Security News Curated from across the world
First, support for both IE 5.01 SP3 and IE 6 SP1 on Windows 2000 SP3 will expire.
Second, Windows 2000 SP4 moves from mainstream to extended support.
The key difference between mainstream support and extended support which he thinks is most relevant to this audience is this quote from the lifecycle site: “Microsoft will not accept requests for warranty support, design changes, or new features during the Extended support phase.”
http://blogs.msdn.com/ie/archive/2005/05/27/422721.aspx
At present there is no one general fraud law in English law, but an untidy mess of eight specific statutory crimes (such as ‘obtaining property by deception’) and a vague common law offence of “conspiracy to defraud”. This can make it difficult for prosecutors to choose an offence to fit a particular crime of dishonesty. Nor do the current laws deal effectively with the growing problem of phishing — which occurs when a fraudster sends an e-mail with a link to a fraudulent web site where users are asked to provide personal account information.
In January alone, according to the Anti-Phishing Working Group, the number of phishing attacks jumped 42% from those reported in December. So the Government is determined to clarify the ambiguities and yesterday published its new Fraud Bill, which creates a new general offence of fraud.
While the existing laws do not make phishing legal in England and Wales, they could make a prosecution more challenging than it should be. Security provider MessageLabs welcomed the new law, but the company’s Chief Information Security Analyst, Paul Wood, warned that the laws do not remove the need for technical solutions.
The new offence of fraud, which will carry a maximum sentence of 10 years, can be committed in three ways: By false representation. By failing to disclose information and By abuse of position.
Scotland does have a common law crime of fraud, committed when someone achieves a practical result by a false pretence.
http://www.out-law.com/php/page.php?page_id=fraudbilltidiesen1117197431&area=news
While sophisticated hackers might always find a way into a system, many companies, such as the two mentioned above, are guilty of some basic failings which would have been discovered within minutes of penetration testing, according to a leading expert.
Dan Newman has been running one of the most popular certified ethical hacking courses for three years at the UK-based Training Camp and says he’s not seen a single student from an e-commerce company put forward to attend, while financial institutions, government departments and the military are well up on the need for penetration testing. “We had one guy who worked for a retailer but he funded it himself because he was actually looking to move into a new job in a different sector,” said Newman. While this doesn’t mean e-commerce sites have never honed their penetration-testing skills, Newman is confident he’d have seen some of them through his classroom at least, or heard of their efforts if such skills were commonly used in the online retail sector.
Newman walked Builder UK sister site silicon.com through a very basic ‘hack’ which simply involves changing cookies to access any number of customers’ details on one ecommerce Web site. By doing so a hacker would be able to download paid-for documents from other users’ accounts with one keystroke.
Newman blames a lot of the failings on the pressures of the retail environment and on developers charged with getting functionality online in time to meet demand, rather than when it is ready. “I used to be a developer and I used to make the same mistakes they do,” said Newman. Newman said a lot of the time “they’re getting things out there as quickly as they can” without regard for security. “Some Web sites are just bulging at the seams,” said Newman, referring to the multitude of security weaknesses just waiting to be exploited in the e-commerce sector.
Firebox.com is one online retailer happy to talk about its penetration testing. “Our IT team regularly check all of our security and always start with anywhere there could be a potential problem and thankfully they have always been pleasantly surprised but you still have to test,” said the spokeswoman. “I feel bad for a lot of companies who buy products from vendors who know nothing of security,” added Newman.
But just because e-tailers deal with a third party vendor doesn’t abdicate responsibility for carrying out their own thorough penetration testing.
http://uk.builder.com/webdevelopment/scripting/0,39026636,39247453,00.htm
An identity metasystem is much like a metadirectory, according to industry watchers. A metadirectory, or uber-directory service, is designed to users to view data from different directory systems in a unified way.
In a white paper published this month to the Microsoft Web site, Microsoft describes the identity metasystem this way: “This metasystem, or system of systems, would leverage the strengths of its constituent identity systems, provide interoperability between them, and enable creation of a consistent and straightforward user interface to them all.
“The ID metasystem is a new concept that we just started talking more formally about last week,” said Michael Stephenson, director of product management with the Microsoft Windows Server team. The identity metasystem is an outgrowth of the WS-* Web services architecture that Microsoft and its partners have been championing for the past couple of years. Stephenson said that while the digital ID platform vision advances, Microsoft and its partners will continue to submit the various WS-* protocols to standards bodies in a royalty-free manner.
As outlined by Microsoft in its metasystem white paper, the digital ID metasystem will build on top of two of the WS-* protocols: the WS-Trust and WS-Metadata Exchange ones. Security token servers and WS-SecurityPolicy-based clients that require user-identification-vertification will plug into this base.
