Firms Preparing for New Standards
Just as public companies and their auditors are becoming more comfortable with Sarbanes-Oxley regulation, along comes another sweeping change that could have an even larger impact on the accounting profession.
A switch to International Financial Reporting Standards would bring the United States in line with more than 100 countries, including all of Europe. For corporations with a global presence, the transition to a single accounting language should streamline the financial reporting system.
In August, the U.S. Securities and Exchange Commission elected to pursue a "road map" toward adopting the international standards for all public companies by 2014. Although that's six years away, and the shift is far from certain, the majority of the accounting profession thinks it's going to happen.
Most members of the New York-based American Institute of Certified Public Accountants think it will take three to five years to make the changes. But some corporations such as Procter & Gamble already have started using the international standards for their foreign subsidiaries.
"I believe it's inevitable that IFRS is coming," said David Haas, a partner at the local office of New York-based PricewaterhouseCoopers. "Most of the global capital countries have adopted or plan to adopt it."
The number of countries making the change could grow to 150 within the next few years, with Canada and India expecting to transition by 2011.
U.S. companies have been doing business under Generally Accepted Accounting Principles for seven decades. The "generally accepted" part applies to just the United States, where the unique system of financial reporting piles rule on top of rule. The result is 9 inches of pages, compared to 2 inches under the international standards.
Adopted in 1971, those rules gradually gained popularity largely because they are less detailed. International guidance regarding revenue, for instance, is much less extensive than GAAP's and contains few industry-specific instructions. While countries...
In Crisis Fallout, Rethinking Risk and Human Judgment
Call in the philosophers, call the psychologists. The idea of risk, the most fundamental concept in the insurance industry, is undergoing its most rigorous analysis in decades.
As the financial crisis sweeps Wall Street and Europe, big insurers are scrambling to unearth flaws in their core assumptions about the chances for financial outcomes -- and to devise new ways to cope with uncertainty and "slippery slopes," both for themselves and the companies that buy their products.
"With this crisis, everybody is re-evaluating the concept of risk management," said Richard Phillips, a professor of risk management and insurance at Georgia State University, which has a leading program for insurance studies.
The scrutiny goes beyond a dissection of the complex mathematical models created by financial engineering, particularly those behind credit default swaps, the $63 trillion market of insurance-like products that nearly bankrupted American International Group, caused steep losses at MBIA and Ambac, and has upset banks from Seattle to Amsterdam.
Rather, the rethinking "is focusing on the overreliance on models," said Carol Fox of the Risk and Insurance Management Society, a trade group.
Because nearly all risk-management models failed to predict or protect against the crisis, Fox said, insurers will increasingly view risk "more as a function of behavior than of models."
Going forward, she said, insurers will use models "as a point of information, but it won't drive risk tolerance" or the appetite for making financial and other bets.
Although both rely on historical data, the actuarial models behind life, property and casualty insurance -- the industry's stock in trade -- are not the same as those behind complex derivatives.
So the rethinking means considering the role of financial models in a company's overall operations, and whether those models fail to consider, for example, the risk of collateral calls or write-downs on the company's balance sheet -- both missed...
Securing Your Wireless Network
In the light of recent events where terrorists have allegedly used unsecure Wi-Fi networks to send e-mails, you can take some relatively simple steps to protect your connection from being misused. Wi-Fi or Wireless Local Area Networks (WLAN), or, to give it its technical name, 802.11 wireless protocol, is still extremely convenient, both in office and home, given that all modern laptops and high-end mobile devices have receivers to pick up these signals. The latest 802.11n specification is also quite fast and supports the higher broadband speeds that come into the WLAN router.
You can secure your connection by following these three simple steps. However, keep in mind that these are only tips and much like a car security system, only offer a slightly enhanced level of protection. A determined hacker can still break into any network without enterprise levels of security.
Disable SSID broadcasting
Most Wi-Fi routers broadcast their network name using the Service Set Identifier (SSID) to the world every few seconds, which makes it easy for people to move from one wireless access area to another, but people rarely change the network's default name. Disabling the SSID might help if your access device (mobile or computer) usually stays in the signal area. Constantly moving in and out of the Wi-Fi signal could lead to slow or dropped connections. But you also must keep in mind that many modern devices can detect and access 'Hidden WLAN' networks where the SSID is disabled.
Don't keep your Wi-Fi Router near a window or the outside wall of your house
This is not a hardware tip, but simple common sense. A Wi-Fi router does not send a uni-directional signal (though some modern routers do). A Wi-Fi router placed near a window or outside wall will leak signals to the world, which can be picked...
Microsoft's Morro Could Challenge Security Giants
McAfee and Symantec could be affected as Microsoft moves to provide free antivirus software. If the software, code-named Morro, successfully protects against viruses, analysts said, it could mean an exodus from well-known security brands.
On Tuesday, Microsoft announced a security offering focused on protecting against malware. The software giant is addressing what it sees as a growing need for a security solution that meets the unique needs of emerging markets and smaller PC form factors.
