Month: December 2003

Financial firms to increase investment in compliance

Posted on by admini

The survey – conducted among 41 financial institution representatives at a Sun client conference organised by Finextra sister company 660 Degrees – found that 83% of respondents believe investment in compliance technology will be higher in 2004 than in 2003.

Of those surveyed, 64% cite compliance with legislation such as Basel II and Sarbanes-Oxley as ‘very important’ and 26% as ‘important’. Over half (55%) of firms describe compliance as a “distraction” from their core business in 2004 as they take steps to meet legal requirements.

Under Basel II, banks will be required to set aside capital to cover contingencies relating to operational risk. The final rules, which come into effect in 2007, will require banks to have collected and aggregated three years’ worth of data in order to effectively monitor and analyse risk under internal programmes.

Sarbanes-Oxley legislation requires chairpersons and chief financial officers to submit documents attesting to the accuracy and soundness of financial reports.

Martin Brown, UK head of finance, Sun Microsystems, says because of this regulation, sophisticated data mining tools, archival and retrieval systems and security software are now top of many firm’s priority lists. “2004 will be a defining year for regulation in the financial services industry. Not only is Sarbanes-Oxley coming into force, but in order to meet Basel II in 2007 financial institutions need to put the building blocks in place now,” he adds. Brown says that the Basel II and Sarbanes-Oxley are encouraging good business practice: “A firm should know what its exposure is and be able to base decisions on a complete set of historical data.”

More info: [url=http://www.finextra.com/fullstory.asp?id=10795]http://www.finextra.com/fullstory.asp?id=10795[/url]

Read more

Windows 98 Presents Security Problems As It Ends Lifespan

Posted on by admini

The research paper and an accompanying survey, both released by AssetMetrix Research Labs, an arm of IT asset management vendor AssetMetrix, points out that although there are large numbers of machines in enterprises still running Windows 98, the Redmond, Wash.-based developer is set to retire the operating system and will stop posting security fixes for the OS in mid-January 2004.

AssetMetrix’s survey of 670 companies found that 80 percent of the firms were still running at least one machine with Windows 98 and the older OS, Windows 95. Together, the two operating systems account for over 27 percent of all installed Windows machines, a number substantially higher than the meager seven percent share of Windows XP.

As of January 16, 2004, Microsoft will shift Windows 98 into what it dubs the ‘non-supported phase,’ which means that although online help for the operating system will continue, the company is not obligated to release security ‘hotfixes’ for uncovered vulnerabilities. To compound the issue, Microsoft earlier this week announced that it was discontinuing distribution for all editions of Windows 98 except for Windows 98 Second Edition, a move required by a settlement reached with Sun Microsystems in a dispute over Java.

“But the largest potential risk to corporations using Windows 95 and 98 is the probability of an Internet-based security exploit being discovered after January that can affect a Win9X PC,” said AssetMetrix’s report. Among his other recommendations: make sure that all PCs, regardless of the operating system, have the latest security fixes from Microsoft installed, inventory the enterprise’s PCs to determine how many are running Windows 95 and 98, and obtain installation images prior to December 23, when Microsoft will stop the distribution of most flavors of Windows 98.

More info: [url=http://www.techweb.com/wire/story/TWB20031211S0009]http://www.techweb.com/wire/story/TWB20031211S0009[/url]

Read more

Yet Another Worm Posing as a Microsoft Patch is Released.

Posted on by admini

Anti-virus company Sophos said the worm, which it had christened W32/Yaha-Y, spread via network shares and email. Emails sent by the worm were randomly selected from a list contained inside the worm.

Computer Associates’ analysis of the worm showed that its payload modified the lmhosts file on an infected computer to block access to symantec.com, microsoft.com, sophos.com, avp.ch, mcafee.com trendmicro.com, pandasoftware.com, www3.ca.com and ca.com – all anti-virus companies’ sites, apart from Microsoft. It appears from the code that the author also intended to install a key-logging trojan [email]anyuser@yahoo.com.txt[/email] in the cookies folder of affected machines.

