January 2006 – Page 5 – CyberSecurity Institute

BANK SECRECY ACT Sharing Suspicious Activity Reports With Controlling Companies

Posted on January 20, 2006December 30, 2021 by admini

* A controlling company includes a bank or savings association holding company, or a company having the power directly or indirectly to direct the management or policies of an industrial loan company or a parent company, or to vote 25 percent or more of any class of voting shares of an industrial loan company or a parent company.

* Sharing a SAR within an organization is allowable for the head office, or for the controlling entity or party to discharge its oversight responsibilities with respect to enterprise-wide risk management and compliance with applicable laws and regulations.

* Accordingly, a bank or savings association (depository institution) may disclose a SAR to its controlling company(ies), whether domestic or foreign; and a U.S. branch or agency of a foreign bank may disclose a SAR to its head office outside the United States.

* Depository institutions, as part of their anti-money laundering program, must have written confidentiality agreements or arrangements, and proper internal controls in place to protect the confidentiality of the SAR.

http://www.bankinfosecurity.com/regulations.php?reg_id=140&PHPSESSID=dc6f96a8b3806f79be541fd18aa9c5a7

An Inside Look at IPSec in Vista

Posted on January 17, 2006December 30, 2021 by admini

One big change in Vista is in the TCP/IP networking stack itself. Vista has a totally revamped Next Generation TCP/IP stack that has a ton of enhancements with regard to performance, scalability, and extensibility. There’s also a new architecture called Windows Filtering Platform (WFP) that provides APIs for accessing packets at virtually any point in the path as they are processed by the stack. These changes to the stack affect how IPSec works because of the addition of built-in callout functions that can be used for IPSec communications.

A list of APIs for this feature can be found on MSDN if you’re a developer interesting in building IPSec-aware applications and tools. Note that these APIs, like any other feature of Vista, are subject to change before RTM.

Another change in Vista is that management of IPSec and Windows Firewall now are tied closely together. This is accomplished by integrating the firewall filtering functions and IPSec protection settings and managing them using a single snap-in called Windows Firewall with Advanced Security.

There are also unified command-line tools you can use as well to manage both Windows Firewall and IPSec settings. In fact, even the Group Policy settings for Windows Firewall and IPSec are now in the same place with Vista and are found under Computer ConfigurationWindows SettingsSecurity SettingsWindows Firewall with Advanced Security. That means in existing Windows XP and Windows Server 2003 platforms, it’s possible to set up firewall filters that conflict with IPSec policies and prevent network traffic from working the way you intend it to. With a single console for configuring both Windows Firewall and IPSec settings, there’s less chance for errors like this to occur, which is good since IPSec problems are notoriously difficult to troubleshoot.

Finally, the new console and command-line tools for managing Windows Firewall and IPSec settings are designed to make it a heck of a lot easier to configure IPSec policies in the first place.

The question is whether these enhancements on the client side will work with current Windows servers, or whether we’ll have to wait for Longhorn Server to see these benefits fully realized.

First, a Microsoft PressPass news release concerning the December 2005 Community Technology Preview (CTP) of Windows Vista says that the new integrated firewall/IPSec console “centralizes inbound and outbound traffic filtering along with IPSec server and domain isolation settings in the user interface.” And Vista is designed to help make domain isolation easier to implement–though Longhorn Server will probably be required for domain isolation to be truly simple to configure.

And second, Vista supports Network Access Protection (NAP), a new security technology that extends the Network Access Quarantine Control feature of Windows Server 2003 to help protect Active Directory-based networks from infected, misconfigured, or otherwise unhealthy client computers. Vista will change some of that, and Longhorn Server will bring this elusive goal even closer.

Meanwhile, the enhancements to TCP/IP and the IPSec management improvements found in Vista will make IPSec easier to use in the enterprise and likely lead to more organizations adopting it as an inside network protection technology.

http://www.windowsdevcenter.com/pub/a/windows/2006/01/17/an-inside-look-at-ipsec-in-vista.html

Microsoft Pushes Windows XP SP3 To Late 2007

Posted on January 17, 2006December 30, 2021 by admini

In the same roadmap, Microsoft posted the second half of 2006 as the anticipated release frame for Windows Server 2003 Service Pack 2 (SP2).

