Category: News

The alliance was set up with the aim to generate public awareness and focus on best practices for security and privacy of Internet telephony networks.

The alliance said membership of its technical board had risen to 50, with newer members including a McAfee division, MCI, PricewaterhouseCoopers, Samsung Telecommunications America, Sprint and VeriSign.

Internet telephony, which is unregulated, is becoming popular due to cheap rates. With this popularity have come fears of spam and viruses–a nuisance for Internet users–though there have been no major attacks as of yet on Net telephony.

http://news.zdnet.com/2100-1009_22-5643061.html?tag=zdfd.newsfeed

Users of Windows 2000, Windows XP, and Windows Server 2003 will be able to use it to scan for, download, and install updates and fixes for Windows, Office, Exchange, and SQL Server.

According to Microsoft, each group of users — consumers, small businesses, and enterprises — will use its own interface to the all-in-one update center.

Small- and mid-sized enterprises will use Windows Server Update Services (WSUS), a plug-in to Windows 2000 Server and Windows Server 2003, while enterprises will turn to Systems Management Server 2003, an already-available patching, deployment, and hardware auditing program.

Microsoft said it will add other products from its software stables to the new update service.

http://www.securitypipeline.com/news/159905045

The federal welfare agency recently made public its plans to integrate at least 31,000 fingerprint scanners into its national support office, area support offices, call centres and customer service centres.

“Equipment with built-in scanners [has] multiple points of failure,” it added. “And if a mechanical failure occurs, the scanner will be affected since it is not independent of the keyboard.”

The fingerprint scanners are designed to replace Centrelink’s existing single user password verification system.

http://www.zdnet.com.au/news/hardware/0,2000061702,39185504,00.htm

In its seventh bi-annual Internet Security Threat Report, Symantec said over the past year, security researchers had discovered at least 37 serious vulnerabilities in the Mac OS X system.

According to Symantec, as Apple increases its market share–with new low cost products such as the Mac mini–its user base is likely to come under increasing attack.

“Contrary to popular belief, the Macintosh operating system has not always been a safe haven from malicious code,” Symantec said. “Out of the public eye for some time, it is now clear that the Mac OS is increasingly becoming a target for the malicious activity that is more commonly associated with Microsoft and various Unix-based operating systems,” the report said.

“Apple Computer has become a target for new attacks… The appearance of a rootkit109 called Opener in October 2004, serves to illustrate the growth in vulnerability research on the OS X platform… The various OS X vulnerabilities allow attackers to carry out information disclosure, authentication bypass, code execution, privilege escalation, and DoS attacks.”

Symantec believes that as the popularity of Apple’s new platform continues to grow, so too will the number of attacks directed at it,” the report said.

Symantec’s concerns were echoed by James Turner, security analyst at Frost & Sullivan Australia, who said many of the people who bought Apple products were not concerned about security, which left them wide open to attack.

“The iPod, PowerBooks and mini Macs are cool products,” Turner said. “The by-product is that people are buying these products for form over function. They say it looks pretty and then buy it but don’t secure it. As Apple increases its market share, it will be a legitimate target.”

Trend Micro senior systems engineer Adam Biviano said all complex operating systems had security flaws and the more popular the platform, the more likely it would be attacked. “All sophisticated platforms–Mac, Linux, Solaris or anything else — will have vulnerabilities,” Biviano said. “The only reason Windows has had mass exploits written for it is the sheer number of connected devices that are present on most networks. As soon as you start seeing mass deployment of any technology you are going to see exploits.”

According to Biviano, while there have not been any mass outbreaks of viruses targeting the Mac, the potential does exist. “You don’t see Macintosh viruses in mass outbreaks but you do see them in the labs as proof of concepts. There aren’t any outbreaks because there are simply are not enough [Macs] out there. For a virus to be successful it needs a combination of an exploit and a large target audience,” said Biviano, who nominated the mobile phone market as an example of malware writers targeting the most popular platform, not Microsoft’s platform. “Look at where mobile viruses are going and they are not targeting Microsoft–they are targeting the market leader, which is Symbian,” he said.