"This could be third-time lucky for Microsoft in regards to an antivirus product," said Graham Cluley, a senior security consultant at Sophos. "They tried with MSAV in Windows 3.11/MSDOS 6.2, which wasn't terribly successful -- especially when it detected Windows 95 as a virus."
A Smaller Footprint
The secret sauce for Morro is in the architecture. It will offer comprehensive protection from various forms of malicious software, including viruses, spyware, rootkits and trojans, by focusing on a smaller footprint that uses fewer computing resources.
Microsoft said Morro is ideal for low-bandwidth scenarios or less-powerful PCs. By targeting the core anti-malware features that most consumers don't keep up to date, Microsoft said, Morro will provide the essential protection that consumers need without overusing system resources, and provide better protection against online threats.
As Morro comes on the scene, Microsoft will discontinue retail sales of its Windows Live OneCare subscription service, effective June 30, 2009. OneCare was Microsoft's second attempt at security. Although it was much better at detecting malware, Cluley said, it didn't capture a large home-user audience.
"Anything which encourages more home users to defend their PCs has to be encouraged, provided innovation and competitiveness is not stifled," Cluley said, "but consumers will have to wait until next summer to find out how good the product actually is."
Sleepless Nights?
Microsoft is moving early to educate the market about the product. Morro is...
Microsoft Will Replace OneCare with Security Software
Microsoft plans to stop accepting paid subscriptions to Windows Live OneCare in mid-2009. The security software is slated to be replaced by a free offering code-named Morro, which will focus on providing consumer PCs with core protection from viruses, spyware, rootkits, trojans and other forms of malware.
"We know that there are still some 60 percent of consumers in developed markets -- and even more in emerging markets -- that don't have up-to-date security protection on their PCs, and we want to help provide that core level of protection," said Amy Barzdukas, senior director of product management at Microsoft's Online Services and Windows Division.
Low-Bandwidth Scenarios
Morro will deliver the essential protections that consumers need by "shifting the focus onto the core anti-malware features that most consumers still don't keep up to date," Barzdukas said. The platform also will be available in a smaller footprint that will use fewer computing resources, she said.
One goal is to make Morro "ideal for low-bandwidth scenarios or less-powerful PCs," Barzdukas said. The other is to remove the cost barriers that have slowed security software adoption in emerging markets -- where low-cost mini-notebook and netbook devices are becoming popular.
"By offering such basic protection at no charge to the consumer, Microsoft is promoting a safer environment for PCs, service providers and e-commerce itself, since it is through unprotected PCs that the worst threats are introduced to the system as a whole," said Roger Kay, founder and president of Endpoint Technologies Associates.
More Threat Intelligence
Morro will integrate the same core malware engine that Microsoft uses across its line of anti-malware products. However, the new platform will not incorporate the same set of features that Windows Live OneCare currently provides.
For example, Morro will not offer or support multi-PC "circle" management and printer sharing, Barzdukas said....
Upgrading Your Wireless System
Years ago, I set up a wireless system for my laptop. This worked great at the time, but now that the speeds of everything else have increased, I realized recently that the time had come to upgrade the wireless system.
When wireless systems first came out, you had to buy something called a "wireless access point," which was basically a transmitter/receiver that plugged into your existing cable or DSL modem or network router.
This was pretty straightforward and simple, as there were few choices since wireless technology was in its infancy. Now, two or more generations later, there are dozens of choices: Wireless-G, Wireless-N, gigabit networks, integrated wireless/wired routers, and even combo modem/wireless/wired network boxes.
Obviously, a combo unit would simplify installation; but for people like me, who have several devices on the network and a router that has more ports than most all-in-one boxes, that won't work.
I purchased a Netgear WNR854T, a 4-port wired and Wireless-N router for $45 (on sale), with the hopes of just installing it in the same way as my old access point since no one offers "just" an access point anymore.
Boy, was I wrong. These new devices are designed to be easy-to-install, integrated network solutions. They give you a high-speed combination of Wireless-N and four wired ports, all in one box.
Searching the web for solutions only turned up suggestions for a couple of older models. I tried these and found they worked with limited function. I was able to access the web but not the other devices on the main router; it was almost like a separate network.
A quick email to the Netgear tech support team got me detailed, step-by-step instructions on how to do exactly what I needed. It took me about 15 minutes to install it as an access point with full functionality.
One of the...
Cloud Computing and Data Security: Know the Risks
Some enterprises now consider cloud computing to be the next-best thing to sliced bread. But Jeff Kalwerisky, chief security evangelist of Alpha Software, sees the benefits as well as the hype. As an expert in information security and risk management for more than two decades, Kalwerisky has worked for many Fortune 100 companies and sees some security risks that could expose company data in the cloud architecture.
"The devil is in the details," says Kalwerisky, who advises exploring security risks from all angles. Data security needs to be measured according to the classic model he calls "CIA": confidentiality, integrity, and availability.
