Information Security Resources » FEATURE ARTICLE

DoS Attack Reveals Widespread Vulnerabilities

ADMIN — Fri, 12 Mar 2010 05:30:21 +0000

By Anthony M. Freed, Director of Business Development, Infosec Island Network

There is an UNEQUAL amount of good and bad in most things, the trick is to work out the ratio and act accordingly… The Jester

Infosec Island has once again gained exclusive access to a video demonstration of the XerXeS DoS attack recently developed by the infamous patriot-hacker known only as The Jester (th3j35t3r).

This new video shows a little more of the XerXeS dashboard, and reveals even more about the attack technique – watch the text box on the left as Jester mentions “Apache” for the first time outside of our private conversations.

As noted below in an analysis of DoS vulnerabilities by security consultant Michael Menefee, more than half of all the websites in the world use Apache, which means this exploit potentially poses a very serious problem should it ever be utilized by nefarious elements…

Continued: See the video and more at InfosecIsland.com

All content from Information-Security-Resources.com will begin migrating to the Infosec Island Network:

We are pleased to announce that Infosec Island™ has acquired www.information-security-resources.com, one of the leading online news portals addressing security issues.

The two infosec communities will continue to be operated separately while ISR’s content is gradually migrated to the Infosec Island framework by mid-year.

Don’t miss out on your opportunity to win one of over $10k in service prizes in the Infosec Island Q1 Membership Drive!

Only completed profiles are automatically entered into the drawing. Registration is quick - it takes less than five minutes to complete.

Prizes include:

• The Grand Prize is a FREE core server license, including maintenance, of the Grid Data Security’s Enhanced Authentication Solution from SyferLock™. This prize has a value of up to $10,000.

• Second Prize – The member winning second prize will receive two myKryptofon security software products from I.D. Rank Security, valued at $690.

• Third Prize – Two third prize winners will receive an EncryptStick™ software application download from Onix International Inc.

Register now and win! https://www.infosecisland.com/

We are also seeking active security bloggers and forum moderators - a great way to increase your exposure and generate more business opportunities for your company.

Contact Anthony through your Island email account, or directly at afreed@WireHeadSecurity.com for more details!

Infosec Island is committed to serving the needs of SMBs and mid-market enterprises across many industries, as well as nonprofits, government agencies and educational organizations and the infosec community at large.

* * *

Stay Informed With ISR News Alerts:

* * *

Follow us on Twitter

* * *

Anthony is a researcher, analyst and freelance writer living in beautiful Eugene, Oregon. Anthony founded Information-Security-Resources.com in 2008, and merged forces with the Infosec Island Network in January of 2010. Infosec Island is committed to serving the needs of SMBs and mid-market enterprises across many industries, as well as nonprofits, government agencies, educational organizations, and the infosec community at large. Contact Anthony at afreed@wireheadsecurity.com regarding all aspects of business development, client and community relations. Many opportunities are currently available for business and strategic alignment at Infosec Island.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Tech Stocks Week in Review Featuring iPad

ADMIN — Sun, 07 Mar 2010 21:31:01 +0000

From Trefis.com

Trefis, named for its focus on trends, forecasts, and insights, is revolutionary in its forward-looking approach to stock analysis, which incorporates an intuitive look at the relationship between a company’s product divisions and its stock price. More about Trefis: Innovative Analytic Tool Empowers Investors

Below is a summary of the activity on Trefis during the past week that we thought you would find interesting.

Insights from the Week

Apple Stock: iPad Business More Valuable Than Mac Desktops on March 2, 2010 We estimate that Apple’s iPad business accounts for 4% of the $267 Trefis price estimate for Apple’s stock compared to about 3% for Apple’s Mac desktop business…
Trefis Analysis: What percent of eBay’s stock is PayPal? on March 5, 2010 eBay is known primarily for its marketplaces (ebay.com, half.com) where buyers and sellers exchange a variety of merchandise online. However, the company also makes a significant amount of money from its online payments platform, PayPal…
Shifting Consumer Preference from Buying to Renting DVDs Can Benefit Netflix’s Stock on March 5, 2010 Netflix, which makes money by charging monthly subscription fees to its movie rental customers, can benefit from the shift in consumer preference to renting instead of owning DVDs…
Qualcomm’s Mobile TV App Drives Demand for Powerful Mobile Chips on March 5, 2010 Although the direct contribution of the mobile TV business for Qualcomm is small, demand for mobile TV can drive sales of more powerful Qualcomm mobile phone chipset …
iPhone Could Overtake BlackBerry Market Share in 2011 on March 5, 2010 RIM’s market share lead over Apple has been shrinking and we estimate that Apple will be able to overtake RIM market share by early 2011…
Microsoft’s Deal with Yahoo Could Hurt Google’s Stock on March 5, 2010 We believe that the Microsoft-Yahoo Search partnership will improve the Bing search engine by giving Microsoft access to all Yahoo searches…
Disney Characters Drive $8 billion Disney Consumer Merchandise Business on March 4, 2010 We estimate that Disney’s consumer products business is worth about $8 billion and contributes about 10% of the $36.73 of Trefis price estimate for Disney’s stoc …

Verizon and Vodafone Can Help Google Sell 5 Million Smartphones in 2010 on March 4, 2010 Google’s recently launched smartphone, the Nexus One, is likely to be sold by Verizon in addition to T-Mobile soon…
Comcast Deal Can Slow Symantec’s Market Share Declines on March 4, 2010 Apple sold about 43 million iPhones globally from June 2007 through the end of 2009. During the same period, AT&T’s subscriber count increased by about 22 million, implying more than a 2% rise in market share…
Market Share Declines Could Hurt Motorola on March 3, 2010 Symantec recently won a deal over its competitor McAfee (NYSE:MFE) to provide its Norton Suite of antivirus software to Comcast’s 15 million high speed internet customers…
Apple’s iPad can help New York Times’ online ad business and boost NYT stock on March 3, 2010 Taking cues from the positive impact of smartphones on nytimes.com viewership, we expect that the iPad can have some impact on the website’s unique visitors if iPad sales trend as we forecast…
27% of Qualcomm’s Stock is Value of its Cash on March 3, 2010 Qualcomm provides the technology used in many of the mobile phones sold today and the royalties that it earns from the use of its technology helps drive growth of its cash balanc …
Cisco’s Router Business is Worth More Than $20 billion on March 2, 2010 We estimate that Cisco’s router business constitutes more than $20 billion of Cisco’s value, which implies that about 15% of the $23 Trefis price estimate for Cisco’s stock is from router …
Increased political ad spend benefits CBS; upside to stock is small on March 1, 2010 Typically, political ad dollars are spent with big media companies that own broadcast networks (CBS, ABC, NBC, Fox). We expect CBS, one of the leading broadcast networks, to earn a significant share of the extra ad dollars…
Trefis Analysis: What percent of Apple’s stock is Apple TV? on March 1, 2010 Apple launched Apple TV in early 2007 and has only sold about 10 million Apple TV units to date. In comparison, the company has sold more than 40 million iPhones since the launch of the device in mid-2007…
30% Upside for Sprint Stock if it Can Revert Subscriber Losses on March 1, 2010 The company is making efforts to improve its network and quality of customer service that could lead to a reversal in the subscriber trend and boost Sprint’s stock…
iPad Gross Profit Margins Higher than iPod and Kindle Margins on March 1, 2010 Apple’s gross profit margin on the first generation iPads sold in 2010 is expected to be around 55%…

