Monday, May 28, 2012

Oracle slammed for outdated approach to Java security

Oracle has fallen dangerously behind the times with the security policies and practices it utilises on its Java platform, according to one of Kaspersky Lab's top researchers.
Roel Schouwenberg, a senior antivirus researcher with the Kaspersky Lab global research and analysis team, told V3 that Oracle has not kept pace with the security advances made by other companies in recent years.
"You can see that Microsoft has gone to sandboxing for Office, Adobe has gone that way, Google has gone that way with Chrome," Schouwenberg noted.
"When you look at what Oracle has done, the sad reality is nothing. And I have to ask why we are letting Oracle get away with this?"
According to figures from Kaspersky, Java remains a top target for malware writers and cyber criminals. Along with Adobe Reader and Flash, Java vulnerabilities are the most popular for online exploits which lead to malware infections.
Adobe has extended the security protections on Reader and Flash. Oracle, however, has only recently installed basic security measures, says Schouwenberg.
"Two years ago I would have been slamming Adobe for its security," the researcher said.
"Adobe still makes its mistakes, but with Oracle we don't see anything that they are doing to change something."
Oracle did not respond to a request for comment on the matter.
While the Java maker was singled out for its practices, Oracle is far from the only vendor Schouwenberg sees ignoring security issues.
He noted that Google's loose oversight of its Play market has left Android devices vulnerable to malware, while Apple continues to ignore major security risks on the OS X platform in the wake of the Flashback malware outbreak.
Throughout the entire market, Schouwenberg sees the need for better security response time and policies should vendors wish to protect users from malware.
"Any program that can be directly accessed from a web browser should be checking for updates every other day, reasonably, and definitely not less than once a week," he said.
"A broken update system is an issue for a lot of programs still, even Adobe is still struggling on that a bit."

India steps up battle against rising cyber crime wave 

Image: As the number of people coming online in India rises, so could the number of victims of hackers.

As Ankit Fadia, 28, works on his laptop, his fingers furiously tapping away, there is silence in the packed auditorium in central Delhi. 

His projector throws images of codes and symbols onto a white wall, and then suddenly, the crowd bursts into spontaneous applause.

Another website has been successfully hacked and unlocked.

But rather than doing something illegal, Mr Fadia, who describes himself as an ethical hacker, says he is trying to protect people and businesses from a rising wave of cyber crime.

"The difficulty about tackling cyber crime is that it's increasing all the time," says Mr Fadia.

"If we control one set of attacks there are hundreds more the next minute. That's why we need our systems, policing, the law, prepared for this kind of cyber onslaught."

Spam manager



According to a recent report by global research and accounting firm Ernst and Young, data or information theft was the most committed fraud in India last year.
That data can be anything from personal details, to bank accounts, to company contacts and secrets.
Ernst and Young warns that it could cost companies as much as 5% of their profits if they are targeted by cyber criminals.
At the same time, there has been an increase in nuisance internet issues such as spamming, with India recently overtaking the US to become the top global contributor of junk messages. And while this jams an inbox and is a headache for the consumer, for the government there are also more serious issues, such as national security and trying to avoid a potential cyber attack by a terrorist group.
According to the Minister of State for Communications and IT, Sachin Pilot, more than 100 Indian government websites were hacked in the first three months of 2012.
It is no surprise then that the government has been trying to step up its policing of cyberspace, and is mulling plans to build a National Cyber Coordination Centre, which will detect malicious cyber attacks and issue early warning alerts.
The IT industry lobby group Nasscom has also recommended establishing a cyber command centre which would sit within the defence forces. They argue the cyber command should be equipped with defensive and offensive cyber weapons and staff trained in cyber warfare.

