Month: November 2004

Hacker Exploit Spreads Virus Through Banner Ads

Posted on by admini

The malware exploited a vulerability in Internet Explorer that was announced earlier this month; Microsoft says a fix is more than two weeks away.

Hackers used banner ads to launch a widespread attack in Europe over the weekend. The hackers apparently broke into a that delivers banner ads for Germany’s Falk eSolutions and loaded malicious code on banner advertising that appeared on hundreds of Web sites. “Early Saturday morning an unauthorized individual exploited a weakness in a load balancer on the European AdSolution network.” The purpose of the exploit was to establish a redirect to malicious code through a javascript component of Falk’s ad delivery.

The malware exploits the Bofra/IFRAME vulnerability in Internet Explorer, which was announced earlier this month. Systems that have been upgraded to Windows XP Service Pack 2 reportedly are not affected.

“In total, potential redirects to this exploit code represented less then 2 percent of EU ad requests and under 0.1 percent of U.S. ad requests during this time period,” Falk eSolutions says in a notice on its site.

GMT, the virus was removed from all Falk European and U.S. networks, and normal ad delivery was restored,” the company says.

http://enterprise-security-today.newsfactor.com/story.xhtml?story_title=Hacker-Exploit-Spreads-Virus-Through-Banner-Ads&story_id=28597&category=intrusion

Read more

Tech leaders see the CFO’s role growing

Posted on by admini

Among the business leaders taking the stage were George Reyes, chief financial officer of Web search giant Google, and James Goodnight, chief executive of SAS. Along with experts such as Blythe McGarvie, president of consulting group Leadership for International Finance, and Angelo Messina, CFO of manufacturing giant Carrier, the business leaders outlined the challenges of being a top-ranking finance executive.

Predictably, the issues most frequently touched on were related to the glut of accounting scandals unearthed at companies such as Enron over the past several years, and the daunting task of meeting the guidelines set forth in the Sarbanes-Oxley Act, the legislation crafted in the wake of those scandals to protect against corporate fraud.

Reyes noted the importance of establishing better protective measures but said Google’s efforts to comply with Section 404 of Sarbanes-Oxley have become increasingly expensive. The 404 guideline, which took effect earlier this month, demands that publicly traded companies have policies and controls in place to secure, document and process material information dealing with their financial results.

“It’s always true that a smart bad guy can extract what they need (to commit fraud), but I have real concerns over the rising costs” of Sarbanes-Oxley, Reyes said. “We’ve seen (Section) 404 certification fees triple, and with a scarcity of resources on the market, people are taking advantage.” Reyes said one benefit of working to meet the requirements of Sarbanes-Oxley has been the opportunity to employ new accounting process measures that benefit the company as a whole, not just in meeting the regulatory legislation’s terms. While he believes that costs related to addressing Sarbanes-Oxley remain “out of whack,” Reyes said he hopes activity in the sector will cool down over the next two years.

Goodnight, who offered a colorful illustration of how some companies may actually be able to save money by purchasing their own airplanes, as he says SAS has, focused on the growing need for chief executives to nurture close relationships with their CFOs.

The SAS executive said that in addition to “keeping their CEOs out of jail,” chief financial officers must become more involved in corporate strategy, not just smarter bookkeeping. “The relationship needs to be more collaborative than it ever was in the past,” Goodnight said. With the accounting fallout bringing corporate governance to the forefront, that adds a need for additional levels of trust and mutual dependency between CEOs and CFOs.”

The executive referred to the CFO as the chief executive’s “ideal confidant,” someone who needs to look beyond the numbers on a company’s balance sheet to help understand where a business needs to go in order to improve its prospects. “CEOs need to include their CFO as a trusted partner to balance internal and external factors and transform their role from providing transparency to creating a better corporate vision,” Goodnight said.

Among the other issues addressed by Google’s Reyes were the search company’s initial public offering, in August 2004. The CFO called the stock offering the “critical defining moment” for Google, and he admitted that challenges such as the publishing of a controversial executive interview in Playboy magazine made the event all the more harrying. “In some ways, we didn’t perform as well as possible, as with the Playboy article, which was a self-inflicted wound,” Reyes said. “But, as our board of directors and investors look back, we couldn’t be happier with the outcome, as the stock is performing well.”