As with previous Yaha variants, the worm may also attempt Denial of Service attacks against these targets: pakrail.com, paic.com.pk, jamaat.org, kse.net.pk and pak.gov.pk.

More info: [url=http://www.smh.com.au/articles/2003/12/11/1071086178204.html]http://www.smh.com.au/articles/2003/12/11/1071086178204.html[/url]

Read more

Microsoft gets Windows XP update ready

Posted on by admini

The beta version of Windows XP Service Pack 2 is expected to be made available to testers soon via Microsoft’s developer Web site. The final version is expected to be released in the first half of next year, Microsoft said.

“The Windows XP SP2 beta is intended to provide software developers and IT professionals an opportunity to conduct early testing and to allow Microsoft to collect valuable customer feedback,” the software company said in a fact sheet it provided to reporters. “During this beta, Microsoft hopes to garner significant feedback from developers and IT professionals that will be incorporated into and improve the final product.” Microsoft said that the software will be made available to information technology managers and developers via the MSDN Web site, and the company also will test the software using a number of people who have registered to be beta testers. In all, there will be hundreds of thousands of testers, Microsoft said.

Among the security improvements in Service Pack 2 are a beefed-up version of Windows Firewall, previously called Internet Connection Firewall, and software designed to block pop-up ads and prevent the unintended downloading and installation of software. The company also turned off the Windows Messenger service, which had been abused by some hackers. The improved firewall will be turned on by default and is designed to prevent all ports from accepting information from outside networks, unless permitted to by an application.

Microsoft also said it has taken a number of steps to reduce a type of exploit known as a buffer overrun, but the company warned that it is probably impossible to completely eliminate such vulnerabilities. “Although no single technique can completely eliminate this type of vulnerability, Microsoft is employing a number of security technologies to reduce the likelihood and potential of an attack in a number of different ways,” Microsoft said.

Additionally, the company said the new Windows XP will make it easier for customers to turn on the automatic update feature, which downloads and installs critical updates automatically.

Microsoft stressed the importance of the additional security features for smaller businesses and consumers. All computers that are connected to the Internet need protection against network-based attacks like Blaster,” Microsoft said. The software maker has been under pressure to improve the security of Windows after a spate of high-profile attacks earlier this year.

The new Service Pack will upgrade Windows XP to support a later version of the short-range Bluetooth wireless technology, Microsoft said. It also includes a utility that makes it easier to connect a PC in a wide range of wireless hot spots, places where wireless Web access is available to the public, without adding special software.

More info: [url=http://news.com.com/2100-1016_3-5120138.html?tag=nefd_top]http://news.com.com/2100-1016_3-5120138.html?tag=nefd_top[/url]

Read more

Homeland department gets ‘F’ for computer security

Posted on by admini

The report, prepared for the House of Representatives’ Committee on Government Reform, found that almost all agencies had improved their computer-security grade since last year. However, several key federal departments continued to fail to adequately protect their networks and earned an “F.” Two agencies, the Department of Health and Human Services and the National Aeronautics and Space Administration, slipped in the rankings since 2002.

The newest department in the federal government, the Department of Homeland Security, got off to a bad start with an overall “F” for its computer security, despite the fact that securing the nation’s network is part of its mission.

Davis took the private sector to task for poor security overall as well. “The culture of our top-level chief executives in the private sector, and top executives in government, must be changed,” he said in the statement. “We must get those at the very top, the decision makers, the ones accountable to the shareholders, the customers or the electorate, to recognise that lack of network security in an organisation is a material weakness and one that deserves necessary resources and immediate action.”

This year, two agencies earned an “A”: the Nuclear Regulatory Commission and the National Science Foundation. Ironically, a privately maintained nuclear reactor under the NRC’s jurisdiction suffered an attack by the Slammer worm in early 2003.

More info: [url=http://www.silicon.com/management/government/0,39024677,39117281,00.htm]http://www.silicon.com/management/government/0,39024677,39117281,00.htm[/url]

Read more