Tuesday, November 23, 2004
According to a survey of federal security managers published by Intelligent Decisions, the top concerns facing federal networks are patching, network compromises, and compliance with the Federal Information Security Management Act (FISMA). Almost half the respondents said the private sector should improve the quality assurance of its software. Federal managers often lack both the labor and money to meet FISMA requirements, especially managers with budgets of less than $500,000. Managers spend an average of three hours each day on compliance rather than strategic security planning. The survey finds that as managers' budgets increase, the amount of time necessary for compliance decreases: managers with less than $500,000 spent 45% of their time on compliance, while those with budgets over $10 million spent only 27%. The survey is based on telephone conversations with 25 of 117 federal security managers.
Microsoft decides to patch the vulnerability discovered recently by Finjan
This is not because the software itself has a flaw, but because social engineering can be used to attack users by exploiting the vulnerability discovered by Finjan. Originally, Microsoft had flatly denied the possibility of the vulnerability reported in Finjan's advisory. Silicon.com.
Monday, November 22, 2004
Oracle is moving to a quarterly patch update cycle
On January 18, 2005, Oracle will begin releasing patches for Oracle Database, E-Business Suite, Application Server, Oracle Enterprise Manager, and Collaboration Suite on a quarterly cycle. The quarterly patches, which Oracle calls "Critical Patch Updates," will address both security fixes and general software updates. The quarterly cycle is designed to give customers more flexibility in planning software updates. Systems administrators can plan system shutdowns and software installations to fit with business processes, such as quarterly reviews. Oracle says it will deviate from its quarterly cycle if a security company issues a "high-severity security alert," especially if an exploit is found in the wild. The quarterly cycle is also expected to help Oracle develop well-integrated and well-tested patches. Read more.
Microsoft hopes to extend patching cycle
Microsoft is working towards its ultimate goal of producing an operating system that will not require any patching. Of course, this is an ideal scenario, perhaps impossible to reach. In the meantime, the company wants to reach a stage where the patch cycle is extended to six months, instead of the current practice of a month. Read more at ZDNet.
Monday, November 15, 2004
Another Irresponsible Vulnerability Disclosure: Microsoft Needs Some Help
Security tools maker Finjan Software warned on Wednesday that it found as many as 10 security flaws in the last update to Microsoft's flagship operating system, Windows XP Service Pack 2. In a statement that contained few details, the U.K. company claimed that the vulnerabilities could enable attackers to remotely access a victim's files, remove security measures aimed at Internet threats and run programs without any notification to the user.
The company did not wait for Microsoft to fix the issues, as many security companies do, and used the announcement to push its own wares as a way to be protected from the threats. Many interpret this move as an effective publicity stunt. The overall objective of the security industry should be to improve the security of society. Although researchers who follow a responsible vulnerability disclosure process are acknowledged when the fix for the vulnerability arrives, some still choose to put society at risk by going straight to public disclosure. To read more on this recent issue, please go to News.com.
Wednesday, November 10, 2004
Do blackhats release their exploits strategically?
The creators of the latest MyDoom variant, which exploits a recently discovered iFrame vulnerability in Internet Explorer, may have timed the release of the viruses to throw Microsoft's monthly patch cycle into disarray. In its latest monthly update on Tuesday, Microsoft was not able to fix a serious vulnerability in the Internet Explorer browser because the flaw was discovered only a few days before the company's regular update was due. The two variants of the MyDoom virus were released earlier this week, leaving the software giant without any option but to ignore the problem--for now. Public disclosure of the vulnerability has been criticized because it does not allow vendors to develop their patches before information about the vulnerabilities becomes public. Since the recent vulnerabilities were announced publicly just a couple of days before the Microsoft patch cycle, the software giant did not have enough time to develop, test, and ensure that the patch is stable. Therefore, fixes for the two recent vulnerabilities are not included in the latest update. This is good news for malicious users, because they can exploit the vulnerability for a considerable time since the fixes are not included in this batch. It is, however, bad news for society overall. This should definitely bring up the discussion of the legitimacy of public disclosure. More.
Tuesday, November 09, 2004
Vulnerability is discovered in Morgan Stanley online banking
Online banking continued its run of security issues, as a vulnerability has been discovered in Morgan Stanley's online banking website. The flaw was reported to BBC Breakfast, and enables users to access their credit card information by entering only the first digit of their credit card number. Tim Pickard, strategic marketing director for EMEA at RSA Security, commented that two-factor authentication would dramatically improve the security of online banking consumers, and that Morgan Stanley's vulnerability would not be a problem if they used two-factor authentication. By Computeractive.
A man is charged with selling Windows source code
William P. Genovese, Jr., 27, was charged on November 9, 2004 with unlawfully distributing a trade secret, a charge that carries a maximum prison sentence of ten years and a maximum fine of $250,000 if convicted. Mr. Genovese allegedly sold secret source code from Windows NT 4.0 and Windows 2000, and was discovered after posting a message on a website offering the code for sale. Federal prosecutors said a Microsoft-hired investigator and an undercover Federal Bureau of Investigation (FBI) agent downloaded the code after submitting electronic payment.
By Reuters.
Monday, November 08, 2004
Market punishes security breaches severely
Professor Huseyin Cavusoglu found that "The announcement of an Internet security breach is negatively associated with the market value of the announcing firm. Breached firms, on average lose approximately 2.1% of their market values within two days surrounding the events. This translates into $1.65 billion average loss in market capitalization per incident." This and many other findings have recently been published in the International Journal of Electronic Commerce. His study, co-authored with S. Raghunathan and B. Mishra, has been regarded as the most rigorous study of breach impact that uses the event study methodology. More.