Community Activity

Netflix community price decreased from $65.61 to $61.89
23 community model updates in the past week
RIM community price increased from $83.57 to $88.49
14 community model updates in the past week

New York Times community price increased from $13.23 to $15.22
4 community model updates in the past week

Active Stocks

SanDisk increased 14% from $29.15 to $33.32 (Trefis price was $30.15, and we kept it unchanged) You can see our complete model for SanDisk here.

Monster increased 12% from $13.95 to $15.68 (Trefis price was $10.70, and we kept it unchanged)You can see our complete model for Monster here.

CBS increased 12% from $12.99 to $14.57 (Trefis price was $9.22, and we kept it unchanged)
You can see our complete model for CBS here.

* * *

Stay Informed With ISR News Alerts:

* * *

Follow us on Twitter

* * *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Risk Based Enterprise Compliance Programs

ADMIN — Fri, 05 Mar 2010 05:45:34 +0000

By Thomas R. Fox, Attorney at Tom Fox Law

A recent benchmarking survey of Third Party Codes of Conduct was conducted by the Society of Corporate Compliance and Ethics (SCCE) and reported on by Rebecca Walker.

The findings indicated that a majority of companies with an otherwise robust compliance program do not extend this to third parties with which they conduct business.

The findings revealed the following: 53% of companies do not disseminate their internal codes of conduct to third parties; only 26% require third parties to certify to their own codes; and just 17% of the respondents have any third party codes of conduct.

For those companies who now desire to evaluate their third party business partners for Foreign Corrupt Practices Act (FCPA) compliance, how, and perhaps where, do they begin?

The approach that appears to be gaining the most traction both with regulators and learned commentators is to develop a risk based approach to FCPA compliance.

There is no specific Department of Justice (DOJ) guidance on any one specific process for a risk based compliance system.

However, there is sufficient guidance in other FCPA and analogous compliance areas, such that direction can be provided to US and foreign companies in this area.

Writing in the FCPABlog, Scott Moritz of Daylight Forensic & Advisory suggested that a risk-based approach based upon the regulatory programs in Anti-Money Laundering (AML) governance.

In the AML areas, the concept is that certain parties, including vendors, represent a higher compliance risk than others.

Geography, nexus to government officials, business type, method of payment and dollar volume – are all risk indicators.

This risk-based approach was commented upon, favorably by the DOJ, in Release Opinion 08-02. In this Release Opinion the DOJ reviewed and approved Halliburton’s proposed acquisition of the UK entity Expro.

The DOJ spoke directly to a risk based approach by that Halliburton had agreed to provide the following:

. . . a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which will address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. Such work plan will organize the due diligence effort into high risk, medium risk, and lowest risk elements.

This risk-based approach has also been accepted by UK’s Financial Services Authority (FSA) in its settlement of the enforcement action against the insurance giant AON earlier this year. As a part of the settlement AON agreed to the following:

AON…designed and implemented a global anti-corruption policy … limiting the use of third parties … whose only service to AON is assisting it in the obtaining and retaining of business solely through client introductions in countries where the risk of corrupt practices is anything other than low. These jurisdictions are defined by reference to an internationally accepted corruption perceptions index. Any use of third parties not prohibited by the policy must be reviewed and approved in accordance with global anti-corruption protocols.

How does a company implement this guidance? Scott Moritz suggests that key to any risk-based approach is “the strategic use of information technology, tracking and sorting the critical elements — including risk-ranking, as well as enhanced due diligence and ongoing monitoring of high-risk parties proportionate to their risk profiles.”

The uses of a risk based compliance system can be myriad.

The Release Opinion 08-02 system was in response to an international acquisition. Such systems can also be used to rank and assist in the evaluation of business partners or supply chain vendors.

But, however such a system is used, the clear import from the DOJ, FSA and learned commentators is that some type of rational system should be put in place and followed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author can be reached at tfox@tfoxlaw.com.

* * *

Stay Informed With ISR News Alerts:

* * *

Follow us on Twitter

* * *

Thomas Fox has practiced law in Houston for 25 years. He is now assisting companies with FCPA compliance, Risk Management and international transactions. He was most recently the General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He was previously Division Counsel with Halliburton Energy Services, Inc. where he supported Halliburton’s software division and its downhole division, which included the logging, directional drilling and drill bit business units.

Tom attended undergraduate school at the University of Texas, graduate school at Michigan State University and law school at the University of Michigan. Tom writes and speaks nationally and internationally on a wide variety of topics, ranging from FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets. Website: www.tfoxlaw.com

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Data Loss Prevention Has Jumped the Shark

ADMIN — Thu, 04 Mar 2010 01:27:53 +0000

By Robert Siciliano, ID Theft Expert and Security Consultant to Intelius.com

When Fonzie jumped the shark on his HOG, that spelt the end of Happy Days.

The FTC sending a warning to 100 companies and agencies that their employees are leaking client and sensitive data on the web via Peer to Peer file sharing (P2P) is the single most pathetic and embarrassing communication to come across the desk of an IT professional.

It’s over, Johnny IT’S OVER!

The FTC certainly has their hands full with the mess of information security that we call identity theft. I’ve met some from the FTC.

These are smart people who are doing the best they can with what they have to work with.

But government is usually the last to be on top of what is new and ahead of what is next. Especially, with technology issues.

Generally, they are reactive and fix it after it’s broke. They step in when there is a problem and work to fix it so it’s not a problem in the future.

How is it that after hundreds of data breaches and numerous articles that all point to leaks via P2P; there are still companies who allow the installation of technology that opens a big hole in your network, big enough for a car bomb?

As Byron Acohido eloquently stated “The Federal Trade Commission today finally voiced concern about the long-known problem of data leaking into criminal hands via LimeWire, BearShare, Kazaa and dozens of other peer-to-peer (P2P) file sharing networks.”

The operative word here being “FINALLY!” Why are we having this conversation?