Cyber crime facts:

Number of people subjected to cyber crimes globally in 2011: 431 million
Number of cyber crime victims in India: 29.9 million
Cost of cyber fraud globally: up to $388bn a year
Cost of cyber fraud in India: $7.6bn a year ($4bn of direct losses and an additional $3.6bn in time spent resolving the crime)
Source: Norton Cybercrime Report 2011

Grey men
But for observers such as hacker and author Mr Fadia, India already has some firepower in place with its Information Technology Act that was passed in 2000.
The issue, however, is not with the law, rather the implementation of it.
"Though India has laws aimed at tackling cyber crime, it isn't used effectively," explains Mr Fadia, who has tied up with the national police academy in Hyderabad and helps train police officers in understanding cyber crime.
"Even when arrests are made, very few people actually get convicted."
Experts say that even if you go after the criminals it is not always easy to catch them because they usually operate behind the wall of anonymity that the internet offers.
According to Arpinder Singh, head of Ernst and Young's Fraud Investigation and Dispute Services, the company recently tried to identify the profile of an Indian cyber fraudster.
What they found was that the fraudster had changed significantly.
Now the typical fraudster is a male middle-management employee in his 30s, very ambitious and tech-savvy, who can work anonymously from a remote location.
This makes it harder to trace any wrongdoer, a task that will only get harder as India's internet population grows from its current level of about 120 million, or about 10% of the current population.
Mr Singh warns that as more people come online the risks to companies both big and small will increase.

Safe practice

One small firm that is already taking defensive measures is UC Infosystems.
In a busy office in west Delhi, the company's technicians are breaking down electronic equipment and consumer gadgets so they can service their parts.
As well as being full of computers and keyboards, the office is also brimming with confidential information such as client orders and addresses, payment methods and other financial data.
In an increasingly competitive business, the founder of the firm wants to make sure nothing can be lost or stolen.
"Though we are a small business, all our data is online," explains Sanjeev Sharma.
"My accounts department processes financial data; the service staff can access client addresses and phone numbers.
"I have to consider the possibility that my competition can steal the data. That puts not just my business at risk, but all my valuable client data at risk."

Wednesday, May 16, 2012

Norton Scientific Reviews: Facebook Admits ‘material impact’ from Yahoo Lawsuit

Facebook may have downplayed it in public, but its IPO filing now includes a caution regarding Yahoo’s lawsuit. Because the litigation could have a major impact on its business, Facebook is warning investors of the possibility of an unfavorable result.

Also in the new filing, Facebook emphasized that it could be in jeopardy if the many lawsuits filed against it all turn out to be unfavorable. It also noted that the class action cases against the company all claim huge monetary damages even though the actual harm done, if proven, is hardly considerable.

In a statement, Facebook says that it is too early in the litigation to predict the result, so everything remains uncertain. It admitted, however, that an unfavorable result would have a “material” impact on its finances, operations and overall business.

According to Facebook’s filing, Yahoo sued Facebook earlier this month for allegedly infringing Yahoo’s patents concerning social networking, advertising, customization, messaging and privacy.

The social networking leader is now struggling with further intellectual property lawsuits from other firms hoping to get their hands on a share of the hefty IPO. Facebook has around 60 US patents in its portfolio and this month acquired 750 networking and software technology patents from IBM Corp to defend itself.

Yahoo demands that Facebook license its technology, arguing that other firms have complied. Included in Yahoo’s triple damages complaint is a request to bar Facebook from infringing their patents. Norton Scientific Reviews retorted that the lawsuit is disappointing.

Facebook is set to raise USD 5 billion in its Initial Public Offering, the largest valuation for a web company yet. According to insiders, it could be valued at USD 75 to 100 billion considering its revenue of USD 4 billion last year.

Monday, May 14, 2012


Norton Scientific Reviews: Scammers’ Valentine Treat

A global security company issued a scam warning against spam messages with catchy subject lines for Internet users this Valentine’s season.

Users must be extra careful in opening messages in their email accounts especially during the holidays as they can receive spam mails meant to get their attention and steal their personal data.

One such scam warning issued by an antivirus company describes email messages that invite users to buy a gift for their loved one for Valentine’s using an attached discount coupon from Groupon.

Even though coupon services are not illegal in themselves, their popularity comes with the risk of being used in phishing attacks.

Phishing can be done by sending a massive number of email messages asking people to enter their details on a bogus website, one that looks very similar to popular auction sites, social networking sites and online payment sites. These sites are designed to obtain personal details like passwords, credit card information, etc.....