The Symantec report found in the second half of last year, an increasing proportion of malware was designed to expose confidential information.

The report also found that phishing attacks increased by 366 percent while the number of Windows-based worms and viruses increased by 64 percent, when compared to the first half of 2004.

http://news.zdnet.com/2100-9590_22-5628665.html

A post-mortem of its Sarbanes-Oxley compliance effort, looking at what worked and didn’t work, found inconsistent documentation of financial controls, as well as ones that should have been automated. Among the lessons learned is that “standardization of processes minimizes the risk of misstatements on financial reports,” McWilton says. Nextel Communications Inc. found it needed to do a better job controlling employee access to sensitive data and IT systems. And United Technologies Inc. discovered that it wasn’t making full use of the financial controls built into its enterprise-resource-planning systems.

The Securities and Exchange Commission estimates that companies collectively spend nearly 5.4 million staff hours each year implementing Sarbanes-Oxley’s section 404–the part of the federal legislation that deals with financial-reporting controls. Sarbanes-Oxley, which took effect late last year, was designed to improve the quality of financial reporting and restore confidence in financial statements in the wake of the Enron and WorldCom accounting scandals.

No wonder Sun Microsystems CEO Scott McNealy in 2003 likened Sarbanes-Oxley to throwing “buckets of sand into the gears of the market economy.”

At Nextel Communications, which is merging with Sprint Corp., the compliance process “began as an administrative task but has evolved into a basis for achieving competitive advantage,” says Michael Bryan, who until leaving the company last week was Nextel’s director of IT governance. While working through the steps to comply with Sarbanes-Oxley, Nextel managers discovered they needed to pay more attention to how employees were given access to sensitive data and programs. The company installed Thor Technologies Inc.’s Xellerate Identity Manager system to automate the management of Nextel’s 90,000 user identities.

Companies are finding that beyond complying with Sarbanes-Oxley, automating access controls helps enforce information security policies, such as limiting access to sensitive data to authorized users, according to a February report from the Aberdeen Group market-research firm that examined the Sarbanes-Oxley compliance efforts of 40 companies. As information security and access control become more important, they’re being transformed from a set of ad hoc activities into coordinated business processes. The company has gained peace of mind that it had the necessary financial controls in place for complying with Sarbanes-Oxley, CFO and executive VP Frank Terence says.

But working through the compliance process also uncovered areas where business processes needed to be improved, particularly IT change-management processes and procedures used to control access to critical software programs and data.

United Technologies is another company that discovered through its compliance-assessment process that its IT systems had automated capabilities of which the company wasn’t taking advantage. The survey also has brought a sense of unity to a company that’s sprawled out over 125 countries, Howells says. And the process of developing a standard way of documenting and testing financial-reporting controls has led to standardization in other accounting processes and policies.

http://www.informationweek.com/story/showArticle.jhtml?articleID=159902183&pgno=3

A number of security providers were overwhelmingly positive about any possible scheme, which will be the focus of a study carried out by an as-yet undecided consultant to the Department of Communications, Information Technology and the Arts.

“We need an Australian national certification scheme for security professionals to take into account our local security issues, legislation and corporate governance needs,” Alan Bell, who is McAfee’s marketing director for the Asia-Pacific region, told ZDNet Australia.

Paul Macrae, who works at MessageLabs in a business development director capacity, said the whole idea was laughable and that there were international standards that could be better applied. “This is ridiculous, it’s just people wasting their time when they could be doing something more serious, like actually protecting or educating the small to medium enterprise (SME) market, which is a much more useful thing,” he said.

And James Turner, who manages the security portfolio at analyst firm Frost & Sullivan, agreed with Macrae. “Australia is not an island on the Internet,” said Turner.

http://www.zdnet.com.au/news/security/0,2000061744,39184626,00.htm