For the under a rock crowed, P2P has been around since before the days of Napster. Peer to peer file sharing is a great technology used to share data over peer networks. It’s also great software to get hacked.

Last year the House Committee on Oversight and Government Reform responded to reports that peer to peer file sharing allows Internet users to access other P2P users’ most important files, including bank records, tax files, health records, and passwords.

This is the same P2P software that allows users to download pirated music, movies and software.

An academic from Dartmouth College found that he was able to obtain tens of thousands of medical files using P2P software.

In my own research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers.

I’ve found family rosters which include usernames, passwords and Social Security numbers for entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft.

This is the easiest and frankly, the most fun kind of hacking. I’ve seen reports of numerous government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

Blueprints for President Obama’s private helicopters were recently compromised because a Maryland-based defense contractor’s P2P software had leaked them to the wild, wild web.

Don’t install P2P software on your computer.
If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
Set administrative privileges to prevent the installation of new software without your knowledge.
If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

* * *

Stay Informed With ISR News Alerts:

* * *

Robert Siciliano is an expert on personal security and identity theft as the CEO of IDTheftSecurity.com. An American television news correspondent, security analyst, and author of “The Safety Minute: How to take control of your personal security and prevent fraud”. Featured on the The Today Show, CBS Early Show, CNN, MSNBC, FOX, CNBC, Inside Edition, EXTRA, Tyra Banks, Stern, and in USA Today, Forbes, Tech Republic, SC, CSO, Search Security, Tech News World, EWeek, SecurityInfoWatch, NY Times, Boston Globe, LA Times, Wash Post, Chicago Tribune, AP, UPI, Reuters, and Entrepreneur.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Leveraging Open Source for Business Intel

ADMIN — Wed, 03 Mar 2010 04:42:43 +0000

By Bozidar Spirovski, CISSP, MCSA, MCP

Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.

In reality, the methodology used in OSINT is the information gathering phase of every penetration phase.

They only stuck a fancy name to the process.

Regardless of the name, OSINT is very useful, and it’s results can be very well used even outside of the penetration testing process.

The information gathering, or OSINT process can be summarized in the following steps:

Identify your point of interest - who/what is your target of investigation. Start broad, and then narrow down to the interesting elements. For instance, start with a domain name or an IP address pool for a provider, until you find the contacts and names of actual persons. Then you can start drilling for material left on the Internet by them for further useful clues
Collect information from multiple sources - consult search engines corporate sites, mailing list servers, even the old and forgotten Usenet might be useful
Sift through the gathered information to form a useful result- Identify interesting pieces of intelligence for further use

The process looks very simple on paper, but bear in mind that most searches generate tons and tons of possible clues and/or false leads. It takes

Here is what you’ll have to deal with:

Irrelevant/false hits on a keyword - URL links or sites that contain the same sequence of words but in totally different context. The more generic the terms that you are searching for, the more of these there will be.
Fake contacts placed during registration process - looking for that all important ‘Who’ behind some site or document? Bear in mind that contact information on the web is usually fake to avoid pestering sales persons. And anyone can use your target’s name for an alias on a registration.
Hundreds or thousands of archived messages from forums and mailing lists - much like the previous one, aliases and nearly useless communication can be found and needs to be sifted through. And you cannot be certain that you are looking at something written by your target of investigation
Documents with irrelevant word matching - a large enough digital book will contain all the words of virtually any phrase

There are a lot of tools that will help you on your quest for information, but I’ll sum-up those that I find useful

Google hacking - The title says it all. Choose your keywords and then drill for data on google Maltego CE - a client side program that drills the Internet for information on the element that you have chosen as source.

It will return all kinds of possible information for further drill down. Produces a lot of false positives

Silobreaker - an information correlation and pattern recognition system that returns results as summarized information clusters related to your search query. Not always very accurate, so always use other sources.

* * *

Stay Informed With ISR News Alerts:

* * *

Author: Bozidar Spirovski of Information Security Short Takes

Occupation: Information Security Expert
CISSP #301565
MCSA, MCP ID# 2448347
Send comments, requests or general inquiry to shortinfosec _at_ gmail dot com
Visit my LinkedIn profile at http://www.linkedin.com/in/spirovskibozidar

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Outsourcing Breach Response Lowers Costs

ADMIN — Wed, 03 Mar 2010 04:41:08 +0000

By Doug Pollack, Chief Marketing Officer for ID Experts

The Ponemon Institute released their 5th annual 2009 Annual Study: Cost of Data Breach last month.

This year, the report explored several new areas and came up with some interesting and in some cases surprising conclusions.

These include:

- Customer/patient/client churn rate, the tendency for a data breach event to cause them to “vote with their feet” and choose another provider, remains the key cost driver for data breach incidents. Such lost customer costs are typically 2/3rds the cost of a data breach. Industries that exhibit the highest churn rates are healthcare, pharmaceuticals and communications (all 6%).

- Almost half (44%) of organizations outsourced the data breach response effort to an expert third party consultant. When outsourced in this way, the costs per victim declined a huge 26% vs. companies that “go it alone”. The ability to reduce costs by outsourcing the response process is counterintuitive to some, but validates the value of an outside consultant that is knowledgeable and can execute using best practices

- “Companies that notify too quickly may incur higher costs”. This was surprising to me. The study found that these “quick responders”, organizations that notified within one month of detection of the breach, ended up paying 12% more than their peers. The assumption was that moving too quickly through the process causes inefficiencies that can be avoided.

As always, the study and report is full of valuable and interesting data and perspective for privacy, information security, legal and financial officers. It is a “must read” for anyone in a relevant role at an organization that is entrusted with PII and PHI, especially the CISOs who are most frequently the organizational members responsible for the handling of data breach incidents.

* * *

Stay Informed With ISR News Alerts:

* * *

Doug Pollack has 20+ years of industry experience in computing, networking, and software. He currently resides in Portland, Oregon and is Chief Marketing Officer for ID Experts, leader in data security breach prevention and remediation. His background includes over 13 years in Silicon Valley in management positions at Apple, 3Com, and a software startup that grew to $25MM and an IPO. After relocating to Oregon, Doug led marketing & business development for GemStone Systems, a Java technology company with close ties to Sun Microsystems & IBM, to an acquisition in 2000. Doug has also acted as interim CEO for two venture-backed software startups and prior to ID Experts was VP of marketing and business development for Digimarc, a $100MM publicly traded corporation (DMRC). Doug’s educational background includes a BSEE from Cornell Univerisity and an MBA from the Stanford Graduate School of Business.