Open source advocates are upset after the recent mi2g study: open source systems are exposed to more attacks than Microsoft's.
A number of security experts are questioning the findings of a report from mi2g which names Linux the "most breached" operating system. The report is based on an examination of over 235,000 successful attacks against computers permanently connected to the Internet from November 2003 through October 2004. The study found that Linux accounted for 65% of breaches, with Windows coming in second at 25%. Open source advocate Bruce Perens criticizes the report for not factoring in the main problem, automated virus attacks, which even the report admits have a greater economic impact on Windows systems. Linux servers running Apache account for nearly 64% of web servers. Rob Enderle, principal analyst with the Enderle Group, notes that mi2g's methodology on a number of previous studies has been questionable, and describes the recent study as more of a media event than a serious investigation. The study found BSD and Apple's Mac OS X to be the most secure operating systems, with less than 5% of breaches each; however, both systems have few users, and BSD users in particular tend to be highly competent. The report may indicate that widely deployed systems with poorly trained users are more vulnerable, Mr. Enderle argued, adding that results should be normalized based on skills and usage. By Internetweek.
Microsoft rolls out an early notification service for the upcoming patches
The software maker will provide a summary of planned security bulletins three days in advance. Microsoft announced that everyone will have access to advance information about pending security updates. In its statement, Microsoft said the new policy is in "response to customer feedback." According to Microsoft, the advance notifications will include how many security bulletins may be released, how severe the security problems being fixed are, and a list of the affected products. The information provided in the notification will be general and won't disclose vulnerability details or other information that could put customers at risk. By Information Week.
Early warning to general public by Microsoft
Although Microsoft has been giving selected customers advance information about the content of its updates, it is now providing that information to all customers. However, the advance information will include only general information and will not disclose vulnerability details that could put customers at risk. The first example of this new practice is the information about the November 9th 2004 ISA Server update. Microsoft said that the vulnerability in ISA Server is rated important, its second highest classification. More.
Simply obtaining a password worked again for a compromise!
An inmate in Colorado has accessed sensitive information on a county sheriff and nearly 1,000 other local-government employees after he obtained a password into the county's computer system, Colorado authorities announced on November 5, 2004. By Reuters.
Another Virus writer joins anti-virus firm
After German security company Securepoint hired Sven Jaschan, the self-confessed creator of the destructive NetSky and Sasser worms, as a trainee software developer in September 2004, Benny, an ex-member of the 29A virus-writing group, has been hired to work as the main developer at Zoner Anti-Virus (ZAV), part of Zoner Software. By The Register.
Saturday, November 06, 2004
Legislation might create a negative impact on risk management
According to banking security expert Michael Colao, director of Information Management at Dresdner Kleinwort Wasserstein, recent legislation is having a negative effect on risk management, as companies struggle to deal with increased governance. Information technology managers are being tied up in red tape by the requirements of data protection, Sarbanes-Oxley, Basel II and other corporate governance reforms. Mr. Colao says some chief information officers are relying on complicated processes rather than sound judgment in order to protect themselves from measures that make IT managers legally responsible for adherence to corporate governance rules. Tim Pickard, strategic marketing director at RSA Security EMEA, added that the nature of EU directives makes it nearly impossible for global CIOs to be fully compliant. The Register.
Virus report points to profit-hungry hackers
According to a report by security company Trend Micro's TrendLabs, malware cases rose 22% in October 2004, with Trojan horses accounting for 47% of cases. The report concluded that these results vindicate earlier claims that the motivation of malware authors is shifting from notoriety to profit. While most of the top worms and viruses were in decline, the Netsky.P worm, which was the most frequently reported malware, registered a 30% increase in infections over September 2004. The report attributed the worm's continued prevalence to users' penchant for opening unknown attachments. Read more at CNet.
The Dutch teenager will be charged for the DoS attack
The Dutch government plans to press civil, and possibly criminal, charges against an eighteen-year-old for a distributed denial of service attack that disabled a number of government websites for four days. The defendant is also suspected of belonging to the "0x1fe Crew", a group of fifteen hackers protesting recent cabinet decisions. The suspect apparently revealed his actions and personal details on a television program, leading to his arrest. The government has taken a number of measures, including purchasing increased bandwidth, in order to withstand future attacks. If found guilty, the suspect faces fines amounting to tens of thousands of euros. Read more
How will spyware products react to Internet Spyware Prevention Act
According to Mike Healan, editor of SpywareInfo.com, spyware makers will split into two groups in response to the recently passed Internet Spyware Prevention (I-SPY) Act: one group will appear to comply with regulations while the other will develop spyware that is harder to detect and remove. Anti-spyware vendors will have difficulty determining which programs comply with spyware laws while still blocking the more malicious variety. Aluria Software plans to do both by leading companies out of the spyware market and into legitimate advertising. A number of spyware companies have contacted anti-spyware vendors to find out how their products can be counted among the acceptable adware. However, many producers of malicious spyware are outside the United States and the jurisdiction of I-SPY. Security firm Webroot currently finds 80 new variations of existing spyware and 20 new spyware programs each week. Research firm Gartner estimates that eighty to ninety percent of computers have some form of spyware. Antivirus vendors are expected to offer anti-spyware tools as spyware becomes more of a threat. Read more