Norton Scientific Reviews: Symantec source code leaked by hackers

A group of hackers who call themselves the Lords of Dharmaraja (and are associated with Anonymous) have published the source code of Symantec, a digital security firm known for the Norton antivirus program and pcAnywhere, raising concerns that others could exploit the security holes and try to take control of users’ computers.

The release of the source code came after the ‘extortion’ attempt failed as Symantec did not comply with their numerous deadlines.

Negotiations via email between a representative of the hacker group, YamaTough, and someone from Symantec were also released online. The exchange concerns Symantec’s offer to pay USD 50,000 for the hackers to stop disclosing the source code and announce publicly that the whole Symantec hack was a fake, which made the company a subject of mockery for appearing to buy protection.

Both sides admitted that their participation was just a trick......

Tuesday, May 8, 2012

The Norton Group

Check fraud and forgery are two of the biggest security problems faced by banks. In fact, according to a recent Ernst & Young study reported by the National Check Fraud Center, over 500 million checks are forged annually, with losses totaling more than $12 billion, not counting those incurred by other types of document forgery.

Check fraud law is governed by Articles 3 and 4 of the Uniform Commercial Code (UCC). As a result, check fraud law has moved toward reflecting contemporary banking practices.

This memorandum generally addresses check fraud litigation resulting from: (i) alterations to the check, (ii) forgeries of the maker's signature on either the face of the check or the payee's endorsement on the back of the check, or (iii) counterfeit checks created by a dishonest third party. If there is a policy implicit in the UCC's rules for allocation of losses due to fraud, it surely is that the loss be placed on the party in the best position to prevent it.

The revisions to the law will likely result in three significant changes to the causes of action available in check fraud litigation. First, they may provide a new cause of action for contribution based solely on shared culpability. Second, they may expand conversion as a cause of action in check fraud cases. Third, they allow a drawee bank to recover from upstream banks for encoding errors that may result in shifting liability in some counterfeit check cases.

Check Fraud Law

Before addressing the law, it is important to know the relationships between parties typically involved in check fraud litigation. A customer is a person with an account at a bank. A drawer or maker is a person writing a check and is typically a customer of the drawee bank. A drawee is a party, typically a bank, required to pay out money when a check or draft is presented. A payee is the party entitled, by the creation of the check by the drawer, to receive funds from the payor bank, usually the drawee. Presentment is the delivery of a check or draft to the drawee or the drawer for payment.

A check written by the drawer moves downstream from the drawer to the payee, and then moves to the drawee bank that pays the amount shown. Several other parties, however, may enter the stream between the payee and the drawee. Typically, the check moves downstream from the payee to the depository bank. Continuing downstream, the check moves from the depository bank to the collecting bank (most often the Federal Reserve Bank for depository institutions), then perhaps to a presenting bank, and finally to the drawee bank.

The essential element of most check fraud claims is an unauthorized or forged signature or endorsement. The offender may enter the stream at any point in the sequence. Since the person committing the fraud has often disappeared with the money or is judgment proof, most check fraud litigation involves a claim by an injured party against a drawee bank that paid over a forged signature, or a depository bank that accepted and processed an item bearing a forged endorsement.

Generally, a drawee bank is liable for claims involving the drawer's signature on the face of a check, and a depository bank is liable for claims involving the payee's endorsement on the back of the check.

A drawee bank's liability for forged signatures of the drawer arises because the drawee bank maintains the drawer's signature card on file and is held responsible for verifying the signature.

The depository bank's liability for a forged endorsement of the payee arises because the depository bank has direct contact with the individual presenting the fraudulent endorsement. Thus, the depository bank is in the best position to verify the endorsement. In double forgery situations, when both the drawer's signature and the endorsement are forged or unauthorized, the case is treated as a forged check case and the drawee bank is generally liable.

Counterfeit items are usually the responsibility of the bank that pays the item, since the check was not authorized by the account holder.

Banks do, however, have an obligation to pursue a remedy against all parties who were in a position to know, or should have known, of any wrongdoing (forged endorsement or signature, counterfeit, etc.).