ID Experts provides data breach solutions, risk assessment, forensic investigation and fully managed victim identity restoration to corporations, financial institutions, healthcare organizations and government agencies. As a leader in data breach prevention and remediation, the company has managed hundreds of data breach events, protects millions of individuals from identity theft and authored the Identity Crime Victim’s Bill of Rights. ID Experts is actively involved with industry organizations including ANSI/Identity Theft Prevention and Identity Management Standards Panel, International Association of Privacy Professionals, Internet Security Alliance, and the Santa Fe Group.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Gartner Tells CIOs to Embrace Social Media

ADMIN — Tue, 02 Mar 2010 01:01:43 +0000

By Laton McCartney, Editor at CIOZone

Has someone been putting strange substances in the drinking water at Gartner’s Greenwich, CT headquarters?

Some of their analysts are beginning to sound like New Age gurus on a mission to bring peace, love and harmony to the corporate world.

Consider these words of wisdom recently imparted by Gartner analysts to clients at an Orlando conference:

“Banning access to social media from the corporate network is futile. The world we live in is digitally enabled and socially connected.”—Carol Rozwell, a Gartner vice president.

Here’s Rozwell’s view of the socially connected workplace:

“While a job may be viewed as an economic transaction, the human brain thinks of the workplace as a social system… (social networking) can make employees feel valued, a part of the community.”

Now here’s Peter Sondergaard, a senior VP of research at Gartner:

“We’re moving from control to greater autonomy…”

The “we” being presumably corporate America and specifically IT. Sondergaard, of course, is speaking about a virtualized, shared services computing enviroment.

Let’s forget for a minute that in the past Gartner was effectively saying that social media use within the enterprise was about two steps removed from letting the inmates run the asylum.

Not so now, Gartner is telling us. CIOs need to stop being such control freaks and embrace the new, open order.

Fine, I’ll go with that up to a point. Likely, CIOs, I don’t really give a damn that those crazy kids in marketing text message each other about the previous night’s episode of Mad Men.

That’s not the CIO’s problem. Nor is their concern to make sure the new purchasing agent feels valued.

They also probably well aware that it’s a digitally enabled, socially connected, far more autonomous world than it was even a year ago, thank you very much.

They don’t need Gartner to tell them that.

What CIOs might find highly useful, however, is a road map to help them make the transition into the future.

For the past decade of so IT chiefs have been told again and again that their number one priority is aligning IT and business.

So now we have highly disparate, often grass roots, increasingly autonomous technologies that need somehow to be harnessed into alignment.

Gartner needs to advise its clients how to go about doing that, instead of concerning themselves about emotionally fulfilled employees.

* * *

Stay Informed With ISR News Alerts:

* * *

Laton McCartney is a former editor-in-chief of InformationWeek. He has also been a top editor at several Ziff Davis publications, including Smart Partner. Laton has written for The Washington Post, Fortune and other national publications. He also the author of a number of books, including the best-seller “Friends in High Places: The Bechtel Story.” His latest, “The Teapot Dome Scandal: How Big Oil Bought the Harding White House and Tried to Steal the Country“, will be published in February by Random House.

CIOZone.com is the first of its kind online meeting place for CIOs. It is built upon the foundation of social networking and combines user generated content and expert editorial together around an open source platform.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Tech Stocks Week in Review Featuring Dell

ADMIN — Sun, 28 Feb 2010 21:44:27 +0000

From Trefis.com

Below is a summary of the activity on Trefis during the past week that we thought you would find interesting.

Insights from the Week

What Loss of iPhone Exclusivity Could Mean for AT&T’s Stock on February 26, 2010 Apple sold about 43 million iPhones globally from June 2007 through the end of 2009. During the same period, AT&T’s subscriber count increased by about 22 million, implying more than a 2% rise in market share…
Better Resume Search Technology Can Help Monster Compete with LinkedIn, Facebook on February 26, 2010 We believe such technology will make Monster more competitive against social networking sites like LinkedIn and Facebook that have increasingly been used as alternative channels of recruitment by employers…
Featured Forecast: Netflix Subscribers to Double by 2016 on February 26, 2010 Netflix’s subscriber base has roughly tripled since 2005. The company had about 12 million subscribers by end of 2009 compared to only about 4 million subscribers in 2005…
Trefis Analysis: Notebook PCs 17% of Dell’s Stock on February 25, 2010 Dell shipped an additional 1.2 million notebook PCs in 2009 over 2008. We expect growth in the global notebook market to drive Dell’s notebooks sales in the future…
Rising Subscriber Fees Expected for News Corp’s Fox Sports on February 25, 2010 We estimate that Fox Sports’ Fee per subscriber has grown from $1.45 in 2005 to about $2 in 2009, driven by the following two factors…
LTE Technology Can Limit Share Declines for Nokia Siemens Network on February 24, 2010 We believe that Nokia’s LTE technology is limiting its share from declining even further…
Featured Forecast: Sprint’s iDEN Subscribers Expected to Decline on February 24, 2010 Sprint’s iDEN push-to-talk subscribers have historically been an important part of the company’s postpaid business…
RIM Stock: Free Software Can Sell More BlackBerries on February 24, 2010 Although the free BES Express may reduce RIM’s software revenues initially, we believe that it will help RIM to sell more BlackBerry smartphones to small businesses over the long-run…
Comcast’s On-Demand Video Service Worth More than 30x Blockbuster on February 23, 2010 We estimate that Comcast’s on-demand business is worth $2.4 billion (excluding any debt) and constitutes about 3% of the $18.65 Trefis price estimate for Comcast’s stock…
Trefis Forecast: What % of Google’s stock is Orkut? on February 23, 2010 We estimate that Orkut earns about 30 cents for every 1,000 page views on orkut.com…
Does Qualcomm’s BREW Mobile App Platform Matter for the Stock? on February 23, 2010 We estimate that Qualcomm’s BREW constitutes less than 1% of the $42 Trefis price estimate for Qualcomm’s stock…
Microsoft Deal to Boost Yahoo’s Search Advertising Margins on February 23, 2010 We expect Yahoo’s Search Advertising EBITDA margins to improve from the present 42% to around 45% by the end of Trefis forecast period…
All-In-One Printer Demand Will Help Lexmark’s Stock on February 22, 2010 Although Lexmark’s inkjet printer and cartridges business constitutes only about 4% of the company’s value, the injket business is once again gaining traction as a result of demand for AIO-type printers…
Windows is 32% of Microsoft’s Stock; Windows 7 Key to Future Growth on February 22, 2010 Microsoft’s new Windows 7 operating system helped the company gain about 1% market share during the past year…
Intel’s Stock Impacted by Shift from Desktops to Notebooks on February 22, 2010 We estimate that Intel’s notebook and netbook processor business constitutes 45% of the $22 Trefis price estimate for Intel’s stock compared to only 12% for Intel’s desktop business…
Trefis Forecast: Expected iPad Pricing Declines will Impact Apple’s Stock on February 22, 2010 We forecast average iPad pricing to decline from $600 in 2010 to $440 over the Trefis forecast period…
Featured Forecast: Intel Will Continue to Lose Server Processor Market Share on February 22, 2010 We estimate that Intel had nearly 88% processor market share amongst the 15 million server processors sold in 2005 and that this figure declined to as low as than 70% in 2008…

