to meet the needs” of computer users and network operators.

But the willingness expressed in the report to consider regulation did not satisfy some critics.