Most State laws say that a bank may only charge a customer's account for checks that are "properly payable." This provision creates a cause of action against a bank that charges its customer's account for a check not properly payable. Such a claim is like a customer's breach of contract claim against the bank based on the theory that the drawee bank breached the terms of the deposit agreement by paying an item not "properly payable."

A bank and its customer may alter their relationship by agreement, subject to the limitation imposed by the law that the parties cannot disclaim a bank's responsibility for its own lack of good faith or failure to exercise ordinary care, nor limit the measure of damages for such lack or failure.

However, the parties may decide by agreement the standards by which the bank's responsibility is to be measured if those standards are not manifestly unreasonable.

The terms of the deposit agreement between the drawee bank and the drawer may provide the basis for a cause of action under the law. The terms of the agreement may supersede the law as long as they do not disclaim the bank's liability for its own lack of good faith or failure to exercise ordinary care, which remains notwithstanding any such agreement.

Under the law an instrument is converted if it is taken by transfer, other than a negotiation, from a person not entitled to enforce the instrument, or if a bank makes or obtains payment with respect to the instrument for a person not entitled to enforce the instrument or receive payment. For example, a thief takes a check payable to Mary Dow, forges her endorsement, and pockets the proceeds. Dow may assert a claim for conversion against either the depository bank that cashes the check or the drawee bank that pays over the forged endorsement. The law provides that the measure of damages in a conversion action is presumed to be the face value of the instrument. The payee, however, may only sue the drawer for conversion if the instrument is a draft payable by the drawer, and not a check payable by the payor bank. A "draft" is a negotiable instrument that is an order. A "check" is a negotiable instrument drawn on a bank and payable on demand.

Generally, a drawer may not sue for conversion, because the courts in many States have ruled that a drawer has no cause of action for conversion against a depository bank that cashed checks for an individual who forged the payee's endorsement when the check was never delivered to the payee.

In a check fraud litigation, a plaintiff who maintains an individual account may sue his or her drawee bank or another bank in the collection process under Section 9.

Besides the rights established by the UCC, there are several common law bases for recovering losses resulting from check fraud schemes. The most frequently used are conversion, indemnification, negligence, and money had and received. The availability of any common law cause of action for check fraud depends on whether the cause of action is displaced by specific provisions of the UCC.

In cases with joint payees, where one payee forges the signature of another payee, the nonforging payee may file a contract claim against the drawer of the check based on the underlying obligation.


The revised UCC continues most defenses to claims based on check fraud, but provides significant changes where an employer of a forger was negligent. The revised UCC shifts liability to the employer where the employer is in the best position to prevent the underlying embezzlement.

One of the most significant changes in the revised UCC is the introduction of comparative negligence concepts. The revised law precludes a party who substantially contributes to the making of a forged signature from asserting that the signature is unauthorized. Under the old code, a bank is generally liable for the total loss if the bank is negligent in most embezzlement cases. Under the revised law, however, if both the drawer and the bank are negligent, the court will apportion the loss between the two according to their respective fault. The comparative negligence language may also provide the drawer with a new cause of action against the drawee bank. The drawer may assert that, while it contributed to the forged endorsements, it should not be held liable for the total loss.

The revised law introduces a comparative negligence scheme into the bank/customer relationship.

It provides a bank with a defense to a customer's claim for reimbursement for payment of an item not properly payable, and the revisions introduce comparative negligence as a loss allocation system to the extent each bears responsibility for causing the loss.

The revised law covers situations where an impostor impersonates either a payee or an agent of the payee. Under the old code, this section applied only to cases in which the impostor impersonated the payee and not false agent cases. The revision shifts liability from the bank to the drawer in "bad bookkeeper" cases and other situations in which an impostor-agent endorses a check made out to the principal by the drawer.

The revised law incorporates a comparative negligence standard into impostor and fictitious payee situations. Under it, a bank that fails to exercise ordinary care may be liable for part of the loss from an impostor or fictitious payee situation to the extent that the failure to exercise ordinary care contributed to the loss. It is impossible to predict what the practical result of the comparative negligence standard will be.

Under the revised UCC, double forgery cases will be treated as forged check cases and not forged endorsement cases. This revision does not result in changes in most States, since double forgeries were already generally treated as forged drawer's signature cases.