Negative Impact of Potential HP-McAfee Deal on Symantec’s Stocke on February 22, 2010 The Symantec-HP deal has been estimated to generate $200 million of revenue annually for Symantec and its loss could amount to a 3% to 5% loss of market share for Symantec in the $3.8 billion antivirus software market…

Community Activity

Intel community price decreased from $25.59 to $24.46
19 community model updates in the past week

Nokia community price decreased from $21.05 to $18.08
13 community model updates in the past week

Ebay community price decreased from $40.80 to $38.15
7 community model updates in the past week

Active Stocks

Qualcomm falls 7% from $39.59 to $36.69 (Trefis price was $41.64, and we kept it unchanged) You can see our complete model for Qualcomm here.

Monster falls 7% from $15.02 to $13.95 (Trefis price was $10.90 and we decreased it to $10.70)You can see our complete model for Monster here.

CBS falls 6% from $13.83 to $12.99 (Trefis price was $9.07 and we increased it to $9.22)
You can see our complete model for CBS here.

* * *

Stay Informed With ISR News Alerts:

* * *

Follow us on Twitter

* * *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Federal Guides for Social Media Security p.II

ADMIN — Fri, 26 Feb 2010 06:10:21 +0000

By Mike Meikle, CEO at Hawkthorne Group

In my previous post, we had reviewed the rationale behind the Federal CIO Council release of secure social media usage guidelines.

This was primarily tied back to President Obama’s memorandum on Transparency and Open Government and the growing popularity of social media (Web 2.0) in the workplace.

We also touched on the lack of concrete implementation advice by the guidelines for social media within the document.

The guidelines abruptly switch over to outlining the current use of social media within government. But not before mentioning two researchers at the National Defense University, Dr. Mark Drepeau and Dr. Linton Wells.

They are quoted as to the government’s definition of social media and the four specific types of uses within the Federal Government.

What is more interesting is that these gentlemen wrote a research paper for the Feds that is a large component for the Social Media Guidelines.

The name of the document is Social Software and National Security: An Initial Net Assessment.

I highly recommend those individuals that are charged with the responsibility or implementation of social media within their agency read that document.

It is highly informative and has copious footnotes to other research that will provide a better view of the social media landscape with the Federal Government and abroad.

Also, it has been my experience that these footnoted sources can then be used as supportive documentation when an agency’s own policy is crafted, since they have been used in other official guidelines.

The guidelines discuss at length the direction of sharing and level of interaction in the governmental social media milieu.

Basically it boils down to sharing content within governmental agencies and with non-governmental organizations and how the risk profile changes.

For interdepartmental sharing within an agency the Federal Information Security Management Act (FISMA) rules apply.

Once an agency crosses over into social media interactions with other agencies and non-governmental organizations, the guidance gets diluted. The guidelines point to five government agencies, none of which are the definitive resource for social media implementations.

The five referred to are National Institute of Standards and Technology (NIST), Department of Defense (DOD), Office of Management and Budget (OMB), Government Accountability Office (GAO) and the Department of Homeland Security (DHS).

NIST has scores of documents, none definitively linked to social media and the policies that should surround it.

I would recommend starting with the Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) and the Guide for Developing Security Plans for Federal Information Systems. There are others that apply tangentially, but these two should be the starting point in my view.

The DOD has a well organized page for security policies regarding web applications .

However, I would start with the Policy for Department of Defense Internet Interactive Activities memorandum.

The document is from 2007, so it’s applicability to social media is dubious. The document does refer to the creation of a “Best Practices for Internet Interactive Activities” by USSOCOM in the near future.

I was unable to find this document during my research for this article however, so I assume it is still being developed in the bowels of the government.

On a brighter note, the DOD has an interesting Social Media Hub that should provide actual implementation data and humans to contact.

OMB offers ye olde Circular A-130 as its entry in the information security arena. Last updated in November of 2000, it should come with tips on the revulcanization of the tyres for your Model T.

It’s good to be familiar with this document however since it will obviously be around for a long time to come.

The GAO has adopted FISMA as its internal standard. Since the GAO audits federal agencies for their compliance to federal guidelines, it is interesting to note how agencies are fairing in their efforts to become more secure.

These audit finding are valuable intelligence that will assist in closing any gaps an agency could have, so you don’t end up in the same reports.

The DHS National Cyber Security Division has a interesting link that drops you into an application security site called Build Security In.

The site is similar NIST in regards to the large amount of security related articles to review. For a shortcut, take a look at the Ten Most Recently Modified Articles section for the latest.

The Federal CIO Council lists as its last and latest example of guidelines for Social Media as published by U.S. Air Force.

The US Air Force New Media Guide (2009) is an excellent document that is short, concise and provides valuable guidance on social media implementations.

A must read for any organization that is considering a foray into the Web 2.0 sphere.

On a side note, while researching this article, I came across the Information Assurance Support Environment, an entity sponsored by the Defense Information Systems Agency.

It is a clearinghouse for all things IT within the government umbrella. The site is overwhelming at first, due to the vast amounts of data that is presented. I would recommend that you start here for simplicity sake.

This site puts the herculean task that is faced by many CISO’s and CIO’s in a stark light when it comes to following the appropriate security policies for their federal agencies.

This overt display of absurd policy complexity show why the black hats will continue to gain ground on their targets.

They do not operate in a blizzard of paperwork and it behooves the security community to demand the same. That is a topic for another day however.

In my next article on the Federal Social Media Guidelines, we will look at the various types of security threats that are enhanced with Social Media and mentioned in the document.

Also, I will review the recommendations of the CIO Council in how to combat them and provide additional sources of information.

* * *

Stay Informed With ISR News Alerts:

* * *

Mike Meikle is a Senior Consultant and Senior Program/Project Manager for several organizations across government, health, telecommunications, corporate and education sectors, providing technological and organizational leadership. Mike has worked with the Virginia Department of Health, Richmond Montessori School, Virginia Department of Emergency Management, Virginia Department of Social Services Division of Licensing Programs Health and Information Network (DOLPHIN), and many more. Follow Mike on Twitter.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Relationships with Foreign Business Partners

ADMIN — Thu, 25 Feb 2010 00:21:33 +0000

By Thomas R. Fox, Attorney at Tom Fox Law

There are several critical components in the selection, use and retention of any Foreign Business Partner, such as agents, resellers, joint venture partners or distributors.