Last week, Microsoft extended support for Windows XP Home through 2008, a change from earlier plans to drop support for the OS by the end of 2006.

http://www.informationweek.com/story/showArticle.jhtml?articleID=177100974&cid=RSSfeed_IWK_news

DHS grant kit offers cybersecurity guidance

Posted on January 17, 2006December 30, 2021 by admini

In previous years, DHS has made general recommendations that states and other grant recipients conduct cybersecurity planning.

The largest grant program, a $2.5 billion State Homeland Security Grant Program, sends money to the states for anti-terrorism planning, equipment, exercises and training. The second largest is $862 million for the Urban Area Security Initiative, which distributes grants to major cities.

http://www.washingtontechnology.com/news/1_1/daily_news/27757-1.html

Web applications are easy targets

Posted on January 16, 2006December 30, 2021 by admini

One issue is the thousands of insecure PHP or other web scripts that get installed and are never updated, even when the programmers come up with fixes.

Security experts at Netcraft, which audits web applications, typically find problems such as weak session management, SQL injection risks, buffer overflows and vulnerable debug code mistakenly left in production applications.

In a paper presented at the JavaOne conference last year, Cisco security architect Martin Nystrom claimed that 95 percent of web applications have flaws, with 80 percent vulnerable to cross-site scripting attacks.

http://www.vnunet.com/itweek/comment/2148638/web-applications-easy-targets

ISPs, telcos and police voice fears over data retention cost

Posted on January 13, 2006December 30, 2021 by admini

However, the directive has been criticised for not putting the question of who pays the cost of retaining data into law, instead relying on informal negotiations between individual ISPs, telcos and the Home Office. “No mention is made of costs. The directive says ‘Article 10 — Costs. Deleted’,” said Internet expert Clive Feather, speaking at the Internet Service Providers Association (ISPA) Annual Parliamentary Advisory Forum in Westminster.

Italian ISP Tiscali also believes this is a serious issue if the law is to work. “There is a concern that the directive makes no provision for reimbursement to ISPs for extended data retention,” said Emeric Miszti, Security and AUP Officer at Tiscali. “Data retention is not simply about disk drives. The development, management, and security costs must be taken into account.” .

This is a view shared by the police who will be expected to pay part of the cost. “There should be recognition of the cost of data retrieval, and also the cost of the mechanism and process of data retention,” said Jim Gamble, Deputy Director General, National Crime Squad. “We pay a portion of the cost of recovery, and believe industry should have reasonable recompense.”

Feather also raised other concerns about the wording of the directive says that it still “contains nonsense”. “It includes provision for the retention of the date and time for ‘log in’ and ‘log off’ an Internet email service, but most email programs connect to the email server every five minutes. The directive doesn’t ask for the time mail is sent and received. It doesn’t ask for the sender of received emails,” said Clive Feather. The directive also does not specify exactly what an Internet service provider is, said Feather, leaving companies and organisations from universities to Internet cafes in a legal limbo. Feather also reckons that the legislation is not keeping up-to-date with current developments and pointed to the omission in the legislation of emerging technology such as Internet telephony and instant messaging.

Tiscali’s Miszti said he was concerned that the security of emerging technology had not been given sufficient consideration: “With more unsecured Wi-Fi networks and Internet cafes, there are more opportunities for crime that are not targeted by the directive. Why should criminals sign up for an ADSL account when they know they’re being monitored?”

A concern for ISPs is that this legislation will open the door for more far reaching legislation that will force them to retain entire data communications, including data packets. “It’s not as bad as we feared. Not every single data packet has to be retained — yet,” said Clive Feather.

Questions were also raised about the human rights implications of storing large amounts of communications data. The Earl of Erroll, President of the E-business Regulatory Alliance, an organisation that examines legal and regulatory issues in Brussels and Westminster, asked: “Is the directive necessary, legal, and balanced? Will it protect citizens from unnecessary access to confidential information?” The Home Secretary, Charles Clarke, gave an assurance that human rights legislation would be conformed to.

http://news.zdnet.co.uk/business/legal/0,39020651,39246970,00.htm