Smoking emails

February 17, 2006
I just came across this, "Morgan Stanley offers $15M fine for e-mail violations". From the article:

"US investment bank Morgan Stanley will offer a settlement to the Securities and Exchange Commission (SEC), agreeing in principle to pay a $15 million fine for failing to preserve e-mail messages. The e-mail messages could have provided useful evidence in several cases brought against the company. In one case, resulting in a $1.58 billion judgement against the bank, a judge turned the burden of proof on Morgan Stanley after learning they had deleted e-mails related to the case. However, Morgan Stanley has not yet presented the offer to the SEC nor is there a guarantee the SEC will accept. The investment bank says it is fixing the problems that led to the erasure and is pleading for leniency."

He, He, He!

You see, the email archiving market is about to top $310M for 2005 according to IDC, yet one of the world's most powerful investment banks still cannot manage to comply with the requirements.

Lack of financial power - nope, lack of incentives - yep! The case reminds me of KPMG's tax shelters, McAfee's fine for an accounting scam between 1998 and 2000, and the "'Smoking Emails' Admissible In $1 Billion Enron-Related Chase Case" story.

Quit smoking emails, and take advantage of MailArchiva - Open Source Email Archiving and Compliance.

Technorati tags: smoking gun, investment banking, compliance, mailarchiva

How to win 10,000 bucks by the end of March?

February 17, 2006
I feel that, in response to the recent event of how the WMF vulnerability got purchased/sold for $4000 (an interesting timeframe as well), iDefense are actively working on strengthening their market positioning - that is, to maintain their pioneering position as perhaps the first company to start paying vulnerability researchers for their discoveries.

The company recently offered $10,000 for the submission of a vulnerability that gets categorized as critical in any of Microsoft's Security Bulletins. In the long term, would vulnerability researchers be able to handle the pressure put on them through such financial incentives, and keep their clear vision instead of selling their souls/skills? What if someone naturally offers more: would money be the incentive that can truly close the deal, and is it just me realizing how bad it is to commercialize the not so mature vuln research market, namely how this would leak all of its current weaknesses?

Consider going through some of my previous thoughts on the emerging market for software/0day vulnerabilities as well, and stay tuned for another recent discovery a dude tipped me on - thanks, as a matter of fact!

The end of passwords - for sure, but when?

February 16, 2006
My first blog post, "How to create better passwords - why bother?!", back in December 2005, tried to briefly summarize the thoughts and comments I've been making on the most commonly accepted way of identifying yourself - passwords.

Bill Gates commented on the issue, and note where: at the RSA Conference, organised by perhaps the company most actively building awareness of the potential and need for two-factor authentication, or anything other than static passwords, for access control. Moreover, it was again Bill Gates who wanted to integrate the Belgian eID card with MSN Messenger (Anonymity or Privacy on the Internet?). Microsoft is always reinventing the wheel, be it with antivirus or their Passport service, and while they have financial obligations to their stakeholders, I feel it's the wrong approach on the majority of occasions.

What I wonder is, are they forgetting the fact that over 95% of the PCs out there run Microsoft Windows, and not Vista, and how many will continue to do so, polluting the Internet at the bottom line? My point is that MS's constant rush towards "the next big thing" doesn't actually leave them the resources to tackle some of the current problems, at least in a timely manner. What do you think? What could Microsoft do to actually influence the acceptance of two-factor authentication, and moreover, how feasible is the concept at the bottom line?

Technorati tags: security, microsoft, authentication, passwords

A timeframe on the purchased/sold WMF vulnerability

February 15, 2006
The WMF vulnerability and how it got purchased/sold for $4000 was a major event during January, at least for me, as for quite some time the industry was in the twilight zone by not going through a recently released report. But does this fact matter next to figuring out how to safeguard the security of your network/PC, given the time it took the vendor first to realize that it's real, then to actually patch it? Something else that made an impression on me is that, compared to the media articles and my post, was I the only one interested in who bought it, instead of who sold it?

So here's a short timeframe on how it made it to the mainstream media:
January 27 - Kaspersky are the first to mention the "purchase" in their research
January 30 - I started blowing the whistle and friends picked it up (even the guy that got so upset about it!)
January 31 - Meanwhile, someone eventually breached AMD's forums and started infecting its visitors!
February 2 - Microsoft Switzerland's Security blog featured it
February 2 - LinuxSecurity.com republished it
February 2 - DSLReports.com picked it up
February 2 - Appeared at Slashdot
February 3 - OSIS.gov (an unclassified network serving the intelligence community with open source intelligence) picked it up :)

What's the conclusion? Take your time and read the reports thoroughly, and cheer Kaspersky's team for their research? For sure, but keep an eye on the Blogosphere as well!