In view of the critical risks a US Company must manage when entering into a relationship with a Foreign Business Partner, the US Company should, prior to establishing the relationship, kick off the risk management process by initiating thorough due diligence on the proposed Foreign Business Partner.

The due diligence process should contain, at a minimum, inquiries into the following areas:

* Need for the relationship with a Foreign Business Partner: The Company Business Team or Business Person should articulate the business case for the proposed Foreign Business Partner relationship. This must be approved by management before it goes to legal or compliance for review.

* Credentials: List the critical reasons for selection of the proposed Foreign Business Partner. This should include a discussion of the business partner’s background and experience.

* Ownership Structure: Describe whether the proposed Foreign Business Partner is a government or state-owned entity, and the nature of its relationship(s) with local, regional and governmental bodies. Are there any members of the business partner related, by blood, to governmental officials?

* Financial Qualifications: Describe the financial stability of, and all capital to be provided by, the proposed Foreign Business Partner. Obtain financial records, audited for 3 to 5 years, if available.

* Personnel: Determine whether the Foreign Business Partner will be providing personnel, particularly whether any of the employees are government officials. Obtain the names and titles of those who will provide services to the US Company.

* Physical Facilities: Describe what physical facilities will be provided by the Foreign Business Partner. Who will provide the necessary capital for their upkeep?

* Reputation: Describe the business reputation of the proposed Foreign Business Partner in its geographic and industry-sector markets.

These due diligence inquiries are required under the Federal Sentencing Guidelines and the guidance offered by the Department of Justice (DOJ) Opinion Releases and the publicly released Plea Agreements and Deferred Prosecution Agreements (DPA) entered into by US companies who admit to violating the Foreign Corrupt Practices Act (FCPA).

This due diligence should be recorded and maintained by the US Company for review, if required, by a governmental agency. Some of the due diligence can be handled by the US Company’s in-house legal and/or compliance groups.

However, it is recommended that for any high risk Foreign Business Partner, an outside forensic auditing firm and outside legal counsel be retained to conduct the due diligence investigations.

This brings a level of expertise usually not available within a corporation plus an outside perspective less susceptible to in-company business pressures.

After this initial inquiry is concluded the US Company should move forward to perform a background check on a prospective Foreign Business Partner by using the following resources:

* References: Obtain and contact a list of business references.

* Embassy Check: Obtain information regarding the intended business partner from the local US Embassy, including an International Company Profile Report.

* Compliance Verification: Determine if the Foreign Business Partner, and those person within the Foreign Business Partner who will be providing services to the US Company, have reviewed or received FCPA training.

* Foreign Country Check: Have an independent third party, such as a law firm; investigate the business partner in its home country to determine compliance with its home country’s laws, licensing requirements and regulations.

* Cooperation and Attitude: One of the most important inquiries is not legal but based upon the response and cooperation of the Foreign Business Partner. Did the business partner object to any portion of the due diligence process? Did it object to the scope, coverage or purpose of the FCPA? In short, is the business partner a person or entity that the US Company is willing to stand up with under the FCPA?

After a company completes these due diligence steps, there should be a thorough review by the Board, or other dedicated Management Committee, on the qualifications of the proposed foreign business relationship partner.

It is critical that the reviewing Committee is not subordinate to the US company’s business unit which is responsible for the business transactions with the Foreign Business Partner.

This review should examine the adequacy of due diligence performed in connection with the selection of overseas partners, as well as the Foreign Business Partner’s selection of agents, subcontractors and consultants which will be used for business development on behalf of the US Company.

The steps listed herein do not include the use of, or continued management of, a Foreign Business Partner.

These steps need to be taken by all US Companies entering into, or already engaged in, a relationship with Foreign Business Partners as the FCPA applies to all US Companies, whether public or private.

Remember, due diligence, due diligence and once that has been completed; more due diligence.

This publication contains general information only and is based on the experiences and research of the author.The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author can be reached at tfox@tfoxlaw.com.

* * *

Stay Informed With ISR News Alerts:

* * *

Follow us on Twitter

* * *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Exclusive Video of XerXeS DoS Attack Demo

ADMIN — Tue, 23 Feb 2010 05:50:24 +0000

By Anthony M. Freed, Director of Business Development, Infosec Island Network

Infosec Island has gained exclusive access to a video demonstration of the XerXeS DoS attack as it is unleashed on the Taliban website www.alemarah.info, and carried out by infamous patriot hacker The Jester (th3j35t3r).

The video release follows an earlier announcement that The Jester has been working to improve and automate aspects of the attack method, which unlike a DDoS attack, requires only one low spec machine to implement.

“This is an early beta version demo of XerXeS from about three weeks ago. I am still developing it, adding more features and safety nets, in fact it’s moved on quite a lot since this version. Video of the upgrades to come at a later date,” said The Jester in an IM chat Monday.

Improvements over earlier versions of XerXeS include the ability to monitor feedback from the target server and adjust the attack to counter the network’s defenses…

See the video and more at InfosecIsland.com

All content from Information-Security-Resources.com will begin migrating to the Infosec Island Network:

We are pleased to announce that Infosec Island™ has acquired www.information-security-resources.com, one of the leading online news portals addressing security issues.

The two infosec communities will continue to be operated separately while ISR’s content is gradually migrated to the Infosec Island framework by mid-year.

Don’t miss out on your opportunity to win one of over $10k in service prizes in the Infosec Island Q1 Membership Drive!

Only completed profiles are automatically entered into the drawing. Registration is quick - it takes less than five minutes to complete.

Prizes include:

• The Grand Prize is a FREE core server license, including maintenance, of the Grid Data Security’s Enhanced Authentication Solution from SyferLock™. This prize has a value of up to $10,000.

• Second Prize – The member winning second prize will receive two myKryptofon security software products from I.D. Rank Security, valued at $690.

• Third Prize – Two third prize winners will receive an EncryptStick™ software application download from Onix International Inc.

Register now and win! https://www.infosecisland.com/

We are also seeking active security bloggers and forum moderators - a great way to increase your exposure and generate more business opportunities for your company.

Contact Anthony through your Island email account, or directly at afreed@WireHeadSecurity.com for more details!

* * *

Stay Informed With ISR News Alerts:

* * *

Follow us on Twitter

* * *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Fatal System Error - Be Afraid, Be Very Afraid

ADMIN — Tue, 23 Feb 2010 05:49:59 +0000

By Richard Stiennon, Chief Research Analyst, IT-Harvest

Joseph Menn has cracked open the inside workings of cyber crime bosses with his book Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet .

I packed the book with me this past week as I retired to a rustic cabin in Northern Michigan. Menn’s book made for enthralling reading by light of a butane camp lantern.

In addition to telling the story of Barrett Lyon, entrepreneur and cyber crime fighter who founded Prolexic, BitGravity and 3Crowd, Menn follows through to recount the dark world of Russian crime figures as explored by Andy Crocker, on assignment from the UK National High Tech Crime Unit (NHTCU).

Andy finally convicts three DDoS extortionists in Russian who are serving sentences of eight years hard labor.

I met Barrett in 2004 when he was still immersed in getting Prolexic off the ground. I was at Gartner and looking for something new to get involved in.

Barrett’s network defenses against Distributed Denial of Service (DDoS) attacks was the most exciting thing I had encountered.

Barrett thought I was joking when I asked him if I could send him my resume.

I was completely serious until I met his business partner Mickey Flynn in a hotel bar in Chicago. Mickey ran BetCRIS, one of the key sports book making and online gaming organizations in Costa Rica.

For once in my career my spidey sense served me well.

Mickey seemed like a great guy but it was the first time I had ever met anyone accompanied by two big body guards wearing sports coats and obviously packing.

As Barrett’s adventure unfolded I saw bits and pieces of it but I had no idea just how deeply entrenched Barrett had become in the workings of an international crime ring, one that had its own problems with cyber criminals in Russia.

Thanks to Joseph Menn I now know the story. At his wedding in San Francisco Barrett seemed as light hearted and happy as any groom should.

It is hard to believe upon reading Menn’s account that the night before Barrett had excused himself from the rehearsal dinner to secretly pass off a key fob with a digital audio recorder that he had used to capture a day’s worth of conversation with one of the Prolexic partners to an FBI agent waiting around the corner in a dark sedan.

To research his book Menn traveled to Russia with Barrett and the other hero of his book, Andy Crocker. The picture he paints of a corrupt justice and law enforcement system in Russia is chilling.

Andy spent three years in Russia tracking down the ring of extortionists that Barrett had uncovered.

Andy and Barrett did not even speak directly to each other until the night after Andy obtained convictions against three of the bad guys.

* * *

Stay Informed With ISR News Alerts:

* * *

Announcing the birth of Cyber Defense Weekly, a newsletter created to give participants in this new category a comprehensive summary of the week’s news, product announcements, and escalations in cyber threats.

Simply provide your email address here to become a subscriber.

Comments and input are welcome as always on this critical new category.

Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. He recently re-launched the security blog ThreatChaos.com and is the founder of IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. He was Chief Marketing Officer for Fortinet, Inc. the leading UTM vendor. Prior to that he was VP Threat Research at Webroot Software. Before Webroot, Mr. Stiennon was VP Research at Gartner Inc. where he covered security topics including firewalls, intrusion detection, intrusion prevention, security consulting, and managed security services for the Security and Privacy group. He is a holder of Gartner’s Thought Leadership award and was named “One of the 50 most powerful people in Networking” by NetworkWorld Magazine.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Not since Cliff Stoll’s The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage has there been a book that delves as deeply into the workings of criminal hackers. This book will be widely read by law enforcement, policy makers, and IT security professionals. Like Stoll’s book I predict it will inspire a generation of technologists to join the battle against cyber criminals.

Measuring Hidden Costs of Cloud Computing

ADMIN — Mon, 22 Feb 2010 01:17:16 +0000

By Chris Curran, CTO Forum Team

During a time when businesses are counting their pennies, every conceivable cost needs to be factored into forecasting models.

Hidden expenses are never a welcome surprise, but they are particularly unwanted now.

Cloud service providers can try to make the costs seem clear cut. However, CIOs and other IT professionals should know that $100 per user per year is only the beginning of the budget.

When making a massive technology transition and managing a new system, the costs associated with people, processes, and architecture are equally important to consider.

The mystery is how much these costs amount to in the unfamiliar realm of cloud computing.

To help uncover the hidden costs of cloud computing, answer the following four key questions:

1. What are the viable paths to move (or replace) legacy applications into the cloud?
2. What architectural changes are required to integrate cloud and non-cloud applications?
3. How should we change our technology and operations processes to take advantage of different procurement, provisioning, and management models?
4. How will a private cloud—built for the sole use of one enterprise—give us more flexibility than current hosting or public cloud models? What are the cost trade-offs?

Answers to these questions will change the mindset from leveraging cloud-based applications to managing complex systems, which will help to reveal the true costs of making the switch.

When the focus of the conversation shifts to systems, it prompts other questions that will sharpen the picture:

1. How do we make sure all of the customers in Salesforce.com are synchronised with those in our customer management application, our billing application, and our six product systems?
2. Should we add custom application logic into Salesforce.com to validate customer and company information against our master list? Or should we do it externally and integrate the resulting systems and processes?
3. What kinds of skills and other organisational considerations should we make for the IT staff that support our customer systems?

Many companies across industries are still working on getting beyond the usage costs for cloud computing to understand the complete costs of migrating, implementing, integrating, training, and redesigning the surrounding and supporting people, processes, and architecture.

In fact, three examples from companies that we are working with demonstrate how different details can lead to the same conclusion: uncertainty about the hidden costs of cloud computing.

A managed IT services vendor is interested in moving some of its in-house help desk applications into the cloud for its clients, but the company is taking its time before moving past market surveillance.

An industrial products company is evaluating new technologies and approaches, but the company is also taking a measured approach to see where the chips fall.

A financial services company that deals in very small and extremely high-speed transactions is not yet convinced that any of the cloud computing service providers can provide the processing horsepower within their service-level agreements and security requirements that would be necessary for the investment to pay off.

In these three examples, not knowing the potential hidden costs of cloud computing has stalled the decision making process.

So as cloud service providers roll out their spiel, ironically, CIOs and their IT departments need to pick holes to have a clear picture of the overall bottom line.

Remember: it’s deceptively easy to get burned on a cloudy day, if you’re not protected.

* * *

Stay Informed With ISR News Alerts:

* * *

Chris Curran is Diamond Management & Technology Consultants’ chief technology officer and managing partner of the firm’s technology practice. He writes the CIO Dashboard blog at www.ciodashboard.com, and can be reached at Chris.Curran@diamondconsultants.com or @cbcurran on Twitter.

The CTO Forum is India’s leading fortnightly magazine for technology decision makers. It promotes the exchange of informed perspectives and insights on trends, management techniques and new IT business strategies, between CIOs and other stakeholders. The CTO Forum is acknowledged as a ‘trusted source’ of knowledge for top management responsible for balancing the demands on technology for ‘growth and governance’.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Tech Stocks Week in Review Featuring Cisco

ADMIN — Mon, 22 Feb 2010 01:16:53 +0000

From Trefis.com

Below is a summary of the activity on Trefis during the past week that we thought you would find interesting.