Under the revised law an employer is liable for theft by an individual with authority to write checks and who draws a check to the order of a payee, intending the payee to have an interest in the check, but who subsequently forms the intent to steal the instrument and does so.

The law provides the drawee bank with several time-based defenses stemming from the drawer's failure to comply with a duty to review its statements to discover and report unauthorized signatures or alterations. A drawer who fails to discover and notify the bank of a forged endorsement or alteration within thirty days after the bank makes the statement and items in question available to the customer is precluded from asserting additional forgeries or alterations by the same wrongdoer. If, however, the drawer establishes negligence by the bank in paying the item or items in question, then the preclusions are limited.

The customer's duty to inspect statements and discover and report any problems remains largely unchanged from the old code. The subsection defining such duty, however, has been redrafted to help truncation by banks. The revised UCC says that the statement of account provides sufficient information if the item is described by item number, amount, and date of payment. This allows banks to destroy paper checks at some point early in the collection process, retaining instead a photographic or electronic image of the check.

The UCC extends from fourteen to thirty days the time within which a customer must report the unauthorized signature or alteration of a given wrongdoer. The law maintains an absolute bar on the assertion of an unauthorized signature or alteration after one year, mirroring the one-year rule under the old code.

Under the revised law, the burden of proof shifts back and forth between the party asserting the preclusion and the party asserting the unauthorized signatures. If the bank pays a check over an unauthorized drawer's signature or endorsement, and the customer fails to notify the bank of the error within a reasonable time after the date of the receipt of his bank statement, the burden-shifting begins.

First, the party asserting the preclusion, generally the drawee bank, must prove that the drawer failed to review his statements with "reasonable promptness." If the bank can prove that the drawer failed to satisfy his duty to review statements and notify the bank of any errors, then the liability for the items in question shifts to the customer asserting the unauthorized signatures. The customer will then be precluded from challenging the effectiveness of such signature placed on any other item altered or forged by the same wrongdoer unless he can prove that the bank failed to exercise ordinary care in paying the items in question. If the party asserting the forged signatures can prove that the bank failed to exercise ordinary care in paying the items in question, then liability reverts to the bank on a comparative negligence basis.

A drawer may ratify an unauthorized signature or forgery, thereby forgoing the right to assert the unauthorized signature against another party. Whether a party ratified an unauthorized signature or forgery is a question of fact. Furthermore, in order for a court to find that a particular factual pattern is ratification, the facts must not be susceptible to any other interpretation.


The 1990 revisions added an encoding warranty, by which a party who encodes information on the face of a check is held strictly liable for that encoding. Banks have traditionally encoded checks using Magnetic Ink Character Recognition (MICR) technology, and they are increasingly shifting to Optical Character Recognition (OCR) technology.

The MICR and OCR line on the bottom portion of the check contains three fields. The first field contains the routing number of the payor bank, which tells the depository and collecting banks where to send the check. The second field contains the drawer's account and check numbers, which tells the payor bank which account to debit. The first and second fields are generally encoded by the drawee bank before the preprinted check form is given to its customer. The third field shows the amount of the check. The third field is generally encoded manually by the depository institution.

Definition of Ordinary Care

The definition of the negligence standards used in the law was standardized in the revision. Ordinary care, with respect to persons engaged in business such as banks, means the observance of reasonable commercial standards, prevailing in the area in which the person is located, with respect to the business in which the person is engaged. The definition further specifies that, in the case of a bank that takes an instrument for processing for collection or payment by automated means, reasonable commercial standards do not require the bank to examine the instrument if the failure to examine does not violate the bank's prescribed procedures and those procedures do not unreasonably vary from general banking usage not disapproved by the law. This endorses the practice of not verifying signatures on checks below a certain dollar amount (within reasonable limits).


The bottom line from these developments is that employers and businesses are now likely to be responsible for part of the loss incurred in check fraud cases.

They should be put on notice that they need to implement policies under which (1) the banks they deal with are kept current on who is authorized to issue and sign checks, (2) the number of people so authorized is limited, and (3) canceled checks and statements are adequately reviewed as quickly as possible after they are received, to ensure they have been properly issued and paid.