Reyes also detailed his role in promoting Google’s human resources efforts, including the company’s strategy of keeping employees on campus by offering on-site benefits such as gyms, masseuses and an abundant cafeteria. The executive even broached the topic of the corporate expensing of stock options, a concept that has ruffled feathers throughout the IT industry, based on the belief that the practice will discourage companies from offering the incentives to employees. “Equity and stock options have been at the heart of (Silicon Valley’s) attraction,” he said.

“But there’s a new sheriff in town, and he’s beating the drum this year.

http://news.zdnet.com/2100-3513_22-5460352.html?part=rss&tag=feed&subj=zdnet

Read more

Air Force turns to Microsoft for network security

Posted on by admini

The Air Force is consolidating its 38 software contracts and nine support contracts with Microsoft into two all-encompassing, agencywide agreements, according to a statement seen by CNET News.com.

The contract, done in conjunction with Dell, will call for the installation and configuration of software as well as ongoing maintenance and upgrades.

The deal, which includes 525,000 licenses of Microsoft’s Windows and Office, is valued at $500 million over six years, according to Microsoft.

The move is part of the “One Air Force, One Network” strategy that the Air Force plans to announce Friday. An Air Force representative confirmed many details of the announcement, including that it is expected to save the agency $100 million over six years.

“The consolidation will result in standard configurations for all Microsoft desktop and server software,” the Air Force said in the statement. “The standard configurations will enforce rigorous security profiles and will be updated online with security patches and software updates.”

Microsoft representatives confirmed that the company will work with the Air Force to define security configurations for the agency’s desktop and servers. The representatives also said the deal includes an agencywide help desk service contract.

The Air Force deal differs from that of other government agencies because it will involve more custom work around security, and because the Air Force has taken an agencywide approach to procuring software and services, said Curt Kolcun, the general manager of Microsoft’s federal business.

“By working together in this way, we can get a better understanding of what we need to do to our technology and how it will be applicable for commercial products, as well as other agencies,” he said.

http://news.zdnet.com/Air+Force+turns+to+Microsoft+for+network+security/2100-1009_22-5457344.html?part=rss&tag=feed&subj=zdnn

Read more

Following trend, Oracle sets schedule for patches

Posted on by admini

The company said Thursday that it will release security bulletins and accompanying patches for its products on Jan. 18, April 12, July 12 and Oct. 18. The bulletins will address security vulnerabilities for products such as Application Server, E-Business Suite and Enterprise Manager and will be issued through the company’s support Web site.

“Organizations prefer regular, planned schedules for patching their information technology systems,” Mary Ann Davidson, chief security officer of Oracle, said in a statement. “The quarterly schedule strikes a balance between issuing patches often enough to protect customers from serious vulnerabilities while making it easier for customers to manage the maintenance process.”

The schedule is also designed to avoid common blackout dates; many organizations are not allowed to update systems at the end of the quarter when they are closing their books.

Oracle also said the updates could help cut the cost of applying patches by delivering a single patch for fixing multiple vulnerabilities. The move reflects an industry trend of software companies releasing fixes to tackle security vulnerabilities in their products on appointed dates.

http://news.zdnet.com/2100-1009_22-5458541.html?part=rss&tag=feed&subj=zdnet

Read more

Microsoft aims to increase time between patches

Posted on by admini

George Stathakopoulos, director of Microsoft product security, told ZDNet UK sister site ZDNet Australia on Wednesday that his long term goal is to create an operating system that will never need patching. But he concedes that because software is so complex this is a virtual impossibility.

However, Stathakopoulos said that as Microsoft continues to rid Windows of bugs and improves its overall resilience, the company is hoping to extend the time between patches from the current monthly update to as much as six months between updates. He believes SP2 is a step in the right direction because it brings greater resiliency to the Windows OS, which would mean an MSBlast-type attack on an SP2 system would not cause as much chaos because administrators would have more time to react.

“Take the RPC vulnerability — that enabled the MSBlast worm. If you had a personal firewall, the vulnerability doesn’t exist. Even if you take down the firewall, XP SP2 now has memory protection that filters buffer overruns. We want to change the rules so even when a hacker can exploit a buffer overrun he can’t do anything material with it,” said Stathakopoulos.

Neil Campbell, national security manager at Internet security specialists Dimension Data, welcomes Microsoft’s efforts at increasing the time between patches. Microsoft is definitely working towards reducing the number of times companies have to patch,” said Campbell. “If an application tries to write to a part of memory that it shouldn’t have access to, it will get stopped through a combination of software and hardware.

http://news.zdnet.co.uk/software/windows/0,39020396,39174244,00.htm

Read more