Insights from the Week

Can Office 2010 Help Microsoft Maintain its Leadership in Productivity Software? on February 19, 2010 We think it’s difficult for Microsoft to maintain its share in the productivity software market due to competition from Google and IBM…

Expansion of Disney’s Parks & Resorts Will Attract More Guests and Drive Revenue on February 19, 2010 Disney is setting itself up for even more attendance (and revenue) growth at its parks by investing in expansion projects…
Services for Routers and Switches Make up 18% of Cisco’s Stock on February 19, 2010 Cisco makes a significant amount of money by providing troubleshooting and maintenance services to its hardware customers….
Smartphones Can Slow Nokia Share Loss in Emerging Markets on February 18, 2010 We believe that Nokia’s expanding smartphone portfolio and growing share within the smartphone segment can slow Nokia’s overall mobile phone share declines within emerging markets…
Qualcomm’s New Chip Can Drive Apple’s iPhone Market Share on February 18, 2010 Qualcomm is reported to have signed a deal with Apple to make chips for its ‘World iPhone’ which is designed for compatibility with mobile networks worldwide…
SanDisk’s Flash Memory Margins Dependent on Production Cost Reductions on February 18, 2010 We have updated the Trefis price estimate for SanDisk’s stock from $28.28 to $30.15, in part to reflect SanDisk’s improved ability to maintain its flash memory gross margins in the future by reducing production costs…
Featured Forecast: $55+ DirecTV Satellite Subscriber Fees on February 18, 2010 DirecTV’s Fee per Satellite Subscriber has come down from about $59 in 2005 to as low as $55 in 2009 primarily as a result of two factors…
Featured Forecast: CBS TV Network Ad Pricing Declines Expected on February 17, 2010 We estimate that CBS earned about $5.30 for every 1,000 ad impressions (1,000 views of a 30-sec TV ad) that it delivered in 2007 and that this figure declined to about $4.70 in 2009…
VoIP Will Boost Sprint’s Landline Profit Margins on February 17, 2010 Sprint’s IP-based services, including offerings like VoIP, now constitute 42% of its landline revenues, up from 25% in 2008…
Trefis Forecast: What % of Apple’s stock is the iPad? on February 17, 2010 We’ve updated our Apple analysis for the company’s recent earnings as well as the iPad announcement. We now have a Trefis price estimate of $267 for Apple’s stock…
Featured Forecast: AOL Internet Subscribers Heading to Zero on February 16, 2010 We estimate that AOL will have 3.4 million internet subscribers in 2010 and that this figure will trend down to nearly zero over our forecast period …
Smartphone Demand in Europe Can Help Nokia Offset US Share Declines on February 16, 2010 We believe Europe can help Nokia offset declines in US market share and could have a positive impact on Nokia’s stock…
Symantec Business Market Share Losses Expected to Stop on February 16, 2010 We expect Symantec’s Share in Security Software for Businesses Market to reach nearly 31% by the end of Trefis forecast period…
Featured Forecast: Intel Will Reverse Notebook Market Share Losses on February 16, 2010 We expect that Intel will recoup some of the lost notebook processor market share over our forecast period as a result of its lead in the netbook market…

Price Competition Will Impact Sprint’s Prepaid Mobile Business on February 15, 2010 We believe that the prepaid mobile business is a key growth area for Sprint as it will help the company offset the consistent declines in its monthly (postpaid) subscriber base…

Community Activity

Apple community price increased from $331 to $364
116 community model updates in the past week

Netflix community price increased from $61.82 to $65.45
9 community model updates in the past week

Ebay community price increased from $36.92 to $40.80
6 community model updates in the past week

Active Stocks

Juniper rises 11% from $24.76 to $27.44 (Trefis price was $22.29, and we kept it unchanged) You can see our full Juniper analysis here.

DirecTV rises 10% from $30.67 to $33.64 (Trefis price was $29.52 and we increased it to $32.26)DirecTV reported earnings on Thursday which led to the increase in the price. You can see our analysis regarding the update here: HD-DVR Expected to Drive Increases in DirecTV’s Revenue

Sprint rises 10% from $3.16 to $3.49 (Trefis price was $4.31, and we kept it unchanged)You can see our full Sprint analysis here.

* * *

Stay Informed With ISR News Alerts:

* * *

Follow us on Twitter

* * *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

The Dismal State of Information Security

ADMIN — Fri, 19 Feb 2010 06:32:50 +0000

By Robert Siciliano, ID Theft Expert and Security Consultant to Intelius.com

The sheer volume of potential targets coupled with the vast amounts of money to be made has captured the attention of the global criminal hacking community.

Enterprise networks are becoming hardened and they are still vulnerable.

Some are being penetrated directly while others are accessed through 3^rd parities such as their clients or end users. Unprotected networks are being sniffed out and data breaches continue.

The organizations that track these breaches are bored, frustrated, hate the industry and offer no good news. Innovation isn’t happening fast enough and new laws and regulations aren’t effective in solving the problems.

PCI and all those who fall under its requirements are chasing their tail. Infighting continues and rumblings of lawsuits against PCI persist.

Law enforcement is getting better at investigating and catching the badguy, but there are far more of them then there are of us.

Between the TJX breach and the Heartland hack there were as many as 224 million credit and debit card numbers hacked.

The criminals penetrated the networks “in broad daylight” so to speak, which means they didn’t have much trouble getting in.

The hacks may have occurred via unsecured wireless networks, SQL injections or via social engineering though a phishing email with infected links.

While IT security professionals and white-hat hackers are fighting the battle with newer, better, faster, more robust technologies to keep the bad-guy out, the bad guy still gets in via the path of least resistance, which may be human error, laziness or a zero-day attack consisting of something we’ve never seen before. Often it is the former.

New stories keep coming out depicting small businesses losing hundreds of thousands of dollars via online banking hacks and the banks filing suit so they don’t have to pay it back.

I just spoke to 60 bankers at a conference in Las Vegas. Many of them professed to learning a lot. . No offense here, but I am of the belief that nothing I say should be in any way “new information” to anyone in the banking industry.

As we move closer to mobile banking and a dozen new ways to process credit cards we create new opportunity for the criminals and we haven’t tightened up existing vulnerabilities yet.

We are fragmented and all over the place with an incredible array of interdependent technologies that are set up with convenience in mind and security second.

Somebody please tell me to shut up.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

* * *

Stay Informed With ISR News Alerts:

* * *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com