According to Microsoft, “Examples of technologies that could be utilized via the metasystem include LDAP claims schemas, X.509, which is used in Smartcards; Kerberos, which is used in Active Directory and some UNIX environments; and SAML, a standard used in inter-corporate federation scenarios.”
Microsoft envisions individual vendors building their own implementations of the digital ID metasystem. Infocard Infocard, which is similar to a virtual credit card or membership card, will be the common user interface for the Microsoft digital-ID metasystem, Stephenson said. Company officials have said that Microsoft will build into future versions of Windows, starting with Longhorn, an InfoCard client.
http://www.microsoft-watch.com/article2/0,1995,1817451,00.asp
While reports of this type of crime have circulated for several years, most victimized companies remain reluctant to acknowledge the attacks or enlist the help of law enforcement, resulting in limited awareness of the problem and few prosecutions.
Extortion is “becoming more com’monplace,” said Ed Amoroso, chief information security officer at AT&T. “It’s happening enough that it doesn’t even raise an eyebrow anymore.”
“In the past eight months we have seen an uptick with the most organized groups of attackers trying to extort money from users,” said Rob Rigby, director of managed security services at MCI (Profile, Products, Articles). While MCI has been asked to help with prosecutions in other cybercrime cases, Rigby says he does not recall a service provider being subpoenaed in a DDoS extortion case.
Quantifying the extortion problem is difficult because the FBI, ISPs and third-party research firms can’t provide figures on the number of DDoS attacks that include demands for money. An indeterminable number of victims are choosing to meet the demands of extortionists rather than turn to law enforcement because they’re worried about negative publicity.
The law does not prohibit paying, said Kathleen Porter, an attorney at Robinson & Cole LLP in Boston, who has extensive experience with e-commerce and Internet law. Companies are not required by law to report these crimes, Porter said, adding that she suspects that many are reticent to do so because they fear being sued over the risks that such an attack might create for their customers.
Anti-DDoS services cost around $12,000 per month from carriers such as AT&T and MCI, said John Pescatore, an analyst at Gartner Inc. The most popular type of anti-DDoS equipment used by service providers is Cisco Systems’s (Profile, Products, Articles) Riverhead gear and Arbor Network’s detection tools. This equipment can filter about 99 percent of the attack traffic, Pescatore said, although sometimes network response times drop by a few seconds.
Last fall, the Bellevue, Wash., payments-processing firm, which authorizes credit card transactions for more than 114,000 merchants, had its Internet-based service disrupted by extortionists demanding payment to cease a massive DDoS attack.
“Today, we’ve not yet seen a successful apprehension of anyone involved,” said Authorize.Net President Roy Banks.
http://www.infoworld.com/article/05/05/16/HNddosextortion_1.html?source=rss&url=http://www.infoworld.com/article/05/05/16/HNddosextortion_1.html
The report involved 15 schools which used open source software and 33 that didn’t. It concluded that the cost of a primary school computer running open source software was half that of one running proprietary software, while in secondary schools an open source PC was 20 percent cheaper.
Stephen Uden, Microsoft’s education relations manager, claimed that this sample size was too small to draw firm conclusions from. Uden also defended Microsoft against the charge that schools that choose its software are getting worse value than those that take the open source path.
“Obviously costs are an important part of this. But most head teachers are interested in quality. We spend more time looking at better learning for kids,” said Uden. He pointed out that three of the primary schools involved were supported by a secondary school, giving them access to valuable support–something he claimed distorted the findings.
The 24-page report looked at three areas–technical infrastructure, administration and management, and curriculum software–and overall delivered a mixed verdict about what open source software offers today. The report found that open source software was generally superior as an operating system on both servers and PCs. But the schools involved were split as to whether open source applications were better than their proprietary counterparts. One teacher reported that some colleagues welcomed StarOffice, but others refused to use it and stuck with Word. At another school, open source software had been installed on laptops alongside proprietary alternatives, but appeared to be never used.
Becta described the position on content-specific open source software as “weaker”, as the schools involved in the study were only using a very small range of open source teaching applications.
Despite this, OpenForum Europe–which supports the use of open source software in business–has hailed Becta’s report. “This report underlines the massive opportunity that exists for all schools to get the best value for money from their IT budgets,” said Mike Banahan, director of OpenForum Europe. “The advent of Open Source Software solutions in education opens up the whole UK education market for the first time in a decade to competitive choice, removing the inevitability of lock-in.”
http://news.zdnet.com/2100-9593_22-5706457.html?part=rss&tag=feed&subj=zdnet