What a week! Security violations left, right and centre, culminating on Friday with the news that Microsoft had been hacked and its Office source code had been compromised. Intruders had probed away until they found an opening and got into Microsoft`s Holiest of Holies. Microsoft`s reaction was interesting, to say the least. First, CEO Steve Ballmer denied that the code had been compromised; then later he confirmed it.
US business investigations company Kroll Associates has found that top management at dot-coms are four times as likely to have 'unsavoury` backgrounds as brick-and-mortar directors.
Ian Melamed, Chief Technology Officer, SatelliteSafe
Reports have it that Microsoft`s defences were infiltrated by the QAZ Trojan, a well-known malicious program that was attached to an e-mail. The Trojan gained access through an employee`s off-site system. One has to ask: How is it possible for Microsoft to be infected by a known Trojan? Surely its anti-virus protection would have detected, blocked and deleted the e-mail containing the malicious program on entry?
Unfortunately, the present use of pull technology - "logoff logon to get latest updates" - results in users not keeping their definitions up to date.
I was in London last week, and I came across a major corporation whose systems had not been updated since July. The technical department had regularly installed the latest updates on the servers. Its policies were clear: "Logoff at the end of each day." But, as this rule was not being observed, updates relying on login scripts - the most common system in practice today - were not being implemented.
This, I believe, is the most likely cause behind the success of the Microsoft intrusion.
How do we fix it? We need to move towards a model of push technology throughout the organisation, rather than depending on pull. Building our defences means regular review of existing technology. Housekeeping tasks such as anti-virus updating need to be as automated as possible, with as little user intervention as possible. Don`t pull, just push.
Significantly, Microsoft was attacked from St Petersburg, which I reported last week as being the new world centre for up-and-coming hackers. I reiterate: we have only seen the tip of the iceberg in terms of what disaffected bright young men can do, given time and resources.
Connected to Microsoft`s troubles: Sun Microsystems posted its nine million lines of StarOffice code on its Web server and announced to the world at large that it was available for download. The consequence - the server was trashed by the sheer weight of visitors, and stayed down for hours. Note: Sun is not only giving away its Office-type software, it`s also giving away the source code, or the keys to the kingdom. But no server has been designed to deal with the volume of traffic this generated.
US business investigations company Kroll Associates has found that top management at dot-coms are four times as likely to have "unsavoury" backgrounds as brick-and-mortar directors. Kroll says 39% of its due diligence investigations into dot-coms uncovered people with "problems" including insurance fraud, undisclosed bankruptcy, overseas fraud and connections to organised crime. Out of interest, it`s the experienced managers brought in to make the business work who are being identified as the problem guys, not the dot-com start-up entrepreneurs. "It`s a ready-made market for fraudsters. The irony is that the consultants, advisors and board members brought in to add credibility have some of the most distasteful histories we found," says Kroll. You can make statistics say what you like, but these certainly do raise the eyebrows.
From Korean giant LG Electronics comes a cool innovation: a computer monitor with fingerprint identification system; it can function as an alternative to passwords for controlling access to computer systems. A sensor in the monitor verifies users` identity by comparing their fingerprint with those registered on its system. Next up from LG will be iris-scanning technology to perform a similar function.
Sources: Silicon.com, Computerwire and ZDNet.
Share
