Category: Uncategorized

Cerf, who co-created the TCP/IP (Transmission Control Protocol/Internet Protocol) of the Internet and now works as chief corporate strategist for MCI, delivered opening remarks Thursday here at the first inaugural Email Technology Conference. The chief topic of debate at the conference was spam.

Cerf said that standardizing methods for authenticating e-mail senders would ultimately lead to successful filtering–technologies that many companies that attended the conference are developing. “Getting to critical mass with those sorts of mechanisms will be really interesting,” Cerf said to an audience of technology executives attending the two-day conference. “Starting from that angle will be more productive than anything,” he added.

Previously, Cerf had jokingly suggested that the industry hold public floggings of spammers as a deterrent.

Spam has skyrocketed to epic proportions since the first e-mail was sent in 1971. Back then, there were just a few geeks sending e-mail, as Cerf put it in his presentation on the history of the Internet, so there was no one to send unsolicited commercial e-mail. Spam has risen to such heights partly because of a fundamental weakness in the Simple Mail Transfer Protocol, or SMTP, the messaging protocol that has defined e-mail for more than two decades.

The Federal Trade Commission in its report on the proposed federal Do Not Email registry said the industry needs to develop a common system for verifying e-mail senders before it could work. Microsoft recently brokered a deal to consolidate Sender Policy Framework and Microsoft’s Caller ID for E-mail–two antispam authentication schemes that look at DNS (Domain Name System) records to determine senders. Others, including Yahoo, are testing key encryption protocols to verify senders.

Cerf touched on digital signatures as a means to encrypt and verify senders, which his company MCI has used effectively. The digital signatures, or unique codes given to each individual, are attached to e-mail and must be authenticated to deliver the message.

Various solutions are in development. Some systems will run into problems in a public forum, he said, because of a lack of a central authority from country to country or state to state to govern the technology.

Another system, called Cloudmark Immunity, builds up a spam “immunity” based on input on what is unwanted e-mail from employees, according to the company. The technology, called Virus Outbreak Filters, is used to detect and quarantine suspicious e-mail or viruses before they can infect the entire network.

For consumers, Cerf suggested that everyone adopt a regimen of “cyberhygiene” to protect themselves from spam, viruses and spyware. Running filters and anti-spyware programs like Ad-aware should be a regular habit, he said, because active HTML (Hypertext Markup Language) and XML (Extensible Markup Language) have made receiving unwanted software to the PC dangerous.

More info: http://zdnet.com.com/2100-1104_2-5238202.html?tag=adnews

For instance, last August, Microsoft issued a patch that fixed a hole that the company described this way: “It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user’s system. If a user visited an attacker’s Web site, it would be possible for the attacker to exploit this vulnerability without any other user action.”

“IE is a buggy, insecure, dangerous piece of software, and the source of many of the headaches that security pros have to endure…”

A little over a week ago, the SecurityFocus Vulnerability Database reported the “Microsoft Internet Explorer Modal Dialog Zone Bypass Vulnerability,” which “may permit cross-zone access, allowing an attacker to execute malicious script code in the context of the Local Zone.” That was just one of the six reported so far this month – and we’re only halfway through!

In fact, it’s gotten so bad that now spyware creators (AKA, scumbags) are using flaws in IE to surreptitiously install the I-Lookup search bar (or one of several others) into the browser. Again, the user doesn’t need to do anything – just visit a Web site or click on a URL in an email. Your home page is changed, a bunch of new bookmarks show up in your Favorites, and popup windows for porn sites open constantly.

On Monday, the Mozilla Foundation released its latest preview release of Mozilla Firefox, available for download and ready to run.

As most of you probably already know, the Mozilla browser is great, but it’s also a huge software project, encompassing a Web browser, an email program, an address book, a Web page editor, and much, much more. Mozilla Firefox is an effort to pull out the browsing component, resulting in a faster, more focused, and more innovative Web browser. Its feature set is enviable: pop-up blocking, tabs, integrated search, an awesome level of customizability, and excellent support for Web standards.

But it has really shone (as has the Mozilla Project as a whole, actually) in the area of privacy and security. All software has bugs, and none is totally “secure”. As has been said so many times, security is a process, not a product. So I’m quite aware that Firefox has had security issues, and will have more in the future as sure as the sun rises.