Users walk into the cloud expecting that some basic needs will be met. "Users want to be sure their data is confidential and kept private at all times," he says. Users also expect data integrity and accuracy; data needs to be updated with the most current version available 24/7, he says. But that is not always the case. "Even Amazon went down for 4 hours last February. For big companies, it's a nuisance, but for smaller companies, it's a big loss of business." And what happens when the cloud computing company has a hardware or software malfunction or fire? The big question is accountability, he says: "Which throat do you choke if it's not working?" He suggests making sure data is stored in at least two different places for safekeeping and future accessibility.
For anyone who is contemplating using the cloud, Kalwerisky suggests that customers ask a few questions before signing on the dotted line. Know your vendor and what software/hardware is being used and what security precautions are in place. Data is usually at risk when it's in transit. So make sure data is encrypted at all phases. Even if someone should intercept data while it's in transit on the web,...
Spammers Sent Packing -- for Now -- By Web Shutdown
E-mailers, enjoy the early holiday gift: Spam volume has been cut by more than half because Internet providers pulled the plug on a Web hosting firm that was allegedly helping some of the world's most dastardly junk e-mail gangs.
The break won't last long. Garbage e-mail levels are already swelling again, and are expected to return to normal in a matter of days.
'Tis the season, after all: The holidays are the busiest time of the year for spammers, and criminals are hustling to reconnect with potentially millions of virus-infected PCs that they once used to send spam -- which accounts for 90 percent of the world's e-mail.
Spam fighters scored big last week with the takedown of McColo Corp., a U.S.-based company apparently catering to bulk e-mailers. But the battle against McColo also highlights the difficulty in squashing spam-sending operations. Slapping one down means it just pops up somewhere else.
"It is always a cat-and-mouse game, and we fully expect there will be a countermove," said Doug Bowers, senior director of anti-abuse engineering for Symantec Corp.
Companies like McColo can be difficult for law enforcement to take down. Authorities have to prove company officials knew crimes were being committed through their servers. Web hosting companies often argue that they don't monitor how customers use their services.
In this case, security researchers amassed evidence of wrongdoing on their own and confronted McColo's Internet providers to get the Web hosting service taken down.
McColo, which claims a Delaware mailing address and a data center in Silicon Valley, has been on security researchers' radars for more than a year. Many spam filters blocked messages coming through McColo's service.
The FBI declined to comment. However, it appears that spam senders used McColo's service to send commands to large numbers of PCs they had hijacked.
Having that conduit is critical. Spammers use networks...
Phishing: Don't Be the Catch of the Day!
Phishing is now a widespread threat to the online community. With various products, solutions and services available out there claiming to mitigate the phishing threat, it is wise to take a step back and look at the phishing threat itself and identify its various components. This is done through studying various phishing attacks, the processes involved, and then comparing them to other previous attacks.
"The first step to win a war is to know thy enemy." Once the various components of phishing are identified, then we are able to map the various controls to them and see which part of the phishing threat is mitigated.
Today, phishing attacks and their many variants are at the forefront of the news. Due to this publicity, organizations that offer services online, especially the financial institutions, are looking into various controls to mitigate the risks of phishing attacks.
These controls range from Two Factor Authentication (2FA) solutions, anti-phishing plug-ins for web browsers, fraud detection systems, Web site takedown services, user awareness training and a variety of end-user software.
While all these controls do help in the fight against phishing attacks, it should be noted that they tackle only one or at most two parts of a typical phishing attack, not the attack in its entirety.
"But what are the various portions of a typical phishing attack?" you may ask. The phishing attack is made up of different types of conventional attacks (conventional as in something we experienced before the term phishing was coined), and these attacks can be categorized into four parts: Redirect, Disclosure, Impersonation and Unauthorized Usage.
Here are some variants to the typical phishing attack we have come to know and love: you know, the one with the illegitimate email that directs you to a masquerade site where you key in your username, password and provide...
Criminal Hacker or Digital Vigilante?
In 1984, author and tech specialist Steven Levy released the book Hackers: Heroes of the Computer Revolution. It took a look at the already long-established culture of computer hacking, and outlined the idea of the hacker ethic. The book is still a classic, and well worth a read, particularly considering it was released well before the emergence of the Internet and the many security and privacy challenges that have emerged.
Levy wrote the book, in part, to counter the emerging media focus on hackers as nefarious individuals intent on causing damage and destruction to computer systems. Contrary to the myth of the destructive hacker (as made famous at the time by the movie War Games), Levy asserted there were a large number of computer specialists who liked to spend their time identifying and publishing information about security challenges, problems and weaknesses within software and systems design.
Their reason for doing so was simple: identified security weaknesses should be exposed and made public to ensure that organizations are cognizant of potential security risks and pay adequate attention to security issues.
This hacker culture has had a massive impact on technology for the past few decades; for example, many of the flaws identified in operating systems such as Windows XP come from self-appointed security vigilantes. The same hacker culture has led to the concept of open-source software: the idea being that if computer code can be analyzed and shared openly in its development, then potential security vulnerabilities can be easily identified and fixed.
Twenty-five years on, not much has changed with the culture. But there are new and surprising twists.
As I write this, news stories are emerging of a group of computer specialists at the Massachusetts Institute of Technology who identified a number of security problems with the Massachusetts Bay Transportation Authority (MBTA) electronic...