Meta: spend 3-8% of IT budget on security

VNUNet: Security swallows a twelfth of IT budgets

IT directors have been advised to spend three to eight per cent of their IT budgets on ongoing security costs.

The figures are best practice guidelines given by analyst Meta at its 14th annual forum in Barcelona earlier this week.

Meta explained that the figure does not include special events, nor projects such as public key infrastructure implementations.

The analyst added that security budgets will increase by 10 per cent this year, as they did in 2001 and 2002.

Financial services firms should spend eight per cent of their IT budget on security to cover ongoing costs. Energy companies should allocate 6.5 per cent, e-commerce companies six per cent, retailers five per cent and manufacturing companies three per cent.

These figures do not cover business continuity and disaster recovery, which should take up another 2.5 to four per cent, according to Tom Scholtz, vice president of security and risk strategies at Meta.

Meta’s nine components for a security programme:

  • A governance structure that ties security to the business.
  • A vision, reduced to quarterly deliverables, that drives toward an appropriately secured environment; an architecture that is adaptable.
  • An organisational approach that supports accountability and the correct separation of duties.
  • A plan to generate continuous cultural change.
  • A maturity programme for security-related processes.
  • An approach to supporting local management discretion in determining the appropriate level of security.
  • The execution of processes that determine just how secure the environment is – right now!
  • The execution of projects that make the environment more secure.
  • The execution of processes which ensure that security is servicing the current needs of all aspects of the business.

55,000 names and SSNs stolen at UT Austin

United Press International: Hackers strike at University of Texas:
“Authorities Thursday sought computer hackers who stole the names and Social Security numbers of 59,000 current and former students, faculty and staff last week at the University of Texas at Austin.

UT Austin: Data Theft and Identity Protection:
“The malfunction was assessed to be the result of a deliberate attack from the Internet. Subsequent analysis revealed that a security weakness in an administrative data reporting system was exploited by writing a program to input millions of Social Security numbers. Those SSNs that matched selected individuals in a UT database were captured, together with e-mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed.

Computer logs indicate the information was obtained by computers in Austin and Houston over a five-day period that began last Wednesday, according to UT officials. They don’t know yet if the identification information was used for any illegal purposes… Approximately 55,200 individuals had some of the above data exposed. This group includes current and former students, current and former faculty and staff, and job applicants.”
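What the UT statement describes is identifier enumeration: the reporting system accepted an SSN and returned a record whenever one matched, so the attacker simply fed it millions of candidates, and the intrusion was only reconstructed afterwards from computer logs. The following is an added example of mine, not UT's code or data: it assumes a hypothetical lookup endpoint that logs the SSN in the query string in combined log format (itself a problem, since the log now holds the identifiers), builds a constructed access log, and flags the sweep by the three signals a practitioner would look for while it is still running: many distinct identifiers from one client in a short window, a very low hit ratio, and sequential values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical combined-log-format lines for a lookup endpoint that takes the SSN
# as a query parameter (an assumption for this example, not the UT system's format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+$'
)
SSN_RE = re.compile(r'[?&]ssn=(\d{9})(?:&|$)')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def build_sample_log():
    """Constructed log: one legitimate user making two lookups, and one client
    sweeping 300 consecutive SSN values with only three matches."""
    t0 = datetime(2003, 3, 5, 1, 0, 0)

    def line(ip, offset, ssn, status):
        ts = (t0 + timedelta(seconds=offset)).strftime('%d/%b/%Y:%H:%M:%S') + ' -0600'
        return f'{ip} - - [{ts}] "GET /report?ssn={ssn} HTTP/1.0" {status} 512'

    lines = [line('10.1.1.20', 5, '451020001', 200),
             line('10.1.1.20', 900, '451020002', 200)]
    for i in range(300):
        status = 200 if i in (17, 140, 260) else 404
        lines.append(line('192.0.2.77', i, f'{451000000 + i:09d}', status))
    return '\n'.join(lines)


def parse(log_text):
    """Yield (ip, timestamp, ssn, status) for each request that carried an SSN."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        s = SSN_RE.search(m['path'])
        if not s:
            continue
        yield (m['ip'], datetime.strptime(m['ts'], TS_FMT), s.group(1), int(m['status']))


def find_enumerators(log_text, window=timedelta(minutes=10), min_distinct=25, max_hit_ratio=0.2):
    """Flag clients that, within any `window`, try at least `min_distinct` different
    SSNs with a hit ratio of `max_hit_ratio` or lower. Legitimate users look up a
    few identifiers and mostly get hits; an enumerator tries many and mostly misses."""
    per_ip = defaultdict(list)
    for ip, ts, ssn, status in parse(log_text):
        per_ip[ip].append((ts, ssn, status))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            seen, hits, total = set(), 0, 0
            j = i
            while j < len(events) and events[j][0] - start <= window:
                _, ssn, status = events[j]
                seen.add(ssn)
                hits += status == 200
                total += 1
                j += 1
            if len(seen) >= min_distinct and hits / total <= max_hit_ratio:
                # Count consecutive requests whose SSN differs by exactly one: a
                # sequential sweep is the clearest sign of a script, not a person.
                sequential = sum(
                    1 for a, b in zip(events[i:j], events[i + 1:j])
                    if int(b[1]) - int(a[1]) == 1
                )
                flagged[ip] = {'start': start, 'distinct': len(seen), 'hits': hits,
                               'requests': total, 'sequential_steps': sequential}
                break
    return flagged


if __name__ == '__main__':
    for ip, info in find_enumerators(build_sample_log()).items():
        print(ip, info)
```

Thresholds are the assumption to tune against real traffic; the more durable fix is on the application side, so that a bare SSN is never enough to retrieve a record and a single client cannot make thousands of lookups in minutes.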

IBM delivers SOAP for CICS

CW360°:

“The technology will be available by the end of this month free of charge on IBM’s alphaWorks web site and provides Soap enablement of existing CICS Cobol applications, permitting them to be invoked through Soap requests over either HTTP or WebSphere MQ messages and then integrated both inside and outside of the enterprise.”

University of Florida buys mainframe for grid computing platform

ZDNet |UK| – News – Story – IBM sells mainframe for grid research:
“The university has created software that lets actual grids be carved up into private ones for individual users or specific applications. The researchers are using the z800 with z/VM and Linux and the cluster of Intel servers running VMware’s virtualisation software for Linux. In addition to developing grid virtualisation, the systems will be used for nanotechnology and computer science research.

The National Science Foundation funded the purchase of the z800, which was sold by Cornerstone Systems. The University of Florida also bought an Enterprise Storage Server “Shark” system with 3.36 terabytes of capacity.”

LSD puts Sendmail bug under the microscope

The Register: LSD puts Sendmail bug under the microscope:
“Polish ethical hackers Last Stage of Delirium (LSD) yesterday published proof of concept code for a serious flaw in Sendmail which emerged this week.
In a posting to BugTraq yesterday, LSD provides a detailed analysis of the buffer overflow vulnerability for the first time.”

Hashing alone is not enough to protect privacy

The Wired News article “Gambling on Private Data Search” includes many naive-sounding quotes regarding hashing and data mining. Obviously hashing alone is not enough to avoid serious privacy problems. So is there more to this than the vendor quotes below? (I hope so.)

Systems Research and Development, a company known for helping casinos spot fraud, has developed a product called Anonymous Entity Resolution. It claims the technology can help investigators determine whether a terrorist suspect appears in two separate databases — say, a government watch list and a hotel reservation system.

It not only finds the information by comparing records in multiple databases, but also scrambles the information using a “one-way hash function,” which converts a record to a character string that serves as a unique identifier like a fingerprint.

“All it tells them is that they have somebody in common,” said Jeff Jonas, founder and chief scientist at SRD. “It doesn’t tell them who.”

Once a match is found, which happens when disparate records produce the same character string, agents can isolate those particular records without examining any other information.

A record that has been one-way hashed cannot be “un-hashed” back to the original record — any more than “a sausage can be turned back into a pig,” Jonas said.
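The sausage analogy holds for an arbitrary record, but not for a Social Security number: there are only a billion of them, so anyone holding the digests can "un-hash" them by hashing every candidate and looking for a collision. The example below is added here to make the point concrete; it is my code, not SRD's product, and the identifier lists are constructed. It shows that plain SHA-256 digests let a matcher find the record "in common" but also let an attacker with a 100,000-entry dictionary recover the originals, and that a keyed hash (HMAC with a secret shared by the two data holders, an assumed design) keeps the matching while defeating the dictionary.

```python
import hashlib
import hmac
import os

# Constructed identifier lists standing in for "a government watch list and a hotel
# reservation system"; every SSN here is made up.
WATCH_LIST = ["457-55-5462", "457-58-0001", "123-45-6789"]
HOTEL_GUESTS = ["457555462", "999-00-1234", "457-58-0002"]


def normalise(ssn):
    """Both parties must canonicalise before hashing, or the same person hashes
    to two different strings and never matches."""
    return ssn.replace("-", "").strip()


def plain_hash(ssn):
    """The article's 'one-way hash': SHA-256 of the bare identifier, no key, no salt."""
    return hashlib.sha256(normalise(ssn).encode()).hexdigest()


def make_keyed_hash(key):
    """HMAC-SHA256 under a secret shared only by the two data holders (an assumed
    design, not SRD's). Without the key, nobody can build the lookup table."""
    return lambda ssn: hmac.new(key, normalise(ssn).encode(), hashlib.sha256).hexdigest()


def resolve(digests_a, digests_b):
    """The matcher sees digests only and reports which appear on both sides."""
    return set(digests_a) & set(digests_b)


def candidate_ssns(area=457, groups=range(50, 60)):
    """An attacker's dictionary: one area number and ten group numbers, 100,000
    values. The full space of a billion is only a few minutes more."""
    for group in groups:
        for serial in range(10000):
            yield f"{area:03d}-{group:02d}-{serial:04d}"


def dictionary_attack(digests, candidates, hasher):
    """'Un-hash' by hashing every candidate and checking for a collision with the
    published digests. Returns digest -> recovered identifier."""
    targets = set(digests)
    found = {}
    for c in candidates:
        d = hasher(c)
        if d in targets:
            found[d] = normalise(c)
    return found


def demo():
    # 1. Unkeyed hashing: matching works, and so does the attack.
    plain_hotel = [plain_hash(s) for s in HOTEL_GUESTS]
    plain_watch = [plain_hash(s) for s in WATCH_LIST]
    common = resolve(plain_watch, plain_hotel)
    recovered = dictionary_attack(plain_hotel, candidate_ssns(), plain_hash)

    # 2. Keyed hashing: the same matching, but the digests alone reveal nothing
    #    to someone who does not hold the key and so must hash without it.
    key = os.urandom(32)
    h = make_keyed_hash(key)
    keyed_common = resolve([h(s) for s in WATCH_LIST], [h(s) for s in HOTEL_GUESTS])
    keyed_recovered = dictionary_attack([h(s) for s in HOTEL_GUESTS], candidate_ssns(), plain_hash)
    return {
        "plain_matches": len(common),
        "plain_recovered": sorted(recovered.values()),
        "keyed_matches": len(keyed_common),
        "keyed_recovered": sorted(keyed_recovered.values()),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed version is not anonymity either: whoever holds the key can still enumerate, the digests remain a persistent join key that links every dataset hashed under that key, and the moment a match is reported each side knows exactly which of its own records it was. It moves the privacy question from the hash function to key custody and to what the matcher is allowed to report, which is where the vendor quotes are silent.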

UR loses big patent decision re COX-2 enzyme

UR loses big patent decision:

In his opinion [PDF], Larimer wrote: “An inventor or patentee is entitled to a patent to protect his work but only if he produces or has possession of something truly new and novel.”

“The invention he claims must be sufficiently concrete so that it can be described for the world to appreciate the specific nature of the work that sets it apart from what was before. The inventor must be able to describe the item to be patented with such clarity that the reader is assured that the inventor actually has possession and knowledge of the unique composition that makes it worthy of patent protection. The patent at issue here does not do that.

“What the reader learns from this patent is a wish or plan or first step for obtaining a desired result. What he appreciates is that the patentee had a goal for achieving a certain end result. The reader can certainly appreciate the goal but establishing goals does not a patent make. The reader also learns that the patentee had not proceeded to do what was necessary to accomplish the desired end. In my view, such an invention is not really one at all.”

Distributed Resource Management Application API (DRMAA) proposed

AtNewYork:
DRMAA, according to Peter Jeffcock, Sun Group Marketing Manager for Grid Computing, will expand the reach of grid computing because it will make it easier for independent software vendors to make and promote grid computing applications.

Dive Into Accessibility

Trend Micro adopts Postini antispam solution

Antivirus firm joins war on spam:
“The software will use a scientific method known as heuristics, which calculates the probability that a particular e-mail is spam by examining a pattern of characteristics in the message.” !
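That sentence is the entire technical content of the press piece, so here is what a probabilistic "pattern of characteristics" filter actually does, as an added example. This is my code, not Trend Micro's or Postini's, and the training messages are constructed; the scheme is the naive Bayesian one Paul Graham described in "A Plan for Spam" (2002): each token gets a spam probability from how often it appeared in spam versus legitimate mail, the most telling tokens of a new message are combined into a single probability, and ham evidence is double-weighted to keep false positives down.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z$!][a-z0-9$!'-]+")


def tokens(text):
    """Distinct lower-cased tokens; each token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class HeuristicSpamScorer:
    """Naive Bayesian spam scorer: per-token spam probabilities from training
    counts, combined over the most extreme tokens of a message."""

    def __init__(self, unseen_prob=0.4, top_n=15):
        self.spam_counts = Counter()
        self.ham_counts = Counter()
        self.nspam = 0
        self.nham = 0
        self.unseen_prob = unseen_prob   # tokens never seen in training lean slightly ham
        self.top_n = top_n

    def train(self, text, is_spam):
        (self.spam_counts if is_spam else self.ham_counts).update(tokens(text))
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def token_prob(self, tok):
        b = self.spam_counts[tok]
        g = 2 * self.ham_counts[tok]          # ham evidence double-weighted
        if b + g == 0:
            return self.unseen_prob
        spam_rate = min(1.0, b / self.nspam) if self.nspam else 0.0
        ham_rate = min(1.0, g / self.nham) if self.nham else 0.0
        # Clamp so that no single token can decide the message on its own.
        return min(0.99, max(0.01, spam_rate / (spam_rate + ham_rate)))

    def score(self, text):
        """Probability that `text` is spam; 0.5 for a message with no tokens."""
        probs = sorted((self.token_prob(t) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[: self.top_n]
        if not probs:
            return 0.5
        # p = prod(p_i) / (prod(p_i) + prod(1 - p_i)), computed in log space.
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def build_demo_scorer():
    """Train on a constructed eight-message corpus (four spam, four legitimate)."""
    s = HeuristicSpamScorer()
    for msg in ["buy cheap viagra online now free shipping",
                "free money click here to claim your prize now",
                "cheap mortgage rates click now lowest guaranteed",
                "win a free prize online casino click now"]:
        s.train(msg, True)
    for msg in ["meeting moved to thursday please update the calendar",
                "attached is the draft report for review before thursday",
                "can you review my patch for the sendmail buffer overflow",
                "lunch on friday? the calendar invite is attached"]:
        s.train(msg, False)
    return s


if __name__ == "__main__":
    scorer = build_demo_scorer()
    for msg in ["click now to claim your free prize",
                "please review the attached report before the meeting"]:
        print(f"{scorer.score(msg):.3f}  {msg}")
```

The filter is only as good as its corpus, and the corpus is what spammers attack: padding a message with words common in legitimate mail drags the combined probability back toward the middle, which is why the top-N selection and the per-token clamp matter more than the arithmetic.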