In addition to a good track record in the past, Firefox and the Mozilla Foundation are taking a proactive approach to securing the Web browser in the future. The privacy and security settings available in Preferences are intelligent and effective, and the browser itself does not accept ActiveX controls, a key vulnerability in IE. Firefox uses XPI files to install themes, extensions, and other add-ons.

As people who care about security – and who so often work with people who care nothing about security – it’s our responsibility to spread the word about a better Web browser that does not constantly compromise the basic security of our computers and networks.

More info: http://www.securityfocus.com/columnists/249

1. Avoidance of a costly security incident.
2. Avoidance of disruptive downtime.
3. Improved availability.
4. Improved consistency.
5. Improved failure analysis.
6. Improved audit results.

More info: http://www.computerworld.com/securitytopics/security/story/0,,93419,00.html

Exploit code was made publicly available (THCIISLame.c) and rumors of a potential worm that uses the vulnerability as an attack vector are spreading the security news. This is an analysis of the vulnerability and the method of exploitation.

More info: http://security-protocols.com/modules.php?name=News&file=article&sid=1912

Technology Under SEC rule 17a-4, instant messages must be archived and retrievable and can’t be edited or changed.

Hedge funds are shying away from using instant messaging to send orders to their brokers because there has been a lack of technology to create an audit trail. “If I did not have the ability to archive these messages, I probably would not use it,” says Angie Kim, chief financial officer of Core Fund Solutions, a San Francisco-based company that oversees four hedge funds. Even though the onus is on the brokers to archive instant messages, “There are still certain legal exposures” for the buy side, says Kim.

In fact, to limit their own exposure, prime brokers – which clear the hedge funds’ trades – don’t want hedge fund managers to use instant messaging, adds Kim. If there is a dispute over a trade, the buy-side firm has to be able to retrieve the instant message to resolve the matter. And, because IM platforms are not as secure or as reliable as most trading systems, prime brokers are concerned that a hedge fund could send them trades that an IM platform may fail to deliver. Since hedge funds tend to outsource many functions, such as operations and trading, to third-parties, they don’t want to spend money developing IT infrastructure in-house to capture and archive IM communications.

Core Fund Solutions uses one such solution, IMTrader, a combination light-weight blotter and instant-messaging platform developed by Boston-based Pivot Solutions that interfaces with compliance systems like IM Logic and Facetime. Additionally, order-management systems are expected to integrate instant messaging into their trading applications, too. “The two greatest advantages [to using a system such as IMTrader] are the ability to see trades [filled] on a real-time basis and the ability to streamline operations by downloading the blotter and uploading trades to the prime brokers,” says Kim, who uses IMTrader to monitor trading in real time between the hedge funds’ portfolio managers and their brokers. JNK Securities, an institutional brokerage firm that uses IMTrader, utilizes an order-management system from Tradeware Systems to translate messages into FIX. Since then, Pivot has tweaked the system, so “You can just add our name to your buddy list,” says Jack Weiselberg, president of JNK Securities.

But before Weiselberg implemented IMTrader, he had to make sure the data network was secure and that it met the compliance regulations that govern brokers’ activities.

More info: http://www.storagepipeline.com/news/19205462;jsessionid=ZLEIGG40253TOQSNDBCCKHY

The better approach is to take some risks, and focus on your core mission: doing business efficiently and aggressively in the competitive marketplace. One of the risks of doing business while connected to the Internet is that bad things will happen occasionally.

Your organization may be one of the unlucky few that suffers a loss of personally identifiable information such as customer names and credit card numbers. Even during the worst moments of the Blaster or Slammer attacks, the companies and government agencies with the best event management programs suffered little.

The 100th dollar you spend has less relative impact than the 1st. Therefore, it is not the size of your security budget that matters, but the effectiveness and efficiency of your security choices. It is very tempting to buy products or services because you are afraid of the next security vulnerability.

Success lies in not over-spending on security nor making the security architecture so complex and extensive that it cannot be managed efficiently.

More info: http://www.csoonline.com/analyst/report2306.html